>I recently took some time off of work to spend time with family. During that time I worked on a few side projects like getting our backups in order and getting a Raspberry Pi 3 running Pi Hole.<p>I know what the original intent is, but still- I found this quite humorous.<p>Still, this seems like a very nice noob-friendly guide, and that's a very good thing when VPNs are concerned.
I run a pi-hole equivalent on a Raspberry Pi at home (dnsmasq with pi-hole's block lists). One word of warning, its list tends toward over-zealous, blocking sites / links you might want (e.g. Google Shopping links). You can add manual domain exceptions but it's tedious and takes a long time to restart dnsmasq due to the enormous list size and the RPI's relatively slow performance.<p>Blocker extensions are nice becuase you can selectively disable them or open an incognito tab in cases when you need to bypass the list. Easier than temporarily changing your DNS server to 1.1.1.1, etc.<p>Still, nice to have automatic adblocking for all devices in the house.
Pihole is great! Great revelation was that over 50% of the requests generated by devices in my network are "malicious", ad or tracking related.<p>The greatest offenders were phone apps and roku TV. Also roku tv scans your HDMI data stream (if you connect your laptop to the Roku TV) which is purely evil!<p>Also worth to note that to have pi-hole to recognize and block over 50% of the requests, constant gravity updates are required (i have over 3.5M unique domains in block-list)<p>Also get VPN for your phone. All traffic on my iPhone goes though pi-hole (check OpenVPN and DNS Override iPhone apps in store)
how about a 3-pronged approach:<p><pre><code> 1) pi-hole
2) steve blacks hosts file
3) ublock origin
3 = most conservative filtering configuration that can easily be tweaked from the browser
2 = use modules (-e gambling -e porn etc)
1 = most basic blocking configuration
</code></pre>
this way you don't have to do much fidgeting on the router. this comes at a tradeoff for putting some of the burden on the hosts #2 & #3 but with the advantage of better usability for non-tech users.<p>protip: if you can live with not accessing unicode domains at all (counter measure to avoid domain squatters and some phishermen) patch[1] your dnsmasq and add this in dnsmasq.conf:<p><pre><code> address=/:xn--*:/0.0.0.0
</code></pre>
[1] <a href="https://github.com/spacedingo/dnsmasq-regexp_2.76.git" rel="nofollow">https://github.com/spacedingo/dnsmasq-regexp_2.76.git</a><p>EDIT: for mobile I used to have a VPS running openvpn. Make Android connect to the vpn by default routing all traffic through it. Run something like opensnitch[1] to MiTM and whitelist the mobile traffic and sinkhole shit you want to get rid off. This isn't for the fainthearted since new versions of apps might make different API calls and break your rules. Apps will just stop working. If you only have 2 or 3 apps and want to kill traffic from built-in carrier spyware it works nicely and is well worth the effort. Nice way to study what your device does. <a href="https://github.com/evilsocket/opensnitch" rel="nofollow">https://github.com/evilsocket/opensnitch</a>
For those that prefer algo, there is an open issue to add Pi-Hole (<a href="https://github.com/trailofbits/algo/issues/1258" rel="nofollow">https://github.com/trailofbits/algo/issues/1258</a>) and in my fork I've added Pi-Hole support: <a href="https://github.com/dan-v/algo" rel="nofollow">https://github.com/dan-v/algo</a>. It's a really nice setup especially on mobile devices where you typically have to choose between using a VPN or using adblock as they typically require a local VPN hack to function.
