diff --git a/setup-base.sh b/setup-base.sh
index 7eb2bbe..6c623bc 100755
--- a/setup-base.sh
+++ b/setup-base.sh
@@ -161,9 +161,9 @@ if [[ -n "$REPO_DIR" && -f "$REPO_DIR/wireguard/m${MODEL}.conf" ]]; then
     cp "$REPO_DIR/wireguard/m${MODEL}.conf" /etc/wireguard/wg0.conf
     chmod 600 /etc/wireguard/wg0.conf
     systemctl enable wg-quick@wg0 2>/dev/null || true
-    # systemd-resolved Stub funktioniert nicht mit WireGuard DNS catch-all (~.)
-    # → resolv.conf direkt auf die upstream-Server zeigen lassen
-    ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
+    # Stub-Resolver noetig fuer Flatpak-Apps (Brave, PrusaSlicer)
+    # DNS wird per PostUp/PostDown in der wg-Config via resolvectl gesetzt
+    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
     ok "WireGuard m${MODEL}.conf → /etc/wireguard/wg0.conf"
 else
     warn "WireGuard: keine lokale Config gefunden — manuell einrichten"
diff --git a/wireguard/m13.conf b/wireguard/m13.conf
index f2688ca..a2cfb3d 100755
--- a/wireguard/m13.conf
+++ b/wireguard/m13.conf
@@ -2,7 +2,8 @@
 PrivateKey = sIxh2D50+9bpWe6O6ezrfybW9Iy6QKcrwr9hmFpuGn0=
 ListenPort = 51820
 Address = 10.13.13.8/24
-DNS = 10.47.11.20,10.47.11.1
+PostUp = resolvectl dns %i 10.47.11.20 10.47.11.1
+PostDown = resolvectl revert %i
 
 [Peer]
 PublicKey = 7WrqHPof31gcCYMjLWPoP1EIxPR2896/3KL1pQ3YZGs=
diff --git a/wireguard/m16.conf b/wireguard/m16.conf
index b2a1652..510ccb7 100755
--- a/wireguard/m16.conf
+++ b/wireguard/m16.conf
@@ -2,7 +2,8 @@
 PrivateKey = OA5IiSzPglSY8GdobOYMlaOaG+QqNjHIACBRe7MvK04=
 ListenPort = 51820
 Address = 10.13.13.7/24
-DNS = 10.47.11.20,10.47.11.1
+PostUp = resolvectl dns %i 10.47.11.20 10.47.11.1
+PostDown = resolvectl revert %i
 
 [Peer]
 PublicKey = J/dD1t3Bo9Zbcvxg6PvGP78kgMlL4s4yYfrUMpcoS2w=