So I’ve been beating my head up against the wall since last night on this one. I’m trying to set up a new Wireguard + Pihole instance on Oracle Cloud in the same way I’ve done many times on AWS, Digital Ocean, and Vultr. There were no issues installing Wireguard, handshaking, or forwarding client traffic through the VPS… everything works as expected with wireguard.
The second half of the setup is to install pihole using the automated installation method (curl -sSL https://install.pi-hole.net | bash). I choose wg0 for the interface and accept all the other recommended defaults. Installation completes without any errors and I’m able to access the pihole admin console with ssh port forwarding.
However my wireguard client isn’t able to access the pihole admin console or make DNS lookups to pihole. It’s receiving ICMP host 10.6.0.1 unreachable - admin prohibited, but SSH and ping work fine to the server (10.6.0.1). Does this sound like an issue with the pihole service?
Things I’ve Tried So Far:
- Disabling UFW
- Selecting “Permit all origins” in pihole under Settings → DNS → Interface settings
- Starting from scratch at least 4 times ← Definition of insanity.
- Checking IP tables for any obvious drop rules (although I lack experience here)
- Adding a rule to allow any from wg0 to wg0
Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-1023-oracle aarch64)
Wireguard Server (wg0) : 10.6.0.1
Wireguard Client: 10.6.0.2
Pi-hole admin console and DNS blocked
15:09:08.384240 IP 10.6.0.2.64043 > 10.6.0.1.80: Flags [SEW], seq 2044417045, win 65535, options [mss 1240,nop,wscale 6,nop,nop,TS val 1116977908 ecr 0,sackOK,eol], length 0
15:09:08.384277 IP 10.6.0.1 > 10.6.0.2: ICMP host 10.6.0.1 unreachable - admin prohibited, length 72
18:08:45.874138 IP 10.6.0.2.60674 > 10.6.0.1.53: 60560+ PTR? lb._dns-sd._udp.254.141.0.10.in-addr.arpa. (59)
18:08:45.874174 IP 10.6.0.1 > 10.6.0.2: ICMP host 10.6.0.1 unreachable - admin prohibited, length 95
But SSH and ICMP ping work fine to the same host
18:04:05.372086 IP 10.6.0.2.53986 > 10.6.0.1.22: Flags [SEW], seq 197032587, win 65535, options [mss 1240,nop,wscale 6,nop,nop,TS val 4278353387 ecr 0,sackOK,eol], length 0
18:04:05.372286 IP 10.6.0.1.22 > 10.6.0.2.53986: Flags [S.E], seq 161738644, ack 197032588, win 64296, options [mss 1380,sackOK,TS val 281199899 ecr 4278353387,nop,wscale 7], length 0
15:12:04.542437 IP 10.6.0.2 > 10.6.0.1: ICMP echo request, id 52036, seq 1, length 64
15:12:04.542470 IP 10.6.0.1 > 10.6.0.2: ICMP echo reply, id 52036, seq 1, length 64
Routes
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.0.1 0.0.0.0 UG 100 0 0 enp0s3
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s3
10.6.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
link-local 0.0.0.0 255.255.0.0 U 100 0 0 enp0s3
Netstat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:4711 0.0.0.0:* LISTEN
tcp 0 316 10.0.0.32:22 redacted:33572 ESTABLISHED
tcp 0 0 10.0.0.32:43860 169.254.169.254:80 ESTABLISHED
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 ::1:4711 :::* LISTEN
udp 0 0 0.0.0.0:9494 0.0.0.0:*
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 10.0.0.32:68 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp6 0 0 :::9494 :::*
udp6 0 0 :::53 :::*
udp6 0 0 :::111 :::*
IP Tables
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:9494 /* wireguard-input-rule */
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.6.0.0/24 ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
ACCEPT all -- 10.6.0.0/24 anywhere /* wireguard-forward-rule */
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
InstanceServices all -- anywhere 169.254.0.0/16
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain InstanceServices (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 169.254.0.2 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.2.0/24 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.4.0/24 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.5.0/24 owner UID match root tcp dpt:iscsi-target /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.0.2 tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.169.254 tcp dpt:domain /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.0.3 owner UID match root tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.0.4 tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT tcp -- anywhere 169.254.169.254 tcp dpt:http /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:bootps /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:tftp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
ACCEPT udp -- anywhere 169.254.169.254 udp dpt:ntp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
REJECT tcp -- anywhere 169.254.0.0/16 tcp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with tcp-reset
REJECT udp -- anywhere 169.254.0.0/16 udp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with icmp-port-unreachable
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
Chain ufw-before-input (1 references)
target prot opt source destination
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
UFW
$ sudo ufw status
Status: inactive
Thanks!
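Added example (not part of the post above, and not Pi-hole or WireGuard code): a first-match walk of the INPUT chain exactly as it is listed in the post, to show which rule produces the "admin prohibited" ICMP in the tcpdump capture and why the position of an added rule matters. Linux's `reject-with icmp-host-prohibited` sends ICMP type 3 code 10, which tcpdump prints as "host ... unreachable - admin prohibited", so the REJECT rule in INPUT is the only candidate in the listing that can produce that packet; the ufw-* chains are jumped to only after that REJECT, so they cannot influence the verdict whether ufw is active or not. One assumption is labelled in the code: `iptables -L` without `-v` hides `-i`/`-o` interface matches, so the fourth rule ("ACCEPT all anywhere anywhere") is modelled as a hypothetical `-i lo` rule, because an unconditional ACCEPT in that position would accept every packet and the REJECT below it could never have fired. The probes are constructed packets mirroring the captured flows, not real traffic.

```python
# Added example (not from the post): first-match walk of the INPUT chain as listed,
# showing which rule answers with icmp-host-prohibited and why rule order matters.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None        # "tcp" / "udp" / "icmp"; None means "all"
    dport: Optional[int] = None
    sport: Optional[int] = None
    states: Optional[Set[str]] = None  # conntrack states the rule requires
    in_iface: Optional[str] = None     # -i match; hidden by `iptables -L` without -v
    comment: str = ""


@dataclass
class Packet:
    proto: str
    iface: str
    state: str                         # "NEW", "ESTABLISHED" or "RELATED"
    dport: Optional[int] = None
    sport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match the rule carries is satisfied by the packet."""
    return all((
        rule.proto is None or rule.proto == pkt.proto,
        rule.dport is None or rule.dport == pkt.dport,
        rule.sport is None or rule.sport == pkt.sport,
        rule.states is None or pkt.state in rule.states,
        rule.in_iface is None or rule.in_iface == pkt.iface,
    ))


def first_match(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[int, str]:
    """Netfilter semantics: the first matching terminating rule decides; the chain
    policy applies only if nothing matched. Returns (1-based rule number, verdict),
    with rule number 0 meaning the policy decided."""
    for number, rule in enumerate(chain, start=1):
        if rule_matches(rule, pkt):
            return number, rule.target
    return 0, policy


# INPUT chain from the post, in listed order. Rule 4 is an ASSUMPTION: the listing
# shows "ACCEPT all anywhere anywhere", but an unconditional ACCEPT there would
# accept everything, so it must carry a hidden interface match (modelled as -i lo).
INPUT_CHAIN = [
    Rule("ACCEPT", proto="udp", dport=9494, comment="wireguard-input-rule"),
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", in_iface="lo", comment="ASSUMED hidden -i lo match"),
    Rule("ACCEPT", proto="udp", sport=123, comment="udp spt:ntp"),
    Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),
    Rule("REJECT", comment="reject-with icmp-host-prohibited"),
    # The ufw-* jumps listed after this point are unreachable: every packet that
    # gets this far has already been rejected by the rule above.
]

# Constructed probes mirroring the post's tcpdump: the first packet of each flow,
# so conntrack state is NEW; tunnel traffic arrives on wg0, the handshake on enp0s3.
PROBES: Dict[str, Packet] = {
    "dns":          Packet("udp", "wg0", "NEW", dport=53),
    "http":         Packet("tcp", "wg0", "NEW", dport=80),
    "ssh":          Packet("tcp", "wg0", "NEW", dport=22),
    "ping":         Packet("icmp", "wg0", "NEW"),
    "wg-handshake": Packet("udp", "enp0s3", "NEW", dport=9494),
}


def verdicts(chain: List[Rule]) -> Dict[str, Tuple[int, str]]:
    return {name: first_match(chain, pkt) for name, pkt in PROBES.items()}


def append_wg0_accept(chain: List[Rule]) -> List[Rule]:
    """Model of `iptables -A INPUT -i wg0 -j ACCEPT`: -A appends, so the new rule
    lands after the REJECT and is never consulted for tunnel traffic."""
    return chain + [Rule("ACCEPT", in_iface="wg0")]


def insert_wg0_accept(chain: List[Rule]) -> List[Rule]:
    """Model of `iptables -I INPUT 1 -i wg0 -j ACCEPT`: -I with position 1 puts the
    rule at the top, ahead of the REJECT."""
    return [Rule("ACCEPT", in_iface="wg0")] + chain


if __name__ == "__main__":
    for label, chain in (("as listed", INPUT_CHAIN),
                         ("after -A INPUT -i wg0 -j ACCEPT", append_wg0_accept(INPUT_CHAIN)),
                         ("after -I INPUT 1 -i wg0 -j ACCEPT", insert_wg0_accept(INPUT_CHAIN))):
        print(label)
        for name, (num, verdict) in verdicts(chain).items():
            print(f"  {name:13s} rule {num}: {verdict}")
```

On the real host the equivalent check is `sudo iptables -L INPUT -v -n --line-numbers`, which shows the interface matches that plain `-L` hides plus per-rule packet counters, so the rule whose counter climbs while the client retries is the one answering; `sudo iptables -S INPUT` prints the same chain as the original `-A`/`-I` commands. Whether the accept rule for wg0 belongs at position 1 or somewhere narrower (only UDP/TCP 53 and TCP 80 from 10.6.0.0/24, say) is a policy choice; the model only shows that anything placed after the REJECT, including anything in the ufw chains, has no effect.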