I'm at a complete loss... No matter what I do, I cannot get wireguard to use PiHole's DNS.
original reddit post here
Updated configs below:
Symptoms:
- When connecting to wireguard, I can access my internal services using the IP address directly, but domain names are not resolved from the PiHole DNS.
- PiHole DNS works under normal conditions (inside the LAN; not connected to the VPN).
- Wireguard works, in that I am connected to my remote machine and my IP shows it's coming from there. I can browse the web no problem and access my internal services using IP addresses, but not by domain name.
Interesting symptom:
- When connected with wireguard, and running
  $ drill 1.1.1.1
  on the client machine, I get
  Error: error sending query: Could not send or receive, because of network error
  However, I'm still able to resolve webpages in my browser, like https://reddit.com.
  The same occurs when using
  $ drill <containerIp or hostDnsIp>
- PiHole DNS also doesn't work with openvpn.
Set up:
- Wireguard and Pi-Hole running on the same host in docker. The host is a Proxmox Debian VM.
- IP address of the host VM (that hosts both PiHole and Wireguard): 10.0.0.18
- Firewall is disabled.
- Host's /etc/sysctl.conf:
  ...
  # Uncomment the next line to enable packet forwarding for IPv4
  net.ipv4.ip_forward=1
  ...
- Both are connected on the same docker network (also tried in separate docker networks):
  "Containers": {
      "1e7ce2595480c3d74ab97268f1a6ef106846a7b4614bca567bcb8f50450074f4": {
          "Name": "pihole",
          "EndpointID": "d5309387e70e8869530fcc3a05b49d10937a507b8b64db242b8041c94b63b827",
          "MacAddress": "02:42:ac:13:00:02",
          "IPv4Address": "172.19.0.2/16",
          "IPv6Address": ""
      },
      "8ce09733f051c62daf304fa693f796dd087c349561e603b97848e250bcba4f7d": {
          "Name": "wireguard",
          "EndpointID": "c4084f1d73730750f62affe42494676560472fda39385e948a4805b5462d9491",
          "MacAddress": "02:42:ac:13:00:03",
          "IPv4Address": "172.19.0.3/16",
          "IPv6Address": ""
      }
  },
- The host's /etc/resolv.conf (tried many variations of this, including just using a single IP from the container or the host):
  # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
  # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
  # 127.0.0.53 is the systemd-resolved stub resolver.
  # run "resolvectl status" to see details about the actual nameservers.
  nameserver 172.19.0.2 # PiHole Container DNS
  nameserver 10.0.0.18 # Host IP
  127.0.0.53
- Linux client /etc/wireguard/wg0.conf (also tried without the PostUp and PostDown):
  [Interface]
  Address = 10.0.1.2
  PostUp = iptables -A FORWARD -o %i -j ACCEPT
  PostDown = iptables -D FORWARD -o %i -j ACCEPT
  PrivateKey = ...
  ListenPort = 51820
  DNS = 172.19.0.2 # Also tried with 10.0.0.18

  [Peer]
  PublicKey = ...
  Endpoint = wireguard.domain.com:51820
  AllowedIPs = 0.0.0.0/0
- Enabled "Listen on all interfaces, permit all origins" in the PiHole Web Settings.
- PiHole docker-compose.yml:

version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    #network_mode: host
    networks:
      default:
      dns:
        ipv4_address: 172.19.0.2
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "8001:80/tcp"
    environment:
      TZ: 'America/Arizona'
      WEBPASSWORD: '..'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
      # - './lighttpd.conf:/etc/lighttpd/lighttpd.conf'
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: always

networks:
  dns:
    driver: bridge
    ipam:
      config:
        - subnet: 172.19.0.0/16
          gateway: 172.19.0.1
- Tried setting DELAY_STARTUP=5 in the pihole-FTL config.
- Tried running the PiHole using the host network (DNS completely fails, even without the VPN).
- docker-compose.yml for Wireguard:
version: "2.1"
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    networks:
      - 'pihole_dns'
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Arizona
      - SERVERURL=wireguard.domain.com #optional
      - SERVERPORT=51820 #optional
      - PEERS=10 #optional
      - PEERDNS=172.19.0.2 #optional
      - INTERNAL_SUBNET=10.0.1.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
    volumes:
      - .:/config
      - .:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: always

networks:
  pihole_dns:
    external: true
- Host iptables:

$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 2056 packets, 214K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3128 3000K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
3128 3000K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
1461 483K ACCEPT all -- * br-43a3a2d04f93 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
99 6985 DOCKER all -- * br-43a3a2d04f93 0.0.0.0/0 0.0.0.0/0
1568 2510K ACCEPT all -- br-43a3a2d04f93 !br-43a3a2d04f93 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br-43a3a2d04f93 br-43a3a2d04f93 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1276 packets, 135K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
7 420 ACCEPT tcp -- !br-43a3a2d04f93 br-43a3a2d04f93 0.0.0.0/0 172.19.0.2 tcp dpt:80
0 0 ACCEPT udp -- !br-43a3a2d04f93 br-43a3a2d04f93 0.0.0.0/0 172.19.0.2 udp dpt:67
0 0 ACCEPT tcp -- !br-43a3a2d04f93 br-43a3a2d04f93 0.0.0.0/0 172.19.0.2 tcp dpt:53
91 6389 ACCEPT udp -- !br-43a3a2d04f93 br-43a3a2d04f93 0.0.0.0/0 172.19.0.2 udp dpt:53
1 176 ACCEPT udp -- !br-43a3a2d04f93 br-43a3a2d04f93 0.0.0.0/0 172.19.0.3 udp dpt:51820
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
1568 2510K DOCKER-ISOLATION-STAGE-2 all -- br-43a3a2d04f93 !br-43a3a2d04f93 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
3525 3051K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-43a3a2d04f93 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
1767 2522K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
3525 3051K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
- At each step, I've also made sure to flush my DNS cache and restart systemd-resolved.service on my client machine.
- Forums I've taken a look at and tried:
  - https://www.reddit.com/r/WireGuard/comments/og0u3g/wireguard_not_using_pihole_dns/
  - Pihole doesn't work with wireguard
  - https://docs.pi-hole.net/guides/vpn/wireguard/faq/
  - Pi-Hole + Unbound + Wireguard: Home network access but no DNS
  - https://stackoverflow.com/questions/64017122/accessing-the-pihole-dns-service-over-the-wireguard-tunnel-not-possible

Anyone see anything I'm missing or can try?
Thanks.
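A client-side check for the situation described in this post, added here as an example; it is not part of the original post and not code from the WireGuard, linuxserver or Pi-hole projects. It reads the wg-quick config, verifies that every DNS= server falls inside a peer's AllowedIPs (wg-quick installs the resolver regardless, but only addresses covered by AllowedIPs are routed into the tunnel, so a split-tunnel config silently sends DNS out of the physical interface), and then sends one query straight at each server with dig, so the UDP/53 path is tested on its own rather than through whatever the browser does. The config path, the dig dependency and the two sample configs used in the test are assumptions; the script is POSIX sh and needs no bash-specific features.

```shell
#!/bin/sh
# wg-dns-check.sh: added diagnostic, not from the post above or from any project.
# Run on the Linux client while the tunnel is up:
#   ./wg-dns-check.sh /etc/wireguard/wg0.conf [name-to-resolve]

# ip2int A.B.C.D -> the address as a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP -> exit 0 if IP lies inside CIDR (IPv4 only).
# A bare address without a prefix length is treated as /32, as wg-quick does.
cidr_contains() {
  local net=${1%/*} bits=${1#*/} ip=$2 mask
  [ "$net" = "$1" ] && bits=32
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$ip") & mask )) ]
}

# conf_value FILE KEY -> the value of every "Key = value" line in a wg-quick
# config, with inline "# ..." comments and all whitespace removed
# ("AllowedIPs = 10.0.0.0/8, ::/0" becomes "10.0.0.0/8,::/0").
conf_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#]*).*/\1/p" "$1" | tr -d ' \t'
}

# dns_routed_via_tunnel FILE -> exit 0 when every IPv4 DNS= server is covered
# by some peer's AllowedIPs; otherwise print the offender and exit 1.
dns_routed_via_tunnel() {
  local conf=$1 dns cidr ok dns_list allowed
  dns_list=$(conf_value "$conf" DNS | tr ',' ' ')
  [ -n "$dns_list" ] || { echo "no DNS= line in $conf; wg-quick will not change the client's resolver"; return 1; }
  allowed=$(conf_value "$conf" AllowedIPs | tr ',' ' ')
  for dns in $dns_list; do
    case $dns in *[!0-9.]*) continue ;; esac   # skip IPv6 servers and search domains
    ok=1
    for cidr in $allowed; do
      case $cidr in *:*) continue ;; esac        # skip IPv6 prefixes
      cidr_contains "$cidr" "$dns" && { ok=0; break; }
    done
    [ "$ok" -eq 0 ] || { echo "DNS server $dns is outside AllowedIPs ($allowed)"; return 1; }
  done
  return 0
}

# probe_dns SERVER NAME -> send one A query straight at SERVER over UDP/53.
# Needs dig (dnsutils / bind-utils); this part is not exercised offline.
probe_dns() {
  local server=$1 name=$2
  command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 2; }
  dig +time=2 +tries=1 +short "@$server" "$name" A
}

main() {
  local conf=${1:-/etc/wireguard/wg0.conf} name=${2:-example.com} s
  [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
  dns_routed_via_tunnel "$conf" && echo "all DNS= servers are inside AllowedIPs"
  for s in $(conf_value "$conf" DNS | tr ',' ' '); do
    case $s in *[!0-9.]*) continue ;; esac
    echo "== querying $s for $name =="
    probe_dns "$s" "$name" || echo "no answer from $s: the query did not get through the tunnel, or the server did not reply"
  done
}

# Only run main when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the routing check passes and dig still times out against 172.19.0.2 but not against 10.0.0.18, the problem is between the WireGuard container and the Pi-hole container rather than in the client's resolver setup; if dig fails while the browser keeps resolving names, the browser is answering from somewhere other than the resolver wg-quick installed (its own DoH setting or a cached/fallback resolver), so browser behaviour is not a useful probe for this.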