PiHole on VPS behind OpenVPN (Private Subnets only)

The issue I am facing: I am currently encountering a challenge in setting up PiHole as a Docker container on my VPS server, pihole.local, within the specified network configuration.

Details about my system:

  • VPS server: pihole.local
  • OpenVPN server is running on the VPS.
  • UDM Pro is connected to pihole.local via VPN.
  • Docker is operational on pihole.local with a subnet of 10.254.254.0/24, and the subnet mask is routed by the UDM-Pro.

What I have changed since installing Pi-hole: I have configured the PiHole Docker container with the following settings in the docker-compose file:

pihole:
    image: pihole/pihole
    environment:
        - 'Europe/Berlin'
    volumes:
        - './pihole/etc:/etc/pihole'
        - './pihole/dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped
    networks:
        vpn:
            ipv4_address: 10.254.254.100
networks:
  vpn:
    driver: bridge
    ipam:
      config:
        - subnet: 10.254.254.0/24

The goal is to restrict DNS queries to only private IP addresses.

ifconfig:
br-098f467cbcef: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.254.254.1 netmask 255.255.255.0 broadcast 10.254.254.255
inet6 fe80::42:e8ff:fe49:d2a4 prefixlen 64 scopeid 0x20
ether 02:42:e8:49:d2:a4 txqueuelen 0 (Ethernet)
RX packets 14425 bytes 26038682 (26.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17866 bytes 13479232 (13.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

br-7902e25befaf: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:ea:50:3e:81 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:b7:e0:f3:2c txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 195.xxx.xxx.xxx netmask 255.255.252.0 broadcast 195.xxx.xxx.xxx
ether xx:xx:xx:xx:xx:xx txqueuelen 1000 (Ethernet)
RX packets 61636798 bytes 8347618620 (8.3 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12087038 bytes 14133531208 (14.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 42666 bytes 13414244 (13.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 42666 bytes 13414244 (13.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tailscale0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1280
inet 100.64.0.5 netmask 255.255.255.255 destination 100.64.0.5
inet6 fe80::ee34:e0a7:2436:6a49 prefixlen 64 scopeid 0x20
inet6 fd7a:115c:a1e0::5 prefixlen 128 scopeid 0x0
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 4178097 bytes 365639921 (365.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4141757 bytes 9103492147 (9.1 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.16.5.1 netmask 255.255.255.0 destination 172.16.5.1
inet6 fe80::3499:9f52:9609:9a6a prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 4390238 bytes 676619040 (676.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7688579 bytes 9968992200 (9.9 GB)
TX errors 0 dropped 730 overruns 0 carrier 0 collisions 0

veth00fca49: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::e0cd:5dff:fecf:87ec prefixlen 64 scopeid 0x20
ether e2:cd:5d:cf:87:ec txqueuelen 0 (Ethernet)
RX packets 797536 bytes 86095642 (86.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 401156 bytes 51259256 (51.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth35e578a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::682f:5dff:fe00:fc35 prefixlen 64 scopeid 0x20
ether 6a:2f:5d:00:fc:35 txqueuelen 0 (Ethernet)
RX packets 1234 bytes 1000198 (1.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1293 bytes 1845873 (1.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth54b5013: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::ecee:eeff:fe36:952c prefixlen 64 scopeid 0x20
ether ee:ee:ee:36:95:2c txqueuelen 0 (Ethernet)
RX packets 395535 bytes 51026956 (51.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 793108 bytes 75347291 (75.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth84370f7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::34c2:60ff:fe9f:e968 prefixlen 64 scopeid 0x20
ether 36:c2:60:9f:e9:68 txqueuelen 0 (Ethernet)
RX packets 11 bytes 1321 (1.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 84 bytes 9938 (9.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Your docker-compose is missing ports and cap-add declarations, as well as the recommended variables for timezone, FTLCONF_LOCAL_IPV4 and an optional WEBPASSWORD.

Perhaps unrelated, but you should also be aware that .local is reserved for mDNS usage and shouldn't be mixed with plain DNS, so you should consider another name instead of pihole.local.

It doesn't need any ports open; as soon as I open it, the whole internet can use my DNS server. I have given it a bridge network where I can access the Pi-hole server within my VPN.

We are talking Docker port options here, not externals.

In Docker's bridge network mode, if you do not map your host's UDP and TCP port 53 to your Pi-hole container, DNS requests will never make it into the Pi-hole container, likewise for TCP port 80/HTTP (see also our Quick start example docker-compose).
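As an added example (not from this thread and not the Pi-hole project's own compose file), here is one way to publish the ports the reply refers to without exposing the resolver on the public interface: every host port is bound to the VPS's VPN-side address instead of Docker's default 0.0.0.0, so the socket is only reachable by peers that arrive over the tunnel. The bridge subnet, the container's static address and the volume paths are taken from the original post; the choice of 172.16.5.1 (the tun0 address shown in the ifconfig output) as the bind address, the `services:` key and the placeholder password are assumptions.

```yaml
services:
  pihole:
    image: pihole/pihole
    # NET_ADMIN is the capability the Pi-hole compose example asks for (needed for the
    # optional DHCP server; it does not widen network exposure on its own).
    cap-add:
      - NET_ADMIN
    ports:
      # A plain "53:53/udp" would publish on 0.0.0.0, i.e. also on ens3 (the public side).
      # Prefixing the host address limits the listening socket and the DNAT rule to tun0.
      # Assumption: 172.16.5.1 is the address VPN clients use to reach this host.
      - "172.16.5.1:53:53/tcp"
      - "172.16.5.1:53:53/udp"
      - "172.16.5.1:80:80/tcp"
    environment:
      # The original file listed the value without its key; TZ is the variable name.
      TZ: 'Europe/Berlin'
      # Address Pi-hole advertises for itself; here the container's own bridge address.
      FTLCONF_LOCAL_IPV4: '10.254.254.100'
      # Placeholder only; set a real admin password before deploying.
      WEBPASSWORD: 'CHANGE-ME-placeholder'
    volumes:
      - './pihole/etc:/etc/pihole'
      - './pihole/dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped
    networks:
      vpn:
        ipv4_address: 10.254.254.100

networks:
  vpn:
    driver: bridge
    ipam:
      config:
        - subnet: 10.254.254.0/24
```

Two things to check after `docker compose up -d`: `ss -ulnp | grep ':53'` on the host should show the listener on `172.16.5.1:53` and nothing on `0.0.0.0:53` or `*:53`; and because tun0 must already exist for the bind to succeed, OpenVPN has to be up before the container starts, otherwise Docker refuses to publish the port. With Docker's default iptables handling, publishing the port also adds the forward rule that lets traffic routed from the VPN to the container address 10.254.254.100 reach port 53, so the UDM Pro can keep using that address as its resolver.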

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.