BlocNotes

Notepad of a tinker, maker, hacker or whatever you call it :)

Wireguard and Pi-hole in Docker containers

I had to move my previous WireGuard VPN + Pi-hole ad blocker to another server, but this time I was not able to expose the Pi-hole DNS port (53) on the host machine. It was also better to have the WireGuard VPN inside a Docker container... so I did!

As a reminder, WireGuard is a connectionless and easy to configure VPN: each side only needs the other's public key (plus the IP range it is allowed to use) and you are good to go! Being connectionless is also great from a phone: the tunnel is silent while idle, so there is no power-hungry keep-alive as with OpenVPN, and switching from Wi-Fi to 4G needs no reconnection because the server simply follows the client's latest source address (built-in roaming).

DNS address issue

The main issue I had is how to hand the Pi-hole address to the WireGuard container: docker-compose does not resolve a container name in the dns: section, it only accepts IP addresses. The easiest workaround is to give the Pi-hole container a fixed IP; not pretty, but hey... it works :-)
That dns: entry only sets the resolver of the WireGuard container itself; VPN peers still end up on Pi-hole because the linuxserver image's default PEERDNS=auto points them at the container's built-in CoreDNS forwarder, which uses that resolver (setting PEERDNS=172.29.0.2 puts Pi-hole's address directly into the peer configs instead).
Both services must also live in the same docker-compose.yml: the fixed address is only accepted inside a subnet declared in the network's ipam section, and keeping the network and both containers in one project avoids any race between them when the docker daemon restarts.

Pi-hole

Pi-hole configuration is straightforward and well documented on its Docker Hub page.

Wireguard

Instead of writing my own Dockerfile I used the image from linuxserver.io, which is beautifully implemented; then follow its documentation.
The image prints each peer's configuration as a QR code in the container's logs, and the WireGuard phone app can import a peer by scanning one, so phone setup is foolproof: just scan it from docker-compose logs wireguard. Keep in mind that this QR code (like the peer configs the image writes under /config) contains the peer's private key, so treat those logs as secrets and do not ship them to a shared log store.

docker-compose file

The resulting docker-compose file is:

version: "3.5"

services:
  wireguard:
    image: linuxserver/wireguard
    depends_on:
      - pihole
    dns:
      # compose only accepts IP addresses here, hence the fixed Pi-hole address below
      - 172.29.0.2
    cap_add:
      - NET_ADMIN
      - SYS_MODULE   # only needed if the container must load the wireguard kernel module itself
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    volumes:
      - ../../data/wireguard:/config
      - /lib/modules:/lib/modules:ro   # read-only is enough for loading the module
    ports:
      - 51820:51820/udp
    environment:
      - TZ=Europe/Paris
      - SERVERURL=host_server.yourdomain.com
      # SERVERPORT is written into peer configs as the Endpoint port, so it must be
      # the port clients actually reach: with the 51820:51820 mapping above that is
      # 51820, unless an upstream router forwards UDP 1194 to this host's 51820
      - SERVERPORT=1194
      - PEERS=Android_phone
    networks:
      - network-pihole

  pihole:
    image: pihole/pihole:latest
    # no ports: section on purpose, port 53 is only reachable over the dns-pihole
    # network, i.e. from the wireguard container and thus from VPN peers
    volumes:
      - ../../data/pi-hole/etc/:/etc/pihole/
      - ../../data/pi-hole/dnsmasq.d:/etc/dnsmasq.d
    environment:
      TZ: "Europe/Paris"
      PROXY_LOCATION: pihole
      VIRTUAL_HOST: pihole.yourdomain.com
      VIRTUAL_PORT: 80
      LETSENCRYPT_EMAIL: email@yourdomain.com
      LETSENCRYPT_HOST: pihole.yourdomain.com
      # WEBPASSWORD is not set, so the image generates a random admin password
      # and prints it in its logs at first start
    restart: unless-stopped
    networks:
      network-pihole:
        ipv4_address: 172.29.0.2

networks:
  network-pihole:
    name: "dns-pihole"
    # a fixed ipv4_address is only accepted inside a user-configured subnet;
    # without this block docker refuses to start the stack
    ipam:
      config:
        - subnet: 172.29.0.0/24
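To catch the pitfalls behind this file before docker does (a dns: entry that is not an IP address, a fixed ipv4_address with no ipam subnet behind it, and a SERVERPORT that no published UDP port backs), here is a small static checker. It is an added example written for this page, not code from the post, linuxserver.io or Pi-hole; COMPOSE is a constructed, trimmed copy of the stack above with SERVERPORT set to 51820, and the regex parsing assumes the simple one-value-per-line layout of this file rather than general YAML. Run on the original file with SERVERPORT=1194 it reports the port mismatch, which is only a false alarm if an upstream device forwards UDP 1194 to this host's 51820.

```python
"""Static consistency checks for the WireGuard + Pi-hole compose stack.

Added example, not code from the post nor from linuxserver.io or Pi-hole.
It only inspects compose text with regexes (no PyYAML needed), so it runs
offline; COMPOSE is a constructed, trimmed copy of the stack on this page.
"""
import ipaddress
import re

COMPOSE = """\
version: "3.5"
services:
  wireguard:
    image: linuxserver/wireguard
    dns:
      - 172.29.0.2
    ports:
      - 51820:51820/udp
    environment:
      - SERVERURL=host_server.yourdomain.com
      - SERVERPORT=51820
      - PEERS=Android_phone
    networks:
      - network-pihole
  pihole:
    image: pihole/pihole:latest
    networks:
      network-pihole:
        ipv4_address: 172.29.0.2
networks:
  network-pihole:
    name: "dns-pihole"
    ipam:
      config:
        - subnet: 172.29.0.0/24
"""

# Same stack with two classic mistakes (constructed): no ipam subnet behind the
# fixed IP, and SERVERPORT pointing peers at a port the host does not publish.
BROKEN = COMPOSE.replace("SERVERPORT=51820", "SERVERPORT=1194").replace(
    "    ipam:\n      config:\n        - subnet: 172.29.0.0/24\n", "")


def dns_entries(text):
    """Values listed under any service-level `dns:` block."""
    found = []
    for block in re.finditer(r"^\s*dns:\n((?:[ \t]*-[ \t]*\S+\n)+)", text, re.M):
        found += re.findall(r"-\s*(\S+)", block.group(1))
    return found


def fixed_ips(text):
    return re.findall(r'ipv4_address:\s*"?([\d.]+)', text)


def subnets(text):
    return [ipaddress.ip_network(s) for s in re.findall(r'subnet:\s*"?([\d.]+/\d+)', text)]


def env_value(text, key):
    """First `KEY=value` or `KEY: value` occurrence in an environment block."""
    m = re.search(rf'\b{key}[=:]\s*"?([^"\s]+)', text)
    return m.group(1) if m else None


def published_udp_host_ports(text):
    """Host ports of `- host:container/udp` mappings."""
    return [int(h) for h in re.findall(r'-\s*"?(\d+):\d+/udp', text)]


def check_stack(text):
    """Return a list of problems; an empty list means the stack is consistent."""
    problems = []
    ips = fixed_ips(text)
    nets = subnets(text)

    # 1. compose's dns: option takes IP addresses only; a container name is
    #    never resolved, so the entry must be the pinned address of a service.
    for entry in dns_entries(text):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"dns entry {entry!r} is not an IP address")
            continue
        if entry not in ips:
            problems.append(f"dns entry {entry} is not the fixed ipv4_address of any service")

    # 2. Docker only honours ipv4_address inside a user-configured subnet.
    for ip in ips:
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            problems.append(f"ipv4_address {ip} lies in no declared ipam subnet")

    # 3. SERVERPORT becomes the Endpoint port in every peer config, so it must be
    #    a UDP port the host publishes (or one an upstream router forwards to it).
    port = env_value(text, "SERVERPORT")
    published = published_udp_host_ports(text)
    if port is not None and int(port) not in published:
        problems.append(f"SERVERPORT={port} but the published UDP host ports are {published}")
    return problems


if __name__ == "__main__":
    for name, text in (("fixed", COMPOSE), ("broken", BROKEN)):
        print(name, check_stack(text) or "ok")
```

The checks deliberately stop at what the compose file itself can tell you; whether Pi-hole actually answers over the tunnel is a runtime test (a dig from a connected phone against the VPN interface address) that no static check replaces.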