
Setting Up an Ad-Blocking VPN with WireGuard and Pihole - sethgecko
https://drexl.me/guides/wireguard-pihole-vpn-setup.html
======
dclusin
I found DNS ad-blocking solutions to be pretty lackluster and lots of ads were
still getting through. With uBlock Origin only sites ahead of the curve were
getting their ads through (porn sites, facebook, etc.). Couple this with
Bypass Paywalls[1] browser extension and the web is pretty usable.

I also tried to go one step further and set up mitm-proxy to man-in-the-middle
all of my traffic to see if I could do more invasive but thorough ad
filtering. Certificate pinning from the likes of instagram, facebook, apple,
and google really stymied this approach. So all in all, I don't see much
benefit from DNS adblocking instead of ublock origin.

1 - [https://github.com/iamadamdev/bypass-paywalls-chrome](https://github.com/iamadamdev/bypass-paywalls-chrome)

~~~
stevesearer
I count my site to be ahead of the curve in a different direction in that we
sell and host our own advertising (static jpgs) and do not use any 3rd parties
for ads. This helps us control the ads content as well as get to keep 100% of
ad revenue.

The only 3rd party thing we use is Google Analytics and a Google font, but the
site still works fine when users block them.

~~~
smolder
This is the best thing for the web, I think. It doesn't seem as good for
advertisers in terms of utility for targeting, but on the flip side, I for one
am more willing to support sponsors when they have a direct relationship with
the content provider.

~~~
stevesearer
You don't really need advanced targeting analytics when your content is narrow
enough and draws a particular type of reader.

In our case, readers are likely interested in office design/office furniture
products because all we do is publish office design project images and
information.

I have an idea I'm hoping to work on in the coming years which aims to move
the web back in this direction now that I've had some years of experience
doing it.

------
oil25
The rationale stated for this work is preventing ISPs from being able to
monitor and potentially sell information about Internet usage, which is
reasonable and worthwhile. But by hosting a VPN with a third party, haven't we
simply reassigned the same responsibility to someone else rather than absolve
it? Is Digital Ocean more trustworthy than, say Cox Communications? How is
this risk to be calculated, especially by a layperson?

I believe low-latency anonymizing networks like Tor might be better suited
for accomplishing the task of obscuring one's own network traffic. In
fact, I'm typing this comment from Firefox with uBlock Origin configured to
use a Tor SOCKS proxy which is always running locally - eliminating ads and
making little attributable netflow in my wake.

~~~
yjftsjthsd-h
> Is Digital Ocean more trustworthy than, say Cox Communications?

Dunno about Cox, but I promise you I trust Digital Ocean far more than I will
ever trust Comcast or AT&T. Even if they didn't have a history of being bad
actors (and they do), a lot of people have exactly one choice of ISP but
dozens of choices for hosting in the cloud, so the incentives are much more
favorable.

~~~
leetbulb
Most of these residential ISPs that people hate are also major (T1/T2)
upstream providers for companies like DO. If not already, at some point, these
providers are going to just sniff VPN traffic straight off of their backbones.

Say your ISP is Comcast... If Comcast knows you are connected to some VPS via
VPN, it's likely that anything coming out of that VPN is yours. And if Comcast
(or some subsidiary or partner) is also the upstream provider for that VPS,
they could pretty easily make some correlations.

~~~
davidu
This isn't really true. The wholesale networks are operating at speeds that
make _this kind_ of sniffing impractical. I'm not saying they don't ever
siphon traffic for LEO or other reasons, but not for privacy-violating/ad-
targeting reasons. DO probably is running 40gbps alone with each transit
provider, plus sending traffic over peering circuits, so it's just way less
practical.

So what you are suggesting isn't actually true, and it's hardly hypothetically
even possible.

~~~
kingosticks
Maybe I misunderstand, but why is this considered impossible? Network processors
read data from a packet, make decisions based on that, and then rewrite
arbitrary parts of the packet. All on the fast path. This sounds doable if you
had the custom firmware that did that. It'd just be a huge waste of money
considering your very, very expensive network box.

~~~
kingosticks
Ahh so maybe it's because the packet, once out of the VPN and heading to its
destination, is (normally - it is 2019 after all!) TLS encrypted so you can't
just modify the payload like I said. Fair enough.

------
corysama
Tangentially related: The best feature of Firefox Focus for iOS is that it
also works as a free, local-only (no VPN routing) ad-blocker for Mobile
Safari. So, you can install it, never actually run it, and it makes Safari so
much more usable.

Probably works similarly for Android

~~~
chewz
No Safari on Android, so ad-blocking doesn't work like it does on iOS :-)

Firefox Focus itself works all right on Android Pie. You can even set it as
default browser for opening links in place of Android Web View.

Android Pie has DNS-over-TLS for both WiFi and LTE so I am ad-blocking via my
private DNS server and blacklists.

------
nominated1
Seemingly every other week for months now a Pihole post makes the front page
on HN. Every time I wonder why. IMO, it's just a DNS black hole with a slick
interface.

Before adblockers came along I had a script that updated my hosts file. I then
moved to a DNS black hole but it’s been more than a decade since I’ve used
either solution.

Do you people have that many hostile IoT / Smart thingies connected to your
networks? Are you just unwilling to pay for the ad-free versions of apps? Are
you using apps/services on these devices that don’t offer an ad-free option,
if so why? I’m genuinely curious.

~~~
buro9
> IMO, it's just a DNS black hole with a slick interface

This is why it gets to the front page.

It's a DNS black hole with a slick interface.

You run it and it does great by itself, manages the updates, and when it does
do something you don't want (or vice versa) there's this really slick
interface for figuring it out and correcting it.

We underestimate how much slick interfaces are worth, especially when they
take a chore that was almost entirely CLI-driven and make it a non-chore for
a bigger audience.

~~~
asutekku
This is a thing a lot of engineers don't seem to get. A slick interface is the
most important thing for the public; no one wants to use a terminal or advanced
settings to actually do anything related to your product.

------
sneak
Pihole is run by people who have no idea what they are doing.

[https://github.com/pi-hole/pi-hole/issues/2704](https://github.com/pi-hole/pi-hole/issues/2704)

[https://github.com/pi-hole/pi-hole/pull/2706](https://github.com/pi-hole/pi-hole/pull/2706)

~~~
snowwindwaves
Downloading a DNS blacklist over http instead of https is not that big a deal.

------
medius
I use [https://github.com/dan-v/algo](https://github.com/dan-v/algo) fork
which has Wireguard VPN and PiHole combined. It takes minutes to spin up a
Digital Ocean VPN and have it working on all my devices. I'm very happy with
this setup.

~~~
seppin
What does Algo use as default ad blocking if you select it in the setup?

~~~
angott
It doesn't really integrate the Pi-Hole distribution itself, but by default it
uses two hosts files (see
[https://github.com/trailofbits/algo/blob/master/config.cfg](https://github.com/trailofbits/algo/blob/master/config.cfg)
at line 72).

~~~
seppin
Interesting, have you tried the default and pi-hole and would be able to
compare the two?

~~~
medius
Pi-hole dashboard is quite useful to see what's being blocked and add new
domains/lists easily. For example, I also add all facebook domains
([https://github.com/jmdugan/blocklists/blob/master/corporatio...](https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all))
and sometimes Hacker news when I want to be productive.

------
sa1
algo is great for an automated setup of a secure WireGuard (and IPsec) server
with ad-blocking capabilities. DNS adblocking is necessary to block tracking
in iOS apps. Content Blockers only work with Safari.

------
wpowiertowski
I set up a similar system but with IPSec
([https://github.com/jawj/IKEv2-setup](https://github.com/jawj/IKEv2-setup))
and Pi-Hole on DO. The best part is that the linked IPSec setup is trivial to
install and also generates profile files that leverage the OS VPN capability
in any iOS device without needing to install extra apps (and also force VPN
connectivity by default so you don't need to remember to enable it)

------
sirtoffski
I wrote a couple of bash scripts to easily configure WireGuard server and
hosts. Automatically generates keys and puts them in correct configs. Adds
client info to the server config as an option. As a bonus it can configure
some iptables to enable NAT, vpn tracking, etc.

[https://github.com/SirToffski/WireGuard-Ligase](https://github.com/SirToffski/WireGuard-Ligase)

------
gdoptimizer
I did something similar by installing Wireguard as part of Streisand and then
PiHole on a VPS. One caveat was this combination accepted public DNS queries
by default. You would need to block it on your own. Otherwise the experience
was good for various connection scenarios and adblocking was a breeze.

Now I am using Algo + Steven's hosts files for the similar idea. No complaints
thus far.
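Putting the two comments above together (the config-generating scripts sirtoffski describes and the open-resolver caveat gdoptimizer ran into), here is an added example. It is my own script, not code from the linked guide, WireGuard-Ligase, Streisand, Algo or Pi-hole. It renders a WireGuard server config and one peer config whose DNS points at the Pi-hole inside the tunnel, and the PostUp rules accept port 53 only from the tunnel so pihole-FTL on the VPS does not answer the whole Internet. Every address and name is an assumption: tunnel 10.8.0.0/24 with the server at 10.8.0.1 and the first peer at 10.8.0.2, public interface eth0, UDP port 51820, endpoint vpn.example.com. Real keys are generated only when wg(8) is installed; otherwise placeholder strings show the shape.

```shell
#!/bin/sh
# Added example, not from the page or any project it mentions.
# Hypothetical addressing: tunnel 10.8.0.0/24, server 10.8.0.1, first peer
# 10.8.0.2, public NIC eth0, WireGuard on udp/51820, Pi-hole (pihole-FTL)
# answering on the server's tunnel address 10.8.0.1.
set -eu

WG_IF=wg0
PUB_IF=eth0
WG_NET=10.8.0.0/24
WG_SERVER_IP=10.8.0.1
WG_PEER_IP=10.8.0.2
WG_PORT=51820

# Firewall lines wg-quick runs on interface up. The NAT/FORWARD rules route
# peers out through eth0. The INPUT rules accept DNS only over wg0 from the
# tunnel subnet (plus the server's own lookups over lo) and drop the rest,
# which is what stops the Pi-hole from being an open resolver on the VPS.
firewall_rules() {
  cat <<EOF
iptables -t nat -A POSTROUTING -s $WG_NET -o $PUB_IF -j MASQUERADE
iptables -A FORWARD -i $WG_IF -j ACCEPT
iptables -A FORWARD -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $WG_IF -s $WG_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $WG_IF -s $WG_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP
EOF
}

# render_server_conf SERVER_PRIVATE_KEY PEER_PUBLIC_KEY
# PostDown repeats the same rule list with -A turned into -D so teardown
# removes exactly what setup added.
render_server_conf() {
  cat <<EOF
[Interface]
Address = $WG_SERVER_IP/24
ListenPort = $WG_PORT
PrivateKey = $1
$(firewall_rules | sed 's/^/PostUp = /')
$(firewall_rules | sed 's/ -A / -D /; s/^/PostDown = /')

[Peer]
PublicKey = $2
AllowedIPs = $WG_PEER_IP/32
EOF
}

# render_peer_conf PEER_PRIVATE_KEY SERVER_PUBLIC_KEY ENDPOINT_HOST
# AllowedIPs 0.0.0.0/0 plus ::/0 sends everything into the tunnel; listing
# ::/0 even without an IPv6 tunnel address keeps IPv6 traffic (and IPv6
# DNS) from bypassing the VPN and the Pi-hole.
render_peer_conf() {
  cat <<EOF
[Interface]
Address = $WG_PEER_IP/32
PrivateKey = $1
DNS = $WG_SERVER_IP

[Peer]
PublicKey = $2
Endpoint = $3:$WG_PORT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Generate real keys only where wg(8) exists; otherwise show the shape with
# placeholder keys. Redirect the output into files created under umask 077.
if command -v wg >/dev/null 2>&1; then
  umask 077
  SERVER_PRIV=$(wg genkey); SERVER_PUB=$(printf '%s' "$SERVER_PRIV" | wg pubkey)
  PEER_PRIV=$(wg genkey);   PEER_PUB=$(printf '%s' "$PEER_PRIV" | wg pubkey)
  render_server_conf "$SERVER_PRIV" "$PEER_PUB"
  echo
  render_peer_conf "$PEER_PRIV" "$SERVER_PUB" vpn.example.com
else
  echo "wg not installed; rendering with placeholder keys" >&2
  render_server_conf SERVER_PRIVATE_KEY_PLACEHOLDER PEER_PUBLIC_KEY_PLACEHOLDER
fi
```

Two checks worth doing after `wg-quick up wg0`: from a machine outside the tunnel, `dig @<vps-public-ip> example.com` should time out rather than answer, and from a connected peer `dig @10.8.0.1 example.com` should be answered and show up in the Pi-hole query log. Pi-hole's own "interface listening behaviour" setting must not be left at "listen only on eth0", or queries arriving on wg0 are ignored regardless of the firewall; let the INPUT rules above, not that setting, control public exposure.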

------
iDemonix
I set up PiHole and removed it about 2-3 days later. UBlock Origin is perfect
for laptops, but I wanted to see if it'd block YouTube ads and similar on my
Smart TV and mobile devices - it didn't. If anything it just caused me grief
by interfering with non-ad web services, so I canned it and everything started
working again.

I need UBlock Origin as a remote proxy.

~~~
crankylinuxuser
> it'd block YouTube ads and similar on my Smart TV and mobile devices - it
> didn't

That's because you need to tell DHCP to use the pihole's address as primary DNS.

~~~
Nas808
Even if you do that, there are some devices (Chromecast, Google Home) that have
Google's DNS hardcoded and ignore the servers passed by DHCP.

~~~
sgroppino
What happens if you set your firewall to block 8.8.8.8 and 8.8.4.4?

~~~
amaccuish
You can use an iptables rule on your router to rewrite the address to your
custom server, which I have done specifically because Google devices were
ignoring DHCP.

Something like...

# nat/PREROUTING catches DNS forwarded from LAN devices; nat/OUTPUT would
# only match queries the router itself generates
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to x.x.x.x:53

...should work, and repeat for tcp
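As an added example of the redirect just described (my own script, not amaccuish's rule or anything from the Pi-hole project), for a Linux router with a hypothetical LAN bridge br-lan and a Pi-hole at 192.168.1.2. Three details matter in practice: the rules go in nat/PREROUTING because nat/OUTPUT only sees packets the router itself generates; the Pi-hole's own upstream queries are exempted so they are not looped back to it; and when the Pi-hole sits on the same LAN as the client, the hairpin MASQUERADE is needed so its answer returns through the router, otherwise the client asked 8.8.8.8 and receives a reply from 192.168.1.2, which it discards.

```shell
#!/bin/sh
# Added example, not from the page. Redirect every plain-DNS query leaving
# the LAN to the Pi-hole, for devices that ignore the DHCP-supplied resolver.
# Hypothetical values: LAN bridge br-lan, Pi-hole at 192.168.1.2.
set -eu

# dns_redirect_rules LAN_IF PIHOLE_IP  -> prints iptables commands, one per line
dns_redirect_rules() {
  lan_if=$1
  pihole=$2
  for proto in udp tcp; do
    # PREROUTING sees forwarded LAN traffic; OUTPUT would only catch the
    # router's own lookups. "! -s" keeps the Pi-hole's upstream queries
    # from being DNATed back to itself.
    echo "iptables -t nat -A PREROUTING -i $lan_if ! -s $pihole -p $proto --dport 53 -j DNAT --to-destination $pihole:53"
    # Hairpin NAT: the Pi-hole is on the same segment as the client, so its
    # reply must go back via the router (with the router as source) or the
    # client sees an answer from the wrong address and drops it.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -d $pihole -p $proto --dport 53 -j MASQUERADE"
  done
  # Optional: refuse DNS-over-TLS so clients in opportunistic mode (Android
  # "Private DNS: automatic") fall back to the redirected plain-DNS path
  # instead of bypassing the Pi-hole. Remove it if you run your own DoT
  # listener for the LAN.
  echo "iptables -A FORWARD -i $lan_if -p tcp --dport 853 -j REJECT --reject-with tcp-reset"
}

# Dry run by default so the rule set can be reviewed; pass --apply on the
# router to load it (sh -e stops at the first iptables error).
if [ "${1:-}" = "--apply" ]; then
  dns_redirect_rules br-lan 192.168.1.2 | sh -e
else
  dns_redirect_rules br-lan 192.168.1.2
fi
```

To confirm it works, run `dig @8.8.8.8 doubleclick.net` from a LAN client: the answer should be the Pi-hole's blocked response and the query should appear in the Pi-hole log attributed to that client, not to the router.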

------
gesman
Does it bypass "Please unblock or you won't see any content" type of web
behaviors?

------
a012
I'm using this setup as well (I have Ansible to do it), but some websites
that use the Akamai CDN will block you if your exit IP is from well-known
networks like VPN providers, AWS, DO, etc.

~~~
intopieces
Yes this has been my trouble as well, to the point that sometimes I switch off
the VPN with piHole and just rely on a commercial VPN that rolls IPs +
adblocker software for those occasions. Imperfect, and expensive comparatively.

~~~
yjftsjthsd-h
I'm surprised that commercial VPNs don't offer an ad blocking option; from
their perspective, it's not only a great feature to market, but it reduces
their bandwidth costs.

~~~
ridgewell
To be perfectly fair, a good chunk of VPN providers primarily see P2P/bulk
downloading and streaming traffic.

Ordinary web browsing probably isn't a significant part of VPN traffic when
you think about it.

Agree it would reduce bandwidth costs, but there's also a cost to maintaining
such infrastructure.

------
sysashi
Also was hyped about the setup and did Cloudflared + Pihole + Wireguard via
dokku.

Wireguard is super cool. Hoping for an official windows client and then all
the platforms I use are covered :)

------
microcolonel
With a VPN, you also have the option to do IP blocking, though I guess the
blocklists are not as well developed.

------
gesman
Which VPS provider(s) offers the best cost/speed/bandwidth ratios?

