Block most ads on any device (Wireguard + Pi-Hole)
Martin André
Posted on May 13, 2021
We all know how annoying ads can be, and blocking them typically involves installing an ad-blocker on each device and in each browser. In this guide I'll show you how to block ads on most devices (iPhone, Mac, Android, Windows, ...).
Overview
Pi-Hole is a general-purpose, network-wide ad-blocker that protects your network from ads and trackers. Its main advantage over a browser ad-blocker is that it blocks ads in any type of software.
Prerequisites
- A VPS (near you or in the country you want to be)
- Basic knowledge of Linux
- About 30 free minutes in your schedule
There are plenty of VPS providers. I've personally chosen Hetzner, but Linode is also really good! (You can use my Hetzner link to get $20 in cloud credits.)
Setting up Wireguard
It takes no time to install Wireguard on Linux thanks to angristan.
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh
Read the README to learn how to use the script. The commands above save a local copy of the script, so you can read through it before running it.
Setting up Pi-Hole
All you need to do is run this command:
curl -sSL https://install.pi-hole.net | bash
During the setup you will be asked which interface Pi-Hole should listen on. Choose wg0, so that it answers DNS queries only from VPN clients.
Optional: install Unbound
sudo apt install unbound
You might have to configure Unbound for it to be fasttttt.
vim /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: yes
    prefer-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes
    cache-min-ttl: 300
    cache-max-ttl: 86400
    serve-expired: yes
    msg-cache-size: 50m
    rrset-cache-size: 100m
    num-threads: 1
    so-reuseport: yes
    so-rcvbuf: 4m
    so-sndbuf: 4m
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
Finally, restart Unbound.
sudo service unbound restart
Optional: Configure Pi-Hole for Unbound
Because you are using Unbound, you have to disable Pi-Hole's DNS cache and point Pi-Hole at the local Unbound instance (127.0.0.1#5335) instead of an upstream such as Cloudflare.
vim /etc/pihole/setupVars.conf
WEBPASSWORD=
BLOCKING_ENABLED=true
ADMIN_EMAIL=
WEBUIBOXEDLAYOUT=traditional
WEBTHEME=default-dark
PIHOLE_INTERFACE=wg0
IPV4_ADDRESS=
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=0
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=127.0.0.1#5335
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
REV_SERVER=false
And finally you can repair Pi-Hole using:
pihole -r
You can now open your Pi-Hole dashboard at http://ip/admin and check that your settings are correctly configured.
Dashboard > Settings > System > FTL Information
>>> DNS cache size should be = 0.
Dashboard > Settings > DNS > Upstream DNS Servers
>>> Custom 1 (IPv4) = 127.0.0.1#5335
>>> Everything else should be unchecked.
Dashboard > Settings > DNS > Interface listening behavior
>>> Listen only on interface wg0.
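The same settings can be checked from the shell by reading /etc/pihole/setupVars.conf directly. This is an added example, not part of the original post or of Pi-hole itself: get_var and audit_setupvars are hypothetical helper names, the expected values are the ones from the setupVars.conf shown above, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit setupVars.conf against the values used in this guide.
# get_var and audit_setupvars are hypothetical helpers, not Pi-hole commands.

# Print the value of KEY in FILE (last occurrence wins); empty if absent.
get_var() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Usage: audit_setupvars /etc/pihole/setupVars.conf
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if unreadable.
audit_setupvars() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }

    # Expected key=value pairs, taken from the setupVars.conf shown above.
    for want in PIHOLE_INTERFACE=wg0 DNSMASQ_LISTENING=single \
                CACHE_SIZE=0 'PIHOLE_DNS_1=127.0.0.1#5335'; do
        key=${want%%=*}
        exp=${want#*=}
        got=$(get_var "$key" "$file")
        if [ "$got" != "$exp" ]; then
            echo "MISMATCH $key: expected '$exp', found '$got'"
            rc=1
        fi
    done

    # Any further upstream (PIHOLE_DNS_2, _3, ...) sends queries past Unbound.
    extra=$(grep -E '^PIHOLE_DNS_([2-9]|[1-9][0-9]+)=.' "$file" || true)
    if [ -n "$extra" ]; then
        echo "EXTRA upstream: $(echo "$extra" | tr '\n' ' ')"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: correct values, but a second upstream was left enabled.
sample=$(mktemp)
printf '%s\n' PIHOLE_INTERFACE=wg0 DNSMASQ_LISTENING=single CACHE_SIZE=0 \
    'PIHOLE_DNS_1=127.0.0.1#5335' 'PIHOLE_DNS_2=1.1.1.1' > "$sample"
audit_setupvars "$sample" || echo "setupVars.conf needs attention"
rm -f "$sample"
```

On the server, call `audit_setupvars /etc/pihole/setupVars.conf` after `pihole -r`; a non-zero exit status means at least one value differs from the ones in this guide.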
Conclusion
And that's pretty much it!
All you have to do now is generate a client config for your Wireguard server and install it on any device. Once the connection is established, you can say bye bye to ads and hello to anonymity.