Ads are evil.
Yes, there’s an argument to be made for they’re a necessary evil to keep the
internet (with all its content) afloat. But so many ads are just horrible - they
slow down your web browsing, and they track your movements across the internet.
This is a feature, not a bug. The modern internet has
real-time ads. When a
visitor comes to a site, a bunch of companies will get information on the new
visitor. Bots will then bid for ad space on that page the user is currently
visiting as it is loading for the user.
This entire process means the ad companies need to harvest data about you.
Zappos might not want to advertise to you, unless you have a history of buying
shoes online. That data, your previous browsing habits, is required for the
real-time ad markets to function (as well as being lucrative for other, non-ad
so people have an interest in getting it.
Ad blockers are a simple, effective solution - they speed up your browsing (by
allowing pages to load without all those ads from third-party servers) and they
protect your privacy (by blocking the various tracking websites that build data
on you). But they have a limitation - most ad blockers only work at the browsers
level - they can’t defend you from ads within applications (either on phone or
on PC), nor on locked-down devices, like game consoles.
Pi-Hole is a network-level, DNS (Domain Name System) ad blocker.
Ok, what does that mean?
We’ve talked about DNS before on this blog, but as a quick refresher, when you
enter in the name of a website (like seanzwrites.com), your computer does a DNS
lookup to translate that human-readable address to the numerical IP address of
The Pi-Hole acts as a DNS server on your home network, resolving your computer’s
DNS lookups (and those of other devices on your network). But, when your
computer asks for an known ad service (like doubleclick), the Pi-Hole simply
responds that it couldn’t find it, so the ad is never loaded, the page loads
faster, and the ad tracking networks don’t receive as much information about
To be clear, ad networks have plenty of ways of getting your browsing data, but
we’re at least stopping one of them.
While the Pi-Hole might
not be as effective at blocking ads in browser
as your friendly browser plugin, it can
defend every device on your home network from ads, in every app.
That’s important - that means it blocks ads:
- On your phone (including inside apps)
- On your gaming console
- On all applications on your computer
Better still, it comes with a really nice, friendly, website where you can
view detailed statics about your internet, so if you wanted to know
how much data your internet-connected toaster was sending back to the
manufacturer, it will happily show that to you.
While you can technically run the Pi-Hole software on any device, you’ll
probably want to run it on a Raspberry Pi - the $35 computer.
The pi is cheap, small, silent, and consumes a fraction of the power your desktop
does, which are all important attributes as the Pi-Hole needs to be running 24/7.
OK - so assuming I’ve sold you on the power of network-level ad blocking, here’s
an excellent tutorial at Motherboard on how to setup a Raspberry Pi with
One small caveat for advanced users (newbies please disregard) - you don’t
actually need a mouse/keyboard/monitor to setup your Raspberry Pi - if you are
comfortable with using SSH already, just place a file called
ssh on the SD
you boot the pi, you can ssh in with with username
pi and the password
OK - once you’ve followed that tutorial, you hopefully banished ads from your
home, and there was much rejoicing.
…But what about when you’re not at home?
You’ve setup your Raspberry Pi, you’ve declared victory against the ads in your
house, but you probably go outside sometimes (or, at least, you used to, in the
‘Before COVID’ time). Wouldn’t it be great if you could have your Pi-Hole
shielding you from ads when you’re riding the bus, or in a coffee shop?
You can. We’re going to setup a home VPN (Virtual Private Network). This will
allow us to take advantage of our Pi-Hole setup wherever we are.
Unlike a commercial VPN (something like NordVPN, Private Internet Access, etc),
which is often used for hiding your web browsing history from your ISP, our home VPN will act more
like a corporate VPN - enabling us to access resources on our home network (in
this case, the Pi-Hole) while we’re traveling and not connected to our home
Home VPNs have several nifty uses, like limiting how many devices are exposed to
the internet. For example, internet-connected webcams are a mess to secure -
there were several articles on how burglars have been exploiting
internet-connected cameras to know when you’re not
Placing the cameras on your home VPN enables you to still access them remotely,
without exposing them to the dangers of the open internet.
However, we’re going to be talking about connecting devices to the Pi-Hole. By
connecting to your VPN at home, which is protected by a Pi-Hole, your devices on
the VPN will have access to the same ad-blocking protection, wherever they are.
To do this, we’re going to setup a Wireguard VPN server on the same Raspberry
Pi that’s running the Pi-Hole software, that will let us connect to our home
network wherever we are.
But I like IKE (IPSec)
Ok, time for a technical aside.
There are several VPN technologies out there. The ‘good’ ones
are OpenVPN, IKEv2/IPSec, and Wireguard.
Wireguard is the youngest of the three. However, it’s incredibly-well regarded,
it’s faster than the other two, and it’s far easier to setup, so it’s what I’ll
be talking about in this article. But, you’re probably fine with any of the
three. As long as you don’t use PP2P or L2TP (which are very old and have
security/performance concerns), you’re likely safe.
If you need a VPN protocol that works without installing any software on your
PC, go with IKEv2/IPSec instead. There’s an excellent tutorial on setting up
StrongSwan (the open source IKEv2/IPSec)
and you can easily do this on your Raspberry Pi.
