WireHole is a combination of WireGuard, PiHole, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create and deploy a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities (via Pihole), and DNS caching with additional privacy options (via Unbound).
π€ Devin Stokes
- Twitter: @DevinStokes
- Github: @IAmStoxe
Contributions, issues and feature requests are welcome!
Feel free to check issues page.
Give a β if this project helped you!
The Wireguard image supports multiple architectures such as x86-64
, arm64
and armhf
. Linuxserver - who makes the wireguard image we use - utilises the docker manifest for multi-platform awareness.
More information is available from docker here and LinuxServer's announcement here.
Simply pulling linuxserver/wireguard
should retrieve the correct image for your arch, but you can also pull specific arch images via tags
This is the default configuration in this project
The architectures supported by this image are:
Architecture | Tag |
---|---|
x86-64 | amd64-latest |
arm64 | arm64v8-latest |
armhf | arm32v7-latest |
To get started all you need to do is clone the repository and spin up the containers.
git clone https://github.com/IAmStoxe/wirehole.git
cd wirehole
docker-compose up
#!/bin/bash
# Prereqs and docker
sudo apt-get update &&
sudo apt-get install -yqq \
curl \
git \
apt-transport-https \
ca-certificates \
gnupg-agent \
software-properties-common
# Install Docker repository and keys
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable" &&
sudo apt-get update &&
sudo apt-get install docker-ce docker-ce-cli containerd.io -yqq
# docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose &&
sudo chmod +x /usr/local/bin/docker-compose &&
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
# wirehole
git clone https://github.com/IAmStoxe/wirehole.git &&
cd wirehole &&
docker-compose up
Within the output of the terminal will be QR codes you can (if you choose) to setup it WireGuard on your phone.
wireguard | **** Internal subnet is set to 10.6.0.0 ****
wireguard | **** Peer DNS servers will be set to 10.2.0.100 ****
wireguard | **** No found wg0.conf found (maybe an initial install), generating 1 server and 1 peer/client confs ****
wireguard | PEER 1 QR code:
wireguard | βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
wireguard | βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
wireguard | ββββ βββββ βββββ ββββββ ββ ββ ββ βββββ βββββ β ββ βββββ ββββ
wireguard | ββββ β β βββββββββββββ βββββββ βββ β βββββ βββ ββ β β ββββ
wireguard | ββββ βββββ βββ βββ βββ βββββ ββββ
wireguard | ββββββββββββ β β β βββββ ββββββββββββ
wireguard | ββββ ββ ββββ ββββββ ββ ββ β βββββββββββββ ββββ β βββ βββββ
wireguard | βββββ ββ β βββββ ββ β β β β βββββ ββ ββββ β ββ β ββ ββββ
wireguard | ββββββββ βββ ββββββββ ββββ ββ βββ β βββββ ββββ ββββ ββββββ
wireguard | ββββ βββββββ ββββ ββ βββββ ββ ββββββ β β ββββ β βββββββ βββββ
wireguard | ββββββ ββ ββ ββ ββββ βββββ β βββββ βββ ββββββ βββ βββββ
wireguard | ββββ ββ ββ β ββββββββ
wireguard | βββββββ βββ β βββββββββββ
wireguard | ββββ β ββββ β ββ β βββββββ ββββββββββ β βββ ββ β β βββββ
wireguard | βββββββββββ β ββ ββ ββ ββ ββ ββββββββββββ
wireguard | ββββ ββ βββ ββββββββββ ββββ β βββ ββ ββ βββ β β βββ ββββββ
wireguard | βββββββ βββ β ββ βββββ
wireguard | ββββββββββββ ββ ββ ββ βββ β ββ ββββ ββββ ββ ββ β βββ β βββββββ
wireguard | ββββββββ βββββ βββββ ββ ββ ββ ββ βββ βββββββββ ββββββ
wireguard | βββββ β β β βββββββββββ β βββββββ βββ ββ β βββββββ ββββββ
wireguard | ββββ β β βββ ββββββ βββ β β βββββ ββββββββ βββββ βββ ββ βββββ
wireguard | βββββββ βββ ββββ ββ ββ βββ β βββββββββββββββ ββ ββ β βββββββββ
