I have an Orange Pi hosting a Wireguard server and Pi-Hole both on the same network interface and IP-address (192.168.1.2). I have my Mikrotik router set up to redirect all internal DNS requests to the IP-address of Pi-Hole (192.168.1.2), with the exception of DNS requests coming from Pi-Hole itself in order to resolve via external DNS servers.
This redirection works for all local devices, except of course for the devices connected through the Wireguard VPN.
What happens is that all traffic from the Wireguard network interface is 'masqueraded' to the same local IP-address on which the Pi-Hole is running. This causes the Mikrotik router to think that DNS requests coming from Wireguard are Pi-Hole DNS requests, thus allowing Wireguard DNS requests to be resolved via external DNS servers. Therefore the VPN clients do not get ads blocked by Pi-Hole.
I was thinking how to solve this problem and the only way I could think of is to let Pi-Hole run on a virtual network interface in order to have a different IP-address than the host itself. This would make the Mikrotik firewall rules work again, but I'm not sure this will work for the Pi-Hole instance.
Are there maybe other ways to solve this problem, other than to have 2 physical devices running?
While this isn't strictly a Pi-hole question:
I'd wonder why DNS requests would have to leave your Wireguard/Pi-hole host machine at all, instead of going straight to Pi-hole?
You could e.g. either explicitly configure your Wireguard clients to use that machine's Wireguard subnet IP as DNS server, or add some iptables rules to redirect DNS requests from your Wireguard tunnel to your co-located Pi-hole.
Though not directly applicable for your configuration, you could take a look at our Wireguard guide for some inspirations, specifically at the client configuration and NAT sections.
I'm not sure either, but currently I have in the Wireguard client config the DNS server pointing to the Mikrotik as gateway (192.168.1.1). This way I'm able to resolve DNS requests.
If I change the client config to DNS server 10.6.0.1 (Wireguard server IP) or 192.168.1.2 (host IP/Pi-hole) I'm not able to resolve any DNS requests.
I already added the following lines to the wg0.conf:
Did you change your Pi-hole's Interface listening behavior to one of the Listen on all... types then?
Wireguard creates a new network interface on your host machine. If you keep Pi-hole listening on eth0 only, it will never receive any of your wg interface DNS requests.
You may also have a read of the troubleshooting section of our Wireguard guide for some additional caveats.
Alright! Setting the DNS server to the Wireguard gateway and setting the Interface listening behavior to Listen on all, permit all origins did the trick!
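The two approaches suggested above, written out as an added example that is not from this thread: the client config with the DNS line that bypassed Pi-hole beside the corrected one that points at the Wireguard gateway, and a server-side wg0.conf that instead catches any port-53 traffic arriving on wg0 and redirects it to the local Pi-hole with iptables. Keys, the client address 10.6.0.2, the endpoint and the eth0 name are placeholders or assumptions; in both variants Pi-hole must also be set to listen on all interfaces, since it otherwise never sees wg0 traffic.

```ini
# --- Client config (before): queries go to the router ---
# They leave the host masqueraded as 192.168.1.2, so the Mikrotik
# treats them as Pi-hole's own upstream lookups and does not redirect.
[Interface]
PrivateKey = <client-private-key>      # placeholder
Address = 10.6.0.2/24                  # constructed client address
DNS = 192.168.1.1                      # router gateway: bypasses Pi-hole

[Peer]
PublicKey = <server-public-key>        # placeholder
Endpoint = vpn.example.invalid:51820   # placeholder
AllowedIPs = 0.0.0.0/0

# --- Client config (after): queries go to the Wireguard gateway ---
# 10.6.0.1 is the Pi-hole host itself, so nothing leaves the box.
[Interface]
PrivateKey = <client-private-key>
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0

# --- Server wg0.conf (alternative): redirect DNS on the host ---
# Any DNS packet entering on wg0 is DNAT'ed to Pi-hole in PREROUTING,
# i.e. before the MASQUERADE in POSTROUTING can send it to the router.
# eth0 is an assumed LAN interface name.
[Interface]
PrivateKey = <server-private-key>      # placeholder
Address = 10.6.0.1/24
ListenPort = 51820
PostUp = iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination 10.6.0.1:53
PostUp = iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination 10.6.0.1:53
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination 10.6.0.1:53
PostDown = iptables -t nat -D PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination 10.6.0.1:53
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client-public-key>        # placeholder
AllowedIPs = 10.6.0.2/32
```

A quick check from a connected client is a lookup of a domain on the blocklist against 10.6.0.1; it should answer with the Pi-hole block address and show up in the Pi-hole query log with the client's 10.6.0.x address.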