authorJimmy Axenhus <github att axenhus doot com>2021-02-28 16:29:27 +0100
committerJimmy Axenhus <github att axenhus doot com>2021-02-28 16:29:27 +0100
commit362206287265a8963abe9ee3f7fdec7f586502ac (patch)
tree4e349d8dcf193105ccf4e40bd635a9947ccc572b /generate-dnsmasq.sh
Initial commit
Diffstat (limited to '')
-rwxr-xr-xgenerate-dnsmasq.sh60
1 files changed, 60 insertions, 0 deletions
diff --git a/generate-dnsmasq.sh b/generate-dnsmasq.sh
new file mode 100755
index 0000000..90791b0
--- /dev/null
+++ b/generate-dnsmasq.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -e /var/run/qubes-service/vpn-exclude-domains ]; then
+ rm -f /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
+ exit 0
+fi
+
+if [ ! -e /rw/config/qubes-vpn-exclude.list ]; then
+ echo "# List of domains that should be excluded from the VPN proxy." \
+ > /rw/config/qubes-vpn-exclude.list
+fi
+
+temp="$(mktemp)"
+trap 'rm "$temp"' EXIT
+
+cat > "$temp" <<EOF
+# Autogenerated file by qubes-vpn-exclude.
+
+# For ease of use we enable the query log.
+log-queries
+
+# We don't want to use resolv.conf as the VPN DNS should handle queries.
+no-resolv
+no-hosts
+
+domain-needed
+bogus-priv
+
+cache-size=0
+EOF
+
+source /var/run/qubes/qubes-ns
+
+domains=
+while IFS= read -r domain; do
+ domain="$(echo "$domain" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
+ if [ -n "$domain" ] && [[ "$domain" != "#"* ]]; then
+ domains="$domains/$domain"
+ echo "ipset=/$domain/qubes-vpn-exclude-4,qubes-vpn-exclude-6" >> "$temp"
+ for dns in $NS1 $NS2; do
+ echo "server=/$domain/$dns" >> "$temp"
+ done
+ echo >> "$temp"
+ fi
+done < /rw/config/qubes-vpn-exclude.list
+
+if [ -z "$domains" ]; then
+ rm -f /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
+ exit 0
+fi
+
+# For all other domains that are not excluded we fall back to the DNS provided
+# by the VPN.
+for dns in $(cat /var/run/qubes/qubes-vpn-ns); do
+ echo "server=$dns" >> "$temp"
+done
+
+cp "$temp" /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
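Review bot: Each entry read from /rw/config/qubes-vpn-exclude.list is written into the `ipset=/$domain/...` and `server=/$domain/$dns` directives after only whitespace trimming and a `#` check, so an entry containing `/`, `,` or embedded spaces changes what those directives mean or produces a file dnsmasq may refuse to load. I would reject anything that is not a plain hostname at the top of the `if` body, before `domains` is extended, e.g. `[[ "$domain" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "skipping invalid entry: $domain" >&2; continue; }`. Separately, a failing `$(cat /var/run/qubes/qubes-vpn-ns)` in the last `for` word list is not caught by `set -e`, so when that file is missing or empty the config is still installed with `no-resolv` and no default `server=` line; a `[ -s /var/run/qubes/qubes-vpn-ns ]` check before the `cp` would make that failure explicit instead of silently breaking resolution for every non-excluded domain.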
