Untitled
a guest
Aug 22nd, 2019
[Guide] How to install WireGuard on a Raspberry Pi (full tunnel + split tunnel) using Pi-Hole as DNS.
Posted by u/vaporisharc92
3 months ago

If you’re interested check out this config reference. It may help you get a better understanding if you get stuck while following along. There's also /r/WireGuard if you need help!

FOR THE UNINITIATED: Please do some research on these topics before you begin: Full Tunnel vs Split Tunnel, DDNS, Subnet, Port Forwarding, LAN, & Public IP.

I see threads popping up here from time to time asking for an easy-to-follow guide on how to install WireGuard on a Raspberry Pi. There are a couple of guides out there on how to do this, but I couldn’t find one that covered everything from A to Z. So I wanted to make one on how to get it installed on your Pi and have it use Pi-Hole as DNS. While it’s easier to install this with a few clicks on DietPi, the Pi is meant to be a cheap learning tool, so I encourage you to do this manually instead. I will divide this guide into 6 parts so hopefully it's easy for you to follow (Part 5 can be skipped if you prefer to do that bit manually, more info near the end of the post):

PART 1: SETUP WIREGUARD

sudo su

# ↑ You need root privileges for this, so be sure to enter this first

apt install raspberrypi-kernel-headers libelf-dev libmnl-dev build-essential git

# ↑ Some of these dependencies are already installed on your Pi, but run the whole command anyway just to be sure (it varies between models)

There are two ways to proceed from here, pick whichever method you prefer:

(IMPORTANT: Method B will NOT work for these models: Pi 1, Pi 2 (except v1.2), Zero & Zero W. If you're using one of these your only choice is Method A. The CPUs in these models lack some of the features of the ARMv7 architecture, so the prebuilt package from Method B crashes with a “Segmentation fault” error on them.)

Method A (manual compilation):

git clone https://git.zx2c4.com/WireGuard

cd WireGuard/

cd src/

make

# ↑ If you get an error here that says "No such file or dir" you're probably on an older kernel. Fix it by running 'sudo BRANCH=stable rpi-update' (refer to “Troubleshooting” at the end to update it manually)

make install

(The “make” command may take a few minutes to finish.)

Method B (apt repo; if you install using this method you can keep WireGuard up to date through apt, with 'apt update' followed by 'apt upgrade'):

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list

printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable

# ↑ These commands may change in the future; when this post gets old, go to this link and check before running them (check the section for Debian): https://www.wireguard.com/install/

apt update

# ↑ Ignore the error: it is apt reporting that the Debian archive signing keys are not yet trusted (NO_PUBKEY); the next three commands import them

apt install dirmngr

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7638D0442B90D010

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC

apt update

apt install wireguard

Once WireGuard is done installing using either method, we're gonna enable IP forwarding and then reboot the Pi:

perl -pi -e 's/#{1,}?net.ipv4.ip_forward ?= ?(0|1)/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

reboot

After rebooting, verify that IP forwarding was enabled before proceeding to the next part. To do that enter the following; the output should be 'net.ipv4.ip_forward = 1':

sysctl net.ipv4.ip_forward
PART 2: GENERATE PRIVATE AND PUBLIC KEYS FOR SERVER AND CLIENT

sudo su

cd /etc/wireguard

umask 077

# ↑ Files created from now on are readable by root only, so the private keys never end up world-readable

wg genkey | tee peer1_privatekey | wg pubkey > peer1_publickey

wg genkey | tee server_privatekey | wg pubkey > server_publickey

ls

# ↑ Verify the keys got generated; the output should be:

peer1_privatekey peer1_publickey server_privatekey server_publickey

You can view your keys using the cat command like so:

cat server_publickey

cat server_privatekey

cat peer1_publickey

cat peer1_privatekey

(We’re gonna need these keys in the next 2 parts)
PART 3: CONFIGURE WIREGUARD SERVER

Make a wg0.conf file in ‘/etc/wireguard/’:

nano /etc/wireguard/wg0.conf

Copy and paste the following template and make changes as needed. Make sure to enter the right key in the right line. Again, DOUBLE CHECK THE KEYS WHEN ENTERING THEM:

[Interface]
Address = 10.9.0.1/24
ListenPort = xxxxx
DNS = 192.168.x.xx
PrivateKey = server_privatekey

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#Peer-1
PublicKey = peer1_publickey
AllowedIPs = 10.9.0.2/32
#PersistentKeepalive = 60

(‘Ctrl + x’ then ‘y’ to exit and save the changes.)

Lines you need to modify:

ListenPort: The UDP port you're gonna forward on your router

DNS: Pi-Hole’s IP

PrivateKey: Enter the key you get from 'cat server_privatekey' (the key itself, not the file name)

PostUp & PostDown: Change 'eth0' to 'wlan0' in both lines if you're connected via Wi-Fi. If your network interface has a different name, find it using 'ifconfig' (or 'ip link') and use that name instead. Leave %i as it is; wg-quick replaces it with the interface name (wg0).

PublicKey: Enter the key you get from 'cat peer1_publickey'

PersistentKeepalive: Uncomment this line (remove the #) if the peer is behind a NAT and you want the connection to stay alive.
PART 4: CONFIGURE WIREGUARD CLIENT

Make a peer1.conf file in ‘/etc/wireguard/’:

nano /etc/wireguard/peer1.conf

Copy and paste the following template and make changes as needed. DOUBLE CHECK THE KEYS WHEN ENTERING THEM:

[Interface]
Address = 10.9.0.2/32
DNS = 192.168.x.x
PrivateKey = peer1_privatekey

[Peer]
PublicKey = server_publickey
Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
AllowedIPs = 0.0.0.0/0, ::/0
#PersistentKeepalive = 60

Lines you need to modify:

DNS: Pi-Hole’s IP

PrivateKey: Enter the key you get from 'cat peer1_privatekey'

PublicKey: Enter the key you get from 'cat server_publickey'

Endpoint: Your-Public-IP or DDNS name, a colon, then The-Port-You-Forwarded

AllowedIPs: 0.0.0.0/0, ::/0 (routes all traffic through wg, aka full tunnel)

(OR)

AllowedIPs: 192.168.1.0/24 (split tunnel: only traffic to your router's subnet, which includes Pi-Hole for DNS, goes through wg; change it to match your LAN's subnet)
PART 5: EXPORT THE CLIENT CONFIGURATION TO YOUR PHONE USING A QR CODE

(Manual export method further down the post; you don’t need to install qrencode if you take that route, so skip ahead, do it, then continue from Part 6.)

apt install qrencode

qrencode -t ansiutf8 < /etc/wireguard/peer1.conf

A QR code will be generated; scan it with the WireGuard app on your phone to import the profile. Install the app and do that now. (The QR code contains peer1's private key, so don't leave it on screen longer than the import needs.)
PART 6: FINALISE INSTALLATION

After your client profile has been imported to your phone, run the following commands to finish up the installation on the Pi:

systemctl enable wg-quick@wg0

chown -R root:root /etc/wireguard/

chmod -R og-rwx /etc/wireguard/*

(The first command enables WireGuard to autostart on boot; the last two secure the contents of ‘/etc/wireguard/’ so that only root can read them, as the directory holds your private and public keys plus the VPN configuration files.)

Next, go to your Pi-Hole admin console's 'Settings > DNS' and enable the following:

Listen on all interfaces (allows only queries from devices that are at most one hop away, i.e. local devices)

Then start WireGuard:

wg-quick up wg0

(Replace ‘up’ with ‘down’ in the same command to stop the service.)

Finally, reboot your Pi and run 'sudo wg' to see the status of your wg instance.

That's basically it!

You should now have a working WireGuard VPN server using Pi-Hole as DNS with access to all your LAN devices. To verify that everything is working as expected (Note: don’t skip rebooting after everything is set!):

Run a DNS leak test at dnsleaktest.com. You’ll see your public IP (your mobile carrier's IP in split tunnel), and in the test result page you'll see the upstream DNS servers you set for your Pi-Hole.

In the app, check that the “Data sent” and “Data received” counters increase while connected.

Check the ‘Query Log’ page in Pi-hole’s admin console. You’ll see queries coming from the wg client IP (10.9.0.2 in this case).

(Note: Refer to ‘Troubleshooting’ at the end if you’re having connection issues.)
TIPS:

You can access Pi-Hole’s admin console using wg’s server IP (‘10.9.0.1/admin’ in this case) when connected to the VPN (in a split tunnel this only works if 10.9.0.0/24 is also in the client's AllowedIPs; otherwise use Pi-Hole's LAN IP).

I recommend importing the same config twice and setting one as a full tunnel and the other as a split tunnel (scan and import the same QR code twice and manually change the “Allowed IPs” for the second one in the app). That way you can switch between the two modes as you please.

Officially WireGuard works over UDP only, so make sure you forward a UDP port on your router; a random 4/5-digit port will do.

If you have set up a DDNS domain for your IP address, add a host record to Pi-hole's settings with ‘pihole -a hostrecord Your_DDNS PiHole_IP’. If you don't do this, some clients on Android will not be able to connect to the VPN server when inside the internal network (while it will work from outside).

If you have more than one Pi-Hole set up, you can add its IP to the ‘DNS’ line in wg0.conf and peer1.conf, separated by a comma (DNS = Pihole-IP,Pihole2-IP).

Install fail2ban for extra security: 'sudo apt install fail2ban' (this protects the Pi's other services such as SSH; WireGuard itself silently drops bad handshakes and logs nothing for fail2ban to act on).

If ufw is installed (recommended), add a rule for the forwarded port: 'sudo ufw allow forwarded-port/udp'
MANUALLY EXPORT CLIENT CONFIGURATION (IF YOU SKIPPED PART 5):

To manually export the peer1.conf file to your phone:

cd /etc/wireguard/

python -m SimpleHTTPServer 8482

# ↑ On Python 3 the equivalent is 'python3 -m http.server 8482'

Then on your phone’s browser go to Pi-hole-IP:8482 and download it. Stop the server with Ctrl+C as soon as the download is done: while it runs it serves every file in /etc/wireguard/, including the server's private key, unencrypted to anyone on your LAN. Delete the file from your phone’s memory after importing it to the app.
ADDING MULTIPLE CLIENTS:

Generate a public and private key for the 2nd client:

sudo su

cd /etc/wireguard/

umask 077

wg genkey | tee peer2_privatekey | wg pubkey > peer2_publickey

ls

peer2_privatekey peer2_publickey

Then edit the wg0.conf file:

nano /etc/wireguard/wg0.conf

Paste at the end:

[Peer]
#Peer-2
PublicKey = peer2_publickey
AllowedIPs = 10.9.0.3/32
#PersistentKeepalive = 60

Then make a peer2.conf file:

nano /etc/wireguard/peer2.conf

Paste (use Part 4 as reference):

[Interface]
Address = 10.9.0.3/32
DNS = 192.168.x.x
PrivateKey = peer2_privatekey

[Peer]
PublicKey = server_publickey
Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
AllowedIPs = 192.168.1.0/24
#PersistentKeepalive = 60

Then export it:

qrencode -t ansiutf8 < /etc/wireguard/peer2.conf

(Note: You’re free to add as many clients as you want this way, with IPs ranging from 10.9.0.2 to 10.9.0.254. Be sure not to assign the same IP to different clients, as that’ll introduce conflicts, and give each client its own key pair, since WireGuard matches traffic to a peer by its public key. Restart wg with 'wg-quick down wg0 && wg-quick up wg0' (or reboot) so the new peer is picked up.)

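The add-a-client steps above, automated as an added example (constructed for this guide, not code from the original post). It reserves the next free 10.9.0.x address by parsing wg0.conf, rejects a mistyped key by its base64 shape, renders the same [Peer] and client blocks as Parts 3 and 4, and refuses duplicate addresses; the `add_peer` command, its arguments and the WG_DIR variable are my assumptions, as is that `wg` is installed.

```shell
#!/bin/sh
# add-peer.sh: constructed example for this guide, not code from the original
# post. It automates "ADDING MULTIPLE CLIENTS": generate a key pair, reserve
# the next free 10.9.0.x address, append the [Peer] block to wg0.conf and write
# NAME.conf for the client, refusing mistyped keys and duplicate addresses.
# Assumed layout (as in the guide): server 10.9.0.1/24, one /32 per peer,
# keys in /etc/wireguard, `wg` installed. The parsing helpers need only POSIX sh.
set -eu

WG_DIR="${WG_DIR:-/etc/wireguard}"
PREFIX="10.9.0"
PREFIX_RE=$(printf '%s' "$PREFIX" | sed 's/\./\\./g')   # regex-escaped dots

# A WireGuard key is 32 bytes of base64: 42 characters, one character whose
# low two bits are zero (the padding bits), then a single "=". Anything else
# was mistyped or truncated when copied from the cat output in Part 2.
valid_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Lowest host in PREFIX.2 .. PREFIX.254 that no AllowedIPs line in the server
# config already claims. Returns status 1 when all 253 slots are used.
next_free_ip() {
    conf="$1"; n=2
    while [ "$n" -le 254 ]; do
        if ! grep -E '^[[:space:]]*AllowedIPs' "$conf" 2>/dev/null \
           | grep -Eq "[=,][[:space:]]*${PREFIX_RE}\\.${n}/32([[:space:]]*,|[[:space:]]*"'$)'; then
            printf '%s.%s\n' "$PREFIX" "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# [Peer] block appended to wg0.conf, same shape as the guide's Peer-2 block.
render_server_peer() {  # NAME PUBKEY IP
    printf '\n[Peer]\n#%s\nPublicKey = %s\nAllowedIPs = %s/32\n#PersistentKeepalive = 60\n' \
        "$1" "$2" "$3"
}

# Client config, same shape as Part 4. Defaults to the split-tunnel
# AllowedIPs; pass "0.0.0.0/0, ::/0" as the sixth argument for a full tunnel.
render_client_conf() {  # PRIVKEY IP DNS SERVER_PUBKEY ENDPOINT [ALLOWEDIPS]
    printf '[Interface]\nAddress = %s/32\nDNS = %s\nPrivateKey = %s\n\n' "$2" "$3" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s\n#PersistentKeepalive = 60\n' \
        "$4" "$5" "${6:-192.168.1.0/24}"
}

# add_peer NAME DNS ENDPOINT [ALLOWEDIPS]  (run as root, like the guide's steps)
add_peer() {
    name="$1"; dns="$2"; endpoint="$3"; allowed="${4:-192.168.1.0/24}"
    conf="$WG_DIR/wg0.conf"
    [ -r "$conf" ] || { echo "missing $conf; do Part 3 first" >&2; return 1; }
    [ ! -e "$WG_DIR/$name.conf" ] || { echo "$name.conf already exists" >&2; return 1; }
    umask 077                                   # new files readable by root only (Part 2)
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(cat "$WG_DIR/server_publickey")
    valid_key "$priv" && valid_key "$pub" && valid_key "$server_pub" ||
        { echo "a key failed the format check; regenerate it" >&2; return 1; }
    ip=$(next_free_ip "$conf") || { echo "no free address left in $PREFIX.0/24" >&2; return 1; }
    printf '%s\n' "$priv" > "$WG_DIR/${name}_privatekey"
    printf '%s\n' "$pub"  > "$WG_DIR/${name}_publickey"
    render_server_peer "$name" "$pub" "$ip" >> "$conf"
    render_client_conf "$priv" "$ip" "$dns" "$server_pub" "$endpoint" "$allowed" \
        > "$WG_DIR/$name.conf"
    # If wg0 is already up, load just the new peer without restarting the tunnel.
    if wg show wg0 >/dev/null 2>&1; then
        render_server_peer "$name" "$pub" "$ip" | wg addconf wg0 /dev/stdin
    fi
    echo "added $name as $ip; config in $WG_DIR/$name.conf"
    # Part 5: show the QR code for the phone app when qrencode is installed.
    if command -v qrencode >/dev/null 2>&1; then
        qrencode -t ansiutf8 < "$WG_DIR/$name.conf"
    fi
}

# Usage: sh add-peer.sh add peer2 192.168.1.2 your.ddns.example:51820
case "${1:-}" in
    add) shift; add_peer "$@" ;;
esac
```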
KEEPING WIREGUARD UP-TO-DATE (if you installed using Method A in Part 1):

To check for updates:

sudo su

cd WireGuard/

git pull

cd src/

make

If an update is available then:

make install

IMPORTANT: If you get the following when you run 'git pull':

error: Your local changes to the following files would be overwritten by merge:
src/version.h
Please commit your changes or stash them before you merge.
Aborting

Stash your local changes and retry:

git stash

git pull

Alternatively, you can run:

git checkout filename

git pull

Or:

git reset --hard

git pull

Check out this link for more info.
TROUBLESHOOTING:

[1] On rare occasions performing ‘apt upgrade’ will upgrade 'raspberrypi-kernel' and 'raspberrypi-kernel-headers' and cause WireGuard to stop working, because its module was not compiled for the updated kernel (if it’s happening on a clean OS install, the kernel may need to be updated). If you run 'sudo systemctl status wg-quick@wg0' you’ll get an error like this:

wg-quick[748]: RTNETLINK answers: Operation not supported
wg-quick[748]: Unable to access interface: Protocol not supported

To fix this, first check if the wg module is loaded using:

lsmod | grep wireguard

If it's not loaded run:

sudo dpkg-reconfigure wireguard-dkms
sudo modprobe wireguard

(dpkg-reconfigure rebuilds the module installed by Method B; for a Method A install, rerun 'make' and 'make install' in WireGuard/src instead.)

If modprobe fails you can get messages from the kernel using:

dmesg | grep wireguard

Start wg again once you’re done:

sudo wg-quick up wg0

If that didn’t work, update the kernel:

sudo BRANCH=stable rpi-update

Or manually grab it (steps on how to in the link under ‘Options’) from the stable branch (you can go to a specific kernel by clicking the <> icon on the right side of each commit) and rerun the commands. Check your kernel version with 'uname -r'; you’ll want to ensure your version number is the same as the latest stable release.

[2] After setting everything up, if you're having issues connecting to the internet [assuming you set everything correctly (you can check your config with a public DNS)], in Pi-Hole’s admin console select the option 'Listen only on interface eth0' ('wlan0' if on Wi-Fi) instead and it should work. On a VM I can get it to work by selecting this option, but on a 3B+ and Zero W that I tested on it only worked with 'all interfaces (local)' enabled.

In normal circumstances this isn’t needed, but if that also fails there’s one more thing you can try with ‘all interfaces (local)’ enabled:

Make a file called 02-wireguard.conf in /etc/dnsmasq.d/

sudo nano /etc/dnsmasq.d/02-wireguard.conf

Paste:

interface=wg0

Then restart wg and Pi-Hole DNS:

sudo systemctl restart wg-quick@wg0 && pihole restartdns

Hope this helps.
58 comments · 99% Upvoted
level 1: anditails · 18 points · 3 months ago

Thank you for the great guide.

There is an easier route if the above looks a bit daunting for anyone:

Install DietPi distro

Choose PiHole and Wireguard from the Software install menu

Choose server setup (rather than client) when the Wireguard installer asks

Profit.

Yup, really that easy. DietPi runs in VMs too.

level 2: naddel81 · 1 point · 1 month ago

does that include the Pi Zero (Method A)?

level 2: naddel81 · 1 point · 1 month ago

cannot find wireguard on dietpi-setup anywhere. PiHole was selectable.

level 2: naddel81 · 1 point · 1 month ago

https://abload.de/img/wireguardpi08jcn.png

level 1: harrison172 · 8 points · 3 months ago

Great straightforward guide! Best one I've seen so far. Thanks! I've always done my WG configs by hand and it was a pain to generate the client key and then copy that back over to the server. Wasn't aware of the QR code generation.

level 2: vaporisharc92 · 7 points · 3 months ago

No worries! Been meaning to do it for a while now, glad you found it helpful.

level 1: cornishgiant · 5 points · 3 months ago

How do you add multiple devices?

level 2: vaporisharc92 · 4 points · 3 months ago

Check my edit

level 2: lordderplythethird · 3 points · 3 months ago

Generate as many client public/private keys as you need, and then create as many corresponding client tables as you need, while making sure to give unique names and either extending the subnet that is available, or giving each client their own specific IP

level 1: LeNerdNextDoor · 3 points · 3 months ago

How do I decide what port I forward? I get most of the tutorial except the port forwarding thing. I'd like to understand it.

level 2: lordderplythethird · 4 points · 3 months ago

You simply choose one. You'll want to avoid the commonly used ports (22, 53, 80, 443, etc), but you'll just choose the port number you want to allow outside devices (in this case your phone) to communicate directly with the local device in question (in this case the pi).

level 2: Luckz777 · 2 points · 3 months ago

Eg. for forwarding port 51413 (TCP) to 10.9.0.2, add it on the WIREGUARD SERVER:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A PREROUTING -p tcp -m tcp --dport 51413:51413 -j DNAT --to-destination 10.9.0.2

PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -D PREROUTING -p tcp -m tcp --dport 51413:51413 -j DNAT --to-destination 10.9.0.2

level 1: LeNerdNextDoor · 2 points · 3 months ago

Followed the guide exactly except using wlan0 instead of eth0. Enabled wireguard but it didn't seem to work. Telegram was working and so was google but reddit or github failed to load (dns bad config error). Pihole was set to `listen on all interfaces (one hop away)`.

Pihole dashboard was inaccessible from pi.hole/admin but 192.168.x.x/admin seemed to work which leads me to think it was a dns resolving problem (telegram has hardcoded IPs too). I have set pihole back to wlan0 in the meanwhile but would appreciate if someone could tell me where I went wrong.

Allowing all origins did not help either.
level 1: SmoresTiger · 2 points · 3 months ago · edited 3 months ago

Thank you so much! I've been trying to do this forever.
edit: Is there a way to add 2 piholes as DNS servers? When I add my second pihole ip address I can't connect to it.

level 1: CoccodrillooXDS · 2 points · 1 month ago

Thank you for this guide!!!

(and thanks to my friend that suggested me to try with WireGuard instead of OpenVPN) (I've been trying to do with OpenVPN for 6 hours today but it wasn't working at all)

level 1: macjasp · 2 points · 12 days ago

Absolute props to the OP on this. Flawless documentation, the only difference I have had to make (because my Pi-Hole is also my DHCP server) was to add 67/UDP & 68/UDP as additional rules in my UFW so that clients could continue to get an IP address from the DHCP pool.

level 1: marco79cgn · 2 points · 1 day ago

Thanks for this great guide! It worked great until an unattended system upgrade broke my wireguard last night. I was able to fix it with your troubleshooting [1] instructions. I had to upgrade the Kernel as well (Raspberry Pi 4, Raspbian Buster).

What's really strange is that at the beginning of each installation, there is no internet when connecting via Wireguard. I can fix this by changing the Pihole settings to "Listen only on interface eth0", save it, and then change it back to "Listen on all interfaces". No idea why but this worked the second time in a row in my case. Maybe it works for others as well.

level 1: klausita · 2 points · 3 months ago

Main differences with Zerotier one?

Can the 2 coexist?

level 1: LeNerdNextDoor · 1 point · 3 months ago

Would changing eth0 to wlan0 work if I want to use my zero w?

level 2: Ruben_NL · 3 points · 3 months ago

yes. that should work

level 1: gunduthadiyan · 1 point · 3 months ago

Very nice write up, thanks for putting the time into doing this, I am sure a lot of people will find it useful. I have a few suggestions.

I don't think you can have comments in your wireguard server conf & client conf. Also if possible bold the comments in parenthesis so that the end user will remove it when they set things up.

Have you tried also doing unbound on a rasp pi? I don't have one, and not sure how the performance will be, but it would be great if you can add that in too.

level 1: filippomito · 1 point · 3 months ago · edited 3 months ago

Have you tried the half tunnel configuration?

I'm using dnssec verification but using splittun I fail the dnssec test, it passes only in full tunnel :(

EDIT: Content filtering seems to work, but dnssec is failing, also dnsleak

level 1: Clevererer · 1 point · 3 months ago

Sorry for the newb question, but is WireGuard a paid service like other VPNs?

level 2: LeNerdNextDoor · 3 points · 3 months ago

No, you actually set up your own VPN service using wireguard

level 1: ThinkPadNL · 1 point · 3 months ago

I have installed Wireguard on my Ubuntu VM (which hosts my Pi-hole) with this script (after I modified it so it detects my correct WAN IP, as explained in one of the Github issues). But I cannot get any traffic flowing from my iPhone to Wireguard.

In my router (EdgerouterX) I have forwarded the corresponding WG port (59783 UDP) but the traffic counters don't increase in the Edgerouter. Does anyone have suggestions on what to check?

level 2: ThinkPadNL · 3 points · 3 months ago

I fixed it. I had only forwarded the TCP port instead of UDP. That won't work, as I understand that Wireguard is UDP.

Internet is working now (showing my home IP when connected to LTE on my phone). However, I cannot browse my internal network yet. But that is probably a configuration I need to make in Wireguard.

level 1: Comment deleted by user · 3 months ago

level 2: Comment deleted by user · 3 months ago

level 2: Mattfusf · 1 point · 2 months ago

Warning: modules_install: missing 'System.map' file. Skipping depmod.

Running an update on an existing installation and am getting the same. Did you find a way to fix this?

level 1: _hardliner_ · 1 point · 3 months ago

Wow. I must be really stupid because I can't get it to work. I even went to dnsleaktest.com and it still shows me connected to Charter's servers even though it acts like it's working on the Raspberry Pi. I installed Wireguard on my Android phone, scanned the QR code, turned Wireguard on and turned off my WiFi. Doing that causes me no Internet connection. Fuck.
level 2: camwow13 · 3 points · 2 months ago · edited 2 months ago

You ever figure out what the issue was? I can get my phone and the server to handshake but then nothing happens after that.

I did it! As I learned from this write up I had to switch the interface for PostUp and PostDown in wg0.conf from eth0 to wlan0 since I'm currently using WiFi (I know I know, just playing around).

Awesome, well now I can call this learning project a success.

level 1: Comment deleted by user · 2 months ago

level 2: _hardliner_ · 1 point · 2 months ago

That's what I have been doing.

level 1: NLL-APPS · 1 point · 2 months ago

Are we supposed to use "eth0" or the actual randomized name? For example for my test PI there is no eth0 but enxb827e239.

level 1: quatschFX · 1 point · 1 month ago

Thanks for putting this guide together.

Everything is working, minus client1 cannot ping any other computer on the local network (i.e. another server behind pi-hole, like a NAS). Is there something I need to change with AllowedIPs or firewall maybe?

level 1: kenny_fuckin_loggins · 1 point · 1 month ago

For anyone else that struggled with Pihole not working when set to "listen on all interfaces": in the Settings/DNS page of the UI keep it set to eth0 or wlan0 only. Then add interface=wg0 right after interface=eth0 in the file /etc/dnsmasq.d/01-pihole.conf. Restart the DNS server. Should persist through reboot

level 2: Totila_ · 2 points · 1 month ago

AFAIK, 01-pihole.conf will get overridden on pihole update/reconfigure, better to create a second conf file, e.g. 02-pihole.conf and add the setting there. This custom file will stay as is even if pihole makes changes to 01-pihole.conf

Both files' settings will get merged by pihole at runtime so it should still work as expected.

level 1: reesericci · 1 point · 1 month ago · edited 1 month ago

I made a shell script to easily create new clients in WireGuard

The script is available on GitHub at https://github.com/reesericci/wireguard.sh

Also when you are done move all your client configs into /etc/wireguard/client and move all your keys into /etc/wireguard/keys (there will be a subset of folders in the keys folder so move all your key files correspondingly).

level 1: dantheman4700 · 1 point · 1 month ago

I can scan the qr code on my iphone and turn the vpn on but I can't access the internet. In the log it is saying can't complete handshake. Any ideas?

level 1: Totila_ · 1 point · 1 month ago · edited 1 month ago

u/vaporisharc92

Any specifics on how to setup pihole to use together with wireguard?

Is there a certain order of installs required? What would you suggest, wireguard first or pihole followed by wireguard?

I understand both are only connected via the wireguard client's DNS setting pointing to the Pihole's IP (which is either the IPv4 IP from eth0 or wlan0).

Is that correct?

Many thanks for the guide and your answer.

level 1: cornishgiant · 1 point · 1 month ago

There seems to be some conflict here in how to set up the client conf files:

in client1.conf we are told to put:

[Peer]
PublicKey = server_publickey
Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
AllowedIPs = 0.0.0.0/0, ::/0
#PersistentkeepAlive = 60

whereas the instructions for multiple devices (client2.conf) say:

[Peer]
PublicKey = server_publickey
Endpoint = YOUR-PUBLIC-IP/DDNS:ListenPort
AllowedIPs = 192.168.1.0/24
#PersistentkeepAlive = 60

The reason I raise this is that I have set up multiple devices (6) - client 1 (my phone) works fine, client 6 (my wife's phone) connects fine but has no internet activity

I think client1.conf is correct and therefore I have used that (i.e. all 6 conf files I have say Allowed IPs = 0.0.0.0/0, ::/0), or have I got this wrong?

level 2: marco79cgn · 1 point · 9 days ago

As mentioned in the HowTo, the difference is:

AllowedIPs: 0.0.0.0/0, ::/0 (allows all traffic to route through wg aka full tunnel)

(OR)

AllowedIPs: 192.168.1.0/24 (allows split tunnel with LAN access and DNS only, your router's subnet)

If you use the second option, only DNS queries will be routed through your Wireguard server. You have to change the ip range in that second option so that it fits to your local LAN subnet. In my case it is 192.168.178.0/24.