docker pi-hole + cloudflared in a container possible?


#1

Just a simple question: has anyone succeeded in making the pi-hole container work with a cloudflared container?
And if, on top of that, you managed to make cloudflared's queries go through a VPN container, that would be paradise.
Thanks in advance.


#2

#3

So I managed to make it work but everything is manual
docker run -d --name pihole -p 53:53/tcp -p 53:53/udp -p 67:67/udp -p 80:80 -p 443:443 -v /some/path:/etc/pihole/ -v /some/path:/etc/dnsmasq.d/ -e ServerIP=ip.from.my.docker.host --restart=unless-stopped --cap-add=NET_ADMIN --dns=127.0.0.1 --link cloudflared pihole/pihole:latest

docker run -it --name cloudflared -d travisez13/cloudflared-proxy-dns

After that you need to manually set the IP of the cloudflared container; here it was 172.17.0.3.

The next step is to make that automatic, maybe by adding $(docker inspect cloudflared) or something like that.

And then the further step is to make cloudflared pass through a VPN docker container. Note that -f "" is an option of the image's entrypoint, so it goes after the image name:
docker run -it --cap-add=NET_ADMIN --device /dev/net/tun --name vpn -v /some/path/where/config/is:/vpn --sysctl net.ipv6.conf.all.disable_ipv6=0 -d dperson/openvpn-client -f ""

But for the moment, apparently my container inside the VPN stack doesn’t get an IP from the docker virtual router. I guess it’s because it’s a container that is supposed to get its IP from a LAN server, like BRANCH<-HQ, which would act as a DHCP relay, isolating the container from any interaction with the virtual docker router. But at least some part works now.


#4

Docker networking can be tricky trying to do things like this. First thing to be aware of based off the commands you used: The default docker0 network of 172.17.* - by default containers on that network are firewalled and cannot see one another, without the deprecated --link syntax - there’s a better way though.

If you use docker network to create a new subnet to put them both on then everything can see everything else on that network free and clear. Putting every container together in a docker-compose.yaml configuration file has the side effect of creating this open, but isolated per-project, network for you automatically too which is pretty nice.

As far as preventing docker’s networking service from handing out IP addresses to containers automatically and letting your container handle DHCP, I haven’t done that ever nor can I find very much on the topic besides the infoblox ipam driver : https://forums.docker.com/t/connecting-containers-to-a-network-without-allocating-ips/35722

And if on top of that you did succeed to make the queries of cloudflared go through a vpn container that would be paradise.

I think you should look at the docker run --network=vpn argument for that; instead of an actual docker network, you can also specify a single container’s name as the source of the networking.

I often review the docker network and docker run CLI pages for full details when trying to get advanced networking setups like this working.

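The docker network and docker-compose approach described in this post, and the manual "read the cloudflared IP from docker inspect" step of post #3, can be combined into one compose file. The following is an added example, not a file from the thread or from the pi-hole project: it creates a user-defined network with a fixed subnet and gives the VPN container a static address, so pi-hole's upstream never has to be looked up by hand. Assumptions made here: the 172.28.0.0/24 subnet and the addresses in it, the cloudflare/cloudflared image with its proxy-dns flags, the DNS1/DNS2 pi-hole environment variables (in the ip#port form), and that cloudflared joining the vpn container's network namespace (network_mode: "service:vpn") is acceptable for the setup.

```yaml
# Added example (not from the thread): docker-compose.yml putting pi-hole,
# cloudflared and the OpenVPN client on one user-defined network.
# Assumed values: the 172.28.0.0/24 subnet, the static addresses, the
# cloudflare/cloudflared image and the pi-hole DNS1/DNS2 variables.
version: "3.7"

services:
  vpn:
    image: dperson/openvpn-client
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - /some/path/where/config/is:/vpn
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    command: -f ""            # image entrypoint option from the thread
    networks:
      dns_net:
        ipv4_address: 172.28.0.3
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared:latest
    # Share the vpn container's network namespace: cloudflared has no address
    # of its own, it answers on 172.28.0.3:5053 (the vpn container's address)
    # and its upstream DoH traffic leaves through the tunnel.
    network_mode: "service:vpn"
    command: proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query
    depends_on:
      - vpn
    restart: unless-stopped

  pihole:
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80"
      - "443:443"
    volumes:
      - /some/path/pihole:/etc/pihole/
      - /some/path/dnsmasq.d:/etc/dnsmasq.d/
    environment:
      ServerIP: ip.from.my.docker.host
      # Upstream = cloudflared, reached via the vpn container's static address.
      DNS1: 172.28.0.3#5053
      DNS2: 172.28.0.3#5053
    # /etc/resolv.conf inside the container: localhost first (pi.hole names),
    # a non-local fallback so startup scripts resolve before dnsmasq is up.
    dns:
      - 127.0.0.1
      - 1.1.1.1
    cap_add:
      - NET_ADMIN
    networks:
      dns_net:
        ipv4_address: 172.28.0.2
    depends_on:
      - cloudflared
    restart: unless-stopped

networks:
  dns_net:
    ipam:
      config:
        - subnet: 172.28.0.0/24
```

Two things to check after docker-compose up -d: that docker exec pihole dig @172.28.0.3 -p 5053 example.com answers (cloudflared is listening in the vpn container's namespace), and that the VPN image's kill-switch firewall, enabled here with -f "", still lets the pi-hole container reach port 5053 on the docker network; if it does not, allow that subnet with the image's own firewall options rather than disabling the firewall.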

#5

Yeah, I know it’s a bit complicated to do that with docker. I should investigate the network option for sure, but what I can tell you is that network=vpn wouldn’t work because you would still need an IP.
I’m going to dig in a little bit more today.


#6

@diginc just a question: what is the --dns for? Is it the DNS argument for docker container networking? What need does it fulfil for pi-hole, since at start it uses Google DNS anyway?


#7

--dns sets /etc/resolv.conf inside the container and is what the services running inside the container will use for lookups.

The readme for docker-pi-hole specifically recommends setting it because PHP needs to know what the internal pi.hole domains and DHCP client names are, so setting it to localhost is the best way to accomplish that. Having a secondary that is not localhost prevents a chicken-before-egg/egg-before-chicken situation; e.g. the container’s startup scripts need DNS, but DNS isn’t started yet because the container is starting up.


#8

Okay, I understand.

So I’ve done some digging about my problem.
There is no container working out of the box for cloudflared.
Most of them use the ubuntu image, and I’ve actually discovered that the ubuntu image can’t share the same network stack as another container with the argument --network container:id_of_parentcontainer. For that to happen we would need an alpine container.

Plus, even if I had that, it would not work anyway, because pi-hole needs an IP address to connect to, and with the command above there is no IP assigned; it would be a bit like two programs on the same host using the same ethernet interfaces, that’s all.

In docker network there is no mechanism to put a container in front of another as its gateway, or I did not understand what @docker wanted to do, because --gateway for a network would be the address of the docker daemon’s virtual router in that network. And even --aux-address is not working as I thought it would, since if you reserve an IP address through this system then you can’t launch a container at that same IP, so I still don’t understand its use.

The only solution that I see would be to have an alpine container with a programmable environment variable as a launch argument to change the container’s gateway (the change would have to occur before the launch of the cloudflared instance, because otherwise it crashes; for example with --cap-add=NET_ADMIN ... bash -c "ip route del default; ip route add default via ..." or maybe I did it wrong), and put the 3 containers in a network. Then you would have a whole system where pihole -> cloudflared -> vpn or TOR.
Another solution would be to put the cloudflared instance inside the VPN container, where cloudflared would replace the DNS resolver. But that would go against the philosophy of docker (one process, one container).

Any other ideas?


#9

I haven’t yet investigated any dnscrypt-proxy container, which could replace cloudflared.