Creating an ad-blocking VPN using Pi-hole and OpenVPN
- firewall
- Pi-hole
- pihole
- vpn
- OpenVPN
- pivpn
Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, such as advertisements, without installing any client-side software. It comes with an easy-to-use interactive installer and can block content in non-browser locations, such as mobile apps and smart TVs. This can help to reduce data consumption on mobile plans.
To secure the connection, we use the PiVPN tool to install an OpenVPN Virtual Private Network that routes all client traffic, DNS queries included, through a Scaleway Instance on which Pi-hole acts as the resolver.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- An SSH key
Deploying the Instance
- Log in to your Scaleway console and create a new Instance. For this tutorial, we use a PLAY2-NANO Instance running on Ubuntu Focal Fossa (20.04 LTS).
- Log into the newly created Instance using SSH.
- Update the cache of the APT package manager and upgrade the software already installed on the server:
apt update && apt upgrade -y
Installing Pi-hole
- Download the Pi-hole installer and run it:
curl -sSL https://install.pi-hole.net | bash
If you prefer not to pipe a remote script straight into a shell, download it first, read it, then run it. The installer does some checks and then gives you a series of prompts to answer. Choose OK or answer positively to all of them, until you are asked to choose an upstream DNS provider.
- Select one of the proposed upstream DNS servers from the list or specify a custom DNS server. Once selected, use the TAB key to move to the OK button and confirm by pressing ENTER.
- Pi-hole uses third-party filter lists. Select the list you want to use and confirm by pressing the OK button:
- Choose whether you want to filter both IPv6 and IPv4 traffic and confirm by pressing the OK button.
- Confirm the network settings by navigating to the YES button. You will be guided through two more network prompts. Confirm them by pressing the OK button.
- Choose whether you want to enter the Pi-hole web interface and confirm by pressing the OK button:
- The Pi-hole installer proposes the automatic installation of a web server and its dependencies. If you are not using another web server, select to install it and confirm by pressing the OK button:
- Choose whether you want to log queries and confirm by pressing the OK button:
- Select a privacy mode for FTL and confirm by pressing the OK button:
The Pi-hole installer proceeds with the automatic installation of the required software. Once the installation is complete, the URL to the admin interface and your password are displayed in a prompt. Take note of the password and leave the prompt by pressing the OK button.
- Restrict the Pi-hole DNS listener to local networks, so that the resolver only answers clients on subnets the Instance is directly attached to (which includes VPN clients on the tunnel network) and not arbitrary hosts on the public Internet:
pihole -a -i local
This setting applies to the DNS service (pihole-FTL) only. The web interface keeps listening on port 80 on all interfaces, so restrict that port with a firewall or security group rule as well if you do not want the admin page reachable from the Internet.
- Optionally, you can customize the password of your Pi-hole’s web interface by running the following command:
pihole -a -p
Installing PiVPN
To direct internet traffic via our Pi-hole Instance, we install OpenVPN using the PiVPN project, which provides a very easy way to install OpenVPN or WireGuard on the Instance. In this tutorial, we use OpenVPN.
- Create a new non-root user for OpenVPN:
adduser openvpn
- Run the following command from an SSH shell on your Instance to download and launch the PiVPN installer:
curl -L https://install.pivpn.io | bash
- A series of prompts displays. Validate them by pressing the OK button until you are asked under which user the OpenVPN application should run. Select the previously created openvpn user and validate by pressing the OK button:
- Choose the OpenVPN protocol in the prompt and validate by pressing the OK button:
- PiVPN provides a default configuration, accept it by pressing Yes:
- Keep the value for the UDP transport protocol unless you have specific requirements and validate by pressing the OK button:
- You can leave the default OpenVPN port 1194 unless your network configuration requires another port. Confirm by pressing the OK button:
- The PiVPN installer automatically detects the presence of Pi-hole and asks to use it. Validate the prompt by confirming with the Yes button:
- The PiVPN installer asks you if you want to use a custom search domain. Keep the default value and press the No button unless you have specific requirements:
- The following prompt asks you if you want to use the Instance’s IP address or a custom domain name to connect to your VPN. Keep the default setting, using the public IP address of your Instance and validate by pressing the OK button.
- During the installation, PiVPN asks whether you want to use elliptic curve (EC) certificates instead of RSA. EC keys are much shorter for an equivalent security level, which makes the TLS handshake faster. Confirm by pressing the Yes button. If some of your devices use legacy OpenVPN clients that do not support EC certificates, select No.
- Select the desired key size for the certificate. In this tutorial, we use the recommended 256-bit curve. Confirm by pressing the OK button:
- The following prompt informs you that the server key and HMAC key are now being generated. Confirm by pressing the OK button.
- The installer now prompts you to enable unattended upgrades, which allow you to update the software on your server automatically to make sure it is using the latest version of the software available in the repository. Validate by pressing the Yes button.
- The installation of PiVPN is now complete. You can reboot your Instance as suggested by the installer by pressing the Yes button.
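A filtered VPN only filters if every client is forced to send all of its traffic, and all of its DNS, through the tunnel; otherwise the client keeps using its local resolver and Pi-hole never sees the queries. The following script is an added example (it is not part of the original tutorial, of PiVPN or of Pi-hole) that audits an OpenVPN server.conf for the directives a hardened configuration should contain. It assumes the VPN subnet is 10.8.0.0/24 with Pi-hole at 10.8.0.1, OpenVPN 2.4+ directive names, and a server config at /etc/openvpn/server.conf; the two sample configs it audits are constructed for the demo, not copied from a real installation.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial, PiVPN or Pi-hole): audit an
# OpenVPN server.conf for the directives that make a "filtered VPN" actually filter.
# If clients are not forced to send all traffic, and all DNS, through the tunnel,
# they quietly bypass Pi-hole and leak DNS queries to their local resolver.
#
# Assumptions (mine, not from the page): the VPN subnet is 10.8.0.0/24 with Pi-hole
# listening on 10.8.0.1, directive names are those of OpenVPN 2.4+, and the
# server config lives at /etc/openvpn/server.conf.
set -eu

# audit_server_conf FILE
#   Prints one "MISSING: <what>" line per absent directive.
#   Returns 0 when every check passes, 1 otherwise.
audit_server_conf() {
  local conf="$1" rc=0 desc re
  # One check per line: "<description>@<extended regex matched against a config line>"
  local checks='route all client traffic through the tunnel@^push[[:space:]]+"redirect-gateway def1
push Pi-hole (10.8.0.1) as the DNS server@^push[[:space:]]+"dhcp-option DNS 10\.8\.0\.1"
stop Windows clients leaking DNS outside the tunnel@^push[[:space:]]+"block-outside-dns"
control-channel protection (tls-crypt or tls-auth)@^tls-(crypt|auth)[[:space:]]
AEAD data-channel cipher (AES-GCM)@^(cipher|data-ciphers)[[:space:]]+.*AES-(128|256)-GCM'
  while IFS='@' read -r desc re; do
    [ -n "$desc" ] || continue
    if ! grep -Eq -- "$re" "$conf"; then
      echo "MISSING: $desc"
      rc=1
    fi
  done <<EOF
$checks
EOF
  return "$rc"
}

# Constructed sample (not from a real installation): full-tunnel, DNS pushed to Pi-hole,
# tls-crypt on the control channel, AEAD cipher on the data channel.
sample_hardened_conf() {
  local f; f="$(mktemp)"
  cat >"$f" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-GCM
auth SHA256
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
EOF
  echo "$f"
}

# Constructed sample: split-tunnel, no DNS push and a CBC cipher. Clients keep using
# their ISP resolver, so nothing is filtered.
sample_weak_conf() {
  local f; f="$(mktemp)"
  cat >"$f" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
EOF
  echo "$f"
}

# Demo: audit both samples. On a real server run: audit_server_conf /etc/openvpn/server.conf
for f in "$(sample_hardened_conf)" "$(sample_weak_conf)"; do
  if audit_server_conf "$f"; then
    echo "$f: OK"
  else
    echo "$f: needs attention"
  fi
  rm -f "$f"
done
```

The weak sample reports four missing items (the two push directives for routing and DNS, block-outside-dns, and an AEAD cipher); the hardened one reports none. Run the audit function against /etc/openvpn/server.conf on the Instance after the PiVPN installer has finished, and again after any manual edit.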
Adding VPN users
You can now add users to your filtered VPN service. Create one user profile per device you want to connect to the VPN. A profile is a client certificate and key, so sharing one between devices is not recommended: revoking it for a lost or compromised device (pivpn revoke) would cut off every other device using it, and OpenVPN by default refuses a second concurrent connection with the same certificate unless duplicate-cn is set.
- Run the pivpn add command to launch the interactive user creation wizard.
- Enter each parameter of the user and validate by pressing the Enter key on your keyboard:
Enter a Name for the Client: client   <- the identifier of your user
How many days should the certificate last? 1080   <- the validity of the user's certificate; you can leave the default value
Enter the password for the client:   <- a secret password for your user (the password is not shown while you type, for security reasons)
Enter the password again to verify:   <- enter the password again to confirm it
The certificate and user profile are now generated. Once ready, the following message displays:
========================================================
Done! client.ovpn successfully created!
client.ovpn was copied to:
/home/openvpn/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================
- Download the generated *.ovpn configuration file to your device (for example with scp over SSH) and import it into your OpenVPN client. The profile embeds the client's certificate and its private key, protected by the password you just entered, so treat the file as a secret and delete copies you no longer need.
- Connect to your VPN to use your secure and filtered internet connection.
- While connected, open the following URL in your web browser to reach the Pi-hole web interface through the tunnel:
http://10.8.0.1/admin/
The web interface allows you to further configure Pi-hole and view statistics about your DNS requests:
Blocking unwanted traffic
To avoid running an open DNS resolver on the Internet, we restrict DNS requests coming from outside our infrastructure. This matters: an open resolver can be abused as a reflector in DNS amplification (DDoS) attacks, where small queries with a spoofed source address trigger much larger responses sent to the victim. VPN clients are not affected by this restriction, because they reach Pi-hole through the tunnel (10.8.0.1) and never through the Instance's public address.
- From your Scaleway console, click Instances in the Compute section of the side menu.
- Click the Security groups tab. A list of your existing security groups displays.
- Click Create a security group to go to the security group creation page:
- Enter the details for your new security group:
- Security group name: a friendly name for your security group (e.g. block-remote-dns)
- Description: an optional description for your security group
- Availability Zone: choose the Availability Zone in which your security group will be deployed. It must match the Availability Zone of your Instance.
- Rules: configure rules in your security group to block incoming traffic on port 53 (DNS), which blocks external requests to your Pi-hole Instance:
1. Click Add inbound rule.
2. Select the rule Drop, the protocol TCP, untick the box All Ports, and enter the port number 53.
3. Click Add inbound rule.
4. Select the rule Drop, the protocol UDP, untick the box All Ports, and enter the port number 53.
Make sure the group's inbound policy still lets UDP port 1194 (OpenVPN) and TCP port 22 (SSH) through, otherwise your clients and you lose access to the Instance. If you do not want the Pi-hole admin page reachable from the public Internet either, add a third Drop rule for TCP port 80 in the same way; the page stays reachable through the VPN at http://10.8.0.1/admin/.
Your configuration should look like the following example:
- Click Add an Instance and select your Pi-hole Instance from the drop-down list.
- Click Create a new security group to launch the creation of the security group.
Your Instance is now protected against requests to the DNS server running on it from external hosts. To verify, run dig @<public IP of your Instance> example.com +time=2 +tries=1 from a machine outside your infrastructure: it should time out, while the same query from a connected VPN client against 10.8.0.1 is answered. For more information about security groups, refer to our dedicated documentation.
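Security groups filter at the network edge; if the group is ever detached or edited, the resolver is open again. As defense in depth, the same policy can be enforced on the Instance itself with nftables. The script below is an added example (not part of the original tutorial, of PiVPN or of Scaleway's tooling): it renders a ruleset in which Pi-hole's DNS (port 53) and admin page (port 80) accept traffic only from the tunnel interface, while the public interface accepts only the OpenVPN handshake, SSH and the ICMP messages needed for path MTU discovery and IPv6 neighbour discovery. It only hooks the input chain, so the forwarding and NAT rules PiVPN installs for client traffic are left alone. The interface names ens2 (public) and tun0 (tunnel), the OpenVPN port 1194 and SSH on port 22 are assumptions; check yours with ip -br link.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial, PiVPN or Scaleway's tooling): a
# host-level nftables ruleset that enforces the same policy as the security group,
# as defense in depth. It only hooks the input chain, so the forwarding and NAT
# rules PiVPN installs for client traffic are untouched.
#
# Assumptions (mine): public interface ens2, OpenVPN tunnel interface tun0, OpenVPN
# on 1194/udp and SSH on 22/tcp. Check with "ip -br link" and adjust the arguments.
set -eu

# render_dns_lockdown_rules PUBLIC_IF VPN_IF [VPN_PORT]
#   Prints an nftables ruleset: Pi-hole's DNS (53) and web interface (80) accept
#   traffic only from the tunnel; the public side gets the VPN handshake, SSH and
#   the ICMP messages needed for PMTU discovery and IPv6 neighbour discovery.
render_dns_lockdown_rules() {
  local pub_if="$1" vpn_if="$2" vpn_port="${3:-1194}"
  cat <<EOF
table inet pihole_lockdown {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # OpenVPN handshake and SSH from the Internet
    iifname "$pub_if" udp dport $vpn_port accept
    iifname "$pub_if" tcp dport 22 accept
    # Pi-hole DNS and web interface: VPN clients only
    iifname "$vpn_if" udp dport 53 accept
    iifname "$vpn_if" tcp dport 53 accept
    iifname "$vpn_if" tcp dport 80 accept
    # keep path MTU discovery and IPv6 neighbour discovery working
    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    # anything else arriving on the public interface, port 53 included, hits "policy drop"
  }
}
EOF
}

# apply_dns_lockdown PUBLIC_IF VPN_IF [VPN_PORT]   (run as root)
#   Loads the ruleset. Loading a table declaration into an existing table appends
#   rules, so the table is deleted first (the error on a first run is ignored).
#   Deliberately no "flush ruleset": that would wipe PiVPN's own NAT rules.
apply_dns_lockdown() {
  local pub_if="$1" vpn_if="$2" vpn_port="${3:-1194}"
  nft delete table inet pihole_lockdown 2>/dev/null || true
  render_dns_lockdown_rules "$pub_if" "$vpn_if" "$vpn_port" | nft -f -
}

# Demo: print the ruleset for the assumed interfaces. To enforce it as root:
#   apply_dns_lockdown ens2 tun0
# and persist it by saving "nft list ruleset" to /etc/nftables.conf.
render_dns_lockdown_rules ens2 tun0
```

Before applying it, keep an SSH session open and confirm the rendered ruleset contains the SSH accept rule for your public interface; with policy drop, a typo in the interface name locks you out. After applying, the dig checks from the security group section should behave the same way: a query to the public address times out, a query to 10.8.0.1 from a VPN client is answered.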
Conclusion
You have now configured a secure and filtered OpenVPN connection to the internet. Pi-hole automatically filters unwanted advertising and helps to save bandwidth on metered plans. The web interface allows you to view detailed statistics about the DNS requests made, and you can allowlist or blocklist additional domains.