
Secure and Ad-Free Internet Anywhere with Streisand and Pi Hole - markthethomas
https://ifelse.io/2019/01/12/secure-ad-free-internet-anywhere-with-streisand-and-pi-hole/
======
TheCraiggers
>I recently took some time off of work to spend time with family. During that
time I worked on a few side projects like getting our backups in order and
getting a Raspberry Pi 3 running Pi Hole.

I know what the original intent is, but still- I found this quite humorous.

Still, this seems like a very nice noob-friendly guide, and that's a very good
thing when VPNs are concerned.

~~~
markthethomas
hah! I meant "in my free-time" lol but glad you enjoyed!

~~~
NKosmatos
Thanks, nice post. Also enjoyed your write up about backups:
[https://ifelse.io/2018/12/05/better-faster-more-secure-backu...](https://ifelse.io/2018/12/05/better-faster-more-secure-backups-with-restic/)

The funny thing is that I’ve been thinking something similar during Christmas.
I now know that I’m not the only one thinking about taking days off work to
sort out my backups and network :-)

~~~
markthethomas
awesome! glad you enjoyed it :) trying to write up the things I find super
helpful (code-related or not) and share them. especially when I can't find any
good docs on how to get something working lol

------
QuadrupleA
I run a pi-hole equivalent on a Raspberry Pi at home (dnsmasq with pi-hole's
block lists). One word of warning, its list tends toward over-zealous,
blocking sites / links you might want (e.g. Google Shopping links). You can
add manual domain exceptions but it's tedious and takes a long time to restart
dnsmasq due to the enormous list size and the RPI's relatively slow
performance.

Blocker extensions are nice because you can selectively disable them or open
an incognito tab in cases when you need to bypass the list. Easier than
temporarily changing your DNS server to 1.1.1.1, etc.

Still, nice to have automatic adblocking for all devices in the house.

~~~
gnicholas
I had the same problem with overzealous blocking. I had to disable temporarily
about once per day, and my wife found it bothersome also (especially because
she didn't know how to manually disable it). We turned it off last month and
I've just been using Brave instead. Works great on my MBP (fan doesn't run
nearly as much as with FF & Chrome), though of course our mobile devices
aren't protected anymore.

If anyone has a good solution for the overprotectiveness of the Pi-Hole, I'd
love to hear it!

~~~
NoPicklez
Isn't the overprotectiveness of Pi-Hole in relation to the blocklists, not
Pi-Hole itself? I'd suggest finding different blocklists.

There is one particular website that is extremely popular, I can't remember
what it is now but it has blocklists showing which are likely to cause false
positives.

~~~
Method-X
[https://firebog.net/](https://firebog.net/)

Only add the ones with a checkmark.

------
rinchik
Pihole is great! Great revelation was that over 50% of the requests generated
by devices in my network are "malicious", ad or tracking related.

The greatest offenders were phone apps and roku TV. Also roku tv scans your
HDMI data stream (if you connect your laptop to the Roku TV) which is purely
evil!

Also worth noting that to have pi-hole recognize and block over 50% of the
requests, constant gravity updates are required (I have over 3.5M unique
domains in the block-list).

Also get a VPN for your phone. All traffic on my iPhone goes through pi-hole
(check the OpenVPN and DNS Override iPhone apps in the store).

~~~
bytematic
I have 2 roku tvs and my live pi-hole blocking log is just a relentless spam
from their servers.

~~~
rcates
Yeah I'm in the same boat even with just one roku

------
DyslexicAtheist
how about a 3-pronged approach:

    1) pi-hole
    2) Steve Black's hosts file
    3) ublock origin

    3 = most conservative filtering configuration that can easily be tweaked from the browser
    2 = use modules (-e gambling -e porn etc)
    1 = most basic blocking configuration

this way you don't have to do much fidgeting on the router. this comes at a
tradeoff for putting some of the burden on the hosts #2 & #3 but with the
advantage of better usability for non-tech users.

protip: if you can live with not accessing unicode domains at all
(countermeasure to avoid domain squatters and some phishermen) patch[1] your
dnsmasq and add this in dnsmasq.conf:

    address=/:xn--*:/0.0.0.0

[1] [https://github.com/spacedingo/dnsmasq-regexp_2.76.git](https://github.com/spacedingo/dnsmasq-regexp_2.76.git)

EDIT: for mobile I used to have a VPS running openvpn. Make Android connect to
the vpn by default, routing all traffic through it. Run something like
opensnitch[1] to MiTM and whitelist the mobile traffic and sinkhole shit you
want to get rid of. This isn't for the fainthearted since new versions of
apps might make different API calls and break your rules. Apps will just stop
working. If you only have 2 or 3 apps and want to kill traffic from built-in
carrier spyware it works nicely and is well worth the effort. Nice way to
study what your device does.
[https://github.com/evilsocket/opensnitch](https://github.com/evilsocket/opensnitch)
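As an added example (not code from the comment above or from the dnsmasq regexp patch), a small Python audit of constructed Pi-hole-style query log lines that mirrors what the `address=/:xn--*:/0.0.0.0` rule would sinkhole, assuming the rule matches any label carrying the IDNA `xn--` prefix. It also decodes the punycode so the tradeoff the comment mentions is visible: a legitimate IDN such as münchen.de is answered with 0.0.0.0 just like a homoglyph lookalike.

```python
import re

# Constructed sample lines in the shape of dnsmasq/Pi-hole query logging
# ("<time> dnsmasq[pid]: query[TYPE] <name> from <client>"); the names,
# clients and timestamps are made up for this example.
SAMPLE_LOG = """\
Jan 12 10:01:02 dnsmasq[512]: query[A] www.example.com from 192.168.1.20
Jan 12 10:01:05 dnsmasq[512]: query[A] xn--mnchen-3ya.de from 192.168.1.21
Jan 12 10:01:09 dnsmasq[512]: query[A] login.xn--80ak6aa92e.com from 192.168.1.22
Jan 12 10:01:11 dnsmasq[512]: query[AAAA] cdn.example.net from 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_sinkholed(name: str) -> bool:
    """Assumed semantics of address=/:xn--*:/0.0.0.0 from the regexp patch:
    any label beginning with the ACE prefix 'xn--' is answered with 0.0.0.0.
    Note this catches legitimate IDNs (muenchen.de) as well as lookalikes."""
    return any(label.lower().startswith("xn--") for label in name.split("."))


def unicode_form(name: str) -> str:
    """Decode punycode labels so a log reviewer sees the name as rendered to
    the user; names that fail the IDNA round-trip are left as-is."""
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name


def audit_queries(log_text: str) -> list:
    """Parse query log lines and annotate each with its decoded form and
    whether the xn-- sinkhole rule would have blocked it."""
    results = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (replies, reloads, etc.)
        name = m.group("name")
        results.append({
            "client": m.group("client"),
            "qtype": m.group("qtype"),
            "name": name,
            "unicode": unicode_form(name),
            "sinkholed": is_sinkholed(name),
        })
    return results


if __name__ == "__main__":
    for row in audit_queries(SAMPLE_LOG):
        verdict = "SINKHOLE" if row["sinkholed"] else "pass"
        print(f'{verdict:9} {row["client"]:15} {row["name"]} -> {row["unicode"]}')
```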

~~~
driverdan
I agree this is the best setup. Locally using uBlock Origin and Steve Black's
hosts file is all you really need for a computer but doesn't protect devices
which aren't as configurable (eg Roku, gaming systems, phones). By using all
three you maximize your protection on your local network and also on your
computer when outside that network.

------
danvittegleo
For those that prefer algo, there is an open issue to add Pi-Hole
([https://github.com/trailofbits/algo/issues/1258](https://github.com/trailofbits/algo/issues/1258))
and in my fork I've added Pi-Hole support:
[https://github.com/dan-v/algo](https://github.com/dan-v/algo). It's a really
nice setup especially on mobile devices where you typically have to choose
between using a VPN or using adblock as they typically require a local VPN
hack to function.

~~~
TimTheTinker
Algo user here -- it's really great for ISP-oriented privacy protection. I
have a $5/month droplet running Algo in DigitalOcean, and an auto-on mobile
config on my iPhone that uses it when I'm not on WiFi.

I also set up my home pfSense router to route all traffic through it (via an
IPSec/IKEv2 tunnel). This works great, except when we're using Netflix or
Amazon video -- I have to turn it off since those services block DigitalOcean
IPs. Still haven't figured out how to configure the pfSense tunnel to route
requests to those services through my ISP instead.

------
Fnoord
This is a great initiative!

I'm using a similar setup. I have my ISP's router in bridge mode, an ERLite‑3
router by Ubiquiti, and a NAS server by Synology. It could've been a router by
PC Engines, a Router7, an unRAID, or a Pi too. Ever since I got the Synology
NAS (which can run Docker) my Pi is gathering dust.

The NAS runs Docker and uses PiHole(dnsmasq)/Unbound to take the main traffic.
The ERLite‑3 router is second choice and uses PiHole/Unbound as well. The
setup provides redundancy. All DNS traffic not generated by the router and not
coming from the NAS is redirected to the NAS. Both PiHoles have each other as
redundant server as well. Both utilize Quad9's DNSSEC servers with DNS over
TLS [1]. Though I suppose ideally you want DNSCrypt [2], this should also be
possible with Quad9. The advantage is that this is going to work on any client. Since
the ERLite‑3 allows WireGuard (and only that; no OpenVPN or OpenSSH or
anything) clients such as my smartphone or laptop have secure and ad-free
internet. Since I'm also using Quad9's blocklist, things such as porn are also
blocked. The only caveat is that these clients have access to my LAN. While
that's intentional, it increases the attack surface of my devices. I shouldn't
trust my wife's devices on the LAN remotely. Then again, all internal LAN
services are behind strong passwords.

[1] [https://www.quad9.net/faq/](https://www.quad9.net/faq/)

[2] [https://dnscrypt.info/faq](https://dnscrypt.info/faq)

~~~
wil421
Do you lose any bandwidth in bridge mode? I’m about to buy a new Ubiquiti Edge
router and a few APs.

With AT&T I can’t do a true bridge mode or use my own modem. Their gateway has
to do the authentication to the network and I’m stuck with it if I want
gigabit fiber. People on dslreports lost a good bit of bandwidth on a gigabit
connection writing rules on the edge router to authenticate back through the
gateway.

~~~
anjbe
Reportedly you can max out gigabit AT&T even if you proxy the authentication
bits through the router:
[https://www.reddit.com/r/openbsd/comments/aaz2rf/openbsd_rou...](https://www.reddit.com/r/openbsd/comments/aaz2rf/openbsd_router_directly_connected_to_isp/ecwd2a1/)

~~~
wil421
Fantastic. It’s only 15 days old too.

------
cyberpip
Pihole and Pivpn on Google Cloud Platform free tier is working great for me:
[https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compu...](https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs)

~~~
intopieces
Do you have any privacy concerns about using Google for this kind of service?
Serious question.

~~~
RajanNPatel
Author of that guide chiming in! None; Google Cloud Services is not a consumer
offering. The monetization approach is different from the model wherein you
give up privacy in exchange for a service. More info at:
[https://cloud.google.com/security/](https://cloud.google.com/security/)

------
leetbulb
For those running pfSense: pfBlockerNG is a great package. It allows for IP
and DNS based block lists. Between that and the built in OpenVPN server, I
have ad (and other malicious traffic) blocking even while remote. Pretty crazy
how much it catches on both levels.

------
ben1040
The one thing to keep in mind about running a VPN on AWS is that some services
just block whole AWS net blocks to stop scrapers.

For instance I used to run a VPN on a free tier micro instance, and I remember
not being able to hit Yelp or StackOverflow from a VPN.

~~~
trowawee
Yeah, this is a big problem. I set up a Streisand instance last year just to
play around with, and while the set-up was pleasantly simple and the results
were great as far as the VPN functionality, it shut down Netflix entirely for
me. Definitely a deal-breaker.

~~~
markthethomas
interesting! Haven't had any issues w/ netflix yet; wondering if it's an
eventually-consistent thing or a static config on their part (i.e. will I
eventually get blocked? not sure lol)

~~~
trowawee
From the stuff I was reading/folks I was chatting with when I ran into the
problem, it sounds like restarting your instance could sometimes fix it - I
assume Netflix is basically playing whack-a-mole with AWS-based scrapers.

------
nsporillo
I just set up the Pi Hole yesterday on the raspberry pi I had sitting on my
shelf and I must say it is a god send.

The bonus is my girlfriend noticed the coloring app on iOS she uses doesn't
have banner ads and after she's done with a picture, there are no longer popup
advertisements.

I only had to make one whitelist so far and it was graph.instagram.com;
otherwise the app completely doesn't work.

~~~
n1c
I've noticed tons of blocked requests to graph.instagram.com but no side
effects, why did you need to whitelist it?

------
unstatusthequo
Streisand is good for having options to get out of restrictive networks. I
would argue AlgoVPN might be a better mix for day to day use.

------
tyfon
I have basically the same implementation except it's running on my dedicated
openbsd router using openvpn/unbound/pf and scripts. It doesn't support
wireguard though but openvpn should be equivalent? I know the wireguard
developers claim it's more secure, however I think a properly secured openvpn
with certificate based authentication both ways should be fine for a home
setup.

For the lazy, someone other than me made scripts for both a pi-hole (dns)
setup[1] and a pf (firewall) setup[2] to block on the network level too.

The scripts themselves are very easy to read and vet for bad stuff.

[1] [https://geoghegan.ca/unbound-adblock.html](https://geoghegan.ca/unbound-adblock.html)

[2] [https://geoghegan.ca/pfbadhost.html](https://geoghegan.ca/pfbadhost.html)

~~~
DyslexicAtheist
The main selling point of wireguard is elimination of insecure ciphers and
less chance of shooting yourself in the foot with configuration. the protocol
is more lightweight too. openbsd has a port btw:

[https://marc.info/?l=openbsd-ports&m=152712417729497](https://marc.info/?l=openbsd-ports&m=152712417729497)

~~~
tyfon
Yeah I know it's supposed to be more efficient too.

But thanks for the link to the openbsd port, I'll definitely look into that!
For some reason I thought it was only implemented as a linux kernel module.

------
_underfl0w_
I've heard nothing but praise for PiHole setups, though I personally have an
AdBlock service on my router.

If you're running OpenWRT, you can install adblock via opkg and there's even a
LuCI extension for the web interface.

This blocks the majority of ads on my Roku TV, though YouTube is almost
impossible.

------
pimlottc
What do the failure cases look like with Pi Hole? E.g. broken websites,
missing (legitimate) content, apps that crash when they can reach their ad
server?

And what kind of workarounds/remediations are available to deal with this,
ideally in a user-friendly way for non-technical users?

~~~
slenk
It really comes down to how many sites you block. It comes with some default
blocklists, but wally3k hosts a site that tells you the status of different
blocklists: [https://firebog.net/](https://firebog.net/)

As for what is seen when a site fails - well, it could vary. If a JS file
fails to load, the site will either look bad or not load at all. And yeah, some
apps may have issues, but pihole comes with a built in query log so you can
see which devices just made which DNS queries, along with an easy-to-click
whitelist button.

There are different blocking modes you can choose from that return different
response codes, so you can choose what works best for your environment:
[https://docs.pi-hole.net/ftldns/blockingmode/](https://docs.pi-hole.net/ftldns/blockingmode/)

I would recommend checking out the pihole discourse ([https://discourse.pi-hole.net/](https://discourse.pi-hole.net/))
or subreddit. The community is very active.

~~~
pimlottc
Thanks for the links, I’ll check those out! Sounds like it’s pretty well
thought-out.

~~~
slenk
I suppose I should make it known that I am a patreon supporter. I may be a
superfan but I love what that team is doing.

------
cmurf
I'm running pihole in a Docker container on an Intel NUC, performance is
great. Client (browser) performance has also improved remarkably. One problem
is getting ipv6 working between host, container and the outside world is
non-trivial and non-obvious compared to ipv4 - I still haven't figured it out.

Typically you go into your router's DHCP settings and populate DNS with
the pihole DNS, or disable DHCP on your router and let pihole do DHCP. The
gotcha is if you have an ISP supplied router which has no DHCP interface at
all: no way to disable it, no way to customize DNS. All of Xfinity's hardware
now does this for residential, you have to pay for business service to set DNS
servers.

~~~
stordoff
> The gotcha is if you have an ISP supplied router which has no DHCP interface
> at all: no way to disable it, no way to customize DNS.

The way I get around this is by putting all of my devices behind another
router, and treating the ISP router as if it is part of an external network.
It introduces a second layer of NAT (ISP router gives my router a 192.168.0.x
address, which it treats as its WAN IP; devices get a 192.168.1.x address),
but in practice it's caused me no problems. I've been running a similar setup
for close to a decade now.

~~~
cmurf
And IPv6 then becomes an even more confusing clusterfk than it already is.

------
grepthisab
Looks like we're running Streisand as a VPN in AWS, and pihole at home on a
Raspberry Pi. Why not just run PiHole on the AWS instance alongside streisand
and save on the added complexity?

~~~
garettmd
I think he actually had pi-hole running on his AWS instance as well. He
mentioned using the "connect" button in the AWS console during the pi-hole
setup portion.

~~~
markthethomas
ah sorry if that's not clear; I started by running Pi Hole on my RBP, then
added it to a VPN setup. Nice to have it running at home to block our other
devices though

------
brookhaven_dude
Has anyone got it working with YouTube on Apple TV yet?

~~~
rhexs
Wouldn't you need some sort of intercepting MITM HTTPS proxy to be able to
inspect the traffic for ad content? Thought Google was using https and legit
domains to drive ads instead of just doing lookups to youtube-ads.google.com
etc.

Presumably you'd need a way to inject a cert into the Apple TVs trust store as
well, and I'm unclear if that is possible. Perhaps with a developer license?

~~~
wogg
This is network level, and it's taking the name lookups, which are done before
picking the connecting endpoints, so SSL doesn't matter. It's not rewriting
the stream, it's just saying, someone is trying to get an endpoint at this
particular name and I am going to give it a different IP than the "world"
would. Nothing of that is happening inside the https link. E.g., you get
[https://whatever.com/whateverelse..](https://whatever.com/whateverelse..). It
will see the DNS lookup for whatever.com regardless of protocol.

~~~
stordoff
I believe rhexs's point is that it's using the same domains for video data and
ad data - i.e. you're seeing hxxps://youtube.com/video_data,
hxxps://youtube.com/ad_data, hxxps://youtube.com/video_data..., so filtering
at the DNS level doesn't work.

------
ajmarsh
I would be willing to pay a decent premium to be able to buy a replacement
cable modem with this built in. Cool project.

------
tlrobinson
> I even started noticing some network calls our ISP appears to be making

I'm curious what this means. AFAIK the only way your ISP could make network
requests that appear in Pi Hole is if they're running some kind of software
within your network.

~~~
nickik
ISPs control your router; if you set your DNS on the router to your PiHole, the
router might do requests for all kinds of reasons.

~~~
tlrobinson
True for most people, I suppose, but my ISP certainly doesn't control _my_
router.

~~~
glitchc
I think the OP means modem plus router combo that most ISPs offer. The modem
is most definitely patched OTA, has been true for most modems since DOCSIS 3.0
was introduced.

~~~
tlrobinson
Yeah I get it. I always run my own router behind the modem provided by the
ISP, if any, so there's no way my ISP would be able to make requests that Pi
Hole would see.

~~~
glitchc
Because the ISP is upstream, it could potentially reject all DNS queries from
your router or supplant the IP within the DNS query with its own IP.

~~~
tlrobinson
Sure, but that wouldn't show up in Pi Hole.

------
berbec
With all the people running piholes at home, could a subscription pihole
service work? A small vps could run with authentication of some sort
(mac-whitelisting seems simple and easy to implement). Allow customization of
blocklists per MAC.

~~~
whiskeykilo
That just sounds like AdGuard. Plenty of consumer routers offer VPN server
capability for free. That combined with DuckDNS or a similar free service
would be a better option I think.

------
meuk
I recently set up a RPi with Pi-hole, only to find out that my ISP gave me a
router that prevents you from using another DNS server.

I can still use the Pi-hole, but I have to set up the DNS manually for every
device. Quite a pain in the ass.

~~~
ensignavenger
Pi-hole can be used as your dhcp server too, if you can disable the ISP
router's DHCP service.

[https://discourse.pi-hole.net/t/how-do-i-use-pi-holes-built-...](https://discourse.pi-hole.net/t/how-do-i-use-pi-holes-built-in-dhcp-server-and-why-would-i-want-to/3026)

------
fonosip
For a Managed Service of this try
[https://ba.net/adblockvpn](https://ba.net/adblockvpn)

Disclosure: I work at ba.net

~~~
dinedal
The problem is simple, trust. How can we trust that you're not going to be
skimming data going through the VPN, MITM attacks, etc?

There's not even a privacy policy on that page, no indication where your
servers are hosted or what laws they are subject to.

~~~
fonosip
For the business solution we set up the servers, and give you the root password
(for you to change). We use DO or AWS.

TOS is here
[https://ba.net/adblockvpn/privacy1.html](https://ba.net/adblockvpn/privacy1.html)

------
equalunique
Personally I like to use OpenBSD for IPSec VPN, but I like to see guides like
this that present a solution for a wider set of problems.

------
arbie
Why not AdGuard DNS?

It has worked well for my home network for months and requires a single
one-time configuration (change DNS settings on router).

~~~
ape4
Then you have to trust them.

------
ape4
I would just like something that blocked Facebook and all its many services.
(sign-in, ads, etc)

------
jackallis
How user friendly is this for noobs who have no experience in networking?

~~~
aklemm
We can surmise no grandmas are using "Pi Hole" on the daily.

~~~
jackallis
what about grandsons?

~~~
aklemm
Haha, I don't really know but the name cracks me up. You should take a shot at
it and then report back any problems you hit so they can improve it for n00bs.

