Wireguard - Where's My pi-hole ?

Apr 24, 2026 • 19:09

YOoOoO, new entry for the configuration of my Wireguard server using the linuxserver.io Docker image.

In brief, what is Wireguard ?

Wireguard is a communication protocol and free and open-source VPN. It is designed to be lighter and better than IPSec and OpenVPN. (Wikipedia)

Base configuration

On the server

What is cool with linuxserver is that they always manage to give us pretty easy docker-compose.yml templates that we can use almost as plug-and-play.

So here is the base config:

```yaml
---
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SERVERURL=wireguard.domain.com #optional
      - SERVERPORT=51820 #optional
      - PEERS=1 #optional
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=0.0.0.0/0 #optional
      - PERSISTENTKEEPALIVE_PEERS= #optional
      - LOG_CONFS=true #optional
    volumes:
      - /path/to/wireguard/config:/config
      - /lib/modules:/lib/modules #optional
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
```

We do have to adapt that awesome template based on our infrastructure and on how many peer configurations we want to generate.

The two main reasons for deploying this service were:

  • Hiding some internal services that I don’t want to be exposed online
  • Forcing the traffic through my pi-hole that is self hosted on a Raspberry Pi Zero 2w

After running the docker compose up -d command, the container generates a config/ folder where all our wireguard configurations are stored. That folder holds the server and peer private keys, so don’t forget to add it to the .gitignore please.

On the client(s)

First, don’t forget to install the wireguard software (sometimes the package is called wireguard-tools) AND openresolv (or resolvconf).

We then have to manually copy the peerX.conf file to /etc/wireguard/wg0.conf and start our VPN service with sudo wg-quick up wg0.

To check that everything is up, run sudo wg show.

Everyone is happy, we managed to deploy wireguard easily !

A problem doesn’t come alone

Sadly, finishing this configuration at 10:00PM was not a good idea.

I went to sleep, and the next day, I woke up without connection on all of my peers !

I first thought of my pi-hole completely exploding because of the 512MB of RAM. I checked the Admin interface and saw that I stopped receiving DNS requests at EXACTLY 1:00AM.

I tried to better understand the problem, but I couldn’t find any errors that could indicate that my pi-hole crashed. So I went to work, frustrated because nothing was working (as always). But afterwards, a friend of mine told me that on servers hidden behind firewalls or NAT, a PersistentKeepalive is necessary.

The reason is that wireguard is a silent protocol: it doesn’t make noise when it’s not necessary. But routers and firewalls are stateful devices that create temporary mappings, which are flushed if there is no traffic OR if the router does a lease renewal (basically giving the IP back and getting a new one).

The problem was that the tunnel between my vps and my pi-hole broke because my vps had no way of knowing how to find my Pi-hole again once the router’s NAT table cleared.
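To catch this kind of silent drop, here is an added example (not from the original setup, nor from the WireGuard or linuxserver.io projects) that reads the tab-separated output of wg show <interface> dump and flags peers whose last handshake is stale while keepalive is off. The 180-second threshold, the function names and the sample peers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag WireGuard peers that went quiet behind NAT.
# Input format (`wg show <iface> dump`, tab-separated): the first line is
# the interface itself, every following line is one peer:
#   public-key preshared-key endpoint allowed-ips latest-handshake
#   transfer-rx transfer-tx persistent-keepalive
# Live usage: sudo wg show wg0 dump | check_peers "$(date +%s)" 180

check_peers() {
  # $1 = current Unix time, $2 = max handshake age in seconds (assumed)
  awk -F'\t' -v now="$1" -v max="$2" '
    NR == 1 { next }                       # skip the interface line
    {
      key = substr($1, 1, 8)               # short peer id for the report
      hs = $5; ka = $8                     # last handshake, keepalive
      if (hs == 0)             state = "NEVER_CONNECTED"
      else if (now - hs > max) state = "STALE"
      else                     state = "OK"
      age  = (hs == 0) ? "n/a" : now - hs
      note = (ka == "off") ? "keepalive=off" : "keepalive=" ka "s"
      # Stale handshake + no keepalive is the symptom described above.
      hint = (state == "STALE" && ka == "off") ? " hint=set-PersistentKeepalive" : ""
      printf "%s %s age=%s %s%s\n", key, state, age, note, hint
    }'
}

# Constructed sample dump: keys are placeholders, addresses are from
# documentation ranges, timestamps are made up.
sample_dump() {
  printf '%s\t%s\t%s\t%s\n' 'PRIVPLACEHOLDER=' 'SRVPUBPLACEHOLDER=' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PIHOLEAAAAAA=' '(none)' '203.0.113.7:41822' '10.13.13.2/32' \
    1700000000 1024 2048 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'LAPTOPBBBBBB=' '(none)' '198.51.100.9:51820' '10.13.13.3/32' \
    1700010700 4096 8192 25
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    'PHONECCCCCCC=' '(none)' '(none)' '10.13.13.4/32' 0 0 0 off
}

# Report on the constructed sample, with "now" fixed at 1700010800.
sample_dump | check_peers 1700010800 180
```

Run from cron or a monitoring check on the server side, a STALE line with keepalive=off points at the peer whose configuration needs PersistentKeepalive.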

When I came back from work, I managed to fix that problem, BUT (there is always a but), I couldn’t enable my VPN interface on the pi-hole. After an hour of research (and recreating my peers config, etc., etc.), I found some resources saying that on ARM architectures like my Raspberry Pi, resolvconf was better suited. I eventually switched to that and figured out the issue.

Thanks for reading this (long) post about my first experience with wireguard,

See you, Misako