WireGuard Client Port 53 w/Pi-Hole on Google Cloud Compute Micro Instance

I am not a system admin. I am only poorly self-taught with Linux. Suffice it to say that healthcare is my full-time job. So, if I error here, just let me know, and I’ll move on.

I have set up a micro instance (free) of Debian on a Google Cloud Compute Engine. It provided me an external IP and even a firewall.

I installed WireGuard and Pi-Hole. I have my client’s WireGuard DNS point to my Pi-Hole on the internal IP of the micro instance. The only ports that I have to open on the instance firewall are the port for the WireGuard Interface Listen Port and port 22 so I can SSH into my instance.

The setup works incredibly well as a split tunnel serving DNS to my WireGuard Client on my iPhone / Mac / etc. It also works well as a full tunnel when needed. That is all true as long as I am using port 1194 for the WireGuard Interface Listen Port.

However, if I try to change the Listen Port of the WireGuard Interface to port 53, the Pi-Hole DNS (FTL?) engine will not start. I know this is because Pi-Hole uses port 53 as the Listen Port for all incoming IPs.

If I read correctly, this process is called binding and involves ports and binding sockets? I read there is a way to bind one port to two Interfaces as long as either they use separate IPs or each Interface uses UDP. I believe that one or both of these criteria have been filled.

The problem becomes how? I am not sure how. I have tried modifying some configuration files but I really have no idea.

The reason I would like to use port 53 is that in countries where the healthcare is poor and we go to help, the firewalls are very restrictive. Oftentimes, the only port out is 53. They rarely seem to run their own DNS or use a well-built proxy.

Before others mention Iodine, yes, I have tried it. It is horribly slow in these countries where the bandwidth is not good. In any case, I appreciate any help; if I erred in asking or this is the wrong place, I apologize.

Bind Wireguard to the IP on the eth0 interface on port 53.
Bind pihole-FTL to the IP on the VPN wg0 interface on port 53.
Also bind pihole-FTL to the IP of the internal loopback interface called "lo" on port 53 for local running software to do DNS lookups.

Suppose eth0 interface public IP is 99.99.99.99.
And suppose Wireguard wg0 interface IP is 10.0.0.1.

wireguard  --> eth0 --> 99.99.99.99:53
pihole-FTL --> wg0  -->    10.0.0.1:53
pihole-FTL --> lo   -->   127.0.0.1:53

To check the IPs on the interfaces, run the one below:

ip a

Or, more specifically, show IPv4 on the wg0 interface:

ip -4 address show wg0

Wireguard needs to push IP 10.0.0.1 as DNS server to its VPN clients.

If you run netstat, below is how it should look with the above example IPs:

$ sudo netstat -nltup | grep 'Proto\|:53 '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      686/pihole-FTL
tcp        0      0 10.0.0.1:53             0.0.0.0:*               LISTEN      686/pihole-FTL
udp        0      0 127.0.0.1:53            0.0.0.0:*                           686/pihole-FTL
udp        0      0 10.0.0.1:53             0.0.0.0:*                           686/pihole-FTL
udp        0      0 99.99.99.99:53          0.0.0.0:*                           999/wireguard

To have pihole-FTL listen/bind on the wg0 and lo IPs, run the one below, select reconfigure, and when asked for the interface, select the wg0 one:

pihole -r

Not sure if that is sufficient, but run netstat to check.
If pihole-FTL is still listening on all IPs (0.0.0.0), you could create a new config file, for example:

/etc/dnsmasq.d/99-my-settings.conf

Containing:

listen-address=127.0.0.1,10.0.0.1
bind-interfaces

And restart pihole-FTL to apply:

sudo service pihole-FTL restart

And check with netstat oc.

I don't know how to bind Wireguard as I have no experience with this one.

PS. I have only posted how to do this with IPv4, as I wouldn't know how to with IPv6 :wink:
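As an added example (not from the original thread or from either poster), here is a small checker that parses `netstat -nltup` output like the listing above and verifies the intended layout: pihole-FTL on 127.0.0.1 and 10.0.0.1 over both tcp and udp, the VPN listener on the eth0 IP over udp, and no listener left on the wildcard 0.0.0.0, which is what blocks a second program from taking port 53 on a specific address. The sample listings are constructed from the answer's example IPs; the "before" listing shows pihole-FTL still on 0.0.0.0, as it would be before `pihole -r` or the dnsmasq `listen-address`/`bind-interfaces` settings take effect (IPv4 only, like the answer).

```python
from collections import defaultdict

# Constructed sample, modelled on the netstat listing in the answer above.
SAMPLE_GOOD = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      686/pihole-FTL
tcp        0      0 10.0.0.1:53             0.0.0.0:*               LISTEN      686/pihole-FTL
udp        0      0 127.0.0.1:53            0.0.0.0:*                           686/pihole-FTL
udp        0      0 10.0.0.1:53             0.0.0.0:*                           686/pihole-FTL
udp        0      0 99.99.99.99:53          0.0.0.0:*                           999/wireguard
"""
# Constructed "before" state: pihole-FTL still holds the wildcard address, so
# a wireguard socket on 99.99.99.99:53/udp collides with it.
SAMPLE_BAD = SAMPLE_GOOD.replace("10.0.0.1:53", "0.0.0.0:53")

WILDCARD = "0.0.0.0"


def parse_listeners(text):
    """Return (proto, ip, port, program) tuples from `netstat -nltup` output (IPv4 only)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if f and f[0] in ("tcp", "udp"):
            ip, port = f[3].rsplit(":", 1)
            rows.append((f[0], ip, int(port), f[-1].split("/", 1)[-1]))
    return rows


def port_conflicts(listeners, port=53):
    """A socket bound to 0.0.0.0 claims the port on every address, so it collides
    with any other program holding a specific IP on the same proto/port."""
    by_proto = defaultdict(list)
    for proto, ip, p, prog in listeners:
        if p == port:
            by_proto[proto].append((ip, prog))
    conflicts = []
    for proto, entries in by_proto.items():
        wild = {prog for ip, prog in entries if ip == WILDCARD}
        for ip, prog in entries:
            if ip != WILDCARD and wild - {prog}:
                conflicts.append((proto, ip, prog, sorted(wild - {prog})))
    return conflicts


def check_split(listeners, dns_ips=("127.0.0.1", "10.0.0.1"), vpn_ip="99.99.99.99"):
    """Return (missing bindings, conflicts) for the layout described in the answer:
    DNS on each dns_ip over tcp+udp, the VPN on vpn_ip over udp, nothing on 0.0.0.0."""
    bound = {(proto, ip) for proto, ip, p, _ in listeners if p == 53}
    missing = [(pr, ip) for ip in dns_ips for pr in ("tcp", "udp") if (pr, ip) not in bound]
    if ("udp", vpn_ip) not in bound:
        missing.append(("udp", vpn_ip))
    return missing, port_conflicts(listeners)
```

On a live host, feed `check_split(parse_listeners(subprocess.check_output(["netstat", "-nltup"], text=True)))` the real listing; an empty pair means the bindings match the answer's diagram.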

Thank you deHakkelaar! This is precisely what I needed. I can handle the WireGuard half.

This can be considered resolved.

