drdrexl / blog

MIT License

guides/wireguard-pihole-vpn-setup #1

Open utterances-bot opened 5 years ago

utterances-bot commented 5 years ago

Setting up an ad-blocking VPN with Wireguard and Pihole | Detachment 2702

This guide will walk you through the setup of a remote machine that will act as a personal VPN server at the cost of 3 to 5 USD per month. We will also configure it to act as a DNS resolver that will automatically block spam, tracking, advertising and malware domains on all of your connected devices.

https://drexl.me/guides/wireguard-pihole-vpn-setup.html

mdp commented 5 years ago

Just an FYI about VPS and using them for a VPN. Some sites will block any traffic from known datacenter IPs in order to try and prevent scraping. An example of this would be most airline sites. Give Delta or Southwest a try with your VPS and you'll likely see an error. Same with Craigslist, although they seem to slow the connection vs full block. I suspect this list will grow.

Not that commercial VPNs are any better, just pointing out that there are some downsides to VPS as well.

ThundercloudActual commented 5 years ago

Thank you so much for this configuration. I have it running on DigitalOcean. I did find that I had to remove ", ::/0" from the Allowed Client IPs for WireGuard for iOS, given lack of support for IPv6, based on info in: https://github.com/trailofbits/algo/issues/1385

gap579137 commented 5 years ago

Doesn't this leave the server open to be used as a DNS amplification host???

drdrexl commented 5 years ago

@gap579137 the DNS server doesn't have to be exposed to the internet, the queries go through the tunnel

trestletech commented 5 years ago

Great write-up! FYI I needed to add sysctl net.ipv4.ip_forward=1 to the PostUp step. Without running that, my config didn't survive a reboot. Ubuntu 18.04.

dosch commented 5 years ago

Nice writeup. But I do have a few remarks/questions:

Then I also have two questions:

Thanks for any feedback!

dosch commented 5 years ago

@drdrexl I was really hoping you might have a reply for me to the above comments. I have so far not been able to get this working...

drdrexl commented 5 years ago

Hi @dosch

The part where you install pihole is very short. Maybe it would be good to add if you have to choose eth0 or wg0 at the very least.

Should be whichever interface you are getting internet from (usually eth0)

It seems weird to me that the DNS entry in the client config is the public IP of the VPS. Shouldn't this be the internal IP (in your example: 192.168.5.1)?

Yes it's weird but the internal IP doesn't work and the external IP works as expected (everything goes through the tunnel)

After I connect to my server, I can no longer access websites. My SSL connection is still alive. It seems my requests stop at the VPS. What could I have done wrong?

If it's a DNS issue (try ping 8.8.8.8 from the client to make sure) you probably misconfigured pihole somehow. If you don't have internet at all make sure you enabled ip forwarding and set up the iptables rules as described. Or you might need to remove ::/0 as another comment said

Is there a way to make it easier and faster to create new client confs?

You could write a bash/python script to automate the whole config generation process.
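One way to do what the reply above suggests, as an added example that is not part of the guide or the blog's code: a small Python generator that picks the next free tunnel address, emits the client's config and the matching [Peer] stanza for the server, and makes the IPv6 catch-all optional for clients such as WireGuard for iOS that reject "::/0" (see the earlier comment). The keys in it are constructed placeholders, not real keys; the endpoint, port 51820 and the 192.168.5.0/24 tunnel subnet are assumptions taken from the thread.

```python
import base64
import ipaddress

# Constructed placeholder keys (base64 of fixed bytes). NOT real WireGuard keys:
# generate real ones with `wg genkey | tee client.key | wg pubkey > client.pub`.
PLACEHOLDER_CLIENT_PRIV = base64.b64encode(bytes([1]) * 32).decode()
PLACEHOLDER_CLIENT_PUB = base64.b64encode(bytes([2]) * 32).decode()
PLACEHOLDER_SERVER_PUB = base64.b64encode(bytes([3]) * 32).decode()


def is_wg_key(key: str) -> bool:
    """A WireGuard key is 32 bytes, base64-encoded (44 characters ending in '=')."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def next_free_address(subnet: str, used: list) -> str:
    """Lowest host address in `subnet` that no existing peer (or the server) uses."""
    net = ipaddress.ip_network(subnet, strict=False)
    taken = {ipaddress.ip_address(a.split("/")[0]) for a in used}
    for host in net.hosts():
        if host not in taken:
            return f"{host}/32"
    raise RuntimeError(f"no free address left in {subnet}")


def client_config(client_priv: str, client_addr: str, server_pub: str,
                  endpoint: str, dns: str, include_ipv6: bool = True) -> str:
    """Client-side wg0.conf: route everything through the tunnel, resolve via Pi-hole."""
    if not (is_wg_key(client_priv) and is_wg_key(server_pub)):
        raise ValueError("keys must be 32-byte base64 strings from wg genkey / wg pubkey")
    # Clients without IPv6 (WireGuard for iOS in the thread) choke on '::/0', so it is optional.
    allowed = "0.0.0.0/0, ::/0" if include_ipv6 else "0.0.0.0/0"
    return (
        "[Interface]\n"
        f"PrivateKey = {client_priv}\n"
        f"Address = {client_addr}\n"
        f"DNS = {dns}\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pub}\n"
        f"Endpoint = {endpoint}\n"
        f"AllowedIPs = {allowed}\n"
        "PersistentKeepalive = 25\n"
    )


def server_peer_stanza(client_pub: str, client_addr: str) -> str:
    """Block to append to the server's wg0.conf. AllowedIPs is the single /32 so the
    server only accepts packets from this key with that source address (cryptokey routing)."""
    if not is_wg_key(client_pub):
        raise ValueError("client public key must be a 32-byte base64 string")
    return f"\n[Peer]\nPublicKey = {client_pub}\nAllowedIPs = {client_addr}\n"


if __name__ == "__main__":
    # Assumed layout: server is 192.168.5.1, one client already has .2 (constructed).
    addr = next_free_address("192.168.5.0/24", ["192.168.5.1/24", "192.168.5.2/32"])
    print(client_config(PLACEHOLDER_CLIENT_PRIV, addr, PLACEHOLDER_SERVER_PUB,
                        "203.0.113.10:51820", "192.168.5.1", include_ipv6=False))
    print(server_peer_stanza(PLACEHOLDER_CLIENT_PUB, addr))
```

Feed `next_free_address` the AllowedIPs of every [Peer] already in the server's wg0.conf so two clients never share an address; the server-side stanza deliberately lists only that /32, never 0.0.0.0/0, because on the server AllowedIPs is an authorisation list rather than a route.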

dosch commented 5 years ago

If it's a DNS issue (try ping 8.8.8.8 from the client to make sure) you probably misconfigured pihole somehow.

It is not a DNS issue: all connections go down as soon as I connect. Pinging 8.8.8.8 returns an error.

If you don't have internet at all make sure you enabled ip forwarding and set up the iptables rules as described.

I did ~# sudo sysctl net.ipv4.ip_forward=1 and that returns: net.ipv4.ip_forward = 1

iptables rules are copy and paste from your blog with no alterations made.

Or you might need to remove ::/0 as another comment said

I did that in the wireguard client on my mac... but also... no result.

Do you have any other tips... ? I wiped the VPS three times already and started all over, following your steps meticulously, but I'm clearly still doing something wrong... :-(

angeloschat commented 4 years ago

Thank you for this nice guide. I have similar issues as dosch though. WireGuard is active and then all traffic stops... I run it on an AWS VM. The VM has an internal IP which is different from the public one.

VolkmarWillert commented 4 years ago

"Yes it's weird but the internal IP doesn't work and the external IP works as expected (everything goes through the tunnel)" pi-hole has to listen on interface "wg0". (instead of eth0). Reconfigure pi-hole with "pihole -r" and select interface wg0.

Is there a way for Pi-hole to listen on both interfaces, wg0 and eth0?

VolkmarWillert commented 4 years ago

To listen on all interfaces go to Pi-hole Settings > DNS > Interface listening behavior:

"Listen on all interfaces": allows only queries from devices that are at most one hop away (local devices).
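The troubleshooting exchanged above (IP forwarding, the iptables rules, dropping "::/0", an AWS VM whose internal address differs from its public one), the DNS amplification worry raised earlier, and the Pi-hole listening question just answered can all be checked offline from captured output. The following is an added example, not the guide's or Pi-hole's code: it reads the text of `sysctl net.ipv4.ip_forward`, `iptables-save`, the client config and /etc/pihole/setupVars.conf. It assumes the guide's rules are the usual WireGuard quick-start pair (FORWARD accept on wg0, MASQUERADE out of eth0), that setupVars.conf carries PIHOLE_INTERFACE and DNSMASQ_LISTENING (single / local / all, with "single" assumed as the default), and every sample input below is constructed.

```python
import ipaddress
import re


def ip_forward_enabled(sysctl_output: str) -> bool:
    """True if `sysctl net.ipv4.ip_forward` printed 'net.ipv4.ip_forward = 1'."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d+)", sysctl_output)
    return m is not None and m.group(1) == "1"


def has_rule(iptables_save: str, pattern: str) -> bool:
    """Match one rule line of iptables-save output (rule lines start with '-A')."""
    return re.search(r"^-A " + pattern, iptables_save, re.M) is not None


def parse_kv(text: str) -> dict:
    """Parse 'Key = value' / 'KEY=value' lines. A [Section] header prefixes later keys,
    so a WireGuard config yields 'Peer.AllowedIPs' and setupVars.conf yields 'PIHOLE_INTERFACE'."""
    out, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1] + "."
        elif "=" in line:
            k, v = line.split("=", 1)
            out[section + k.strip()] = v.strip()
    return out


def diagnose(sysctl_out: str, iptables_save: str, client_conf: str, setup_vars: str,
             wan_if: str = "eth0", wg_if: str = "wg0", server_has_ipv6: bool = False) -> list:
    """Return a list of findings; an empty list means none of the known pitfalls was seen."""
    findings = []
    if not ip_forward_enabled(sysctl_out):
        findings.append("net.ipv4.ip_forward is 0: enable it and persist it (sysctl.conf or a PostUp line)")
    if not has_rule(iptables_save, rf"FORWARD -i {re.escape(wg_if)} .*-j ACCEPT"):
        findings.append(f"no FORWARD accept for {wg_if}: client packets are dropped at the VPS")
    if not has_rule(iptables_save, rf"POSTROUTING .*-o {re.escape(wan_if)} .*-j MASQUERADE"):
        findings.append(f"no MASQUERADE out of {wan_if}: replies cannot route back into the tunnel")

    peer = parse_kv(client_conf)
    allowed = [a.strip() for a in peer.get("Peer.AllowedIPs", "").split(",")]
    if "::/0" in allowed and not server_has_ipv6:
        findings.append("AllowedIPs routes ::/0 through a server with no IPv6; drop ', ::/0'")
    endpoint = peer.get("Peer.Endpoint", "")
    host = endpoint.rsplit(":", 1)[0].strip("[]")  # handles 'a.b.c.d:port' and '[v6]:port'
    try:
        # is_global is False for RFC1918 (an AWS VM's internal address) and documentation ranges.
        if not ipaddress.ip_address(host).is_global:
            findings.append(f"Endpoint {host} is not a public address; use the VPS's public IP")
    except ValueError:
        pass  # a hostname rather than a literal address: nothing to check offline

    # Pi-hole: 'single' = only PIHOLE_INTERFACE, 'local' = the UI's "Listen on all interfaces"
    # (one hop away), 'all' = "permit all origins". Assumed default is 'single'.
    ph = parse_kv(setup_vars)
    iface, listening = ph.get("PIHOLE_INTERFACE"), ph.get("DNSMASQ_LISTENING", "single")
    if listening == "single" and iface != wg_if:
        findings.append(f"Pi-hole listens only on {iface}, but clients query over {wg_if} "
                        f"(pihole -r and pick {wg_if}, or allow local origins)")
    port53_blocked = (has_rule(iptables_save, rf"INPUT -i {re.escape(wan_if)} .*--dport 53 .*-j (DROP|REJECT)")
                      or re.search(r"^:INPUT DROP", iptables_save, re.M) is not None)
    if listening == "all" and not port53_blocked:
        findings.append(f"Pi-hole answers every origin and port 53 on {wan_if} is unfiltered: "
                        "open resolver, usable for DNS amplification")
    return findings


# Constructed sample inputs reproducing the failures reported in this thread.
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 0\n"
SAMPLE_IPTABLES = "*filter\n:INPUT ACCEPT [0:0]\n-A FORWARD -i wg0 -j ACCEPT\nCOMMIT\n*nat\nCOMMIT\n"
SAMPLE_CLIENT = """[Interface]
PrivateKey = <client private key>
Address = 192.168.5.2/32
DNS = 192.168.5.1

[Peer]
PublicKey = <server public key>
Endpoint = 10.0.0.5:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
SAMPLE_SETUPVARS = "PIHOLE_INTERFACE=eth0\nDNSMASQ_LISTENING=all\n"

if __name__ == "__main__":
    for line in diagnose(SAMPLE_SYSCTL, SAMPLE_IPTABLES, SAMPLE_CLIENT, SAMPLE_SETUPVARS) or ["no findings"]:
        print("-", line)
```

Run it with the real outputs of `sysctl net.ipv4.ip_forward` and `iptables-save` from the VPS and the client's config; on the constructed sample it reports all five pitfalls. The last check is the one the amplification question was about: with queries only accepted through the tunnel, as the author replied, the resolver is not reachable from the internet, and this flags the combination (every origin permitted, port 53 open on the WAN interface) that would change that.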

argiedoubleya commented 4 years ago

Hi, does this route all traffic via VPN to the Droplet or just the DNS traffic?

ulfklose commented 4 years ago

Same here. I can see that my system is at least trying to get stuff from the Internet via the Wireguard tunnel but absolutely no name resolution. Yours isn't the first tutorial I'm trying, none of them worked.

Maybe it's something on the provider's network that is blocking such a setup? I guess I'll try another VPS

ulfklose commented 4 years ago

Solved. In my case it was really my provider. I've got a VPS at a German provider called Profihost. It seems as if they do not allow this kind of operation.

I switched to Hetzner, also a German provider, where I pay 2,96 € a month for the smallest instance they offer. It works like a charm. Maybe at smaller providers like Hetzner the issues mdp wrote about won't be any, idk.

ulfklose commented 4 years ago

Sorry for the spam, it wasn't the provider's fault, not really at least. It was IPv6 in my case, as someone mentioned before. I have disabled IPv6 completely which I had to because my provider doesn't offer me an IPv6 address. I hope this helps someone else. Please ignore the last two comments.

vendelieu commented 3 years ago

Let's create a configuration file for the client. OK, where? And what's the name for it?