Setting Up PiHole, Wireguard VPN server and Client (Ubuntu Server)

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

Let's start. First we will set up WireGuard on Ubuntu Server (18.10). On Ubuntu 19.04 the WireGuard installation works fine with the guide below; for Pi-hole, last time I checked, lighttpd doesn't work correctly. So if you use Apache with the Pi-hole web admin, it will work fine.

1. Install Wireguard on Ubuntu

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard-dkms wireguard-tools

Generate public key and private key

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

The public key is saved in /etc/wireguard/publickey, and the private key is written straight into /etc/wireguard/wg0.conf. You can view them with

cat /etc/wireguard/publickey
sudo cat /etc/wireguard/wg0.conf

Create configuration file

sudo nano /etc/wireguard/wg0.conf

[Interface]
ListenPort = 51280
SaveConfig = false
Address =

Keep this address as it is: it is the internal address used to pass traffic through WireGuard.

Let's check if it's working

Start Wireguard

sudo wg-quick up wg0

Type this command to show Wireguard status

sudo wg


interface: wg0
private key: (hidden)
listening port: 51280

Now stop wireguard for a moment

sudo wg-quick down wg0

2. Set-up on Android/Mac/Windows

Download and install WireGuard from Google Play or the Mac App Store

Launch Wireguard, and create a new connection profile

  • Click the + button
  • “Create from scratch” (for mac create an empty tunnel and edit it)
  • Give a name (without using any special character)
  • Click “GENERATE” beside “Private key”, to generate the private-key and the public-key
  • Fill in “” for “Addresses”
  • Fill in “,” or “,”, etc for “DNS servers”

Add the server (peer) information

  • Click “ADD PEER”
  • Fill in the server-public-key
  • Fill in “” for “Allowed IPs”
  • Fill in the IP or domain-name with port-number for “Endpoint”
  • (e.g.123:456:789:123:51280 or

3. Finishing the configuration on the server

On Wireguard Android app
Click on “Public key” field on the upper “Interface” part, to copy the key
Paste the key on the server configuration file
Edit the file /etc/wireguard/wg0.conf on your server

[Interface]
ListenPort = 51280
SaveConfig = false
Address =

[Peer]
PublicKey = <public key copied from the client app>
AllowedIPs =

Save it, and restart Wireguard

sudo wg-quick down wg0
sudo wg-quick up wg0

To make WireGuard start automatically at boot, run this

sudo systemctl enable wg-quick@wg0
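
A quick check of the finished file catches the usual mistakes (loose permissions, a [Peer] without its key) before wg-quick is started. This is an added example, not part of the original guide; check_wg_conf is a hypothetical helper name, and the script assumes GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a wg-quick
# config such as /etc/wireguard/wg0.conf before running "wg-quick up".
# check_wg_conf is a hypothetical helper name. Uses GNU stat (Ubuntu).
# Prints one line per problem; returns 0 only if none were found.
check_wg_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # The file holds the private key, so group/other must have no access.
    mode=$(stat -c %a "$conf")
    case "$mode" in
        *00) ;;
        *) echo "mode is $mode, expected 600: chmod 600 $conf"; rc=1 ;;
    esac

    # [Interface] needs a PrivateKey; every [Peer] needs PublicKey and
    # AllowedIPs. A key with an empty value counts as missing.
    awk '
        function endsec() {
            if (sec == "Interface" && !("privatekey" in has)) {
                print "[Interface] has no PrivateKey"; bad = 1 }
            if (sec == "Peer" && !("publickey" in has)) {
                print "[Peer] #" n " has no PublicKey"; bad = 1 }
            if (sec == "Peer" && !("allowedips" in has)) {
                print "[Peer] #" n " has no AllowedIPs"; bad = 1 }
            split("", has)          # clear the per-section key set
        }
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        /^[ \t]*\[/ {               # section header: close the previous one
            endsec(); sec = $0; gsub(/[^A-Za-z]/, "", sec)
            if (sec == "Peer") n++
            next
        }
        {                           # "Key = value" line
            eq = index($0, "=")
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1);            gsub(/[ \t]/, "", v)
            if (k != "" && v != "") has[k] = 1
        }
        END { endsec(); exit bad + 0 }
    ' "$conf" || rc=1
    return $rc
}

# Usage: sudo sh check_wg_conf.sh /etc/wireguard/wg0.conf
if [ $# -gt 0 ]; then check_wg_conf "$1"; fi
```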

Re-route Internet traffic

sudo nano /etc/wireguard/wg0.conf

[Interface]
ListenPort = 51280
SaveConfig = false
Address =
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

(eth0 is the network interface; yours may have a different name. Check it with ifconfig; using the correct name in the config file is very important.)

Enable packet forwarding

sudo nano /etc/sysctl.conf

Add these two lines if you haven’t done this before

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Save the file, reboot or enable it immediately with this

sudo sysctl -p

Testing the connection

Now you can try connecting the server on your Android phone.
If the connection is established, you can see something like this

interface: wg0
private key: (hidden)
listening port: 51280
allowed ips:
latest handshake: 3 seconds ago
transfer: 148 B received, 92 B sent


Pi-hole is free and open source software to block ads and tracking domains. It is released under the GNU General Public License. The biggest advantage is ad blocking on all devices on the network, from your smartphone to your tablets, including all desktop computers. It even blocks in-app ads on iOS and Android/Windows devices. The benefits are as follows:

Blocks all advertisements using network-level DNS based blocking.

Works with both apps and websites regardless of operating system.

You can pair your Pi-hole with a VPN software such as OpenVPN for on-the-go ad-blocking and save on data 3G/4G/LTE costs.

You can get improved privacy and security due to blocking of ads and tracking codes.

Note down your wireguard’s server IP address

Type the following command:
$ ip a show dev wg0
If you are following the WireGuard installation here, the IP should be

You also need to provide wg0 as the interface name, along with your default gateway IP address such as (this is different for every server; find your own with the command below):
$ ip r | grep default
default via dev br0 onlin

Install PI-HOLE

Run the install command as follows:
$ wget -O
$ sudo bash

You will see progress on screen as follows:

This installer will transform your device into a network-wide ad blocker. The Pi-hole is a SERVER so it needs a STATIC IP ADDRESS to function properly.

CHOOSE AN INTERFACE FOR PI-HOLE: wg0 (select and press ‘space’ then enter)



Next enter Wireguard’s server IP address as follows:

Finally enter your default router/gateway IP address:

Confirm the settings:


If you already have apache2 or any other web server installed, don't install the lighttpd server that comes with Pi-hole.

And you are done:

Test it

Type the following command on Pi-hole to see if DNS is working or not:
$ host
Sample outputs:

Using domain server:
Aliases: has address mail is handled by 1 mail is handled by 10 mail is handled by 10 mail is handled by 5 mail is handled by 5

Now try to lookup ad server IP address:
$ host
Sample outputs:

Using domain server:
Aliases: has address

As you can see is not a valid public IP address hence any ads coming from will be served by our own Pi-hole.

You can open pihole Admin Console at: YOUR_SERVER_IP/admin

Use the default password that Pi-hole shows after installation.

Configuring Pihole with Wireguard

It's very simple: open the tunnel you created on the client side and edit it.

Put pihole ip ( in the DNS instead of or whatever was there previously and save

Restart WireGuard on the server.

You may have to edit the Ubuntu firewall, or you can simply disable it with

sudo ufw disable
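
If you would rather keep ufw enabled and edit its rules, the ports this setup uses can be opened explicitly, with DNS and the Pi-hole admin page reachable only through the tunnel. The script below is an added example, not part of the original guide; it assumes eth0 as the outbound interface (as in the PostUp rule), the Pi-hole web admin on TCP 80, and SSH on TCP 22.

```shell
#!/bin/sh
# Added example (not from the original guide): open only what this
# WireGuard + Pi-hole server needs and keep ufw enabled.
# Assumptions: eth0 is the outbound interface (as in PostUp above),
# the Pi-hole web admin listens on TCP 80, and SSH is on TCP 22.
WG_IF="${WG_IF:-wg0}"        # tunnel interface from the guide
WG_PORT="${WG_PORT:-51280}"  # ListenPort from wg0.conf
WAN_IF="${WAN_IF:-eth0}"     # interface used in the MASQUERADE rule

# Print the ufw commands one per line so they can be reviewed first.
# DNS (53) and the admin page (80) are allowed on the tunnel only, so
# Pi-hole does not answer queries arriving from the public interface.
wg_pihole_ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw allow 22/tcp
ufw allow ${WG_PORT}/udp
ufw allow in on ${WG_IF} to any port 53
ufw allow in on ${WG_IF} to any port 80 proto tcp
ufw route allow in on ${WG_IF} out on ${WAN_IF}
EOF
}

# Run every rule with sudo, stop at the first failure, then enable ufw.
apply_wg_pihole_ufw_rules() {
    wg_pihole_ufw_rules | while IFS= read -r rule; do
        echo "+ sudo $rule"
        # Word-splitting of $rule is intended here.
        sudo $rule </dev/null || exit 1
    done || return 1
    sudo ufw --force enable
}

# Dry run by default; pass "apply" to change the firewall.
if [ "${1:-}" = "apply" ]; then
    apply_wg_pihole_ufw_rules
else
    wg_pihole_ufw_rules
fi
```

Run it without arguments to review the rules, then with "apply" from a session you can afford to lose if SSH is not on port 22.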

To create multiple wireguard clients at same time use this tool ……

Sometimes while using WireGuard you may notice that some sites do not open or take a long time to open; this mainly happens when using GCP (Google Cloud Platform). To solve this you have to set the correct MTU for the wg interface.

ifconfig wg mtu 1500

Use this when your interface name is wg. Remember that you have to do this every time the server restarts. In such cases, also put MTU = 1500 under the Interface section of the client config files.

To make this permanent, Edit /etc/rc.local and add

/sbin/ifconfig wg mtu 1500

At this point everything should be working. Enjoy ad-free personal VPN service! Cheers


