Block Websites with WireGuard

TL;DR

This guide shows you how to block specific websites for clients connected via WireGuard using DNS filtering and firewall rules on your server. We’ll use Pi-hole as a DNS sinkhole, then configure the WireGuard interface to use it. Finally, we’ll add extra firewall rules to ensure traffic is routed correctly.

Prerequisites

  • A working WireGuard server and client setup
  • Root or sudo access to your WireGuard server
  • Basic understanding of the command line

Step 1: Install Pi-hole

Pi-hole is a network-level ad blocker that can also block arbitrary domains. We’ll use it as our DNS sinkhole.

  1. Update your server’s package list:
    sudo apt update
  2. Install Pi-hole. Follow the on-screen prompts carefully, choosing a static IP address for Pi-hole if possible.
    curl -sSL https://install.pi-hole.net | bash
  3. During installation, you’ll be asked to choose an upstream DNS provider. Cloudflare or Google are good options.
  4. Note the Pi-hole admin web interface password provided at the end of the installation.

Step 2: Add Websites to Block in Pi-hole

  1. Access the Pi-hole web interface (usually http://your_server_ip/admin). Log in with the password you noted earlier.
  2. Navigate to “Domains” and add the websites you want to block, one per line. For example:
    • facebook.com
    • instagram.com
    • example.com

Step 3: Configure WireGuard Interface to Use Pi-hole

Modify your WireGuard interface configuration file (usually /etc/wireguard/wg0.conf; replace wg0 with your actual interface name throughout).

  1. Edit the configuration file:
    sudo nano /etc/wireguard/wg0.conf
  2. Add or modify the PostUp and PostDown lines in the [Interface] section so that DNS queries from WireGuard clients are redirected to Pi-hole. Each command needs its own PostUp or PostDown line:
    [Interface]
    PrivateKey = ...
    Address = ...
    # DNS= only sets the resolver of the host running this config; clients are steered
    # to Pi-hole by the DNAT rules below (or by a DNS= line in their own client config).
    DNS = your_pihole_ip_address
    # Redirect every UDP/53 query arriving on wg0 to Pi-hole, whatever resolver the client asked for.
    # The ip6tables rule needs Pi-hole's IPv6 address; a matching -p tcp rule would be needed to cover DNS over TCP.
    PostUp = iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
    PostUp = ip6tables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
    # Remove the same rules again when the interface goes down.
    PostDown = iptables -t nat -D PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
    PostDown = ip6tables -t nat -D PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
  3. Replace your_pihole_ip_address with the actual IP address of your Pi-hole server.
  4. Restart WireGuard to apply the changes (replace wg0 if necessary):
    sudo systemctl restart wg-quick@wg0

Step 4: Verify DNS Resolution

  1. Connect a WireGuard client.
  2. From the client, try to ping or access one of the blocked websites.
    ping facebook.com
  3. If Pi-hole is working correctly, the ping should fail (Pi-hole's default blocking mode answers blocked names with 0.0.0.0) or the name should resolve to Pi-hole's own IP address rather than the real one.
  4. Check the Pi-hole web interface logs (“Query Log”) to confirm that the client’s DNS queries for blocked domains are being handled by Pi-hole.

Step 5: Firewall Rules (Optional, but Recommended)

This step ensures that DNS traffic from WireGuard clients goes through Pi-hole even if a client is configured to use a different resolver.

  1. Add a rule to your firewall that forwards all DNS requests from the WireGuard interface to Pi-hole. If the PostUp lines from Step 3 are in place this rule already exists, and running the commands below appends a duplicate entry; add them explicitly only if you manage the rules outside wg0.conf.
    sudo iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
    sudo ip6tables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
  2. Save the firewall rules so they persist after a reboot. The method varies depending on your distribution; on Debian/Ubuntu with the iptables-persistent package installed, run the commands below. The sh -c wrapper is needed because in sudo iptables-save > file the redirect is performed by your unprivileged shell, not by root.
    sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
    sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
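To check Steps 4 and 5 from a connected client without relying on ping, here is an added Python 3 script (standard library only; not part of the original post) that sends a raw UDP/53 A query for each blocked domain to Pi-hole and, separately, straight to a public resolver. With the PREROUTING DNAT rule active the second query is redirected to Pi-hole as well, so both answers classify as blocked; a real address on the bypass path means the redirect is not in effect. The public resolver 8.8.8.8 and the sinkhole answer 0.0.0.0 (Pi-hole's default NULL blocking mode) are assumptions; the Pi-hole address is passed in by the caller.

```python
import socket
import struct
# Pi-hole's default NULL blocking mode answers blocked names with 0.0.0.0 / :: (IP mode: its own IP).
SINKHOLE_ADDRS = {"0.0.0.0", "::"}

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the RD flag set (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf, pos):
    while buf[pos] != 0:             # walk labels until the terminating zero length
        if buf[pos] & 0xC0 == 0xC0:  # compression pointer (2 bytes) ends the name
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1

def parse_a_records(resp):
    """A-record addresses in a raw DNS response; other RR types are skipped."""
    qd, an = struct.unpack("!HH", resp[4:8])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_udp(name, resolver, port=53, timeout=3.0):
    """One UDP/53 query (the port the DNAT rule redirects); returns the A answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, port))
        return parse_a_records(s.recvfrom(512)[0])

def classify(addrs, pihole_ip):
    """'blocked' if the answer is empty or only sinkhole/Pi-hole addresses, else 'resolved'."""
    return "blocked" if set(addrs) <= SINKHOLE_ADDRS | {pihole_ip} else "resolved"

def check_filtering(domains, pihole_ip, bypass_resolver="8.8.8.8", resolve=query_udp):
    """Per domain: (answer via Pi-hole, answer via a public resolver asked directly); with the
    DNAT rule active both are 'blocked', 'resolved' on the second means the redirect is missing."""
    return {d: (classify(resolve(d, pihole_ip), pihole_ip),
                classify(resolve(d, bypass_resolver), pihole_ip)) for d in domains}
```

Run it on a connected client, for example check_filtering(["facebook.com", "instagram.com"], "your_pihole_ip_address"); the resolve parameter exists so the logic can be exercised offline with a stub resolver.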