Set up Wireguard / Pi-Hole and OpenVPN together

martichou

Martin André

Posted on December 4, 2020


WireGuard is fairly new but already a solid replacement for OpenVPN. It provides an encrypted tunnel from a client to a server, with each side authenticated by its public key: a peer is simply an entry whose public key you trust, and there are no usernames, passwords or certificates to manage.

In this tutorial I will assume that you already have some basic knowledge of networking and the command line.

What will we do today?

The other day I was struggling to configure my WireGuard instance to use Pi-hole while also using Cloudflare's DNS for general queries and my company's DNS over an OpenVPN connection to reach the company's servers.

So I decided to write this guide, based on my experience. The little graph below summarizes what we'll end up with.

Graph of the network

Setting up Pi-Hole

Despite what the project's name suggests, Pi-hole is not reserved for the Raspberry Pi. It runs on an ordinary server too, and that's what we're going to do.

All you need is this one command (it pipes a script fetched over HTTPS straight into bash and runs it as root; download the script and read it first if you prefer to know what it does):

curl -sSL https://install.pi-hole.net | bash

If you need more information for the install, check out this guide.

Once it's installed, open the Pi-hole web admin page and go to Settings > DNS.

Here you can select which upstream DNS servers to use and add your own custom upstream too.
In my case the company DNS address is 10.51.1.1, which results in this configuration:

(Screenshots: Custom Upstream, Interfaces, Advanced Settings)

This config sends general queries to 1.1.1.1 and queries for my company's domain to 10.51.1.1 (Pi-hole decides by domain name, e.g. through its conditional forwarding settings). Two things to check on the same page: under Interfaces, Pi-hole must accept queries arriving on the WireGuard interface and not only on the LAN interface, or the clients configured later will get no answers; and 10.51.1.1 is only reachable while the OpenVPN tunnel set up below is up, so lookups for the company domain will fail rather than fall back to 1.1.1.1 until it is. Also keep in mind that queries to 1.1.1.1 leave the server in plaintext unless you put a DNS-over-HTTPS proxy in front of Pi-hole (its documentation covers doing that with cloudflared).

That's it for Pi-hole as far as DNS goes; you may want to play with the blocklists a bit so ads are actually blocked.
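Pi-hole's FTL resolver is a dnsmasq fork, so the domain-based split above boils down to dnsmasq `server=/domain/ip` rules, which Pi-hole also reads from drop-in files under /etc/dnsmasq.d/. The following added example (mine, not code from the post or from the Pi-hole project) shows how such rules choose an upstream, including the two details that trip people up: matching is on label boundaries, and the longest matching suffix wins. It also renders the rules as a drop-in file. The zone name corp.example and the drop-in file name are assumptions; 1.1.1.1 and 10.51.1.1 are the upstreams from the post, and the rule table is constructed.

```python
"""Upstream selection the way dnsmasq's ``server=/domain/ip`` lines do it; Pi-hole's
FTL is a dnsmasq fork and reads such lines from drop-ins under /etc/dnsmasq.d/.
Added example, not code from the post or from Pi-hole. The zone name corp.example
and the drop-in file name are assumptions; 1.1.1.1 and 10.51.1.1 are the post's
upstreams. The rule table below is constructed."""
from typing import List, Optional, Tuple

# (domain suffix, upstream). The empty suffix is the catch-all, i.e. the upstream
# picked in the Pi-hole web UI; the other entries are the split-horizon overrides.
RULES: List[Tuple[str, str]] = [
    ("", "1.1.1.1"),                 # everything else: Cloudflare
    ("corp.example", "10.51.1.1"),   # company zone: DNS only reachable through the OpenVPN tunnel
]

def _labels(name: str) -> List[str]:
    """Split a name into lowercase labels, ignoring a trailing dot and empty labels."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def matches_suffix(qname: str, suffix: str) -> bool:
    """True if qname is suffix itself or lies under it. Matching is on label boundaries,
    as dnsmasq does it: notcorp.example is NOT under corp.example, although the raw
    string ends the same way. The empty suffix matches everything."""
    q, s = _labels(qname), _labels(suffix)
    return len(q) >= len(s) and q[len(q) - len(s):] == s

def select_upstream(qname: str, rules: List[Tuple[str, str]] = RULES) -> Optional[str]:
    """Most specific (longest) matching suffix wins, as with overlapping server= lines.
    Returns None when no rule matches (no catch-all configured)."""
    best: Optional[Tuple[int, str]] = None
    for suffix, upstream in rules:
        if matches_suffix(qname, suffix):
            depth = len(_labels(suffix))
            if best is None or depth > best[0]:
                best = (depth, upstream)
    return None if best is None else best[1]

def dnsmasq_drop_in(rules: List[Tuple[str, str]] = RULES) -> str:
    """Render the overrides as a drop-in, e.g. /etc/dnsmasq.d/02-split-dns.conf (assumed name).
    The catch-all stays in the web UI, so it is deliberately not written here."""
    lines = ["# split-horizon forwarding for Pi-hole"]
    lines += [f"server=/{suffix}/{upstream}" for suffix, upstream in rules if suffix]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for name in ("git.corp.example", "corp.example", "notcorp.example", "example.com"):
        print(f"{name:18} -> {select_upstream(name)}")
    print(dnsmasq_drop_in(), end="")
```

After writing the drop-in, `pihole restartdns` makes FTL pick it up. Note that dnsmasq does not fall back across `server=` lines: while the OpenVPN tunnel is down, lookups under corp.example time out instead of going to 1.1.1.1, which is the behaviour you want (the company's names should not leak to a public resolver) but worth knowing when debugging.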

OpenVPN

In our network graph the OpenVPN connection is only used to talk to my company's network. It's OpenVPN because our office router runs pfSense.

Setting it up is easy: you just need your config.ovpn file (exported from the pfSense side).

Then install openvpn:

apt-get install openvpn

Define your credentials. The file holds a plaintext password, so it must be readable by root only, and your config.ovpn needs an auth-user-pass /etc/openvpn/credentials line so OpenVPN reads it from there (username on the first line, password on the second):

umask 077                                    # the file holds a plaintext password: create it root-only
echo "username" >  /etc/openvpn/credentials  # first line: username (> overwrites, so a rerun doesn't stack lines)
echo "password" >> /etc/openvpn/credentials  # second line: password

And start the tunnel (on Debian and Ubuntu you can instead place the file under /etc/openvpn/client/ as, say, company.conf and manage it with the openvpn-client@company systemd unit, so it comes back after a reboot):

openvpn --config /path/config.ovpn --daemon

You should see a new tun0 interface when you run:

ip a

Wireguard server

Let's install and configure our WireGuard instance now!

The install process is just 3 commands long (the PPA was needed on older Ubuntu releases; on Ubuntu 20.04+ and Debian 11+ WireGuard ships in the kernel and in the standard repositories, so only the last apt-get install wireguard is needed):

apt-get install linux-headers-$(uname --kernel-release)
add-apt-repository ppa:wireguard/wireguard
apt-get update && apt-get install wireguard

Now we can configure WireGuard.
Start by creating the keys folder and the server's private/public key pair. The umask 077 matters: it makes the private key file readable by root only, and that key is the server's whole identity.

mkdir -p /etc/wireguard/keys
cd /etc/wireguard/keys
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

We'll now create /etc/wireguard/wg0.conf, our WireGuard config. Address is the server's own address inside the tunnel and must be a host address in a private range; the peers get addresses in the same subnet. ens2 is the server's public interface, tun0 the OpenVPN tunnel and he-ipv6 an IPv6 tunnel interface, so adjust those names to your machine. Be aware of what the FORWARD and MASQUERADE rules on tun0 mean: every WireGuard peer you add can reach the company network through the OpenVPN connection, so only add peers for which that is intended.

vim /etc/wireguard/wg0.conf

[Interface]
PrivateKey = private_key # from the step above
Address = 172.16.66.1/24,fd5b:5840:9e9f:a477::1/64 # the server's own tunnel address; you can change it, but KEEP PRIVATE RANGES
ListenPort = 8999
PostUp = sysctl -w net.ipv4.ip_forward=1; sysctl -w net.ipv6.conf.all.forwarding=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE; iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o he-ipv6 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE; iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o he-ipv6 -j MASQUERADE

[Peer]
PublicKey = public_key_client_one
AllowedIPs = 172.16.66.2/32,fd5b:5840:9e9f:a477::ca:571e/128 # exactly one host per peer; update if you changed the Address above

[Peer]
PublicKey = public_key_client_two
AllowedIPs = 172.16.66.3/32,fd5b:5840:9e9f:a477::746f:786f/128 # update if you changed the Address above

Once it's configured, enable it at boot and start it:

systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

Wireguard client

As it's not the main goal of this tutorial and it isn't complicated, I'll just give you an example client config. The client generates its own key pair the same way the server did (wg genkey | tee privatekey | wg pubkey > publickey); only the public key goes into a [Peer] entry on the server, and the private key never leaves the client. The DNS line is what makes the client use the Pi-hole; without it, neither the ad blocking nor the company-domain forwarding applies.

[Interface]
PrivateKey = client_private_key
Address = 172.16.66.3/32,fd5b:5840:9e9f:a477::746f:786f/64
DNS = 10.18.1.57 # IMPORTANT (IP OF THE PI-HOLE)

[Peer]
PublicKey = server_public_key
AllowedIPs = 0.0.0.0/0,::/0 # ROUTE ALL TRAFFIC THROUGH THE TUNNEL
Endpoint = 123.123.123.123:8999 # IP OF THE SERVER:PORT
PersistentKeepalive = 15
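Two configs, a handful of addresses and a long PostUp line leave room for quiet mistakes: an Address that names the network instead of a host, two peers given the same AllowedIPs (wg does not complain, the route just moves to the last peer), a rule added in PostUp that PostDown never removes, or a client that routes everything through the tunnel but forgot DNS= and therefore bypasses the Pi-hole. The following added example (mine, not code from the post or from the WireGuard project) is a small linter for wg-quick configs that catches those cases, run against constructed versions of the server and client configs above. The key values in the samples are placeholders, not real keys, and 203.0.113.10 is a documentation address standing in for the server's public IP.

```python
"""Lint a wg-quick config (server or client) for slips the configs above can hide.
Added example, not code from the post or the WireGuard project; the sample configs
at the bottom are constructed and their key values are placeholders, not real keys."""
import ipaddress
from typing import List, Set

def parse_wg_conf(text: str) -> List[tuple]:
    """INI-style parse that keeps repeated [Peer] sections and repeated keys."""
    sections: List[tuple] = []  # (section name, {key: [values]})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments like the ones in wg0.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif sections and "=" in line:
            key, _, value = line.partition("=")
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return sections

def _csv(values: List[str]) -> List[str]:
    return [x.strip() for v in values for x in v.split(",") if x.strip()]  # Address, AllowedIPs lists

def _fw_rules(cmds: List[str], flag: str) -> Set[str]:
    """iptables/ip6tables rules in PostUp/PostDown that use `flag` (-A or -D), normalised to -A."""
    rules: Set[str] = set()
    for cmd in cmds:
        for part in cmd.split(";"):
            part = " ".join(part.split())
            if part.startswith(("iptables ", "ip6tables ")) and f" {flag} " in part:
                rules.add(part.replace(f" {flag} ", " -A ", 1))
    return rules

def lint_wg_conf(text: str) -> List[str]:
    """Return the findings for one config; an empty list means nothing looked wrong."""
    sections = parse_wg_conf(text)
    ifaces = [s for name, s in sections if name == "Interface"]
    peers = [s for name, s in sections if name == "Peer"]
    if len(ifaces) != 1:
        return [f"expected exactly one [Interface], found {len(ifaces)}"]
    iface, findings, nets = ifaces[0], [], []
    is_server = "ListenPort" in iface  # heuristic: servers listen, clients only dial out
    for a in _csv(iface.get("Address", [])):
        i = ipaddress.ip_interface(a)
        nets.append(i.network)
        if i.network.prefixlen < i.max_prefixlen and i.ip == i.network.network_address:
            findings.append(f"Address {a} is a network address, not a host address; use e.g. {i.network.network_address + 1}/{i.network.prefixlen}")
    seen, full_tunnel = {}, False
    for n, p in enumerate(peers, 1):
        for a in _csv(p.get("AllowedIPs", [])):
            net = ipaddress.ip_network(a, strict=False)  # a bare IP means /32 or /128, as wg treats it
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: everything is routed through this peer
                full_tunnel = True
                continue
            if str(net) in seen:  # wg does not complain, it just moves the route to the last peer
                findings.append(f"AllowedIPs {net} given to peers {seen[str(net)]} and {n}; wg keeps only the last")
            seen[str(net)] = n
            if is_server and not any(net.subnet_of(t) for t in nets if t.version == net.version):
                findings.append(f"peer {n}: AllowedIPs {net} is outside the tunnel subnet(s)")
            if is_server and net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {n}: AllowedIPs {net} routes more than one host to a single peer")
    leftovers = _fw_rules(iface.get("PostUp", []), "-A") - _fw_rules(iface.get("PostDown", []), "-D")
    findings += [f"PostUp adds '{r}' but PostDown never deletes it" for r in sorted(leftovers)]
    if full_tunnel and not is_server and "DNS" not in iface:
        findings.append("full-tunnel client has no DNS=; queries will not go to the Pi-hole")
    return findings

# Constructed server sample: the post's layout with three slips planted on purpose
# (network address, AllowedIPs reused by peer two, a tun0 rule that PostDown never removes).
SERVER_CONF = """\
[Interface]
PrivateKey = server_private_key_placeholder
Address = 172.16.0.0/12, fd5b:5840:9e9f:a477::1/64
ListenPort = 8999
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE; iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE
[Peer]
PublicKey = client_one_public_key_placeholder
AllowedIPs = 172.16.66.2/32, fd5b:5840:9e9f:a477::ca:571e/128
[Peer]
PublicKey = client_two_public_key_placeholder
AllowedIPs = 172.16.66.2, fd5b:5840:9e9f:a477::746f:786f/128
"""

# Constructed client sample: full tunnel, but the DNS= line was forgotten.
CLIENT_CONF = """\
[Interface]
PrivateKey = client_private_key_placeholder
Address = 172.16.66.3/32, fd5b:5840:9e9f:a477::746f:786f/128
[Peer]
PublicKey = server_public_key_placeholder
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:8999
PersistentKeepalive = 15
"""
```

Run it as `python3 -c 'import wglint; print(*wglint.lint_wg_conf(open("/etc/wireguard/wg0.conf").read()), sep="\n")'` (module name assumed) on the real file before `systemctl start`. The server/client distinction is a heuristic (ListenPort present or not); on a client with a split-tunnel AllowedIPs such as 10.51.0.0/16 the subnet checks are therefore skipped, which is what you want.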