WireHole is a combination of WireGuard, PiHole, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create and deploy a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities (via Pihole), and DNS caching with additional privacy options (via Unbound).
- ☁ If using a cloud provider:
- You need to allow ingress to port
51820
- You need to allow ingress to port
To get started all you need to do is clone the repository and spin up the containers.
git clone https://github.com/IAmStoxe/wirehole.git
cd wirehole
docker-compose up#!/bin/bash
# Prereqs and docker
sudo apt-get update &&
sudo apt-get install -yqq \
curl \
git \
apt-transport-https \
ca-certificates \
gnupg-agent \
software-properties-common
# Install Docker repository and keys
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable" &&
sudo apt-get update &&
sudo apt-get install docker-ce docker-ce-cli containerd.io -yqq
# docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose &&
sudo chmod +x /usr/local/bin/docker-compose &&
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
# wirehole
git clone https://github.com/IAmStoxe/wirehole.git &&
cd wirehole &&
docker-compose up
Within the output of the terminal will be QR codes you can (if you choose) to setup it WireGuard on your phone.
wireguard | **** Internal subnet is set to 10.6.0.0 ****
wireguard | **** Peer DNS servers will be set to 10.2.0.100 ****
wireguard | **** No found wg0.conf found (maybe an initial install), generating 1 server and 1 peer/client confs ****
wireguard | PEER 1 QR code:
wireguard | █████████████████████████████████████████████████████████████████
wireguard | █████████████████████████████████████████████████████████████████
wireguard | ████ ▄▄▄▄▄ █▀▀▀▄ ▀▀▀▀▄█ ██ ▄▀ ██ ██▄▀█ █▄▄█▀ ▄ ██ ▄▄▄▄▄ ████
wireguard | ████ █ █ █▀▄█▀█▄█▄██▀▄ ▀▀██▀▄█ ▀▄█ ▀ █▀▄█▄ ▄▄▄ ██ █ █ ████
wireguard | ████ █▄▄▄█ █▀█ ▀▀▄ ▄██ █▄▄▄█ ████
wireguard | ████▄▄▄▄▄▄▄█ ▀ ▀ █ █▄█▄▀ █▄▄▄▄▄▄▄████
wireguard | ████ ▄▄ █▄▄▄ ▄▀█▀▀▄ ▀█ ▀█ ▄ █▀▀▄▄██▄▄▀▀█▄ ██▀▀ █ █▄█ ▀████
wireguard | █████ ▄█ ▄ ▀▀█▄▄ █▀ ▀ ▀ ▄ ▄ ▀▄▀▀█ ██ ▀██▀ ▀ ▀▀ ▀ ▀▄ ████
wireguard | ████▀▀██ ▄▄▄ ██▀▄▄██▀ ██▀▄ ▀▀ █▄█ ▄ ▄█▄██ ▀▄▄█ █▀▀█ ▄▀████
wireguard | ████ ▄█▀█▀▄▄ ▄███ ▄█ ▀▀▀▀█ ▄█ ▀▀▀▀▀▄ █ █ ███▄ █ ▄▄▄▄▀▀▀ █████
wireguard | ████▀▄ ▀▀ ▄▄ ▄▄ █▀██ ▀▀▀▀▀ ▄ █▀▀██ ██▀ ▀█▄█▄█ ▄▄▀ ▀████
wireguard | ████ ▀█ ▄▄ █ ▀▀██████
wireguard | ███████ ▄▄█ █ ▄█▀█▀▀▄████
wireguard | ████ ▄ █▄▄▀ ▄ ▀▄ █ ▄██▀▀█▀ █▄▄█▀▄█▀█▄ █ ▀▄█ ▄█ ▀ █ █████
wireguard | ████▄██▀█▄▄ ▀ ▄▀ ▀▄ ▄█ ▀▄ █▀ ▀██▀▄███████
wireguard | ████ ▀█ ▄▄▄ ██▀███▄█▄█ █▄█▀ ▀ ▄▄▄ ▀▀ ▀▄ ▀▀█ █ █ ▄▄▄ ▄▀████
wireguard | ████▄██ █▄█ █ ▀▀ ▀████
wireguard | █████▀█▄▄▄▄▄ █▄ ▀▄ ██ ██▀ ▄ █▄ ▄▄▄▀ ▀▄▀█ █▀ █▄ ▄ ▄▄▄ ▄ ▀▄█████
wireguard | █████▀▄▀ ▄▄█▄▀ ██▄▄▄ █▀ ██ ██ █▄ ██▄ ▄▀█▄██▀▄█ █▀████
wireguard | ████▄ ▀ ▄ ▀ ▀▀▀▀▀▀█▀██▀ █ █▀█▀███ ▀▄█ █▄ █ ▀▀█▀██▀ ▄█████
wireguard | ████ ▀ ▄ ██▄ ▀▀▀▄▀█ ▀▀▄ ▄ ▄ █▀▀▄█ ▄█▄▀█▄█▀ ▄▀█▄▀ ▀▀▀ ▀▀ ▀████
wireguard | ███████ ▄█▄ ▀█▄▄ ▀█ █▀ █▀▄ ▄ ▀▄█▄▄█▀▄█▄▄▄▄█▀ ▀█ █▀ ▄ ██▀▄█████
wireguard | ████▀█ █▀ ▄ █ ▄▀█████
wireguard | ████▀▄ ▄▄█▄▄ ▄ ▄██▄ ▀ █ ▀ ▄▄█▀▀ ▄ ▀▀▄█▀▄██▀▀ ▄ ▄▄▄▄▀▀▄▀▀▀ ████
wireguard | ████ ▀▄▄▀▀▄▀▀▀▄ ▄ █▄▄▀ ██▀▄▀ █▄██▀▀▄█▄▄█ ████▄ ▀█▄█▀▄▀ ▀▄ ▀ █████
wireguard | ████ ▀ ▀▀▄▄ ▄ █▄ ▄ ██ ▄▀█▄▄ ▄ ▄ █▄▀ ▄▄▀██▄▀▀██▀▀▄▄ ▄ ██ ▄▀████
wireguard | ██████████▄█▀▀█ ▄█ █▄▄ ▀▄▀█▀▀ ▄▄▄ ▀█▀█ ▄▀█▀█▀▀ ██▄▀ ▄▄▄ ▄██▄████
wireguard | ████ ▄▄▄▄▄ █▄▄▄█▀▄█▀██ ▄ ▀█ ▀ █▄█ ▀▀█▄ ██▄█ ▀▄ ▀█▄▄ █▄█ █████
wireguard | ████ █ █ █ ▄▄ ▄█ ▄▄█ █▀ ▄ ▄ █ ▄█▄▄█ █▀ ▄████ ▄▄ ▀▀▄▄████
