Wireguard on unRaid, and piHole on R-Pi home network

Anyone have this setup working correctly? I'd like to be able to connect to my home network, access local services, and use the PiHole ad-blocker for regular internet browsing. It's worked before, but it's not working now, and I'm not sure what got screwed up.

  • Wireguard VPN on my unRaid server (static 192.168.11.53). unRaid > Settings > VPN Manager > remote tunneled access
  • both "laptop" and "phone" can connect to VPN no problems to access local services
  • neither laptop nor phone can access the internet while connected
  • network connected raspberryPI runs pihole ad-blocker and DHCP on static IP 192.168.11.4

"guide_pihole_on_the_go_with_wireguard" reddit post

[screenshot: vpn-unraid-settings.png]

Laptop WireGuard conf. You can see the only way I could kinda make it work is by specifying 8.8.8.8 for the DNS, which bypasses the pihole blocker and is slow as molasses. If I put in 192.168.11.4, the pihole address, for DNS, nothing works.

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxx
Address = 10.253.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = username.duckdns.org:61801

Edited by dkerlee

I gathered more pertinent network data in the hope that a networking pro comes across this! Fingers crossed.

==================================================
========== Orbi RBR750 ===========================
==================================================
DHCP off
WAN: 174.21.xxx.xxx, PPPoE from Centurylink
DNS: 205.171.3.25, 205.171.2.25
LAN: 192.168.11.1
IP Address: get dynamically IP address from Router, grayed 174.21.xxx.xxx
DNS address: Get automatically from ISP, grayed 205.171.3.25, 205.171.2.25
firmware version: V4.6.8.2
Advanced > Router / AP Mode: Router Mode selected
Advanced > Port forwarding: several ports forwarded to unRaid server (including 61801 > 192.168.11.53:61801)
UPnP: On
Traffic meter: Off
VLAN / Bridge Settings: Enabled, By VLAN tag group: VLAN ID 201, Priority 0, All wired ports, All wireless

==================================================
=================unRaid 6.10.0====================
==================================================
Network settings
Enable Bonding: Yes
Bonding mode: Active-backup (1)
Enable bridging: Yes
Network protocol: IPv4 only
IPv4 address assignment: Static
IPv4 address: 192.168.11.53 /16
IPv4 default gateway: 192.168.11.1
IPv4 DNS server assignment: static
IPv4 DNS server: 192.168.11.1
IPv4 DNS server 2: 208.67.222.222 (opendns.com I think)
IPv4 DNS server 3: 208.67.220.220
Desired MTU: 1500
Enable VLANs: No

Routing table, all IPv4 Protocols
route            gateway
default            192.168.11.1 via br0
10.253.0.2        wg0
10.253.0.3        wg0
172.17.0.0/16        docker0
172.18.0.0/16        br-4df99f81dc0c
192.168.0.0/17        shim-br0
192.168.0.0/16        br0
192.168.128.0/17    shim-br0

Settings > Network > VPN manager (wireguard settings)
local name: unraid vpn
network protocol: IPv4 only
local tunnel network protocol: 10.253.0.0/24
local tunnel address: 10.253.0.1
local endpoint: myname.duckdns.org:61801
Local server uses NAT: yes

Peer name: laptop, remote tunneled access
peer tunnel address: 10.253.0.2
peer DNS server: 192.168.11.1

peer name: phone, remote tunneled access
peer tunnel address: 10.253.0.3
peer DNS server: 192.168.11.1


==================================================
=================raspberry pi piHole==============
==================================================
Pi-hole v5.10, FTL v5.15, Web interface v5.12
Settings > DNS > IPv4 both checked: DNS OpenDNS. Nothing checked for IPv6.
Settings > DNS > Interface settings: Allow only local requests checked
Settings > DHCP > enabled
Settings > DHCP > range of IP to hand out: 192.168.11.201 - 251
Settings > DHCP > Router (gateway) IP address: 192.168.11.1

Ya know, I didn't get it exactly figured out. I ended up following these directions at docs.pi-hole.net. I'll also mention that you should watch the first 50 seconds of this video; it's funny.

That being said, what I NOW have going on are TWO piholes. One is docker, one is on a RaspberryPI 3 (near impossible to get at the moment, sad face). Each one is doing DHCP, but they assign from different pools of IPs. Each pihole has itself + the other as the two DNS servers (clear as mud!?). Here's how I specified two DNS servers in the pihole DHCP settings.

The reason I found that first youtube video up there hilarious is because having the only DNS server at home in the unRaid server kinda lends itself to ... failure. I had much better luck with a single dedicated raspberrypi; then thought I'd double up with unraid>docker>pihole.

I digress: I hope one of these days pihole makes wireguard into the webGUI. But the instructions, while a little fiddly, are working solid for me now, and they take unraid out of the picture for remote access, which I like.

Hope that helps. Happy holidays.

8 hours ago, adminmat said:

I'm having this same issue. Did you find a fix? I have a similar setup except I run PiHole on unraid in a container. It used to work for me but not anymore. 

7 hours ago, rutherford said:

Ya know, I didn't get it exactly figured out.

Since your VPN allocates IP addresses in a different subnet (10.253.x.x), in Pi-hole did you try changing Interface settings to "Permit all origins"?


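A check that ties together the DNS problem in the first post and the "Permit all origins" suggestion just above, added here as an example; it is not code from this thread nor from the unRaid or Pi-hole projects. It parses a WireGuard client conf (the sample is constructed from the laptop conf in the first post, with placeholder keys), reports whether each DNS server address is covered by a peer's AllowedIPs (if not, DNS queries never enter the tunnel at all), and models Pi-hole's "Allow only local requests" setting as dnsmasq's local-service rule: a query is answered only when its source address lies in a subnet attached to one of the Pi-hole's interfaces. The source address the Pi-hole sees is assumed to be the client's tunnel address when the WireGuard server merely routes, and the server's own LAN address when "Local server uses NAT" is on; the Pi-hole LAN 192.168.11.0/24 and the unRaid address 192.168.11.53 are taken from the thread. Function names and the shape of the result are this example's own.

```python
"""Sanity-check a WireGuard client conf against a Pi-hole DNS target (example code)."""
import ipaddress

# Constructed sample, modelled on the laptop conf in the first post; keys are placeholders.
LAPTOP_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.253.0.2/32
DNS = 192.168.11.4

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
PresharedKey = PLACEHOLDER_PRESHARED_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = username.duckdns.org:61801
"""


def parse_wg_conf(text):
    """Parse a WireGuard conf into {'interface': {...}, 'peers': [{...}, ...]}.

    Hand-written because configparser rejects the repeated [Peer] sections
    WireGuard allows. Keys are lower-cased; '#' starts a comment.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            name = line[1:-1].strip().lower()
            if name == 'interface':
                current = interface
            elif name == 'peer':
                current = {}
                peers.append(current)
            else:
                raise ValueError(f'unknown section {line}')
            continue
        key, sep, value = line.partition('=')
        if current is None or not sep:
            raise ValueError(f'malformed line: {raw!r}')
        current[key.strip().lower()] = value.strip()
    return {'interface': interface, 'peers': peers}


def _networks(csv):
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in csv.split(',') if p.strip()]


def dns_servers_in_tunnel(conf):
    """Map each DNS server address to whether some peer's AllowedIPs covers it.

    A DNS server outside every AllowedIPs range is reached via the normal
    default route, so those queries bypass the tunnel (and the Pi-hole).
    """
    allowed = [n for p in conf['peers'] for n in _networks(p.get('allowedips', ''))]
    result = {}
    for entry in conf['interface'].get('dns', '').split(','):
        entry = entry.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # a search domain, not a server address
        result[entry] = any(addr in n for n in allowed)
    return result


def query_source_address(conf, server_nat, server_lan_ip):
    """Source address the Pi-hole sees on a tunnelled query (assumed model).

    Routed server: the client's own tunnel address.
    NAT server ('Local server uses NAT: yes'): the server's LAN address.
    """
    if server_nat:
        return ipaddress.ip_address(server_lan_ip)
    first = conf['interface']['address'].split(',')[0].strip()
    return ipaddress.ip_interface(first).ip


def local_only_accepts(source, pihole_subnets):
    """Model of 'Allow only local requests' (dnsmasq local-service): answer
    only if the source lies in a subnet attached to a Pi-hole interface."""
    return any(source in ipaddress.ip_network(s, strict=False) for s in pihole_subnets)


def diagnose(conf_text, pihole_subnets, server_nat, server_lan_ip):
    """Run both checks and say whether 'Permit all origins' would be needed."""
    conf = parse_wg_conf(conf_text)
    source = query_source_address(conf, server_nat, server_lan_ip)
    local_ok = local_only_accepts(source, pihole_subnets)
    return {
        'dns_routed_via_tunnel': dns_servers_in_tunnel(conf),
        'query_source': str(source),
        'pihole_local_only_ok': local_ok,
        'permit_all_origins_needed': not local_ok,
    }


if __name__ == '__main__':
    for nat in (False, True):
        label = 'server NATs' if nat else 'server routes'
        print(label, diagnose(LAPTOP_CONF, ['192.168.11.0/24'], nat, '192.168.11.53'))
```

Run as-is, the routed case shows the query arriving from 10.253.0.2, which a Pi-hole set to "Allow only local requests" will drop, while the NAT case shows it arriving from 192.168.11.53 and being accepted; swapping the sample's DNS for 8.8.8.8 with a split-tunnel AllowedIPs shows the other failure, where the query never enters the tunnel.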
1 hour ago, adminmat said:

In the original Wireguard thread from 3 years ago the first page was all questions about how to get this working. And it still hasn't been resolved. I'm going to pull PiHole off unRAID and just use a dedicated RasPi. Not worth the headache.

By far the simplest solution is to host the PiHole on another system. If you host it on Unraid then you have to enable "Host access to custom networks" and give the PiHole its own IP. This puts you in the "Complex Networks" category of the guide:
  https://forums.unraid.net/topic/84226-wireguard-quickstart/

which requires you to set up a static route on your router. All of the details are explained in the first two posts of that guide. I can't really offer 1:1 support because there are too many variables and WireGuard fails silently, so there aren't a lot of clues as to where the problem lies.

But yes, the simplest solution is to avoid "Host access to custom networks". 

Alright. Got it working now. The disconnect is I had Host Access to Custom Networks DISABLED. Maybe that happened after I upgraded the OS? Because I knew I had it working at one point....

I have a custom network for the PiHole docker container. This was set up to remedy the kernel panics. Host Access to Custom Networks = Enabled. Static routes are set in my router from the WG network 10.253.0/24 to the unRAID server 192.168.10.69. All working as intended.

Interestingly I can't ping the PiHole server from my device through the Wireguard tunnel although it will resolve / block DNS properly to that device/client. 
