rajannpatel / pi-hole-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-wireguard-vpn-configs

Run your own privacy-first ad blocking service at home, or in the cloud for free with Google Cloud Services.

License: MIT License

Shell 100.00%
wireguard-vpn wireguard-vpn-setup wireguard-tunnel split-tunnel vpn vpn-server vpn-client pihole pi-hole ubuntu2004 kernel

pi-hole-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-wireguard-vpn-configs's Introduction

Full Tunnel or Split Tunnel IPv6 + IPv4 Wireguard VPN connections to an ad blocking Pi-Hole server, from your Android, iOS, Chrome OS, Linux, macOS, & Windows devices

The goal of this project is to enable you to safely and privately use the Internet on your phones, tablets, and computers with a self-run VPN Server in the cloud, or on your own hardware in your home. This software shields you from intrusive advertisements. It blocks your ISP, cell phone company, public WiFi hotspot provider, and apps/websites from gaining insight into your usage activity.

Both Full Tunnel (all traffic) and Split Tunnel (DNS traffic only) VPN connections provide DNS based ad-blocking over an encrypted connection to the cloud. The differences are:

  • A Split Tunnel VPN allows you to interact with devices on your Local Network (such as a Chromecast or Roku).
  • A Full Tunnel VPN can help bypass misconfigured proxies on corporate WiFi networks, and protects you from Man-In-The-Middle SSL proxies.

Tunnel Type   Data Usage               Server CPU Load   Security              Ad Blocking
full          +10% overhead for vpn    low               100% encryption       yes
split         just kilobytes per day   very low          dns encryption only   yes

While Pi-hole was originally authored to run on a Raspberry Pi, people have followed this guide to deploy securely hosted instances of Pi-hole with VPN only access on Google Cloud, AWS, Heroku, Azure, Linode, Digital Ocean, Oracle Cloud, and on spare hardware at home.


Quickstart

  1. Install Ubuntu 20.04 if you want to benefit from the Wireguard Module natively shipped in the Linux Kernel. Ubuntu 18.04, Debian, and other Linux distributions do not yet have Wireguard implemented in the kernel-space, as of August 29, 2020.

  2. Download and execute setup.sh from this repository to:

    1. install the latest Wireguard packages

    2. install the latest Pi-Hole, and configure it to accept DNS requests from the Wireguard interface

    3. display a QR Code for 1 Split Tunnel VPN Profile, so you can import the VPN Profile to your device without having to type anything

sudo su -
curl -O https://raw.githubusercontent.com/rajannpatel/Pi-Hole-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-Wireguard-VPN-Configs/master/setup.sh
chmod +x setup.sh
bash ./setup.sh 
  3. Make sure your router or firewall is forwarding incoming UDP packets on Port 51515 to the Ubuntu 20.04 Server that you ran the setup.sh script on.

  4. Create another VPN Client Profile by running ./setup.sh again; you can create 253 profiles without modifying the script.

  5. Enable Wireguard VPN Connections on your devices


Server Setup Guide

Option A Set up a Pi-Hole Ad Blocking VPN Server with a static Anycast IP on Google Cloud's Always Free Usage Tier.

Fastest: beefier server specs, premium network connectivity with an anycast static IP
Cheapest: $0 to run with Split Tunnel configuration
Option B Set up a Pi-Hole Ad Blocking VPN Server behind your router at home.

OPTION A
Set up a Pi-Hole Ad Blocking VPN Server with a static Anycast IP on Google Cloud's Always Free Usage Tier

You can run your own privacy-first ad blocking service within the Free Usage Tier on Google Cloud. Step 1 of this guide gets you set up with a Google Cloud account, and Step 2 walks you through setting up a full tunnel or split tunnel VPN connection on your Android & iOS devices, and computers.

This simple 2 step process will get you up and running:

There is no value in setting up DNS over HTTPS or DNS over TLS on a cloud hosted instance, because your DNS requests to the cloud are encrypted by Wireguard.

The performance related technical merits of Option A are outlined in REASONS.md.


OPTION B
Set up a Pi-Hole Ad Blocking VPN Server behind your router at home.

  • STEP 1 A new install of Ubuntu 20.04 (preferably not Raspbian or Debian, for lack of a Wireguard Linux Kernel Module), and have your Router forward all incoming UDP connections on Port 51515 to this device.

  • STEP 2 Software Installation & Configuration

  • STEP 3 Enable DNS over HTTPS

  • STEP 4 Bridge your Local LAN with your Wireguard network:

    • Open the Wireguard Application on your Client Device, and edit the VPN Profile.

    • Change the Allowed IPs to include your LAN subnet. For example, if your router's IP address is 192.168.86.1, and your Ubuntu 20.04 Wireguard server has an IP somewhere in the range of 192.168.86.2 to 192.168.86.255, your subnet is 192.168.86.0/24. If you add 192.168.86.0/24 to the comma separated list of Allowed IPs in the Client Configuration file, you will be able to ping any device with an IP address between 192.168.86.1 and 192.168.86.254 over your Wireguard connection.
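
The Allowed IPs edit in STEP 4, and the split versus full tunnel distinction it builds on, can be checked from a shell on a Linux client. This is an added example, not code from the project's setup.sh: it classifies a client profile by its AllowedIPs line, flags a default route that covers only one address family, and appends a LAN subnet without duplicating it. The function names, the placeholder keys, the documentation endpoint address and the split tunnel AllowedIPs values (taken from the Pi-hole addresses 10.66.66.1 and fd42:42:42::1 mentioned on this page) are assumptions.

```sh
#!/bin/sh
# Added example: inspect and edit the AllowedIPs line of a WireGuard client profile.

# Constructed split tunnel profile. Keys are placeholders, the endpoint is a
# documentation address, and the AllowedIPs values are assumed from the
# Pi-hole addresses (10.66.66.1, fd42:42:42::1) that appear on this page.
sample_profile() {
cat <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.66.66.2/32, fd42:42:42::2/128
DNS = 10.66.66.1, fd42:42:42::1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <preshared-key>
Endpoint = 203.0.113.10:51515
AllowedIPs = 10.66.66.1/32, fd42:42:42::1/128
EOF
}

# Print each AllowedIPs entry of the profile on stdin, one per line.
allowed_ips() {
    awk -F= 'tolower($1) ~ /^[ \t]*allowedips[ \t]*$/ {
        n = split($2, a, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t\r]/, "", a[i])
            if (a[i] != "") print a[i]
        }
    }'
}

# Classify the profile on stdin:
#   full            both 0.0.0.0/0 and ::/0 are routed through the tunnel
#   full-ipv4-only  IPv6 traffic stays outside the tunnel
#   full-ipv6-only  IPv4 traffic stays outside the tunnel
#   split           only the listed prefixes use the tunnel
tunnel_mode() {
    v4=no; v6=no
    for ip in $(allowed_ips); do
        case $ip in
            0.0.0.0/0) v4=yes ;;
            ::/0)      v6=yes ;;
        esac
    done
    case $v4$v6 in
        yesyes) echo full ;;
        yesno)  echo full-ipv4-only ;;
        noyes)  echo full-ipv6-only ;;
        *)      echo split ;;
    esac
}

# Print the profile on stdin with subnet $1 appended to AllowedIPs,
# unless that subnet is already listed (safe to run twice).
add_allowed_ip() {
    profile=$(cat)
    if printf '%s\n' "$profile" | allowed_ips | grep -Fxq -- "$1"; then
        printf '%s\n' "$profile"
    else
        printf '%s\n' "$profile" |
            awk -v add="$1" 'tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ { $0 = $0 ", " add } { print }'
    fi
}

# Demo on the constructed profile: list the routes after bridging the LAN.
sample_profile | add_allowed_ip 192.168.86.0/24 | allowed_ips
```
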


Client Setup Guide

To connect and use the VPN, you will need to install the Wireguard VPN software on your device or computer. Review some common Wireguard VPN Client configuration steps.

Delete Clients from Server

Print list of all clients on the server:

sudo wg show

Sample output may look like this:

peer: txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys=
  preshared key: (hidden)
  endpoint: 99.99.99.99:99999
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128
  latest handshake: 4 days, 20 hours, 4 minutes, 20 seconds ago
  transfer: 4.20 MiB received, 4.20 MiB sent

Make note of the unique string after the word peer: for the client you wish to delete. In the example above, it is txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys=.

Remove the client:

sudo wg set wg0 peer txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys= remove

Replace txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys= in the command above with the appropriate peer: you wish to delete on your server.
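
One way to script the removal above so the key is looked up by the client's tunnel address instead of being copied by hand (added example, not part of the project's setup.sh). It parses `wg show` text, refuses ambiguous or malformed matches, lists peers that never completed a handshake, and only prints the `wg set` command; the function names, the second peer and the interface key in the sample are constructed.

```sh
#!/bin/sh
# Added example: resolve a peer's public key from `wg show` output.

# Constructed sample in the format printed by `sudo wg show`. The first peer
# is the one from the README; the second peer and the interface key are made up.
sample_wg_show() {
cat <<'EOF'
interface: wg0
  public key: CONSTRUCTEDSERVERPUBLICKEY00000000000000000=
  private key: (hidden)
  listening port: 51515

peer: txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys=
  preshared key: (hidden)
  endpoint: 99.99.99.99:99999
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128
  latest handshake: 4 days, 20 hours, 4 minutes, 20 seconds ago
  transfer: 4.20 MiB received, 4.20 MiB sent

peer: CONSTRUCTEDKEYFORASECONDCLIENT0000000000000=
  preshared key: (hidden)
  allowed ips: 10.66.66.20/32, fd42:42:42::14/128
EOF
}

# Print the key of every peer whose "allowed ips" lists $1 exactly
# (10.66.66.2/32 must not match 10.66.66.20/32). Reads `wg show` on stdin.
peer_for_ip() {
    awk -v want="$1" '
        $1 == "peer:" { key = $2 }
        $1 == "allowed" && $2 == "ips:" {
            line = $0
            sub(/^[ \t]*allowed ips:[ \t]*/, "", line)
            n = split(line, ips, ", *")
            for (i = 1; i <= n; i++) if (ips[i] == want) print key
        }'
}

# A WireGuard public key is 32 bytes in base64: 43 characters plus "=".
valid_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Print (do not run) the README's removal command for the peer that owns
# address $1 on interface $2 (default wg0). Fails unless exactly one
# well-formed key matches.
removal_command() {
    keys=$(peer_for_ip "$1")
    count=$(printf '%s' "$keys" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "refusing: $count peers own $1" >&2; return 1; }
    valid_key "$keys" || { echo "refusing: malformed key" >&2; return 1; }
    printf 'wg set %s peer %s remove\n' "${2:-wg0}" "$keys"
}

# Print peers that have no "latest handshake" line, i.e. profiles that were
# created but have not connected since the interface came up.
peers_without_handshake() {
    awk '
        $1 == "peer:" { if (key != "" && !seen) print key; key = $2; seen = 0 }
        $1 == "latest" && $2 == "handshake:" { seen = 1 }
        END { if (key != "" && !seen) print key }'
}

# Dry run on the sample. On a server: sudo wg show | removal_command 10.66.66.2/32
sample_wg_show | removal_command 10.66.66.2/32
```

`wg set` changes the running interface only; whether the peer also remains in /etc/wireguard/wg0.conf depends on how the interface is saved and restarted, so run `sudo wg show` again after a restart to confirm the client is still gone.
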

Contributions Welcome

If there is something that can be done better, or if this documentation can be improved in any way, please submit a Pull Request with your fixes or edits.

Contributors should be aware of REASONS.md, which explains the factors behind choices made throughout this guide.

Please review the Issues if you are in a position to help others, or participate in improving this project.

pi-hole-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-wireguard-vpn-configs's People

Contributors

cwmoriarty, dalcon007, gmngeoffrey, kwbmm, leggiero, rajannpatel, simmeh


pi-hole-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-wireguard-vpn-configs's Issues

How to make this work with my Roku Smart TV?

I have the server up and running. I have wireguard on my phone and it's performing well, just as intended. But as for the smart TV in my house, I would like to set that up to use pihole with Google Cloud as well. The Roku software doesn't allow for custom DNS. Is there something I can do in my router firmware to point my Smart TV at the Google Cloud pihole? I have a Netgear Nighthawk R6900 with stock firmware.

Change country

Is there any way to get an IP from another country without paying? I'm from Spain and a lot of websites are blocked, for example football websites. I would like to change my location to France and get access to those websites.
The only way that I have found is to hire a VPN server, but I would like to know if it is possible to set up a VPN server in another country from Spain for free.

Question - ubuntu autoupdate and clean

How do you ensure that Ubuntu stays up to date on the cloud server?

I like to run the below command manually. Would it be worth putting this on a schedule, similar to how you update pihole?


sudo apt update -y && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt clean -y && sudo apt autoclean -y

Question on split tunnel and port forwarding

Hello and thanks for this excellent guide, which I recently used to set up a split tunnel in the cloud.

One question I have is that you say to forward port 51515 on the router. I don’t understand how this works, because I’m only able to forward ports to a device that is connected to my router (which is a google nest by the way). How can I forward it to a cloud device, and what purpose does it serve? I have my iPhone set as a client and pihole is working. However, there’s no protection in masking my IP address.

Can you confirm what protection I have with just a split tunnel DNS? What safety does that provide outside my LAN, what does it encrypt? Just visiting websites?

Appreciate any insight you can offer as I’m new to this and trying to learn. I’m also trying to decide if I should set this up on my local lab for a full tunnel, perhaps that’s more beneficial especially if I want to do file sharing as well.

Update to Option A Step 1

Change suggestion 1:
Current:
"Name your Virtual Machine pi-hole.
To qualify for the Free Tier, your Region selection should be any US region only (excluding Northern Virginia [us-east4]). I have used us-east1 and the us-east1-b zone because it is closest to me.
Choose the f1-micro Machine Type in the dropdown."

Suggested Change:
"Name your Virtual Machine pi-hole.
To qualify for the Free Tier, your Region selection should be any US region only (excluding Northern Virginia [us-east4]). I have used us-east1 and the us-east1-b zone because it is closest to me.
Change the Series to "N1"
Choose the f1-micro Machine Type in the dropdown."


Change Suggestion 2:
Current:
"The External IP Address should not be Ephemeral. Choose Create IP Address to Reserve a New Static IP Address"

Suggested Change:
"In the External IP Address section, change from "Ephemeral" to "Create IP Address" to reserve a new Static IP Address.
Click "Reserve"."

Automating Wireguard installation with Docker, Terraform and Cloud Run

Similarly to what was done for AWS, I was wondering if there's a way to do the same for GCP: automating the deployment of Wireguard in a serverless environment using Terraform, Cloud Run, Cloud Build and Docker.

Theoretically it should be possible I guess, but I saw that the included setup.sh file is not meant to be run headless, so I was just wondering how this could be overcome (if possible).

Actually, if CPU throttling of CloudRun is not a good deal, GCE would be still ok. But the headless setup issue remains I guess.

any suggestion appreciated!

Comment in client's config file and custom path to store config files, maybe?

Now the script will generate the first client's config file like wg0-client-2.conf in root's home.
In my scenario, I would like to rename the file to match the user's name and devices,
like wg0-client-eric-iphone8.conf,
but if I do the rename, then next time when I generate another client, the script will not be able to determine the client's IP address and will create wg0-client-2.conf again.
So if I want to use the script to keep generating configs without modifying the client's IP address, then I will not be able to rename the config file.
Then, how about adding a "comment" in the script's interactive process, and just adding the comment into the config file, so at least I can use grep to find the user's config?

Also, I think it is not proper to store config files in root's home directory; maybe it should be a customizable variable?

wireguard protocol obfuscation with shadowsocks

Came across some interesting information courtesy of Yegor Ievlev:

Recently there was discussion about obfuscation to avoid restrictive firewalls. The conclusion apparently was that WG devs should add support for pluggable transports. This is a good idea, but for now you can just use shadowsocks-libev:

On server:

ss-server -s 0.0.0.0 -s ::0 -p 443 -k shadowsocks-password -m aes-128-gcm -U # change to lowercase u if you want to be able to connect to the server over TCP too.

On client:

ss-tunnel -s shadowsocks-server -p 443 -l 51820 -L wireguard-server:51820 -k shadowsocks-password -m aes-128-gcm -U

Connect WireGuard to 127.0.0.1:51820. Done.

It's worth experimenting with Shadowsocks to bypass restrictive firewalls that block Wireguard traffic, and improving this guide/bash script to include these enhancements.

mtu set too high

ISSUE

Sometimes the wireguard client sets mtu=8920, which is too high, and as a result some devices do not load sites and other data properly.

I manually changed the mtu by going to the following directory

cd /sys/class/net/wg0
nano mtu
and changing the value to 1380

Can this be made the default value?

It took me hours to catch the issue on one of my networks.

Price Estimate

I understand it is an estimate but does anyone know is this estimating based on if I go over limits and what not? Or is this a new thing where you do have to rent a virtual server?

Updating Pi-Hole

I just noticed a notification that there was an update to my Pi-Hole install, and was wondering how we would go about updating after using your script, if it is even recommended.

I also want to say thank you for going through the work of setting this all up, I used the old way you had of doing this and switched to this as soon as you put it up. Great work!

Question - Configure automated Pi-Hole updates and scheduled reboots

I followed the instructions to 'Configure automated Pi-Hole updates and scheduled reboots'.

My question is how can I manually update pihole within the google Cloud SSH? How do I execute the script manually to ensure it's working? I'm unable to run any command like 'pihole -up' from the root as it says "command not found".

dns leak on android 9 devices

Hi, I wanted to congratulate you for this guide, it was very useful and it is really simple to follow. I'm having a problem though: I followed your step-by-step guide, created the account, the virtual machine, the firewall rules and started your script that installs the pi hole service and creates the various accounts for the vpn. I then imported them into various devices, such as my computer, my smartphone and other smartphones of various friends. Herein lies the problem, I did the test on 7 android smartphones, an iPhone and a pc. Everything works on PC, iPhone and 2 Android smartphones, on others it doesn't. The ads are not blocked, and I can't understand why. Do you have any suggestions for me? I specify that from all the devices I can reach the pi hole via ip address, so I think both the pi hole and the vpn are working correctly, but I could be wrong.

Misinformation about GCP's free tier in this guide?

Be aware of the limitations of the Free Usage Tier:

1 vCPU + 3.75GB RAM f1-micro virtual machine instance per month in one of the following US regions

https://github.com/rajannpatel/Pi-Hole-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-Wireguard-VPN-Configs/blob/master/GOOGLE-CLOUD.md

Unless the RAM limit has changed, I think we are still limited to 640 MB of RAM. Correct me if I'm wrong... but when I made my server I only got 640 MB RAM as part of the free tier.

Would it make sense to use a dynamic DNS service?

As of now, when creating the VM instance on GCP, we are setting up the VM to have a fixed IP address, so it can always be reached. This IP address has a cost.
If you are not making use of the free tier (for whatever reason), I believe you could save some money by using a dynamic DNS service rather than a fixed IP address.

Only a small doubt: The traffic generated by the instance to keep the IP address up to date might go over the price for a fixed IP address, however I believe the traffic generated is very very low.

What do you think?

pi.hole domain routed to incorrect IP

Thanks for the great guide. I followed it a while ago to set up my pi-hole, which has been working great since. When recently switching to an e2-micro instance (see #45) I noticed that it is not possible to access the pi-hole admin page via http://pi.hole/admin. Notably, the docs for this guide only say it will be accessible at the IP address, but especially coming back to pi-hole after a while of not touching it, it was surprising that it didn't work as it does in the pihole documentation. I think the issue is that the IP address in /etc/pihole/local.list is the internal IP of the vm instance, not of wireguard, which is what is needed. I was able to work around this by adding a local DNS record in the pihole admin console pointing pi.hole to 10.66.66.1. I wonder if there's a better solution or if this workaround should be documented in the guide.

Autoupdating PiHole

I believe the information about autoupdating PiHole that were specified in the OpenVPN version of this guide are still valid. @rajannpatel isn't that so?
If so, I can make a PR to add them here.

Question - Managing peer to peer communications

Wondering if anyone has any instructions or link/guide detailing how to set up and manage peer to peer communications with wireguard? After we have this all up and running in google cloud... Also would IP forwarding have to be enabled? As an example use; say I set up a raspberry pi4 as a client, and I want to be able to access it from my mobile phone. Or say I want to be able to access this https://www.kickstarter.com/projects/mdevaev/pikvm-v3-hat

As background - I've set up the wireguard server with these instructions and it is running perfectly. I also set up separate keys for each of my clients.

Configuration imported through Network Manager GUI doesn't work with IPv6 DNS

Hello!
After some testing with Network Manager, I have found out that if the wireguard configuration contains a primary DNS in IPv6 format, the VPN won't work. You will be able to connect to PiHole dashboard, but you won't be able to browse the internet, because the DNS, for some reason, is not handled properly.

I am quite confident this is an issue with NM-Wireguard-Plugin. The reason why I am saying this is because if the connection to the VPN is imported manually through nmcli connection import type wireguard file <wg-config-file> the VPN works fine. However, if the connection is imported through the command line, it won't be visible through NetworkManager GUI: no managing of the connection will be possible.


Given that NM-Wireguard-Plugin has not been updated in 7 months, it's unlikely to see an update now. So, I see only 2 solutions possible

Solution 1: Switch to IPv4 DNS in Wireguard config. That will do the trick and can even be done when creating the WG configuration on GCP. Basically, do not use IPv6 DNS.

Solution 2: Live with the problem. The plugin to handle Wireguard configuration graphically is not 100% reliable and can't handle IPv6 DNS. So, instead of importing WG config through NM GUI, just use nmcli. Be aware that, by default, the VPN connection will be activated automatically regardless of which WiFi network you are connected to. Also, unless you go specifically look for the VPN connection, it will be completely transparent to you and you won't notice it.

VPN connecting, but can't access Pi-Hole admin panel and not blocking ads

Hello,

I come from your other GitHub (PiVPN and PiHole) that worked flawlessly for quite a while, but had to remove the VM.

I configured the Wireguard through GCloud today. I've done it 2 or 3 times following every step, but I always end up the same.

I created two config files, one for Mac and another for iOS. I've installed both, and both VPNs are connecting fine and traffic flows fine.

But ads are not being blocked, nor can I access the Pi Hole admin panel either by http://[fd42:42:42::1]/admin, http://10.66.66.1/admin or http://pi.hole/admin. It doesn't respond to ping either.

I'm using the split configuration. If I try the full tunnel with 0.0.0.0/0, ::/0 then it won't connect.

Where should I look at?

Thanks

Network limitations on f1-micro VM free tier

After looking through the google cloud free tier, under the Always Free section, on the Compute Engine entry in the table, you can read the following:

- 1 non-preemptible f1-micro VM instance per month in one of the following US regions:
    - Oregon: us-west1
    - Iowa: us-central1
    - South Carolina: us-east1
- 30 GB-months HDD
- 5 GB-month snapshot storage in the following regions:
    - Oregon: us-west1
    - Iowa: us-central1
    - South Carolina: us-east1
    - Taiwan: asia-east1
    - Belgium: europe-west1
- 1 GB network egress from North America to all region destinations (excluding China and Australia) per month

If I understand correctly for each region you only have 1 GB of outbound traffic for free, is that correct?

Full Tunnel doesn't work but Split is fine

All of a sudden the full tunnel doesn't work, I can't access the internet. Split tunnel still works fine without any issue.

Tested it by changing the allowed ip on the profile, also on different devices.

Wireguard works, Pi-Hole works, but cannot access the admin panel for Pi-Hole (iOS)

Hi!

So I started all over and went start to finish on the tutorial. The Google Cloud account is up and running, Pi-hole is installed and working, and so is Wireguard (iOS). It works but I cannot access the Pi Hole admin panel from either the external IP or from the 10.66.66.2 address. I also tried 10.66.66.1 just to make sure. Thanks in advance!

Second run of setup.sh breaks everything

Thanks for the guide! Running through it once and generating the first key is very smooth. Using a phone with the first QR code works, and modding to go full tunnel works fine.

As soon as I run setup for a second time to generate another key, the first client dies. It appears to connect, but can't reach either the pi hole admin console or the internet.

What am I doing wrong? I notice during the second setup run that its trying to assign the same client IP again (10.66.66.2) which seems like a problem.

Is there a way to blank the wg config so that I don't have to spin up a new VM every time I start over?

Thanks again for the help, enjoyed learning through your guide!

Upgrade F1-micro to E2-Micro by Aug. 31, 2021

I received an email from GCP instructing me to change my F1-micro instance to E2-micro by August 31, 2021 to continue using the free tier. The E2-micro free tier becomes available on August 1, 2021.

I will attempt to change over on August 1st. I opened this issue to track documentation updates in GOOGLE-CLOUD.md where there are references to the F1-micro VM.

Email excerpt below:

What do I need to know?
The Free Tier F1-micro VM is changing to the E2-micro VM as the VM to use for free. On August 1, 2021, E2-micro Free Tier will be introduced. Follow these steps to change your machine type to E2-micro to avoid incurring charges for continuing to use F1-micro after August 31, 2021.

What do I need to do?
Starting August 1, 2021, change the machine type from F1-micro, or stop your existing F1-micro instance and begin using a E2-micro instance. VMs created with either method will automatically have the Free Tier discount applied to them. The supported regions will remain the same.

IP not VPN IP but ISP IP

I think this has to do with the initial setup of the PiVPN wherein by default Pihole routes everything through the default ethernet address instead of wg0, but whenever I'm connected to the PiVPN wireguard VPN client, the IP address I'm getting back is my ISP's IP and not the VPN IP like I would expect.

How do I go back and re-run the setup to change the default network address it routes everything through, or the config file itself, so that I can get everything to route through the VPN's IP instead?

Localhost querying google.internal addresses dozens of times a second

Hi there,
Great project thanks!
I've noticed when the pi-hole admin page is open in browser, there is a spike in localhost requests for the hostnames of the VM instance on google cloud.

See the hostnames in attached screenshot. Mostly "pi-hole.google.internal". The requests are being served by the cache, but come back as NXDOMAIN.
The total queries starts to go up about a dozen request per second, with no other devices performing lookups.

When I close the browser admin page window , you can see the requests stop.
[I'm using an iOS App called Pi-hole remote to see a live-log of requests as they come in]

It's like there's an element on the pi-hole admin page itself that is trying to resolve these addresses.

I've set this up fresh as per instructions. Is this known, or even a problem?

cheers

[Screenshot: Screen Shot 2022-03-30 at 13 01 23]

Doesn't work with DNS IP in the router.

Hi, Thank you for the nice guide. Works fine with the VPN client in iPhones.
Updating the GCP instance's IP as DNS server in the wifi router doesn't seem to pick up, and I don't see it being routed via pi-hole.

Update the excellent guide

Hi. Firstly, thank you for writing up this excellent guide. I have set up my pi-hole server on GCP and it's running.
I have a few questions which I think you can answer/add to your guide to make it more noob friendly.

  1. How can I connect to web-interface of pi-hole to see stats and update block list? Is it only possible from connected clients other machines which are not connected to this VPN?
  2. How do I add this VPN to Ubuntu/Kubuntu client machine for ad blocking?
  3. Is it possible to connect my TV to this VPN? I would like to detect which servers it connects to for calling home feature and if possible block youtube ads

How do we enable DoT or DoH?

How do we enable DNS over TLS or DNS over HTTPS?

Currently I'm able to sniff what websites are being attempted to access with packet capture software.

This is maybe preventable with DoT or DoH?
https://blog.cloudflare.com/encrypted-sni/

Below you can see where I tested access to explicit site as I have it blocked on my setup.
[Screenshot: Wireshark_2020-06-06_11-34-39]

Here you can see my VPN is working, and explicit site is blocked.
[Screenshot: 2020-06-06_11-41-35]

I am using Cloudflare as my upstream DNS, so ideally something that works with that would be great.

Also one last thing to note, but not directly related to this project...

iOS 13.5.1 currently has a vulnerability where applications are able to bypass VPNs.

You can read about that here:
https://www.forbes.com/sites/zakdoffman/2020/06/04/new-apple-security-blow-ios-1351-hides-a-surprising-problem-for-iphone-users/#3538f8cb2533

Pihole client names

Thanks for this guide. How do I get pihole to show various client names in the query log? I followed option A and every query is showing as from localhost. Thanks!

Is it possible to allow wireguard only for some IPS

Hi,
I want to enable the wireguard VPN only for certain IP addresses.
Eg: I want all data for google.co.in to go through the vpn, and in the normal case all should go outside the vpn to reduce data. Certain services need country based IPs. In OpenVPN we have that option (at least for OpenVPN), but I cannot find such an option for Windows. Is it possible somehow?

implement local firewall rules directly on the server

@rajannpatel - currently, you are allowing access from anywhere to port 51515 on the VM. Do you think it also makes sense to implement the iptables rules as recommended at [https://docs.pi-hole.net/guides/vpn/firewall/]? Or is that overkill? Thank you again for this wonderful script.

Deleting client leaves unwanted residues

When I use the command you provided, sudo wg set wg0 peer publicid remove, it does something to the VM instance: I can't connect the removed client. But when I terminate the ssh connection, reconnect, and run the command sudo wg show, I'm still able to see the so-called "removed client"; however, I can't connect to the server from the client, as it should be, because I ran the remove command. And when I delete the peer info directly from /etc/wireguard/wg0.conf after the command, it completely destroys the script when I want to add a new client to my server. When I run bash ./setup.sh after running the remove command and manually deleting the client info from /etc/wireguard/wg0.conf, it can still generate new clients, but the newly generated clients won't work and the existing clients will run as if nothing happened. So what does removing the peer info directly from /etc/wireguard/wg0.conf after running the command do to the script, and what should I do to completely destroy every remnant of a deleted client? I'm new to these things, by the way.

Are there any plans to make this work with AWS free tier?

Since the Google Cloud free tier only allows US servers, it can potentially slow things down for other users. As far as I know, the AWS free tier is available in every region. Is there anything preventing this from working with AWS?