wireguard | ββββββ ββ β β βββββββ
wireguard | ββββββ βββββ β ββββ β β β βββββ β ββββββββββ β ββββββββββ ββββ
wireguard | ββββ ββββββββββ β ββββ βββββ βββββββββββ βββββ βββββββ ββ β βββββ
wireguard | ββββ β ββββ β ββ β ββ βββββ β β βββ ββββββββββββββ β ββ ββββββ
wireguard | βββββββββββββββ ββ βββ ββββββ βββ ββββ βββββββ ββββ βββ ββββββββ
wireguard | ββββ βββββ βββββββββββ β ββ β βββ ββββ ββββ ββ ββββ βββ βββββ
wireguard | ββββ β β β ββ ββ βββ ββ β β β βββββ ββ βββββ ββ ββββββββ
wireguard | ββββ βββββ β β βββ β ββββββββββ βββββββ β βββββ βββββββββββββββ
wireguard | βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
wireguard | βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
wireguard | βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
wireguard | [cont-init.d] 30-config: exited 0.
wireguard | [cont-init.d] 99-custom-scripts: executing...
wireguard | [custom-init] no custom files found exiting...
wireguard | [cont-init.d] 99-custom-scripts: exited 0.
wireguard | [cont-init.d] done.
wireguard | [services.d] starting services
Modify your wireguard client AllowedIps
to 10.2.0.0/24
to only tunnel the web panel and DNS traffic.
While connected to WireGuard, navigate to http://10.2.0.100/admin
The password (unless you set it in docker-compose.yml
) is blank.
If you're using a dynamic DNS provider, you can edit docker-compose.yml
under "wireguard".
Here is an excerpt from the file.
You need to uncomment #- SERVERURL
so it reads - SERVERURL
without the #
and then change my.ddns.net
to your DDNS URL.
wireguard:
# ...
environment:
# ...
- SERVERURL=my.ddns.net #optional - For use with DDNS (Uncomment to use)
# ...
# ...
Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate <external>:<internal>
respectively. For example, -p 8080:80
would expose port 80
from inside the container to be accessible from the host's IP on port 8080
outside the container.
Parameter | Function |
---|---|
-p 51820/udp |
wireguard port |
-e PUID=1000 |
for UserID - see below for explanation |
-e PGID=1000 |
for GroupID - see below for explanation |
-e TZ=Europe/London |
Specify a timezone to use EG Europe/London |
-e SERVERURL=wireguard.domain.com |
External IP or domain name for docker host. Used in server mode. If set to auto , the container will try to determine and set the external IP automatically |
-e SERVERPORT=51820 |
External port for docker host. Used in server mode. |
-e PEERS=1 |
Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
-e PEERDNS=auto |
DNS server set in peer/client configs (can be set as 8.8.8.8 ). Used in server mode. Defaults to auto , which uses wireguard docker host's DNS via included CoreDNS forward. |
-e INTERNAL_SUBNET=10.13.13.0 |
Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
-e ALLOWEDIPS=0.0.0.0/0 |
The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
-v /config |
Contains all relevant configuration files. |
-v /lib/modules |
Maps host's modules folder. |
--sysctl= |
Required for client mode. |
You can set any environment variable from a file by using a special prepend FILE__
.
As an example:
-e FILE__PASSWORD=/run/secrets/mysecretpassword
Will set the environment variable PASSWORD
based on the contents of the /run/secrets/mysecretpassword
file.
There is the ability to override the default umask settings for services started within the containers using the optional -e UMASK=022
setting.
Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up here before asking for support.
When using volumes (-v
flags) permissions issues can arise between the host OS and the container, this is avoided by allowing you to specify the user PUID
and group PGID
.
Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
In this instance PUID=1000
and PGID=1000
, to find yours use id user
as below:
$ id username
uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
If the environment variable PEERS
is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under /config/peerX
in case PEERS
is a variable and an integer or /config/peer_X
in case a list of names was provided instead of an integer.
Variables SERVERURL
, SERVERPORT
, INTERNAL_SUBNET
and PEERDNS
are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
To add more peers/clients later on, you increment the PEERS
environment variable or add more elements to the list and recreate the container.
To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: docker exec -it wireguard /app/show-peer 1 4 5
or docker exec -it wireguard /app/show-peer myPC myPhone myTablet
(Keep in mind that the QR codes are also stored as PNGs in the config folder).
The templates used for server and peer confs are saved under /config/templates
. Advanced users can modify these templates and force conf generation by deleting /config/wg0.conf
and restarting the container.
(This portion of documentation has been adapted from docker-wireguard)
If you choose to not use Cloudflare any reason you are able to modify the upstream DNS provider in unbound.conf
.
Search for forward-zone
and modify the IP addresses for your chosen DNS provider.
NOTE: The anything after
#
is a comment on the line. What this means is it is just there to tell you which DNS provider you put there. It is for you to be able to reference later. I recommend updating this if you change your DNS provider from the default values.
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-tls-upstream: yes
While you can actually use any upstream provider you want, the team over at pi-hole.net provide a fantastic break down along with all needed information of some of the more popular providers here: https://docs.pi-hole.net/guides/upstream-dns-providers/
Providers they have the information for:
- OpenDNS
- Level3
- Comodo
- DNS.WATCH
- Quad9
- CloudFlare DNS
Provided your DNS is properly configured on the device you're using, and you're connected to WireGuard, you can now navigate to http://pi.hole/admin and it should take you right to the pihole admin interface.
- Shell access whilst the container is running:
docker exec -it wireguard /bin/bash
- To monitor the logs of the container in realtime:
docker logs -f wireguard
- container version number
docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard
- image version number
docker inspect -f '{{ index .Config.Labels "build_version" }}' ghcr.io/linuxserver/wireguard
LinuxServer images are generally static, versioned, and require an image update and container recreation to update the app inside.
Note: Updating apps inside the container is NOT supported.
Below are the instructions for updating containers:
- Update all images:
docker-compose pull
- or update a single image:
docker-compose pull wireguard
- or update a single image:
- Let compose update all containers as necessary:
docker-compose up -d
- or update a single container:
docker-compose up -d wireguard
- or update a single container:
- You can also remove the old dangling images:
docker image prune
-
Pull the latest image at its tag and replace it with the same env variables in one run:
docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ containrrr/watchtower \ --run-once wireguard
-
You can also remove the old dangling images:
docker image prune
Note: Watchtower is not endorsed as a solution for automated updates of existing Docker containers. In fact generally automated updates are discouraged. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, LinuxServer.io highly recommends using Docker Compose.
If the environment variable PEERS
is set to a number, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under /config/peerX.
Variables SERVERURL
, SERVERPORT
, INTERNAL_SUBNET
and PEERDNS
are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
To add more peers/clients later on, you increment the PEERS
environment variable and recreate the container.
To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: docker-compose exec wireguard /app/show-peer 1 4 5
will show peers #1 #4 and #5 (Keep in mind that the QR codes are also stored as PNGs in the config folder).
The templates used for server and peer confs are saved under /config/templates. Advanced users can modify these templates and force conf generation by deleting /config/wg0.conf and restarting the container.
The ARM variants can be built on x86_64 hardware using multiarch/qemu-user-static
docker run --rm --privileged multiarch/qemu-user-static:register --reset
Once registered you can define the dockerfile to use with -f Dockerfile.aarch64
.
If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
Both of these approaches have positives and negatives however their setup is out of scope for this document as everyone's network layout and equipment will be different.