How to easily use your Pi-Hole outside of your personal network

Thanks for the guide @unixfox, and welcome to the community!

1 Like

Thanks for the how-to, didn't know Zerotier before.

I use OpenVPN on the Raspi by only routing DNS to use Pi-hole on my iPhone. This also works over my company's WiFi as the OpenVPN server listens on TCP/443 - mostly open. Unfortunately Zerotier isn't usable in companies as you need access to UDP/9993 - mostly closed.

3 Likes

So they close 9993 outbound as well? That's strange since most of the company networks I've seen have unrestricted outbound while inbound is usually closed.

1 Like

Thank you for your feedback!

Actually according to the README of the project Zerotier is capable to automatically switch to the 443 port to avoid restriction.

It will be slower than a direct route to your server because the encrypted packets will go through the root servers but it should be perfectly fine for DNS requests.
I'll try to replicate this type of environment tonight on my VM to see if it's viable.

2 Likes

I think every properly and seriously configured company network only allows outgoing web-connections (80/443, maybe 8080/8443 too), all other ports are blocked.

I'm getting back to you with my tests to checkout if Zerotier works in a similar network as your company and the result is yes it works but a bit slower than a direct route (it was expected).

Here are my firewall rules on the local network:


If I ping a device (hosted in Europe) inside my virtual network I get a ping of around 210ms, probably because the Zerotier root servers are located in the USA and I'm in Europe so depending on your location you will probably have a lower ping than mine:

user@ubuntu:~$ ping 192.168.192.1
PING 192.168.192.1 (192.168.192.1) 56(84) bytes of data.
64 bytes from 192.168.192.1: icmp_seq=1 ttl=64 time=209 ms
64 bytes from 192.168.192.1: icmp_seq=2 ttl=64 time=210 ms
64 bytes from 192.168.192.1: icmp_seq=3 ttl=64 time=210 ms
64 bytes from 192.168.192.1: icmp_seq=4 ttl=64 time=210 ms
64 bytes from 192.168.192.1: icmp_seq=5 ttl=64 time=209 ms
--- 192.168.192.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 209.236/209.896/210.163/0.457 ms

So for the DNS requests I get around 0.5s of response time:

user@ubuntu:~$ time nslookup google.com 192.168.192.10
Server:		192.168.192.10
Address:	192.168.192.10#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.168.206
Name:	google.com
Address: 2a00:1450:400e:80c::200e

real	0m0.487s
user	0m0.015s
sys	0m0.014s

Which is not bad compared to without the firewall restriction:

user@ubuntu:~$ time nslookup google.com 192.168.192.10
Server:		192.168.192.10
Address:	192.168.192.10#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.168.206
Name:	google.com
Address: 2a00:1450:400e:80c::200e


real	0m0.100s
user	0m0.019s
sys	0m0.009s

So in conclusion, there is around 400ms of additional latency (in Europe) when running Zerotier behind a very restrictive firewall but Zerotier can really work in every network.

Maybe I'm wrong, but I think the above configuration doesn't work while on a cellular connection. On mobile devices you can change the DNS server for a WiFi connection, but not for a cellular connection.

While joining a ZeroTier network there is also an option "Use custom DNS Servers" in the client. What if we enter the Pi-hole IP address there?

Sorry for my very late reply.

According to a reddit user, it's possible to use your pihole trough zerotier on a cellular connection.
Like you said you need to set "use custom DNS Servers" to the IP of your pihole server assigned in zerotier network.

EDIT: I just updated the tutorial with this new setting so if you refollow the Android section it will work even on a cellular connection.

3 Likes

Fantastic guide. Works perfectly.
Now I wish that from outside my network I can access all devices (beside 192.168.192.x that have Zerotier installed) also those 192.168.1.yyy

Tried a couple of guides but didn't work

Thank you for your feedback! I really appreciate.

I haven't setup a way to access my LAN from Zerotier yet, so I won't be able to help you but you could ask on the Zerotier's community forum for some help :smiley:: https://my.zerotier.com/community.

1 Like

Thanks, tried, but no answer, probably because they do not have a proper forum,

A post was split to a new topic: Zerotier + Pi-hole not working

After the step of connecting my pi to the zerotier network it lost internet connection

Do all the right thing but my phone could not ping the pi hole, both joined the network though.
Using iphone 7 plus, ios 12.3.1

This is wonderful, I used this setup and the performances really impress me, considering that my home connection is very limited.

Thanks for sharing it!

Thanks for the guide :+1:

1 Like

This really is awesome, I am so glad I ran into this post. Thanks so much for it.

Hey thanks for the guide! Unfortunately I tried this multiple times now and it never worked. I am a little lost on what to do... I never managed to make a client forward a dns request through zerotier. Whenever I activate it on my phone it just loses internet connection and my windows computer too.

I made sure I followed your steps very precisely so I wonder what is missing?

I am using pi hole on fedora, android and windows 10.

what is the advantage of this method then accessing home network via wiregaurd/openVPN? only limitation with later method is open port on router for VPN?

Thanks a lot for that. This is exactly what i was looking for, with my isp cgn this the only working guide and it is way faster than other vpn methods.

Btw did you find a way to connect to other devices on the lan without ZeroTier installed?