WireGuard as VPN Server on Kubernetes with AdBlocking (codingcoffee.dev)
113 points by coding_coffee on July 12, 2020 | 37 comments

This writeup uses AdGuard for ad blocking, specifically "AdGuard Home". The "How to setup?" link from their homepage pointing to their github repo says that you accept a EULA[0] on clicking the link. The EULA seems to directly contradict their repo GPLv3 license. [1]

[0] https://adguard.com/en/eula.html [1] https://github.com/AdguardTeam/AdGuardHome/blob/master/LICEN...

For people using network level ad blocking, do you ever run into annoyances where there's a site you want to access and just can't? Mostly links that route through an analytics network. First time you click on a twitter link for example, or some referrer store links. And once you're stuck, there's normally nothing you can do. At least on the browser I can temporarily turn off an extension, but I've found that network level blockers get in the way sometimes.

This is why I don't run pihole or NextDNS at the network level anymore; my wife had too many annoyances with Slickdeals and other things. Whitelists covered most but not everything.

> my wife had too many annoyances with Slickdeals and other things.

Running the browser remotely is one way. I usually abuse archive.is or brow.sh or startpage's anonymous browsing to that effect. Cloudflare bought a startup in the space...let's see what they come up with for the consumers: https://techstartups.com/2020/01/07/cloudflare-buys-remote-b...

Maybe NextDNS and others, through their in-browser plugin, can optionally follow the redirects (remotely) to find if the eventual destination is not blacklisted (but that's too much of an ask since following HTTP redirects is different from DNS CNAMEs).

NextDNS will soon have a solution to auto-follow tracking links and allow some blocked domains temporarily from the blockpage. Just make sure you install the root CA on all devices.

pihole has an API to disable adblocking, which is just an HTTP request so it's pretty easy to trigger. For example, on iOS, write a shortcut so that you can "Hey Siri, disable pihole".

I gave her a shortcut that disabled Pihole via ssh but it was still annoying for her. I don't mind just running it on my devices. I pay for YouTube premium and other things already anyway.

When family members complain, I just configure their device to use for DNS with a static DHCP reservation.

There's an android app I use, called FlutterHole, that gives you a one-click way to temporarily disable the PiHole block. Under the covers it's using an API call.

AdGuard Home allows you to whitelist domains, and provides an interface to unblock blocked DNS queries directly from the logs.

If you run fancy enough network gear, you can run several SSIDs on different vlans and route them separately.

I think AdGuard and AdGuard Home are two different products? And so different licensing models.

EULAs and T&Cs should have a layperson-readable maximum character limit.

I believe that Kubernetes is artificially injected into your setup. You can just run your DNS server on the server and advertise it on the VPN address. You can still address it from anywhere in the VPN.

But then it wouldn't have made the first page

I did not downvote you but, serious question: is there a need for this kind of snark?

I understand the point that running a kubernetes cluster just for this would probably be hard to justify. But, if you deploy your services to kubernetes already, then this is a nice guide to do so, isn't it?

I find it hard to understand this attitude, especially in a forum dedicated to talking about technology.

But maybe, like in any social network, there is a bias in what is put on the front page. And if you have an interesting project, you might want to add an extra layer of complexity and use Kubernetes in order to gain more visibility.

Well, making things intentionally difficult sounds really stupid, but you learn a whole lot in the process, and for a side project geared towards gaining knowledge, this seemed perfect :) And in the process of setting this up I figured out a new way to debug my deployments for remote k8s clusters, using kilo. Also, side note: yes, I actually do host a couple other things on my cluster including my blog, so I didn't really want to spin up a new instance just for DNS and VPN.

It's also an example of a project where you can learn more about a platform. Yes, it could be run outside of k8s, but perhaps the author wanted to add the extra layer of "difficulty".

Never thought of that. But OP maybe liked tinkering with k3s and kilo. But I believe kilo's best use is for cluster to cluster connection. This use case is a bit artificial in my opinion.

How do you run the server? Create a packer image? Init scripts (or something similar)? Keep track of whether it’s up or not?

For developers who have grown up with containers, kubernetes offers the simplest, most familiar way to deploy a service.

I recently had to set up a Factorio server. The official guide mentions downloading the binary and using init scripts to get it running. I tried to debug obscure issues with the binary for a few hours before getting fed up and looking for a containerized image; once I found that, it was super easy to start one locally. GCP offers a "container on VM" feature which I then used to deploy the thing in minutes. The experience felt so easy.

Notice that I did not use kubernetes, just something that can run containers. But if I had more apps to run, most likely I would set up one.

A wise soul once wrote:

"You have a problem. You use Kubernetes to solve your problem. Now you have 8 problems."

Kubernetes is a godsend and it solves way more problems than it creates. But I just believe that this simple use case is overkill. OP just wanted a remote DNS server that is addressable within the VPN. You don't really need Kubernetes or Kilo for that.

While it seems like overkill to set up a kubernetes cluster for this, and honestly, most things...

But if you already have one spooled up, this is a valuable guide to throw it onto that infrastructure.

Sure you can write a lengthy article to describe how to configure all the apps and servers manually. But with Kubernetes, you only need to throw some YAMLs in there and call it a day.

I don't think "using Kubernetes for running VPN and adblocking servers" is overkill. With k3s, you can deploy a Kubernetes cluster on a raspberry pi in one command. Anything that can run on raspberry pi in one command just can't be overkill in my opinion.

It's not artificially injected into my setup. I already host my blog and a couple other services on my k3s setup, and I didn't want to boot up another server just to serve as a VPN and DNS.

Algo [1] is a great option for a personal VPN, and it supports WireGuard + ad blocking. I really don't understand why you would want to use k8s for something like this unless it is just a pet project.

[1] https://github.com/trailofbits/algo

I have a hard time understanding why people use these small script bundles on top of wireguard. The VPN use case is the best documented one, with a large number of guides, and the configuration is very simple.

Because it sets up everything in your VPS as well.

Getting to the front page? Just Wireguard often will, as will just Kubernetes, but combining the two is a guarantee.

I tried this setup for the first time recently (Algo and a Digital Ocean droplet) when traveling and can confirm it was excellent. In particular, you get a surprisingly polished UX for setting everything up in addition to all the usual benefits of WireGuard.

Can confirm Algo works great. Easy to set up the VPN while still having the benefits of leveraging Wireguard.

Not OP, but maybe it makes sense if you already deploy a set of applications or services on K8s.

Great unless you want to use it as a VPN to watch Hulu from abroad haha. They require you to use a set of specific providers, which are all blocked by Hulu.

I ended up using OpenVPN on a home raspberry pi, but I want to figure out how to deploy IPSec or ZeroTier rather than OpenVPN.

Looks like the author is using Android. Why not just use AdGuard Home as a DNS-over-TLS server (which is supported on Android P and above)? What's the benefit of plaintext DNS over VPN compared to DNS-over-TLS?

Cool, but you can avoid half this setup with Tailscale for free...

Yes, you can avoid that open source setup for a buggy and even slower userspace wireguard commercial implementation for only $10/month per user.
