I have a Raspberry Pi 4b 2gb acting as an edge server with the docker engine and docker compose plug in installed:
```
$ docker --version
Docker version 20.10.22, build 3a2c30b
$ docker compose version
Docker Compose version v2.14.1
```
My network router is at 192.168.1.1. The router forwards wireguard traffic to the edge server.
The edge server is at 192.168.1.91.
My pihole docker container works well. I am using it for ad blocking and local DNS, but not for DHCP, which is being handled by my Netgear Router. It uses the following docker-compose.yml structure:
```yaml
version: '3'
networks:
  edge:
    name: edge
    external: true
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    hostname: edge-server
    shm_size: 768mb
    ports:
      - "53:53/tcp" # dns
      - "53:53/udp" # dns
      - "8080:80/tcp" # web
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${WEBPASSWORD}
      - FTLCONF_LOCAL_IPV4=192.168.1.91
      - PIHOLE_DNS_=208.67.222.222;208.67.220.220
      - DNSMASQ_LISTENING=all
      - FTLCONF_RATE_LIMIT=0/0
    volumes:
      - ${DIRECTORY_PIHOLE}:/etc/pihole/
      - ${DIRECTORY_DNSMASQ}:/etc/dnsmasq.d/
    networks:
      edge:
        ipv4_address: 172.16.0.61
    restart: unless-stopped
```
My pihole configuration includes 32 Local DNS Records for devices on my network. The settings also permit all origins.
On the edge server I have created a bridge network with the following settings:
```
docker network create --driver bridge --ipam-driver default \
    --subnet 172.16.0.0/24 --gateway 172.16.0.1 edge
```
The other docker containers running services on the edge server connect to the same docker network, and I have set the containers to have the following ip addresses:
| Name | Network | Hostname | ip address | Gateway |
|---|---|---|---|---|
| duckdns | edge | edge-server | 172.16.0.11 | 172.16.0.1 |
| npm_app | edge | edge-server | 172.16.0.21 | 172.16.0.1 |
| npm_db | edge | edge-server | 172.16.0.26 | 172.16.0.1 |
| wireguard | edge | edge-server | 172.16.0.31 | 172.16.0.1 |
| uptime-kuma | edge | edge-server | 172.16.0.41 | 172.16.0.1 |
| netdata | edge | edge-server | 172.16.0.51 | 172.16.0.1 |
| pihole | edge | edge-server | 172.16.0.61 | 172.16.0.1 |
The network on the edge server has the following relevant entries in ifconfig:
```
$ ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.91  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::e839:490d:913c:7957  prefixlen 64  scopeid 0x20<link>
        ether e4:5f:01:0c:74:46  txqueuelen 1000  (Ethernet)
        RX packets 26258998  bytes 5743183125 (5.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15522922  bytes 3370294593 (3.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
$ ifconfig br-1fea8a449a07
br-1fea8a449a07: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.1  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::42:11ff:fe3f:1a7  prefixlen 64  scopeid 0x20<link>
        ether 02:42:11:3f:01:a7  txqueuelen 0  (Ethernet)
        RX packets 2898209  bytes 2325655500 (2.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3000493  bytes 3571468991 (3.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
$ ifconfig lo
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 163469  bytes 10690634 (10.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 163469  bytes 10690634 (10.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
On a remote device such as a phone or laptop I can connect to my wireguard docker container, which routes me through to the internet, but does not allow me to access my network via domain names. For example, rather than using http://edge-server:8080/admin to access the pi-hole dashboard, I have to use http://192.168.1.91:8080/admin when connected remotely. The wireguard container uses the following docker-compose.yml structure:
```yaml
version: '2.1'
networks:
  edge:
    name: edge
    external: true
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    hostname: edge-server
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    ports:
      - '51820:51820/udp' # wireguard
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SERVERURL=${SERVERURL}
      - SERVERPORT=${SERVERPORT}
      - PEERS=${PEERS}
      - PEERDNS=172.16.0.61
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=10.13.13.0/24,172.16.0.0/24,192.168.1.0/24,0.0.0.0/0
      - LOG_CONFS=false
    volumes:
      - ${APPDATA}:/config
      - /lib/modules:/lib/modules
    networks:
      edge:
        ipv4_address: 172.16.0.31
    restart: unless-stopped
```
The wireguard container generated the following wg0.conf file:
```ini
[Interface]
Address = 10.13.13.1
ListenPort = [port]
PrivateKey = [key]
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_test
PublicKey = [key]
PresharedKey = [key]
AllowedIPs = 10.13.13.2/32
```
Along with the following peer_test.conf file:
```ini
[Interface]
Address = 10.13.13.2
PrivateKey = [key]
ListenPort = [port]
DNS = 172.16.0.61

[Peer]
PublicKey = [key]
PresharedKey = [key]
Endpoint = [serverurl]:[serverport]
AllowedIPs = 10.13.13.0/24,172.16.0.0/24,192.168.1.0/24,0.0.0.0/0
```
I've tried to set the wireguard DNS to 172.16.0.61 and 192.168.1.91 but I feel I've been trying different things and need to take a step back.
If anyone has any insight on this, I'd very much appreciate it!
The pihole debug token has been uploaded.
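A small added checker (not part of the post or of the linuxserver/wireguard image) that parses a wg-quick peer config like peer_test.conf above and reports whether the `DNS=` server falls inside the peer's `AllowedIPs` (so DNS queries actually enter the tunnel) and whether a search domain is pushed, which wg-quick expresses as a non-IP entry in `DNS=`; the sample config is constructed from the post with keys elided, and the search-domain check is an assumption about why a bare name such as `edge-server` might not resolve on a remote client.

```python
"""Sanity-check DNS-through-tunnel settings in a WireGuard peer config."""
import ipaddress

# Constructed sample modelled on the post's peer_test.conf (keys elided).
PEER_CONF = """\
[Interface]
Address = 10.13.13.2
PrivateKey = [key]
DNS = 172.16.0.61
[Peer]
# peer_test
PublicKey = [key]
Endpoint = [serverurl]:[serverport]
AllowedIPs = 10.13.13.0/24,172.16.0.0/24,192.168.1.0/24,0.0.0.0/0
"""


def parse_wg(text):
    """Parse a wg-quick file into [(section_name, {key: value}), ...].
    Duplicate [Peer] sections stay separate (configparser would merge them)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, val = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = val
    return sections


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_checks(text):
    """Return {check_name: bool} for the tunnel's DNS routing settings."""
    secs = parse_wg(text)
    iface = next(d for name, d in secs if name == "Interface")
    dns_entries = [s.strip() for s in iface.get("DNS", "").split(",") if s.strip()]
    servers = [ipaddress.ip_address(s) for s in dns_entries if _is_ip(s)]
    allowed = [ipaddress.ip_network(n.strip()) for name, d in secs if name == "Peer"
               for n in d.get("AllowedIPs", "").split(",") if n.strip()]
    return {
        "dns_set": bool(servers),
        # Every DNS server must be covered by some AllowedIPs route.
        "dns_routed_via_tunnel": bool(servers) and all(any(s in n for n in allowed) for s in servers),
        "full_tunnel": any(n.prefixlen == 0 for n in allowed),  # 0.0.0.0/0 present
        # Non-IP DNS= entries are search domains; without one, "edge-server" is not qualified.
        "search_domain_pushed": any(not _is_ip(s) for s in dns_entries),
    }
```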