Wireguard - No internet access with PiHole

Hi All,

Thanks for the awesome software. I’ve installed wireguard and I can connect internally fine using IP addresses, and externally when using an external DNS, e.g. 1.1.1.1.

I can’t use my piHole IP though (192.168.1.2). Hosts on the LAN use this fine and it isn’t an issue. Any ideas?

Cheers
Gary

OK quick update, I’ve found if I use my home router’s IP address (192.168.1.1), and then set its primary DNS server to the pihole (192.168.1.2) it actually works.

I suspect it may be some sort of issue with pihole and wireguard on the same machine, some sort of firewall or loop back type issue?

Hi,

Yep, it’s actually a behavior of PiHole. I fixed it for myself by changing PiHole DNS Settings to > Listen on all interfaces, permit all origins

Awesome, thanks, that did it :)

For what it’s worth for other people trying to use Wireguard, I also needed to make a change to:
/etc/sysctl.conf

I had to uncomment the following line:
net.ipv4.ip_forward=1

Then reboot.

For me it is not needed at all to change anything in /etc/sysctl.conf. WireGuard is working. I can access my Local Network as well as the Internet. And PiHole is acting as DNS Server.

root@DietPi4:~# cat /etc/sysctl.conf|grep net.ipv4.ip_forward
#net.ipv4.ip_forward=1
root@DietPi4:~#

One comment on that change - I had to do it on my Pi (hosting both Wireguard and PiVPN) and after reboot the change reverted (and PiVPN lost access to anything outside of the Pi).

As a temporary measure I’ve set up a systemd service to run a script setting that traffic forwarding again on boot-up, but at least on my set-up there’s something weird going on with sysctl.conf.

In any case for my configuration Wireguard worked fine either way, it was PiVPN (configured for OpenVPN support) which failed.

Hi Guys,

In the meantime it became clear that the setting of net.ipv4.ip_forward=1 depends on how WireGuard was installed. Basically there are 2 ways.

  1. Installation done directly via dietpi-software
  2. Installation done using PiVPN

In case of option 1, applying this setting system-wide is not required, since we apply it right via the server config on service start, for the involved network interfaces:

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
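
As an added example (not part of the thread and not DietPi or PiVPN code), this script tells apart the two states discussed above: system-wide net.ipv4.ip_forward=1 versus forwarding enabled only on the VPN and LAN interfaces, which is the narrower setting the PostUp lines apply. The interface names wg0 and eth0, the PROC_ROOT override and the function names are assumptions; the sample trees are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify how IPv4 forwarding is enabled.
# PROC_ROOT is a hypothetical override so the check can run on a constructed
# tree; when unset, the live /proc/sys is read.

fwd_value() {   # $1 = path below net/ipv4; prints the value or "missing"
    f="${PROC_ROOT:-/proc/sys}/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# forwarding_scope <vpn_iface> <lan_iface> prints one of:
#   global         ip_forward=1 and both interfaces forward
#   per-interface  only the named interfaces forward (the PostUp approach)
#   off            at least one of the two interfaces does not forward
forwarding_scope() {
    for i in "$1" "$2"; do
        [ "$(fwd_value "conf/$i/forwarding")" = 1 ] || { echo off; return 1; }
    done
    if [ "$(fwd_value ip_forward)" = 1 ]; then echo global
    else echo per-interface; fi
}

# make_tree <dir> <ip_forward> <wg0> <eth0>: constructed stand-in for /proc/sys
make_tree() {
    mkdir -p "$1/net/ipv4/conf/wg0" "$1/net/ipv4/conf/eth0"
    echo "$2" > "$1/net/ipv4/ip_forward"
    echo "$3" > "$1/net/ipv4/conf/wg0/forwarding"
    echo "$4" > "$1/net/ipv4/conf/eth0/forwarding"
}

# Constructed sample states; the interface names wg0/eth0 are assumptions.
demo() {
    d=$(mktemp -d)
    make_tree "$d/postup" 0 1 1     # PostUp lines ran, sysctl.conf untouched
    make_tree "$d/sysctl" 1 1 1     # net.ipv4.ip_forward=1 uncommented
    make_tree "$d/reverted" 0 0 0   # setting lost after a reboot
    for s in postup sysctl reverted; do
        printf '%s: ' "$s"
        ( PROC_ROOT="$d/$s"; forwarding_scope wg0 eth0 ) || true
    done
    rm -rf "$d"
}
demo
```

On a live system, call forwarding_scope with the real VPN and LAN interface names and PROC_ROOT unset.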

Joulinar - on my Pi both WG and PiVPN (hosting OpenVPN) are installed, both via dietpi-software.

Would that explain why I have to set the forwarding by script at reboot otherwise the OpenVPN cannot connect to anything outside the Pi (to my network or the Internet)?

It’s all working fine now, but only because I set that forwarding via a systemd triggered script.

Hi,

No, that’s a misunderstanding.

Wireguard can be installed 2 ways:

  1. Using the PiVPN package, as PiVPN is offering both options now: WireGuard as well as OpenVPN. But if you use PiVPN to install WireGuard or OpenVPN, you will have to set the parameter.
  2. If you install WireGuard directly from dietpi-software all is fine.

So the issue seems to be with the PiVPN script not handling the settings correctly.

See as well GitHub https://github.com/MichaIng/DietPi/issues/2505

Yes, that does seem like the same issue I have.

To be clear I don’t have any issue with Wireguard at all, the issue is with the PiVPN install (which is used for OpenVPN, not Wireguard). Wireguard is installed via dietpi-software and has no issue.

It sounds like the issue described on Github is affecting me too, although in my case I just worked around it by resetting the forwarding via a script triggered by a systemd service. But if it’s now a replicated and known issue hopefully that won’t be needed anyway if it can be fixed at source.

This doesn’t do the trick for me. Still no internet access via VPN (Wireguard). Using a Raspberry Pi 4B, dietpi, pi-hole, … all installed with dietpi-software UI. IP forwarding is on (not changed by me).
Any other tips?

Can you check using the wg command whether the VPN connection was established?

Can’t check it now, but the connection must be established, as I was able to SSH to the Pi.
Today I also needed to set back pi-hole settings to “Listen only on interface eth0”, as I had connection issues in my network and pi-hole didn’t seem to block anything with “Listen on all interfaces, permit all origins”.

“Listen on all interfaces, permit all origins” is needed, otherwise PiHole will not react to requests coming from the VPN interface.

Same problem here. Must exist since latest updates, a couple of weeks ago with another setup it was working out of the box.
With an active Wireguard connection I can reach the Pi itself but nothing behind it; the traffic won’t get routed past it.
You will have to set to listening only on eth0 or whatever your interface name is in PiHole settings. For now after PiHole installation it’s set to only allow traffic that is 1 Hop away not further.
On top I did pivpn -d for debug mode and then during the test it asks you to activate IP forwarding.
Really this was driving me nuts the last couple days but finally it’s working again with PiHole in combination with Wireguard :)

Yes, if you are using PiVPN, you would need to set IP forwarding manually. This would not be needed if you install WireGuard directly from DietPi Software Catalog.