

What is this?

WireHole is a docker-compose project that combines WireGuard, PiHole, and Unbound to create a full or split-tunnel VPN that is easy to deploy and manage. This setup allows for a VPN with ad-blocking via PiHole and enhanced DNS privacy and caching through Unbound.


Supported Architectures

The image supports multiple architectures such as x86-64, arm64, and armhf. The linuxserver/wireguard image automatically selects the correct image for your architecture.

The architectures supported by this image are:



To begin using WireHole, clone the repository and start the containers:


# Clone the WireHole repository from GitHub
git clone https://github.com/IAmStoxe/wirehole.git

# Change directory to the cloned repository
cd wirehole

# Update the .env file with your configuration
cp .env.example .env
nano .env  # Or use any text editor of your choice to edit the .env file

# Replace the public IP placeholder in the docker-compose.yml
sed -i "s/REPLACE_ME_WITH_YOUR_PUBLIC_IP/$(curl -s ifconfig.me)/g" docker-compose.yml

# Start the Docker containers
docker compose up

Remember to set secure passwords for WGUI_SESSION_SECRET, WGUI_PASSWORD, and WEBPASSWORD in your .env file.

Environment Configuration Details

The .env file contains a series of environment variables that are essential for configuring the WireHole services within the Docker containers. Here is a detailed explanation of each variable:

General Settings

User / Group Identifiers

Network Settings

WireGuard Settings

WireGuard-UI Settings

Pi-hole Settings

Remember to replace any default or placeholder values with secure, unique values before deploying your services.

Recommended Configuration / Split Tunnel

For a split-tunnel VPN, configure your WireGuard client AllowedIps to, which will route only the web panel and DNS traffic through the VPN.

Accessing the Web Panel (WireGuard-UI)

Manage your WireGuard VPN through the WireGuard-UI at:


Log in with the WGUI_USERNAME and WGUI_PASSWORD you have set in your .env file.

Features of WireGuard-UI

Access PiHole

Connect to WireGuard and access the Pi-hole admin panel at The login password is the one set as WEBPASSWORD in your .env file.

Dynamic DNS (DDNS)

Configure DDNS by setting WG_HOST in your .env file to your DDNS URL.

    - WG_HOST=my.ddns.net

Configuring / Parameters

Additional Settings and Considerations

Support and Updates

Credit to LinuxServer.io for their maintenance of the Wireguard image and other contributions to the project.