You've already set up a private and secure WireGuard VPN. Now it's time to give it a superpower: network-wide ad blocking. By routing your VPN's DNS requests through Pi-hole, you can block advertisements, trackers, and malicious domains before they even reach your devices. This guide will show you how to set up Pi-hole in Docker and seamlessly integrate it with your existing WireGuard server.
Prerequisites
Before you begin, you must have:
- A fully functional WireGuard server. This guide assumes it's already running.
- The IP address scheme for your WireGuard VPN (e.g., `10.0.0.1` for the server).
- Docker and Docker Compose installed on your server. Using Docker is the recommended way to run Pi-hole as it avoids conflicts with other services.
Integration Steps
Step 1: Create Pi-hole Configuration Directory
First, SSH into your VPN server. Create a directory to store your Pi-hole configuration. This ensures your settings and blocklists are persistent even if you update or restart the container.
```bash
mkdir ~/pihole
cd ~/pihole
```
Step 2: Create the Pi-hole docker-compose.yml
Inside the pihole directory, create a docker-compose.yml file:
```bash
nano docker-compose.yml
```
Paste the following configuration. You must set a secure password for the web interface.
```yaml
version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8080:80/tcp" # Map web UI to port 8080 to avoid conflicts
    environment:
      TZ: 'America/Chicago' # IMPORTANT: Set your server's timezone
      WEBPASSWORD: 'YOUR_VERY_SECURE_PASSWORD_HERE' # IMPORTANT: Set this!
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    cap_add:
      - NET_ADMIN # Required for full functionality
    restart: unless-stopped
```
We map the Pi-hole web interface to port `8080` on the host to prevent it from conflicting with any web servers you might be running on the standard port `80`.
Step 3: Start the Pi-hole Container
With your docker-compose.yml file saved, start the Pi-hole container:
```bash
sudo docker-compose up -d
```
The container will download and start. You can check its status with `sudo docker-compose ps`.
Step 4: Configure WireGuard Clients to Use Pi-hole
This is the key to integration. You need to tell your WireGuard clients to use Pi-hole for DNS. You do this by editing each client's configuration file (e.g., on your phone or laptop).
In the [Interface] section of your client config, set the DNS server to be your WireGuard server's VPN IP address.
```ini
[Interface]
PrivateKey = ...
Address = 10.0.0.2/32 # This client's VPN IP
DNS = 10.0.0.1 # <-- IMPORTANT: Point this to your WireGuard SERVER's VPN IP
```
After saving this change, disconnect and reconnect your client for it to take effect.
Step 5: Access and Configure Pi-hole Securely
Now, let's access the Pi-hole web interface to finalize the setup. You must be connected to your WireGuard VPN on the device you are using to access the admin page.
- While connected to your VPN, open your web browser and navigate to Pi-hole using your WireGuard server's VPN IP address: [http://10.0.0.1:8080/admin](http://10.0.0.1:8080/admin). Use the VPN IP of your server (e.g., `10.0.0.1`), not its public IP. The port is `8080` as defined in our `docker-compose.yml` file.
- Log in with the password you set in the `docker-compose.yml` file.
- Go to Settings → DNS tab.
- Under Interface settings, select Permit all origins. This allows Pi-hole to answer DNS queries coming from your WireGuard clients.
- Click Save at the bottom.
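Security Note: Because you are accessing the admin panel through the secure VPN tunnel, you do not need to open any new ports in your server's public firewall. This is the most secure method. Keep in mind that the `ports` entries in Step 2 have no host address, so Docker publishes ports `53` and `8080` on every host interface, and Docker's published ports can bypass host firewall rules such as ufw. With Permit all origins enabled, confirm from outside the VPN that neither port answers on the server's public IP.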
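Added example, not part of the original guide: a small audit of a compose file's `ports` entries that reports which ones are pinned to the WireGuard address (`10.0.0.1` here) and which are published on every interface, as entries without a host address are. The function names and the sample file are constructed for illustration, and only the short IPv4 port syntax is handled.

```sh
#!/bin/sh
# Audit docker-compose "ports" entries (short syntax, IPv4 only): report which
# mappings are pinned to the VPN address and which listen on every interface.

# list_mappings FILE -> one mapping per line, e.g. 53:53/udp
list_mappings() {
    sed -nE "s#^[[:space:]]*-[[:space:]]*[\"']?(([0-9.]+:)?[0-9]+:[0-9]+(/(tcp|udp))?)[\"']?.*#\1#p" "$1"
}

# classify_port MAPPING VPN_IP -> vpn-only | other-ip | all-interfaces
classify_port() {
    mapping=${1%%/*}                          # drop the /tcp or /udp suffix
    case "$mapping" in
        "$2":*:*)  echo "vpn-only" ;;
        0.0.0.0:*) echo "all-interfaces" ;;   # explicit wildcard address
        *:*:*)     echo "other-ip" ;;         # pinned, but not to the VPN IP
        *)         echo "all-interfaces" ;;   # HOST:CONTAINER, no address
    esac
}

# audit_compose FILE VPN_IP -> report on stderr; on stdout, the number of
# mappings that are not pinned to VPN_IP
audit_compose() {
    exposed=0
    for m in $(list_mappings "$1"); do
        status=$(classify_port "$m" "$2")
        printf '%-24s %s\n' "$m" "$status" >&2
        [ "$status" = "vpn-only" ] || exposed=$((exposed + 1))
    done
    echo "$exposed"
}

# Constructed sample: the ports from Step 2 plus one entry pinned to the VPN IP.
sample=$(mktemp)
cat > "$sample" <<'EOF'
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8080:80/tcp" # Map web UI to port 8080 to avoid conflicts
      - "10.0.0.1:8081:80/tcp"
    volumes:
      - './etc-pihole/:/etc/pihole/'
    cap_add:
      - NET_ADMIN
EOF
echo "mappings not pinned to 10.0.0.1: $(audit_compose "$sample" 10.0.0.1)"
```

Pinning a mapping means prefixing it with the host address, for example `10.0.0.1:53:53/udp`; the WireGuard interface must be up before the container starts, or Docker cannot bind the address.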
Step 6: Test and Enjoy Ad-Free Browsing
Ensure your WireGuard client is reconnected with the new DNS setting. Now, try browsing the web on that device. You should notice a distinct lack of ads!
You can verify it's working by checking the Query Log in your Pi-hole admin interface. You should see queries coming from your client's VPN IP address (e.g., 10.0.0.2).
Conclusion
Congratulations! You have successfully transformed your WireGuard server into a powerful, network-level ad and tracker blocking machine. All devices connected to your VPN now benefit from a cleaner, faster, and more private internet experience, no matter where they are.