From fa3cd23ec59f4d0779aad0d96fed893f9a7f4111 Mon Sep 17 00:00:00 2001
From: Sam Hadow
Date: Mon, 3 Nov 2025 22:27:24 +0100
Subject: [PATCH] DNS leak prevention
---
 NetworkManager/90-nft-wg.sh | 52 +++++++++++++++++++++++++++++++++++++
 README.md | 12 +++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 NetworkManager/90-nft-wg.sh
diff --git a/NetworkManager/90-nft-wg.sh b/NetworkManager/90-nft-wg.sh
new file mode 100644
index 0000000..e65a60f
--- /dev/null
+++ b/NetworkManager/90-nft-wg.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+# /etc/NetworkManager/dispatcher.d/90-nft-wg
+# Automatically toggle DNS leak protection for wireguard
+
+INTERFACE="$1"
+ACTION="$2"
+
+NFT_BIN="$(command -v nft || true)"
+FAMILY="inet"
+TABLE="filter"
+CHAIN="output"
+
+log() { logger -t nft-wg "$*"; }
+
+
+add_dns_protection() {
+$NFT_BIN add rule inet filter output udp dport 53 oifname "!= \"$INTERFACE\"" drop\; 2>/tmp/nft-wg-add.err
+if [ $? -ne 0 ]; then
+log "failed to add udp rule for $INTERFACE: $(cat /tmp/nft-wg-add.err)"
+exit 1
+fi
+
+$NFT_BIN add rule inet filter output tcp dport 53 oifname "!= \"$INTERFACE\"" drop\; 2>/tmp/nft-wg-add.err
+if [ $? -ne 0 ]; then
+log "failed to add tcp rule for $INTERFACE: $(cat /tmp/nft-wg-add.err)"
+exit 1
+fi
+
+rm -f /tmp/nft-wg-add.err
+log "Added DNS leak protection for $INTERFACE"
+}
+
+remove_dns_protection() {
+$NFT_BIN --handle --numeric list chain inet filter output \
+| awk -v iface="$INTERFACE" '$0 ~ iface && /drop/ {print $NF}' \
+| xargs -r -I {} sudo $NFT_BIN delete rule inet filter output handle {}
+log "Removed DNS leak protection for $INTERFACE"
+}
+
+# Only run for WireGuard interfaces (start with "wg-")
+if [[ "$INTERFACE" == wg-* ]]; then
+case "$ACTION" in
+up)
+add_dns_protection
+;;
+down)
+remove_dns_protection
+;;
+esac
+fi
+
+exit 0
diff --git a/README.md b/README.md
index 13dcfa9..6a7caaa 100644
--- a/README.md
+++ b/README.md
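Review bot: `add_dns_protection` redirects nft's stderr to the fixed path `/tmp/nft-wg-add.err`, and a NetworkManager dispatcher script runs as root, so a predictable name in a world-writable directory is a symlink-following hazard and the file is also shared between two `wg-*` interfaces coming up at the same time; capture stderr in a variable instead and drop the `rm -f`, e.g. `err=$("$NFT_BIN" add rule inet filter output udp dport 53 oifname "!= \"$INTERFACE\"" drop 2>&1) || { log "failed to add udp rule for $INTERFACE: $err"; exit 1; }` (same shape for the tcp rule). `remove_dns_protection` then deletes every rule in the chain whose text matches the interface name as an awk regex and contains `drop`, which can also catch a user's own rules or a longer name sharing the prefix, and it calls `sudo` although the `up` path does not; tagging the added rules with `comment "nft-wg"` and matching that comment in the awk filter would make removal exact. The script assumes `table inet filter` with `chain output` already exists and never creates it, so on a host without that table the `up` action logs the nft error and exits 1 with no protection installed; that precondition belongs in the header comment (the README hunk does not state it either). `FAMILY`, `TABLE` and `CHAIN` are assigned but every nft command hard-codes `inet filter output`; either pass `"$FAMILY" "$TABLE" "$CHAIN"` or remove the three variables.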
@@ -31,3 +31,15 @@ move all the files in $1 subdirectories to $1. script to backup firefox config directory and restore the latest backup adapt the hostnames and paths to what you need, not made to be easily configured with environment variables. **Careful**, firefox config folder includes all your profiles, including their cookies and localstorage (access tokens of your accounts can be there).
+
+
+## NetworkManager
+NetworkManager related scripts.
+These scripts need to be moved in /etc/NetworkManager/dispatcher.d/ and must be executable
+
+### 90-nft-wg-sh
+Automatically toggle DNS leak protection for wireguard connections with nftables.
+Adds tcp/udp rules to block outgoing traffic to dns port (53) if the outgoing interface isn't the wireguard connection.
+It assumes wireguard connection names start with "wg-"
+
+ You can check for DNS leaks with [this website](https://www.dnsleaktest.com/)
\ No newline at end of file