Finally I found out.
I assumed that the IP 10.9.0.1 (of the wg server) was the correct IP, but found out that the bridge is the correct one.
Output of ip a:
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:09:44:60:5f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
6: br-c8b529baa05a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ba:39:b6:2f brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c8b529baa05a
valid_lft forever preferred_lft forever
inet6 fe80::42:baff:fe39:b62f/64 scope link
valid_lft forever preferred_lft forever
8: veth4a5f552@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c8b529baa05a state UP group default
link/ether fa:1b:96:68:d3:3c brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::f81b:96ff:fe68:d33c/64 scope link
valid_lft forever preferred_lft forever
That address is 172.18.0.1 of the bridge br-..., whose name changes every session (why?), but fortunately the IP does not.
So I used this '172.18.0.1' as DNS server, and ssh-ing into that address initially did not work, as I had not whitelisted this (indoor) IP range '172.18.0.0/24' in ufw. After I whitelisted this in ufw, I could view the web interface and ssh into it using this bridge IP address.
And because I set this as DNS, Pi-hole also worked over the wg VPN. I double checked it by installing another peer config into an Android wg client (Rethink) with the same DNS setting and connected the cellphone with 4G (and wifi OFF).
The result was that the outdoor IP of my cellphone was my home IP rather than the carrier's IP. And I could ssh into my Pi using the same bridge IP. All traffic goes via Pi-hole as well. Exactly the same as when I connect my cellphone with OpenVPN to the Pi, as I also have an OpenVPN server on the same Pi.
Here is an example of my peer conf:
[Interface]
Address = 10.9.0.2
PrivateKey = <PKEY>
DNS = 172.18.0.1
[Peer]
PublicKey = <PUB>
PresharedKey = <PRE>
Endpoint = <myhomeip>:51820
#AllowedIPs = 0.0.0.0/0
AllowedIPs = 0.0.0.0/0,192.168.0.0/24
Even the latter 192.168.0.0 is not strictly needed.
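As an added check (not part of the post above), here is a small script that parses `ip a` output like the one shown, finds the Docker-created bridge (br-*) that is UP, and confirms that a peer config's DNS entry is that bridge address and is covered by AllowedIPs, so DNS queries actually go through the tunnel. The two sample texts are constructed from the post's values; the key fields are placeholders.

```python
import ipaddress
import re

# Constructed sample: the `ip a` output from the post, trimmed to the relevant lines.
IP_A_OUTPUT = """\
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
6: br-c8b529baa05a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c8b529baa05a
8: veth4a5f552@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c8b529baa05a state UP group default
"""

# Constructed sample peer config using the post's values (key fields are placeholders).
PEER_CONF = """\
[Interface]
Address = 10.9.0.2
PrivateKey = <PKEY>
DNS = 172.18.0.1
[Peer]
PublicKey = <PUB>
AllowedIPs = 0.0.0.0/0,192.168.0.0/24
"""

def bridge_addresses(ip_a: str) -> dict:
    """Map each UP Docker-created bridge (br-*) to its IPv4 interface from `ip a` text."""
    found, current, up = {}, None, False
    for line in ip_a.splitlines():
        head = re.match(r"\d+: ([^:@]+)(?:@\S+)?: <[^>]*>.*state (\w+)", line)
        if head:
            current, up = head.group(1), head.group(2) == "UP"
            continue
        inet = re.match(r"\s+inet (\d+\.\d+\.\d+\.\d+)/(\d+)", line)
        if inet and up and current.startswith("br-"):
            found[current] = ipaddress.ip_interface(f"{inet.group(1)}/{inet.group(2)}")
    return found

def check_peer_dns(peer_conf: str, ip_a: str) -> dict:
    """Report whether the peer's DNS is the bridge IP and is reachable via AllowedIPs."""
    keys = dict(re.findall(r"^(\w+)\s*=\s*(.+)$", peer_conf, re.M))
    dns = ipaddress.ip_address(keys["DNS"].strip())
    allowed = [ipaddress.ip_network(c.strip()) for c in keys["AllowedIPs"].split(",")]
    bridges = bridge_addresses(ip_a)
    return {
        "dns_is_bridge_ip": any(b.ip == dns for b in bridges.values()),
        "dns_routed_via_tunnel": any(dns in n for n in allowed),
        "bridge_subnets": sorted(str(b.network) for b in bridges.values()),
    }
```

The bridge_subnets entry shows the subnet the host actually has on the bridge, which is what a firewall allow rule for the DNS/ssh path should be compared against.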
ip a, iptables-save, nft list ruleset and ss -nltp to your post.