shut up, be happy

This guide assumes you have a working and up-to-date Debian 12 server with Pi-hole installed.

Install WireGuard and requirements:

$ apt install wireguard wireguard-tools iptables

Enable kernel port forwarding by editing /etc/sysctl.conf and uncommenting the following:

#net.ipv4.ip_forward=1

so it will look like this:

net.ipv4.ip_forward=1

Alternatively, create /etc/sysctl.d/ipforward.conf with said line. Then force-reload the set variable:

$ service procps force-reload

Verify that the variable has taken effect:

$ cat /proc/sys/net/ipv4/ip_forward

This should return 1. If it returns 0, the variable has not been set properly.

Next, change to your WireGuard configuration directory and set the proper umask to insure limited rights on future files:

$ cd /etc/wireguard
$ umask 077

Create a private and public key for Pi-hole:

$ wg genkey | tee pihole.key | wg pubkey > pihole.pub

Check if your keys have been created properly:

$ cat pihole.key pihole.pub

The first line of the output is your private key, the second line the public key. Create a new configuration file for your local WireGuard peer:

$ nano wg0.conf

Add the following content:

[Interface]
# WireGuard doesn't really use server/client terminology.
# Instead it considers parties to be 'peers'.
# This part concerns the local peer: your Pi-hole server.
Address = 10.20.30.1/24 # note the /24 subnet
ListenPort = 51820
PrivateKey = <content of pihole.key>

# Tell iptables to forward your client's traffic.
# Replace <interface> with whatever your network interface is called.
# You can find this by running 'ip a'.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o <interface> -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o <interface> -j MASQUERADE

Set WireGuard to start after a reboot:

$ systemctl enable wg-quick@wg0.service

Start WireGuard:

$ systemctl start wg-quick@wg0.service

Check if WireGuard is running:

$ wg show

This should show something like the following:

interface: wg0
  private key: (hidden)
  listening port: 51820

Next, create keys for your other peer and repeat this for every peer that you wish to connect to your WireGuard Pi-hole VPN server:

$ wg genkey | tee peer1.key | wg pubkey > peer1.pub

Verify that it worked:

$ cat peer1.key peer1.pub

For good measure, create a pre-shared key:

$ wg genpsk > peer1.psk

Tell your local installation to allow the newly created peer by adding the following at the of /etc/wireguard/wg0.conf:

[Peer]
# peer1
PublicKey = <content of peer1.pub>
PresharedKey = <content of peer1.psk>
AllowedIPs = 10.20.30.2/32 # note the /32 subnet

Reload the configuration:

$ systemctl reload wg-quick@wg0.service

Create a configuration file for your peer:

$ nano peer1.conf

Add the following content:

[Interface]
# This is your peer's ip:
Address = 10.20.30.2/24 # note the /24 subnet
ListenPort = 51820
# Since you have Pi-hole as your DNS, your Pi-hole's local ip:
DNS = 10.20.30.1
PrivateKey = <content of peer1.key>

[Peer]
# Pi-hole's config
PublicKey = <content of pihole.pub>
PresharedKey = <content of peer1.psk>
# The endpoint is the publicly available address of your Pi-hole server.
# This can be your WAN ip, or more convenient, a domain name.
Endpoint = <your WAN ip or domain>:51820
# Accept everything to accept returning traffic:
AllowedIPs = 0.0.0.0/0

Now import peer1.conf into your peer’s Wireguard application. For mobile phones, you can create a QR code to scan:

$ apt install qrencode
$ qrencode -t ansiutf8 -r peer1.conf

Lastly, if your Wireguard peer is behind a router, forward incoming UDP traffic on port 51820 to it.