A Guide for WireGuard VPN Setup with Pi-Hole Adblock and Unbound DNS(psyonik.tech)

171 pointsby pSYoniK2 days ago9 comments

vanillax2 hours ago
This is a neat guide. Its baked in already if you have a Firewalla device. Cool to see this roll your own approach. I always found their guide helpful.
From the Firewalla Site -
How to Choose Your DNS Strategy If you have NO concerns at all, just use traditional DNS from your ISP or configure some public DNS for your LAN networks if you like. If you need simple filtering to protect your network from unwanted online content, choose Family Protect -> Native mode. It won't conflict with other DNS services. If you trust your DNS service provider but don't trust your ISP, choose DNS over HTTPS. If you do not trust any single DNS server other than the root and authoritative DNS server, choose Unbound. If you do not want any DNS queries getting changed or filtered, use Unbound. If you do not want any DNS queries getting changed or filtered and want to add a layer of encryption so that your ISP can't see your DNS requests, use Unbound and turn on DNS over VPN under it.
https://help.firewalla.com/hc/en-us/articles/4570608120979-F...
pSYoniKa day ago
I want to make a few points to help clarify some of the choices and why I made them. This is very helpful and I appreciate all the comments as it highlights how some things are clear in our head but we don't end up sharing that with anyone reading. So:
1. I looked at AdGuardHome but I preferred PiHole because I found its documentation a bit more helpful for my purpose (the Unbound sample, the Wireguard setup, etc)
2. I saw the docker compose package, but I wanted something that runs at the OS level. There are docker packages for Wireguard too and I had also a look at Mistborn (https://gitlab.com/cyber5k/mistborn)
3. The VPN is the main thing I wanted setup to reach resources on my home network, adblocking and DNS came a bit later, so you can run this without a VPN, but its central for my setup.
4. I really wanted this setup at the OS level and to hopefully learn more about the whole process.
Thanks again for the suggestions though!
- Telaneoa day ago
  > 1. I looked at AdGuardHome but I preferred PiHole because I found its documentation a bit more helpful for my purpose (the Unbound sample, the Wireguard setup, etc)
  Probably the right call, but funnily enough, I had to go the other way. PiHole started using 100% of the CPU on my Raspberry Pi 1B after an update to version 6.x, which then obviously slowed the entire network to a crawl and made it unusable. Although later versions supposedly fixed that, whatever was the latest version at the time still had that problem for me, even on a completely fresh install.
  AdGuardHome worked for me without any hassle, but I would never have even considered it, given I'd been happy with PiHole for 5+ years, if it hadn't been for the fact that whatever update PiHole did completely borked its usability.
- leetrouta day ago
  > I saw the docker compose package, but I wanted something that runs at the OS level
  For my curiosity: because you wanted to use systemd or didn't want to run another piece of software (docker) or something else?
  - pSYoniKa day ago
    I had wireguard on docker before for some containers, but it felt clunky and it over complicated the network stack in my head (I'm unfortunately not very skilled in networking in general). So I said that I'd go back to the root and run it at OS level because then I can expose Proxmox to the world or any of the other VMs I run by having them join the wireguard network. Which in turn means that I can connect to any machine I want/need directly. I am also playing around with writing my own dynamic DNS worker in C# and I was curious on how I could have that run as a systemd process but bypass the wireguard tunnel to keep updating IP addresses. A lot of these were tied to me just being a bit more curious about the whole stack.
    leetrouta day ago
    Understood. Thank you!
gentooflux2 days ago
I just use blocklists in Unbound without having to bother with Pi-Hole. Nothing against Pi-Hole, I just find it easier long-term to maintain fewer services.
- pSYoniK2 days ago
  I have looked at that briefly, I think I had gone with pihole in the end for the ability of having a UI to easily see any resolution issues and local dns management (which, I think, is also present in Unbound but not in a UI but via configs).
byteknight2 days ago
May be helpful for others. Fully packaged version
https://github.com/IAmStoxe/wirehole
syntaxinga day ago
I self host a lot of things, pihole and adguard is one thing I no longer self host for about five years now. $20/year for NextDNS for the whole family is worth every penny and most importantly spouse approved. My spouse doesn’t mind what we self host as long as the friction to use it is not too high.
- crossroadsguya day ago
  NextDNS support now doesn't even bother to respond when you face a problem. If you are lucky a fellow user will comment which most probably won't solve the problem and it would rather be a "same here" comment. I had to stop using before even my first year's subscription finished.
  - syntaxing21 hours ago
    That’s a shame, I haven’t had the need to use their support before though.
- mtlyncha day ago
  Does using NextDNS mean that you both can see a list of all the websites anyone in your family visits?
  - syntaxing21 hours ago
    Yes but that’s the case for any DNS (which is why your ISP loves it when you use their DNS, for “marketing” data they sell to others). However, similar to pihole and adguard, you can turn off logging if you want.
  - lemming21 hours ago
    Only to the domain level, not individual websites.
- floundya day ago
  I have two pi-holes running concurrently, mainly so it doesn’t ruin the internet for my wife if one goes down. In 4-5 years of running pi-hole I’ve had I think 3 complete failures, 2 were due to cheap SD card corruption and one due to a failed upgrade to pihole v6.
  I also excluded most of her devices from any filtering by the pihole because she wants to be able to click the sponsored links and ads on Google. Whatever.
  - syntaxinga day ago
    That’s why nextDNS is nice, there’s a “allow affiliated link” setting. So it blocks the ads but allows your wife to click on sponsored ad links. How’s do you manage Adblock when you’re not on your network? That’s the main draw of NextDNS for me. Works more or less anywhere
    floundya day ago
    Huh interesting feature, I'll have to check it out today to see if there's enough improvements over pihole to warrant a switch.
    I'm effectively always on my network because I use Wireguard to VPN back in to home, so I can easily access my server and RPi dashboards. Though at this point I've whitelisted a few dozen domains that were giving my wife or I issues, and excluded most of her devices because she doesn't want to be on it, so it's pretty hands-off. The only time I have to disable the pihole nowadays is when I'm unsubscribing from an email list and the link is a tracking link. And that's with over 3M domains blocked.
    syntaxing21 hours ago
    Do you notice a battery drain with the VPN always on? I used to use tailscale for this and there was a nontrivial battery penalty
    floundy2 hours ago
    I've never specifically noticed WireGuard anywhere in the top battery consumers on either Android or iOS. Friday I was out of the house all day, and Wireguard running on cellular all day used 1% of my iPhone battery.
plqbfbv2 days ago
I have a similar setup, but with AdGuardHome. I used Pi-Hole in the past, but AdGuardHome's UI is from this century at least. That, and the fact that with Pi-Hole it was very difficult have IPv6 working.
I have an instance on my router in my home network for covering all devices by default, and a hosted one to which I connect when outside via mobile network. Split-tunneling with only the DNS routed, so that I don't have to push all traffic through the VPN.
- inetknghta day ago
  > I used Pi-Hole in the past, but AdGuardHome's UI is from this century at least.
  I like Pi-Hole's UI. It's functional and simple.
- hk13372 days ago
  I didn’t have a problem with IPv6 necessarily with pihole as much as my ISP, AT&T, didn’t play well with me wanting to use another DNS for IPv6.
  I ended up just going to NextDNS. All my devices are Apple so I could install the certificate and it works away from home too.
muppetman2 days ago
You don't need a VPN! I host an AdguardHome instance and just expose TCP/853. I put my domain name in the Private DNS settings of my Android and I get 24/7 adblocking without the hassle and battery drain of my Wireguard VPN (which I still use to access private stuff)
- bealaa day ago
  I tried setting your domain as my resolver but no luck sadly.
  alex@thinkpad ~> kdig @muppetz.com +tls news.ycombinator.com
  ;; WARNING: connection timeout for 116.251.193.218@853(TLS)
  ;; ERROR: failed to query server muppetz.com@853(TCP)
  - muppetmana day ago
    Right, my post wasn't to suggest my Adguard is open for everyone :)
    1, it's bound to a particular subdomain (I'm sure you can figure that out) - And it's still the same IP so you'd have only gotten certificate mismatch warnings 2, it's behind a Firewall that only allows connections from the country I'm in - this is almost certainly what's stopped you being able to access the port.
    If you meet those two criteria you'll be able to query it.
    My point was it's quite easy to do this yourself though and then you don't need to bother with a VPN all the time, saving battery and the hassle of having to either a) Have it on all the time even when you're at home or b) Remembering to turn it on every time to leave home.
stoicfungia day ago
Sadly, the Wireguard protocol is easily identified and blocked, and need to add obfuscation layer to make it work.
- imcritica day ago
  So, AmneziaWG?
BrandoElFollitoa day ago
Another solution to consider is Tailscale. There is a vast free tier and it makes securing your network really simple.
- pSYoniKa day ago
  I mentioned that as an alternative along with Headscale and Nebula. Not for me though! At least not now.
  - BrandoElFollitoa day ago
    Ah you are right, sorry. Somehow I learned on the networks section and stuff for there. Sorry for that.
    I went through the journey of having multiple technologies VPNs to my home lab and cross-places. This is fun, a rewarding exercice.
    I switched to first Headscale, and then Tilescale for the ease of setting this up, which frees time for other home lab activities