Sarah's Catalog

Disclaimer: I am not an expert. The following information is based on my experience and understanding. Research was done beforehand to make sure I'm not getting things wrong.

Overview

  • 192.168.0.0/24 → home network subnet
  • 10.8.8.1/32 → Wireguard server IP
  • Pi-hole → DNS + DHCP server
  • Wireguard → split tunneling
  • Allowed IPs: 192.168.0.0/24 (subnet) + 10.8.8.x (specific peer's wireguard ip)

Pi-hole → DNS + DHCP

  • Pi-hole is a DNS sinkhole. It resolves (hands out the IP addresses of) whitelisted domains.
  • Blocked domains, meanwhile, are sunk by resolving them to a non-routable IP address (e.g. 0.0.0.0).
  • In my case, I use several blocklists which list out specific domains to block.
  • The blocklists I use are HaGeZi's Light, AdGuard DNS Filter, oisd (Big) and someonewhocares.org (Dan Pollock).
  • Pi-hole also acts as my DHCP server for all of my devices except for my servers, which rely on my router.
  • It also resolves all of my .home domains to 192.168.0.3, my Ubuntu server.

DHCP

  • Setup of DHCP on my network:
  • Router: 192.168.0.2 to 192.168.0.3 → servers.
  • Pi-hole: 192.168.0.100 to 192.168.0.254 → rest of devices.
  • Both of my servers are statically configured in their netplan and in the router settings, so their IPs should never change.

WireGuard

  • The WireGuard peer IPs increment from the server IP (10.8.8.1). So for example, my phone is 10.8.8.2 and so on.
  • FreeDNS is my DDNS provider. I use a cron script to update the public IP for my domain because my router doesn't support FreeDNS.
  • I do split tunneling because all I need it to do is to be able to tap into my home network when I'm away from home.
  • WireGuard won't answer if somebody scans the port; it only replies to packets from a known peer key.
  • The device's private key must pair with the public key the server holds for that peer.
  • For example, if I want to reach one of my .home domains from my phone:
  • The phone sends the DNS request through the WG tunnel to Pi-hole, which resolves the .home domain to 192.168.0.3.
  • Pi-hole sends the answer back through the tunnel to my device, which then sends its request to my Ubuntu server.
  • The server's reply goes to WireGuard, which encrypts it and sends it through the tunnel back to my device.
  • Device → Pi-hole → (tunnel) → Device → Ubuntu server → WireGuard → (tunnel) → Device.
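To show how the split tunneling from the Overview and the .home lookup above fit together, here is an added example WireGuard configuration for the phone peer and the matching server-side entry. It is not the author's actual config; the Pi-hole LAN address (192.168.0.2), the DDNS hostname and the port are assumptions, and the keys are placeholders.

```ini
# ---- Phone side (e.g. /etc/wireguard/wg0.conf on the client) ----
[Interface]
PrivateKey = <phone private key>
# Peer addresses increment from the server's 10.8.8.1
Address = 10.8.8.2/32
# Assumed Pi-hole LAN address (the page does not state it).
# It lies inside 192.168.0.0/24, so DNS queries (incl. .home names)
# go through the tunnel and get Pi-hole's answers and blocking.
DNS = 192.168.0.2

[Peer]
PublicKey = <server public key>
# FreeDNS hostname kept current by the cron script; port is assumed.
Endpoint = home.example.net:51820
# Split tunnel: only the home subnet and the WG server itself are
# routed through the tunnel. Everything else leaves via the phone's
# normal connection. A full tunnel would use 0.0.0.0/0 here instead.
AllowedIPs = 192.168.0.0/24, 10.8.8.1/32
PersistentKeepalive = 25

# ---- Server side (one [Peer] block per device) ----
[Peer]
PublicKey = <phone public key>
# Only this peer's own tunnel IP is accepted from it; packets claiming
# another source are dropped by WireGuard's cryptokey routing.
AllowedIPs = 10.8.8.2/32
```

Because the DNS address sits inside AllowedIPs, .home names resolve via Pi-hole only while the tunnel is up; if the phone's DNS were a public resolver, those names would fail and the blocklists would not apply.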

Terms

  • For anyone who isn't as tech savvy, or anyone else, here's a short recap of some of the things I discussed.
  • Subnet: a specific range of IPs on a network.
  • Domain Name System (DNS): a system which makes IP addresses easily identifiable by pairing them with host names.
  • Pi-hole: a DNS sinkhole which resolves, or hands out, the IP addresses for a specific domain.
  • DNS sinkhole: DNS server which "sinks" specific domains by resolving them to non-routable IPs, or IPs that are a dead end.
  • Dynamic host configuration protocol (DHCP): automatically assigns IP addresses within a specific range to devices on a network.
  • WireGuard: a VPN protocol which uses only UDP. Compared to, say, OpenVPN, it's newer.
  • Dynamic DNS (DDNS): a service which updates the public IP for a specific domain.