I had to move my previous Wireguard VPN + Pi-hole ad blocker to another server, but this time I was not able to expose Pi-hole DNS port (53) to the host machine. It was also better to have Wireguard VPN inside a Docker container… so I did!

As a reminder, Wireguard is a stateless and easy to configure VPN: share a pair of public keys between the client(s) and server then you are good to go! Moreover, stateless is great when used from a phone as there is no power-hungry keep-alive like OpenVPN, nor reconnection time when switching from Wi-FI to 4G.

WireGuard is a new VPN software, which is described as It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache and using state-of-the-art cryptography. Pi-hole is a black hole for Internet advertisements, ie a server blocking advertisements at DNS level.

I have Pi-hole on my home network but wanted to have it also as DNS server on my phone when I am not at home. As I have a bad DSL connection, I can not rely on my home server. So I put Pi-hole on a VPS server I rent: it works, flawlessly.
Nevertheless, it was an open DNS resolver, which can be used to amplify DDoS attacks; there is already 2212 unsecured Pi-hole on the Internet, so I do not want to add another one.

Pi-hole provides documentation to use OpenVPN, even to redirect only DNS requests but it is not efficient on a phone as it is not a stateless connection, so it consumes battery; moreover, GSM/Wifi switch is not really handled, you have to reconnect. The solution comes from WireGuard which is stateless, and provides Android & iOS apps. I struggle to configure everything, so here is what I did: