Pi-hole & Wireguard


#1

Hi everyone,

I’ve been trying to set up Wireguard on my Pi-hole during the past week and I can’t seem to find a way to route all my traffic through it.
The idea is kind of the same as roadwarrior: a portable device => Wireguard “server” with Pi-hole => Internet.
The thing is, I can either only access my LAN, or reach the WAN with the benefit of the Pi-hole but still see my real IP instead of my server’s IP.
I’ll let you take a look at my configuration.
192.168.1.12 Pi-hole/Wireguard server local address on eth0
192.168.99.1 Pi-hole/Wireguard server local address on wg0
192.168.99.2 Portable device.

wg0 config (server’s):

[Interface]
Address = 192.168.99.1/24
ListenPort = 51820
PrivateKey = ****************************************************
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; ip$
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; $
[Peer]
PublicKey = *********************************************************
AllowedIPs = 192.168.99.2/32

client.conf:

[Interface]
Address = 192.168.99.2/24
PrivateKey = ****************************************************
DNS = 192.168.99.1
[Peer]
PublicKey = *****************************************************
AllowedIPs = 0.0.0.0/0
Endpoint = 86.250.189.176:51820
PersistentKeepalive = 25

Thank you for your help!


#4

Why not use the Pi-hole OpenVPN setup guide?

That one uses the RoadWarrior OpenVPN setup (and I would be able to help you with that one, as I have no experience with Wireguard).


#5

Because wireguard is fast and super easy on batteries. And I already managed to do so with OpenVPN.
I’m still learning, and I’d like to try something new.
But thank you!


#6

The setup principles of the Open VPN guide should help you here.


#7

The problem is they don’t…
I tried following so many tutorials, and cherry-picked some firewall rules here and there, some configuration files, but I still can’t put my finger on what the issue could be…


#8

Perhaps a visit to the Wireguard forums will provide a solution.


#9

Try to set Allowed IPs to 10.0.0.0/24 instead of 0.0.0.0/0


#10

I have set this up on my arch linux 3b+ pi. I think it’s good to migrate to WireGuard because a) pivpn, which is popular for pihole users, is no longer being maintained b) openvpn in general is a bit cumbersome when compared to wireguard and c) vpn connectivity is so solid on mobile iOS devices when using wireguard compared to openvpn. The difference is night and day. With Openvpn I was having to continually reconnect manually every few hours, or whenever I switched on Airplane mode, and sometimes when transitioning from WiFi to cellular. With the iOS wireguard app I hardly ever have to touch it. I’m just pretty much always connected to my pi no matter what, and all my internet traffic gets routed through my pi and all DNS requests go to pihole.

EDIT: Your configs look slightly different to mine. Here is my server config:

[Interface]
Address = 10.16.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = ****

[Peer]
PublicKey = ***
AllowedIPs = 10.16.0.3/32

And on the client this is the config:

[Interface]
Address = 10.16.0.3/24
PublicKey = ***
PrivateKey = ***
DNS = 10.16.0.1

[Peer]
PublicKey = ***
Endpoint = DynamicDNS of RaspberryPi:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Make sure you add the wireguard interface as one of the allowed interfaces in your pihole dnsmasq.d conf files. It’s enough to simply add a wg0.conf file in /etc/dnsmasq.d/ directory with the line interface=wg0


#11

I know, from the guide and the reddit post, that all traffic will be redirected through this (wg0) interface, but why would you do that? Doesn’t this expose your entire network to the VPN user?


#12

Yeah, but that’s what I want. That way all my iOS traffic goes back home to my Pi and then out again through my home ISP whilst using pihole for DNS. The iOS wireguard app actually has an “exclude private IPs” option, so that it populates the allowed IPs field automatically, but I have played around with this setting and it seems to make little functional difference except if I want to use a Chromecast, in which case I use the exclude private IPs. I am not entirely sure if this is a bug of the app or a feature of iOS, but even with the 0.0.0.0/0 wildcard, I can still access both router pages (as in the local gateway, as well as the remote gateway of the LAN my pi sits on). 0.0.0.0/0 is what works for me, except when it doesn’t, which is easily rectified from within the wireguard app. Which is another plus of wireguard in fact. OpenVPN requires you to edit the configs before uploading them to the app. WireGuard allows on-the-fly editing.


#13

Thank you so much, so… My config files are correct, but I was missing the wg0.conf file in /etc/dnsmasq.d.
Still unsuccessful, I’m only able to reach my Pi-hole/Wireguard server through the tunnel, but I can’t connect to any devices in my LAN nor the internet… Looks like a routing problem, doesn’t it?


#14

Could be. Have you successfully routed traffic through your pi before using openvpn? Do you have IPv4 forwarding enabled on your pi? What’s the output when you enter sysctl net.ipv4.ip_forward ? Also, you don’t have the masquerade rule in your post-up rule in your interface setting of the WG server. Try copying the post-up and pre-down rules from my configs.


#15

I do have the masquerade rule, but in the template configuration file. (I used the user management script https://github.com/adrianmihalko/raspberrypiwireguard/wiki/User-management-with-Wireguard-User-Management-script).
And sysctl net.ipv4.ip_forward gives me net.ipv4.ip_forward = 1.
Is the masquerade rule the only one we need to route?


#16

The manual actually says: Endpoint = your.publicdns.com:51820.
This should be your WAN address, as retrieved here.

For users who don’t have dynamicDNS entry yet, here is an easy way to get one, without any registration (no email, no username, no password, …)

Once you registered a domain name, you get a list of available methods to update your, possibly changed, WAN IP address.


#17

Since I want to use wireguard for DNS only, I’m looking for ways to restrict access from the wireguard interface.

For example, to deny access from the wireguard interface to lighttpd:
edit or create /etc/lighttpd/external.conf and enter the following:
server.bind = "IP_address_of_pihole's_eth0_interface"
example: if pihole eth0 IP = 192.168.5.100, enter server.bind = "192.168.5.100"

In my manual, I already explained how to set up key authentication for SSH (chapter 4, section 10) and how to limit access to certain IPs.
Password authentication should also be disabled (webmin installation, chapter 4, sections 11 & 12).


#18

Since I want to use wireguard for DNS only, I’m looking for ways to restrict access from the wireguard interface

You could achieve this by making the allowed ip’s only the subnet of the wireguard vpn interface, and just setting the DNS server as the IP of the wireguard server.

So for example, in my config, you would change the allowed ip’s to 10.16.0.0/24 whilst keeping the DNS Server in the wireguard config as 10.16.0.1. That way only traffic that is destined for the wireguard subnet, and in this case, DNS requests, are routed through wireguard. I can confirm this works on ipleak.net, with that change meaning my public ip does not change, but my DNS servers do.


#19

So what exactly can you access when you bring up your wg interface on the client? And what device are you using as the client? Am I right in understanding that you can ping the ip of the pi’s wg server address of 192.168.99.1, but no other ip’s outside of that subnet? Because then yes, it’s a routing issue on your pi.

Are you using a Linux dist that uses systemd? What do you have in the /etc/systemd/network/ directory? If your system uses systemd, try adding either an en.network or eth.network file (depending on whether you use your pi’s WiFi or Ethernet to connect to the lan and internet - eth for Ethernet, en for WiFi) into that directory. And then make sure it has the line IPForward=yes under the [Network] section. For example, I connect my pi using the Ethernet only, so I have a eth.network file in that directory that looks like this:

[Match]
Name=eth*

[Network]
DHCP=yes
IPForward=yes

If you do that and restart the network interface, does that make a difference?

Yes, you need to add a NAT rule to your iptables if you want to forward traffic from your wg0 interface to your eth0 (or en0) interface. I would recommend reading this guide but basically, yes, you want wireguard to add the masquerade NAT rule when it comes up. But you are saying that it is already doing that in your config, so that’s why you should try my other solution above.
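The checks that #10 and #19 walk through (MASQUERADE out of the WAN interface, FORWARD accept rules for %i, dnsmasq listening on wg0, ip_forward enabled) as an added shell script, not code from the thread; the function names and the two sample configs it writes are constructed for illustration:

```shell
#!/bin/sh
# Added example, not from the thread: static checks for the routing pitfalls
# discussed above. Function names and the sample configs are constructed.

# has_masquerade CONF WAN_IF -> 0 if PostUp adds a MASQUERADE rule out of WAN_IF
has_masquerade() {
    grep -E '^[[:space:]]*PostUp[[:space:]]*=' "$1" |
        grep -qE -- "-t nat -A POSTROUTING -o $2 -j MASQUERADE"
}

# has_forward_rules CONF -> 0 if PostUp accepts FORWARD traffic both in and out of %i
has_forward_rules() {
    postup=$(grep -E '^[[:space:]]*PostUp[[:space:]]*=' "$1")
    echo "$postup" | grep -qE -- '-A FORWARD -i %i -j ACCEPT' &&
        echo "$postup" | grep -qE -- '-A FORWARD -o %i -j ACCEPT'
}

# dnsmasq_listens_on DIR IFACE -> 0 if some DIR/*.conf contains interface=IFACE
dnsmasq_listens_on() {
    grep -qsE "^interface=$2\$" "$1"/*.conf
}

# ip_forward_enabled [FILE] -> 0 if the sysctl knob (file form) reads 1
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed samples: one config without NAT (like the visible part of #1's)
# and one with the MASQUERADE rule (like #10's), plus a dnsmasq.d drop-in.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/wg0-nonat.conf" <<'EOF'
[Interface]
Address = 192.168.99.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT
EOF
cat > "$SAMPLES/wg0-nat.conf" <<'EOF'
[Interface]
Address = 10.16.0.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
mkdir -p "$SAMPLES/dnsmasq.d" && echo 'interface=wg0' > "$SAMPLES/dnsmasq.d/wg0.conf"
echo 1 > "$SAMPLES/ip_forward"

for c in wg0-nonat wg0-nat; do
    has_masquerade "$SAMPLES/$c.conf" eth0 && r=ok || r=MISSING
    echo "$c: MASQUERADE via eth0 $r"
done
```

Point the functions at /etc/wireguard/wg0.conf and /etc/dnsmasq.d on the Pi to check a live setup; the `for` loop only exercises the constructed samples.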


#20

Allowed IPs is restricted to the server wireguard IP address /32 only.
Using Raspbian stretch lite (November 2018) on pi 3B
Using Android 7.0 on Samsung S6 from a public (provider) WiFi

I could access the pihole admin interface and all other files in the lighttpd webserver, including the virtual hosts I have running on my pi, using the server wireguard IP.
I could also use PuTTY and WinSCP, using the server wireguard IP address, on the test machine that didn’t have IP address restrictions.
On my production machine I’ve implemented the security measures described earlier; access from a wireguard client is no longer possible (the way I like it).