This is a great initiative!<p>I'm using a similar setup. I have my ISP's router in bridge modus, an ERLite‑3 router by Ubiquiti, and a NAS server by Synology. It could've been a router by PC Engines, a Router7, an unRAID, or a Pi too. Ever since I got the Synology NAS (which can run Docker) my Pi is gathering dust.<p>The NAS runs Docker and uses PiHole(dnsmasq)/Unbound to take the main traffic. The ERLite‑3 router is second choice and uses PiHole/Unbound as well. The setup provides redundancy. All DNS traffic not generated by the router and not coming from the NAS is redirected to the NAS. Both PiHoles have each other as redundant server as well. Both utilize Quad9's DNSSEC servers with DNS over TLS [1]. Though I suppose ideally you want DNSCrypt [2] this should also be possible with Quad9. The advantage this is going to work on any client. Since the ERLite‑3 allows WireGuard (and only that; no OpenVPN or OpenSSH or anything) clients such as my smartphone or laptop have secure and ad-free internet. Since I'm also using Quad9's blocklist, things such as porn are also blocked. The only caveat is that these clients have access to my LAN. While that's intentional, it increases the attack surface of my devices. I shouldn't trust my wife's devices on the LAN remotely. Then again, all internal LAN services are behind strong passwords.<p>[1] <a href="https://www.quad9.net/faq/" rel="nofollow">https://www.quad9.net/faq/</a><p>[2] <a href="https://dnscrypt.info/faq" rel="nofollow">https://dnscrypt.info/faq</a>
Pihole and Pivpn on Google Cloud Platform free tier is working great for me: <a href="https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs" rel="nofollow">https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compu...</a>
For those running pfSense: pfBlockerNG is a great package. It allows for IP and DNS based block lists. Between that and the built in OpenVPN server, I have ad (and other malicious traffic) blocking even while remote. Pretty crazy how much it catches on both levels.
The one thing to keep in mind about running a VPN on AWS is that some services just block whole AWS net blocks to stop scrapers.<p>For instance I used to run a VPN on a free tier micro instance, and I remember not being able to hit Yelp or StackOverflow from a VPN.
I just setup the Pi Hole yesterday on the raspberry pi I had sitting on my shelf and I must say it is a god send.<p>The bonus is my girlfriend noticed the coloring app on iOS she uses doesn't have banner ads and after she's done with a picture, there is no longer popup advertisements.<p>I only had to make one whitelist so far and it was graph.instagram.com otherwise the app completely doesn't work.
I have basically the same implementation except it's running on my dedicated openbsd router using openvpn/unbound/pf and scripts. It doesn't support wireguard though but openvpn should be equivalent? I know the wireguard developers claim it's more secure, however I think a properly secured openvpn with certificate based authentication both ways should be fine for a home setup.<p>For the lazy, someone other than me made scripts to both pi-hole (dns) setup[1] and pf (firewall) setup[2] to block on network level too.<p>The scripts themselves are very easy to read and vet for bad stuff.<p>[1] <a href="https://geoghegan.ca/unbound-adblock.html" rel="nofollow">https://geoghegan.ca/unbound-adblock.html</a><p>[2] <a href="https://geoghegan.ca/pfbadhost.html" rel="nofollow">https://geoghegan.ca/pfbadhost.html</a>
I've heard nothing but praise for PiHole setups, though I personally have an AdBlock service on my router.<p>If you're running OpenWRT, you can install adblock via opkg and there's even a LuCI extension for the web interface.<p>This blocks the majority of ads on my Roku TV, though YouTube is almost impossible.
What do the failure cases look like with Pi Hole? E.g. broken websites, missing (legitimate) content, apps that crash when they can reach their ad server?<p>And what kind of workarounds/remediations are available to deal with this, ideally in a user-friendly way for non-technical users?
I'm running pihole in a Docker container on an Intel NUC, performance is great. Client (browser) performance has also improved remarkably. One problem is getting ipv6 working between host, container and the outside world is non-trivial and non-obvious compared to ipv4 - I still haven't figured it out.<p>Typically you go into your your router's DHCP settings and populate DNS with the pihole DNS, or disable DHCP on your router and let pihole do DHCP. The gotcha is if you have an ISP supplied router which has no DHCP interface at all: no way to disable it, no way to customize DNS. All of Xfinity's hardware now does this for residential, you have to pay for business service to set DNS servers.
Looks like we're running Streisand as a VPN in AWS, and pihole at home on a Raspberry Pi. Why not just run PiHole on the AWS instance alongside streisand and save on the added complexity?
> I even started noticing some network calls our ISP appears to be making<p>I'm curious what this means. AFAIK the only way your ISP could make network requests that appear in Pi Hole is if they're running some kind of software within your network.
With all the people running piholes at home, could a subscription pihole service work? A small vps could run with authentication of some sort (mac-whitelisting seems simple and easy to implement). Allow customization of blocklists per MAC.
I recently set up a RPi with Pi-hole, only to find out that my ISP gave me a router that prevents you from using another DNS server.<p>I can still use the Pi-hole, but I have to set up the DNS manually for every device. Quite a pain in the ass.
For a Managed Service of this try <a href="https://ba.net/adblockvpn" rel="nofollow">https://ba.net/adblockvpn</a><p>Disclosure: I work at ba.net