[HN Gopher] Setup Pihole, WireGuard, and Unbound Instantly with ...
       ___________________________________________________________________
        
       Setup Pihole, WireGuard, and Unbound Instantly with WireHole
        
       Author : byteknight
       Score  : 101 points
       Date   : 2020-09-09 20:16 UTC (2 hours ago)
        
 (HTM) web link (github.com)
 (TXT) w3m dump (github.com)
        
       | byteknight wrote:
       | If you want to automate the deployment and setup a free forever
       | Oracle cloud server and deploy this automatically check out my
       | other project:
       | 
       | https://medium.com/@devinjaystokes/automating-the-deployment...
        
         | ahnick wrote:
         | What is the appeal of Oracle cloud?
        
           | byteknight wrote:
            | Free tier is quite extensive and "forever". Not just a trial.
        
           | ohyeshedid wrote:
            | Last I saw, the free accounts offer 2 VMs with double the
            | memory, and more bandwidth, than competitors' free offerings.
        
             | Dangeranger wrote:
             | True, but then you have to deal with Oracle. So you will
             | still lose money in the end.
        
               | ohyeshedid wrote:
               | Ya know, I almost edited the comment to specifically say
               | I only looked, and can't speak to the quality of service
               | because I won't do business with Oracle when at all
               | possible.
        
       | ancorevard wrote:
       | Now, if you can script this for a Raspberry Pi, then the solution
       | is complete.
        
         | byteknight wrote:
         | Can run that on a pi
        
       | jradd wrote:
        | So I've never set up a VPN before, I've been trying to decide how
        | to make this simple for Windows clients and phones. Must I have a
        | VPN client? I'm using IPsec, SSL, and LDAP on the public end. I
       | don't want a client app. A gateway/router should suffice I hope.
        
       | drexlspivey wrote:
        | I wrote a guide for the Pihole + Wireguard setup for anyone
        | interested to try it
        | https://drexl.me/guides/wireguard-pihole-vpn-setup.html
        
         | byteknight wrote:
         | You really think that's a polite thing to do?
        
           | carlinmack wrote:
           | Weird to see the OP of a post being aggressive towards other
           | commenters
        
       | matrixagent wrote:
       | If I'm reading the docker-compose file correctly, this creates an
       | open dns resolver that is accessible to the outside, as Docker by
       | default bypasses the firewall, see
       | https://github.com/chaifeng/ufw-docker. I'm not quite sure about
       | that, though, so I'd be happy to be corrected and learn more
       | about how your setup works exactly.
        
         | byteknight wrote:
         | Edit: I was wrong and I'm removing it to prevent spreading
         | false information. Please see below.
        
           | dsissitka wrote:
            | Are you sure? From
            | https://docs.docker.com/compose/compose-file/:
           | 
           | > Either specify both ports (HOST:CONTAINER), or just the
           | container port (an ephemeral host port is chosen).
           | 
           | It sounds like you get a random publicly accessible port
           | unless you specify a non publicly accessible IP. I'm not sure
           | whether having a DNS server listening on a non standard port
           | would be an issue though.
        
             | [deleted]
        
             | byteknight wrote:
             | Sorry! I was wrong you are correct.
             | 
              | But nonetheless your ingress rules in your cloud provider
              | will not allow anything but that single port, so it's not
              | really a big deal provided you close everything else off in
              | your firewall.
             | 
             | I will make an update to see how I can work around this
        
           | NerdyBird wrote:
           | This is false. Not listing the host port will make docker
           | choose a random one. It however is still opened up in the
           | firewall by default.
           | 
           | Source: https://docs.docker.com/compose/compose-file/#ports
        
             | byteknight wrote:
             | https://news.ycombinator.com/reply?id=24426759&goto=item%3F
             | i...
        
           | matrixagent wrote:
            | Ahh, so as long as I only list single ports and not pairs, it
            | is not exposed to the host, because the other number of a
            | pair is the port to be exposed on the host. And therefore it
            | is not exposed to the public network in this case. Makes
            | sense, thanks for the explanation!
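A check for the exposure question argued over in this sub-thread, added here as an example (not WireHole's code, and not from the Docker docs): it parses each compose `ports:` entry in Docker's short syntax and reports which ones publish on every host interface, since a bare container port gets an ephemeral host port on all interfaces, HOST:CONTAINER binds on all interfaces, and only a specific host IP keeps the listener off the public address regardless of the host firewall that Docker's own iptables rules bypass. The port lists and the 10.2.0.100 address are constructed for the example.

```python
"""Audit docker-compose short-syntax `ports:` entries for public exposure.

Added example, not WireHole's code. The compose port lists below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

@dataclass
class PortMapping:
    host_ip: Optional[str]    # None: Docker binds on all interfaces
    host_port: Optional[str]  # None: Docker picks an ephemeral host port
    container_port: str
    protocol: str

    def publicly_exposed(self) -> bool:
        """True when the published port listens on every host interface."""
        return self.host_ip is None or ip_address(self.host_ip).is_unspecified

def parse_port_spec(spec: str) -> PortMapping:
    """Parse Docker's short syntax: [[host_ip:]host_port:]container_port[/proto]."""
    spec = str(spec)  # YAML may have loaded a bare port as an int
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):  # bracketed IPv6 host address, e.g. "[::1]:53:53"
        end = spec.index("]")
        host_ip, spec = spec[1:end], spec[end + 2:]
    parts = spec.split(":")
    if len(parts) == 1:        # "53": ephemeral host port on all interfaces
        return PortMapping(host_ip, None, parts[0], proto)
    if len(parts) == 2:        # "53:53": host port 53 on all interfaces
        return PortMapping(host_ip, parts[0], parts[1], proto)
    if len(parts) == 3 and host_ip is None:  # "10.2.0.100:53:53": one address only
        return PortMapping(parts[0], parts[1], parts[2], proto)
    raise ValueError(f"unrecognised port spec: {spec!r}")

def exposed_ports(service_ports: List[str]) -> List[str]:
    """Specs from a service's `ports:` list that would listen on every interface."""
    return [p for p in service_ports if parse_port_spec(p).publicly_exposed()]

# Constructed examples: a Pi-hole service declared the weak way and the hardened way.
# 10.2.0.100 stands in for the host's VPN-side address (constructed value).
PIHOLE_PORTS_WEAK = ["53:53/tcp", "53:53/udp", "67:67/udp", "80"]
PIHOLE_PORTS_HARDENED = ["10.2.0.100:53:53/tcp", "10.2.0.100:53:53/udp", "127.0.0.1:80:80"]
```

`exposed_ports(PIHOLE_PORTS_WEAK)` returns all four entries, including the bare `"80"`, while the hardened list returns nothing.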
        
       | pkulak wrote:
       | Very interesting, thanks for making this!
       | 
       | Why the extra unbound DNS server? I assume PiHole is using it,
       | but why not just point PiHole at the final server?
        
         | homarp wrote:
         | https://docs.pi-hole.net/guides/unbound/ explains why and how
         | unbound is used.
        
           | byteknight wrote:
           | Thanks for that
        
         | luizfelberti wrote:
         | Another good reason for having unbound is enabling internal DNS
         | resolution for things that are in the VPN. For example,
         | resolving build-server.mycompany to the in-VPN IP of your build
         | server, and so on.
        
           | byteknight wrote:
           | You can do that with just pihole FYI
           | 
           | You can set up DNS records
        
       | kd913 wrote:
       | I can understand the benefit of automating these things but I
        | think it would probably be better for people to set up these
       | things manually first. At least to understand what each step is
       | doing. Otherwise, people are trusting rather a core piece of
       | infrastructure with a random docker image online.
       | 
        | I found personally that there are several aspects of this
        | automation that need tweaking.
       | 
        | * If you need IPv6 support this config needs to be overhauled.
        | * WireGuard config should have IPv6 addresses set to avoid
        | potential leakages (even if IPv6 is disabled).
        | * This setup would benefit from some DDNS mechanism as most
        | people do not have static IP setups.
        | * Firefox is beginning to have HTTPS-only modes, in which case
        | maybe I would like to adjust lighttpd to work with that.
       | 
       | The list goes on.
        
       ___________________________________________________________________
       (page generated 2020-09-09 23:00 UTC)