While it’s not really applicable to our home-VPN discussion, you should never
use custom-made VPN protocols (like a special app provided by a commercial VPN
provider). If you are using a commercial VPN, if they’re reputable, they will
give you an option to use OpenVPN or IKEv2/IPSec or Wireguard to connect to
A Home Of Our Own
Before I give you the Wireguard tutorial links, we’ll need to setup a domain for
ourselves. Remember, computers on the internet talk to each other using numerical
IP addresses, not friendly names. And, if you’re on normal residential internet,
your home IP address likely changes every so often.
To solve this, we’re going to grab ourselves a domain name, something that we can
point to our home internet address, and update when our IP address changes.
While you could pay for an actual domain (like I do for this site), since
all we need is an address to point to our home IP, we’ll use a free DNS service -
Afraid.org will offer us a free subdomain - so instead of getting
seanvpn.[one of their provided domains].org. They’ll also give us a
script we can run to keep our home address, and their record, in sync.
Afraid.org’s documentation, while functional, assumes some existing knowledge you
might not have. Instead, I’d take a look at this
on using their free DNS service. Once you’re setup, you’ll have an internet name
that you can use to connect to your VPN from anywhere.
Getting Our VPN Up And Running
Alright, we’ve got our ad blocker, we’ve got our public internet name, we’re ready.
I’m going to point you to two tutorials - both are excellent, but they offer
different levels of detail. Try one, and if it doesn’t work for you, or if you
get stuck, try the other!
Note: In the Sigmdel tutorial, in step 4.1, the tutorial references some scripts
that are a bit dated. They still work, but you may need to tweak them for your
Getting Wireguard Devices to Use Pi-Hole
Ok - you’ve likely finished the tutorial… and you still have ads. Don’t panic,
We’ll need to make two final changes, just two things before we’re add free!
First, we’ll need to tell the Pi-Hole to allow connections from the Wireguard
VPN. To do this, go to http://pi.hole from a computer on your
home network - this is the Pi-Hole admin interface.
Once you’ve logged in - you just have four clicks:
- Click on ‘Settings’ on the panel on the left.
- Click ‘DNS’ on the top of the settings nav-bar.
- Click ‘Listen On All Interfaces’
- Click Save (bottom of the page, not show in image)
Once you’ve done this, the Pi-Hole software will process requests from Wireguard clients.
But we now have one final step - to tell your Wireguard clients to use the Pi-Hole. Open
up your Wireguard client configuration (the .conf file you made in the tutorial for
your phone/computer), and change one last thing:
DNS = [Pi hole IP address here]
This should be the local IP address of the Pi-Hole on your home network, on the
Wireguard interface. This should be whatever is in the
Address field of your
Wireguard configuration file on your server (but without the slash). So if your
server configuration has:
Address = 192.168.2.1/24
Save your config file, start Wireguard, and the ads should be gone!
You’re done, you’ve finally defeated ads. Good job.
Epilogue: I can’t connect to my local network resources when I’m on WiFi?
If you don’t need this section, ignore it - be free and happy. If you notice
that sometimes, when using Wireguard, you’re able to connect to your VPN
server, you can browse the web, but you can’t access something on your local
home network, like a NAS, or a webcam, let’s talk about IP address conflicts.
Briefly. (Look, this is a complex topic, and you’ve earned your rest, but this
bit me, so, since it might help someone…)
Also, we’re only going to discuss this for Windows, though a lot of the same
theory may apply to other operating systems.
Anyway, you might find sometimes a local network address that worked perfectly
fine on your phone, or at home, doesn’t work when you’re at a friend’s home, or
at a small store with free WiFi.
This is likely an IP address conflict.
Let’s say your on your VPN, and you want to access your web camera, which has an
IP address on your local network of
192.168.1.12 on your home network. So, you
plug that in, and nothing loads. But you’re connected to Wireguard. Everything
looks like it should work. But it doesn’t.
What’s probably happening is your friend’s WiFi, or the coffee shop, or whatever
WiFi you’re on, uses the same address range as your network at home. So your
computer sees “oh, the user is trying to connect to
192.168.1.12, and I’m
currently assigned the address
192.168.1.100 - well I’m on the same subnet, so
I’ll just send this directly to that IP address and not go through the Wireguard
Wireguard, however, is clever. And wants to prevent you from sending data that’s
not going through Wireguard. So, it blocks the connection.
What we need to do is tell the computer “hey, when I navigate to
I want you to go through the VPN no matter what, even if there’s already a
device, on this network, with that exact IP address. Welcome to the wonderful
world of manual routing.
You can see how Windows is routing connections - open a terminal (type
powershell into your start menu), and type
excellent tutorial on HowTo Geek,
but, here’s the incredibly short version: we need to tell Windows to route over
the Wireguard channel. To do this, follow the tutorial, but when you get the
step about adding a static route, what you’ll enter will be something like this:
route ADD [Client Wireguard IP Address] MASK 255.255.255.255 [IP Address of your NAS/Camera/etc]
Client Wireguard IP is the IP address you’ve told Wireguard to assign to
this device (the Wireguard application, on Windows, will show you this when you’re
connected, under “Addresses”) - leave off any slash.
OK - that, hopefully should be everything. For real. Good night, and rest easy
for you have defeated ads, and made your network safer.