TL;DR
This guide shows you how to block specific websites for clients connected via WireGuard using DNS filtering and firewall rules on your server. We’ll use Pi-hole as a DNS sinkhole, point WireGuard clients at it, and then add iptables rules on the server that redirect any DNS query arriving over the tunnel to Pi-hole, so a client cannot sidestep the filter simply by choosing a different resolver. Keep in mind that this is a DNS-level control: it stops names from resolving, not traffic to an IP address a client already knows.
Prerequisites
- A working WireGuard server and client setup
- Root or sudo access to your WireGuard server
- Basic understanding of the command line
Step 1: Install Pi-hole
Pi-hole is a network-level ad blocker that can also block arbitrary domains. We’ll use it as our DNS sinkhole.
- Update your server’s package list:

```bash
sudo apt update
```

- Install Pi-hole. Follow the on-screen prompts carefully, choosing a static IP address for Pi-hole if possible. (Piping a remote script straight into bash runs it with your privileges; if you prefer to review the installer first, download it with curl, read it, then run it.)

```bash
curl -sSL https://install.pi-hole.net | bash
```

- During installation, you’ll be asked to choose an upstream DNS provider. Cloudflare or Google are good options.
- Note the Pi-hole admin web interface password provided at the end of the installation.
Step 2: Add Websites to Block in Pi-hole
- Access the Pi-hole web interface (usually http://your_server_ip/admin) and log in with the password you noted earlier.
- Navigate to “Domains” (“Blacklist” in older Pi-hole versions) and add the websites you want to block, one per line. For example:
  - facebook.com
  - instagram.com
  - example.com
- An exact-match entry blocks only that name. To also block subdomains such as www.facebook.com, add the domain with Pi-hole’s wildcard option (or add the subdomains explicitly).
Step 3: Configure WireGuard Interface to Use Pi-hole
Modify your WireGuard server’s interface configuration file (usually /etc/wireguard/wg0.conf; replace wg0 with your actual interface name throughout).
- Edit the configuration file:

```bash
sudo nano /etc/wireguard/wg0.conf
```

- Add PostUp and PostDown lines that redirect any DNS query arriving over the tunnel to Pi-hole. Note that a `DNS =` line in the server’s [Interface] section only changes the server’s own resolver; to make clients use Pi-hole by default, put `DNS = your_pihole_ip_address` in the [Interface] section of each client’s configuration. The DNAT rules on the server then catch any client that ignores that setting and sends plain DNS to another resolver. wg-quick executes every PostUp/PostDown line, so each rule goes on its own line:

```ini
[Interface]
PrivateKey = ...
Address = ...
# Redirect plain DNS (UDP and TCP port 53) from WireGuard clients to Pi-hole
PostUp = iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
PostUp = iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
PostDown = iptables -t nat -D PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
PostDown = iptables -t nat -D PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
# Only needed if clients have IPv6 addresses inside the tunnel; an ip6tables DNAT target must be an IPv6 address
PostUp = ip6tables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination [your_pihole_ipv6_address]:53
PostUp = ip6tables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination [your_pihole_ipv6_address]:53
PostDown = ip6tables -t nat -D PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination [your_pihole_ipv6_address]:53
PostDown = ip6tables -t nat -D PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination [your_pihole_ipv6_address]:53
```

- Replace your_pihole_ip_address (and your_pihole_ipv6_address, if used) with the address Pi-hole actually listens on. If Pi-hole runs on the WireGuard server itself, use an address it binds to (its LAN or wg0 address) and make sure Pi-hole’s DNS interface settings permit queries from the WireGuard subnet; otherwise the redirected queries are refused.
- Restart WireGuard to apply the changes (replace wg0 if necessary):

```bash
sudo systemctl restart wg-quick@wg0
```
Step 4: Verify DNS Resolution
- Connect a WireGuard client.
- From the client, look up or try to reach one of the blocked websites:

```bash
ping facebook.com
```

- If Pi-hole is working correctly, the name resolves to the sinkhole address 0.0.0.0 (Pi-hole’s default blocking mode) or to Pi-hole’s own IP address (older configurations), or the lookup fails outright (NXDOMAIN mode); either way the site is unreachable. A real public IP address means the client is still using another resolver.
- Check the Pi-hole web interface logs (“Query Log”) to confirm that the client’s DNS queries for blocked domains are being handled by Pi-hole.
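The ping test shows whether Pi-hole answers, but not whether the server actually enforces it. The script below is an added example, not part of the original guide: run from a connected WireGuard client, it queries the blocked domain through Pi-hole and then directly through a public resolver (8.8.8.8 is only a placeholder; use any resolver the client can normally reach) and expects the sinkhole answer both times. A real address from the direct query means the PREROUTING DNAT rule is not catching the traffic, or the client’s AllowedIPs do not route that resolver through the tunnel. It assumes `dig` (the dnsutils or bind-utils package) is installed; the function names and the sample inputs are mine.

```shell
#!/bin/sh
# wg-dns-check.sh: added example, not part of the original guide.
# Run it on a CONNECTED WireGuard client:
#   sh wg-dns-check.sh <pihole_ip> <blocked_domain> [public_resolver]
# Assumptions: dig is installed; the client's AllowedIPs send the public
# resolver's address through the tunnel (a 0.0.0.0/0 full tunnel does);
# Pi-hole answers blocked names with 0.0.0.0/:: (default NULL mode), with
# NXDOMAIN, or with its own IP (older IP mode). 8.8.8.8 is only a placeholder.

# classify_answer <pihole_ip>
#   Reads `dig +short` output on stdin and prints one word:
#   blocked     - only sinkhole answers (or no answer at all)
#   resolved    - at least one real A/AAAA record came back
#   unreachable - dig reported an error instead of an answer
classify_answer() {
    sink="${1:-}"
    real=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        case "$line" in
            0.0.0.0|::|"$sink") ;;                 # sinkhole answers
            ";;"*) echo unreachable; return 2 ;;   # dig diagnostics, e.g. ";; connection timed out"
            *[!0-9.]*)                             # not a bare IPv4 address:
                case "$line" in
                    *:*) real=1 ;;                 #   an IPv6 address is a real answer
                    *) ;;                          #   a CNAME target line is not
                esac ;;
            *) real=1 ;;                           # a bare IPv4 address is a real answer
        esac
    done
    if [ "$real" -eq 1 ]; then echo resolved; else echo blocked; fi
}

# query_short <resolver> <domain>
#   Asks for A and AAAA records. The short timeout keeps a black-holed
#   resolver from stalling the check, and a dig failure becomes a ";;" line
#   so classify_answer reports it as unreachable rather than as blocked.
query_short() {
    dig +short +time=3 +tries=1 "@$1" "$2" A "$2" AAAA 2>/dev/null \
        || echo ";; dig exited with status $?"
}

# check_enforcement <pihole_ip> <blocked_domain> [public_resolver]
#   Returns 0 only if both the direct Pi-hole query and the query aimed at
#   the public resolver come back sinkholed.
check_enforcement() {
    pihole="$1"; domain="$2"; public="${3:-8.8.8.8}"
    via_pihole=$(query_short "$pihole" "$domain" | classify_answer "$pihole")
    via_public=$(query_short "$public" "$domain" | classify_answer "$pihole")
    echo "$domain via Pi-hole $pihole: $via_pihole"
    echo "$domain via $public (should be DNAT'd to Pi-hole): $via_public"
    status=0
    case "$via_pihole" in
        blocked) ;;
        *) echo "FAIL: Pi-hole did not sinkhole $domain ($via_pihole)"; status=1 ;;
    esac
    case "$via_public" in
        blocked) ;;
        resolved) echo "FAIL: a direct query to $public bypassed Pi-hole; check the PREROUTING DNAT rule and the client's AllowedIPs"; status=1 ;;
        *) echo "FAIL: $public unreachable; check that the tunnel is up and routes $public"; status=1 ;;
    esac
    return "$status"
}

# Only run the check when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    check_enforcement "$@"
fi
```

A query that times out is reported as unreachable rather than blocked on purpose: a missing DNAT rule combined with a firewall that drops the traffic looks like “blocked” to a naive check, but it is a different failure and it will not hold once the drop rule changes.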
Step 5: Firewall Rules (Optional, but Recommended)
This step ensures DNS traffic from WireGuard clients goes through Pi-hole even if a client ignores its DNS setting and points at another resolver.
- Add rules to your firewall that redirect all plain DNS requests arriving on the WireGuard interface to Pi-hole. If you used the PostUp/PostDown lines in Step 3 this is already done; the manual equivalent (UDP and TCP, since DNS also runs over TCP) is:

```bash
sudo iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination your_pihole_ip_address:53
# Only if clients have IPv6 addresses inside the tunnel; the DNAT target must be an IPv6 address
sudo ip6tables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to-destination [your_pihole_ipv6_address]:53
sudo ip6tables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to-destination [your_pihole_ipv6_address]:53
```

- If you added the rules manually rather than through PostUp/PostDown, save them so they persist after a reboot. The method varies by distribution; on Debian/Ubuntu with the iptables-persistent package:

```bash
sudo iptables-save > /etc/iptables/rules.v4
sudo ip6tables-save > /etc/iptables/rules.v6
```

Use one mechanism or the other: rules restored at boot plus a PostUp that appends the same rule every time the interface comes up leave duplicate entries in the nat table.
- Be clear about what this does and does not enforce. The DNAT only catches unencrypted DNS on port 53. A client using DNS over TLS (TCP port 853) or DNS over HTTPS (port 443, indistinguishable from ordinary HTTPS by port alone) bypasses Pi-hole entirely, as does a client that connects to a site by IP address. Dropping outbound TCP 853 from wg0 closes the DoT path; DoH can only be limited by blocking known resolver hostnames in Pi-hole.