My setup for using Pi-hole outside my home
My setup for using Pi-hole outside my home
I present an alternative way to use Pi-hole outside the home network by leveraging Encrypted DNS (aka DNS-over-TLS and DNS-over-HTTPS) instead of the usual VPN.
Tailscale has an technical article on this if you are starting from scratch.
If you can't install tailscale on the pi-hole directly, you can also use a subnet router and a /32 with just that address to expose it to tailscale.
it's also dead simple with netbird few clicks in the gui to setup a subnet router or join the dns box to netbird, then add it as the dns for all or whatever subdomains you want.
Came here to say this. Now I just need to upvote.
For me its been wireguard with split tunnel but that had a glaring issue with my home IP change (running 2 Pi-hole+unbound instances on separate network segments and hardware). Some time ago I switched to tailscale and added a Pi-hole on a VPS. Closed system, nothing exposed to the wide internet, works 99.99…% of the time, whole family protected against low hanging fruit attacks and adds.
Use ddns on your router with a domain so you can then get something like wireguard.example.com and then use that as the endpoint in your wireguard.
Set the wireguard DNS as your pihole.
To make life easier set your home network IP space to something that another WiFi would never use, ie 192.168.46.xx
That way it will never conflict if you are on a public WiFi and you can access anything on your home lab when you need.
I've been using this setup for years on laptop, phone etc
I do exactly this as well. Works great! Dynamic DNS is kind of a hilarious hack.
Quick question: since I use wireguard, do I need to use DNS-over-HTTPS for security? My assumption is that my entire session is already encrypted with my wireguard keys, so it doesn't matter. But I figured I should double check.
I have ddns on Cloudflare. It works great, until your home IP changes. After that wireguard will happily hammer the old IP, till something breaks the tunnel and it reestablishes it to the new IP. Working as intended. My workaround was forcing the IP change over night while everyone was home.
Tailscale sorts all the issues I had.
Whats the issue with the Home IP changing? - Have you setup a DynDns hostname?
It may since have been fixed, but the Android client didn't handle IP changes well in my experience. From my understanding, it only checks DNS when it initially connects, and so if the public IP changes the connection just stops working. This might be fine if the public ip changes infrequently or if you frequently connect and disconnect rather than leave the client always on, but not so much otherwise.
Tailscale (and headscale) handles this gracefully, and you also get the nice NAT traversal features so no need to worry about CGNATs which are becoming more common.
It will resolve the IP from the domain when the tunnel goes up and will keep using that one. Working as intended.
Overlay networks solve that issue.
A big problem for me is, that Android is not allowing custom DoT servers. Even though the system supports DoH and is even using it for their built in resolver (Google/cloud flare) Networks that only whitelist TCP 433 (some guest wifis) will fail to use DoT.
I believe you swapped DoT (TLS, port 853) and DoH (HTTPS) in your message. I have yet to be in a network that restricts port 853, but if I could I would rather use DoH on Android.
I use Home Assistant DuckDNS and Nginx addons. DuckDNS handles the dynamic DNS updating when my ISP inevitably changes my IP address. Let's Encrypt for certificates. Nginx for proxying to IPs on my network
If pi-hole blocks all ads how does the web look? Do pages have a lot of blank areas on them or what?
I haven’t set up this yet, but I use AdGuard on my phone and yes, it does leave blank space. Sometimes I don’t realized there was more text to read because it’s empty.
It’s not about the adblocker though. It’s on the quality of the developer. A good developer tells the browser to leave space for ads before it loads them. It makes the page load faster and also prevents the page jumping around as each item loads.
Ironically, a bad developer that doesn’t do that, probably has better website layouts for people who use adblockers. 🙃
Yes and no. You just have to see its beauty to get it. I also have been using it for a long ass time, almost a decade, so I could not even tell even tell you what sites look like with ads.
I imagine it's like me trying to watch a TV show with commercials after 20 years of Netflix. Holy crap, I don't know how I ever grew up with all that noise.
“It incurs additional battery usage.“
Does it? I always use a vpn on my phone and laptop and it’s not even measurable. Sure there’s gonna be more CPU usage, but with hardware acceleration and whatnot it’s almost nothing.
