Running my free cloud-based Pihole, notes

Google Compute Engine offers a free f1-micro VM (free forever tier).

Provision it using the Debian GNU/Linux 9 (stretch) image.

Add a static public IP for this instance.

Installation of Pihole was flawless using the curl/bash command-line. Use Google DNS as the backend resolver.

Add a firewall rule (using the Google Cloud VPC network settings) to allow public DNS queries (allow 0.0.0.0/0 to access TCP/UDP port 53) for this instance. If you are only using Google cloud to run this little instance, then you might as well apply this firewall rule to all instances in your VPC instead of specifying which instances the firewall rule is applicable to (which may require you to tag instances etc.).

Replace the DNS server entry in /etc/resolv.conf on this instance with 127.0.0.1.

Test out the Pihole resolver from your home computer by setting the instance's public IP to be your DNS server in your TCP/IP settings.

...

To ensure I am always using it, I added the public IP of this instance to my wi-fi router. But the wi-fi router was still adding itself as a secondary DNS server and there was no way to override it. So, sometimes, since the latency to the Google instance was obviously greater, my computer was using the wi-fi router as the DNS server, which was in turn getting its DNS queries resolved via the ISP. Not good.

But there was an easy fix. In the router's WAN settings, I updated the DNS server to be again the Pihole. So, even if my home computer was referring to the router's IP address as the DNS server, I was still able to use Pihole.

Now that the home network was ad-blocked, the next step was to ad-block my phone, no matter which network I was using.

I installed the DNS Changer app (https://play.google.com/store/apps/details?id=com.burakgon.dnschanger&hl=en_US) on my Android phone. This app creates a virtual VPN which uses your specified DNS server on all networks (even on mobile data). Keep the VPN running; it doesn't consume much in terms of CPU/RAM.

This is working beautifully so far.

There was a hiccup when Pihole showed "0 domains blocked" for some reason. I just updated the gravity (query lists) again and all was well.

The easiest way to test was to go to an ad-block test site, or to nslookup retailwith.com. It should return 0.0.0.0.

It has been running for a few days now, and the CPU usage on the Google instance is less than 0.1%. I see many clients depending on how many IP addresses my phone gets as it roams through cell towers.

Hope you find it useful.

Please do not operate an open DNS resolver: http://openresolverproject.org/

It is recommended to instead use a VPN.

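The notes above open TCP/UDP 53 to 0.0.0.0/0, which is exactly the open-resolver situation this reply warns about. As an added example (my code, not from the thread or from Pi-hole), the script below sends one recursive A query to a resolver and reports whether it answered; run it from a network outside your firewall's allowed source range against your own instance's public IP (203.0.113.10 is a placeholder). A timeout or REFUSED means the firewall or VPN-only setup is working; RA set with answers means the resolver is still open to the internet.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Minimal recursive (RD=1) A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data):
    """Pull the header fields an open-resolver check cares about."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # this is a response
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def classify(resp):
    """Verdict for a parsed response, or None when nothing came back."""
    if resp is None:
        return "closed (no response)"          # firewall drop or VPN-only listener
    if resp["rcode"] == "REFUSED" or not resp["ra"]:
        return "closed (recursion refused)"
    if resp["answers"] > 0:
        return "OPEN RESOLVER"
    return "ambiguous (RA set, no answer)"

def check_resolver(ip, name="example.com", timeout=3.0):
    """Send one UDP query to ip:53 and classify whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            resp = parse_response(s.recvfrom(512)[0])
        except OSError:                        # timeout or ICMP port unreachable
            resp = None
    return classify(resp)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder IP
    print(target, "->", check_resolver(target))
```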

Have you created a DNS server (Pi-Hole) that is open to the internet?

Yes, so far. But I intend to install OpenVPN to restrict it.

This is a very bad practice. Just one of many articles on this subject: DNS Amplification Attacks | CISA.


Running it under OpenVPN now. No open ports and no public DNS. Thanks guys!


Here is a step by step guide for others looking to accomplish this on Google Cloud Platform:

Set up a Pi-Hole Ad Blocking VPN Server with a static Anycast IP on Google Cloud's Always Free Usage Tier and configure Full Tunnel or Split Tunnel OpenVPN connections from your Android, iOS, macOS, & Windows devices

Both Full Tunnel and Split Tunnel VPN connections provide DNS based ad-blocking over an encrypted connection to the cloud. The differences are:

  • A Split Tunnel VPN allows you to interact with devices on your Local Network (such as a Chromecast or Roku).
  • A Full Tunnel VPN can help bypass misconfigured proxies on corporate WiFi networks, and protects you from Man-In-The-Middle SSL proxies.

  Tunnel Type   Data Usage                Server CPU Load   Security              Ad Blocking
  full          +10% overhead for VPN     moderate          100% encryption       yes
  split         just kilobytes per day    very low          DNS encryption only   yes

@RajanNPatel absolutely amazing guide. Got everything up and running in no time, you are a legend.

I only have one question though. When I do a whatsmyip in Google while connected on any of the VPN tunnels, it says I am using an American IP address however while setting up my virtual machine I selected a European location in Google Cloud. Does Google Cloud default to their American servers or am I missing something very simple here?

Thanks man and keep up the good work. :)


I would encourage you to use the Split Tunnel VPN and not the Full Tunnel VPN. When your IP changes to your Google Compute Engine server, you are using full tunnel. This can get expensive over time, whereas split tunnel keeps you well within the free tier and does not change your IP.

@RajanNPatel Thank you for your guide!! All the steps are very clear!

I managed to get it working on my iOS device, even though iOS only allows one VPN to be connected at a time (only UDP is connected). However, I can't block ads on my laptop (macOS). I've checked all the steps multiple times and even restarted the process from the Pi-hole installation step. I made multiple VPN client profiles and tried both Tunnelblick and Viscosity.

On both devices, I can connect to the UDP profile but not to the TCP profiles.

At the moment, I don't know really how to troubleshoot this. Could you help me out?

Thank you in advance!

I have been trying to help another user with a similar issue, and that discussion is tracked here.

If the recommendations offered in that thread are not helpful, please log a new issue with your specific details and I can try and reproduce your setup and issue.

Thank you for getting back to me. I removed the manually configured DNS servers and it now shows 10.9.0.1 greyed out. The split tunnel configuration seems to be blocking ads on all devices for now. The status on blockads.fivefilters.org for macOS has changed from 'none' to 'partially blocking'.

Issues remaining are:

  • I still get the warning message from Tunnelblick as indicated in that thread.

  • Can't connect to TCP profiles on any of the devices.

However, I will try the current configuration for now and monitor performance before logging an issue.

If Tunnelblick is warning you that your IP Address isn't changing to the public IP address of your Google Compute Engine instance when you connect using the Split Tunnel UDP .ovpn profile - this is safe to ignore. This is purposefully done to send a minimal amount of traffic to the cloud. Only your DNS requests go to the cloud for the Pi-Hole filtering treatment.

Not being able to connect to the TCP Profiles is something that will likely not be addressed in the future. I am working on improvements that include setup and configuration instructions for stunnel, so that OpenVPN can masquerade as regular SSL traffic. Simply connecting with OpenVPN directly over Port 443 is not good enough for public Wi-Fi hotspots that perform deep packet inspection, to detect and block VPN usage.

Stay tuned, updates will be coming in the not so near future :)

Thanks for your message, everything you explain is very clear! I've recommended your approach to my friends. Looking forward to your future work!

The TCP connection issue is resolved; and the current guide reflects the steps necessary to make it work.

Great guide, but I have some questions. I was able to set this up on my Android and Windows computer without issue. Now I am trying to get the same setup as I had running Pi-hole locally on a Raspberry Pi. How would I set up my router so that all DNS goes through the Pi-hole on the Google Cloud?

With this setup, is it not possible to use Pi-hole for DNS on my router, or is there a way to still do this? This is cool, but it's not super convenient to have to have all my devices connect to a VPN to get ad blocking.


Would the same be achievable with WireGuard instead of OpenVPN?

I am currently looking for a solution that would work on a cellular network as well. It's just a bit of a hassle using OpenVPN because of the certificates. WireGuard is a lot more versatile.
Currently I run something in the cloud for ad blocking, using the firewall to make sure it's not an open DNS resolver. Just not sure how to set up WireGuard for split tunneling so only DNS traffic goes through the tunnel.


Sure, I put this project together for you and others asking for a Wireguard version: Set up a Pi-Hole Ad Blocking Wireguard VPN Server with Full Tunnel or Split Tunnel IPv6+IPv4 connections for your Android, iOS, Linux, macOS, & Windows devices, either in your home, or in the cloud.

There is a convenient setup.sh file which can configure Wireguard on many server distributions, but Ubuntu 20.04 is recommended, because you can benefit from the Wireguard Module which is available natively in the Linux Kernel, on that Linux distribution.

Setup time is under 5 minutes if you use the setup script, but you can certainly read through it and run the commands manually for the same effect.

Using WG on 20.04, but had to upgrade the kernel manually to 5.6 from Ubuntu mainline in order to have the kernel-based WireGuard. Multiple Ways To Upgrade Linux Kernel In Ubuntu 20.04 LTS | Itsubuntu.com. No affiliation, but that is the link I used (method 3) to easily upgrade the kernel.