How to configure Pi-Hole with Wireguard?

I am running Pi-Hole and Wireguard on a VPS I rented and I want to configure Pi-Hole to act as a DNS and ad-blocker for my Wireguard peers only. Also, I want the web interface and any other port like 53 to not be accessible via the VPS IP, but only when I connect my laptop to the Wireguard VPN, for example.

What do I need to do so Pi-Hole only works over the VPN and the VPS just uses a regular internet connection?

I suggest just getting Wireguard to work properly first, then you can try to get DNS working with pi-hole. Here are the steps that I'd take:

  1. Make sure your VPS is set with a static private IP address
  2. Install Wireguard and open the port of your choosing to your VPS. Make sure that whatever firewall your server is using is actually blocking traffic. We do not want pi-hole to be an open resolver to the internet.
  3. Configure Wireguard so you are able to connect to the server from your client. Make sure to use a pre-shared key for quantum-safe encryption. During this process, you'll want to configure the client's Wireguard DNS to use a public resolver, such as 1.1.1.1.
  4. Verify Wireguard works by checking your public IP and seeing that it's from the VPS.
  5. Once Wireguard is confirmed to be working, install pi-hole on the VPS and enable the allow requests from all origins option.
  6. Use the ip addr command to find the VPS's private IP and use that IP as your DNS server configuration on your Wireguard client. You will not need to change anything from within the client's OS; it's all handled from within Wireguard's configuration.

On the Pi-hole side, nothing.

Since Pi-hole and Wireguard are running on the same machine, your Wireguard interface will be local to Pi-hole, so Pi-hole's default Allow only local requests Interface setting will cover Wireguard as well.

Changing to Permit all origins (as mentioned in Ladrien's step 5) may only be required if you'd run your Pi-hole as a Docker container or some other virtualisation environment.

If you'd want to be really restrictive, you could consider configuring Pi-hole to Respond only on interface wg0 (assuming wg0 would be your Wireguard interface).
For this, you may also have to configure Pi-hole's dns.interface, as accessible via Settings | All settings » DNS server, available in Expert mode only.

This wouldn't make much of a difference, as the only clients configured to use Pi-hole are the Wireguard ones, and inbound port 53 is blocked by your VPS firewall, of course.

With regards to your VPS configuration, Ladrien's reply seems to have good suggestions for the general points to address.
As this isn't related to Pi-hole, you may want to seek additional advice from your VPS provider, or consult forums specialising in networking for your VPS.

I already have Pi-Hole and Wireguard installed and I use Wireguard everyday.

Previously, when Pi-Hole was using lighttpd, you could change server.bind to be the IP of your Wireguard interface. This would make the Web UI only listen on the Wireguard interface, and it shouldn't be accessible via the VPS public IP. Also, setting Pi-Hole to "Bind only to interface wg0" would make it only work for Wireguard clients.

Ports can be blocked via firewall, I guess. But how do you change the server listen address/interface now that Pi-Hole v6 uses a built-in web server?

As per the documentation, you could either set webserver.acl to e.g. +10.100.0.0/24,+[fd08:4711::]/64 to restrict access, or bind the webserver to the wireguard addresses by setting webserver.port to e.g. 10.100.0.1:80,+[fd08:4711::1]:80.
Of course, you'd have to adjust addresses and ports to match those used by you.

webserver.port allows for very flexible configuration of Pi-hole's embedded webserver listening behaviour. Settings | All settings » Webserver and API has a quite comprehensive description.
All settings is available in Expert mode only.

Is it possible to edit/add this via some config file? Or do I have to do this from Web UI only?

Also, about the firewall rules: does anyone here use iptables and have some rules related to a similar setup as mine?

As detailed in the v6 release notes, there are many ways to change your configuration:

E.g. via CLI:

sudo pihole-FTL --config webserver.port '10.100.0.1:80,[fd08:4711::1]:80'

Don't forget to adjust addresses and ports to match those used by you.
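The firewall side asked about above (iptables rules for this kind of setup), as an added example that is not from any reply in this thread: it assumes the WireGuard interface is wg0 listening on UDP 51820, SSH on 22, and Pi-hole v6's default web ports 80 and 443; change the variables to match your VPS.

```shell
#!/bin/sh
# Added example (not from the thread): an iptables ruleset that keeps Pi-hole's
# DNS (53) and web UI (80/443) reachable only through the WireGuard interface,
# while SSH and the WireGuard handshake stay open on the VPS public address.
# Interface name and ports are assumptions; adjust them to your setup.
WG_IF="${WG_IF:-wg0}"        # WireGuard interface Pi-hole should serve
WG_PORT="${WG_PORT:-51820}"  # UDP port WireGuard listens on
SSH_PORT="${SSH_PORT:-22}"   # keep remote administration reachable
# Emit the rules one per line (without the iptables/ip6tables prefix) so they
# can be reviewed or checked before anything is applied.
pihole_fw_rules() {
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Services that must remain reachable from the public internet.
    echo "-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT"
    echo "-A INPUT -p udp --dport ${WG_PORT} -j ACCEPT"
    # Pi-hole: DNS and web UI only when the packet arrived over WireGuard.
    echo "-A INPUT -i ${WG_IF} -p udp --dport 53 -j ACCEPT"
    echo "-A INPUT -i ${WG_IF} -p tcp --dport 53 -j ACCEPT"
    echo "-A INPUT -i ${WG_IF} -p tcp --dport 80 -j ACCEPT"
    echo "-A INPUT -i ${WG_IF} -p tcp --dport 443 -j ACCEPT"
    # Default-deny: anything else, including 53/80 on the public IP, is dropped.
    echo "-P INPUT DROP"
}

# Guard against an accidental open resolver: fail if any rule would ACCEPT
# port 53 or the web UI without restricting it to WG_IF.
pihole_fw_check() {
    if pihole_fw_rules | grep -E -- '--dport (53|80|443) ' | grep -v -- "-i ${WG_IF} " | grep -q ACCEPT; then
        echo "rule set exposes Pi-hole outside ${WG_IF}" >&2
        return 1
    fi
    return 0
}

# Apply the rules with the given tool (iptables for IPv4, ip6tables for IPv6).
pihole_fw_apply() {
    tool="$1"
    pihole_fw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # the rule is meant to be word-split
        "$tool" $rule
    done
}

# Default action is a dry run that prints the rules; 'apply' needs root.
case "${1:-print}" in
    print) pihole_fw_rules ;;
    apply) pihole_fw_check && pihole_fw_apply iptables && pihole_fw_apply ip6tables ;;
esac
```

Run it without arguments to review the generated rules, and with `apply` as root once they match your interface names and ports.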
