David's Space

Raspberry Pi: Wireguard and Pi-Hole

Securing Public WiFi and Adblocking with Raspberry Pi

I recently got the urge to try both Wireguard vpn server and Pi-Hole DNS software to help the more secure use of public wifi and reduce cellular data usage by blocking ads on my mobile phone. My current ISP allows multiple public IP addreses so I have an unmanaged switch inline between my cable modem and my main network firewall. This allows my Raspberry Pi to have a public IP address without having to port forward or risk compromising the security of my main network.

My long term goal is to create my own private "cloud" to replace Google services, Dropbox, and others with open source alternatives. I am currently evaluating Seafile as a file syncing solution.

Pi-Hole DNS Black Hole Software: Pi-Hole is a DNS server software package that is designed to be a local DNS server that runs on your local network and functions as the primary DNS server for the network. It works by checking the blacklist for the DNS query and returning nothing for the IP address if the DNS name is found on a blacklist. It blocks adservers or phishing sites from loading the content while allowing the rest of the web page to load. The software is very simple to setup and their are a lot of good free blacklists availabe online. I highly recommend this software if you are someone who cares about privacy and security.

Wireguard VPN server: Wireguard is a relatively simple to set up, point to point VPN server that is reported to be much faster with lower overhead and simpler setup than Openvpn or IPsec. The Wireguard website offers good tutorials for installation and setup. I am currently using the beta android app on my phone and am very happy with the performance. I am running the Pi-Hole software headless without the web admin panel and doing all the administration over ssh.

I am running Ubuntu Mate as the operating system on my Raspberry Pi 3. I have disabled the desktop to save resources and uninstalled some of the desktop software that is bundled with the Raspberry Pi 3 image. Pi-Hole is currently accepting connections on all interfaces. To prevent Pi-Hole from being accessable on the public internet, firewall rules block all inbound connections except on the ports that Wireguard uses for the VPN tunnel as well as a non standard port for ssh. For security, I have enabled unattended upgrades and am protecting ssh with keys, no root login, and fail2ban. I leave the Wireguard tunnel enabled most of the time and have noticed a significant perceived increase in page load times due to this setup.

I am really happy with this project and would encourage others to try it also.