Pi-hole is normally configured on your router or on a separate device on your LAN (e.g., Raspberry Pi) so that all devices connected to your LAN (Wi-Fi) can use it. But this doesn’t help when you’re not connected to your home network. To use Pi-hole even when not connected to your Wi-Fi, i.e., when you’re outside home, you can connect to it over Tailscale VPN. In this post, we look at installing Pi-hole on WSL2 instead of a separate device on your network.
First, install Tailscale on WSL2. Once you have Tailscale running, you can install Pi-hole on WSL2 and use it as the DNS provider for all your devices connected to the Tailscale VPN.
Install Pi-hole on WSL2
Download the Pi-hole files and run install using the instructions from Pi-hole docs' Basic Install
During installation, select the web interface as
Since we already have the Apache server that we installed for Nextcloud, we can use that for Pi-hole instead of installing the lighttpd server that comes along with it. During Pi-hole installation, install the web interface but not the web server. Deselect the option for lighttpd when asked in the installer.
Follow the instructions for using Apache for Pi-hole at this Gist
After installation, install the SQLite connector for PHP with
sudo apt install php-sqlite3
Start Pi-hole using the following commands:
sudo pihole restartdns
sudo pihole enable
Check the config for 004-pihole.conf in Apache configs at /etc/apache2/sites-available to allow from required IPs. The IPs in this list should be the Tailscale IPs of your devices.
Set password for Pi-hole user with
pihole -a -p
Add the user pihole to the www-data group with
sudo adduser pihole www-data
chown -R www-data:www-data admin and
chown -R www-data:www-data pihole under the
After making changes run
Connect to Tailscale from Windows
You can now access the Pi-hole admin page at http://wsl2-tailscale-ip/admin
Login to Pi-hole admin
In Pi-hole Settings > DNS, check that under the Potentially dangerous options, the option for “Respond only on interface tailscale0” is selected
Go to the Tailscale admin panel and under Settings > DNS, add the WSL2’s Tailscale IP to Global Nameservers. Set “Override local DNS” to ON.
With this, the DNS server for your devices connected to Tailscale VPN is the Pi-hole server running on WSL2
With the DNS settings changed, you should also be able to access Pi-hole admin at http://pi.hole/admin from devices connected to Tailscale
If you’ve enabled MagicDNS in Tailscale, Pi-hole admin can be accessed at http://wsl2-tailscale-hostname/admin
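For the 004-pihole.conf step above, the following added example (not from the original post or the referenced Gist) audits the Apache allow-list and reports any entry that is not loopback or a Tailscale IPv4 address. It assumes access is granted with "Require ip" or "Allow from" lines; the function names and the sample fragment are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post or the referenced Gist.
# Audits the allow-list of an Apache site file such as 004-pihole.conf.
# Assumption: access is granted with "Require ip" or "Allow from" lines.

# audit_allowlist [FILE]   (reads stdin when FILE is omitted)
# Prints one finding per line; returns 0 when every entry is loopback or a
# Tailscale IPv4 address, 1 otherwise. IPv6 entries other than ::1 are
# reported for manual review.
audit_allowlist() {
  awk '
    function tailscale(ip,   o, p) {
      p = 32
      if (ip ~ /\//) { p = ip; sub(/.*\//, "", p); sub(/\/.*/, "", ip) }
      if (split(ip, o, ".") != 4) return 0
      # Tailscale hands out IPv4 addresses from 100.64.0.0/10
      return (o[1] == 100 && o[2] >= 64 && o[2] <= 127 && p + 0 >= 10)
    }
    /^[ \t]*#/ { next }                       # ignore commented-out lines
    {
      d = tolower($1 " " $2)
      if (d == "require all" && tolower($3) == "granted") {
        print "OPEN: " $1 " " $2 " " $3; bad = 1; next
      }
      if (d != "require ip" && d != "allow from") next
      for (i = 3; i <= NF; i++) {
        if (tolower($i) == "all") { print "OPEN: " $1 " " $2 " " $i; bad = 1 }
        else if ($i != "127.0.0.1" && $i != "::1" && !tailscale($i)) {
          print "REVIEW: " $i; bad = 1
        }
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$@"
}

# Constructed sample site fragment for demonstration only.
sample_conf() {
  cat <<'EOF'
<Location /admin>
    # Require ip 8.8.8.8
    Require ip 100.101.102.103 127.0.0.1
    Require ip 192.168.1.20
    Allow from all
</Location>
EOF
}

sample_conf | audit_allowlist || echo "allow-list contains non-Tailscale entries"
```

To check the real file, run audit_allowlist /etc/apache2/sites-available/004-pihole.conf after editing it.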
- If there are errors when saving blacklist items in Pi-hole admin, check that the user pihole is added to the www-data group by running groups pihole. Also check that the folders are owned by www-data. Make sure to run pihole -g after making permission changes.
- After restarting your PC or WSL2, you will need to run sudo pihole restartdns to start Pi-hole
Errors after updating Pi-hole
After updating Pi-hole using pihole -up, the settings are reset to default such that the admin can’t be accessed from http://pi.hole/admin but will work from http://wsl2-tailscale-hostname/admin. To fix this, go to Settings > Potentially dangerous options and check the option for “Respond only on interface tailscale0”. This is the option selected during initial setup.
This post is part of a series about using Tailscale & WSL2 for Nextcloud and Pi-hole.