- [Guide] How to install WireGuard on a Raspberry Pi (full tunnel + split tunnel) using Pi-Hole as DNS.
- Posted by u/vaporisharc92
- 3 months ago
- If you’re interested check out this config reference. It may help you get a better understanding if you get stuck while following along. There's also /r/WireGuard if you need help!
- FOR THE UNINITIATED: Please do some research on these topics before you begin: Full Tunnel vs Split Tunnel, DDNS, Subnet, Port Forwarding, LAN, & Public IP.
- I see threads popping up here from time to time asking for an easy to follow guide on how to install WireGuard on a Raspberry Pi. There are a couple of guides out there on how to do this, but I couldn’t find one that covered everything from A-Z. So, I wanted to make one on how to get it installed on your Pi and have it use Pi-Hole as DNS. While it’s easier to install this with a few clicks on DietPi, the Pi is meant to be a cheap learning tool, so I encourage you to do this manually instead. I will divide this guide into 6 parts so hopefully it's easy for you to follow (Part 5 can be skipped if you prefer to do that bit manually, more info near the end of the post):
- PART 1: SETUP WIREGUARD
- sudo su
- # ↑ You need root privilege for this so be sure to enter this first
- apt install raspberrypi-kernel-headers libelf-dev libmnl-dev build-essential git
- # ↑ Some of these dependencies are already installed on your Pi but run the whole command anyway just to be sure (as it varies between models)
- There are two ways to proceed from here, pick whichever method you prefer:
- (IMPORTANT: Method B will NOT work for these models: Pi 1, 2 (except v1.2), Zero & Zero W. If you're using one of these your only choice is Method A. The CPUs in these models lack features that Debian's prebuilt packages (built for the ARMv7 architecture) rely on, so if you install using Method B on them the binaries crash with a “Segmentation fault” error.)
- Method A (Manual compilation):
- git clone https://git.zx2c4.com/WireGuard
- cd WireGuard/
- cd src/
- make
- # ↑ If you get an error here that says "No such file or dir" you're probably on an older kernel. Fix it by running 'sudo BRANCH=stable rpi-update' (refer to “Troubleshooting” at the end to update it manually)
- make install
- (The “make” command may take a few minutes to finish.)
- Method B (Apt repo. The package comes from Debian unstable, pinned at priority 90 so that nothing else from unstable replaces your Raspbian packages. That same pin means 'apt upgrade' will not pull in a newer wireguard on its own either; to update later run 'apt update' and then 'apt install wireguard/unstable'):
- echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
- printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
- # ↑ These commands may change in the future (apt-key, for one, has since been deprecated on Debian), so when this post gets old go to this link and check the Debian section before running them: https://www.wireguard.com/install/
- apt update
- # ↑ Ignore the NO_PUBKEY warning here; the next three commands install dirmngr and import the two Debian archive signing keys that fix it
- apt install dirmngr
- apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010
- apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC
- apt update
- apt install wireguard
- Once WireGuard is done installing using either method we're going to enable IP forwarding, which is what lets the Pi route traffic between wg0 and your LAN/internet, then reboot the Pi:
- perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
- # ↑ This only uncomments/sets an existing net.ipv4.ip_forward line in /etc/sysctl.conf; putting it there is what makes the setting survive reboots
- reboot
- After rebooting, verify that IP forwarding is enabled before proceeding to the next part. Enter the following; the output should be 'net.ipv4.ip_forward = 1' (if it is still 0 the line was not in sysctl.conf, so add it by hand and reboot again):
- sysctl net.ipv4.ip_forward
- PART 2: GENERATE PRIVATE AND PUBLIC KEYS FOR SERVER AND CLIENT
- sudo su
- cd /etc/wireguard
- umask 077
- wg genkey | tee peer1_privatekey | wg pubkey > peer1_publickey
- wg genkey | tee server_privatekey | wg pubkey > server_publickey
- ls
- # ↑ Verify the keys got generated
- peer1_privatekey peer1_publickey server_privatekey server_publickey
- You can view your keys using the cat command like so:
- cat server_publickey
- cat server_privatekey
- cat peer1_publickey
- cat peer1_privatekey
- (We’re gonna need these keys in the next 2 parts)
- PART 3: CONFIGURE WIREGUARD SERVER
- Make a wg0.conf file in ‘/etc/wireguard/’ :
- nano /etc/wireguard/wg0.conf
- Copy and paste the following template and make changes as needed. Make sure to enter the right key in the right line. Again, DOUBLE CHECK THE KEYS WHEN ENTERING THEM:
- [Interface]
- Address = 10.9.0.1/24
- ListenPort = xxxxx
- DNS = 192.168.x.xx
- PrivateKey = server_privatekey
- PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
- [Peer]
- #Peer-1
- PublicKey = peer1_publickey
- AllowedIPs = 10.9.0.2/32
- #PersistentKeepalive = 60
- (‘Ctrl + x’ then ‘y’ to exit and save the changes.)
- Lines you need to modify:
- ListenPort: The UDP port you're going to forward on your router (WireGuard's default is 51820; any unused port works)
- DNS: Pi-Hole's LAN IP. On the server this line only changes the Pi's own resolver while wg0 is up; the tunnel works without it, so it is safe to leave out
- PrivateKey: Enter the key you get from 'cat server_privatekey'
- PostUp & PostDown: These rules let traffic in and out of wg0 and NAT it behind the Pi's LAN address, so LAN devices and the internet see the Pi's IP rather than 10.9.0.x. Change 'eth0' to 'wlan0' in both lines if you're connected via Wi-Fi. If your network interface has a different name (predictable names like enx<MAC> are common) find it using 'ip link' (or 'ifconfig') and use that name instead
- PublicKey: Enter the key you get from 'cat peer1_publickey'
- PersistentKeepalive: This line belongs to the peer entry and is rarely needed on the server. The keepalive matters on the side that sits behind a NAT and needs the mapping kept open while idle, which is the phone's config in Part 4; the WireGuard docs suggest 25 seconds there
- PART 4: CONFIGURE WIREGUARD CLIENT
- Make a peer1.conf file in ‘/etc/wireguard/’ :
- nano /etc/wireguard/peer1.conf
- Copy and paste the following template and make changes as needed. DOUBLE CHECK THE KEYS WHEN ENTERING THEM:
- [Interface]
- Address = 10.9.0.2/32
- DNS = 192.168.x.x
- PrivateKey = peer1_privatekey
- [Peer]
- PublicKey = server_publickey
- Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
- AllowedIPs = 0.0.0.0/0, ::/0
- #PersistentKeepalive = 60
- Lines you need to modify:
- DNS: Pi-Hole's LAN IP (this is what makes the phone use Pi-hole for every lookup while connected)
- PrivateKey: Enter the key you get from 'cat peer1_privatekey'
- PublicKey: Enter the key you get from 'cat server_publickey'
- Endpoint: Your public IP or DDNS name, a colon, and the UDP port you forwarded (DDNS-name:port)
- AllowedIPs: 0.0.0.0/0, ::/0 (routes all of the phone's traffic through the tunnel, aka full tunnel; dnsleaktest will then show your home IP)
- (OR)
- AllowedIPs: 192.168.1.0/24 (split tunnel: only traffic to your LAN, which includes the DNS queries to Pi-hole, goes through the tunnel; everything else uses the phone's own connection. Replace 192.168.1.0/24 with your router's actual subnet, and add 10.9.0.0/24 as well if you want to reach the Pi on its tunnel address 10.9.0.1. Whichever you pick, the DNS address must lie inside AllowedIPs, otherwise the phone's lookups bypass the tunnel and nothing resolves)
- PersistentKeepalive: Uncomment this line (remove the #) if the tunnel drops after the phone has idled behind the carrier's NAT; 25 seconds is the value the WireGuard docs suggest
- PART 5: EXPORT THE CLIENT CONFIGURATION TO YOUR PHONE USING QR CODE
- (Manual export method further down the post; you don’t need to install qrencode if you take that route, so skip ahead, do it, then continue from Part 6.)
- apt install qrencode
- qrencode -t ansiutf8 < /etc/wireguard/peer1.conf
- A QR code will be generated; scan it with the WireGuard app on your phone (install the app and do that now). The QR code is the whole of peer1.conf including the client's private key, so treat the screen like the file itself: don't do this over a shared screen, and clear the terminal once the profile is imported.
- PART 6: FINALISE INSTALLATION
- After your client profile has been imported to your phone run the following commands to finish up the installation on the Pi:
- systemctl enable wg-quick@wg0
- chown -R root:root /etc/wireguard/
- chmod -R og-rwx /etc/wireguard/*
- (The first command enables WireGuard to autostart on boot and the last two commands secure the contents of ‘/etc/wireguard/’ so only root can read them, as the directory holds your private keys and the client configuration files.)
- Next, go to your Pi-Hole Admin console's 'Settings > DNS' and enable the following:
- Listen on all interfaces (allows only queries from devices that are at most one hop away, i.e. local devices). This is enough for VPN clients because they sit directly on the Pi's wg0 interface and so count as local; there is no need for the 'permit all origins' option, which would answer queries from anywhere the Pi is reachable.
- Then start WireGuard:
- wg-quick up wg0
- (Replace ‘up’ with ‘down’ on the same command to stop the service.)
- Finally, reboot your Pi and run sudo wg to see the status of your wg instance.
- That's basically it!
- You should now have a working WireGuard VPN server using Pi-Hole as DNS with access to all your LAN devices. To verify that everything is working as expected (Note: Don’t skip rebooting after everything is set!):
- Run a DNS leak test at dnsleaktest.com. It will show your home public IP in full tunnel (your mobile carrier's IP in split tunnel), and the test result page will list the upstream DNS servers you set in Pi-Hole rather than the carrier's resolvers.
- In the app, check that data is being exchanged in the “Data sent” and “Data received” lines while connected.
- Check the ‘Query Log’ page in Pi-hole’s Admin console. You’ll see queries coming from the wg client IP (10.9.0.2 in this case).
- (Note: Refer to ‘Troubleshooting’ at the end if you’re having connection issues.)
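A lint for the finished configs, added here as an example rather than anything from the post: it flags the mistakes that give a tunnel that handshakes but does nothing (or fails the dnsleaktest above): template placeholders left where a key belongs, an Endpoint without a port, a DNS address that AllowedIPs does not cover in a split-tunnel config, and the same AllowedIPs address handed to two peers in wg0.conf. The IPv4 prefix test is done in awk with plain arithmetic so it runs on the mawk a Pi ships with; the file names, messages and thresholds are this example's own choices. Usage on the Pi: sh wg-conf-lint.sh /etc/wireguard/peer1.conf /etc/wireguard/wg0.conf

```shell
# wg-conf-lint.sh: added example, not from the original post or the WireGuard
# project. Checks a client config (peerN.conf) and the server config (wg0.conf)
# for the mistakes that keep a tunnel "connected but useless". File layout
# follows the guide; the checks and messages are this example's choices.
set -eu

# conf_get <file> <key>: value of the first "Key = value" line.
# WireGuard treats keys case-insensitively, so the lookup does too. Only the
# first '=' separates key and value (base64 keys end in '=' themselves).
conf_get() {
    awk -F'=' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# ip4_in_cidr <ip> <cidr>: true if the IPv4 address lies inside the prefix.
# Compares the network parts by integer division instead of bitwise ops,
# which plain POSIX awk (mawk) does not have.
ip4_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN {
            split(cidr, c, "/"); host = 2 ^ (32 - (c[2] == "" ? 32 : c[2]))
            exit !(int(toint(ip) / host) == int(toint(c[1]) / host))
        }'
}

# looks_like_key <value>: a WireGuard key is 32 bytes base64 = 43 chars plus "=".
looks_like_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# lint_client <peer.conf>: one line per problem on stdout, returns 1 if any.
lint_client() {
    f="$1"; rc=0
    looks_like_key "$(conf_get "$f" PrivateKey)" || { echo "$f: PrivateKey is not a real key (template placeholder left in?)"; rc=1; }
    looks_like_key "$(conf_get "$f" PublicKey)"  || { echo "$f: PublicKey is not a real key (template placeholder left in?)"; rc=1; }
    case "$(conf_get "$f" Endpoint)" in
        *:[0-9]*) ;;
        *) echo "$f: Endpoint needs host:port"; rc=1 ;;
    esac
    allowed=$(conf_get "$f" AllowedIPs | tr ',' '\n' | tr -d ' ')
    for dns in $(conf_get "$f" DNS | tr ',' ' '); do
        case "$dns" in *:*) continue ;; esac                 # IPv6 resolver: not checked here
        covered=0
        for net in $allowed; do
            case "$net" in *:*) continue ;; esac             # skip IPv6 prefixes
            ip4_in_cidr "$dns" "$net" && covered=1
        done
        [ "$covered" -eq 1 ] || { echo "$f: DNS $dns is outside AllowedIPs ($(printf '%s' "$allowed" | tr '\n' ' ')); lookups bypass the tunnel"; rc=1; }
    done
    return $rc
}

# lint_server <wg0.conf>: flags an AllowedIPs address used by more than one [Peer].
lint_server() {
    dups=$(awk -F'=' 'tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v); print v }' "$1" | sort | uniq -d)
    [ -z "$dups" ] || { echo "$1: AllowedIPs assigned to more than one peer: $(printf '%s' "$dups" | tr '\n' ' ')"; return 1; }
    return 0
}

# Command-line use: lint every file given; wg0.conf is treated as the server side.
if [ $# -ge 1 ]; then
    failed=0
    for f in "$@"; do
        case "$f" in
            *wg0.conf) lint_server "$f" || failed=1 ;;
            *)         lint_client "$f" || failed=1 ;;
        esac
    done
    exit $failed
fi
```

The DNS check is the one that explains a split tunnel that "connects but nothing loads": the phone sends its queries to the Pi-hole address, and if no AllowedIPs prefix contains that address the queries leave via the carrier instead of the tunnel.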
- TIPS:
- You can access Pi-Hole’s Admin console using wg’s server IP (‘10.9.0.1/admin’ in this case) when connected to the VPN. In split tunnel this only works if 10.9.0.0/24 is part of the client's AllowedIPs.
- I recommend importing the same config twice and setting one as a full tunnel and the other as a split tunnel (scan and import the same QR code twice and manually change the “Allowed IPs” for the second one in the app). That way depending on your need you can switch between the two modes as you please.
- WireGuard works over UDP only, so make sure you forward a UDP port on your router to the Pi's LAN IP (give the Pi a fixed address or a DHCP reservation so the forward keeps pointing at it). WireGuard's default is 51820, but any unused port will do; the server never answers packets that don't carry a valid key, so the open port is invisible to port scanners.
- If you have set up a DDNS domain for your IP address, add a host record to Pi-hole's settings with ‘pihole -a hostrecord Your_DDNS PiHole_IP’ so the name resolves to the Pi's LAN address from inside your network. Without it, clients on your home Wi-Fi (some Android phones in particular) can't reach the server through the public address when the router doesn't support NAT loopback, while it works fine from outside.
- If you have more than one Pi-Hole set up, you can add its IP in the ‘DNS’ line in wg0.conf and peer1.conf with a comma (DNS = Pihole-IP,Pihole2-IP).
- fail2ban doesn't protect WireGuard itself (it logs nothing for packets that fail authentication, so there is nothing to ban on), but if you also expose SSH it is worth installing: sudo apt install fail2ban
- If ufw is installed (recommended) add a rule for the forwarded port: sudo ufw allow forwarded-port/udp
- MANUALLY EXPORT CLIENT CONFIGURATION (IF YOU SKIPPED PART 5):
- To manually export the peer1.conf file to your phone, serve it over HTTP on your LAN for a moment:
- cd /etc/wireguard/
- python3 -m http.server 8482
- # ↑ On a Pi where 'python' is still Python 2, use 'python -m SimpleHTTPServer 8482' instead
- then on your phone’s browser go to http://Pi-hole-IP:8482/peer1.conf and download it. Stop the server with Ctrl+C as soon as the download is done: it serves every file in the directory, including the server's private key, unencrypted to anyone on the LAN. Delete the file from your phone’s memory after importing it to the app.
- ADDING MULTIPLE CLIENTS:
- Generate a public and private key for the 2nd client:
- sudo su
- cd /etc/wireguard/
- umask 077
- wg genkey | tee peer2_privatekey | wg pubkey > peer2_publickey
- ls
- peer1.conf peer1_privatekey peer1_publickey peer2_privatekey peer2_publickey server_privatekey server_publickey wg0.conf
- Then edit the wg0.conf file:
- nano /etc/wireguard/wg0.conf
- Paste at the end:
- [Peer]
- #Peer-2
- PublicKey = peer2_publickey
- AllowedIPs = 10.9.0.3/32
- #PersistentKeepalive = 60
- Then make a peer2.conf file:
- nano /etc/wireguard/peer2.conf
- Paste (use Part 4 as reference):
- [Interface]
- Address = 10.9.0.3/32
- DNS = 192.168.x.x
- PrivateKey = peer2_privatekey
- [Peer]
- PublicKey = server_publickey
- Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
- AllowedIPs = 192.168.1.0/24
- #PersistentKeepalive = 60
- (Use 0.0.0.0/0, ::/0 instead for a full tunnel; the choice is per client, see Part 4.)
- Then export it:
- qrencode -t ansiutf8 < /etc/wireguard/peer2.conf
- Editing wg0.conf does not change the running interface, so restart it before the new client tries to connect ('sudo systemctl restart wg-quick@wg0', the same command as in Troubleshooting [2]; it briefly interrupts the existing clients).
- (Note: You’re free to add as many clients as you want this way with IPs ranging from 10.9.0.2 to 10.9.0.254. Be sure to avoid assigning the same IP to different clients as that’ll introduce conflicts, and give each client its own key pair rather than reusing peer1's.)
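The procedure in Parts 2 to 4 and the "ADDING MULTIPLE CLIENTS" section folded into one script, as an added example (this is not code from the original post or from the WireGuard project): it finds the next free 10.9.0.N by reading the AllowedIPs lines already in wg0.conf, generates the key pair under umask 077, appends the [Peer] block, writes the phone's config, and, if wg0 is up, adds the peer live with 'wg set' so no restart is needed. The Pi-hole address, LAN subnet and endpoint are placeholders (override them as environment variables), and the 'split' mode includes 10.9.0.0/24 so the 10.9.0.1/admin tip keeps working. Run it as root on the Pi: sh wg-add-peer.sh peer3 split

```shell
# wg-add-peer.sh: added example, not from the original post or the WireGuard
# project. Automates Parts 2-4 and "ADDING MULTIPLE CLIENTS" of the guide.
# Paths and the 10.9.0.0/24 subnet mirror the guide; PIHOLE_DNS, LAN_SUBNET
# and ENDPOINT below are placeholders you must set for your network.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"
WG_IF="${WG_IF:-wg0}"
WG_NET="${WG_NET:-10.9.0}"                              # the guide's 10.9.0.0/24, .1 is the server
PIHOLE_DNS="${PIHOLE_DNS:-192.168.1.2}"                 # placeholder: Pi-hole's LAN IP
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"              # placeholder: your router's subnet
ENDPOINT="${ENDPOINT:-YOUR-PUBLIC-IP-OR-DDNS:ListenPort}" # placeholder: public address and forwarded UDP port

# next_free_host <wg0.conf>: lowest host number 2..254 not already used by a
# peer's "AllowedIPs = 10.9.0.N/32" line.
next_free_host() {
    used=$(awk -v net="$WG_NET" '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=\/.,]+/) }
        f[1] == "AllowedIPs" && (f[2] "." f[3] "." f[4]) == net && f[6] == "32" { print f[5] }' "$1")
    n=2
    while [ "$n" -le 254 ]; do
        printf '%s\n' "$used" | grep -qx "$n" || { printf '%s\n' "$n"; return 0; }
        n=$((n + 1))
    done
    echo "no free address left in $WG_NET.0/24" >&2
    return 1
}

# server_peer_block <name> <pubkey> <host>: the [Peer] entry appended to wg0.conf.
server_peer_block() {
    printf '\n[Peer]\n#%s\nPublicKey = %s\nAllowedIPs = %s.%s/32\n' "$1" "$2" "$WG_NET" "$3"
}

# client_conf <privkey> <server_pubkey> <host> <full|split>: the phone's config.
# "split" routes the LAN and the wg subnet (so 10.9.0.1/admin still works);
# in both modes the DNS address lies inside AllowedIPs, which it must.
client_conf() {
    case "$4" in
        full)  allowed="0.0.0.0/0, ::/0" ;;
        split) allowed="$LAN_SUBNET, $WG_NET.0/24" ;;
        *)     echo "mode must be full or split" >&2; return 1 ;;
    esac
    printf '[Interface]\nAddress = %s.%s/32\nDNS = %s\nPrivateKey = %s\n\n[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\nPersistentKeepalive = 25\n' \
        "$WG_NET" "$3" "$PIHOLE_DNS" "$1" "$2" "$ENDPOINT" "$allowed"
}

# add_peer <name> [full|split]: the whole procedure. Needs wg and root on the Pi.
add_peer() {
    name="$1"; mode="${2:-full}"
    umask 077                                            # new key and config files are created 0600
    host=$(next_free_host "$WG_DIR/$WG_IF.conf")
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    srv_pub=$(cat "$WG_DIR/server_publickey")
    printf '%s\n' "$priv" > "$WG_DIR/${name}_privatekey"
    printf '%s\n' "$pub"  > "$WG_DIR/${name}_publickey"
    server_peer_block "$name" "$pub" "$host" >> "$WG_DIR/$WG_IF.conf"
    client_conf "$priv" "$srv_pub" "$host" "$mode" > "$WG_DIR/$name.conf"
    # Add the peer to the live interface if it is up; otherwise wg-quick picks
    # it up from wg0.conf at the next start. No restart, no dropped clients.
    if wg show "$WG_IF" >/dev/null 2>&1; then
        wg set "$WG_IF" peer "$pub" allowed-ips "$WG_NET.$host/32"
    fi
    echo "$name = $WG_NET.$host; show the QR code with: qrencode -t ansiutf8 < $WG_DIR/$name.conf"
}

if [ $# -ge 1 ]; then
    add_peer "$@"
fi
```

'wg set' changes only the running interface and is forgotten at the next boot; that is why the script also appends the peer to wg0.conf, which is what wg-quick reads when the service starts.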
- KEEPING WIREGUARD UP-TO-DATE (if you installed using Method A in Part 1):
- To check for updates (note: the single WireGuard repository cloned above has since been split into wireguard-linux-compat for the kernel module and wireguard-tools for 'wg' and 'wg-quick'; if 'git pull' stops finding anything new, check https://www.wireguard.com/install/ for the current sources):
- sudo su
- cd WireGuard/
- git pull
- cd src/
- make
- If an update is available then:
- make install
- IMPORTANT: If you get the following when you run 'git pull' :
- error: Your local changes to the following files would be overwritten by merge:
- src/version.h
- Please commit your changes or stash them before you merge.
- Aborting
- Stash your local files and retry:
- git stash
- git pull
- Alternatively, you can run:
- git checkout filename
- git pull
- Or:
- git reset --hard
- git pull
- Check out this link for more info.
- TROUBLESHOOTING:
- [1] On rare occasions performing ‘apt upgrade’ will upgrade 'raspberrypi-kernel' and 'raspberrypi-kernel-headers' and cause WireGuard to stop working because its kernel module was not rebuilt for the updated kernel (if this happens on a clean OS install the kernel itself may need to be updated). If you run sudo systemctl status wg-quick@wg0 you’ll get an error like this:
- wg-quick[748]: RTNETLINK answers: Operation not supported
- wg-quick[748]: Unable to access interface: Protocol not supported
- To fix this, first check if the wg module is loaded using:
- lsmod | grep wireguard
- If it's not loaded and you installed with Method B, rebuild the module against the new kernel and load it:
- sudo dpkg-reconfigure wireguard-dkms
- sudo modprobe wireguard
- (If you installed with Method A there is no dkms package: rerun 'make' and 'make install' in WireGuard/src as in the update section above, then modprobe.)
- If modprobe fails you can get msgs from the kernel using:
- dmesg | grep wireguard
- Start wg again once you’re done:
- sudo wg-quick up wg0
- If that didn’t work, update the kernel:
- sudo BRANCH=stable rpi-update
- Or manually grab it (steps on how-to in the link under ‘Options’) from the stable branch (you can go to a specific kernel by clicking the <> icon on the right side of each commit) and rerun the commands. Check your kernel version uname -r, you’ll want to ensure your version number is the same as the latest stable release.
- [2] After setting everything up if you're having issues connecting to the internet [assuming you set everything correctly (you can check your config with a public DNS)], in Pi-Hole’s admin console select the option 'Listen only on interface eth0' ('wlan0' if on Wi-Fi) instead and it should work. On a VM I can get it to work by selecting this option but on a 3B+ and Zero W that I tested on it only worked with 'all interfaces (local)' enabled.
- In normal circumstances this isn’t needed, but if that also fails there’s one more thing you can try with ‘all interfaces (local)’ enabled:
- Make a file called 02-wireguard.conf in /etc/dnsmasq.d/ (this tells Pi-hole's dnsmasq to listen on wg0 explicitly, and unlike 01-pihole.conf it survives Pi-hole updates):
- sudo nano /etc/dnsmasq.d/02-wireguard.conf
- Paste:
- interface=wg0
- Then restart wg and Pi-Hole DNS:
- sudo systemctl restart wg-quick@wg0 && pihole restartdns
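A small status check to go with Troubleshooting, added here as an example (not from the original post): it reads the output of 'wg show wg0 dump' (one tab-separated line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake as Unix time, bytes received and sent, keepalive) and tells apart a peer that has never completed a handshake (wrong key, wrong endpoint, or the UDP port not forwarded) from one that handshook earlier but has gone quiet (client away, or a NAT mapping that PersistentKeepalive would have kept open). The 180-second threshold is this example's choice, picked because a peer with traffic rekeys about every two minutes; the dump in the test is constructed.

```shell
# wg-peer-status.sh: added example, not from the original post or the
# WireGuard project. Classifies each peer from `wg show <if> dump` output.
#   never : no handshake since the interface came up (key/endpoint/port forward)
#   stale : last handshake older than STALE_AFTER seconds (client gone or NAT mapping closed)
#   ok    : handshake within the window
# STALE_AFTER=180 is this example's choice (WireGuard rekeys every 120 s while traffic flows).
set -eu
STALE_AFTER="${STALE_AFTER:-180}"

# peer_status <dump-text> <now-epoch>
# prints one line per peer: <status> <first 8 chars of pubkey> <allowed-ips> <age-seconds>
# (age is -1 for a peer that never handshook)
peer_status() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v stale="$STALE_AFTER" '
        NR == 1 { next }                        # first line describes the interface, not a peer
        NF >= 8 {
            hs = $5 + 0                         # latest-handshake, 0 if never
            if (hs == 0) { st = "never"; age = -1 }
            else {
                age = now - hs
                st = (age > stale) ? "stale" : "ok"
            }
            printf "%s %s %s %d\n", st, substr($1, 1, 8), $4, age
        }'
}

# count_problems <dump-text> <now-epoch>: number of peers that are not "ok"
count_problems() {
    peer_status "$1" "$2" | awk '$1 != "ok" { n++ } END { print n + 0 }'
}

# ip_forward_enabled: true when the kernel forwards IPv4, without which peers
# handshake fine but never reach the LAN or the internet.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# On the Pi (as root): sh wg-peer-status.sh
if [ $# -eq 0 ] && command -v wg >/dev/null 2>&1; then
    ip_forward_enabled || echo "WARNING: net.ipv4.ip_forward is 0; clients will handshake but get no traffic"
    peer_status "$(wg show wg0 dump)" "$(date +%s)"
fi
```

A "never" peer whose endpoint column shows "(none)" has not even been heard from: in that case check the router's UDP port forward and the Endpoint line on the phone before suspecting the keys.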
- Hope this helps.
- 58 comments
- level 1
- anditails
- 18 points ·
- 3 months ago
- Thank you for the great guide.
- There is an easier route if the above looks a bit daunting for anyone:
- Install DietPi distro
- Choose PiHole and Wireguard from the Software install menu
- Choose server setup (rather than client) when the Wireguard installer asks
- Profit.
- Yup, really that easy. DietPi runs in VMs too.
- level 2
- naddel81
- 1 point ·
- 1 month ago
- does that include the Pi Zero (Method A)?
- level 2
- naddel81
- 1 point ·
- 1 month ago
- cannot find wireguard on dietpi-setup anywhere. PiHole was selectable.
- level 2
- naddel81
- 1 point ·
- 1 month ago
- https://abload.de/img/wireguardpi08jcn.png
- level 1
- harrison172
- 8 points ·
- 3 months ago
- Great straightforward guide! Best one I've seen so far. Thanks! I've always done my WG configs by hand and it was a pain to generate the client key and then copy that back over to the server. Wasn't aware of the QR code generation.
- level 2
- vaporisharc92
- 7 points ·
- 3 months ago
- No worries! Been meaning to do it for a while now, glad you found it helpful.
- level 1
- cornishgiant
- 5 points ·
- 3 months ago
- How do you add multiple devices?
- level 2
- vaporisharc92
- 4 points ·
- 3 months ago
- Check my edit
- level 2
- lordderplythethird
- 3 points ·
- 3 months ago
- Generate as many client public/private keys as you need, and then create as many corresponding client tables as you need, while making sure to give unique names and either extending the subnet that is available, or giving each client their own specific IP
- level 1
- LeNerdNextDoor
- 3 points ·
- 3 months ago
- How do I decide what port I forward? I get most of the tutorial except the port forwarding thing. I'd like to understand it.
- level 2
- lordderplythethird
- 4 points ·
- 3 months ago
- You simply choose one. You'll want to avoid the commonly used ports (22, 53, 80, 443, etc), but you'll just choose the port number you want to allow outside devices (in this case your phone) to communicate directly with the local device in question (in this case the pi).
- level 2
- Luckz777
- 2 points ·
- 3 months ago
- Eg. for forwarding port 51413 (TCP) to 10.9.0.2, add it on the WIREGUARD SERVER :
- PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A PREROUTING -p tcp -m tcp --dport 51413:51413 -j DNAT --to-destination 10.9.0.2
- PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D PREROUTING -p tcp -m tcp --dport 51413:51413 -j DNAT --to-destination 10.9.0.2
- level 1
- LeNerdNextDoor
- 2 points ·
- 3 months ago
- Followed the guide exactly except using wlan0 instead of eth0. Enabled WireGuard but it didn't seem to work. Telegram was working and so was Google but Reddit or GitHub failed to load (DNS bad config error). Pi-hole was set to `listen on all interfaces (one hop away)`.
- Pihole dashboard was inaccessible from pi.hole/admin but 192.168.x.x/admin seemed to work which leads me to think it was a dns resolving problem (telegram has hardcoded IPs too). I have set pihole back to wlan0 in the meanwhile but would appreciate if someone could tell me where I went wrong.
- Allowing all origins did not help either.
- level 1
- SmoresTiger
- 2 points ·
- 3 months ago
- · edited 3 months ago
- Thank you so much! I've been trying to do this forever.
- edit: Is there a way to add 2 piholes as DNS servers? When I add my second pihole ip address I cant connect to it.
- level 1
- CoccodrillooXDS
- 2 points ·
- 1 month ago
- Thank you for this guide!!!
- (and thanks to my friend who suggested I try WireGuard instead of OpenVPN) (I've been trying to do it with OpenVPN for 6 hours today but it wasn't working at all)
- level 1
- macjasp
- 2 points ·
- 12 days ago
- Absolute props to the OP on this. Flawless documentation, the only difference I have had to make (because my Pi-Hole is also my DHCP server) was to add 67/UDP & 68/UDP as additional rules in my UFW so that clients could continue to get an IP address from the DHCP pool.
- level 1
- marco79cgn
- 2 points ·
- 1 day ago
- Thanks for this great guide! It worked great until an unattended system upgrade broke my WireGuard last night. I was able to fix it with your troubleshooting [1] instructions. I had to upgrade the kernel as well (Raspberry Pi 4, Raspbian Buster).
- What's really strange is that at the beginning of each installation, there is no internet when connecting via WireGuard. I can fix this by changing the Pi-hole settings to "Listen only on interface eth0", save it, and then change it back to "Listen on all interfaces". No idea why but this worked the second time in a row in my case. Maybe it works for others as well.
- level 1
- klausita
- 2 points ·
- 3 months ago
- Main differences with Zerotier one?
- Can the 2 coexist?
- level 1
- LeNerdNextDoor
- 1 point ·
- 3 months ago
- Would changing eth0 to wlan0 work if I want to use my zero w?
- level 2
- Ruben_NL
- 3 points ·
- 3 months ago
- yes. that should work
- level 1
- gunduthadiyan
- 1 point ·
- 3 months ago
- Very nice write up, thanks for putting the time into doing this, I am sure a lot of people will find it useful. I have a few suggestions.
- I don't think you can have comments in your wireguard server conf & client conf. Also if possible bold the comments in parenthesis so that the end user will remove it when they set things up.
- Have you tried also doing unbound on a rasp pi? I don't have one, and not sure how the performance will be, but it would be great if you can add that in too.
- level 1
- filippomito
- 1 point ·
- 3 months ago
- · edited 3 months ago
- Have you tried the half tunnel configuration?
- I'm using DNSSEC verification but with split tunnel I fail the DNSSEC test; it passes only in full tunnel :(
- EDIT: Content filtering seems to work, but dnssec is failing, also dsnleak
- level 1
- Clevererer
- 1 point ·
- 3 months ago
- Sorry for the newb question, but is WireGuard a paid service like other VPNs?
- level 2
- LeNerdNextDoor
- 3 points ·
- 3 months ago
- No, you actually set up your own VPN service using wireguard
- level 1
- ThinkPadNL
- 1 point ·
- 3 months ago
- I have installed Wireguard on my Ubuntu VM (which hosts my Pi-hole) with this script (after i modified it so it detects my correct WAN IP, as explained in one of the Github issues). But i cannot get any traffic flowing from my iPhone to Wireguard.
- In my router (EdgerouterX) i have forwarded the corresponding WG port (59783 UDP) but the traffic counters don't increase in the Edgerouter. Does anyone have suggestions on what to check?
- level 2
- ThinkPadNL
- 3 points ·
- 3 months ago
- I fixed it. I had only forwarded the TCP port instead of UDP. That won't work, as I understand that WireGuard is UDP.
- Internet is working now (showing my home IP when connected to LTE on my phone). However, I cannot browse my internal network yet. But that is probably a configuration I need to make in WireGuard.
- level 1
- Comment deleted by user
- 3 months ago
- level 2
- Comment deleted by user
- 3 months ago
- level 2
- Mattfusf
- 1 point ·
- 2 months ago
- Warning: modules_install: missing 'System.map' file. Skipping depmod.
- Running an update on an existing installation and am getting the same. Did you find a way to fix this?
- level 1
- _hardliner_
- 1 point ·
- 3 months ago
- Wow. I must be really stupid because I can't get it to work. I even went to dnsleaktest.com and it still shows me connected to Charter's servers even though it acts like it's working on the Raspberry Pi. I installed Wireguard on my Android phone, scanned the QR code, turned Wireguard and turned off my WiFi. Doing that causes me no Internet connection. Fuck.
- level 2
- camwow13
- 3 points ·
- 2 months ago
- · edited 2 months ago
- You ever figure out what the issue was? I can get my phone and the server to handshake but then nothing happens after that.
- I did it! As I learned from this write up I had to switch the interface for PostUp and PostDown in wg0.conf from eth0 to wlan0 since I'm currently using WiFi (I know I know, just playing around).
- Awesome, well now I can call this learning project a success.
- level 1
- Comment deleted by user
- 2 months ago
- level 2
- _hardliner_
- 1 point ·
- 2 months ago
- That's what I have been doing.
- level 1
- NLL-APPS
- 1 point ·
- 2 months ago
- Are we supposed to use "eth0" or the actual randomized name? For example, on my test Pi there is no eth0 but enxb827e239.
- level 1
- quatschFX
- 1 point ·
- 1 month ago
- Thanks for putting this guide together.
- Everything is working, minus client1 cannot ping any other computer on the local network (i.e. another server behind Pi-hole, like a NAS). Is there something I need to change with AllowedIPs or the firewall maybe?
- level 1
- kenny_fuckin_loggins
- 1 point ·
- 1 month ago
- For anyone else that struggled with Pihole not working when set to "listen on all interfaces": in the Settings/DNS page of the UI keep it set to eth0 or wlan0 only. Then add interface=wg0 right after interface=eth0 in the file /etc/dnsmasq.d/01-pihole.conf. Restart the DNS server. Should persist through reboot
- level 2
- Totila_
- 2 points ·
- 1 month ago
- AFAIK, 01-pihole.conf will get overridden on Pi-hole update/reconfigure, better to create a second conf file, e.g. 02-pihole.conf and add the setting there. This custom file will stay as is even if Pi-hole makes changes to 01-pihole.conf
- Both files' settings will get merged by pihole on runtime so it should still work as expected.
- level 1
- reesericci
- 1 point ·
- 1 month ago
- · edited 1 month ago
- I made a shell script to easily create new clients in WireGuard
- The script is available on GitHub at https://github.com/reesericci/wireguard.sh
- Also when you are done move all your client configs into /etc/wireguard/client and move all your keys into /etc/wireguard/keys (there will be a subset of folders in the keys folder, so move all your key files correspondingly).
- level 1
- dantheman4700
- 1 point ·
- 1 month ago
- I can scan the QR code on my iPhone and turn the VPN on but I can't access the internet. In the log it is saying can't complete handshake. Any ideas?
- level 1
- Totila_
- 1 point ·
- 1 month ago
- · edited 1 month ago
- u/vaporisharc92
- Any specifics on how to setup pihole to use together with wireguard?
- Is there a certain order of installs required? What would you suggest, wireguard first or pihole followed by wireguard?
- I understand both are only connected via the wireguard client's DNS setting pointing to the Pihole's IP (which is either the IPv4 IP from eth0 or wlan0).
- Is that correct?
- Many thanks for the guide and your answer.
- level 1
- cornishgiant
- 1 point ·
- 1 month ago
- There seems to be some conflict here in how to set up the client conf files:
- in client1.conf we are told to put:
- [Peer]
- PublicKey = server_publickey
- Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
- AllowedIPs = 0.0.0.0/0, ::/0
- #PersistentkeepAlive = 60
- whereas the instructions for multiple devices (client2.conf) says:
- [Peer]
- PublicKey = server_publickey
- Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
- AllowedIPs = 192.168.1.0/24
- #PersistentkeepAlive = 60
- The reason I raise this is that I have set up multiple devices (6) - client 1 (my phone) works fine, client 6 (my wife's phone) connects fine but has no internet activity
- I think client1.conf is correct and therefore I have used that (i.e. all 6 conf files I have say AllowedIPs = 0.0.0.0/0, ::/0), or have I got this wrong?
- level 2
- marco79cgn
- 1 point ·
- 9 days ago
- As mentioned in the HowTo, the difference is:
- AllowedIPs: 0.0.0.0/0, ::/0 (allows all traffic to route through wg aka full tunnel)
- (OR)
- AllowedIPs: 192.168.1.0/24 (allows split tunnel with LAN access and DNS only, your router's subnet)
- If you use the second option, only DNS queries will be routed through your Wireguard server. You have to change the ip range in that second option so that it fits to your local LAN subnet. In my case it is 192.168.178.0/24.