Need help setting up traefik with a VPN (Wireguard) + Pi-hole

Hello!

For the last week I have tried to make my traefik services accessible over a VPN (Wireguard), but couldn't make it work. Hopefully someone here can help me, since I have no experience setting up a reverse proxy like traefik.

Current status on what is working right now:
Works: Access to services via domain name (e.g. pihole.subdomain.domain.duckdns.org) from my local network
Works: Using pihole in my local network
Works: Connection to my home network through Wireguard (successful handshake); access to e.g. 10.0.0.1:9000 is possible (e.g. Portainer running on the host)
Fails: Connecting to traefik services (e.g. pihole.subdomain.domain.duckdns.org) through Wireguard
Fails: Accessing the internet through Wireguard (when using pihole as my DNS)

Setup:
Everything lives in Docker. Traefik is exposed as part of the host, allowing access back to the services, based on DNS entries of the pihole container.

docker-compose.yml:

version: '3.7'  # the long port syntax (target/published/mode) used below needs file format 3.2 or newer
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
    - TZ=Europe/Vienna
    - WEBPASSWORD=${PIHOLE_PASSWORD}
    - DNS1=${DNS_IP}
    - DNS2=${DNS_IP}
    volumes:
    - ./volumes/pihole/etc-pihole/:/etc/pihole/
    - ./volumes/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/
    dns:
    - ${DNS_IP}
    cap_add:
    - NET_ADMIN
    restart: unless-stopped
    networks:
      iotstack_nw:
    hostname: pihole
    labels:
    - "traefik.enable=true"
    - "traefik.http.middlewares.mw_piholeadmin.addprefix.prefix=/admin"
    - "traefik.http.routers.pihole.entrypoints=websecure"
    - "traefik.http.routers.pihole.middlewares=blockexternal@file,mw_piholeadmin"
    - "traefik.http.routers.pihole.rule=Host(`pihole.subdomain.domain.duckdns.org`)"
    - "traefik.http.routers.pihole.tls=true"
    - "traefik.http.routers.pihole.tls.certresolver=duckdns"
    - "traefik.http.routers.pihole.tls.domains[0].main=subdomain.domain.duckdns.org"
    - "traefik.http.routers.pihole.tls.domains[0].sans=*.subdomain.domain.duckdns.org"
    - "traefik.http.services.pihole.loadbalancer.server.port=80"
    # Plain DNS coming in on 53 TCP, no TLS. Without TLS there is no SNI to
    # match on, so a non-TLS TCP router must use the catch-all HostSNI(`*`)
    - "traefik.tcp.routers.dns.rule=HostSNI(`*`)"
    - "traefik.tcp.routers.dns.entrypoints=dns"
    - "traefik.tcp.routers.dns.service=pihole"
    # Receives traffic from the TCP router above
    - "traefik.tcp.services.pihole.loadbalancer.server.port=53"
    # Normal DNS coming in on 53 UDP
    - "traefik.udp.routers.udpdns.entrypoints=udpdns"
    - "traefik.udp.routers.udpdns.service=pihole"
    - "traefik.udp.services.pihole.loadbalancer.server.port=53"

  wireguard:
    container_name: wireguard
    image: linuxserver/wireguard
    restart: unless-stopped
    environment:
    - PUID=1000
    - PGID=1000
    - TZ=Europe/Vienna
    - SERVERURL=wg.subdomain.domain.duckdns.org
    - SERVERPORT=51820
    - PEERS=1
    - PEERDNS=${PIHOLE_IP}
    cap_add:
    - NET_ADMIN
    - SYS_MODULE
    volumes:
    - ./volumes/wireguard/config:/config
    - /lib/modules:/lib/modules
    hostname: wireguard
    domainname: subdomain.domain.duckdns.org
    networks:
      - iotstack_nw
    dns:
    - ${PIHOLE_IP}
    sysctls:
    - net.ipv4.conf.all.src_valid_mark=1
    labels:
    - "traefik.enable=true"
    - "traefik.udp.routers.wireguard.entrypoints=wireguard"
    - "traefik.udp.routers.wireguard.service=wireguard"
    - "traefik.udp.services.wireguard.loadbalancer.server.port=51820"

  traefik:
    container_name: traefik
    image: traefik:v2.2.7
    restart: unless-stopped
    volumes:
    - ./volumes/traefik/acme.json:/acme.json
    - ./volumes/traefik/dynamic:/dynamic
    - ./volumes/traefik/traefik.toml:/traefik.toml
    - /var/log/traefik:/var/log/traefik
    - /var/run/docker.sock:/var/run/docker.sock
    hostname: traefik
    networks:
    - iotstack_nw
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 53
        published: 53
        protocol: tcp
        mode: host
      - target: 53
        published: 53
        protocol: udp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
      - target: 51820
        published: 51820
        protocol: udp
        mode: host
    environment:
    - TZ=Europe/Vienna
    - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    - DUCKDNS_TTL=120
    - DUCKDNS_POLLING_INTERVAL=30
    - DUCKDNS_PROPAGATION_TIMEOUT=500

networks:
  iotstack_nw:
    name: iotstack_nw
    driver: bridge
    ipam:
      driver: default
      config:
      - subnet: 172.20.0.0/16
        gateway: 172.20.0.1

traefik.toml:

[entryPoints]
	[entryPoints.wireguard]
		address = ":51820/udp"
	[entryPoints.web]
		address = ":80"
		[entryPoints.web.http.redirections.entryPoint]
			to = "websecure"
			scheme = "https"
	[entryPoints.websecure]
		address = ":443"
	[entryPoints.dns]
		address = ":53"
	[entryPoints.udpdns]
		address = ":53/udp"

[certificatesResolvers.duckdns.acme]
	email = [REDACTED]
	storage = "acme.json"

	# The ACME staging CA is in use here: it issues certificates that browsers do not trust.
	# Comment out the next line to get production certificates from Let's Encrypt.
	caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"

	[certificatesResolvers.duckdns.acme.dnsChallenge]
		provider = "duckdns"
		delayBeforeCheck = 30

[providers.docker]
	endpoint = "unix:///var/run/docker.sock"
	defaultRule = "Host(`{{ normalize .Name }}`)"
	exposedByDefault = false
	network = "iotstack_nw"

wg0.conf:

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = [REDACTED]
PostUp = iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer1
PublicKey = [REDACTED]
AllowedIPs = 10.0.0.0/24, 10.13.13.2/32

I also applied these settings from the pihole docs.

I am very thankful for any help!

The solution was pretty simple:

  1. Assign a static IP address to the pihole container
  2. Use this IP as the DNS on wireguard
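
Putting the two steps together, as an added example that is not from the original post: the relevant parts of the compose file with Pi-hole pinned to a fixed address inside the 172.20.0.0/16 network declared in the post, and the WireGuard container's peer DNS pointed at that address. The address 172.20.0.53 is an assumption of this example; any unused address in the subnet other than the gateway works. Everything not shown (Pi-hole volumes and traefik labels, the traefik service) stays as in the post.

```yaml
version: '3.7'
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    environment:
    - TZ=Europe/Vienna
    - WEBPASSWORD=${PIHOLE_PASSWORD}
    - DNS1=${DNS_IP}
    - DNS2=${DNS_IP}
    cap_add:
    - NET_ADMIN
    restart: unless-stopped
    hostname: pihole
    networks:
      iotstack_nw:
        # Step 1: a fixed address inside the 172.20.0.0/16 subnet declared below,
        # so the DNS server address no longer changes when containers restart.
        # 172.20.0.53 is an assumption; pick any unused address except the gateway.
        ipv4_address: 172.20.0.53

  wireguard:
    container_name: wireguard
    image: linuxserver/wireguard
    restart: unless-stopped
    environment:
    - PUID=1000
    - PGID=1000
    - TZ=Europe/Vienna
    - SERVERURL=wg.subdomain.domain.duckdns.org
    - SERVERPORT=51820
    - PEERS=1
    # Step 2: the DNS server written into the generated peer config (DNS = ...)
    # is the fixed Pi-hole address, not a dynamically assigned container IP.
    - PEERDNS=172.20.0.53
    cap_add:
    - NET_ADMIN
    - SYS_MODULE
    volumes:
    - ./volumes/wireguard/config:/config
    - /lib/modules:/lib/modules
    hostname: wireguard
    networks:
    - iotstack_nw
    dns:
    - 172.20.0.53
    sysctls:
    - net.ipv4.conf.all.src_valid_mark=1

networks:
  iotstack_nw:
    name: iotstack_nw
    driver: bridge
    ipam:
      driver: default
      config:
      - subnet: 172.20.0.0/16
        gateway: 172.20.0.1
```

Two checks after recreating the stack: `docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pihole` should print 172.20.0.53, and the client config under ./volumes/wireguard/config/peer1/peer1.conf should carry `DNS = 172.20.0.53` (regenerate it if it still shows the old address). The DNS server lives in the client's config, not the server's, so the peer config has to be re-imported on the phone or laptop. The client can only reach 172.20.0.53 if its own AllowedIPs cover that address (the default 0.0.0.0/0 does) and the server's PostUp MASQUERADE rule is in place, both of which the posted wg0.conf already provides.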
