
WireHole: Set up Pihole, WireGuard, and Unbound instantly - byteknight
https://github.com/IAmStoxe/wirehole
======
kd913
I can understand the benefit of automating these things but I think it would
probably be better for people to set up these things manually first. At least
to understand what each step is doing. Otherwise, people are trusting rather a
core piece of infrastructure with a random docker image online.

I found personally that there are several aspects of this automation that
need tweaking.

* If you need IPv6 support this config needs to be overhauled.

* Wireguard config should have IPv6 addresses set to avoid potential leakages (even if IPv6 is disabled).

* This setup would benefit from some DDNS mechanism as most people do not have static IP setups.

* Firefox is beginning to have HTTPS-only modes, in which case maybe I would like to adjust lighthttp to work with that.

The list goes on.

~~~
byteknight
* I will update the IPv6 stuff

* Also the wireguard config

* I will look into how I can allow the user to provide that information as the IP is pulled within the doctor container

* Noted on Firefox

Thanks for the detailed comment

EDIT:

Just provided instructions in the repo for how to configure DDNS:
[https://github.com/IAmStoxe/wirehole#configuring-for-dynamic-dns-ddns](https://github.com/IAmStoxe/wirehole#configuring-for-dynamic-dns-ddns)

Also modified it so only the port 51820 is exposed, preventing any unintentional
exposure.

~~~
clankyclanker
Have you considered producing a patch for the FreedomBox folks? Getting it
into Debian would make it easily available to lots of users.

[https://salsa.debian.org/freedombox-team/freedombox/](https://salsa.debian.org/freedombox-team/freedombox/)

~~~
byteknight
I have not but that's only because I had never heard of it.

Will check it out

------
drexlspivey
I wrote a guide for the Pihole + Wireguard setup for anyone interested in trying
it: [https://drexl.me/guides/wireguard-pihole-vpn-setup.html](https://drexl.me/guides/wireguard-pihole-vpn-setup.html)

------
matrixagent
If I'm reading the docker-compose file correctly, this creates an open DNS
resolver that is accessible to the outside, as Docker by default bypasses the
firewall, see [https://github.com/chaifeng/ufw-docker](https://github.com/chaifeng/ufw-docker).
I'm not quite sure about that, though, so I'd be happy to be corrected and
learn more about how your setup works exactly.

~~~
byteknight
Edit: I was wrong and I'm removing it to prevent spreading false information.
Please see below.

EDIT 2:

Just provided instructions in the repo for how to configure DDNS:
[https://github.com/IAmStoxe/wirehole#configuring-for-dynamic-dns-ddns](https://github.com/IAmStoxe/wirehole#configuring-for-dynamic-dns-ddns)

Also modified it so only the port 51820 is exposed, preventing any
unintentional exposure.

~~~
dsissitka
Are you sure? From [https://docs.docker.com/compose/compose-file/](https://docs.docker.com/compose/compose-file/):

> Either specify both ports (HOST:CONTAINER), or just the container port (an
> ephemeral host port is chosen).

It sounds like you get a random publicly accessible port unless you specify a
non-publicly-accessible IP. I'm not sure whether having a DNS server listening
on a non-standard port would be an issue though.

~~~
byteknight
Sorry! I was wrong, you are correct.

But nonetheless your ingress rules in your cloud provider will not allow
anything but that single port, so it's not really a big deal provided you
close everything else off in your firewall.

I will make an update to see how I can work around this.

~~~
dsissitka
> but nonetheless your ingress rules in your cloud provider will not allow
> anything but that single port...

That's all that's required for a DNS amplification attack. :)

~~~
byteknight
That's not true. DNS isn't on 51820. That's wireguard. You cannot hit the DNS
unless you're connected to the wireguard VPN, provided you're using a cloud
provider and you haven't configured any additional ingress rules other than
port 51820. That I am positive on.

~~~
dsissitka
You're right! I thought we were talking about the Pi-hole port. ><
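
The exposure question argued out above can be checked mechanically. This is an added example, not code from the wirehole project or from anyone in the thread: it parses compose short-syntax `ports:` entries (the sample port lists are constructed, not the repo's compose file), classifies where each host-side socket is reachable from, and reports every all-interfaces bind that is not on an allow list holding only WireGuard's 51820/udp.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]    # None: Docker binds all interfaces (0.0.0.0)
    host_port: Optional[str]  # None: Docker picks an ephemeral host port
    container_port: str
    proto: str                # compose defaults to tcp when omitted

def parse_port_spec(spec) -> PortMapping:
    """Parse compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER[/PROTO]."""
    spec, proto = str(spec), "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):           # bracketed IPv6 host address, e.g. [::1]:53:53
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 2:]
    parts = spec.split(":")
    if len(parts) == 3 and host_ip is None:
        host_ip, parts = parts[0], parts[1:]
    if len(parts) == 2:
        return PortMapping(host_ip, parts[0], parts[1], proto)
    if len(parts) == 1:
        return PortMapping(host_ip, None, parts[0], proto)
    raise ValueError(f"unsupported port spec: {spec!r}")

def exposure(m: PortMapping) -> str:
    """Reachability of the host-side socket before any host or cloud firewall.
    Docker inserts its own iptables rules ahead of ufw, so a public bind stays public."""
    if m.host_ip is None or ipaddress.ip_address(m.host_ip).is_unspecified:
        return "public"
    if ipaddress.ip_address(m.host_ip).is_loopback:
        return "loopback"
    return "interface-bound"  # reachable by anything that can route to that address

def audit(services: dict, allowed=frozenset({("51820", "udp")})) -> list:
    """One finding per all-interfaces host port that is not on the allow list."""
    findings = []
    for name, specs in services.items():
        for m in map(parse_port_spec, specs):
            if exposure(m) != "public" or (m.host_port, m.proto) in allowed:
                continue
            port = m.host_port or f"ephemeral (container {m.container_port})"
            findings.append(f"{name}: {port}/{m.proto} bound on all interfaces")
    return findings

# Constructed port lists mirroring the thread, not the wirehole compose file.
WEAK = {"pihole": ["53:53/tcp", "53:53/udp", "80:80/tcp", "5353"],
        "wireguard": ["51820:51820/udp"]}
HARDENED = {"pihole": ["127.0.0.1:80:80/tcp"], "wireguard": ["51820:51820/udp"]}
```

`audit(WEAK)` reports the two DNS binds, the admin UI and the ephemeral port, while `audit(HARDENED)` is empty because only the WireGuard UDP port faces the network and the admin UI is loopback-only.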

------
woodruffw
At the risk of splintering interest: Algo[1] and Streisand[2] are two popular
open source projects that do nearly identical things. Both also have the
advantage of supporting a wide variety of cloud providers by default. Algo
installs the absolute minimum needed to get you online with a well-configured
VPN; Streisand comes with a whole bunch of bells and whistles (including some
that are easy to misconfigure).

FD: My employer maintains Algo.

[1]:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

[2]:
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

~~~
rsync
We can't talk about these without talking about nextdns.io which, in my
opinion, is the most elegant way of solving this problem.

I _wanted_ to run a pihole for years but never got around to building it into
my dns infrastructure. Nextdns, on the other hand, was a quick afternoon setup
...

~~~
kaszanka
Maybe NextDNS is more elegant or easier to set up, but I felt that depending
on its free plan was too risky (what if it eventually goes away?) and didn't
really want to pay for a subscription when I already had a server at home to
run PiHole on. I didn't really like needing to go over the Internet to
configure it either - the PiHole admin panel is just another intranet site.

~~~
austhrow743
That it's easy to set up means there's no risk to it going away because you
haven't invested in it.

------
byteknight
If you want to automate the deployment, set up a forever-free Oracle Cloud
server and deploy this automatically, check out my other project:

[https://medium.com/@devinjaystokes/automating-the-deployment-of-your-forever-free-pihole-and-wireguard-server-dce581f71b7](https://medium.com/@devinjaystokes/automating-the-deployment-of-your-forever-free-pihole-and-wireguard-server-dce581f71b7)

~~~
ahnick
What is the appeal of Oracle cloud?

~~~
ohyeshedid
Last I saw, the free accounts offer 2 VMs with double the memory, and more
bandwidth, than competitors' free offerings.

~~~
Dangeranger
True, but then you have to deal with Oracle. So you will still lose money in
the end.

~~~
ohyeshedid
Ya know, I almost edited the comment to specifically say I only looked, and
can't speak to the quality of service because I won't do business with Oracle
when at all possible.

------
pkulak
Very interesting, thanks for making this!

Why the extra unbound DNS server? I assume PiHole is using it, but why not
just point PiHole at the final server?

~~~
homarp
[https://docs.pi-hole.net/guides/unbound/](https://docs.pi-hole.net/guides/unbound/) explains why and how unbound is used.

~~~
pkulak
Thank you, that's really cool. I've been using DNS over TLS, but it's really
complicated to set up. Just running your own recursive DNS actually seems
easier. :D

------
morazow
Looks nice!

I have a similar setup and a custom unbound docker container based on distroless.

One suggestion: in unbound use more privacy-centric DNS providers.
[https://www.privacytools.io/providers/dns/](https://www.privacytools.io/providers/dns/)

~~~
byteknight
Very nice! I had not heard about distroless. I will look into an alternate
configuration with that perhaps - Thanks!

I will also update the README with a guide on choosing other providers.

------
byteknight
Just added instructions for using DDNS:

[https://github.com/IAmStoxe/wirehole#configuring-for-dynamic-dns-ddns](https://github.com/IAmStoxe/wirehole#configuring-for-dynamic-dns-ddns)

------
maigret
What does this tooling do? Of course I could Google the components and look it
up, and I already know some of those so I can imagine what it might do. But it
would be so much better to get the author stance. Ideally for users the first
paragraph on both Medium and GitHub would be something in the order of "Use
this tutorial to accomplish x through the use of y and z."

------
reilly3000
Awesome work! I think you saved me many hours, as I was going to tackle this
over the weekend. Props for making those suggested security changes right
away. I was just looking at my DNS cache last night and was appalled at the
number of ad and telemetry requests that are happening.

~~~
byteknight
<3

------
jradd
So I’ve never set up a VPN before; I’ve been trying to decide how to make this
simple for Windows clients and phones. Must I have a VPN client? I’m using
IPSec, SSL, and LDAP on the public end. I don’t want a client app. A
gateway/router should suffice, I hope.

~~~
kdtsh
WireGuard is growing in popularity but I’m not aware of any router firmwares
which have a WireGuard client built-in (maybe the popular open source
firmwares). Many routers have OpenVPN clients built in.

~~~
jpillora
MikroTik have recently added support:
[https://forum.mikrotik.com/viewtopic.php?f=1&t=165248](https://forum.mikrotik.com/viewtopic.php?f=1&t=165248)

------
BOOSTERHIDROGEN
Thank you for making this. I had to change

    variable "availability_domain_number" {
      default = 2
    }

and it works now. For someone not very technical, for the average HN user, this is
awesome. How do I add more peers?

~~~
byteknight
In docker-compose.yml under wireguard's environment section change PEER to the
total number.

[https://github.com/IAmStoxe/wirehole/blob/master/docker-compose.yml#L35](https://github.com/IAmStoxe/wirehole/blob/master/docker-compose.yml#L35)

------
2Gkashmiri
Can anyone recommend an easy way to tunnel an entire network over ZeroTier? I
am able to use ZeroTier perfectly but access is on a per-device basis. Could
we tunnel the current network with its gateway as a ZeroTier PC?

~~~
fegul
I think OPNsense (an offshoot of pfsense) has this capability built in.

------
fulafel
How does the auto-update work? Or if there is no auto-update, how does this
handle the risk of being pwned from unpatched vulnerabilities?

------
donclark
Noob here. Has anyone done a YouTube video on this yet? I searched but did
not find one. Thank you very much in advance!

------
ancorevard
Now, if you can script this for a Raspberry Pi, then the solution is complete.

~~~
byteknight
Can run that on a Pi.

~~~
ancorevard
Nice, what's the performance penalty of running on docker?