Pi-Hole with Wireguard using Oracle Cloud Infrastructure – Oracle Always Free Tier

Block advertisements and trackers using Pi-Hole in the Oracle Cloud Always Free tier

Full Tunnel or Split Tunnel IPv6 + IPv4 Wireguard VPN connections to an ad blocking Pi-Hole server, from your Android, iOS, Chrome OS, Linux, macOS, & Windows devices

The goal of this project is to enable you to safely and privately use the Internet on your phones, tablets, and computers with a self-run VPN Server in the cloud, or on your own hardware in your home. This software shields you from intrusive advertisements. It blocks your ISP, cell phone company, public WiFi hotspot provider, and apps/websites from gaining insight into your usage activity.

Both Full Tunnel (all traffic) and Split Tunnel (DNS traffic only) VPN connections provide DNS based ad-blocking over an encrypted connection to the cloud. The differences are:

  • A Split Tunnel VPN allows you to interact with devices on your Local Network (such as a Chromecast or Roku).
  • A Full Tunnel VPN can help bypass misconfigured proxies on corporate WiFi networks and protects you from Man-In-The-Middle SSL proxies.
| Tunnel Type | Data Usage             | Server CPU Load | Security            | Ad Blocking | Bandwidth usage        |
|-------------|------------------------|-----------------|---------------------|-------------|------------------------|
| full        | +10% overhead for VPN  | low             | 100% encryption     | yes         | Local & Oracle Network |
| split       | just kilobytes per day | very low        | DNS encryption only | yes         | Local + few KBs on OCI |

When you use a full tunnel, you consume bandwidth on your local network as well as on the Oracle Cloud network. Oracle offers 10 TB of network traffic per month, with a speed cap of around 10 Mbps. Using a split tunnel consumes data only from your local network, plus a few MB from the Oracle Cloud network, and your internet speed is not capped.

Oracle Cloud Infrastructure provides more than the cloud instance. Check the full list here.

While Pi-hole was originally authored to run on a Raspberry Pi, people have followed this guide to deploy securely hosted instances of Pi-hole with VPN only access on Google Cloud, AWS, Heroku, Azure, Linode, Digital Ocean, Oracle Cloud, and on spare hardware at home.


Quickstart

  1. I suggest using the Ubuntu 22.04 image provided by Oracle. You can also use Ubuntu 20.04, as the Wireguard module ships natively in the Linux kernel.
  2. Download and execute setup.sh from this repository to:
    1. install the latest Wireguard packages
    2. install the latest Pi-Hole, and configure it to accept DNS requests from the Wireguard interface
    3. display a QR Code for 1 Split Tunnel VPN Profile, so you can import the VPN Profile to your device without having to type anything
sudo su -
curl -O https://raw.githubusercontent.com/anbuchelva/Pi-hole-and-Wireguard-on-Oracle-Cloud-always-free-tier/master/setup.sh
chmod +x setup.sh
bash ./setup.sh
  3. Make sure your router or firewall is forwarding incoming UDP packets on port 51515 to the Ubuntu server on which you ran the setup.sh script.
  4. Create another VPN Client Profile by running ./setup.sh again; you can create 253 profiles without modifying the script.
  5. Enable Wireguard VPN connections on your devices.

Server Setup Guide

Set up a Pi-Hole Ad Blocking VPN Server with a static Anycast IP on Oracle Cloud Infrastructure’s Always Free Usage Tier

You can run your own privacy-first ad blocking service within the Free Usage Tier on Oracle Cloud Infrastructure. Step 1 of this guide gets you set up with an Oracle Cloud account, and Step 2 walks you through setting up a full tunnel or split tunnel VPN connection on your Android and iOS devices, and on your computers.

This simple 2 step process will get you up and running:

  • STEP 1 Oracle Cloud Login, Account Creation, & Server Provisioning

Oracle Cloud Account and Instance Creation

Go to https://signup.cloud.oracle.com/ and choose a region. Important Note: you cannot change the region once you choose it. For better speed, choose a region near your location. If you want to access services that are only available in a specific country, choose that country.

Compute Instance Creation

1. Compute Engine

Click the hamburger menu at the top left of the page, then choose Compute > Instances.

2. Create Instance

On the left side, choose the Compartment you specified while creating the account, then click the Create Instance button.

3. Name your Instance

Give your instance a name and make sure the chosen compartment is right. Then click the Change Image button.

4. Choose Instance Image

Choose Ubuntu 22.04 instead of Oracle 8. Optional: You may choose Ubuntu 20.04 or a minimal edition; the choice is yours.

5. SSH Key

Choose the SSH key option of your choice. If you don’t know what an SSH key is, choose the option shown in the screenshot. Make sure you download both the public key and the private key and keep them in a safe place. Optional: You can search online for how to create an SSH key using the terminal, then paste the public key into the given field.

6. Advanced Options (this step is optional)

If you don’t want Oracle running multiple tracking services that check the compute instance’s performance, you can disable them here.

7. Instance Status

It will take a few minutes to create and start the instance. You will see the status on the left turn from orange to green. Once it is green, click the Public Subnet link to open ports.

Make a note of the public IP address in this step.

8. Edit Public Subnet

Click the Public Subnet link

9. Update Security List

Click the Default Security List for your instance (the name might be different for you).

10. Open UDP and TCP Ports

Click New Ingress Rule and add UDP port 51515; this is the port used by Wireguard, which Pi-hole listens behind.

Click New Ingress Rule and add TCP port 80; this will be used to access the Pi-hole web dashboard. Note that this rule exposes the dashboard to the whole Internet over plain HTTP. Once the VPN is working, the dashboard is also reachable over the tunnel at http://10.66.66.1/admin (see Step 2), so you can remove this rule if you only manage Pi-hole from a connected client.

  • STEP 2 Software Installation & Configuration

Connect to Oracle Cloud Instance

Once you complete the 10 steps above, connect to the cloud instance from your terminal. You can use Windows Terminal (Windows 11), PowerShell (Windows 10 or 11) or PuTTY (all Windows versions), as you prefer. Linux and Mac users can use the terminal that comes with the OS. Android users can use the JuiceSSH client.

Use the following command to connect to the instance:

ssh -i <path/to/your/private/key> -p 22 ubuntu@public.ip.of.instance

A real connection looks like this:

ssh -i ~/.ssh/id_rsa -p 22 ubuntu@172.173.174.175

Note: You may face connection issues if the private key file is readable by other users; ssh refuses to use a key whose permissions are too open, so restrict them (for example, chmod 600 on the key file).

Install Pi-hole and Wireguard

  1. The Pi-hole installation step will install the required packages. However, before you begin, update the packages by running sudo apt update && sudo apt upgrade -y
  2. If the instance asks for a restart, please do so.
  3. Then copy the code below to install Wireguard and Pi-hole.
    sudo su -
    curl -O https://raw.githubusercontent.com/anbuchelva/Pi-hole-and-Wireguard-on-Oracle-Cloud-always-free-tier/master/setup.sh
    chmod +x setup.sh
    bash ./setup.sh
  • sudo su - gives you root privileges.
  • The curl command downloads the setup script from this repository.
  • The chmod +x command makes the setup script executable.
  • The bash ./setup.sh command runs the Wireguard and Pi-hole setup process.
  4. Accept the default values provided throughout the entire installation process; once it is running, the only key you need to press is ENTER.
    • The Pi-Hole installation will begin after the Wireguard network interface is configured. Accept all the default options throughout the Pi-Hole installation by pressing ENTER.
  5. At the end, you will get a QR code you can scan to connect your mobile devices. You can optionally use the provided .conf files to import your Wireguard client profiles into your devices.
  6. To add additional Wireguard VPN clients, run setup.sh again. You must run this script as the root user, from within the /root home directory, which is the case if you have performed Step 1 before this step.
bash ./setup.sh

It will automatically increment the IP addresses for each new client profile; continue accepting all the default values the script provides. The option to edit values is provided for advanced users with edge case requirements.

  7. Configure the Wireguard VPN client on your device. Once your device is connected via Wireguard, all your DNS requests will flow through Pi-Hole. Your device will be identified by its IPv6 address in Pi-Hole’s admin interface, which will be accessible at both http://[fd42:42:42::1]/admin and http://10.66.66.1/admin. The default configuration (which is the recommended configuration) for all VPN profiles is Split Tunnel. If you wish to route all your traffic through the VPN (Full Tunnel), edit the Allowed IPs of the client profile on your device to read 0.0.0.0/0, ::/0.
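The split-tunnel and full-tunnel profiles differ only in the AllowedIPs line of the [Peer] section. The following shell snippet is an added example, not part of the repository's setup.sh: it builds a sample profile shaped like wg0-client-1.conf and rewrites it into a full-tunnel profile. The key values are placeholders, and the split-tunnel AllowedIPs (10.66.66.1/32, fd42:42:42::1/128), the client Address prefix lengths and the Endpoint hostname are assumptions.

```shell
#!/bin/sh
# Added example (not part of the repository's setup.sh): turn a split-tunnel
# WireGuard client profile into a full-tunnel one by rewriting AllowedIPs.

# Split tunnel: only traffic for the Pi-hole's tunnel addresses enters the VPN,
# so DNS is filtered and encrypted while LAN devices stay reachable (assumed CIDRs).
SPLIT_ALLOWED='10.66.66.1/32, fd42:42:42::1/128'
# Full tunnel: every IPv4 and IPv6 destination is routed through the VPN.
FULL_ALLOWED='0.0.0.0/0, ::/0'

# Constructed sample profile, shaped like wg0-client-1.conf; keys are placeholders.
sample_profile() {
    cat <<EOF
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.66.66.2/24, fd42:42:42::2/64
DNS = 10.66.66.1, fd42:42:42::1

[Peer]
PublicKey = <server-public-key-placeholder>
PresharedKey = <preshared-key-placeholder>
Endpoint = public.ip.of.instance:51515
AllowedIPs = $SPLIT_ALLOWED
EOF
}

# set_allowed_ips FILE CIDRS: rewrite the AllowedIPs line of a profile in place,
# keeping every other line (keys, Address, DNS, Endpoint) verbatim.
set_allowed_ips() {
    _tmp=$(mktemp) || return 1
    awk -v cidrs="$2" \
        '/^AllowedIPs[[:space:]]*=/ { print "AllowedIPs = " cidrs; next } { print }' \
        "$1" > "$_tmp" && cat "$_tmp" > "$1"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# allowed_ips FILE: print the CIDR list currently configured in a profile.
allowed_ips() {
    sed -n 's/^AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1"
}
```

Run set_allowed_ips on a copy of the profile and import the copy as a second tunnel, so you can switch between split and full tunnel from the Wireguard app without re-scanning a QR code.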

Change MTU Value (Optional: if you face connection issues)

You may change the MTU value in the file /sys/class/net/wg0/mtu.

Steps to change:

  1. sudo nano /sys/class/net/wg0/mtu
  2. Change the value to 1420
  3. Ctrl + x then y to save.

Sometimes clients take a long time to connect; this fixes the issue.

Update Host Names (Optional Step)

Edit the /etc/hosts file to update the client names, if you wish to see client names instead of client IP addresses in Pi-hole.

sudo nano /etc/hosts opens the hosts file for editing.

Add clients like given below:

10.66.66.2 linux-dell-pc
fd42:42:42::2 linux-dell-pc
10.66.66.3 android-phone
fd42:42:42::3 android-phone
10.66.66.4 android-tv
fd42:42:42::4 android-tv

Ctrl + x then y to save.

Edge Case Requirements

Configure automated Pi-Hole updates and scheduled reboots

Pause and consider whether you need this for mission critical Pi-hole servers. If you are running multiple Pi-Holes for redundancy and you choose to implement this, stagger the upgrade and reboot schedules. Be prepared to perform health checks to ensure all services are operational. Blind upgrades are not guaranteed to be smooth.

Note: The following steps assume you have nano installed. You can use any other editor (e.g. vim) to do this.

Create a script that checks whether a reboot is required, by testing for the presence of the /var/run/reboot-required file:

sudo nano /etc/cron.daily/zz-restart-if-required

Paste the following into /etc/cron.daily/zz-restart-if-required:

#!/bin/sh
# Reboot only when the package manager has flagged that a restart is needed.
if [ -f /var/run/reboot-required ]; then
    /sbin/shutdown -r now
fi

Set the correct permissions:

sudo chmod 755 /etc/cron.daily/zz-restart-if-required

Check for Pi-Hole updates and perform an update if one is available:

Create the script to update PiHole:

sudo nano /etc/cron.daily/update-pi-hole

Paste the following into /etc/cron.daily/update-pi-hole:

#!/bin/sh
/usr/local/bin/pihole -up

Set the correct permissions:

sudo chmod 755 /etc/cron.daily/update-pi-hole

Enabling or Blocking communication between Wireguard Clients

If you wish to enable communication between select Wireguard clients, you must use the same CIDR notation under Allowed IPs in each client configuration file. This table could help you plan which devices get which IPs.

There is no value in setting up DNS over HTTPS or DNS over TLS on a cloud hosted instance, because your DNS requests to the cloud are encrypted by Wireguard. Note that this covers the hop between your device and the Pi-hole; the queries Pi-hole forwards to its upstream resolver are a separate hop that the Wireguard tunnel does not cover.


Client Setup Guide

To connect and use the VPN, you will need to install the Wireguard VPN software on your device or computer. Review some common Wireguard VPN client configuration steps:

Common Wireguard VPN Client Configuration Steps

At the end of the Quickstart or Server Setup Guide, a Wireguard configuration file named wg0-client-1.conf should have been created. This allows a client to connect to the VPN. A visual representation of the wg0-client-1.conf configuration file also appears as a QR Code, and the VPN Profile can be scanned using the Android or iOS Wireguard apps.

If you are setting up a Wireguard Client on a computer or server, obtain the contents of the wg0-client-1.conf file and copy it to the device you want to connect from.

You can print the contents of the wg0-client-1.conf file in the command line interface of the Wireguard Server, by running this command:

sudo cat /root/wg0-client-1.conf

The output can be copied and pasted into a blank text file on your client device, and this configuration file should be saved on your client device as wg0-client-1.conf.


Android & Chrome OS

Install the official Wireguard Android App and use a QR Code to import your VPN profile.


To configure a persistent tunnel on Android, that reconnects after the device restarts, you have to edit the system-wide VPN settings:

| Device         | Steps to enable Always-on VPN Tunnel                                                              |
|----------------|---------------------------------------------------------------------------------------------------|
| Pixel Phones   | Settings > Network & Internet > Advanced > VPN > (for Wireguard) enable Always-on VPN              |
| Samsung Phones | Settings > Connections > More Connection Settings > VPN > (for Wireguard) enable Always-on VPN     |
| Huawei Phones  | Settings > More connections > VPN > press and hold (on Wireguard) > Edit > enable Always-on VPN    |

Arch Linux

Install an open source Wireguard plugin for Network Manager.

1. Install Wireguard plugin

From the Arch User Repository, you can install networkmanager-wireguard-git.

2. Import the configuration

  1. Right click on Network Manager applet
  2. Select Modify connections
  3. At the bottom left, click on the + symbol
  4. From the dropdown menu, select Import saved VPN configuration and confirm
  5. Select the wg0-client-1.conf file and confirm.
  6. You are free to change the name of the VPN configuration if you want. Once done, click Save and you should see the VPN connection appear in the list.

iOS

Install the official Wireguard iOS App and use a QR Code to import your VPN profile.

Steps to enable Always-on VPN Tunnel:

  • Edit the Tunnel in the Wireguard App
  • Click Edit on the top right
  • Scroll down to On-Demand Activation and Enable Cellular and Wi-Fi toggles

macOS

Install the official Wireguard macOS Client and use the wg0-client-1.conf file to import your VPN profile.

Windows

Install the official Wireguard Windows Client and use the wg0-client-1.conf file to import your VPN profile.

Get the latest Windows Client from wireguard.com/install

Delete Clients from Server

Print list of all clients on the server:

sudo wg show

Sample output may look like this:

peer: txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys=
 preshared key: (hidden)
 endpoint: 99.99.99.99:99999
 allowed ips: 10.66.66.2/32, fd42:42:42::2/128
 latest handshake: 4 days, 20 hours, 4 minutes, 20 seconds ago
 transfer: 4.20 MiB received, 4.20 MiB sent

Make note of the unique string after the word peer: for the client you wish to delete. In the example above, it is txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys=.

Remove the client:

sudo wg set wg0 peer txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys= remove

Replace txUZ0iqCyu69qQFq08U420hOp3/A4lYtrHVrJrAYBys= in the command above with the peer key of the client you wish to delete from your server.
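Clients are usually easier to identify by tunnel address than by public key, and a peer removed with wg set alone comes back when the interface restarts. The following shell snippet is an added example, not part of the repository: it looks up a peer's public key by its allowed IP in the tab-separated output of wg show wg0 dump and removes it. It assumes wg0 is managed by wg-quick, so wg-quick save wg0 persists the removal to /etc/wireguard/wg0.conf; the sample dump is constructed with placeholder keys.

```shell
#!/bin/sh
# Added example (not from the repository): remove a WireGuard peer by its tunnel IP.
# `wg show wg0 dump` prints one tab-separated line per peer with the columns
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# preceded by one interface line (private-key public-key listen-port fwmark).

# Constructed sample dump; keys are placeholders, not real WireGuard keys.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' SERVER_PRIVATE_KEY_PLACEHOLDER SERVER_PUBLIC_KEY_PLACEHOLDER 51515 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        CLIENT1_PUBLIC_KEY_PLACEHOLDER '(none)' 99.99.99.99:99999 \
        '10.66.66.2/32,fd42:42:42::2/128' 1700000000 4404019 4404019 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        CLIENT2_PUBLIC_KEY_PLACEHOLDER '(none)' '(none)' \
        '10.66.66.3/32,fd42:42:42::3/128' 0 0 0 off
}

# peer_for_ip IP: read a dump on stdin and print the public key of the peer whose
# allowed-ips list contains IP (matched exactly, ignoring the prefix length).
peer_for_ip() {
    awk -F '\t' -v ip="$1" '
        NR == 1 { next }                        # skip the interface line
        {
            n = split($4, cidrs, ",")
            for (i = 1; i <= n; i++) {
                sub(/\/[0-9]+$/, "", cidrs[i])  # strip /32 or /128
                if (cidrs[i] == ip) { print $1; exit }
            }
        }'
}

# remove_peer_by_ip IP: remove the peer from the running interface, then persist
# the change so wg-quick does not re-add it on the next restart (assumes wg-quick).
remove_peer_by_ip() {
    key=$(wg show wg0 dump | peer_for_ip "$1") || return 1
    [ -n "$key" ] || { echo "no peer owns $1" >&2; return 1; }
    wg set wg0 peer "$key" remove && wg-quick save wg0
}
```

After removing a peer, also delete its wg0-client-N.conf from /root and drop its /etc/hosts entry so the stale profile cannot be imported again.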
