Lab Objective:
- In order to complete this lab, you’ll first need to work through Part 1. You’ll need to have:
  - Docker installed on your primary host
  - A running Portainer container
  - A running Pi-hole DNS container
- In this lab, you will extend your home lab to enhance DNS privacy by tunneling DNS traffic through a VPN.

You will:
- Create a second Ubuntu VM named Canada
  - This VM will simulate a remote server located in another country.
  - It will act as a VPN endpoint outside your local network.
- Install a WireGuard VPN server container on the Canada VM
  - This container will accept encrypted VPN connections from your home lab.
  - It will function as the “remote” endpoint for all DNS traffic leaving your network.
- Install the Gluetun container on the host running Pi-hole
  - Gluetun will act as a VPN client using WireGuard.
  - It will connect securely to the WireGuard server on the Canada VM.
- Route Pi-hole DNS traffic through the VPN tunnel
  - Only DNS requests generated by the Pi-hole container will traverse the VPN.
  - All other network traffic (web browsing, streaming, downloads) will continue to use your normal internet connection.
  - This ensures minimal performance impact while significantly improving privacy.
Why tunnel DNS traffic over a VPN connection?
- DNS queries expose browsing behavior in plain text
  - Every time a device connects to a website, app, or online service, it first sends a DNS request asking for the IP address associated with a domain name (for example, youtube.com, reddit.com, or bankofamerica.com).
  - By observing these DNS queries, ISPs and DNS providers can see:
    - Which domains you access
    - How frequently you access them
    - When you are active online
    - Which devices on your network are making the requests
  - DNS data is valuable because it provides a near-complete picture of user activity without needing to inspect encrypted traffic.
- By tunneling your home DNS through a VPN, you hide your DNS traffic from your ISP and anyone else watching your home connection (the queries remain visible to the VPN endpoint and its upstream resolver), which significantly improves your privacy posture.
We’ll be using two VMs for this lab:
- HomeLabExample (Pi-hole/Portainer)
- Canada (VPN Server Endpoint)
We’ll start with the Canada server:
- Note the IP address of my endpoint is: 192.168.231.17

Create a file on the Canada server called docker-compose.yml
- Use the template below, but be sure to change the Server IP Address (the SERVERURL value) to the address of your own Canada VM.
docker-compose.yml
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN   # needed to create and configure the WireGuard interface
      - SYS_MODULE  # lets the container load the wireguard kernel module if required
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - SERVERURL=192.168.231.17 # CHANGE THIS!!! <---- the address peers use to reach this VM
      - SERVERPORT=51820
      - PEERS=1                  # one peer config is generated (the Gluetun client uses it)
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - ./config:/config         # generated keys and peer configs land here
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp          # WireGuard is UDP only
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
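Before bringing the container up, a pre-flight check of the compose file catches the mistakes that otherwise only show up as a tunnel that never handshakes. The script below is an added example, not part of the original lab: it reads the flat lists in the file with a small purpose-built reader (assumption: no nested mappings inside those lists), and checks that SERVERURL is an address a peer can reach, that the published port is UDP and matches SERVERPORT, that the src_valid_mark sysctl is present, and that INTERNAL_SUBNET does not collide with the home LAN (assumed 192.168.231.0/24, a /24 being an assumption).

```python
import ipaddress
import re
# Constructed copy of the lab's settings that the checks look at (the page's full file has more).
GOOD_COMPOSE = """\
services:
  wireguard:
    environment:
      - SERVERURL=192.168.231.17 # CHANGE THIS!!! <----
      - SERVERPORT=51820
      - INTERNAL_SUBNET=10.13.13.0
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
"""
# Constructed broken variant: unreachable SERVERURL, TCP mapping, tunnel subnet on the LAN.
BAD_COMPOSE = (GOOD_COMPOSE.replace("192.168.231.17", "0.0.0.0")
               .replace("51820/udp", "51820").replace("10.13.13.0", "192.168.231.0"))

def parse_lists(text):
    """Collect '- item' entries under each 'key:' header (comments stripped); not a YAML parser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"[\w.-]+:", line):
            current, sections[line[:-1]] = line[:-1], []
        elif line.startswith("- ") and current is not None:
            sections[current].append(line[2:].strip())
    return sections

def check_wireguard_compose(text, lan_cidr="192.168.231.0/24"):
    """Return a list of findings (empty = pass). lan_cidr: the LAN the Canada VM sits on (assumed /24)."""
    s = parse_lists(text)
    env = dict(item.partition("=")[::2] for item in s.get("environment", []))
    findings, url = [], env.get("SERVERURL", "")
    try:  # an IP must be one a peer can route to; a hostname is accepted as written
        ip = ipaddress.ip_address(url or "0.0.0.0")
        if ip.is_unspecified or ip.is_loopback:
            findings.append(f"SERVERURL={url!r}: peers cannot reach this address")
    except ValueError:
        pass
    port = env.get("SERVERPORT", "51820")
    if f"{port}:{port}/udp" not in s.get("ports", []):
        findings.append(f"ports must publish {port}:{port}/udp (WireGuard is UDP only)")
    if "net.ipv4.conf.all.src_valid_mark=1" not in s.get("sysctls", []):
        findings.append("sysctls needs net.ipv4.conf.all.src_valid_mark=1")
    tunnel = ipaddress.ip_network(env.get("INTERNAL_SUBNET", "10.13.13.0") + "/24", strict=False)
    if tunnel.overlaps(ipaddress.ip_network(lan_cidr)):
        findings.append(f"INTERNAL_SUBNET {tunnel} overlaps the LAN {lan_cidr}")
    return findings
```

Run it against your own docker-compose.yml contents (for example `check_wireguard_compose(open("docker-compose.yml").read())`) and fix every finding before `docker compose up`.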