Setting up Pi-hole with PiVPN for the first time - a few doubts

Hello everyone,

I just bought a Raspberry Pi 4 and I am really looking forward to setting up Pi-hole and PiVPN.
This is all new to me, but I did some research online and I have a couple of questions, if I may.

My setup: ISP's modem (internet speed 150 Mbit/s), router TP-Link Archer C6 V2, 1x Raspberry Pi 4, a small network with 2 laptops and 3 smartphones. No static IP address. I also have a Mullvad account.

My goal: I want to use Pi-hole to get rid of the ads and telemetry on all devices. I want to install PiVPN with WireGuard to be able to connect to my network from outside.

Q1: Should I add these lists to the default one, or is less more? I would like to avoid false positives.

Q2: I am a little bit confused about DNS. My present idea is to set the IP address of my RPi in my router as the DNS server, to be able to use Pi-hole on all my devices. Do I set the secondary DNS the same as the primary? Do I have to turn off DHCP on my router and turn it on on the RPi?

Q3: I will try Cloudflare as my upstream DNS provider. Is it worth also installing cloudflared to have DoH?

Q4: Should I bother with unbound?

Q5: During the installation of PiVPN with WireGuard, is it advisable to change port 51820 to something else to make life harder for a potential intruder? Can I just add a random number at the end?

Q6: As I don't have a static IP, I will use www.noip.com. Do I have to set up noip.com also in my router, or just on the RPi?

Q7: I need to use Mullvad VPN from time to time; will it run on my setup?

I hope these questions are not too stupid. Many thanks.

It's your choice. The more blocklists, the more opportunity for false positives. If you don't see ads now, you don't need more blocking.

That said, the ticked lists from that collection are fairly safe.

Depends on the router. You want Pi-hole to be the only DNS server available to clients. Some routers will auto-fill an empty second slot with the ISP DNS, for example. You can enter the same IP twice, if the router supports it. If not, then try 0.0.0.0 or an unused IP from your LAN range.

Unbound will offer you greater privacy than using a third party upstream DNS server - nobody is collecting your DNS history. Plus, you have complete control of your own resolver; no filtering, etc.

Not really. Changing ports doesn't provide any meaningful security improvement.

It will run, but when you use a commercial VPN your DNS traffic will no longer go to Pi-hole. This is done to prevent DNS leaks (DNS traffic outside the tunnel).

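The last point of the reply above, that a commercial VPN tunnel replaces Pi-hole as the resolver, comes down to one line of the WireGuard client config: wg-quick installs whatever the active tunnel's `DNS =` line says as the system resolver. The added example below (my code, not from the thread, PiVPN or Mullvad) parses two constructed client configs, a PiVPN-style one whose DNS points at the Pi over the tunnel and a commercial-VPN-style one whose DNS points at the provider's resolver, and reports which one still routes DNS through Pi-hole. All addresses, key placeholders and the assumed Pi-hole IP 192.168.1.2 are invented sample values.

```python
"""Which resolver will a WireGuard tunnel install?

Added example, not code from the thread, PiVPN or Mullvad. wg-quick applies
the `DNS =` line of the active tunnel's [Interface] section to the system
resolver, so while a commercial VPN tunnel is up its resolver replaces
Pi-hole (that is the "no DNS leak" behaviour the reply describes).
The configs below are constructed samples: keys, subnets, endpoints and the
Pi-hole address are placeholders, not real values.
"""
import configparser

PIHOLE_LAN_IP = "192.168.1.2"   # assumed LAN address of the Pi; adjust to yours

# Constructed PiVPN-style client config: DNS points at the Pi through the tunnel.
PIVPN_CLIENT = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.6.0.2/24
DNS = 192.168.1.2

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = myhome.example.ddns:51820
PersistentKeepalive = 25
"""

# Constructed commercial-VPN-style config: DNS points at the provider's resolver.
COMMERCIAL_CLIENT = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.99.0.7/32
DNS = 10.99.0.1

[Peer]
PublicKey = <provider-public-key>
AllowedIPs = 0.0.0.0/0, ::0/0
Endpoint = vpn.example.net:51820
"""


def tunnel_dns(conf_text: str) -> list[str]:
    """Return the resolver addresses a wg-quick config would install (may be empty)."""
    # strict=False tolerates configs with several [Peer] sections;
    # interpolation=None keeps '%' in values from being interpreted.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep key case as written (DNS, not dns)
    cp.read_string(conf_text)
    raw = cp.get("Interface", "DNS", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def uses_pihole(conf_text: str, pihole_ip: str = PIHOLE_LAN_IP) -> bool:
    """True only if every resolver the tunnel installs is the Pi-hole.

    A config with no DNS line installs nothing and leaves whatever the client
    had before, so it is not counted as going through Pi-hole either.
    """
    servers = tunnel_dns(conf_text)
    return bool(servers) and all(s == pihole_ip for s in servers)


if __name__ == "__main__":
    for name, conf in (("PiVPN client", PIVPN_CLIENT), ("commercial VPN", COMMERCIAL_CLIENT)):
        print(f"{name}: DNS={tunnel_dns(conf)} via Pi-hole={uses_pihole(conf)}")
```

Run it against your own client configs to see at a glance which tunnel keeps ad blocking and which one bypasses it; the practical consequence is that while the Mullvad tunnel is up, the Pi-hole query log will show nothing from that client.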

Thank you for this!
I just found this guide; I will try to follow it and see what happens.

Is it generally suggested to turn off DHCP on my router and let the RPi handle it?

No. Use the DHCP server that best meets your needs. If you are happy with router DHCP, keep using it.


Thank you. I am in the middle of configuring unbound following the guide from GitHub, and there is a part in the config file:

# IPs authorized to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 192.168.x.0/24 allow

The last line's IP address should be replaced with the subnet mask from my router's LAN settings, right?

Yes, replace it.
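What goes on that last line is the LAN network in CIDR notation (for example 192.168.1.0/24), which you derive from the two values the router's LAN page shows, its IP and the dotted subnet mask, rather than the mask itself. The added example below (my code, not from the thread or from the unbound/Pi-hole guide) does that derivation with the standard-library `ipaddress` module, renders the full access-control block, and checks which client addresses the rules would admit. The router IP, mask and client addresses are constructed sample values.

```python
"""Build and check the unbound access-control block for a home LAN.

Added example, not part of the original thread or of the unbound/Pi-hole
projects. The router's LAN settings show an IP (e.g. 192.168.1.1) and a
subnet mask (e.g. 255.255.255.0); unbound wants the *network* in CIDR
notation (192.168.1.0/24), so this derives it instead of pasting the mask.
All sample values are constructed.
"""
import ipaddress


def lan_cidr(router_ip: str, subnet_mask: str) -> str:
    """Return the LAN network in CIDR form from a router IP and dotted mask."""
    # strict=False accepts a host address (the router's own IP) and
    # returns the network it belongs to, with host bits cleared.
    net = ipaddress.ip_network(f"{router_ip}/{subnet_mask}", strict=False)
    return str(net)


def access_control_block(router_ip: str, subnet_mask: str) -> str:
    """Render the rules: refuse the world, allow loopback and the LAN only."""
    return "\n".join([
        "# IPs authorized to access the DNS Server",
        "access-control: 0.0.0.0/0 refuse",
        "access-control: 127.0.0.1 allow",
        f"access-control: {lan_cidr(router_ip, subnet_mask)} allow",
    ])


def is_allowed(client_ip: str, router_ip: str, subnet_mask: str) -> bool:
    """Would a client pass the rules above?

    unbound applies the most specific matching rule, so loopback and the LAN
    network are allowed and every other source falls through to the
    0.0.0.0/0 refuse line.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip == ipaddress.ip_address("127.0.0.1"):
        return True
    return ip in ipaddress.ip_network(lan_cidr(router_ip, subnet_mask))


if __name__ == "__main__":
    # Constructed values: a typical consumer router LAN.
    print(access_control_block("192.168.1.1", "255.255.255.0"))
    for client in ("192.168.1.50", "127.0.0.1", "8.8.8.8"):
        print(client, "->", "allow" if is_allowed(client, "192.168.1.1", "255.255.255.0") else "refuse")
```

Keeping the default `refuse` and allowing only loopback plus the LAN is the safe shape: Pi-hole on the same host reaches unbound over 127.0.0.1, the LAN rule lets you query unbound directly from a laptop for testing, and anything arriving from outside the LAN is rejected.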
