These are my install notes for creating a virtual private server (VPS; Amazon AWS EC2 free tier) with PiHole, PiVPN (WireGuard), and unbound on the VPS to connect to my clients (phone, laptop, family's devices, etc.). I’m able to connect to PiVPN with the WireGuard profile that I generated (e.g., for my phone), and access my PiHole admin page. Split-tunnelling is used to route only the DNS (vs. all data) for speed and to save bandwidth on the free tier.
- This setup lets you run PiHole, from anywhere, for free without needing any hardware
- Basically, you'll be setting up PiHole on a virtual private server (VPS), connecting to your virtual PiHole using a VPN called PiVPN.
- This setup forces your devices to use only the DNS provided by the PiVPN connection (i.e., the PiHole; this is called a split-tunnel), not your full data (i.e., full tunnel). This makes it fast/light and keeps it free.
- This setup uses WireGuard to connect to your PiVPN (and PiHole) which makes it fairly easy to add to devices.
- I used a free tier of Amazon Web Services [AWS] but this should work on whatever ones you choose (e.g., Google, etc.)
- You can then keep connected to PiHole from any devices (e.g., laptop, phone, etc.), from anywhere (i.e., not just on your home network)
- It's relatively easy to do yourself, and since it's all done manually (vs., a script) you can learn a bit as you go!
- update: added unbound recursive DNS server for safety/privacy!
- Create an AWS account
- Go to EC2, click launch instance, select “free tier” and choose Ubuntu (I picked 20.04)
- Manually configure, and click through each step until you get to Security groups, and add the following: Custom UDP, Port Range: 51820, Source: 0.0.0.0/0, and Description: Wireguard
- Download your new keypair and save it to .ssh (on mac, I created a folder called .ssh in my main user folder). I called mine PiVPNHOLE
- In your EC2 terminal, note your PublicDNS (IPv4), it’ll look like: ec2-###.location.com, I call this [your host] below
- Click Elastic IP to create an Elastic IP, then click actions and associate, and associate the Elastic IP to your new server
Note: If you are planning to use this as a VPN (no split tunnelling), use Lightsail. AWS has a £0.12 / GB cost on outbound transfers. This means that if you use 1 TB / month, you'll spend £120. If you use Lightsail, the £3.50 tier gets you 1 TB / month, which saves you £116.50.
ssh -i /Users/[your user]/.ssh/PiVPNHOLE.pem ubuntu@[your host]
curl -sSL https://install.pi-hole.net | bash
- Take note of your PiHole's web interface IP and the password
curl -L https://install.pivpn.io | bash
pivpn add -n [config name]
- where [config name] is a unique name for each of your devices (e.g., mphone, mlaptop). You can repeat this step for as many devices as you want to connect to your Pi-hole.
sudo nano /etc/wireguard/configs/[config name].conf
- Change AllowedIPs from "0.0.0.0/0, ::0" to "[PiHole IP address]/32, [DNS IP]/32".
- The [DNS IP] is listed under [Interface] in the config and is 10.6.0.1/32 by default.
- Note: split-tunnelling routes only the DNS (i.e., PiHole ad-blocking) through your VPN, not all of your data, which saves bandwidth and keeps you on the free tier.
- You'll need to repeat this for each [config name] you created in step 5.
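The AllowedIPs edit above, scripted so it can be repeated for each profile. This is an added example, not part of the original notes or of PiVPN; `split_tunnel` and `make_sample_conf` are hypothetical helper names, and the sample config, endpoint and PiHole IP are constructed.

```shell
#!/bin/sh
# split_tunnel <client.conf> <PiHole IP>: hypothetical helper, not a pivpn command.
split_tunnel() {
    conf=$1; pihole_ip=$2
    # The DNS IP is the first address on the "DNS = ..." line of [Interface].
    dns_ip=$(awk -F'[=,]' '/^[ \t]*DNS[ \t]*=/ {
        gsub(/[ \t]/, "", $2); print $2; exit }' "$conf")
    if [ -z "$pihole_ip" ] || [ -z "$dns_ip" ]; then
        echo "split_tunnel: no PiHole IP given or no DNS line in $conf" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*AllowedIPs[[:space:]]*=' "$conf"; then
        echo "split_tunnel: no AllowedIPs line in $conf" >&2
        return 1
    fi
    # Do not list the same /32 twice when PiHole and DNS share one address.
    allowed="$pihole_ip/32"
    [ "$pihole_ip" = "$dns_ip" ] || allowed="$allowed, $dns_ip/32"
    # The config holds the client's private key; mktemp creates the copy as 0600.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk -v new="$allowed" '
        /^[ \t]*AllowedIPs[ \t]*=/ { print "AllowedIPs = " new; next }
        { print }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample client config (placeholder keys, example endpoint).
make_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY
Endpoint = vps.example.com:51820
AllowedIPs = 0.0.0.0/0, ::0
EOF
}

# Demo on the constructed sample; 172.31.0.10 is a constructed PiHole IP.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/mphone.conf"
split_tunnel "$demo_dir/mphone.conf" 172.31.0.10
grep AllowedIPs "$demo_dir/mphone.conf"
rm -rf "$demo_dir"
```

On the VPS the function would be run with sudo against each /etc/wireguard/configs/[config name].conf, using the PiHole IP you noted earlier.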
pivpn -qr [config name, e.g., mphone]
scp -i /Users/[Your Name]/.ssh/PiVPNHOLE.pem ubuntu@[your host]:~/configs/[config name, e.g., mlaptop] [destination on your computer, e.g., ~/Documents/wireguard]
Here's an example because this can be confusing:
scp -r -i /Users/example/.ssh/PiVPNHOLE.pem ubuntu@[your host]:~/configs/ /Users/example/wireguard
This will download all of your config files to a folder on your computer called wireguard
- Scan your QR code for your mobile devices, and/or install the downloaded configs for your laptop/desktop/other devices, turn them on.
- I set them to "on-demand" meaning it'll always be on
- Go check out your PiHole at the address you saved in Step 2!
- Connect back to your Ubuntu VPS in terminal
- Follow this guide, it's pretty straightforward
- One thing to note, when you get to Configure Unbound instruction, it'll say "/etc/unbound/unbound.conf.d/pi-hole.conf", you actually need to add "sudo nano" to the start of that code in your Terminal to be able to create and paste in the configuration (or else you'll just get an error). Then just copy/paste in the text from the guide and hit save/exit.
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
- Before being able to remotely log in, I had to run the command
chmod 600 /Users/[your name]/.ssh/PiVPNHOLE.pem
- After clicking "generate keys" in PiVPN, you may get
/tmp/setupVars.conf permission denied
- I solved this by deleting that file.
- You may need to run the PiVPN script as sudo. Run with
curl -L https://install.pivpn.io | sudo bash
- Thanks to @SuspectTyrannosaurus for fixing creating user profiles.
- Special thanks to @DasJason for inspiring this project, troubleshooting, and various code tips/tricks.
- Thank you to @afruitpie for helping me figure out split-tunnelling and how to download the configuration files.
- Thanks also to @kryten2k35 for making sure this method of PiHole isn't exposed to the entire world (i.e., double checking port 53 is closed so the DNS isn't public).
- Thanks to @bee-san for troubleshooting tips and solutions