Sources
- Free your Synology ports for Docker
- Setup on Synology Docker
- Wireguard not connecting to Docker Pi-hole as DNS when WG server is the host for the Docker container
Configure only one DHCP server, either AdGuard or Pi-Hole.
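# Host macvlan bridge recreate.
# Needs root: unlike the rest of the page these lines carry no sudo, so run them as root
# or prefix each with sudo. NOTE(review): plain ip(8) settings are not persistent on their
# own — they need re-running after a reboot (hence "recreate").
# Parent interface: check "ip addr" for the real name (eth0, enp0s25, ...).
parent_if=${PARENT_IF:-enp0s25}
# IP of server (docker host).
host_ip=${HOST_IP:-192.168.0.5}
# IP of adguardhome docker container inside MACVLAN.
adguard_ip=${ADGUARD_IP:-192.168.0.6}
# IP of pihole docker container inside MACVLAN.
pihole_ip=${PIHOLE_IP:-192.168.0.7}

ip link add macvlan-br0 link "$parent_if" type macvlan mode bridge
ip addr add "${host_ip}/32" dev macvlan-br0
ip link set macvlan-br0 up
# Host routes so the docker host can reach the two DNS containers through the macvlan bridge.
ip route add "${adguard_ip}/32" dev macvlan-br0
ip route add "${pihole_ip}/32" dev macvlan-br0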
Install Wireguard
# Provides the wg / wg-quick tools used in the following steps.
sudo apt install wireguard
Enable IP forwarding: uncomment net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1 in /etc/sysctl.conf, then reload the configuration with sudo sysctl --system.
Create public and private keys
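# Restrict permissions BEFORE creating anything, so the keys directory itself is
# created 0700 and not only the key files inside it.
umask 077
mkdir -p wireguard/keys
# Bail out if the cd fails; otherwise the keys would be written into the current directory.
cd wireguard/keys || exit 1
# privatekey holds the secret (paste into PrivateKey =); publickey is what the peer needs.
wg genkey | tee privatekey | wg pubkey > publickey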
Create /etc/wireguard/wg0.conf, using the interface name (here br-2c754ed5073d) of the dns_server_bridge Docker bridge network. This is required to reach the DNS servers from Wireguard.
[Interface]
# Server end of the tunnel; clients use other addresses in 10.4.0.0/24 (see the client config).
Address = 10.4.0.1/24
# wg-quick writes the running configuration (including peers added later with "wg set")
# back to this file when the interface goes down.
SaveConfig = true
# FORWARD: accept all traffic forwarded into and out of the tunnel (%i = this interface).
# NAT: masquerade traffic to the Docker DNS network via the Docker bridge, everything else via the LAN uplink.
# NOTE(review): "dns_bridge" must be the real Docker bridge interface name (the text above names
# br-2c754ed5073d) and 192.168.100.1/28 the Docker DNS network — confirm both against "ip addr".
# NOTE(review): only IPv4 rules are added; if net.ipv6.conf.all.forwarding is enabled per the
# sysctl step, add matching ip6tables rules or leave IPv6 forwarding off.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o dns_bridge -d 192.168.100.1/28 -j MASQUERADE; iptables -t nat -A POSTROUTING -o enp0s25 ! -d 192.168.100.1/28 -j MASQUERADE
# Mirror of PostUp with -D so the same rules are removed when the tunnel goes down.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o dns_bridge -d 192.168.100.1/28 -j MASQUERADE; iptables -t nat -D POSTROUTING -o enp0s25 ! -d 192.168.100.1/28 -j MASQUERADE
# UDP port clients connect to; must be allowed through the firewall (see the ufw step).
ListenPort = 51820
# Contents of the server's "privatekey" file; keep this config file readable by root only.
PrivateKey = <server-private-key>
Update the firewall rule if a firewall is in use
# Open the WireGuard listen port (ListenPort = 51820 in wg0.conf) for inbound UDP.
sudo ufw allow 51820/udp
# NOTE(review): enabling ufw activates its default policy for incoming traffic; on a remote
# host, confirm existing admin access (e.g. SSH) is allowed before enabling it.
sudo ufw enable
Start the Wireguard server
# Bring the tunnel up from /etc/wireguard/wg0.conf (this also runs the PostUp iptables rules).
sudo wg-quick up wg0
Enable the system service so the server starts automatically at boot
# Enable the systemd unit so wg-quick brings wg0 up at boot (the interface is already up from the previous step).
sudo systemctl enable wg-quick@wg0.service
Install Wireguard
# Client side: provides the wg / wg-quick tools used in the following steps.
sudo apt install wireguard
Create public and private keys
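# Restrict permissions BEFORE creating anything, so the keys directory itself is
# created 0700 and not only the key files inside it.
umask 077
mkdir -p wireguard/keys
# Bail out if the cd fails; otherwise the keys would be written into the current directory.
cd wireguard/keys || exit 1
# privatekey holds the client secret (paste into PrivateKey =); publickey is registered on the server.
wg genkey | tee privatekey | wg pubkey > publickey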
Create /etc/wireguard/wg0.conf
[Interface]
# Contents of this client's "privatekey" file.
PrivateKey = <client-private-key>
Address = 10.4.0.2/32 # use different IP for each client
# Resolver(s) the client uses while the tunnel is up.
# NOTE(review): if these are the Docker DNS containers, their addresses must also be covered
# by AllowedIPs below, otherwise DNS queries are not sent through the tunnel.
DNS = <dns-server-comma-separated>
[Peer]
# Contents of the server's "publickey" file.
PublicKey = <server-public-key>
# Public address and ListenPort of the server.
Endpoint = <public-server-ip/domain>:51820
# Destinations routed through (and accepted from) the tunnel.
AllowedIPs = 10.4.0.0/24 # or just 0.0.0.0/0 to run everything over the server
# Periodic keepalive so the tunnel stays reachable from behind NAT; matches the
# server-side "wg set ... persistent-keepalive 25".
PersistentKeepalive = 25
On the server, execute
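# Register a new client on the running server. Fill in the client's "publickey" contents
# and its tunnel address (the Address line of the client's wg0.conf, without the /32).
# The placeholders are quoted so an unedited paste does not turn "<...>" into shell redirections.
client_pubkey='<client-public-key>'
client_ip='<client-ip-address>'
sudo wg set wg0 peer "$client_pubkey" persistent-keepalive 25 allowed-ips "${client_ip}/32"
# Persist the new peer to /etc/wireguard/wg0.conf without dropping the tunnel for peers that
# are already connected (a "systemctl restart" would also persist it via SaveConfig, but it
# tears the interface down first).
sudo wg-quick save wg0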