Pi-hole Docker plus Wireguard on Unraid

Expected Behaviour:

I recently installed Unraid 7.1 on a Ugreen NAS (6800 Pro). I set up the official Pi-hole docker. I assigned the docker a static VPN as part of the docker options. My router is a Deco Mesh and it is set to use the Pi-hole IP as its DNS. All works fine on our local network. I’m now trying to set up the built-in Unraid Wireguard VPN as a remote tunneled access connection to access my LAN and home internet connection when connected to my work’s public wifi on my personal laptop. Work PCs are on their own secure wired or wifi connections, which I’m not using. It seems they must block most ports even on the public wifi, so I’m using an external port of 443 forwarded to the standard Wireguard 51820 port internally to the NAS IP. I do have a DDNS service as well.

Actual Behaviour:

When Wireguard is set for my Pi-hole DNS I can connect to my LAN but there is no internet access. If I change DNS to a public one (like Cloudflare 1.1.1.1) on the peer config, internet works fine. I did try changing the Pi-hole DNS to “permit all origins” but that didn’t help. Also, my router does have built-in Wireguard which doesn’t allow me to change the port for my work wifi, BUT it does otherwise work with the Pi-hole DNS from other networks or mobile hotspot with both LAN and internet access. So I imagine this is some Unraid/Wireguard/Pi-hole config issue. My network and VPN knowledge is limited and I’m new to Unraid, Dockers, and Pi-hole, so some of my searching leads to discussions that are over my head. Thanks for any help.

Debug Token:

https://tricorder.pi-hole.net/d2HnN3dU/

I got a little closer. If I use my router IP as the peer DNS it mostly works. I’m assuming the router then passes DNS to the Pi-hole IP as that is how it’s configured. The only thing that doesn't work in this scenario is connecting to the Pi-hole web UI. I can reach other local addresses plus internet.

What's the Pi-hole IP that you configure as DNS server in your Wireguard peer configuration?

10.0.0.60

According to your debug log, that's your Pi-hole's home network IP, i.e. it isn't part of your Wireguard network.

For that IP to be reachable for your Wireguard peer, your peer needs to route traffic to 10.0.0.60 to your Unraid Wireguard, and your Wireguard on your Unraid would then need to route traffic from your Wireguard network to your home network.
That's commonly done by configuring the appropriate nftables/iptables rules to NAT traffic from Wireguard to your home network, usually via Wireguard's PostUp/PostDown sections.

Did you set those up already?
If not, you could glean the basic concept from Pi-hole's Wireguard guide on Make local devices accessible - Pi-hole documentation.
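To make the routing/NAT point above concrete, here is an added example (not from the original post, not Unraid's generated config, and not from the Pi-hole guide) in plain wg-quick syntax. It assumes a Wireguard subnet of 10.253.0.0/24 on interface wg0, a home LAN of 10.0.0.0/24 reached through the Unraid bridge br0, Pi-hole at 10.0.0.60 as stated in the thread, and a hypothetical DDNS name nas.example.net with the external port 443 the poster forwards to 51820. The server side's PostUp/PostDown rules are what allows a packet from the tunnel to reach 10.0.0.60 and get an answer back; the peer side's AllowedIPs is what sends that packet into the tunnel in the first place.

```ini
# --- Server side: /etc/wireguard/wg0.conf on the Unraid host (added example) ---
[Interface]
Address    = 10.253.0.1/24              # assumption: Wireguard subnet
ListenPort = 51820                      # router forwards external 443 -> NAS:51820
PrivateKey = <server private key>

# Forwarding must also be enabled in the kernel: sysctl -w net.ipv4.ip_forward=1
# %i expands to the interface name (wg0). br0 is assumed to be the LAN bridge.
#
# 1) allow tunnel -> LAN, 2) allow LAN -> tunnel replies only,
# 3) NAT tunnel sources to the NAS's LAN address so 10.0.0.60 can answer
#    without needing a route back to 10.253.0.0/24.
PostUp   = iptables -A FORWARD -i %i -o br0 -j ACCEPT; iptables -A FORWARD -i br0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -A POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o br0 -j ACCEPT; iptables -D FORWARD -i br0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.253.0.0/24 -o br0 -j MASQUERADE

[Peer]
# the laptop
PublicKey  = <laptop public key>
AllowedIPs = 10.253.0.2/32              # only accept this address from this peer

# --- Peer side: laptop.conf (added example) ---
[Interface]
Address    = 10.253.0.2/32
PrivateKey = <laptop private key>
DNS        = 10.0.0.60                  # Pi-hole's LAN address, as in the thread

[Peer]
PublicKey           = <server public key>
Endpoint            = nas.example.net:443   # hypothetical DDNS name, external port
# 0.0.0.0/0 = "remote tunneled access": LAN *and* internet go through the tunnel.
# The broken variant is AllowedIPs = 10.253.0.0/24 on its own: DNS = 10.0.0.60
# is then not routed into the tunnel at all and every name lookup fails,
# which looks exactly like "LAN works, no internet".
AllowedIPs          = 0.0.0.0/0
PersistentKeepalive = 25
```

Two checks worth doing once the peer is connected: `wg show wg0` on the NAS should show a recent handshake and a rising transfer counter for the laptop, and `dig @10.0.0.60 example.com` from the laptop should get an answer. Because of the MASQUERADE rule, Pi-hole sees those queries arriving from the NAS's LAN address, not from 10.253.0.x, so the "permit all origins" listening setting is not what decides whether they are answered; the missing route/NAT is. Unraid's VPN Manager writes its own wg0.conf, so treat this as the shape of the rules to compare against rather than a file to paste over what it generates.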

Thanks so much. I did not do any of that. I guess I thought that if I set connection type as remote tunneled access it would automatically be set up for both LAN and internet access as that’s what is implied in the documentation for the different connection types.

However, I think all of this is going to turn out to be moot. Even with using port 443 or 80 externally from work public wifi, VPN will handshake but I get no access to LAN or internet. So they must be blocking VPN in other ways. If that’s the case I might as well just use the Wireguard built into my router, which works fine for both LAN and internet including using the Pi-hole for DNS, and not open up any other ports. Cellular is spotty/slow in my office but I can use my phone as a hotspot when needed and bypass work wifi.