Here's a recipe for your pie hole

VPN/DNS: Pihole - Wireguard - Unbound installation

original photo by Andrew Malone

This recipe creates a cheap, low-maintenance Virtual Private Network (VPN) server on a cloud host. Once it's online, it's not difficult to have your family's client devices connect to it transparently, 24/7. The encrypted tunnel to this trusted server is the first hop those devices take before requesting anything from the public internet, or before talking to your family's other gadgets.
Which means you don't need to trust the security of the local coffee shop's Wi-Fi, or your kids' school's router; it's a sound security posture to assume those have already been compromised by malware for all kinds of reasons. Your family's gadgets have an encrypted connection to each other and to this trusted server, and every name lookup goes through the server's filter before a connection to the public internet is made, using a vast number of public, curated deny and allow lists. A request for a domain known to host malware, say an infected ad server, goes nowhere, and such threats are common and otherwise difficult to defend against. All the ads are blocked too, unless you add a website to the allow list. Bear in mind that this is DNS filtering: anything that reaches a host by raw IP address, or that brings its own encrypted DNS (a browser's DNS-over-HTTPS setting, for instance), bypasses the lists.
This recipe also cuts your Internet Service Provider's (ISP's), Google's or OpenDNS's nameservers out of the loop: Unbound on the server resolves each name itself, walking from the root servers down to the domain's authoritative nameservers, so no single third-party resolver sees your whole query history, which further increases privacy. Your land or wireless provider still carries the packets, but all it sees is encrypted WireGuard traffic to one server, not the sites you visit or the names you look up. (The cloud host, and the authoritative nameservers, do see queries leaving the server's own IP address, so the gain is relative to your ISP and resolver operators, not absolute.)
This recipe also lets someone get around governmental internet censorship that works by blocking names or individual sites at the ISP. It's a useful way to achieve a lot of things.
It must also be said that you have no way to audit what a commercial VPN provider does with your traffic, and some have turned out to be nothing like what they advertise, so it is paramount to use a VPN server you trust. Running your own, as described here, gets you that to a high standard while saving money.
The user interface is very nice, and the logs are easy to read, which might appeal to parents with young children and gadgets.
The family gadgets I'm referring to are iPhones, Android phones and notebook PCs, but it is also possible to add a second trusted gateway, such as a router running a WireGuard client (see the OpenWRT section below), so as to include smart TVs, Amazon Echos and all the IoT devices around the house, including VoIP phones enabled over SIP.

Install Ubuntu 20.04

I tried using Ubuntu 22.04 and it wasn't possible as of the moment I tried; the helpful error message told me so.

apt update
apt upgrade
apt autoremove
reboot

To reduce server maintenance, I recommend using Ubuntu's free Livepatch Service, available for a maximum of 3 computers.

Install Pi-hole

apt install curl

Pi-hole has a one-line installer. Piping a script from the internet straight into bash runs whatever that server sends you; if that bothers you, download the script to a file first, read it, and then run it with bash.

curl -sSL https://install.pi-hole.net | bash

Change the Pihole admin password

pihole -a -p

Install PiVPN. This sets up a WireGuard VPN for us automatically.

curl -L https://install.pivpn.io | bash
When following these instructions on a new server at a cloud platform like Digital Ocean or VULTR, you're probably logged in as root, so the installer will prompt you to create a user-level account with a <username>, because it needs somewhere to store the client connection profiles. The profiles live in /home/<username>/configs, and each one contains that client's WireGuard private key and pre-shared key (WireGuard uses Curve25519 key pairs, not PGP), so treat that directory as secret. When the installer asks which DNS server the clients should use, pick the Pi-hole it detects on this machine; otherwise the clients will tunnel their traffic but bypass your filter.

Install Unbound.

Unbound is a recursive DNS resolver. At first it'll be slow, since its cache starts empty, but it speeds up as the cache fills, and we're only talking milliseconds. It's also privacy friendly!
sudo apt install unbound
Copy the entire configuration from the Pi-hole Unbound guide (linked under References below), then open the file it goes in:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
Paste your clipboard contents and save the configuration file. That configuration binds Unbound to 127.0.0.1 on port 5335, so it is not reachable from outside the server. Keep reading the instructions on that page to test the resolver (the DNSSEC checks matter: a name with a bogus signature must fail to resolve) and "finally, configure Pi-hole to use your recursive DNS server by specifying 127.0.0.1#5335 as the Custom DNS (IPv4)" under Settings > DNS. Untick every other upstream there, or Pi-hole will keep sending a share of your queries to them. While on that page, check that Interface settings is not "Permit all origins": on an internet-facing server that would make Pi-hole an open resolver that anyone can abuse for DNS amplification attacks. "Allow only local requests" already covers the VPN clients, because the wg0 subnet is local to the server.
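Before pointing Pi-hole at it, prove that Unbound is actually validating DNSSEC rather than just answering. The script below is an added example, mine rather than the page's or the Pi-hole guide's; it wraps the two dig probes the guide uses and parses the rcode out of dig's header line, so the same check can run from cron or a deploy script. Assumptions: dig is installed (the dnsutils package), Unbound listens on 127.0.0.1#5335, and the probe names sigfail.verteiltesysteme.net and sigok.verteiltesysteme.net are the ones the guide listed at the time of writing (override them with the environment variables if the guide has changed them).

```shell
#!/bin/sh
# Added check, not part of the Pi-hole Unbound guide: confirm that the Unbound
# instance on 127.0.0.1#5335 validates DNSSEC before Pi-hole is pointed at it.
# A name with a deliberately broken signature must come back SERVFAIL and a
# correctly signed one NOERROR; if both come back NOERROR, validation is off.
# Assumptions: dig is installed (apt install dnsutils); the two probe names are
# the ones the Pi-hole guide used at the time of writing.

UNBOUND_ADDR="${UNBOUND_ADDR:-127.0.0.1}"
UNBOUND_PORT="${UNBOUND_PORT:-5335}"
BAD_SIG_NAME="${BAD_SIG_NAME:-sigfail.verteiltesysteme.net}"
GOOD_SIG_NAME="${GOOD_SIG_NAME:-sigok.verteiltesysteme.net}"

# Extract the rcode from dig's header line on stdin, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
# Prints nothing when there is no header (timeout, connection refused).
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# $1 = rcode observed, $2 = rcode expected. Returns 0 only on an exact match;
# an empty rcode (no answer at all) is always a failure.
expect_status() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Query one name against Unbound and compare the rcode with what we expect.
probe() {
    name=$1
    expected=$2
    got=$(dig +tries=1 +time=5 "$name" @"$UNBOUND_ADDR" -p "$UNBOUND_PORT" 2>/dev/null | dig_status)
    if expect_status "$got" "$expected"; then
        echo "ok    $name -> $got"
        return 0
    fi
    echo "FAIL  $name -> ${got:-no answer} (expected $expected)"
    return 1
}

# Both probes must pass; returns 1 if either fails.
dnssec_selftest() {
    rc=0
    probe "$BAD_SIG_NAME" SERVFAIL || rc=1
    probe "$GOOD_SIG_NAME" NOERROR || rc=1
    return $rc
}

# Usage: sh dnssec-check.sh check   (exit status 0 = validation works)
if [ "${1:-}" = "check" ]; then
    dnssec_selftest
    exit $?
fi
```

Run it as sh dnssec-check.sh check. A broken-signature name that comes back NOERROR means Unbound is answering without validating (check the trust anchor and the auto-trust-anchor-file line in your config); "no answer" usually means the interface or port in pi-hole.conf does not match what the script is probing.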

Create WireGuard user profiles.

pivpn add -n <config name>
Where <config name> is a unique name of at most 15 characters for each of your devices (e.g., mphone, mlaptop). Repeat this step for as many devices as you want to connect to your virtual private network. Each run creates a text file with a .conf extension in /home/<username>/configs, to copy to the matching personal computer. That file holds the device's private key, so move it over a secure channel (scp, as shown further down) and don't leave copies lying around. If you're using a smartphone, the easiest way to connect is the QR code in the next step.
To revoke a client's access (for example if you lose your phone), remove it on the server with pivpn -r <config name>. Merely moving or deleting the <config name>.conf file does not revoke anything: that file is only the copy handed to the device, while the server keeps the peer's public key in /etc/wireguard/wg0.conf and goes on accepting it. To suspend a device without deleting its profile, use pivpn -off <config name>, and pivpn -on <config name> to re-enable it.
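Because the server's wg0.conf, not the configs directory, decides who may connect, it is worth auditing the two against each other now and then. This is an added audit script, mine rather than PiVPN's. It assumes PiVPN's wg0.conf layout, where each client's [Peer] block sits between "### begin NAME ###" and "### end NAME ###" marker lines (confirm with grep '^### begin' /etc/wireguard/wg0.conf), and that the client profiles live in $HOME/configs of the PiVPN user (the page's /home/<username>/configs). Its demo mode runs on constructed sample data with placeholder keys.

```shell
#!/bin/sh
# Added audit, not part of PiVPN: list peers the WireGuard server still accepts
# although their client profile was deleted from the configs directory.
# Assumes PiVPN's wg0.conf layout ("### begin NAME ###" ... "### end NAME ###").

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
CONFIG_DIR="${CONFIG_DIR:-$HOME/configs}"

# Print the name of every client still configured on the server, one per line.
server_peers() {
    sed -n 's/^### begin \(.*\) ###$/\1/p' "$1"
}

# $1 = wg0.conf, $2 = configs directory. Prints the clients that are still
# authorised on the server but have no <name>.conf in the directory.
orphaned_peers() {
    server_peers "$1" | while IFS= read -r name; do
        [ -f "$2/$name.conf" ] || printf '%s\n' "$name"
    done
}

# Constructed fixture under $1 so the audit can be tried offline: two peers on
# the server, but only mlaptop still has a client profile. Keys are placeholders.
demo_fixture() {
    mkdir -p "$1/configs"
    cat > "$1/wg0.conf" <<'EOF'
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
Address = 10.108.172.1/24
ListenPort = 51820

### begin mphone ###
[Peer]
PublicKey = MPHONE_PUBLIC_KEY_PLACEHOLDER
PresharedKey = MPHONE_PSK_PLACEHOLDER
AllowedIPs = 10.108.172.2/32
### end mphone ###
### begin mlaptop ###
[Peer]
PublicKey = MLAPTOP_PUBLIC_KEY_PLACEHOLDER
PresharedKey = MLAPTOP_PSK_PLACEHOLDER
AllowedIPs = 10.108.172.3/32
### end mlaptop ###
EOF
    : > "$1/configs/mlaptop.conf"
}

# $1 = wg0.conf, $2 = configs directory. Returns 1 when orphans exist.
report() {
    orphans=$(orphaned_peers "$1" "$2")
    if [ -n "$orphans" ]; then
        echo "Still authorised on the server but without a client profile:"
        echo "$orphans"
        echo "Revoke each one with: pivpn -r <name>"
        return 1
    fi
    echo "No orphaned peers."
}

# Usage: sh peer-audit.sh audit   (live server)
#        sh peer-audit.sh demo    (constructed fixture, runs offline)
status=0
case "${1:-}" in
    audit)
        report "$WG_CONF" "$CONFIG_DIR" || status=1
        exit "$status"
        ;;
    demo)
        tmp=$(mktemp -d)
        demo_fixture "$tmp"
        report "$tmp/wg0.conf" "$tmp/configs" || status=1
        rm -rf "$tmp"
        exit "$status"
        ;;
esac
```

sh peer-audit.sh demo runs it offline on the constructed fixture and reports mphone as still authorised; sh peer-audit.sh audit checks the live server (run it as root, or point WG_CONF and CONFIG_DIR at readable copies). Anything it lists is revoked with pivpn -r <name>, after which it should report no orphaned peers.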

Display the QR codes to connect our mobile devices.

pivpn -qr <config name>   # e.g., pivpn -qr mphone
Scan the QR code with the WireGuard app on each mobile device, and/or install the downloaded configs on your laptop/desktop/other devices, then turn the tunnel on. The QR code encodes the device's private key, so display it only on a terminal you trust and don't keep screenshots of it. I set mine to "on-demand", meaning it'll always be on, 24/7, unless that's undesirable.

Installation on device-clients

Installation on Windows, MacOS, iOS, Android

All these operating systems have app stores where you can download and install the WireGuard GUI. Once installed, you import the configuration file you created, copied from /home/<username>/configs on the server; it has the name you assigned with a .conf extension. If you're using iOS or Android you don't need this file at all, because you can read the QR code with the camera instead.
Once installed, it's easy to toggle on/off. During my testing with the Android GUI, it was simple to configure everything to pass DNS through the server automatically, even after rebooting. Also during my testing on Android, pages loaded much faster without the ads in all installed browsers.

Tested Ubuntu workstation installation

Install Wireguard

sudo apt install wireguard openresolv

Download the configs for our Linux desktops (tested with Ubuntu)

sudo scp root@<12.34.56.78>:/home/<username>/configs/<config name>.conf /etc/wireguard
The copied file contains the device's private key, so make sure it is readable only by root (wg-quick warns if the file is world-readable).

Connect to the VPN server

sudo wg-quick up <config name>
sudo wg-quick down <config name> # To disconnect
Notice how a sudo password is required? Also, an active connection will not survive a reboot. (The plain systemd way around that is to enable the wg-quick@<config name> service; the next step does it through NetworkManager instead, which is nicer on a laptop that roams between networks.)

Create a Network-Manager command-line (NMCLI) profile

Once you create a WireGuard NMCLI profile on your Linux machine, you benefit from saved settings such as automatically connecting to your various WireGuard VPNs. See the nmcli documentation for more about its options.
To list all installed NMCLI profiles:
nmcli connection show
Create a WireGuard NMCLI profile by importing the configuration file. Once you do, WireGuard connects immediately and, because imported profiles autoconnect by default, the connection also survives reboots.
sudo nmcli connection import type wireguard file /etc/wireguard/<config name>.conf
The profile takes the name of the config file. You can enable autoconnect for one VPN and disable it for another; for example, with profiles named nyc-office-vpn and aws-ec2-vpn:
nmcli connection modify nyc-office-vpn connection.autoconnect yes
nmcli connection modify aws-ec2-vpn connection.autoconnect no
Theoretically the GUI option should work at this point too, but I failed to get anything useful out of it on Ubuntu 22.04.

QNAP NAS client installation

https://www.qnap.com/en-us/how-to/tutorial/article/how-to-configure-wireguard-vpn-server-and-client-settings-in-qvpn-service-3

OpenWRT router client installation

https://www.vpnunlimited.com/help/manuals/open-wrt-wireguard-setup

Restrict access to the Administration panel

Once your workstations are connected through the VPN, you can restrict the administration panel to an allow-list of addresses and deny everyone else.
Replace the 4 IP addresses in the example with your own list. The first is a public address you might manage from directly; the last three are VPN clients, which PiVPN numbers sequentially from .2 on the tunnel subnet it chose (10.108.172.0/24 in this example), so if you had created only 3 profiles and all of them needed the panel, these would be their addresses. Two caveats: the panel is plain HTTP, so managing it from a public address sends your password in clear text across the internet, and it is better to drop the public entry and reach the panel only through the tunnel at the server's own wg0 address; and an allow-list in lighttpd is no substitute for a host firewall, so on a cloud host also block ports 80 and 53 on the public interface and leave only SSH and the WireGuard UDP port open. Restart lighttpd after editing the file.
nano /etc/lighttpd/external.conf

# https://www.cyberciti.biz/tips/lighttpd-restrict-or-deny-access-by-ip-address.html
# https://discourse.pi-hole.net/t/password-protect-the-dashboard/223/5
# Deny /admin/ to every client except the listed addresses. The pattern is
# anchored (^ ... $) and the dots are escaped; otherwise it is a substring
# match and e.g. 110.108.172.25 would be accepted because it contains 10.108.172.2.
$HTTP["remoteip"] !~ "^(12\.34\.56\.78|10\.108\.172\.2|10\.108\.172\.3|10\.108\.172\.4)$" {
 $HTTP["url"] =~ "^/admin/" {
   url.access-deny = ( "" )
 }
}
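Whatever addresses you put into the remoteip condition, anchor the pattern with ^ and $ and escape the dots; otherwise lighttpd performs a substring match and a dot matches any character. To see concretely what that buys you, here is an added shell check, mine rather than the page's, Pi-hole's or lighttpd's, that runs an unanchored pattern and the hardened one against a few constructed addresses. It uses grep -E, whose extended-regex semantics agree with lighttpd's =~ and !~ operators for patterns of this shape; the addresses are the page's example ones plus made-up lookalikes.

```shell
#!/bin/sh
# Added example, not from the page, Pi-hole or lighttpd: why the allow-list
# regex for $HTTP["remoteip"] must be anchored and have its dots escaped.
# grep -E stands in for lighttpd's regex matching; the patterns are the same.

# Unanchored pattern with unescaped dots: "." matches any character and the
# match may sit anywhere inside the address.
LOOSE='12.34.56.78|10.108.172.2|10.108.172.3|10.108.172.4'
# Hardened pattern: matched against the whole address, dots are literal.
STRICT='^(12\.34\.56\.78|10\.108\.172\.2|10\.108\.172\.3|10\.108\.172\.4)$'

# $1 = pattern, $2 = remote address. Returns 0 when the pattern matches, i.e.
# when lighttpd's "!~" condition would NOT fire and the request is allowed.
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Admission decision with the hardened pattern: prints allow/deny, returns 0/1.
admit() {
    if matches "$STRICT" "$1"; then
        echo "allow $1"
        return 0
    fi
    echo "deny  $1"
    return 1
}

# Constructed addresses: one legitimate VPN client, then three lookalikes that
# the loose pattern lets through and the strict one rejects.
demo() {
    for ip in 10.108.172.2 110.108.172.25 10.108.172.20 12x34y56z78; do
        if matches "$LOOSE" "$ip"; then loose=allow; else loose=deny; fi
        if matches "$STRICT" "$ip"; then strict=allow; else strict=deny; fi
        printf '%-16s loose=%-5s strict=%s\n' "$ip" "$loose" "$strict"
    done
}

# Usage: sh remoteip-check.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The demo prints one line per address; only 10.108.172.2 is allowed by both patterns, while 110.108.172.25, 10.108.172.20 and 12x34y56z78 slip past the loose one. If you would rather allow a whole tunnel subnet than enumerate clients, lighttpd's remoteip condition also accepts CIDR notation with == and !=, which avoids regex pitfalls entirely.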

References

https://skerritt.blog/pihole-vpn/
https://docs.pi-hole.net/guides/unbound/

Videos:

You're running Pi-Hole wrong! Setting up your own Recursive DNS Server!
Is adding 3 MILLION domains to your Pi-Hole Block List a good thing?
High Availability Pi-Hole? Yes please!

Deny lists

https://firebog.net

Ultimate.Hosts.Blacklist:

Common things to Allow list

https://github.com/anudeepND/whitelist
https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212

Hosted, Virtual Machines in the cloud

$100 credit with Digital Ocean for new customers
https://www.vultr.com/?ref=7203554
Those links earn me a commission but won't increase prices for you.
Following this recipe, Netflix/HBO Max/etc. will work through the tunnel in principle, but they block all Digital Ocean and VULTR IP addresses, as they do most similar cloud hosts' address ranges. For best results with streaming services, use something like a Raspberry Pi behind a residential IP address.
Since I want to use an Asterisk PBX server along with all my telephone extensions secured by the VPN, I prefer a cloud server and Skyetel for PSTN termination. The smallest, cheapest (KVM) virtual machine options work fine, with better performance than a Raspberry Pi hosted at home, given LAN/NAT latency. I do not recommend OpenVZ cloud hosting.
