Network and DNS | Local DNS | Intermediate | Approximately 2 hours | Lab build

Create a WireGuard plus Split DNS Lab for Secure Remote Access to Self-Hosted Services

By completing this guide, you will establish a secure remote access setup using WireGuard and implement split DNS for your self-hosted services.

Last reviewed: 4/30/2026
Technitium DNS setups | split DNS for self-hosted services | secondary DNS and failover
Linux (Ubuntu) | WireGuard | Technitium DNS

Expected Outcome

A fully operational WireGuard VPN with a split DNS configuration that allows secure access to self-hosted services while maintaining internal DNS resolution.

Assumptions

  • A Linux server (Ubuntu 20.04 or later recommended)
  • Root access to the server
  • Basic knowledge of networking and DNS concepts

Bill of Materials

  • WireGuard installed on the server
  • A DNS server (e.g., Technitium DNS) configured on the same or a different server
  • Client devices to test the VPN and DNS setup

Build Steps

  1. Install WireGuard

    Set up WireGuard on your Linux server to enable secure VPN access.

    Changes system state: review before running

    sudo apt update
    sudo apt install wireguard
    sudo mkdir -p /etc/wireguard
  2. Configure WireGuard

    Create the WireGuard configuration file and generate keys for the server.

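    Security-sensitive: review before running

    # Write the private key without echoing it to the terminal, then restrict it to root
    wg genkey | sudo tee /etc/wireguard/server_private.key > /dev/null
    sudo chmod 600 /etc/wireguard/server_private.key
    # Read the key as root (a plain '<' redirect would run as the unprivileged user)
    sudo cat /etc/wireguard/server_private.key | wg pubkey | sudo tee /etc/wireguard/server_public.key
    sudo nano /etc/wireguard/wg0.conf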
  3. Add WireGuard Configuration

    Edit the WireGuard configuration file with the appropriate settings.

    Security-sensitive: review before running

    sudo nano /etc/wireguard/wg0.conf

    # /etc/wireguard/wg0.conf
    [Interface]
    Address = 10.0.0.1/24
    PrivateKey = <server_private_key>
    ListenPort = 51820

    [Peer]
    PublicKey = <client_public_key>
    AllowedIPs = 10.0.0.2/32
  4. Enable IP Forwarding

    Allow IP forwarding on the server to enable traffic routing through the VPN.

    Changes system state: review before running

    echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p
  5. Start WireGuard

    Bring up the WireGuard interface to start the VPN service.

    Changes system state: review before running

    sudo wg-quick up wg0
  6. Install and Configure DNS Server

    Set up Technitium DNS or another DNS server to handle split DNS for your self-hosted services.

    Changes system state: review before running

    sudo apt install technitium-dns-server
    sudo systemctl start technitium-dns-server
    sudo systemctl enable technitium-dns-server
  7. Configure Split DNS

    Set up DNS records for your self-hosted services to resolve internally via the VPN.

    Example pattern only. Adjust for your environment before running.

    Add A records for your services in Technitium DNS with internal IPs
    Configure DNS forwarding for external domains as needed
  8. Test the Setup

    Connect a client device to the WireGuard VPN and verify that DNS resolution works for your self-hosted services.

    Example pattern only. Adjust for your environment before running.

    wg-quick up wg0
    ping <your_service.local>

Validation

  • Ensure the WireGuard interface is up and running using 'sudo wg show'.
  • Check DNS resolution for your self-hosted services using 'nslookup <your_service.local>'.
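
The check below is an added example, not part of the original guide: it reads a wg-quick client config and confirms that every IPv4 `DNS =` server falls inside a peer's `AllowedIPs`, because lookups sent to a resolver outside that range are not carried by the tunnel. The client address 10.0.0.2, the sample config and the function names are assumptions.

```shell
# Added example, not from the original guide. IPv4 only; names are assumptions.

ip_to_int() {  # dotted quad -> integer
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr IP NET[/BITS]: exit 0 when IP lies inside the network
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

conf_values() {  # conf_values FILE KEY: print each comma-separated value of KEY
  awk -F= -v key="$2" '
    { k = tolower($1); gsub(/[ \t]/, "", k) }
    k == tolower(key) {
      sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
      n = split($0, v, ","); for (i = 1; i <= n; i++) print v[i]
    }' "$1"
}

check_split_dns() {  # one line per finding; exit 0 when there are none
  conf=$1; findings=0
  # Keep IPv4 servers only; non-IP DNS entries are search domains in wg-quick.
  servers=$(conf_values "$conf" DNS | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
  if [ -z "$servers" ]; then
    echo "no IPv4 DNS= entry: the client keeps its own resolver"; findings=1
  fi
  for dns in $servers; do
    routed=no
    for cidr in $(conf_values "$conf" AllowedIPs | grep -v ':'); do
      if in_cidr "$dns" "$cidr"; then routed=yes; fi
    done
    if [ "$routed" = no ]; then
      echo "DNS $dns is outside AllowedIPs: not carried by the tunnel"; findings=1
    fi
  done
  return "$findings"
}

# Constructed sample client config (keys omitted), checked as a demonstration.
sample=$(mktemp)
printf '%s\n' '[Interface]' 'Address = 10.0.0.2/24' 'DNS = 10.0.0.1' \
  '[Peer]' 'AllowedIPs = 10.0.0.0/24' >"$sample"
check_split_dns "$sample" && echo "split DNS config OK"
rm -f "$sample"
```

Run `check_split_dns` against the client's own config file before connecting; a non-zero exit status means at least one finding was printed.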

Troubleshooting

  • If the VPN connection fails, check the firewall settings to ensure UDP port 51820 is open.
  • If DNS resolution fails, verify that the DNS server is running and that the records are correctly configured.

Cleanup or Rollback

  • To stop the WireGuard service, run 'sudo wg-quick down wg0'.
  • Remove any temporary files or configurations if necessary.

Next Improvements

  • Consider adding additional clients to the WireGuard configuration.
  • Explore further DNS configurations for advanced setups.