Setting Up PiHole, Wireguard VPN server and Client (Ubuntu Server)

Aveek Dasmalakar
Apr 16

WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
https://www.wireguard.com/

Let's start. First we will set up WireGuard on Ubuntu Server (18.10). On Ubuntu 19.04 the WireGuard installation works fine with the guide below; for Pi-hole, last time I checked, lighttpd doesn't work correctly, so if you use Apache with the Pi-hole web admin it will work fine.

1. Install Wireguard on Ubuntu

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard-dkms wireguard-tools

Generate public key and private key

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

The commands above store both keys under /etc/wireguard: the private key inside wg0.conf and the public key in publickey. You can view them with

sudo cat /etc/wireguard/wg0.conf or sudo cat /etc/wireguard/publickey

Create configuration file

sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
ListenPort = 51280
SaveConfig = false
Address = 10.0.0.1/24

Keep the address 10.0.0.1/24: this is the server's internal address on the tunnel network, and client traffic will be routed through WireGuard via it.

Let's check if it's working

Start Wireguard

sudo wg-quick up wg0

Type this command to show Wireguard status

sudo wg

Output

interface: wg0
public key: SERVER_PUBLIC_KEY
private key: (hidden)
listening port: 51280

Now stop wireguard for a moment

sudo wg-quick down wg0

2. Set-up on Android/Mac/Windows

Download and install the WireGuard app from Google Play (Android) or the Mac App Store

  • Click the + button
  • “Create from scratch” (for mac create an empty tunnel and edit it)
  • Give a name (without using any special character)
  • Click “GENERATE” beside “Private key”, to generate the private-key and the public-key
  • Fill in “10.0.0.2/32” for “Addresses”
  • Fill in “1.1.1.1,1.0.0.1” or “8.8.8.8,8.8.4.4”, etc for “DNS servers”

Add the server (peer) information

  • Fill in the server-public-key
  • Fill in “0.0.0.0/0” for “Allowed IPs”
  • Fill in the server's IP or domain name together with the port number for “Endpoint” (e.g. YOUR_SERVER_IP:51280 or mydomain.com:51280)

3. Finishing the configuration on the server

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 51280
SaveConfig = false
Address = 10.0.0.1/24
[Peer]
PublicKey = PUBLIC_KEY_ON_ANDROID
AllowedIPs = 10.0.0.2/32

Save it, and restart Wireguard

sudo wg-quick down wg0
sudo wg-quick up wg0

To make WireGuard start automatically at boot, run this

sudo systemctl enable wg-quick@wg0

Re-route Internet traffic

sudo nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 51280
SaveConfig = false
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

(eth0 is the name of the server's Internet-facing network interface; it may be called something else, so check with ifconfig. Naming it correctly in the config file is very important, otherwise the MASQUERADE rule will not match.)

Enable packet forwarding

sudo nano /etc/sysctl.conf

Add these two lines if you haven’t done this before

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

Save the file, reboot or enable it immediately with this

sudo sysctl -p
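Because the MASQUERADE rule only works when it names the real uplink interface, here is an added helper script (not part of the original post) that picks the interface and the default gateway out of `ip route` output, checks the forwarding sysctl, and renders the PostUp/PostDown lines for wg0.conf. The route text is a constructed sample; on the server you would pipe the real `ip route` output into the same functions.

```shell
#!/bin/sh
# Added example, not from the original post: derive the uplink interface and
# default gateway from `ip route` text, then render the wg0.conf NAT lines with
# that interface name instead of a hard-coded eth0.

# Interface of the default route (the "dev" field) from `ip route` text on stdin.
default_iface() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Gateway of the default route (the "via" field); this is the address the
# Pi-hole installer later asks for as the default gateway.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Render the PostUp/PostDown pair for wg0.conf for the given uplink interface.
render_nat_rules() {
    printf 'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
    printf 'PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# True when the kernel already forwards IPv4 (what `sudo sysctl -p` should have set).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Constructed sample of `ip route` output; on the server use: ip route | default_iface
SAMPLE_ROUTES='default via 192.168.2.1 dev br0 onlink
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.10'

main() {
    iface=$(printf '%s\n' "$SAMPLE_ROUTES" | default_iface)
    gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)
    echo "uplink interface: $iface"
    echo "default gateway:  $gw"
    if forwarding_enabled; then echo "ip_forward: on"; else echo "ip_forward: off (run sudo sysctl -p)"; fi
    render_nat_rules "$iface"
}
main
```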

Testing the connection: connect from the phone, then run sudo wg on the server again. The peer should now show a recent handshake and some transferred bytes:

interface: wg0
public key: SERVER_PUBLIC_KEY
private key: (hidden)
listening port: 51280
peer: PHONE_PUBLIC_KEY
endpoint: PHONE_IP:PHONE_PORT
allowed ips: 10.0.0.2/32
latest handshake: 3 seconds ago
transfer: 148 B received, 92 B sent

PiHole

Pi-hole is free and open source software that blocks ad and tracking domains. It is released under the GNU General Public License. The biggest advantage is ad blocking for all devices on the network, from your smartphone and tablets to all desktop computers. It even blocks in-app ads on iOS, Android and Windows devices. The benefits are as follows:

Blocks all advertisements using network-level DNS based blocking.

Works with both apps and websites regardless of operating system.

You can pair your Pi-hole with VPN software such as OpenVPN for on-the-go ad blocking and save on 3G/4G/LTE data costs.

You can get improved privacy and security due to blocking of ads and tracking codes.

Note down your WireGuard server's IP address (10.0.0.1 on wg0 in the configuration above).

You also need to provide wg0 as the interface name and your default gateway IP address, such as 192.168.2.1 (this differs for every server; find yours with the command below):
$ ip r | grep default
default via 192.168.2.1 dev br0 onlink

Install PI-HOLE

This installer will transform your device into a network-wide ad blocker. The Pi-hole is a SERVER so it needs a STATIC IP ADDRESS to function properly.

CHOOSE AN INTERFACE FOR PI-HOLE: wg0 (select and press ‘space’ then enter)

SELECT PROTOCOLS FOR DNS SERVER

SETUP A STATIC IP ADDRESS (SELECT NO)

Next enter Wireguard’s server IP address as follows:

Finally enter your default router/gateway IP address:

Confirm the settings:

SETUP UPSTREAM DNS IP ADDRESS

If you already have Apache2 or another web server installed, don't install the lighttpd server that comes with Pi-hole.

And you are done:

Test it by querying the Pi-hole directly with host (the sample outputs below come from a setup where the Pi-hole listened on 10.8.0.1; with the configuration above, query 10.0.0.1 instead):
$ host cyberciti.biz 10.8.0.1

Using domain server:
Name: 10.8.0.1
Address: 10.8.0.1#53
Aliases:
cyberciti.biz has address 75.126.153.202
cyberciti.biz mail is handled by 1 aspmx.l.google.com.
cyberciti.biz mail is handled by 10 aspmx2.googlemail.com.
cyberciti.biz mail is handled by 10 aspmx3.googlemail.com.
cyberciti.biz mail is handled by 5 alt1.aspmx.l.google.com.
cyberciti.biz mail is handled by 5 alt2.aspmx.l.google.com.

Now try to lookup ad server IP address:
$ host pagead2.googlesyndication.com 10.8.0.1
Sample outputs:

Using domain server:
Name: 10.8.0.1
Address: 10.8.0.1#53
Aliases:
pagead2.googlesyndication.com has address 10.8.0.1

As you can see, 10.8.0.1 is not a public IP address, so any ad requests to pagead2.googlesyndication.com are answered by our own Pi-hole instead of the ad server.

You can open the Pi-hole admin console at YOUR_SERVER_IP/admin

Log in with the default password Pi-hole shows at the end of the installation.

Configuring Pihole with Wireguard

In the client's WireGuard configuration, put the Pi-hole IP (10.0.0.1) in the “DNS servers” field instead of 1.1.1.1 or whatever was there previously, and save.

Restart WireGuard on the server.

You may have to adjust the Ubuntu firewall (ufw) so that it allows WireGuard's UDP port 51280 and DNS queries arriving on wg0, or you can simply disable it with

sudo ufw disable

To create multiple WireGuard clients at the same time, use this tool ……

Sometimes you might notice while using WireGuard that some sites do not open or take a long time to open. This mainly happens on GCP (Google Cloud Platform). To solve it you have to set the correct MTU for the wg interface.

ifconfig wg mtu 1500

Use this when your interface name is wg. Remember that every time the server restarts you have to do this again. In such cases also put MTU = 1500 under the [Interface] section of the client config files.

To make this permanent, Edit /etc/rc.local and add

/sbin/ifconfig wg mtu 1500
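The client and peer settings from sections 2 and 3, the "multiple clients" tool mentioned above and the client-side MTU line all follow one pattern, so here is an added script (my own, not the tool the post links to) that renders the client config and the matching server [Peer] block for client number N on the 10.0.0.0/24 tunnel. Keys are passed in as arguments so it runs anywhere; SERVER_ENDPOINT is a placeholder, CLIENT_MTU is optional, and the sample keys are constructed strings of the right length, not real WireGuard keys.

```shell
#!/bin/sh
# Added example, not the post's tool: render the client config and the server
# [Peer] block for client N. On the server create a real key pair with:
#   priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
SERVER_ENDPOINT="${SERVER_ENDPOINT:-YOUR_SERVER_IP:51280}"   # placeholder, set to your host
PIHOLE_DNS=10.0.0.1            # Pi-hole answers on the server's wg0 address
CLIENT_MTU="${CLIENT_MTU:-}"   # set to 1500 for the GCP case described above

# A WireGuard key is 32 bytes in base64; anything else is a paste error.
valid_key() {
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" = "32" ]
}

# Tunnel address for client N: the server holds .1, clients get .2 upward.
client_address() {
    [ "$1" -ge 1 ] && [ "$1" -le 253 ] || return 1
    echo "10.0.0.$(( $1 + 1 ))"
}

# Client-side config: N, client private key, server public key.
render_client_conf() {
    valid_key "$2" && valid_key "$3" || return 1
    addr=$(client_address "$1") || return 1
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/32\nDNS = %s\n' "$2" "$addr" "$PIHOLE_DNS"
    [ -n "$CLIENT_MTU" ] && printf 'MTU = %s\n' "$CLIENT_MTU"
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' "$3" "$SERVER_ENDPOINT"
}

# Server-side block to append to /etc/wireguard/wg0.conf: N, client public key.
render_server_peer() {
    valid_key "$2" || return 1
    addr=$(client_address "$1") || return 1
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$2" "$addr"
}

# Constructed sample keys: 32 bytes each, base64-encoded, not real keys.
SAMPLE_CLIENT_PRIV=$(printf 'client01-constructed-sample-key!' | base64)
SAMPLE_CLIENT_PUB=$(printf 'client01-constructed-public-key!' | base64)
SAMPLE_SERVER_PUB=$(printf 'server00-constructed-public-key!' | base64)

main() {
    render_client_conf 1 "$SAMPLE_CLIENT_PRIV" "$SAMPLE_SERVER_PUB"
    echo '--- append to /etc/wireguard/wg0.conf, then wg-quick down/up wg0:'
    render_server_peer 1 "$SAMPLE_CLIENT_PUB"
}
main
```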

At this point everything should be working. Enjoy ad-free personal VPN service! Cheers

Written by Aveek Dasmalakar, https://selfhood-studios.com