[HN Gopher] Setup Pihole, WireGuard, and Unbound Instantly with ...
___________________________________________________________________
Setup Pihole, WireGuard, and Unbound Instantly with WireHole
Author : byteknight
Score  : 101 points
Date   : 2020-09-09 20:16 UTC (2 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)

  byteknight wrote:
  | If you want to automate the deployment and set up a free forever
  | Oracle cloud server and deploy this automatically, check out my
  | other project:
  |
  | https://medium.com/@devinjaystokes/automating-the-deployment...

    ahnick wrote:
    | What is the appeal of Oracle cloud?

      byteknight wrote:
      | Free tier is quite extensive and "forever". Not just a trial.

      ohyeshedid wrote:
      | Last I saw, the free accounts offer 2 VMs with double the
      | memory, and more bandwidth, than competitors' free offerings.

        Dangeranger wrote:
        | True, but then you have to deal with Oracle. So you will
        | still lose money in the end.

          ohyeshedid wrote:
          | Ya know, I almost edited the comment to specifically say
          | I only looked, and can't speak to the quality of service
          | because I won't do business with Oracle when at all
          | possible.

  ancorevard wrote:
  | Now, if you can script this for a Raspberry Pi, then the solution
  | is complete.

    byteknight wrote:
    | Can run that on a pi

  jradd wrote:
  | So I've never set up a VPN before, I've been trying to decide how
  | to make this simple for Windows clients and phones. Must I have a
  | VPN client? I'm using IPSec, SSL, and LDAP on the public end. I
  | don't want a client app. A gateway/router should suffice I hope.

  drexlspivey wrote:
  | I wrote a guide for the Pihole + Wireguard setup for anyone
  | interested to try it: https://drexl.me/guides/wireguard-pihole-vpn-setup.html

    byteknight wrote:
    | You really think that's a polite thing to do?
      carlinmack wrote:
      | Weird to see the OP of a post being aggressive towards other
      | commenters

  matrixagent wrote:
  | If I'm reading the docker-compose file correctly, this creates an
  | open DNS resolver that is accessible to the outside, as Docker by
  | default bypasses the firewall, see
  | https://github.com/chaifeng/ufw-docker. I'm not quite sure about
  | that, though, so I'd be happy to be corrected and learn more
  | about how your setup works exactly.

    byteknight wrote:
    | Edit: I was wrong and I'm removing it to prevent spreading
    | false information. Please see below.

      dsissitka wrote:
      | Are you sure? From https://docs.docker.com/compose/compose-file/:
      |
      | > Either specify both ports (HOST:CONTAINER), or just the
      | > container port (an ephemeral host port is chosen).
      |
      | It sounds like you get a random publicly accessible port
      | unless you specify a non publicly accessible IP. I'm not sure
      | whether having a DNS server listening on a non-standard port
      | would be an issue though.

        [deleted]

        byteknight wrote:
        | Sorry! I was wrong, you are correct.
        |
        | But nonetheless your ingress rules in your cloud provider
        | will not allow anything but that single port, so it's not
        | really a big deal provided you close everything else off in
        | your firewall.
        |
        | I will make an update to see how I can work around this.

      NerdyBird wrote:
      | This is false. Not listing the host port will make Docker
      | choose a random one. It however is still opened up in the
      | firewall by default.
      |
      | Source: https://docs.docker.com/compose/compose-file/#ports

        byteknight wrote:
        | https://news.ycombinator.com/reply?id=24426759&goto=item%3Fi...

    matrixagent wrote:
    | Ahh, so as long as I only list single ports and not pairs, it
    | is not exposed to the host, because the other number of a
    | pair is the port to be exposed on the host. And therefore it
    | is not exposed to the public network in this case. Makes
    | sense, thanks for the explanation!
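The port-publishing behaviour that dsissitka and NerdyBird quote from the Compose docs can be audited before a stack is deployed. The script below is an added example, not code from the WireHole repository or from any commenter: it parses short-syntax `ports:` entries, classifies each by the host address Docker will bind, and reports the mappings that land on all interfaces unless their container port is on an `intended_public` list (the WireGuard listener, for instance). The sample entries and the 10.2.0.100 address are constructed for this example; the script does not read a real compose file.

```python
"""Audit short-syntax ``ports:`` entries from a docker-compose service.

Docker publishes a port by installing its own iptables rules, so a mapping
with no host IP (or 0.0.0.0) is reachable from outside the host regardless
of what ufw's INPUT chain says.  A container-only entry such as "53" still
gets an ephemeral host port on all interfaces, as the Compose docs state.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class PublishedPort:
    host_ip: Optional[str]      # None -> bound on every interface (0.0.0.0 / ::)
    host_port: Optional[str]    # None -> Docker picks an ephemeral host port
    container_port: str
    protocol: str               # "tcp" (Compose default) or "udp"

    @property
    def service_key(self) -> str:
        return f"{self.container_port}/{self.protocol}"

    @property
    def world_reachable(self) -> bool:
        """True when Docker binds the mapping on all host interfaces."""
        return self.host_ip is None or self.host_ip in ("0.0.0.0", "::")


def parse_port_entry(entry) -> PublishedPort:
    """Parse one short-syntax mapping: CONTAINER, HOST:CONTAINER,
    IP:HOST:CONTAINER or IP::CONTAINER, each with optional /tcp or /udp.
    Bracketed IPv6 host addresses such as "[::1]:53:53" are accepted."""
    spec, _, proto = str(entry).strip().partition("/")
    proto = proto.lower() or "tcp"
    if spec.startswith("["):                      # bracketed IPv6 host address
        end = spec.index("]")
        remainder = spec[end + 1:]
        if not remainder.startswith(":"):
            raise ValueError(f"malformed port entry: {entry!r}")
        parts = [spec[1:end]] + remainder[1:].split(":")
    else:
        parts = spec.split(":")
    if len(parts) == 1:
        host_ip, host_port, container = None, None, parts[0]
    elif len(parts) == 2:
        host_ip, host_port, container = None, parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host_port, container = parts
    else:
        raise ValueError(f"unsupported port entry: {entry!r}")
    if not container:
        raise ValueError(f"missing container port in entry: {entry!r}")
    return PublishedPort(host_ip or None, host_port or None, container, proto)


def audit_ports(entries: Iterable, intended_public: Set[str] = frozenset()) -> List[PublishedPort]:
    """Return mappings that are world-reachable and not meant to be.
    ``intended_public`` holds service keys like "51820/udp"."""
    return [p for p in map(parse_port_entry, entries)
            if p.world_reachable and p.service_key not in intended_public]


def describe(p: PublishedPort) -> str:
    """Human-readable finding for one world-reachable mapping."""
    where = f"port {p.host_port}" if p.host_port else "an ephemeral port"
    note = " (DNS: open-resolver risk)" if p.container_port == "53" else ""
    return f"{p.service_key} published on all interfaces at {where}{note}"


# Constructed sample ports: list (not taken from the WireHole repository);
# 10.2.0.100 is a made-up VPN-side address used to show a private bind.
SAMPLE_PORTS = [
    "53:53/tcp",             # DNS on 0.0.0.0:53, reachable from the internet
    "53:53/udp",
    "53",                    # container port only: ephemeral host port, still 0.0.0.0
    "127.0.0.1:8080:80",     # admin UI reachable only from the host itself
    "10.2.0.100:53:53/udp",  # DNS bound to the tunnel-side address only
    "[::1]::53/tcp",         # IPv6 loopback, ephemeral host port
    "51820:51820/udp",       # WireGuard listener, public by design
]

if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_PORTS, intended_public={"51820/udp"}):
        print(describe(finding))
```

Run against each service's `ports:` list: the three DNS entries without a private host address are reported, the entry `"53"` with an ephemeral host port exactly as the docs quote describes, and the mappings bound to 127.0.0.1 or the tunnel-side address drop out of the report. The check deliberately looks at the bind address rather than host firewall state, because for published ports Docker's own iptables rules decide reachability, which is the point the ufw-docker link makes.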
  pkulak wrote:
  | Very interesting, thanks for making this!
  |
  | Why the extra unbound DNS server? I assume PiHole is using it,
  | but why not just point PiHole at the final server?

    homarp wrote:
    | https://docs.pi-hole.net/guides/unbound/ explains why and how
    | unbound is used.

      byteknight wrote:
      | Thanks for that

    luizfelberti wrote:
    | Another good reason for having unbound is enabling internal DNS
    | resolution for things that are in the VPN. For example,
    | resolving build-server.mycompany to the in-VPN IP of your build
    | server, and so on.

      byteknight wrote:
      | You can do that with just pihole FYI
      |
      | You can set up DNS records

  kd913 wrote:
  | I can understand the benefit of automating these things but I
  | think it would probably be better for people to set up these
  | things manually first. At least to understand what each step is
  | doing. Otherwise, people are trusting rather a core piece of
  | infrastructure with a random docker image online.
  |
  | I found personally that there are several aspects of this
  | automation that need tweaking.
  |
  | * If you need IPv6 support this config needs to be overhauled.
  | * Wireguard config should have IPv6 addresses set to avoid
  |   potential leakages (even if IPv6 is disabled).
  | * This setup would benefit from some DDNS mechanism as most
  |   people do not have static IP setups.
  | * Firefox is beginning to have HTTPS-only modes, in which case
  |   maybe I would like to adjust lighttpd to work with that.
  |
  | The list goes on.
___________________________________________________________________
(page generated 2020-09-09 23:00 UTC)