diff --git a/.forgejo/workflows/prerelease.yml b/.forgejo/workflows/prerelease.yml
index 8b2fe2d..f9b8a43 100644
--- a/.forgejo/workflows/prerelease.yml
+++ b/.forgejo/workflows/prerelease.yml
@@ -46,6 +46,24 @@ jobs:
       goarch: ${{ matrix.goarch }}
       binari: ${{ matrix.binaries }}
     secrets: inherit
+  upload-scripts:
+    runs-on: docker
+    needs: [set-release-target]
+    strategy:
+      matrix:
+        script:
+          - run-dnsmasq-in-netns.sh
+    steps:
+      - uses: actions/checkout@v3
+      - name: Move asset
+        run: |
+          mkdir -p "dist"
+          cp scripts/${{ matrix.script }} dist/
+      - name: Upload script
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ matrix.script }}-${{ needs.set-release-target.outputs.release_cible }}
+          path: dist/${{ matrix.script }}
   prerelease:
     runs-on: docker
     needs: [set-release-target, build]
diff --git a/scripts/run-dnsmasq-in-netns.sh b/scripts/run-dnsmasq-in-netns.sh
new file mode 100644
index 0000000..c0f9253
--- /dev/null
+++ b/scripts/run-dnsmasq-in-netns.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+# Expects one argument: netns_bridge (e.g. vpc-00003_br-00002 or vpc1_br0)
+arg="$1"
+NETNS="${arg%%_*}"
+BRIDGE="${arg#*_}"
+
+echo "start dnsmasq ${NETNS} ${BRIDGE}"
+
+exec ip netns exec "${NETNS}" \
+  dnsmasq \
+    --no-daemon \
+    --interface="${BRIDGE}" \
+    --bind-interfaces \
+    --pid-file="/run/dnsmasq-$arg.pid" \
+    --conf-file="/etc/dnsmasq.d/$arg.conf" \
+    --no-hosts \
+    --no-resolv \
+    --log-facility="/var/log/dnsmasq-$arg.log" \
+    --no-daemon -p0
diff --git a/systemd/dnsmasq@.service b/systemd/dnsmasq@.service
new file mode 100644
index 0000000..0f9d72e
--- /dev/null
+++ b/systemd/dnsmasq@.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=dnsmasq in netns %i
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/two/bin/run-dnsmasq-in-netns.sh %i
+ExecStopPost=/bin/rm -f /run/dnsmasq-%i.pid
+
+[Install]
+WantedBy=multi-user.target