Use your devices with Pi-hole when not connected to your LAN.
Pi-hole is normally configured on your router or on a separate device on your LAN (e.g., a Raspberry Pi) so that all devices connected to your LAN (Wi-Fi) can use it. But this doesn’t help when you’re not connected to your home network. To use Pi-hole even when you’re not on your Wi-Fi, i.e., when you’re away from home, you can connect to it over the Tailscale VPN. In this post, we look at installing Pi-hole on WSL2 instead of on a separate device on your network.
First, install Tailscale on WSL2. Once you have Tailscale running, you can install Pi-hole on WSL2 and use it as the DNS provider for all your devices connected to the Tailscale VPN.
Install Pi-hole on WSL2
- Download the Pi-hole files and run the installer following the Basic Install instructions in the Pi-hole docs.
- During installation, select `tailscale0` (not `eth0`) as the interface Pi-hole listens on.
- Since we already have the Apache server that we installed for Nextcloud, we can use that for Pi-hole instead of installing the lighttpd that comes along with it. During the Pi-hole installation, install the web interface but not the web server: deselect the `lighttpd` option when the installer asks.
- Follow the instructions for using Apache for Pi-hole at this Gist.
- After installation, install the SQLite connector for PHP with `sudo apt install php-sqlite3`.
- Start Pi-hole using the following commands:
  `sudo pihole restartdns`
  `sudo pihole enable`
- Check the config for `004-pihole.conf` in the Apache configs at `/etc/apache2/sites-available` to allow access from the required IPs. The IPs in this list should be the Tailscale IPs of your devices.
- Set the password for the Pi-hole user with `pihole -a -p`.
- Add the user `pihole` to the `www-data` group with `sudo adduser pihole www-data`.
- Run `chown -R www-data:www-data admin` and `chown -R www-data:www-data pihole` under the `/var/www/html` folder.
- After making changes, run `pihole -g`.
- Connect to Tailscale from Windows
- You can now access the Pi-hole admin page at http://wsl2-tailscale-ip/admin
- Login to Pi-hole admin
- In Pi-hole Settings > DNS, check that under the Potentially dangerous options, the option for “Respond only on interface tailscale0” is selected
- Go to the Tailscale admin panel and, under Settings > DNS, add the WSL2 machine’s Tailscale IP to Global Nameservers. Turn “Override local DNS” on.
- With this, the DNS server for your devices connected to Tailscale VPN is the Pi-hole server running on WSL2
- With the DNS settings changed, you should also be able to access Pi-hole admin at http://pi.hole/admin from devices connected to Tailscale
- If you’ve enabled MagicDNS in Tailscale, Pi-hole admin can also be accessed at http://wsl2-tailscale-hostname/admin
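The step above that edits `004-pihole.conf` is where the admin page’s exposure is decided: whatever is in that allow list can reach the Pi-hole web interface. The following script is an added example, not part of the original post or of the Gist it links to. It builds the Apache 2.4 `Require ip` block from a list of Tailscale IPv4 addresses and refuses any address outside Tailscale’s 100.64.0.0/10 range, so a mistyped LAN or public address cannot slip into the list. The `/var/www/html/admin` path and the way you collect the IPs (from the Tailscale admin panel or `tailscale status`) are assumptions about your setup.

```shell
#!/bin/sh
# Added example (not from the original post or the referenced Gist): build the
# Apache 2.4 access block for Pi-hole's admin directory from a list of Tailscale
# IPv4 addresses. Every address is checked against Tailscale's 100.64.0.0/10
# range first, so a typo cannot silently admit a LAN or public address.
# The /var/www/html/admin path and the way you obtain the IPs (e.g. from the
# Tailscale admin panel or `tailscale status`) are assumptions about your setup.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address inside 100.64.0.0/10.
tailscale_ip_ok() {
    ip=$1
    case "$ip" in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    # split on dots without touching IFS; exactly four octets are required
    set -- $(printf '%s' "$ip" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    # 100.64.0.0/10 is 100.64.0.0 through 100.127.255.255
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Print a <Directory> block that allows only the given addresses. Prints
# nothing and returns 1 if any address fails validation.
render_apache_allow() {
    for ip in "$@"; do
        tailscale_ip_ok "$ip" || { echo "refusing non-Tailscale address: $ip" >&2; return 1; }
    done
    printf '<Directory /var/www/html/admin>\n'
    printf '    <RequireAny>\n'
    for ip in "$@"; do
        printf '        Require ip %s\n' "$ip"
    done
    printf '    </RequireAny>\n'
    printf '</Directory>\n'
}

# Usage: sh pihole-allow.sh 100.101.102.103 100.104.105.106
# Paste the output into /etc/apache2/sites-available/004-pihole.conf, then run
# `sudo apache2ctl configtest` and reload Apache.
if [ $# -gt 0 ]; then
    render_apache_allow "$@"
fi
```

Keeping the validation separate from the rendering means you can also call `tailscale_ip_ok` on its own when reviewing an existing config, and the script fails closed: one bad address aborts the whole block rather than producing a partially correct file.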
Troubleshooting
- If there are errors when saving blacklist items in Pi-hole admin, check that the user `pihole` is added to the `www-data` group by running `groups pihole`. Also check that the folders are owned by `www-data`. Make sure to run `pihole -g` after making permission changes.
- After restarting your PC or WSL2, you will need to run `sudo pihole restartdns` to start Pi-hole.
Errors after updating Pi-hole
After updating Pi-hole using `pihole -up`, the settings are reset to defaults such that the admin page can’t be accessed from http://pi.hole/admin but will work from http://wsl2-tailscale-hostname/admin. To fix this, go to Settings > Potentially dangerous options and check the option for “Respond only on interface tailscale0”. This is the same option selected during the initial setup; it sometimes gets reset on update.
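The two troubleshooting items above (group membership and ownership of the web folders, and the interface binding that `pihole -up` can reset) are easy to check in one go. The script below is an added example, not part of the original post. It assumes the Pi-hole v5 layout in which the settings live in `/etc/pihole/setupVars.conf`, with the listening interface stored as `PIHOLE_INTERFACE` and “Respond only on interface” stored as `DNSMASQ_LISTENING=single`; the `/var/www/html/admin` and `/var/www/html/pihole` paths and the `pihole`/`www-data` names are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a post-install / post-update
# health check for the setup described in the post. Assumptions: Pi-hole v5
# layout (settings in /etc/pihole/setupVars.conf, where "Respond only on
# interface" is stored as DNSMASQ_LISTENING=single next to PIHOLE_INTERFACE),
# web files under /var/www/html, and a pihole user that must be in www-data.

# Return 0 if user $1 is a member of group $2 (same data as `groups $1`).
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Return 0 if the file or directory $1 exists and is owned by user $2.
owned_by() {
    [ -e "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# Return 0 if the setupVars-style file $1 binds Pi-hole to interface $2 only.
# Both keys must match: when an update resets the listening mode, the
# DNSMASQ_LISTENING line changes or disappears and this check fails.
listen_on_interface_only() {
    [ -r "$1" ] || return 1
    grep -qxF "PIHOLE_INTERFACE=$2" "$1" && grep -qxF "DNSMASQ_LISTENING=single" "$1"
}

# Run every check against the real paths and report; return 1 if any fails.
check_pihole_setup() {
    rc=0
    user_in_group pihole www-data \
        || { echo "FAIL: pihole is not in www-data (fix: sudo adduser pihole www-data)"; rc=1; }
    owned_by /var/www/html/admin www-data \
        || { echo "FAIL: /var/www/html/admin is not owned by www-data"; rc=1; }
    owned_by /var/www/html/pihole www-data \
        || { echo "FAIL: /var/www/html/pihole is not owned by www-data"; rc=1; }
    listen_on_interface_only /etc/pihole/setupVars.conf tailscale0 \
        || { echo "FAIL: Pi-hole is not restricted to tailscale0 (re-select 'Respond only on interface tailscale0')"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: permissions and interface binding look right"
    return "$rc"
}

# Usage: sh check-pihole.sh --run   (run after install, after `pihole -up`,
# and after every `pihole -g`; the functions can also be sourced individually)
if [ "${1:-}" = "--run" ]; then
    check_pihole_setup
fi
```

Each check is a small function that returns a status rather than printing, so the same functions can be reused from a cron job or a Tailscale-side monitor; only `check_pihole_setup` knows the real paths, which keeps the checks themselves testable against throwaway files.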
This post is part of a series about using Tailscale & WSL2 for Nextcloud and Pi-hole. See the other posts: