DNS not resolving when connected with Wireguard

I don't have DNS resolving when connecting to Wireguard. I'm using wg-easy with PiHole in a docker-compose setup:

Main compose

name: homelab

networks:
  main:
    name: main
    external: true
    driver: bridge
  wg_network:
    name: wg_network
    ipam:
      config:
        - subnet: 10.8.1.0/24

secrets:
  cf_dns_api_token:
    file: ${SECRETSDIR}/cf_dns_api_token

include:
  - compose/dns/traefik.yaml
  - compose/dns/pihole.yaml
  - compose/dns/wg-easy.yaml

wg-easy

services:
  wg-easy:
    container_name: wg-easy
    image: ghcr.io/wg-easy/wg-easy
    restart: unless-stopped
    environment:
      - WG_HOST=${DOMAIN}
      - PASSWORD_HASH=${PASSWORD_HASH}
      - WG_DEFAULT_DNS=10.8.1.3  # Pi-hole's static address on wg_network, pushed to clients as their DNS server
    volumes:
      - ${DOCKERDIR}/data/wireguard:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      main: {}
      wg_network:
        ipv4_address: 10.8.1.2
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wg-easy.entrypoints=websecure"
      - "traefik.http.routers.wg-easy.rule=Host(`wg.${DOMAIN}`)"
      - "traefik.http.routers.wg-easy.tls.certresolver=cloudflare"
      - "traefik.http.routers.wg-easy.middlewares=secure-headers@file"
      - "traefik.http.services.wg-easy.loadbalancer.server.port=51821"

pihole

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "82:80/tcp"
    hostname: pi.hole
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${PIHOLE_PASSWORD}
    volumes:
      - ${DOCKERDIR}/data/pihole/etc-pihole:/etc/pihole
      - ${DOCKERDIR}/data/pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped
    networks:
      main: {}
      wg_network:
        ipv4_address: 10.8.1.3  # must match WG_DEFAULT_DNS in the wg-easy service
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.entrypoints=websecure"
      - "traefik.http.routers.pihole.rule=Host(`pihole.${DOMAIN}`) && (PathPrefix(`/admin`) || PathPrefix(`/api`))"
      - "traefik.http.routers.pihole.tls.certresolver=cloudflare"
      - "traefik.http.routers.pihole.middlewares=secure-headers@file"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"

I'm connecting my phone to my Wireguard tunnel but there is no routing/resolving happening.

Debug token: https://tricorder.pi-hole.net/MTL7y3Sc/

Any help would be appreciated 🙂

Your configuration looks much like wg-easy's sample configuration for running Pi-hole for its wireguard clients.

By that wg-easy documentation, Pi-hole would only be used by clients connected via wireguard.

Run from such a wireguard client, what is the output of:

nslookup pi.hole
nslookup flurry.com
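The two lookups above tell you whether a client's queries are actually reaching Pi-hole. A common reason they do not, even with WG_DEFAULT_DNS set, is that the client config the phone imported either has no DNS line or lists a DNS address that is not covered by its AllowedIPs, so the query leaves via the phone's normal interface instead of the tunnel. The script below is an added example (not code from this thread, wg-easy or Pi-hole) that parses a WireGuard client config and checks both conditions against the 10.8.1.3 address the compose file hands out. The sample config is constructed; it assumes wg-easy's usual client-config layout and a full-tunnel AllowedIPs of 0.0.0.0/0, ::/0, and the key material is placeholder text.

```python
"""Check whether a WireGuard client config will send DNS queries through
the tunnel to the intended resolver.

Added example, not wg-easy or Pi-hole code.  SAMPLE_CONF is a constructed
client config in the shape wg-easy hands out; keys are placeholders.
"""
import ipaddress
from typing import Dict, List

SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/24
DNS = 10.8.1.3

[Peer]
PublicKey = <server-public-key>
PresharedKey = <preshared-key>
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = vpn.example.com:51820
"""

# Same client, but a split-tunnel AllowedIPs that omits the Docker
# network Pi-hole lives on (10.8.1.0/24): DNS would bypass the tunnel.
SPLIT_TUNNEL_CONF = SAMPLE_CONF.replace(
    "AllowedIPs = 0.0.0.0/0, ::/0", "AllowedIPs = 10.8.0.0/24")


def parse_wg_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a WireGuard INI-style config into {section: {key: [values]}}.

    Comma-separated values (DNS, AllowedIPs, Address) are split into lists
    so each entry can be checked individually.  Comments and blank lines
    are ignored.
    """
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        # split on the first '=' only: base64 keys may end with '=' padding
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        sections[current].setdefault(key, []).extend(values)
    return sections


def dns_check(conf_text: str, expected_dns: str) -> Dict[str, object]:
    """Report whether the client will use expected_dns through the tunnel.

    A DNS address is only reached via WireGuard if it falls inside one of
    the peer's AllowedIPs prefixes; otherwise the OS routes the query out
    the normal interface and Pi-hole never sees it.
    """
    conf = parse_wg_conf(conf_text)
    dns = conf.get("Interface", {}).get("DNS", [])
    allowed = [ipaddress.ip_network(n, strict=False)
               for n in conf.get("Peer", {}).get("AllowedIPs", [])]
    routed = {}
    for server in dns:
        addr = ipaddress.ip_address(server)
        # 'in' is False across address families, so ::/0 never "covers" an IPv4 resolver
        routed[server] = any(addr in net for net in allowed)
    return {
        "dns_set": bool(dns),
        "matches_expected": expected_dns in dns,
        "routed_through_tunnel": routed,
        "ok": bool(dns) and expected_dns in dns and all(routed.values()),
    }


if __name__ == "__main__":
    for label, text in (("full tunnel", SAMPLE_CONF),
                        ("split tunnel", SPLIT_TUNNEL_CONF)):
        print(label, dns_check(text, "10.8.1.3"))
```

Run it against the .conf exported from the wg-easy UI (replace SAMPLE_CONF with the file contents) before blaming Pi-hole: if routed_through_tunnel is False for 10.8.1.3, the fix is on the WireGuard side (WG_ALLOWED_IPS in wg-easy, or the AllowedIPs the phone app was given), not in the Pi-hole container.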

I can't resolve pi.hole, but flurry does resolve. I ran it from my phone using an app called PingTools, hope it's ok.

And yes, I did use the example from their GitHub repo, hope it's ok