DEV Community

Martin André

Block most ads on any device (Wireguard + Pi-Hole)

We all know how annoying ads can be, and blocking them typically involves installing an ad-blocker on each device, browser, ... In this guide I'll show you how to block ads on most devices (iPhone, Mac, Android, Windows, ...).

Overview

Pi-Hole is a general-purpose, network-wide ad-blocker that protects your network from ads & trackers. Its main advantage over a browser ad-blocker is that it blocks ads in any type of software.

Prerequisites

  • A VPS (near you or in the country you want to be)
  • Know the basics of Linux
  • Some 30 free minutes in your schedule

There are plenty of VPS providers. I've personally chosen Hetzner, but Linode is also really good! (You can use my Hetzner link to get $20 cloud credits.)

Setting up Wireguard

It takes no time to install Wireguard on Linux thanks to angristan.

curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh

Go read the README to learn how to use the script.

Setting up Pi-Hole

All you need to do is run this single command:

curl -sSL https://install.pi-hole.net | bash

During setup you will be asked which interface Pi-Hole should listen on. Choose wg0, so that it only answers queries arriving through the VPN tunnel.

Optional: install Unbound

sudo apt install unbound

You might have to configure Unbound for it to be fasttttt.

vim /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: yes
    prefer-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes
    cache-min-ttl: 300
    cache-max-ttl: 86400
    serve-expired: yes
    msg-cache-size: 50m
    rrset-cache-size: 100m
    num-threads: 1
    so-reuseport: yes
    so-rcvbuf: 4m
    so-sndbuf: 4m
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

You can finally restart unbound.

sudo service unbound restart

Optional: Configure Pi-Hole for Unbound

Since you are using Unbound, you have to disable Pi-Hole's DNS cache and point Pi-Hole at the local Unbound instance as its upstream DNS server instead of Cloudflare, ...

vim /etc/pihole/setupVars.conf

WEBPASSWORD=
BLOCKING_ENABLED=true
ADMIN_EMAIL=
WEBUIBOXEDLAYOUT=traditional
WEBTHEME=default-dark
PIHOLE_INTERFACE=wg0
IPV4_ADDRESS=
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
CACHE_SIZE=0
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=127.0.0.1#5335
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
REV_SERVER=false

And finally you can repair Pi-Hole using:

pihole -r

You can now open your Pi-Hole dashboard at http://ip/admin and check that your settings are correctly configured.

Dashboard > Settings > System > FTL Information
>>> DNS cache size should be = 0.
Dashboard > Settings > DNS > Upstream DNS Servers
>>> Custom 1 (IPv4) = 127.0.0.1#5335
>>> Everything else should be unchecked.
Dashboard > Settings > DNS > Interface listening behavior
>>> Listen only on interface wg0.
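
The same three dashboard checks can be run against the config file itself. This is an added example, not part of the original post or of Pi-hole: `get_var` and `check_setupvars` are hypothetical helper names, the sample file is constructed, and `PIHOLE_DNS_2` onward are assumed to be the keys Pi-hole writes for additional upstream servers.

```shell
#!/bin/sh
# Added example (not from the post): audit setupVars.conf against this guide.

# Print the value of KEY ($1) in FILE ($2); the last assignment wins.
get_var() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Hypothetical helper: returns 0 if FILE matches the guide, else the
# number of deviations found.
check_setupvars() {
    file=$1
    bad=0
    # key=value pairs copied from the setupVars.conf shown in the guide
    for pair in "PIHOLE_INTERFACE=wg0" "DNSMASQ_LISTENING=single" \
                "CACHE_SIZE=0" "PIHOLE_DNS_1=127.0.0.1#5335"
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(get_var "$key" "$file")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected '$want', found '${got:-<unset>}'"
            bad=$((bad + 1))
        fi
    done
    # "Everything else should be unchecked": PIHOLE_DNS_2, _3, ... would be
    # extra upstreams that do not go through Unbound.
    extra=$(grep -E '^PIHOLE_DNS_([2-9]|[1-9][0-9]+)=' "$file" || true)
    if [ -n "$extra" ]; then
        echo "FAIL extra upstream resolver(s): $extra"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ] && echo "OK: $file matches the guide"
    return "$bad"
}

# Constructed sample: default cache size and a public upstream left enabled.
sample=$(mktemp)
printf '%s\n' 'PIHOLE_INTERFACE=wg0' 'DNSMASQ_LISTENING=single' \
    'CACHE_SIZE=10000' 'PIHOLE_DNS_1=127.0.0.1#5335' \
    'PIHOLE_DNS_2=1.1.1.1' > "$sample"
check_setupvars "$sample" || echo "$? deviation(s) found"
rm -f "$sample"
```

On the server, call `check_setupvars /etc/pihole/setupVars.conf` after running `pihole -r`.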

Conclusion

And that's pretty much it!

All you have to do now is generate a client config for your Wireguard server and install it on any device. Once the connection is established, you can say bye bye to ads and hello to anonymity.
