How to easily use your Pi-Hole outside of your personal network

You have your Pi-Hole installed on your personal network, but you want to use it outside of your home? If that's the case, stick with me and follow this tutorial, which will explain how to integrate your Pi-Hole with Zerotier, an easy virtual network accessible from anywhere around the world where all traffic is encrypted end-to-end!

Advantages of using Zerotier instead of a traditional VPN

  • Zerotier works even on your personal network, so you won't have to change your DNS settings or connect to your VPN every time you leave your house.
  • You can still use the existing Internet connection that you are using outside of your house instead of routing your current Internet connection through your home network like you would with PiVPN and thus losing some bandwidth if your home connection is not powerful enough.
  • You don't need to set up a dynamic DNS, have a static IP or configure port forwarding, because Zerotier will do all the work for you and automatically set up the best configuration according to your network.
  • Zerotier works out of the box in every network environment (unless the administrator explicitly bans Zerotier servers), even on very restrictive networks that allow only HTTP and HTTPS (proof here).

Requirement

  • An already installed Pi-Hole server

Tutorial

First part : Configure Pi-Hole on your Zerotier Network

  1. Create an account on the Zerotier website: ZeroTier Central
  2. After creating your account, head over to the network section: ZeroTier Central and then click on the blue Create Network button.
  3. A new network should come up:
  4. Click on the new network and then leave the page open; you will need the network ID in a couple of steps:
  5. You may want to change the name of the network and the IPv4 Auto-Assign to numbers that are easier to remember, for example: 192.168.192.*:
  6. Open an SSH connection to your Pi-Hole server and then install Zerotier using this command:
    curl -s https://install.zerotier.com/ | sudo bash
  7. When you get this message: Success! You are ZeroTier address. you are ready to join your virtual network using this command:
    sudo zerotier-cli join network_id
    You need to replace network_id with the Network ID specified on the Zerotier Central page that you opened a minute ago.
  8. Then you should get a success message: 200 join OK. If that's the case, return to the Zerotier Central page.
  9. Scroll down until the One device has joined this network. message.
  10. You will now need to accept your Pi-Hole server to join the network by checking the box just below the Auth?:
  11. Then wait a bit until the red line switches to green and you get a third IP in the Managed IPs column.
  12. Give a name to your Pi-Hole server in the short name field.
  13. Change the IP of your Pi-Hole server in the Managed IPs column to numbers that are easier to remember, for example mine is 192.168.192.1 because the network is set to 192.168.192.* inside the IPv4 Auto-Assign box. Don't forget to delete the old managed IP.
  14. Open a page to your Pi-Hole DNS Settings: http://pi.hole/admin/settings.php?tab=dns
  15. Check the Listen on all interfaces box to allow the devices from your Zerotier Network to use your Pi-Hole and then save:
  16. That's it, you have now configured your Pi-Hole server with Zerotier!

Second part: Configure your device(s) to use your Pi-Hole through your Zerotier Network

Windows (7, 8, 8.1 and 10)

Setup Zerotier

  1. Install the Zerotier application: https://download.zerotier.com/dist/ZeroTier%20One.msi (don't uncheck the Start Zerotier at the end of the installation).
  2. A Zerotier One window will come up; you have to log in with your account.
  3. You will then be greeted to join a network; you just have to join your network:
  4. Click on done and then accept the new blue network window on the right if you are on Windows 8/8.1/10.

Change the DNS servers

I won't explain to you in detail how to change your DNS servers because there are already loads of tutorials on the Internet to guide you, but here is a good tutorial to help you: How to Change DNS Servers in Windows

When configuring the IP of the DNS server (the 11th step if you followed the tutorial that I linked), you have to enter the managed IP (Zerotier) of your Pi-Hole server (available on the Zerotier Central page).
If you have followed the first part to the letter, please make sure to enter 192.168.192.1 and you should have a result similar to mine:

Android

Setup Zerotier

  1. Install the Zerotier One app from the Google Play Store: https://play.google.com/store/apps/details?id=com.zerotier.one
  2. Run it and then tap on the + button at the top right of the app:
  3. Enter your Network ID and then check the "Use Custom DNS servers" box:
  4. Enter the managed IP (Zerotier) of your Pi-Hole server in the first IPv4 DNS field and then tap the "Add Network" button:
  5. Return to the Zerotier Central page.
  6. You will see a new device that has a red vertical line. You just have to do the same thing as in the first part: click on the box in the Auth? column to allow the device to join the network.
  7. Now you are ready to initiate the connection in the Zerotier One app on your Android device by activating the slider inside the network box:

Linux (Ubuntu, Linux Mint, Fedora and more)

Setup Zerotier

The installation of Zerotier on Linux is very similar to the first part. You just have to follow from the 6th step to the 10th step.

Note to Arch Linux users: there is an official package for Zerotier: https://www.archlinux.org/packages/community/x86_64/zerotier-one/

Change the DNS servers

Configuring the DNS servers on Linux depends heavily on the graphical interface, but here are some tutorials for the popular Linux distributions anyway:

When configuring the IP of the DNS server, enter the managed IP (Zerotier) of your Pi-Hole server. If you have followed the first part to the letter, please make sure to enter 192.168.192.1.

MacOS

Setup Zerotier

I don't personally own an Apple device, but it's possible to install Zerotier on your Mac by installing the .pkg available on Zerotier's download page: https://www.zerotier.com/download.shtml (Apple Macintosh).
If you need some help here is a good tutorial that I found on the Internet: https://www.stratospherix.com/support/setupvpn_02a.php

Change the DNS servers

Here is a tutorial to help you change the DNS servers on your Mac: https://serverguy.com/kb/change-dns-server-settings-mac-os/

When configuring the IP of the DNS server, enter the managed IP (Zerotier) of your Pi-Hole server. If you have followed the first part to the letter, please make sure to enter 192.168.192.1.

iOS (iPhone / iPad / iPod Touch)

Setup Zerotier

You can install Zerotier on your iOS device by installing the official app from the App Store: https://itunes.apple.com/us/app/zerotier-one/id1084101492?mt=8
If you need some help here is a good tutorial that I found on the Internet: https://www.stratospherix.com/support/setupvpn_03.php

Change the DNS servers

Here is a tutorial to help you change the DNS servers on your iOS based device: https://appleinsider.com/articles/18/04/22/how-to-change-the-dns-server-used-by-your-iphone-and-ipad

When configuring the IP of the DNS server, enter the managed IP (Zerotier) of your Pi-Hole server. If you have followed the first part to the letter, please make sure to enter 192.168.192.1.


I hope you liked my tutorial, please don't forget to upvote the post on Reddit & like this post on the forum and leave feedback in the comments!

16 Likes
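
Added example, not part of the original post: shell functions for the Pi-hole host that check the two things the first part of the tutorial depends on, namely that the ZeroTier membership is authorized (status OK with a managed IPv4 address) and that DNS is bound to that address or to all interfaces. The function names, the sample network ID and the sample command outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the Pi-hole host after the first part.
# Each function reads command output on stdin, so it works on the
# constructed samples below as well as on the live commands.

# Print the managed IPv4 of network $1, but only if its status is OK
# (a member that is not yet authorized has no usable address).
# stdin: output of `zerotier-cli listnetworks`
zt_managed_ip() {
  awk -v id="$1" '
    # 200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ips>
    # Counting from the end keeps this correct when <name> has spaces.
    $2 == "listnetworks" && $3 == id && $(NF-3) == "OK" {
      n = split($NF, ips, ",")
      for (i = 1; i <= n; i++)
        if (ips[i] ~ /^[0-9.]+\/[0-9]+$/) { ip = ips[i]; sub(/\/.*/, "", ip); break }
    }
    END { if (ip == "") exit 1; print ip }'
}

# Print the local addresses with a listener on port 53, one per line.
# stdin: output of `ss -H -lntu` (column 5 is Local Address:Port)
dns_listeners() {
  awk '$5 ~ /:53$/ { a = $5; sub(/:53$/, "", a); print a }' | sort -u
}

# Succeed if DNS is bound to address $1 or to a wildcard address.
# stdin: output of `ss -H -lntu`
dns_listens_on() {
  dns_listeners | grep -Fxq -e "$1" -e "0.0.0.0" -e "*" -e "[::]"
}

# Constructed samples; the network ID and MAC are made up.
SAMPLE_ZT='200 listnetworks <nwid> <name> <mac> <status> <type> <dev> <ZT assigned ips>
200 listnetworks 0123456789abcdef my pihole net 02:00:00:aa:bb:cc OK PRIVATE ztabcdef12 fd00::1/88,192.168.192.1/24'
SAMPLE_SS_ALL='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*'
SAMPLE_SS_ETH='udp UNCONN 0 0 192.168.1.2:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:*'

# Live use on the Pi-hole host (NETWORK_ID is a placeholder):
#   ip=$(sudo zerotier-cli listnetworks | zt_managed_ip "$NETWORK_ID") &&
#     ss -H -lntu | dns_listens_on "$ip" && echo "DNS reachable on $ip"
```

If `dns_listens_on` fails while the membership is OK, the DNS server is still bound to a single LAN interface and clients on the ZeroTier network will get no answer.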

Thanks for the guide @unixfox, and welcome to the community!

1 Like

Thanks for the how-to, didn't know Zerotier before.

I use OpenVPN on the Raspi by only routing DNS to use Pi-hole on my iPhone. This also works over my company's WiFi as the OpenVPN server listens on TCP/443 - mostly open. Unfortunately Zerotier isn't usable in companies as you need access to UDP/9993 - mostly closed.

2 Likes

So they close 9993 outbound as well? That's strange since most of the company networks I've seen have unrestricted outbound while inbound is usually closed.

1 Like

Thank you for your feedback!

Actually, according to the README of the project, Zerotier is capable of automatically switching to port 443 to avoid restrictions.

It will be slower than a direct route to your server because the encrypted packets will go through the root servers but it should be perfectly fine for DNS requests.
I'll try to replicate this type of environment tonight on my VM to see if it's viable.

2 Likes

I think every properly and seriously configured company network only allows outgoing web-connections (80/443, maybe 8080/8443 too), all other ports are blocked.

I'm getting back to you with my tests to check whether Zerotier works in a network similar to your company's, and the result is yes, it works, but a bit slower than a direct route (as expected).

Here are my firewall rules on the local network:


If I ping a device (hosted in Europe) inside my virtual network I get a ping of around 210ms, probably because the Zerotier root servers are located in the USA and I'm in Europe so depending on your location you will probably have a lower ping than mine:

user@ubuntu:~$ ping 192.168.192.1
PING 192.168.192.1 (192.168.192.1) 56(84) bytes of data.
64 bytes from 192.168.192.1: icmp_seq=1 ttl=64 time=209 ms
64 bytes from 192.168.192.1: icmp_seq=2 ttl=64 time=210 ms
64 bytes from 192.168.192.1: icmp_seq=3 ttl=64 time=210 ms
64 bytes from 192.168.192.1: icmp_seq=4 ttl=64 time=210 ms
64 bytes from 192.168.192.1: icmp_seq=5 ttl=64 time=209 ms
--- 192.168.192.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 209.236/209.896/210.163/0.457 ms

So for the DNS requests I get around 0.5s of response time:

user@ubuntu:~$ time nslookup google.com 192.168.192.10
Server:		192.168.192.10
Address:	192.168.192.10#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.168.206
Name:	google.com
Address: 2a00:1450:400e:80c::200e

real	0m0.487s
user	0m0.015s
sys	0m0.014s

Which is not bad compared to without the firewall restriction:

user@ubuntu:~$ time nslookup google.com 192.168.192.10
Server:		192.168.192.10
Address:	192.168.192.10#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.168.206
Name:	google.com
Address: 2a00:1450:400e:80c::200e


real	0m0.100s
user	0m0.019s
sys	0m0.009s

So in conclusion, there is around 400ms of additional latency (in Europe) when running Zerotier behind a very restrictive firewall but Zerotier can really work in every network.

Maybe I'm wrong, but I think the above configuration doesn't work while on a cellular connection. On mobile devices you can change the DNS server for a WiFi connection, but not for a cellular connection.

While joining a ZeroTier network there is also an option "Use custom DNS Servers" in the client. What if we enter the Pi-hole IP address there?

Sorry for my very late reply.

According to a Reddit user, it's possible to use your Pi-hole through Zerotier on a cellular connection.
Like you said, you need to set "Use custom DNS Servers" to the IP of your Pi-hole server assigned in the Zerotier network.

EDIT: I just updated the tutorial with this new setting so if you refollow the Android section it will work even on a cellular connection.

2 Likes

Fantastic guide. Works perfectly.
Now I wish that from outside my network I could access all devices (besides the 192.168.192.x ones that have Zerotier installed), also those on 192.168.1.yyy.

Tried a couple of guides but they didn't work.

Thank you for your feedback! I really appreciate it.

I haven't set up a way to access my LAN from Zerotier yet, so I won't be able to help you, but you could ask on Zerotier's community forum for some help: https://my.zerotier.com/community.

1 Like

Thanks, tried, but no answer, probably because they do not have a proper forum.

After the step of connecting my Pi to the Zerotier network, it lost its Internet connection.

Did all the right things but my phone could not ping the Pi-hole; both joined the network though.
Using iPhone 7 Plus, iOS 12.3.1

This is wonderful, I used this setup and the performance really impresses me, considering that my home connection is very limited.

Thanks for sharing it!

Thanks for the guide

1 Like

This really is awesome, I am so glad I ran into this post. Thanks so much for it.

Hey, thanks for the guide! Unfortunately I have tried this multiple times now and it never worked. I am a little lost on what to do... I never managed to make a client forward a DNS request through Zerotier. Whenever I activate it on my phone it just loses its Internet connection, and my Windows computer does too.

I made sure I followed your steps very precisely, so I wonder what is missing?

I am using Pi-hole on Fedora, Android and Windows 10.

1 Like

What is the advantage of this method over accessing the home network via WireGuard/OpenVPN? The only limitation with the latter method is the open port on the router for the VPN?