
WireGuard+PiHole

2020-12-23

Today I added a PiHole server to my WireGuard always-on tunnel. Very simple if a default-gateway tunnel already exists (see earlier posts).

  • Get PiHole install script from https://install.pi-hole.net:
    toe@wgde ~ % wget "https://install.pi-hole.net" --output-document=install_pihole.sh
    
  • Read the script! (Don't just pipe some curl payload from some URL into a root shell! Don't trust. Verify!)
  • Install:
    toe@wgde ~ % sudo bash install_pihole.sh
    
  • Set the listening IP to the local tunnel endpoint (10.192.0.6 here)
  • Set the gateway to the system's default gateway (not a wg address). This is for pulling upstream DNS records and blacklists.
  • Decide for yourself whether you want logs/statistics
  • Decide for yourself whether you want the web interface -- the DNS server will work just fine without it
  • Add iptables rules:
    toe@wgde ~ % cat /etc/iptables/rules.v4
    (...)
    -A INPUT -i wg0 -p tcp -m tcp -d 10.192.0.6/32 --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -i wg0 -p udp -m udp -d 10.192.0.6/32 --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    (...)
    
  • Make sure clients use the wg server's tunnel address (10.192.0.6 here) as their DNS server
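The whole firewall and client side of the steps above, as an added example that is not from the original post: a small POSIX sh helper that renders the tunnel-only INPUT rules for a given interface and tunnel address, checks an existing rules.v4 excerpt for a rule before appending it, and produces the DNS line for client configs. Interface wg0 and address 10.192.0.6 are taken from the post; the function names, the sample rules text, and the extra TCP 53 rule (which the post does not list) are my additions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed: interface wg0 and
# tunnel address 10.192.0.6 as in the post; all function names are mine.

# pihole_rules IFACE TUNNEL_IP [yes|no]
# Print INPUT rules that accept DNS (UDP and TCP 53) and, optionally, the web
# interface (TCP 443) only for packets arriving on the tunnel interface and
# addressed to the tunnel endpoint. Nothing is opened on the public interface,
# so the resolver cannot be used as an open resolver from the internet.
pihole_rules() {
    iface=$1
    ip=$2
    with_web=${3:-no}
    printf -- '-A INPUT -i %s -p udp -m udp -d %s/32 --dport 53 -m conntrack --ctstate NEW -j ACCEPT\n' "$iface" "$ip"
    # TCP 53 is needed for answers too large for UDP (truncated replies, DNSSEC).
    printf -- '-A INPUT -i %s -p tcp -m tcp -d %s/32 --dport 53 -m conntrack --ctstate NEW -j ACCEPT\n' "$iface" "$ip"
    if [ "$with_web" = yes ]; then
        printf -- '-A INPUT -i %s -p tcp -m tcp -d %s/32 --dport 443 -m conntrack --ctstate NEW -j ACCEPT\n' "$iface" "$ip"
    fi
}

# has_rule RULES_TEXT PROTO PORT IFACE TUNNEL_IP
# Succeed (exit 0) if RULES_TEXT already contains an ACCEPT rule for that
# protocol/port restricted to the tunnel interface and address. Use it against
# /etc/iptables/rules.v4 before appending, to avoid duplicate rules.
has_rule() {
    printf '%s\n' "$1" | grep -q -- "-A INPUT -i $4 -p $2 -m $2 -d $5/32 --dport $3 .*-j ACCEPT"
}

# client_dns_line TUNNEL_IP
# The line for the [Interface] section of each WireGuard client config so that
# queries are sent through the tunnel to Pi-hole instead of a local resolver.
client_dns_line() {
    printf 'DNS = %s\n' "$1"
}

# Constructed sample: the two rules shown in the post's rules.v4 excerpt.
SAMPLE_RULES='-A INPUT -i wg0 -p tcp -m tcp -d 10.192.0.6/32 --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wg0 -p udp -m udp -d 10.192.0.6/32 --dport 53 -m conntrack --ctstate NEW -j ACCEPT'

# Usage when run directly: show the full rule set and flag what the sample lacks.
pihole_rules wg0 10.192.0.6 yes
has_rule "$SAMPLE_RULES" tcp 53 wg0 10.192.0.6 || echo "sample rules.v4 has no TCP 53 rule"
client_dns_line 10.192.0.6
```

Run it on the real file with `has_rule "$(cat /etc/iptables/rules.v4)" udp 53 wg0 10.192.0.6` and append only the rules that are missing; after `iptables-restore`, confirm from a client that `dig @10.192.0.6 +tcp` answers as well as plain UDP.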