Wireguard, Docker, Alternate DNS

  • Dear all.

    This probably has nothing to do with Wireguard itself, probably more with docker networking, MAC-VLAN and docker routing...


    I have a Pi-hole in docker set up using macvlan so that it has its own IP on my LAN; this works just fine on my local network with local clients.

    I have a Wireguard Server set up in docker and it works just fine when using PEERDNS=auto; if I change this to PEERDNS=IP.Of.Piehole name resolution stops.

    So... ?


    I am willing to change whatever and also, my Pi-hole was manually set up a long time ago, so long ago that I think I manually set up the stuff in Portainer using technodad's method and not a stack. I'd rather get this stuff done right and have it as a stack since it's much simpler that way.

    But to do that right I need to understand why my current setup does not work, and then what I need to do to get this done right.

  • I have a Wireguard Server set up in docker and it works just fine when using PEERDNS=auto; if I change this to PEERDNS=IP.Of.Piehole name resolution stops.

    Did you take this statement in the wireguard documentation into account?


    https://hub.docker.com/r/linuxserver/wireguard


    Quote:


    Variables SERVERURL, SERVERPORT, INTERNAL_SUBNET and PEERDNS are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.

    OMV 5, Intel core i3 3225, 8GB RAM, PendriveUSB system, ZFS RaidZ 5xWD Red 4TB, 1x120GB SSD Docker

    I DO NOT SPEAK ENGLISH. I translate with google, sorry if sometimes you don't understand me well:)

    Make a backup now. You don't want to miss it next week !!

  • Hmmm, apparently I don't :/


    Below is my stack, commented is what I THINK I need to change, am I right?

    I only have my two clients and I have no problem updating them.

  • Here is a guide that I published a few days ago. [How-To] Install Wireguard (VPN) in docker, server mode Observe the differences. I think the ports you have configured are not going to work like this.


    When you publish a stack, do it by pressing the code button first, so you keep the indents and it is easier to read, please.


  • The ports I use DO work (been running like that for more than a week). I must do it that way to allow access from public WiFi that usually only allows 80/443, and on 443 I have SWAG running.


    You and I are doing the exact same thing, except that I use port 80 to make the connection, and you use allowed IPs to only your local subnet while I allow my clients to escape the local network out to the internet; this is exactly what I want.

    I want my tunnel to always be active and route all traffic from a public wifi or wherever I am through the tunnel home and access the internet from my home connection, and part of that is to use my Pi-hole for DNS to remove ads and protect my device from accessing bad things - even when on the run.


    So like I wrote in my first post, everything works just fine BUT as soon as I change PEERDNS from =auto to PEERDNS=IP.Of.Piehole name resolution stops...

  • If you access wireguard through swag, how have you set up swag? Can you post your file?: ...path_swag/config/nginx/proxy-confs/wireguard.subdomain.conf . I just want to learn how you have done it, please.


    To route all traffic from the client to the internet through the tunnel you can change the IPs allowed value on the client. If you put the value 0.0.0.0/0 it will work.

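    As an added check (example code written for this thread, not from the linuxserver image or either poster): a small Python script that parses a wg-quick style client config and reports any DNS= resolver that no AllowedIPs prefix routes into the tunnel. With a LAN Pi-hole as the resolver this is the setting to verify: when AllowedIPs covers only the VPN subnet, queries to the Pi-hole's LAN address leave via the local uplink instead of the tunnel and name resolution stops. 0.0.0.0/0 covers it, and so does adding just the resolver's /32 for a split tunnel. The config text, the 192.168.1.53 Pi-hole address and the vpn.example.invalid endpoint are constructed values; whether the server container can actually reach a macvlan Pi-hole is a separate question this script does not cover.

```python
import ipaddress

# Constructed sample client config (not from the thread). Keys are placeholders,
# 10.13.13.0/24 is the linuxserver/wireguard default INTERNAL_SUBNET, and
# 192.168.1.53 is an assumed LAN address for the Pi-hole.
CONSTRUCTED_CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.13.13.2/32
DNS = 192.168.1.53

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:80
AllowedIPs = 10.13.13.0/24
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse a wg-quick style config into {'Interface': {...}, 'Peers': [{...}, ...]}.

    configparser is not used because [Peer] sections repeat and WireGuard
    allows a key such as AllowedIPs to appear more than once; repeated keys
    are joined with commas so the caller sees a single list.
    """
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                current = conf["Interface"]
            elif name == "Peer":
                current = {}
                conf["Peers"].append(current)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = f"{current[key]}, {value}" if key in current else value
    return conf


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def dns_servers(conf):
    """DNS= entries that are IP addresses (wg-quick also accepts search domains there)."""
    servers = []
    for item in _split_list(conf["Interface"].get("DNS", "")):
        try:
            servers.append(ipaddress.ip_address(item))
        except ValueError:
            pass  # a search domain, not a resolver
    return servers


def allowed_networks(conf):
    """All AllowedIPs prefixes across every [Peer], as ip_network objects."""
    nets = []
    for peer in conf["Peers"]:
        for item in _split_list(peer.get("AllowedIPs", "")):
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def uncovered_dns(conf):
    """Resolver addresses that no AllowedIPs prefix routes into the tunnel.

    wg-quick only installs routes for AllowedIPs, so a resolver outside every
    prefix is queried over the local uplink, where a home LAN address is
    unreachable, and name resolution silently dies.
    """
    nets = allowed_networks(conf)
    return [str(ip) for ip in dns_servers(conf) if not any(ip in net for net in nets)]


def suggested_allowed_ips(conf):
    """Existing AllowedIPs plus a host route for each resolver that lacks one.

    This is the minimal fix when a full tunnel (0.0.0.0/0) is not wanted.
    """
    suggestions = [str(net) for net in allowed_networks(conf)]
    for ip in uncovered_dns(conf):
        suggestions.append(str(ipaddress.ip_network(ip)))  # /32 or /128
    return suggestions


if __name__ == "__main__":
    conf = parse_wg_conf(CONSTRUCTED_CLIENT_CONF)
    missing = uncovered_dns(conf)
    if missing:
        print("DNS servers not routed through the tunnel:", ", ".join(missing))
        print("Suggested AllowedIPs =", ", ".join(suggested_allowed_ips(conf)))
    else:
        print("All DNS servers are covered by AllowedIPs")
```

    Run it against the peer conf the linuxserver image generates (it writes PEERDNS into the DNS= line of each peer file); if the Pi-hole address shows up as uncovered, the client never sends its queries down the tunnel, regardless of what the server side is doing.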

  • I do not route Wireguard through SWAG; what I wrote is that I use SWAG on port 443 and I use Wireguard on port 80.


    I know that putting 0.0.0.0/0 will allow my clients internet access.


    What I still do not know OR understand is WHY I cannot get my Pi-hole working when changing PEERDNS from =auto to PEERDNS=IP.Of.Piehole

  • What I still do not know OR understand is WHY I cannot get my Pi-hole working when changing PEERDNS from =auto to PEERDNS=IP.Of.Piehole

    Maybe something to ask on the Pihole forum.

  • You say name resolution stops with Wireguard active.


    Perhaps you can make some aliases on the "hosts" file (never did it and don't need it so don't know how and I run Wireguard on the System, NOT on docker)


    Some food for thought:

    Wireguard VPN connection not resolving local host names - Server Fault

    Hosts on the LAN not resolving when connected using WireGuard : WireGuard (reddit.com)

    no hostname on wireguard - Bing

  • I do not route Wireguard through SWAG; what I wrote is that I use SWAG on port 443 and I use Wireguard on port 80.

    If your swag configuration is standard, the traffic coming in through port 80 should automatically divert to port 443 and enter through swag. Therefore wireguard traffic routed through port 80 would go through swag. It may be necessary to configure swag to route this traffic to the docker "wireguard". That's why I asked what your swag configuration file for wireguard looks like. In the example swag setups there are none ready for wireguard. If there is a configuration example for openvpn, I suppose there will be some way to configure wireguard as well.


  • First off, THANKS for taking the time!


    On my router port 80 is forwarded directly to the docker container; to make sure, I shut down SWAG and the connection is still fine.


    I created another Wireguard container, did all the bells and whistles, used the default port and opened the default port on my router and all that... everything connected and works fine. I now tried to PING some stuff and that works too, BUT I cannot even PING the container running Pi-hole. I tried to ping another container (also macvlan) and I cannot ping that one either.

    So, I'm pretty sure it's Docker networking something... but I have no idea what or how to troubleshoot OR solve it.... anyone?
