WireHole is a combination of WireGuard, Pi-hole, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities thanks to Pi-hole, and DNS caching, additional privacy options, and upstream providers via Unbound.
I have made a docker compose file based on this as follows (urls etc changed for obvious reasons).
version: "3"
networks:
private_network:
ipam:
driver: default
config:
- subnet: 10.2.0.0/24
services:
wireguard:
depends_on: [pihole]
image: linuxserver/wireguard
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/London # Change to your timezone
- SERVERPORT=51820
- SERVERURL=testvpn.test.com #optional - For use with DDNS (Uncomment to use)
- PEERS=2 # How many peers to generate for you (clients)
- PEERDNS=10.2.0.100 # Set it to point to pihole
- INTERNAL_SUBNET=10.6.0.0
volumes:
- ./wireguard:/config
- /lib/modules:/lib/modules
ports:
- "51820:51820/udp"
dns:
- 10.2.0.100 # Points to pihole
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped
networks:
private_network:
ipv4_address: 10.2.0.3
pihole:
container_name: pihole
image: pihole/pihole:latest
restart: unless-stopped
hostname: pihole
dns:
- 127.0.0.1
environment:
TZ: "Europe/London"
WEBPASSWORD: "testpassword" # Blank password - Can be whatever you want.
ServerIP: 10.1.0.100
DNS1: 1.1.1.1
DNS2: 1.1.1.1 # If we don't specify two, it will auto pick google.
volumes:
- "./etc-pihole/:/etc/pihole/"
- "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
# Recommended but not required (DHCP needs NET_ADMIN)
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
cap_add:
- NET_ADMIN
networks:
private_network:
ipv4_address: 10.2.0.100
This works really well and I am able to get on to the wireguard vpn and have access (though have lost seeing different clients in pi hole compared to running native).
I have tried to remove the INTERNAL_SUBNET environment variable from the wireguard service as on dockerhub for wireguard it says its optional and this defaults it to 10.13.13.0 which I thought would be acceptable however only removing that breaks the whole thing. Was hoping someone could help me understand why.
I have made a docker compose file based on this as follows (urls etc changed for obvious reasons).
This works really well and I am able to get on to the wireguard vpn and have access (though have lost seeing different clients in pi hole compared to running native).
I have tried to remove the INTERNAL_SUBNET environment variable from the wireguard service as on dockerhub for wireguard it says its optional and this defaults it to 10.13.13.0 which I thought would be acceptable however only removing that breaks the whole thing. Was hoping someone could help me understand why.
Thanks in advance.