Set up Cloudflare DNS over HTTPS on your Wireguard VPN server
Once you’ve set up a Wireguard VPN server, you’ll also want to protect your DNS requests. One method of achieving this is to set up a DNS over HTTPS resolver on your VPN server and route your DNS traffic over the VPN tunnel.
This follows on from the last post Set up a Wireguard VPN on Ubuntu and connect from Mac and Android so check that out first if you don’t already have a Wireguard VPN server set up.
Cloudflare provide a DNS over HTTPS (DoH) resolver to use with their
220.127.116.11 public DNS service. We’ll install this on our Wireguard server and then configure each client use it.
Install the Cloudflared DoH Server
Download the Cloudflared service for your Linux platform. For Ubuntu/Debian download the
Install the package:
dpkg -i cloudflared-stable-linux-amd64.deb
Confirm that it installed correctly:
cloudflared --version cloudflared version 2019.2.1 (built 2019-02-28-0010 UTC)
Configure the service to use Cloudflare’s
1 2 3 4 5 6 7
mkdir -p /usr/local/etc/cloudflared cat << EOF > /usr/local/etc/cloudflared/config.yml proxy-dns: true proxy-dns-upstream: - https://18.104.22.168/dns-query - https://22.214.171.124/dns-query EOF
Install the service:
sudo cloudflared service install
The service should now be running on
localhost. Test it by querying for a DNS record:
1 2 3
dig +short @127.0.0.1 tau.gr AAAA 2606:4700:30::681b:9ecf 2606:4700:30::681b:9fcf
Configure Wireguard Server
In order to correctly route DNS requests across the VPN we need to amend some of the firewall rules created in the
Edit your Wireguard config
/etc/wireguard/wg0.conf and append the following to the
The first command in
PostUp adds a NAT rule to redirect DNS (i.e. traffic destined to port 53) to the Cloudflared server running on
127.0.0.1. The second command enables the
route_localnet setting on the Wireguard server’s network interface. We need to enable this because by default the Linux kernel will drop packets destined to localhost, as it deems them to be ‘martian packets’.
PostDown command simply deletes the NAT firewall rule that was created in
PostUp. We don’t need to clear the
route_localnet setting because it was only configured on the Wireguard interface, which gets destroyed when you shut down Wireguard.
Save the config file and restart Wireguard for the new changes to take effect:
Configure Wireguard Clients
On each client edit the Wireguard config and change the DNS address to be the Wireguard internal IP address of the server. If you used the settings in the Set up a Wireguard VPN on Ubuntu and connect from Mac and Android guide then this is
Save the config and restart your VPN connection. To verify everything’s working, use Cloudflare’s Browsing experience check.