AsusWRT + Wireguard + Pi-Hole Guide/Suggestions?

Hey friends!

So I moved into a new place with my fiancé and we have a ZenWifi Pro E12 for our home router.

I was wanting to protect our network, be able to access devices at home with Wireguard and use the ad-block VPN we've configured remotely.

AsusWRT on the router supports having a Wireguard VPN, but there's a few questions I have.

  1. I'd rather have the Pi-Hole device be the main WireGuard "server".

    I believe this is doable with this "VPN Fusion" feature and getting the client configuration from the Pi-Hole device, but I just want to verify. I'd want to do this as I'm unsure of how to access the Wireguard configuration files on the Asus router, and it limits what I can do with Wireguard as well.

  2. What's your preferred or most secure or privacy-focused DDNS provider?

    I know to use the Pi-Hole's block and VPN you need to have a DDNS.

  3. Has anyone tried doing UDP-over-TCP with their Wireguard server?

    I've seen several programs that supposedly let you do this, but I'm unsure of its viability.

  4. How would I go about tunneling my traffic?

I just posted about an extremely similar setup/issue!

I can tell you this-
I set up my VPS using the "VPN Fusion" feature of ASUSWRT, to put my entire home LAN behind the VPN.

It works well...except I have to choose between excluding my PiHole from the VPN, OR not get Pihole ad-blocking on my mobile phone when I'm away from home.

My phone simply will not connect to a Pihole WG server that is behind a VPN network at the router level.

As you said, in my setup, the PiHole is the WireGuard server, and I'd prefer it stays like that.

The limiting factor for me, it appears, is that no matter how I configure things, it's not possible to have my PiHole behind a LAN-wide VPS in addition to being able to tunnel into the Pihole when I'm remote. I suspect my VPN service provider does not allow it...

I did a fair amount of research and ended up going with NOIP for DDNS, as I am extremely privacy-focused, and it works very well with minimal-to-no personal info and 2 minutes total to set up.

I wish you luck, and please let me know if I can be of any more assistance -- we are in the same boat more or less. I've pored over various potential configurations ad nauseam, with no luck yet.

Just to complete the reply,

  1. Agreed. I am trying to get everything working perfectly with the VPN Fusion feature. Not quite there yet.
  2. NOIP.
  3. No.
  4. If you are not running a VPS at the router level, use PiVPN on your Pi-hole as a WireGuard server. You can then tunnel into your Pi-hole from any peer you choose (iPhone, MacBook, etc.).

Maybe this is just my thought, but for the most basic setup, the Pi-hole is just the DNS server on your network.

So I guess before I even dive into trying to tunnel traffic anywhere, the basic idea would be:

  1. Remove your Pi-Hole as the DNS server for your network, temporarily make it 1.1.1.1 or something.
  2. Set up the WireGuard server on your Pi-Hole, allow the access of local devices in the configuration.
  3. Make sure all peers can access other peer devices on the Wireguard network.
  4. Also in the setup, make sure the IP the Wireguard interface configures for your Pi-Hole is the DNS server in the Wireguard configuration.
  5. Make sure port forwarding is enabled on the ASUS router and your Pi-Hole.
  6. Get the peer config from the Wireguard tools and use that for the "VPN fusion" thing in the ASUS router.
  7. Set the router's DNS to the same IP as the one in the Wireguard configuration.
  8. Have the DDNS domain name in the corresponding place in the ASUS router configuration
  9. Profit?

I guess that's how you'd do it, but I'm not 100% sure.
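A concrete rendering of steps 2 through 7 above, added here as an example and not posted by anyone in this thread. It writes the Pi-hole's WireGuard server config and a matching phone config, then checks that the two agree on the details the steps depend on (the peer's DNS is the Pi-hole's tunnel address, and the peer's Endpoint port is the ListenPort the router must forward). The LAN 192.168.50.0/24, the Pi-hole LAN address 192.168.50.2, the tunnel subnet 10.6.0.0/24, the `eth0` interface name and the `EXAMPLE-DDNS-HOSTNAME` name are all constructed placeholders, and the key strings are placeholders to be replaced with real `wg genkey`/`wg pubkey` output on the Pi.

```shell
#!/bin/sh
# Added example, not from the thread. Renders a WireGuard server config for the
# Pi-hole plus one peer (phone) config, following the step list above.
# Constructed assumptions: LAN 192.168.50.0/24, Pi-hole at 192.168.50.2 on eth0,
# tunnel subnet 10.6.0.0/24, DDNS name EXAMPLE-DDNS-HOSTNAME. Keys are placeholders.

LAN_CIDR="192.168.50.0/24"
WG_SUBNET="10.6.0.0/24"
WG_SERVER_IP="10.6.0.1"      # Pi-hole's tunnel address; peers use it as DNS (step 4)
WG_PORT="51820"              # UDP port the router must forward to 192.168.50.2 (step 5)
DDNS_HOST="EXAMPLE-DDNS-HOSTNAME"            # placeholder for the NOIP name (step 8)
SERVER_PRIV="SERVER_PRIVATE_KEY_PLACEHOLDER" # replace: wg genkey
SERVER_PUB="SERVER_PUBLIC_KEY_PLACEHOLDER"   # replace: wg pubkey < server.key
PEER_PRIV="PEER_PRIVATE_KEY_PLACEHOLDER"
PEER_PUB="PEER_PUBLIC_KEY_PLACEHOLDER"
PEER_IP="10.6.0.2"

# Server side: /etc/wireguard/wg0.conf on the Pi-hole. The PostUp/PostDown NAT
# rules let tunnel traffic reach LAN devices (step 2). AllowedIPs is one /32 per
# peer so the kernel knows which peer owns each tunnel address.
server_conf() {
  cat <<EOF
[Interface]
Address = ${WG_SERVER_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${SERVER_PRIV}
PostUp = iptables -t nat -A POSTROUTING -s ${WG_SUBNET} -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s ${WG_SUBNET} -o eth0 -j MASQUERADE

[Peer]
# phone
PublicKey = ${PEER_PUB}
AllowedIPs = ${PEER_IP}/32
EOF
}

# Peer side (phone). DNS is the Pi-hole's tunnel address, and AllowedIPs covers
# the tunnel plus the home LAN so local devices are reachable while away
# (steps 3 and 4). Use "AllowedIPs = 0.0.0.0/0" instead to send everything home.
peer_conf() {
  cat <<EOF
[Interface]
Address = ${PEER_IP}/32
PrivateKey = ${PEER_PRIV}
DNS = ${WG_SERVER_IP}

[Peer]
PublicKey = ${SERVER_PUB}
Endpoint = ${DDNS_HOST}:${WG_PORT}
AllowedIPs = ${WG_SUBNET}, ${LAN_CIDR}
PersistentKeepalive = 25
EOF
}

# Cross-check the two renderings: peer DNS == server tunnel address, and the
# peer's Endpoint port == the server's ListenPort (the port the router forwards).
check_configs() {
  s=$(server_conf); p=$(peer_conf)
  dns=$(printf '%s\n' "$p" | sed -n 's/^DNS = //p')
  addr=$(printf '%s\n' "$s" | sed -n 's/^Address = \([^/]*\).*/\1/p')
  port=$(printf '%s\n' "$s" | sed -n 's/^ListenPort = //p')
  ep_port=$(printf '%s\n' "$p" | sed -n 's/^Endpoint = .*:\([0-9]*\)$/\1/p')
  if [ "$dns" = "$addr" ] && [ "$port" = "$ep_port" ]; then echo ok; else echo mismatch; fi
}

# Kernel forwarding on the Pi-hole (what the Pi-hole docs call "enable IP
# forwarding"); without it, peers reach the Pi-hole but not the rest of the LAN.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
}

if [ "${1:-}" = "render" ]; then
  server_conf > wg0.conf
  peer_conf > phone.conf
  check_configs
fi
```

Run it as `sh render-wg.sh render` to write `wg0.conf` and `phone.conf`; `phone.conf` is the peer config that gets imported into the phone's WireGuard app (or, per step 6, handed to the router's VPN Fusion page). Two things the steps gloss over: the ASUS port forward is UDP 51820 to the Pi-hole's LAN address, not TCP, and Pi-hole itself must be willing to answer queries that arrive on `wg0` (its DNS interface setting defaults to answering only the local LAN subnet, and 10.6.0.0/24 is not that subnet).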

Thank you for the step-by-step response!

I am going to try exactly this. Much appreciated!

For Port Forwarding on the Pihole, that is in the settings at the bottom, in the part about CIDR notation, correct?

Thank you again. This has been the bane of my existence for weeks now.

I realize I need to learn more about Port Forwarding in general. All I have done (which works) is add Port Forwarding for Wireguard's default port.

This is what you're supposed to do.

https://docs.pi-hole.net/guides/vpn/wireguard/internal/#enable-ip-forwarding-on-the-server

I tried each and every step, and no dice...I believe that my VPN provider (or any VPN service) does not support this.

If you think about it, I am away from home, trying to tunnel into a Raspberry Pi that has an external IP address that is provided by Mullvad. The VPN service only works outbound from my home LAN; not inbound. I even have DDNS and that only works when my Pihole is NOT behind the router's VPN, for obvious reasons.

That is my understanding of the situation. I spoke to customer service from both Mullvad and another VPN, and they both said "we don't support this."

I always figured I could sort out some workaround, but after a month, I think it's over.

My dream setup is dead 🙁

I very much appreciate your help, Señor Stewart. Thank you.
