diff --git a/package/gluon-mesh-vpn-fastd/Makefile b/package/gluon-mesh-vpn-fastd/Makefile
index 9290b45703eb97cf1507a5ba1c1da1b3f57bd6ae..1547985c3b2a1e8451034cb7de495f9e76f2c6bb 100644
--- a/package/gluon-mesh-vpn-fastd/Makefile
+++ b/package/gluon-mesh-vpn-fastd/Makefile
@@ -11,7 +11,7 @@ define Package/gluon-mesh-vpn-fastd
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Support for connecting batman-adv meshes via fastd
-  DEPENDS:=+gluon-core +gluon-mesh-batman-adv +fastd
+  DEPENDS:=+gluon-core +gluon-mesh-batman-adv +gluon-wan-dnsmasq +fastd +iptables-mod-extra
 endef
 
 define Package/gluon-mesh-vpn-fastd/description
diff --git a/package/gluon-mesh-vpn-fastd/files/etc/hotplug.d/iface/50-gluon-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd/files/etc/hotplug.d/iface/50-gluon-mesh-vpn-fastd
deleted file mode 100644
index 26ad47731b4d70b1722d4a47c894d0cfb8d2b0d3..0000000000000000000000000000000000000000
--- a/package/gluon-mesh-vpn-fastd/files/etc/hotplug.d/iface/50-gluon-mesh-vpn-fastd
+++ /dev/null
@@ -1,3 +0,0 @@
-[ "$INTERFACE" = 'wan' ] || exit 0
-
-/lib/gluon/mesh-vpn-fastd/update-dnsmasq
diff --git a/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn-fastd/iptables.rules b/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn-fastd/iptables.rules
new file mode 100644
index 0000000000000000000000000000000000000000..c1a16ee12c735db41a137c2bf1fd4694d0929472
--- /dev/null
+++ b/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn-fastd/iptables.rules
@@ -0,0 +1,3 @@
+*nat
+-I OUTPUT -m owner --gid-owner gluon-fastd -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54
+COMMIT
diff --git a/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn-fastd/update-dnsmasq b/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn-fastd/update-dnsmasq
deleted file mode 100755
index 33e23a592b2d87f9177f7af16d44cb517985398a..0000000000000000000000000000000000000000
--- a/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn-fastd/update-dnsmasq
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/sh
-
-
-. /lib/functions.sh
-
-
-_json_push() {
-	export JSON_PATH="${JSON_PATH}/$1"
-}
-
-_json_pop() {
-	export JSON_PATH="${JSON_PATH%/*}"
-}
-
-json_init() {
-	export JSON_PATH=''
-}
-
-json_add_object() {
-	_json_push "$1"
-}
-
-json_close_object() {
-	_json_pop
-}
-
-json_add_array() {
-	_json_push "$1"
-}
-
-json_close_array() {
-	_json_pop
-}
-
-json_add_int() {
-	return
-}
-
-json_add_boolean() {
-	return
-}
-
-json_add_double() {
-	return
-}
-
-json_add_string() {
-	[ "$JSON_PATH" = '/inactive/dns_server' ] || return
-	echo "$2"
-}
-
-
-get_dns_server() {
-	eval `jshn -r "$(ubus call network.interface.wan status)"`
-}
-
-generate_dnsmasq_conf_remote() {
-	local remote="$1"; local servers="$2"
-
-	local hostname="$(echo "$remote" | awk -F \" '{print $2}')"
-	[ -n "$hostname" ] || return
-
-	for ns in $servers; do
-		echo "server=/$hostname/$ns"
-	done
-}
-
-generate_dnsmasq_conf_peer() {
-	local peer="$1"; local servers="$2"
-	local enabled; local net
-
-	config_get_bool enabled "$peer" 'enabled' 0
-	[ "$enabled" -gt 0 ] || return
-
-	config_get net "$peer" 'net'
-	[ "$net" = 'mesh_vpn' ] || return
-
-	config_list_foreach "$peer" 'remote' generate_dnsmasq_conf_remote "$servers"
-}
-
-generate_dnsmasq_conf() {
-	local servers="$1"
-
-	config_load fastd
-	config_foreach generate_dnsmasq_conf_peer 'peer' "$servers"
-}
-
-
-mkdir -p /var/gluon/mesh-vpn-fastd
-generate_dnsmasq_conf "$(get_dns_server)" > /var/gluon/mesh-vpn-fastd/dnsmasq.conf.$$
-
-lock /var/gluon/mesh-vpn-fastd/dnsmasq.conf.lock
-
-if cmp -s /var/gluon/mesh-vpn-fastd/dnsmasq.conf.$$ /var/gluon/dnsmasq.d/mesh-vpn-fastd.conf; then
-	rm /var/gluon/mesh-vpn-fastd/dnsmasq.conf.$$
-else
-	mv -f /var/gluon/mesh-vpn-fastd/dnsmasq.conf.$$ /var/gluon/dnsmasq.d/mesh-vpn-fastd.conf
-	/etc/init.d/dnsmasq restart
-fi
-
-lock -u /var/gluon/mesh-vpn-fastd/dnsmasq.conf.lock
diff --git a/package/gluon-mesh-vpn-fastd/files/lib/gluon/upgrade/mesh-vpn-fastd/invariant/010-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd/files/lib/gluon/upgrade/mesh-vpn-fastd/invariant/010-mesh-vpn-fastd
index da8b5e6adb532493703e64dba0de683589e2879a..a20811695e2199199f147b5eab17f5ec8c186547 100755
--- a/package/gluon-mesh-vpn-fastd/files/lib/gluon/upgrade/mesh-vpn-fastd/invariant/010-mesh-vpn-fastd
+++ b/package/gluon-mesh-vpn-fastd/files/lib/gluon/upgrade/mesh-vpn-fastd/invariant/010-mesh-vpn-fastd
@@ -13,9 +13,13 @@ local c = uci.cursor()
 -- The previously used user is removed, we need root privileges to use the packet_mark option
 users.remove_user('gluon-fastd')
 
+-- Group for iptables rule
+users.add_group('gluon-fastd', 800)
+
 
 c:section('fastd', 'fastd', 'mesh_vpn',
 	  {
+		  group = 'gluon-fastd',
 		  syslog_level = 'verbose',
 		  interface = 'mesh-vpn',
 		  mode = 'tap',
@@ -70,3 +74,15 @@ c:section('network', 'interface', 'mesh_vpn',
 
 c:save('network')
 c:commit('network')
+
+
+c:section('firewall', 'include', 'mesh_vpn_dns',
+	  {
+	    type = 'restore',
+	    path = '/lib/gluon/mesh-vpn-fastd/iptables.rules',
+	    family = 'ipv4',
+	  }
+)
+
+c:save('firewall')
+c:commit('firewall')