How can I make Pi-Hole treat each individual "FRITZ!Box Wireguard VPN tunnel" as a separate client?

Hello,

I have set up Pi-Hole with Unbound DNS. I have also configured my FRITZ!Box to work with Pi-Hole.

The FRITZ!Box acts as the DHCP server. The FRITZ!Box DHCP server distributes the static IPv4 & IPv6 DNS addresses to the clients connected to my home network:

(Clients) -> Pi-hole -> Upstream DNS Server

I have configured Conditional Forwarding in Pi-Hole to retrieve the client names from the FRITZ!Box.

For the guest network, I use the Pi-Hole as an upstream server for my FRITZ!Box. All devices connected to the guest network will display the name of the FRITZ!Box, because Pi-Hole is the upstream server of the FRITZ!BOX:

(Clients) -> Fritz!Box -> Pi-hole -> Upstream DNS Server

So far so good, everything is working as intended.

Here’s my problem:
I have multiple devices connected to my local home network through a FRITZ!Box Wireguard VPN tunnel, to connect phones to my network when I am away from home.

Pi-Hole consistently shows all connections via Wireguard VPN as a single client named “fritz-nas.fritz.box”.

I have configured my WireGuard settings files as follows:

[Interface]
PrivateKey = ****
Address = 192.168.60.201/24,****:****:****:6060::201/64
DNS = 192.168.60.254,****:****:****:6060:****:**:**
DNS = fritz.box

[Peer]
PublicKey = ****
PresharedKey = ****
AllowedIPs = 192.168.60.0/24,0.0.0.0/0,****:****:****:6060::/64,::/0
Endpoint = ****.myfritz.net:56436
PersistentKeepalive = 25

I have set each device’s IP address in the same range as the devices on the local network, e.g. 192.168.60.* (IPv4) and ****:****:****:6060 (IPv6)

I can ping devices connected through the Wireguard VPN tunnel from my home network devices.

I can reach my pihole install from my devices connected with Wireguard via its IP address or via its web address “pi.hole”.

When I look at “Pi-hole web interface > Tools > Tail log files > pihole.log”, the IP clearly shows as being in the same subnet (query to pi-hole.net):

2026-01-12 16:21:59.871 query[AAAA] pi-hole.net from 192.168.60.201

2026-01-12 16:21:59.872 cached pi-hole.net is NODATA-IPv6

2026-01-12 16:22:02.493 query[A] js.stripe.com from 192.168.60.201

Filtering traffic on the VPN tunnels works, except all VPN tunnel traffic is grouped in Pi-Hole under “fritz-nas.fritz.box”.

Is there a way for me to assign each VPN client a unique client name in Pi-Hole for customized filtering?

I know that it must be possible, because today, one of my devices passed its own client name through the VPN tunnel consistently. I could not find any divergent lines in the config compared to the others, and tried refreshing (deleting and installing) new tunnels to replicate this effect (since it was newer than the others). Unfortunately, it did not work, and all devices are back to being grouped together.

You could create Local DNS Records for all the Wireguard IP addresses you hand out, but in order to benefit from that you need to tell them that the DNS IP address is the IP address of your Pi-Hole Server and not the Wireguard Gateway IP address or the Fritz!Box Router and from my point of view that does not seem to be the case at the moment if I understand your situation correctly ?!

What's that second and perhaps third DNS server IP?
Would they belong to your Fritzbox?

First of all, I have found the solution. I will explain after I answer the questions in this thread.

You could create Local DNS Records for all the Wireguard IP addresses you hand out, but in order to benefit from that you need to tell them that the DNS IP address is the IP address of your Pi-Hole Server and not the Wireguard Gateway IP address or the Fritz!Box Router and from my point of view that does not seem to be the case at the moment if I understand your situation correctly ?!

For the solution I am using the Wireguard Gateway IP addresses, since they are unique for each individual Wireguard tunnel setup. Using Local DNS Records solved my problem.

What's that second and perhaps third DNS server IP?
Would they belong to your Fritzbox?

No, these belong to the static IPv4 and IPv6 of my device that hosts Pi-Hole.

Now, the solution to my problem:

Step 1: On the FRITZ!Box web interface, I have configured several Wireguard tunnels for every device that I want to connect to my home network (where my Pi-Hole server is located), by going to:

Internet > Permit Access > VPN (Wireguard) > Add connection: Connect a single device

Follow all steps that follow. After you finish, you can see the local IPv4 address that’s being used in the local network for each Wireguard connection under “Remote Network”. In my case, it’s 192.168.60.201, 192.168.60.202, etc.

Step 2: On the Pi-Hole web interface, I configured Local DNS Records for each individual Wireguard IP, by going to:

Settings > Local DNS Records

Under “List of local DNS records”, I added each Wireguard tunnel IPv4 address in the “Associated IP” field, and gave it a name by adding it to the “Domain” field. So, for example, I would add my laptop as “dekbik-laptop” with the IP “192.168.60.201” in “Associated IP” and “Domain”.

So far so good. But, I still could not assign each device (domain) its own group. After some frustration, I decided to read the instructions under:

Clients > Add a new client

These are the instructions:

You can select an existing client or add a custom one by typing into the field above and confirming your entry with ⏎. Multiple clients can be added by separating each client with a space or comma. Clients may be described either by their

  1. IP addresses (IPv4 and IPv6 are supported),

  2. IP subnets (CIDR notation, like 192.168.2.0/24), their

  3. MAC addresses (like 12:34:56:78:9A:BC), by their

  4. hostnames (like localhost), or by the

  5. interface they are connected to (prefaced with a colon, like :eth0).

The first match (from top to down) wins. Note that client recognition by host name or interface recognition as the two latter may only be available after some time. Furthermore, MAC address recognition only works for devices at most one networking hop away from your Pi-hole.

The line “or add a custom one by typing into the field above and“ made me realize you could add clients by typing them in manually, instead of selecting them from the drop-down list. So I did. Unfortunately, it still did not work.

Another important part of the instructions tells you that “The first match (from top to down) wins”. Apparently I had to add all the Wireguard entries first, and the FRITZ!Box last. If I add FRITZ!Box as a client first, then all traffic coming from every single Wireguard connection will be assigned to the FRITZ!Box client domain name.

After running through all these steps, everything seems to work, and I can assign individual clients connected through Wireguard from my FRITZ!Box to groups of my choosing.

This post once again highlights the importance of RTFM.

I also have a suggestion to make.

If I want to add an extra Wireguard connection in the future, I have to delete the FRITZ!Box as a client, then add the Wireguard connection as a client, and then I have to re-add the FRITZ!Box again.

Wouldn’t it be an improvement to be able to move devices up and down in the list of configured clients? Currently the only way to reorder this list is by deleting and (re-)adding entries.

Apparently I had posted my previous reply prematurely by pressing ctrl+enter. Posting this update in case you were subscribed to this thread, received an e-mail, and read my post prematurely. My apologies.

It's not clear to me what your actual issue is.
It seems you may mistake two different aspects of Pi-hole as being the same or related.

Employing Pi-hole's Group Management to enable client-specific filtering is independent from Pi-hole associating names to IPs in its Query Log.

Adjustments in Pi-hole's Group Management don't affect which hostname would be associated to a DNS request's source IP in Pi-hole's Query Log.

Pi-hole's Group Management doesn't allow that, it works the other way round: It allows you to add specific clients to specific filtering groups.

If you don't want to filter your VPN clients differently than your home network clients, there would be no need to employ Pi-hole's Group Management at all.

Employing Pi-hole's Group Management to enable client-specific filtering is independent from Pi-hole associating names to IPs in its Query Log.

Let me elaborate. I add all my devices connected to my home network to the “Clients > List of configured clients” section. This includes my FRITZ!Box.

If I add my FRITZ!Box to the “Clients > List of configured clients” list first, BEFORE adding the Wireguard connections, then all subsequent Wireguard connections, which I assigned a domain name through “List of local DNS records”, will be lumped together under the client name “fritz.box”.

This will be apparent in the Query log, as all traffic coming from separate devices, which all use their own separate Wireguard connection, will have “fritz.box” as the client name. Only the filtering rules from groups associated with the client “fritz.box” will apply to the Wireguard connections, NOT those I have created for each separate Wireguard connection.

This is why it is important to add the Wireguard IP addresses to “Clients > Known clients” first, and only then add the FRITZ!Box as a client, after you’ve added all Wireguard IP addresses (see “The first match (from top to down) wins” from the instructions).

Pi-hole's Group Management doesn't allow that, it works the other way round: It allows you to add specific clients to specific filtering groups.

Apologies, that’s what I meant. The point I was trying to make, was that I have now achieved this goal for every individual Wireguard connection, instead of all of them being bulked under the fritz.box client name.

If you don't want to filter your VPN clients differently than your home network clients, there would be no need to employ Pi-hole's Group Management at all.

I’m not sure what you mean by this. I also filter each device connected normally to my home network separately. I have groups for each device, which has its own specific filter lists (e.g. phones are part of the “Smartphones” group, or smart TVs are part of “Smart TVs” group).

My goal was to be able to treat each device as a separate client in the “Client” tab, and to be able to apply unique filters to each client, depending on which groups I assign them to. I have succeeded in this goal.

If there’s another / better way to do this I’d be glad to hear it.

As mentioned:

Group Management assignments won't affect what name would be assigned to a DNS request's IP in Pi-hole's Query Log.

No, the Query Log won't tell you what group has been used for filtering a given DNS request.

Pi-hole will apply filtering to a given DNS request according to the client definition, i.e if you have defined a client by IP, it would assess the DNS request's source IP address and apply the respective filtering groups.

Your statement could only be true if you had opted to define clients by name (which is not what you have done, judging by your description (and not something I'd recommend)).

A plain DNS request's source IP address is the original and only identifying piece of information in a DNS packet. Other ids (like MAC addresses or hostnames) can only be inferred by correlating secondary information from other sources, which is why using IPs for client group identification is preferred.

Any given Query Log entry will have a source IP address, but Pi-hole's Query Log may show a hostname instead, and Pi-hole will learn hostnames for a given IP by virtue of upstream reverse DNS lookups, unless Pi-hole itself already holds a PTR DNS record for that IP, by virtue of Local DNS Record definitions (or active DHCP leases, if Pi-hole would serve as DHCP server).

If your Query Log would show fritz.box as Client for a DNS query, then that would indicate that some DNS server that Pi-hole is using for reverse lookups is holding a PTR record of that name for that source IP.
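
The distinction made in the last reply (the source IP identifies the client, while the displayed name and the filtering groups are separate lookups keyed on that IP) can be sketched over log lines in the format quoted earlier in the thread. This is an added example, not code from the thread or from Pi-hole; the name records, group assignments, the `dekbik-phone` name, the `Laptops` group and the last two log lines are constructed for illustration.

```python
import ipaddress
import re

# Query lines in the format of the thread's pihole.log excerpt.
QUERY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<src>\S+)$"
)

# First three lines are from the thread; the last two are constructed.
SAMPLE_LOG = """\
2026-01-12 16:21:59.871 query[AAAA] pi-hole.net from 192.168.60.201
2026-01-12 16:21:59.872 cached pi-hole.net is NODATA-IPv6
2026-01-12 16:22:02.493 query[A] js.stripe.com from 192.168.60.201
2026-01-12 16:22:05.010 query[A] example.org from 192.168.60.202
2026-01-12 16:22:06.120 query[A] example.net from 192.168.60.1
"""

# Constructed name records (IP -> name), in the spirit of Local DNS Records.
LOCAL_RECORDS = {"192.168.60.201": "dekbik-laptop",
                 "192.168.60.202": "dekbik-phone"}
# Constructed group assignments for clients that are defined by IP.
CLIENT_GROUPS = {"192.168.60.201": ["Laptops"],
                 "192.168.60.202": ["Smartphones"]}


def attribute_queries(log_text, local_records, client_groups):
    """Group queries by source IP; name and groups are independent lookups."""
    clients = {}
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # cache hits, replies and other non-query lines
        try:
            src = str(ipaddress.ip_address(m["src"]))
        except ValueError:
            continue  # source field is not an IP address
        entry = clients.setdefault(src, {
            "name": local_records.get(src, src),            # display only
            "groups": client_groups.get(src, ["Default"]),  # filtering only
            "queries": [],
        })
        entry["queries"].append((m["qtype"], m["domain"]))
    return clients


if __name__ == "__main__":
    result = attribute_queries(SAMPLE_LOG, LOCAL_RECORDS, CLIENT_GROUPS)
    for ip, info in result.items():
        print(ip, info["name"], info["groups"], info["queries"])
```

A source IP with no name record is shown by its address, and one with no client definition falls into the `Default` group, so a missing name never changes which filters apply.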