Running my free cloud-based Pihole, notes

#1

Google Compute Engine offers a free f1-micro VM (free forever tier).

Provision it using the Debian GNU/Linux 9 (stretch) image.

Add a static public IP for this instance.

Installation of Pihole was flawless using the curl/bash command-line. Use Google DNS as the backend resolver.

Add a firewall rule (using the Google Cloud VPC network settings) to allow public DNS queries (allow 0.0.0.0/0 to access TCP/UDP port 53) for this instance. If you are only using Google cloud to run this little instance, then you might as well apply this firewall rule to all instances in your VPC instead of specifying which instances the firewall rule is applicable to (which may require you to tag instances etc.).

Replace the DNS server entry in /etc/resolv.conf on this instance with 127.0.0.1.

Test out the Pihole resolver from your home computer by setting the instance’s public IP to be your DNS server in your TCP/IP settings.

To ensure I am always using it, I added the public IP of this instance to my wi-fi router. But the wi-fi router was still adding itself as a secondary DNS server and there was no way to override it. So, sometimes, since the latency to the Google instance was obviously greater, my computer was using the wi-fi router as the DNS server which was in-turn getting its DNS queries resolved via the ISP. Not good.

But there was an easy fix. In the router’s WAN settings, I updated the DNS server to be again the Pihole. So, even if my home computer was referring to the router’s IP address as the DNS server, I was still able to use Pihole.

Now that the home network was ad-blocked, the next step was to ad-block my phone, no matter which network I was using.

I installed the DNS Changer app ( https://play.google.com/store/apps/details?id=com.burakgon.dnschanger&hl=en_US) on my Android phone. This app creates a virtual VPN which uses your specified DNS server on all networks (even on mobile data). Keep the VPN running, it doesn’t consume much in terms of CPU/RAM.

This is working beautifully so far.

There was a hiccup when Pihole showed “0 domains blocked” for some reason. I just updated the gravity (query lists) again and all was well.

The easiest way to test was to to go to an ad-block test site, or to nslookup retailwith.com. It should return 0.0.0.0.

It has been running for a few days now, and the cpu usage on the google instance is less than 0.1%. I see many clients depending on how many IP addresses my phone gets as it roams through cell towers.

Hope you find it useful.

#2

Please do not operate an open DNS resolver: http://openresolverproject.org/

It is recommended to instead use a VPN: https://docs.pi-hole.net/guides/vpn/overview/

2 Likes
Massive requests - tail log (open DNS resolver)
#3

Have you created a DNS server (Pi-Hole) that is open to the internet?

#4

yes, so far. but i intend to install OpenVPN to restrict it.

#5

This is a very bad practice. Just one of many articles on this subject: https://www.us-cert.gov/ncas/alerts/TA13-088A.

1 Like
#6

Running it under OpenVPN now. No open ports and no public DNS. Thanks guys!

3 Likes
#7

Here is a step by step guide for others looking to accomplish this on Google Cloud Platform:

Set up a Pi-Hole Ad Blocking VPN Server with a static Anycast IP on Google Cloud’s Always Free Usage Tier and configure Full Tunnel or Split Tunnel OpenVPN connections from your Android, iOS, macOS, & Windows devices

Both Full Tunnel and Split Tunnel VPN connections provide DNS based ad-blocking over an encrypted connection to the cloud. The differences are:

  • A Split Tunnel VPN allows you to interact with devices on your Local Network (such as a Chromecast or Roku).
  • A Full Tunnel VPN can help bypass misconfigured proxies on corporate WiFi networks, and protects you from Man-In-The-Middle SSL proxies.
Tunnel Type Data Usage Server CPU Load Security Ad Blocking
full +10% overhead for vpn moderate 100% encryption yes
split just kilobytes per day very low dns encryption only yes
2 Likes
#8

@RajanNPatel absolutely amazing guide. Got everything up and running in no time, you are a legend.

I only have one question though. When I do a whatsmyip in Google while connected on any of the VPN tunnels, it says I am using an American IP address however while setting up my virtual machine I selected a European location in Google Cloud. Does Google Cloud default to their American servers or am I missing something very simple here?

Thanks man and keep up the good work. :slight_smile:

1 Like
#9

I would encourage you to use the Split Tunnel VPN and not the Full Tunnel VPN - when your IP changes to your Google compute engine server - you are using full tunnel. This can get expensive over time, whereas split tunnel keeps you well within the free tier and does not change your IP

#10

@RajanNPatel Thank you for your guide!! All the steps are very clear!

I managed to get it working on my ios device, even though ios only allows one vpn to be connected at a time (only udp is connected). However, I cant block ads on my laptop (macos). I’ve checked all the steps multiple times and even restarted the process from the pi-hole installation step. I made multiple vpn client profiles and tried both tunnelblick and viscosity.

On both devices, I can connect to the UDP profile but not to the TCP profiles.

At the moment, I don’t know really how to troubleshoot this. Could you help me out?

Thank you in advance!

#11

I have been trying to help another user with a similar issue, and that discussion is tracked here.

If the recommendations offered in that thread are not helpful, please log a new issue with your specific details and I can try and reproduce your setup and issue.

#12

Thank you for getting back to me. I removed the manually configured DNS servers and it now shows 10.9.0.1 greyed out. The split tunnel configuration seems to be blocking ads on all devices for now. The status on blockads.fivefilters.org for MacOS has changed from ‘none’ to ‘partially blocking’.

Issues remaining are:

  • I still get the warning message from tunnelblick as indicated in that thread

  • Can’t connect to TCP profiles on any of the devices.

However, I will try the current configuration for now and monitor performance before logging an issue.

#13

If Tunnelblick is warning you that your IP Address isn’t changing to the public IP address of your Google Compute Engine instance when you connect using the Split Tunnel UDP .ovpn profile - this is safe to ignore. This is purposefully done to send a minimal amount of traffic to the cloud. Only your DNS requests go to the cloud for the Pi-Hole filtering treatment.

Not being able to connect to the TCP Profiles is something that will likely not be addressed in the future. I am working on improvements that include setup and configuration instructions for stunnel, so that OpenVPN can masquerade as regular SSL traffic. Simply connecting with OpenVPN directly over Port 443 is not good enough for public Wi-Fi hotspots that perform deep packet inspection, to detect and block VPN usage.

Stay tuned, updates will be coming in the not so near future :slight_smile:

#14

Thanks for your message, everything you explain is very clear! I’ve recommended your approach to my friends. Looking forward to your future work!

#15

The TCP connection issue is resolved; and the current guide reflects the steps necessary to make it work.

#16

Great guide but have some questions. I was able to set this up on my android and windows computer without issue. Now i am trying to get the same setup as i had running pi-hole locally on a raspberry pi. How would i setup my router so that all DNS goes through the pi-hole on the google cloud?

#17

With this setup is it not possible to use pihole for DNS on my router or is there a way to still do this? This is cool but it’s not super convenient to have to have all my devices connect to VPN to get ad blocking

1 Like