WireHole is a docker-compose project that combines WireGuard, PiHole, and Unbound to create a full or split-tunnel VPN that is easy to deploy and manage. This setup allows for a VPN with ad-blocking via PiHole and enhanced DNS privacy and caching through Unbound.
👤 Devin Stokes
- Twitter: @DevinStokes
- GitHub: @IAmStoxe
Contributions, issues, and feature requests are welcome! Feel free to check the issues page.
Give a ⭐ if this project helped you!
The image supports multiple architectures such as x86-64
, arm64
, and armhf
. The linuxserver/wireguard
image automatically selects the correct image for your architecture.
The architectures supported by this image are:
Architecture | Tag |
---|---|
x86-64 | amd64-latest |
arm64 | arm64v8-latest |
armhf | arm32v7-latest |
To begin using WireHole, clone the repository and start the containers:
#!/bin/bash
# Clone the WireHole repository from GitHub
git clone https://github.com/IAmStoxe/wirehole.git
# Change directory to the cloned repository
cd wirehole
# Update the .env file with your configuration
cp .env.example .env
nano .env # Or use any text editor of your choice to edit the .env file
# Replace the public IP placeholder in the docker-compose.yml
sed -i "s/REPLACE_ME_WITH_YOUR_PUBLIC_IP/$(curl -s ifconfig.me)/g" docker-compose.yml
# Start the Docker containers
docker compose up
Remember to set secure passwords for WGUI_SESSION_SECRET
, WGUI_PASSWORD
, and WEBPASSWORD
in your .env
file.
The .env
file contains a series of environment variables that are essential for configuring the WireHole services within the Docker containers. Here is a detailed explanation of each variable:
TIMEZONE
: Sets the timezone for all services. It is important for logging and time-based operations. Example:America/Los_Angeles
.
PUID
andPGID
: These ensure that the services have the correct permissions to access and modify files on the host system. They should match the user ID and group ID of the host user.
UNBOUND_IPV4_ADDRESS
: The static IP address assigned to Unbound, ensuring it is reachable by Pi-hole.PIHOLE_IPV4_ADDRESS
: The static IP address assigned to Pi-hole, allowing it to serve DNS requests for the network.WIREGUARD_SERVER_PORT
: The port on which the WireGuard server will listen for connections.WIREGUARD_PEER_DNS
: The DNS server that WireGuard clients will use, which is typically set to the Pi-hole's address.
WIREGUARD_PEERS
: Specifies the number of peer/client configurations to generate for WireGuard.
WGUI_SESSION_SECRET
: A secret key used to encrypt session data for WireGuard-UI. This should be set to a secure, random value.WGUI_USERNAME
andWGUI_PASSWORD
: Credentials for accessing the WireGuard-UI interface.WGUI_MANAGE_START
: When set totrue
, WireGuard-UI will manage the starting of the WireGuard service.WGUI_MANAGE_RESTART
: When set totrue
, WireGuard-UI will manage the restarting of the WireGuard service.
WEBPASSWORD
: The password for accessing the Pi-hole web interface. It should be set to a secure value to prevent unauthorized access.PIHOLE_DNS
: The IP address of the Unbound server used by Pi-hole to resolve DNS queries.
Remember to replace any default or placeholder values with secure, unique values before deploying your services.
For a split-tunnel VPN, configure your WireGuard client AllowedIps
to 10.2.0.0/24
, which will route only the web panel and DNS traffic through the VPN.
Manage your WireGuard VPN through the WireGuard-UI at:
http://{YOUR_SERVER_IP}:5000
Log in with the WGUI_USERNAME
and WGUI_PASSWORD
you have set in your .env
file.
- Client Management: Add, remove, and manage clients.
- Authentication: Secure login with a username and password.
- Configurations: Update global server settings and manage client configurations.
Connect to WireGuard and access the Pi-hole admin panel at http://10.2.0.100/admin
. The login password is the one set as WEBPASSWORD
in your .env
file.
Configure DDNS by setting WG_HOST
in your .env
file to your DDNS URL.
wireguard:
environment:
- WG_HOST=my.ddns.net
Explain all the environment variables from your .env
file here. (Refer to the previous section where we provided a table of explanations for each variable.)
Discuss any additional settings such as Docker secrets, umask settings, user/group identifiers, adding clients, modifying DNS providers, and networking considerations. Make sure to update any instructions to match the current setup.
Provide information on how to access the shell while the container is running, view logs, update containers, and handle frequently asked questions. Ensure all the commands and steps are updated to reflect the current versions and practices.
Credit to LinuxServer.io for their maintenance of the Wireguard image and other contributions to the project.