wireguard | ████ █▄▄▄█ █ ▀ ▄▄█ ▄ ▀▀▄██▄▀█▀█ █▀█▀▀▀▄ ▄ █▀▀▄▀ ▄▀███▀██▀██████
wireguard | ████▄▄▄▄▄▄▄█▄██▄▄█▄▄▄▄▄██▄█▄▄▄█▄█▄█▄▄▄▄█▄▄▄█████▄▄█▄█▄▄████▄█████
wireguard | █████████████████████████████████████████████████████████████████
wireguard | █████████████████████████████████████████████████████████████████
wireguard | [cont-init.d] 30-config: exited 0.
wireguard | [cont-init.d] 99-custom-scripts: executing...
wireguard | [custom-init] no custom files found exiting...
wireguard | [cont-init.d] 99-custom-scripts: exited 0.
wireguard | [cont-init.d] done.
wireguard | [services.d] starting servicesModify your wireguard client AllowedIps to 10.2.0.0/24 to only tunnel the web panel and DNS traffic.
While connected to WireGuard, navigate to http://10.2.0.100/admin
The password (unless you set it in docker-compose.yml) is blank.
If you're using a dynamic DNS provider, you can edit docker-compose.yml under "wireguard".
Here is an excerpt from the file.
You need to uncomment #- SERVERURL so it reads - SERVERURL without the # and then change my.ddns.net to your DDNS URL.
wireguard:
# ...
environment:
# ...
- SERVERURL=my.ddns.net #optional - For use with DDNS (Uncomment to use)
# ...
# ...If you choose to not use Cloudflare any reason you are able to modify the upstream DNS provider in unbound.conf.
Search for forward-zone and modify the IP addresses for your chosen DNS provider.
NOTE: The anything after
#is a comment on the line. What this means is it is just there to tell you which DNS provider you put there. It is for you to be able to reference later. I recommend updating this if you change your DNS provider from the default values.
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-tls-upstream: yesWhile you can actually use any upstream provider you want, the team over at pi-hole.net provide a fantastic break down along with all needed information of some of the more popular providers here: https://docs.pi-hole.net/guides/upstream-dns-providers/
Providers they have the information for:
- OpenDNS
- Level3
- Comodo
- DNS.WATCH
- Quad9
- CloudFlare DNS
- Login to pihole admin
- Navigate to "Local Records"
- Fill out the form like the image below
Provided your DNS is properly configured on the device you're using, and you're connected to WireGuard, you can now navigate to http://pi.hole/admin and it should take you right to the pihole admin interface.
If the environment variable PEERS is set to a number, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under /config/peerX.
Variables SERVERURL, SERVERPORT, INTERNAL_SUBNET and PEERDNS are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
To add more peers/clients later on, you increment the PEERS environment variable and recreate the container.
To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: docker-compose exec wireguard /app/show-peer 1 4 5 will show peers #1 #4 and #5 (Keep in mind that the QR codes are also stored as PNGs in the config folder).
The templates used for server and peer confs are saved under /config/templates. Advanced users can modify these templates and force conf generation by deleting /config/wg0.conf and restarting the container.
👤 Devin Stokes
- Twitter: @DevinStokes
- Github: @IAmStoxe
Contributions, issues and feature requests are welcome!
Feel free to check issues page.
Give a ⭐ if this project helped you!
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent