this post was submitted on 16 Oct 2023
21 points (92.0% liked)

Selfhosted

40183 readers
1150 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I'm trying to setup Wireguard to use as a VPN on my server using this guide. I currently run Pihole on the same machine.

LAN 192.168.1.*
WG 10.14.0.*
WG Server Addr 10.14.0.1
WG Client Addr 10.14.0.10

The handshake succeeds, and I can even ping IP addresses. However, it doesn't receive DNS responses. I checked in Wireshark and see the following:

WAN Client IP -> Server IP [Wireguard]
WG Client IP -> Server IP [DNS Request]
Server IP -> Server IP [DNS Request]
Server IP -> Server IP [DNS Response]
WG Server Addr -> WG Client Addr [DNS Response]
WG Client Addr -> WG Server Addr [ICMP Port unreachable]

I'm admittedly pretty inexperienced when it comes to routing, but I've been at this for days with no success. Any help would be greatly appreciated.

Edit

I now realize that it would have been relevant to mention the my Pihole instance was running inside a rootless podman container.

To test things further, I wrote a small echo server and spun it up on bare metal. Wireguard had no issues with that. My guess is that something between wireguard and specifically rootless podman was going wrong. I still don't know what, unfortunately.

My fix was to put Pihole in a privileged podman container with a network and static IP e.g. --net bridge:ip=10.88.0.230. I also put wireguard into a privileged podman container on the same network --net bridge. Finally, I set the peer DNS to the Pihole's static IP on the podman network (10.88.0.230).

As I said before, I still don't know why podman wasn't replying to the correct IP initially. I'm happy with my fix, but I'd still prefer the containers to be rootless so feel free to message me if you have any suggestions.

you are viewing a single comment's thread
view the rest of the comments
[–] lemming741@lemmy.world 3 points 1 year ago (1 children)

Your DNS might be configured to only answer local (from 192 addresses) requests. Did you enable IP masquerading?

[–] ShitpostCentral@lemmy.world 1 points 1 year ago (1 children)

Yes. And I set Pi-hole to respond to any interface. Plus, I can see the response being sent in Wireshark. It only gets blocked inside the wireguard interface.

[–] lemming741@lemmy.world 2 points 1 year ago (1 children)

Ok so you see your request in the pihole log? Which address does it show?

[–] ShitpostCentral@lemmy.world 2 points 1 year ago (1 children)

I do see the request. I'm running it inside a container so all the clients show up as the container's hostname.

[–] lemming741@lemmy.world 1 points 1 year ago (1 children)

Can you get to the pihole admin page over wg? Trying to narrow down if it's just port 53 or everything else too.

[–] ShitpostCentral@lemmy.world 2 points 1 year ago (1 children)
[–] lemming741@lemmy.world 1 points 1 year ago (1 children)

Ok what's your container setup? LXC? Docker? Compose?

Is the WG server also a container?

[–] ShitpostCentral@lemmy.world 2 points 1 year ago

Rootless podman. The plan is to eventually move WG into a container once I get it working, but it's running on bare metal at the moment.