weejewel
Hey, I’m the author of wg-easy, nice to see my project in here!
As for all the license discussions, I just don’t want a company to pack my work and sell it as a commercial device or service. I’m open to a better license which covers that.
cpach
Did you consider AGPL?
AnonC
AGPL only forces the company to release the sources even if it’s used on a SaaS platform. There’s nothing in AGPL to prevent commercial use/sale or packaging this together with something else (as long as source is made available).
cpach
That is indeed true, but in practice, the features of AGPL might be enough to make most people avoid trying to commercialise an AGPL project.
jddj
Elastic maybe?
botanicalfriend
This looks super useful. It is a bit convoluted to set up WG/PiHole/Unbound/foo and link them all together. But it is not tedious enough that I’d ever put in the time to make a whole UI to improve it. I’m glad someone did though; it’s these little things that you don’t realize you need :-)
m1chae1
I created an account after years of lurking. This does exactly what I want. Can anyone point me in the right direction? My Pi-hole and Unbound DNS is working flawlessly and installation was easy. But I have lost countless hours trying to add WireGuard to the mix. I got it running, I can connect, but my DNS stops working when WireGuard is running or my WireGuard has no internet. I have found people with the exact same issue but it's still not working. This guy https://www.google.com/url?sa=t&source=web&rct=j&opi=8997844... was facing similar issues but got it running, but I couldn't even with these instructions. Also, I'm running this on a Pi 3, and adding Docker is probably going to be a performance hit so I'm not too keen.
all2
How willing are you to start from scratch? Pack up your configs in a git repo and nuke your installation. When I run into intractable configuration issues, I typically start from scratch to see if I can get them to work. You might try doing it from scratch on your workstation in a VM/container to see if the issue crops up there as well.
Scrubbington
My setup on Raspberry Pi 3 is
- Dietpi [1]
- Unbound
- WireGuard via PiVPN [2]
- AdGuard, as a replacement of PiHole, never went back
Every time I tried to move it to a container-based solution (Portainer is quite helpful), I ran into problems here and there, adding more complexity in terms of another network layer, container volumes, updating one piece of this (unbound, pihole, vpn) conflicting with the full stack, updating Dietpi itself.
Is it me getting old and lazy, neglecting container stuff?
Anyway, travelling around the globe being able to surf via homeland ip ranges, reverse DNS, adblocking and access to my NAS was never easier and so far - great uptime, no major f*ckups.
BrandoElFollito
One of the reasons I never switched from dnsmasq is the integrated DHCP/DNS service.
Unbound did not have this (nor any service I know), and you need extra care to handle your local devices' registration.
The fact that dnsmasq is the only service I know that manages dhcp records on dns makes me wonder if I am not doing something wrong.
spockz
I think the pihole docker image uses dnsmasq. It definitely supports being the dhcp server and integrates clients into its dns responses.
BrandoElFollito
Yes it does. I was referring to switching to unbound.
byteknight
Unbound is not intended to be a PiHole service. It's a resolver.
globular-toast
PfSense can do it, but I suppose it "manually" configures the DNS server using the DHCP part.
You could also consider using zeroconf/avahi if you can. You don't even need a DHCP server for it (although you won't be able to connect to the internet etc).
BrandoElFollito
PfSense uses dnsmasq under the hood, no?
globular-toast
It uses unbound for the DNS resolver. Perhaps the DNS forwarder uses dnsmasq, but I don't use it.
figmert
Adguard Home does too.
Anyway, regardless, you can use dnsmasq with Unbound.
BrandoElFollito
> you can use dnsmasq with Unbound
could you elaborate on that? How is the connection done?
figmert
Dnsmasq needs an upstream server to resolve the DNS queries. That upstream server can be anything: Google, Cloudflare, Quad9, or a local Unbound instance.
You run an unbound server with a static IP, and point dnsmasq to said static IP.
OP's setup has this configured through Pi-hole. Look at the docker-compose file.
Edit: I just remembered Pi-hole has an official guide for this: https://docs.pi-hole.net/guides/dns/unbound/
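A minimal pair of config files for the dnsmasq-to-Unbound chain figmert describes, as an added example that is neither the thread's nor the WireHole project's code; listen address, port and output paths are assumptions, with 127.0.0.1:5335 taken from the Pi-hole guide linked above:

```shell
# Added example, not code from the thread or the WireHole project: render the
# two files that chain dnsmasq (plain, or inside Pi-hole) to a local recursive
# Unbound. Listen address, port and output paths are assumptions; 127.0.0.1:5335
# is the listener the Pi-hole guide uses.

render_unbound_conf() {  # $1 = listen address, $2 = port
  cat <<EOF
server:
    # Loopback only: dnsmasq is the sole client; LAN hosts and WireGuard
    # peers never talk to the recursive resolver directly.
    interface: $1
    port: $2
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Recurse from the root servers: no forwarder, so no single upstream
    # sees every query.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    # Refuse private addresses in answers from the public internet
    # (DNS rebinding protection for the home LAN and the tunnel subnet).
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
EOF
}

render_dnsmasq_upstream() {  # $1 = address, $2 = port
  # dnsmasq separates address and port with '#', not ':'.
  printf 'server=%s#%s\n' "$1" "$2"
}

write_configs() {  # $1 = scratch directory; copy the files into place by hand
  mkdir -p "$1"
  render_unbound_conf 127.0.0.1 5335 > "$1/pi-hole.conf"        # -> /etc/unbound/unbound.conf.d/
  render_dnsmasq_upstream 127.0.0.1 5335 > "$1/99-unbound.conf"  # -> /etc/dnsmasq.d/
}

write_configs "${OUT:-/tmp/dns-chain}"
```

On Pi-hole itself, set the upstream to 127.0.0.1#5335 in the admin UI (or via PIHOLE_DNS_ in docker-compose) instead of dropping the dnsmasq file in; the drop-in is for a standalone dnsmasq.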
sthlmb
Ooh, this is definitely something to play around with tomorrow. A split-tunnel on my phone would be nice!
byteknight
Yup! Now we're thinking alike. Split only DNS and bingo, native ad blocking.
esperent
Besides self hosting, is there anything this gives you that using NextDNS with a personal blocklist and adblock turned on can't do?
poisonborz
Not routing every request through a single third party service?
byteknight
Not really, other than privacy.
yetanother-1
Would you give more explanation please? How are you planning on setting it up?
byteknight
Run WireGuard on your phone. Follow instructions for split tunneling. Only tunnel the IP of your DNS (PiHole) and boom.
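The DNS-only split tunnel sthlmb and byteknight are discussing, as an added example that is neither the thread's nor the project's code: a rendered phone config plus a check for the two settings that defeat the idea, a default route in AllowedIPs (it is then a full tunnel) or an AllowedIPs that does not cover the DNS address (queries then bypass the tunnel). Keys, endpoint and the 10.8.0.0/24 tunnel subnet are assumed placeholders.

```shell
# Added example, not code from the thread or the WireHole project. Keys,
# endpoint and the 10.8.0.0/24 tunnel subnet are constructed placeholders.

dns_only_client_conf() {  # $1 = Pi-hole IP inside the tunnel, $2 = server endpoint
  cat <<EOF
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
DNS = $1

[Peer]
PublicKey = <server-public-key>
Endpoint = $2
# Only the resolver's /32 is routed through the tunnel; all other traffic
# leaves the phone directly, so this blocks ads but is not a privacy VPN.
AllowedIPs = $1/32
PersistentKeepalive = 25
EOF
}

ip2int() {  # dotted-quad IPv4 -> integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {  # $1 = IPv4 address, $2 = a.b.c.d/n (bare address means /32)
  net=${2%/*}; bits=${2#*/}; [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# 0 = DNS-only split tunnel. 1 if AllowedIPs carries a default route, or does
# not cover the (IPv4) DNS server so queries go to the carrier's resolver.
check_dns_only() {  # $1 = WireGuard config file
  dns=$(sed -n 's/^DNS *= *//p' "$1" | head -n 1)
  allowed=$(sed -n 's/^AllowedIPs *= *//p' "$1" | tr -d ' ')
  [ -n "$dns" ] && [ -n "$allowed" ] || return 1
  covered=0; old_ifs=$IFS; IFS=,
  for cidr in $allowed; do
    case $cidr in
      0.0.0.0/0|::/0) IFS=$old_ifs; return 1 ;;   # full tunnel, not split
      *:*) continue ;;                            # IPv6 entries are skipped
    esac
    in_cidr "$dns" "$cidr" && covered=1
  done
  IFS=$old_ifs
  [ "$covered" -eq 1 ]
}
```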
josephcsible
I don't see a license.
byteknight
Added :)
josephcsible
You went with a proprietary one :(
byteknight
No - I had to inherit the licenses of the projects I used within it :(
Nrbelex
See also Algo VPN: https://github.com/trailofbits/algo
selfhoster69
Replace Pihole and Unbound with AdGuard and this stack will instantly be more efficient, fast and significantly more powerful.
tristanb
Does this have any mdns reflection?
ace2358
Is that what is required so I can do my server.local and have it work? I’ve struggled a lot with .local stuff with various routers and port openings etc. I know that .local isn’t a standard or something and I’m meant to use something else. I’ve never known what to google to fix it though.
JamesSwift
.local is a standard. It's a part of mDNS (multicast DNS). Don't use it for your own DNS records.
I'm not sure what exact issue you are having, but if you are trying to resolve mDNS .local across internal networks then you need to look up mDNS reflection. If you are trying to use .local for your own DNS records then pick something else (ideally using an actual registered TLD, so e.g. if you own foo.com then you could use lan.foo.com for your internal records).
Dathuil
I ran into this issue a few months ago when I got some time to actually set up my home server and wanted to use URLs like nas.local and homeassistant.local on my home network to make things easy for my family to access.
Worked fine on Windows but all the Apple devices in the house had a conniption when trying to connect. I ended up just using my personal domain replacing .local. Am currently investigating a wildcard DNS SSL cert to get HTTPS working on the LAN, but that's more out of curiosity than anything else.
nilespotter
> .local is a standard. Its a part of mDNS (multicast DNS). Dont use it for your own DNS records.
Hell to the no. They should have camped on less valuable real estate if they wanted it exclusively. I use .local for every host on my local network and I will never stop.
In Debian 12 I just change this:
hosts: files resolve [!UNAVAIL=return] dns
to this:
hosts: files dns resolve [!UNAVAIL=return]
in /etc/nsswitch.conf, and everything acts just fine.
> ideally using an actual registered TLD
wat
josephcsible
What should you use for internal records if you don't own a domain?
josephcsible
This uses wg-easy, which isn't open source.
repelsteeltje
This wg-easy?
Definitely not an OSI approved license, but does look like they made an attempt in the spirit of GPL, no?
https://github.com/wg-easy/wg-easy/blob/master/LICENSE.md
> You may:
> - Use this software for yourself;
> - Use this software for a company;
> - Modify this software, as long as you:
> * Publish the changes on GitHub as an open-source & linked fork;
> * Don't remove any links to the original project or donation pages;
> You may not:
> - Use this software in a commercial product without a license from the original author;
AshamedCaptain
"Spirit of the GPL" not really, and the terms you quoted already make it incompatible with the GPL itself. Pretty draconian if you ask me (Github???).
repelsteeltje
Draconian, perhaps. Or just clumsy.
I learned not to attribute to malice what can be attributed to incompetence.
byteknight
This is accurate. I just recently added the GUI from wg-easy as a revival of the project. If you want the fully open source version you can go back a couple commits before I added the GUI.
josephcsible
Either there's a giant loophole in that license or it prevents you from modifying wg-easy at all. In particular, the prohibition on commercial use is clearly not open source, so the only way you could comply with the requirement to publish your changes in an open-source fork would be for your fork to have a different license. If that is allowed, then the giant loophole is that you could pick MIT, and then the rest of the world could use your fork and ignore the original's license. If that's not allowed, then there's no way for you to comply with that requirement and so you can't modify wg-easy at all.
byteknight
I think you're misunderstanding how licenses work. Being that WireHole is a conglomerate of a multitude of projects, I am required to utilize the most restrictive version of that license.
I believe you're also thoroughly misunderstanding the license terms that are present. The license says that you can utilize it in a commercial setting and in a commercial environment; you just cannot resell the product.
This means that an Enterprise can openly use it within their Enterprise; they just cannot sell it as a service that they offer.
While this is not the license that I would have chosen for a greenfield project, at the moment I am at the mercy of the licenses in place for the projects that I am using. Once I replace the UI with a proprietary one everything will be fully open source the way it's intended.
uneekname
oof, I've been using wg-easy and didn't realize the weird license situation. I like it but the image doesn't get updated as often as I'd like. I've been meaning to either build out an alternative or at least rebuild wg-easy with the latest packages.
byteknight
My plan is to replace the UI with a fully open-source version. This is part of the early revival.
uneekname
Awesome, let me know if/how I can help!
deelowe
Huh? Yes it is.
byteknight
I believe OP is referring to OSI licenses as being open source. Wg-easy uses a simple but proprietary license.
ThinkBeat
>* Publish the changes on GitHub as an open-source & linked fork;
Great, an open-source license that mandates the use of a proprietary Microsoft product.
j45
Doesn’t seem exclusive, and could be posted elsewhere in addition.
It might not be ideal or my choice but the alternative of no choice at all would probably be more concerning.
byteknight
This is true and only true while the project uses wg-easy. Once the new UI is done it will no longer be required.
j45
Oh that’s a great clarification, thanks!
mcfedr
That's what stops it being an open source license.
WireHole offers a unified docker-compose project that integrates WireGuard, PiHole, and Unbound, complete with a user interface. This solution is designed to empower users to swiftly set up and manage either a full or split-tunnel WireGuard VPN. It features ad-blocking capabilities through PiHole and enhanced DNS caching and privacy options via Unbound. The intuitive UI makes deployment and ongoing management straightforward, providing a comprehensive VPN solution with added privacy features.