WireGuard is a virtual private network (VPN): it gives you a secure, encrypted tunnel for your traffic and lets you reach a remote private network. Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. Unbound is a validating, recursive, caching DNS resolver.
- Wireguard
- Pi-Hole
- Unbound
This guide combines the three services so that every device connected to the VPN also passes through Pi-hole and Unbound. Having a VPN also reinforces the security of your overall infrastructure, because you can combine it with a Traefik IP whitelist.
Credits to @IAmStoxe.
```text
.
|-- docker-compose.yml
|-- etc-dnsmasq.d/
|-- etc-pihole/
|-- unbound/
`-- wireguard/
```
- docker-compose.yml - a docker-compose file, used to configure your application's services
- etc-dnsmasq.d/ - a directory used to store dnsmasq configs
- etc-pihole/ - a directory used to store your Pi-hole configs
- wireguard/ - a directory used to store WireGuard data, including ready-to-use client configuration files
- unbound/ - a directory used to store Unbound data
Please make sure that all the files and directories are present.
Links to the following docker-compose.yml and the corresponding .env.
- docker-compose.yml
```yaml
version: "3"
services:
  unbound:
    image: mvance/unbound:latest
    container_name: unbound
    restart: unless-stopped
    hostname: unbound
    volumes:
      - ./unbound:/opt/unbound/etc/unbound/
    networks:
      private_network:
        ipv4_address: 10.2.0.200
    labels:
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"

  wireguard:
    depends_on: [unbound, pihole]
    image: linuxserver/wireguard
    container_name: wireguard
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SERVERPORT=51820
      - SERVERURL=${SERVERURL} # optional
      - PEERS=${PEERS} # How many peers to generate for you (clients)
      - PEERDNS=10.2.0.100 # Set it to point to pihole
      - INTERNAL_SUBNET=10.6.0.0
    volumes:
      - ./wireguard:/config
      - /lib/modules:/lib/modules
    ports:
      - "51820:51820/udp"
    dns:
      - 10.2.0.100 # Points to pihole
      - 10.2.0.200 # Points to unbound
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    networks:
      private_network:
        ipv4_address: 10.2.0.3
    labels:
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"

  pihole:
    depends_on: [unbound]
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    hostname: pihole
    dns:
      - 127.0.0.1
      - 10.2.0.200 # Points to unbound
    environment:
      TZ: "Europe/Paris"
      WEBPASSWORD: "" # Blank password - Can be whatever you want.
      ServerIP: 10.2.0.100 # Internal IP of pihole (its address on private_network below)
      DNS1: 10.2.0.200 # Unbound IP
      DNS2: 10.2.0.200 # If we don't specify two, it will auto pick google.
    # Volumes store your data between container upgrades
    volumes:
      - "./etc-pihole/:/etc/pihole/"
      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    networks:
      private_network:
        ipv4_address: 10.2.0.100
    labels:
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"

networks:
  private_network:
    ipam:
      driver: default
      config:
        - subnet: 10.2.0.0/24
```
- .env
```ini
SERVERURL=vpn.example.com
# How many peers to generate for you (clients)
PEERS=2
# user PUID and group PGID - can be found by running `id your-user`
PUID=1000
PGID=1000
# Timezone for the wireguard container (docker-compose.yml references ${TZ}); same value pihole uses
TZ=Europe/Paris
```
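The whole point of the compose file above is a DNS chain: VPN peers are handed Pi-hole as resolver, and Pi-hole forwards only to Unbound. The following script is an added example, not part of the original guide, that cross-checks those addresses before you run `docker-compose up`. It works on a dict in the shape a YAML loader (e.g. PyYAML) produces; the `COMPOSE` literal is a constructed subset of the page's file so the check runs without any extra package.

```python
import ipaddress

def service_ips(compose, network="private_network"):
    # Map service name -> static IPv4 address on the given compose network.
    ips = {}
    for name, svc in compose["services"].items():
        addr = svc.get("networks", {}).get(network, {}).get("ipv4_address")
        if addr:
            ips[name] = ipaddress.ip_address(addr)
    return ips

def env_value(svc, key):
    # Read an env entry written either as a KEY=VALUE list (wireguard) or a mapping (pihole).
    env = svc.get("environment", {})
    if isinstance(env, dict):
        return None if key not in env else str(env[key])
    for item in env:
        k, _, v = item.partition("=")
        if k == key:
            return v.strip()
    return None

def check_dns_chain(compose):
    # Return a list of problems; an empty list means peers -> pihole -> unbound holds.
    ips = service_ips(compose)
    subnet = ipaddress.ip_network(
        compose["networks"]["private_network"]["ipam"]["config"][0]["subnet"])
    problems = [f"{n}: {ip} is outside {subnet}" for n, ip in ips.items() if ip not in subnet]
    wg, ph = compose["services"]["wireguard"], compose["services"]["pihole"]
    if env_value(wg, "PEERDNS") != str(ips["pihole"]):
        problems.append("wireguard: PEERDNS does not point at pihole")
    if env_value(ph, "ServerIP") != str(ips["pihole"]):
        problems.append("pihole: ServerIP differs from its private_network address")
    for key in ("DNS1", "DNS2"):  # both must be unbound, or pihole falls back to Google
        if env_value(ph, key) != str(ips["unbound"]):
            problems.append(f"pihole: {key} should be unbound ({ips['unbound']})")
    return problems

# Constructed subset of the guide's docker-compose.yml: only the fields checked above.
COMPOSE = {
    "services": {
        "unbound": {"networks": {"private_network": {"ipv4_address": "10.2.0.200"}}},
        "wireguard": {"environment": ["PEERDNS=10.2.0.100", "INTERNAL_SUBNET=10.6.0.0"],
                      "networks": {"private_network": {"ipv4_address": "10.2.0.3"}}},
        "pihole": {"environment": {"ServerIP": "10.2.0.100", "DNS1": "10.2.0.200", "DNS2": "10.2.0.200"},
                   "networks": {"private_network": {"ipv4_address": "10.2.0.100"}}},
    },
    "networks": {"private_network": {"ipam": {"config": [{"subnet": "10.2.0.0/24"}]}}},
}
```

`check_dns_chain(COMPOSE)` returns `[]` for the layout above; a Pi-hole `ServerIP` on the wrong subnet or a `DNS2` left pointing at a public resolver shows up as a named finding.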
- A subdomain of your choice for your VPN; this example uses vpn. You should be able to create a subdomain with your DNS provider: use an A record with the same IP address as your root domain.
- Port 51820 open; check your firewall.
The linuxserver images use PUID and PGID, which let the container map its internal user to a user on the host machine; more information here.
To find yours, run `id user`. Replace the environment variables in .env with your own, then run:
```sh
sudo docker-compose up -d
```
- Getting the client configuration file
You should be able to find the required configuration for your clients in the wireguard directory. Each client has an associated folder called peerX.
Inside this folder you can find a QR code for your smartphone as well as a configuration file for your Linux/Windows machines.
- Adding more clients
If you want more clients, change the PEERS value in the .env file and relaunch the service with `sudo docker-compose up -d`.
Once connected to the VPN you should be able to access the Pi-hole admin interface at http://10.2.0.100/admin; for more information regarding Pi-hole you can check the well-written official Pi-hole documentation.
The images are automatically updated with Watchtower thanks to the following label:
```yaml
# Watchtower Update
- "com.centurylinklabs.watchtower.enable=true"
```
A VPN is often a good solution for always having a dedicated IP. If you want to secure your other services, you can limit access to them to the times you are connected to your VPN. An easy way to do that is to add the private IP address range used by Docker (172.16.0.0/12), which your internal IP through the VPN will fall into, to the Traefik whitelist.
Keep in mind that only the containers carrying the following label are subject to this IP restriction.
```yaml
# Ip filtering
- "traefik.http.routers.service-router-name.middlewares=whitelist@file"
```
Docker volumes are globally backed up using borg-backup.