Pi Hole - network-wide ad blocking
-
Pi-Hole: https://pi-hole.net/
Especially interesting for on-premises Cloudrons- Network-wide ad blocking via your own Linux hardware
- Block Over 100,000 Ad-serving Domains: Known ad-serving domains are pulled from third party sources and compiled into one list.
- Block Advertisements On Any Device: Network-level blocking you to block ads in non-traditional placed such as mobile apps and smart TVs, regardless of hardware or OS.
- Improve Overall Network Performance: Since ads are blocked before they are downloaded, your network will perform better.
- Reduce Cellular Data Usage: Pair your Pi-hole with a VPN for on-the-go ad-blocking and save on data costs.
- Monitor Performance And Statistics: The Web interface shows how many ads were blocked, a query log, and more.
- API: Utilize Pi-hole’s API in your scripting or programing projects.
Docker image: https://hub.docker.com/r/diginc/pi-hole/
Pi-Hole on Docker how-to: https://dxpetti.com/blog/2018/running-pi-hole-on-docker/ (part 1) and https://dxpetti.com/blog/2018/keeping-your-pi-hole-container-fresh-with-cron/ (part 2) -
Looks like this can be easily packaged as an app once we have UDP support in Cloudron. https://git.cloudron.io/cloudron/box/issues/504
-
Should ideally provide an option to limit access to the local network only. I wonder if this would entail changes to
box
though -
For "Pi Hole" read "Pi-hole"
-
@girish said in Pi Hole - network-wide ad blocking:
Looks like this can be easily packaged as an app once we have UDP support in Cloudron. https://git.cloudron.io/cloudron/box/issues/504
Since this issue has been closed - can we now have pi-hole on Cloudron?
-
This is easy to get on Cloudron indeed. Two outstanding issues are:
- Cloudron currently does not allow apps to use port < 1024. DNS requires port 53. This is fixable, I guess.
- Exposing Pi-Hole on port 53 would mean, anyone can access it, not just you. DNS has no auth mechanism afaik. So, I can start using your Pi-Hole server as well as the DNS. Not sure if that is good/bad. Maybe with some firewall rules we can make it so that it is IP locked.
-
@girish Would be nice to either have the possibility of keeping it open, or (my preferred option) to be able to add IP rules for oneself (ie. add rules so I can choose IPs/IP-ranges that could access this Pi-Hol).
-
@girish it would be great to have Pi-hole in Cloudron and I agree with you it should be save so it would be great to have it together with WireGuard.
Is it possible to make a Cloudron-app with Pi-hole in VPN so you can make use of it anywhere AND safe!?
Kind regards,
Marcel. -
Upvoted! I'd love to see Pi-hole on Cloudron.
-
I love getting to know more about Pi Hole: blocking ads throughout the network, it is very useful for me that I am starting in this. Thank you
-
@hiyukoim this is only possible/safe behind a VPN server like OpenVPN or even better WireGuard. I would really like to see an app with Pi-Hole and WireGuard.
-
Sorry to ask. I don't understand the use case. Why do you need Pi-hole on Cloudron?
For your local network and 53 portforward?
For (potential) ads/bugs inside apps from the appstore?
For your local network with a local Cloudron instance?
??? -
@luckow said in Pi Hole - network-wide ad blocking:
For your local network with a local Cloudron instance?
I think this, as I’ve read about several home-hosters.
-
@yusf Ok. That makes sense. (but it's not my use case)
-
We can also use it on a VPS and point the DNS to the VPS. Sure, dns queries are a bit slower but maybe websites load faster because of the ad block
-
@girish yep. Perfectly understandable. But a raspberry pi costs $50, and you can install your smarthome system (e.g. homeassistant or openHAB.) on the same pi. And then it runs on your local network. I'm just thinking.
-
Pi-Hole on Cloudron is useless IMHO for only internal "filtering".
Only in combination with a VPN like WireGuard it's a perfect combination to be online, outside of your 'safe home wifi', without sniffing of mobile providers proxies and "free open wifi", and with a kind of safetynet by Pi-Hole.
@luckow yes I do have a RaspberryPi with Wireguard AND Pi-Hole at home, but as an extra "external" backup its very welcome (and very easy) to have Pi-Hole+WireGuard in a Cloudron app.
-
Actually, one could do this (if you know what you're doing) by offering the pihole externally. In order to be safe, you would want to make sure to whitelist ONLY the IPs coming in to connect to it you intend to allow, otherwise you open your self up to DNS hijacking. I do this now by exposing a pihole on Azure that only my home router can connect to. Works great. FWIW, I took a look at packaging pihole the other day, cause of my use case. It looks...possible, but there are a LOT of moving parts and it really wants some pretty low level access, so, challenges will persist.
-
looking really forward for PI-Hole and Wireguard really
-
@imc67 @doodlemania2 Right now I am using this setup on a separate, cloud hosted VM. Wireguard and Pihole, configured so that the system can only be accessed over VPN, not by external parties. Works beautifully and would be so cool, if this was working on Cloudron.
Excellent idea and request. Thanks for bringing this up.
-
Currently, what is holding back pi-hole is a couple of Cloudron limitations:
-
Cloudron reserves port 53 (dns) on the server. Have to fix unbound to listen only on internal interfaces (we listen on 0.0.0.0 and rely on firewall and access control policies to block requests).
