Wireguard docker bridge ip used in pi-hole. Want client ip used

Hi, I am using Pi-hole and wg-easy (Wireguard) and am using both in docker.
They both work, and work together.
However, there is one small issue: the IP address that shows up in pi-hole is 172.17.0.1, no matter which wireguard client is used.

In the wireguard docker container, I have:
WG_DEFAULT_ADDRESS=10.8.0.x
This led me to believe that my client, 10.8.0.1, should show up in pi-hole as 10.8.0.1.
The wireguard container is in the bridge network.
Instead all queries from 10.8.0.1 (my phone connected to wireguard) show up as 172.17.0.1 on the pi-hole interface. (this is the docker bridge ip address)

My pihole-FTL.conf:

MACVENDORDB=/macvendor.db
LOCAL_IPV4=0.0.0.0
ANALYZE_ONLY_A_AND_AAAA=true
RATE_LIMIT=1000/60
BLOCK_ICLOUD_PR=false

My resolv.conf:

search home.arpa
nameserver 9.9.9.9

home.arpa is set in the general setup of pfsense under domain.

Is there a way to get pi-hole to see or read the ip addresses from wireguard instead of the bridge ip? If I make a new network for wireguard, won't pi-hole just use that ip instead? How do I get it to differentiate between clients?
Thanks!

If Wireguard and/or Docker would NAT your clients' DNS requests, then you'd have to change your Wireguard's container configuration.

Please share your docker-compose or docker run script.

docker run -d \
-p port:51820/udp \
-p 51821:51821/tcp \
--name wg-easy \
--restart unless-stopped \
-v /home/user/wg-easy:/etc/wireguard \
-e PORT=51821 \
-e WG_PORT=port \
-e PASSWORD_HASH='hash' \
-e LANG=en \
-e WG_HOST=pub_ip \
-e UI_TRAFFIC_STATS=true \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--sysctl="net.ipv4.ip_forward=1" \
ghcr.io/wg-easy/wg-easy:latest

docker run -d \
--name pihole \
-p "192.168.0.2:53:53/tcp" \
-p "192.168.0.2:53:53/udp" \
-p "8800:80/tcp" \
--restart unless-stopped \
-v /home/user/pihole/etc-pihole:/etc/pihole \
-v /home/user/pihole/etc-dnsmasq.d:/etc/dnsmasq.d \
-v /home/user/pihole/resolv.conf:/etc/resolv.conf \
-v /home/user/pihole/pihole-FTL.conf:/etc/pihole/pihole-FTL.conf \
-e TZ=tz \
-e WEBPASSWORD=password \
-e IPv6=false \
-e DNS1=9.9.9.9 \
-e DNS2=149.112.112.112 \
pihole/pihole:latest

Pi-hole will just report queries as it receives them. If there is just one IP sending them, then that has to be addressed on the client side.

It seems you are running your Pi-hole and Wireguard containers with Docker's default bridge network, which likely causes the NATting you observe.

Did you try to run them in a custom bridge network, just as suggested in Using WireGuard Easy with Pi Hole · wg-easy/wg-easy Wiki · GitHub?

As this is related to wg-easy's Docker container, you should also consider raising the question with them.
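
A way to confirm the symptom discussed in this thread from Pi-hole's own query log, as an added example that is not code from any poster or from the Pi-hole or wg-easy projects. It assumes dnsmasq-style `query[...] <name> from <ip>` log lines, takes the tunnel range from WG_DEFAULT_ADDRESS=10.8.0.x, and assumes Docker's default bridge range 172.17.0.0/16; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not taken from the thread): dnsmasq-style query lines as found
# in pihole.log, and Docker's default bridge range 172.17.0.0/16.
QUERY_RE = re.compile(r"query\[[^\]]+\] \S+ from (\S+)$")
TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")    # from WG_DEFAULT_ADDRESS=10.8.0.x
BRIDGE_NET = ipaddress.ip_network("172.17.0.0/16")  # contains 172.17.0.1 from the thread

# Constructed sample log lines, not real captured data.
SAMPLE_LOG = """\
Jun 12 10:15:01 dnsmasq[345]: query[A] example.com from 172.17.0.1
Jun 12 10:15:01 dnsmasq[345]: forwarded example.com to 9.9.9.9
Jun 12 10:15:02 dnsmasq[345]: query[AAAA] example.org from 172.17.0.1
Jun 12 10:15:07 dnsmasq[345]: query[A] pfsense.home.arpa from 192.168.0.10
"""

def client_counts(log_text):
    """Count queries per source address, skipping non-query and malformed lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line.strip())
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # source field was not an IP address
    return counts

def diagnose(log_text, tunnel=TUNNEL_NET, bridge=BRIDGE_NET):
    """Report whether tunnel clients are visible or hidden behind the bridge IP."""
    counts = client_counts(log_text)
    in_tunnel = sum(n for ip, n in counts.items() if ip in tunnel)
    in_bridge = sum(n for ip, n in counts.items() if ip in bridge)
    if in_tunnel:
        verdict = "tunnel clients visible"
    elif in_bridge:
        verdict = "source NAT: queries arrive from the Docker bridge"
    else:
        verdict = "no tunnel or bridge traffic seen"
    return {"tunnel": in_tunnel, "bridge": in_bridge,
            "distinct_clients": len(counts), "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Running it again after a network change shows whether queries have started arriving from 10.8.0.x addresses.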
