Pinhole block ads only on wireguard vpn, not connected to my home wifi

Pihole blocks ads only on devices connected to WireGuard VPN

Hi team, let me explain what I have done. I deployed:

  • Portainer CE 2.19.4
  • pihole 5.17.3
  • WG-Easy (wireguard)

Both containers were deployed using this compose:

version: "3.8"

services:
  wg-easy:
    environment:
      # ⚠️ Change the server's hostname (clients will connect to):
      - WG_HOST=mysubdomain.duckdns.org

      # ⚠️ Change the Web UI Password:
      - PASSWORD=Passwordxxxxx

      # 💡 This is the Pi-Hole Container's IP Address
      - WG_DEFAULT_DNS=10.8.1.3
      - WG_DEFAULT_ADDRESS=10.8.0.x
    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - ~/.wg-easy:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      wg-easy:
        ipv4_address: 10.8.1.2

  pihole:
    image: pihole/pihole
    container_name: pihole
    environment:
      # ⚠️ Change the Web UI Password:
      - WEBPASSWORD=Passwordxxxxx
    volumes:
      - '~/.pihole/etc-pihole:/etc/pihole'
      - './.pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "5353:80/tcp"
    restart: unless-stopped
    networks:
      wg-easy:
        ipv4_address: 10.8.1.3

networks:
  wg-easy:
    ipam:
      config:
        - subnet: 10.8.1.0/24

This configures both containers in the same network in order to route the VPN traffic to Pi-hole when a device is connected to it.

Everything deployed well, all of this within a Raspberry Pi 5, until I saw that Pi-hole is blocking ads only when I’m connected to the VPN; when I’m using my home WiFi without the VPN, Pi-hole doesn’t block ads.

I have configured the Raspberry Pi IP address 192.168.1.10 as my primary DNS on my home router.

Within Pi-hole, I can see the list of the LAN devices I have (attached).

Is there a way I can configure something within Pi-hole, or similar, to allow Pi-hole to block ads both when I’m connected via VPN and when I’m disconnected but using my home WiFi?

Test I did:
1- All devices connected to my WiFi are getting the Raspberry Pi IP as DNS. I browsed the internet and all ads appear.

2- Connected a laptop to my smartphone’s internet as a hotspot, enabled the WireGuard VPN, browsed again or refreshed the same page, and the ads disappeared.

3- I did the same exercise with my smartphone: connected through the WiFi all ads are present; using mobile data and connected to the VPN, all ads are gone.

4- I recently tried macvlan because I saw it could be useful to connect a virtual network to the container using a real IP from my LAN. I see Pi-hole logs the IPs and even the MACs of my devices, but it still doesn’t block the ads.

Apparently, your docker-compose works as intended by its author (quoting from Using WireGuard Easy with Pi Hole · wg-easy/wg-easy Wiki · GitHub):

By default, all connected clients will use Pi-Hole as DNS server.

So instead of using that docker-compose, you could try to configure Pi-hole in a different container, next to wg-easy's default setup, and point your wg-easy container's WG_DEFAULT_DNS to your Pi-hole's IP.
However, whether that would actually work depends on how wg-easy makes use of WG_DEFAULT_DNS.

As that is internal to wg-easy, you should consider consulting wg-easy's maintainers for support.

Hi, thanks for your response. I think the issue is that, apparently, if I use a secondary DNS (required on my router), the traffic bypasses Pi-hole ad blocking when I am connected to my WiFi network.

Connected to the WireGuard VPN it is working fine because it is using just one IP address as DNS, which in my case is the Pi-hole IP.
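The tests in the first post and the "secondary DNS bypasses Pi-hole" diagnosis above both come down to one question: which resolver is actually answering a LAN client, and is that resolver sinkholing the name? The script below is an added example, not code from the thread or from Pi-hole or wg-easy. It sends a raw DNS query to a chosen resolver and classifies the reply: Pi-hole in its default NULL blocking mode answers blocked names with 0.0.0.0 (A) or :: (AAAA), while a public resolver returns the real address. The Pi-hole address 192.168.1.10 is taken from the post; SECONDARY_DNS and BLOCKED_NAME are placeholders you replace with your router's secondary resolver and a name you know is on your blocklist. Run it once against each resolver your clients are handed; if the secondary one reports "resolved" for a blocklisted name, any client that round-robins or fails over to it gets ads.

```python
import random
import socket
import struct

# Values from the thread / placeholders (replace the placeholders with your own)
PIHOLE_DNS = "192.168.1.10"        # Raspberry Pi / Pi-hole IP named in the post
SECONDARY_DNS = "203.0.113.53"     # PLACEHOLDER: whatever you entered as router secondary DNS
BLOCKED_NAME = "blocked.example"   # PLACEHOLDER: a name that is on your Pi-hole blocklist
CONTROL_NAME = "example.com"       # a name that should resolve normally everywhere

# Pi-hole's default (NULL) blocking mode answers with these sinkhole addresses
SINKHOLE_ANSWERS = {"0.0.0.0", "::"}


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query: one question, recursion desired. Returns (txid, bytes)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)  # class IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_answers(data, txid):
    """Return (rcode, [address strings]) from a DNS response to our query."""
    rtxid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rtxid != txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):               # skip echoed question(s)
        offset = _skip_name(data, offset) + 4
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:      # A
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:  # AAAA
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addrs


def classify(rcode, addrs):
    """Map a reply to what it means for ad blocking."""
    if rcode == 3:
        return "nxdomain"                  # Pi-hole in NXDOMAIN blocking mode, or name really absent
    if rcode != 0:
        return "error"
    if addrs and all(a in SINKHOLE_ANSWERS for a in addrs):
        return "blocked"                   # Pi-hole NULL mode sinkhole
    return "resolved" if addrs else "empty"


def query_resolver(resolver_ip, name, timeout=2.0):
    """Send one A query to resolver_ip:53 and classify the answer (needs network)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify(*parse_answers(data, txid))


if __name__ == "__main__":
    # Live check: a resolver that reports "resolved" for BLOCKED_NAME is bypassing Pi-hole.
    for resolver in (PIHOLE_DNS, SECONDARY_DNS):
        for name in (BLOCKED_NAME, CONTROL_NAME):
            try:
                print(f"{resolver:15} {name:20} {query_resolver(resolver, name)}")
            except (OSError, ValueError) as exc:
                print(f"{resolver:15} {name:20} failed: {exc}")
```

Running this from a LAN client (not from the Pi itself) is the point: it reproduces what the browser's resolver does, so a "resolved" verdict from the secondary DNS for a blocklisted name confirms the bypass path. The parser handles compression pointers in the answer section and only trusts replies whose transaction id matches, so a stray or spoofed datagram is not mistaken for the resolver's answer.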

Let me repeat:
As per the docker-compose author's quote, the docker-compose you are using is designed to serve only Wireguard clients.

If you want your home network to make use of Pi-hole, you have to use a different configuration.

You can try my suggestion above of running Pi-hole in a separate container, but if that doesn't work, you'd have to seek advice from the wg-easy maintainers on how to make their WireGuard container send its DNS traffic to a Pi-hole container that you want to serve WireGuard as well as your private home network.
