From 362206287265a8963abe9ee3f7fdec7f586502ac Mon Sep 17 00:00:00 2001
From: Jimmy Axenhus <github@axenhus.com>
Date: Sun, 28 Feb 2021 16:29:27 +0100
Subject: Initial commit

---
 generate-dnsmasq.sh | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100755 generate-dnsmasq.sh

(limited to 'generate-dnsmasq.sh')

diff --git a/generate-dnsmasq.sh b/generate-dnsmasq.sh
new file mode 100755
index 0000000..90791b0
--- /dev/null
+++ b/generate-dnsmasq.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -e /var/run/qubes-service/vpn-exclude-domains ]; then
+    rm -f /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
+    exit 0
+fi
+
+if [ ! -e /rw/config/qubes-vpn-exclude.list ]; then
+    echo "# List of domains that should be excluded from the VPN proxy." \
+        > /rw/config/qubes-vpn-exclude.list
+fi
+
+temp="$(mktemp)"
+trap 'rm "$temp"' EXIT
+
+cat > "$temp" <<EOF
+# Autogenerated file by qubes-vpn-exclude.
+
+# For ease of use we enable the query log.
+log-queries
+
+# We don't want to use resolv.conf as the VPN DNS should handle queries.
+no-resolv
+no-hosts
+
+domain-needed
+bogus-priv
+
+cache-size=0
+EOF
+
+source /var/run/qubes/qubes-ns
+
+domains=
+while IFS= read -r domain; do
+    domain="$(echo "$domain" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')"
+    if [ -n "$domain" ] && [[ "$domain" != "#"* ]]; then
+        domains="$domains/$domain"
+        echo "ipset=/$domain/qubes-vpn-exclude-4,qubes-vpn-exclude-6" >> "$temp"
+        for dns in $NS1 $NS2; do
+            echo "server=/$domain/$dns" >> "$temp"
+        done
+        echo >> "$temp"
+    fi
+done < /rw/config/qubes-vpn-exclude.list
+
+if [ -z "$domains" ]; then
+    rm -f /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
+    exit 0
+fi
+
+# For all other domains that are not excluded we fall back to the DNS provided
+# by the VPN.
+for dns in $(cat /var/run/qubes/qubes-vpn-ns); do
+    echo "server=$dns" >> "$temp"
+done
+
+cp "$temp" /etc/dnsmasq.d/50-qubes-vpn-exclude.conf
-- 
cgit v1.2.3