-
Some IP based firewall as @savity has been requesting in another thread. This is required to block requests to pi-hole to just your machines/network.
-
-
@girish you don't have these issues if you combine with Wireguard.
-
@imc67 indeed. If we bundle them together, it's not a problem. Is this the "preferred" way to package pi-hole?
-
yeah i mean it would be for me
i would never create pihole acessable for others its for private reasons vpn+pihole. So pihole would be listening, lets say on 10.9.0.0
Maybe in the future the idea could to configure other apps only availaie in the same VPN Network
-
-
@Mallewax i think this would lead also to new people using cloudron
-
@savity couldn’t agree more. For me it would be a killer feature. And would make for a nice campaign on Twitter, Reddit et. all. Just look how many people google this and try to establish it manually....this is a mainstream feature, that would be appreciated by the entire user base, much more than specific applications that appeal only to certain users.... my opinion
-
@girish definately!
-
Haha, Pie Hole / Cake Hole is British for your mouth, as in; shut your pie hole
-
@marcusquinn
Pi-hole, not Pie hole -
@Hillside502 3.14159265359... hole
-
How is the progress here?
-
@timbo Yeah any information this ?
-
Last I checked it was quite tricky to deploy pi-hole with docker. Does anyone have experience with this style of deployment? It was really made like a "distribution"/"OS" instead of a separate app.
-
@girish It's pretty straightforward as far as I can tell. I've got two instances hosted via Docker on Raspberry Pis at my home.
I agree with folks above suggesting though that it'd be best to expose only to internal services and likely inside a VPN. There is probably a decent way to do this in a single app, but I wonder if there is value in creating a new way to expose particular Apps to other apps via a shared network.
This would allow exposing a Pi-Hole app that has no "public" ports to any VPN app (OpenVPN, Wireguard, etc) with an internal hostname (app name?).
-
@iamthefij So, let's say the VPN app had a way to set a custom name server and one could just edit some file and set it to the pi-hole app, would this be good enough already? Given that the OpenVPN app is custom anyway, we can even add a simple UI that allows a user to set the DNS server IP (as you say, this might be the internal host name since IP might be dynamic actually).
This seems quite doable.
-
I've got one up and running on a public endpoint, no sweat. I just set the server to only allow queries from my IP range, deny all by default.
-
@girish yea, that's pretty much all that should be required. As long as the two containers can communicate via their internal host names, it should be sufficient.
The other advantage here is that it enables you to use the DNS from a mobile phone. Otherwise whenever you switch to a new network you receive the networks DNS via DHCP.
-
@doodlemania2 I'm not sure exactly what you've configured, but many folks do not have static IP addresses to do this with. Not only does my home network frequently change IP addresses, but my mobile network does as well.
-
@Mallewax said in AdGuard - Network-wide ads & trackers blocking DNS server:
Pihole plus Wireguard
Let's vote more here: https://forum.cloudron.io/topic/1355/pi-hole-network-wide-ad-blocking
In short why:
WireGuard is a very fast, safe and stateless VPN, great with mobile apps to be ALWAYS CONNECTED via your own VPN & covered by the Pi-hole adfilter & security platform. Faster (mobile) connections (no more ads and bulky stuff) to your own safe VPN (no more sniffing by mobile providers or obscure VPN providers).
Need to say more
-
@iamthefij For OpenVPN, I started a new thread - https://forum.cloudron.io/topic/3139/openvpn-admin-ui
-
Cool! Do apps already have access to each other through the bridge? Or would that need to be made possible as well?
-
While there is network connectivity between the apps (docker's
icc
is true), the apps do not know the internal IPs and thus cannot easily discover each other. We have to come up with some sort of standard hostname naming mechanism to allow easy configurability. -
Being able to host Cloudron behind Wireguard in a way where apps would only be accessed through WG would be a nice feature for security-demanding deployments.
Edit: Sorry, wrong thread.
-
Are there any news Regarding Wireguard and Pihole in Cloudron?
-
@imc67 said in Pi Hole - network-wide ad blocking:
Only in combination with a VPN like WireGuard it's a perfect combination to be online, outside of your 'safe home wifi', without sniffing of mobile providers proxies and "free open wifi", and with a kind of safetynet by Pi-Hole.
This is a common misconception - Just because you are using a VPN does not mean you are completely safe. Sure you maybe safe from traffic sniffers at your local mcdonalds or starbucks, but a VPN that is tied to your name and a device that has other software on it like facebook, twitter, etc still makes you vulnerable to data leakage, tracking and more.
-
@murgero Exactly that! There's a reason why not one single bank in the world has "Login with Google/Facebook/Twitter" etc.
-
@savity I did give pi-hole a try but it was really hard to package from source easily. I managed to instead package the new kid in the block - AdGuard. Some reviews here https://home-assistant-guide.com/2020/09/26/adguard-home-vs-pi-hole-2020-two-ad-and-internet-tracker-blockers-compared/ and https://mariushosting.com/synology-adguard-vs-pi-hole/ . It requires some support from the platform, depending on time we might add it to Cloudron 6 (or the release after). https://forum.cloudron.io/topic/3075/adguard-network-wide-ads-trackers-blocking-dns-server is the forum topic for that.
-
@girish Sad to hear thath Pi-hole didn't workout but lets see how AdGuard is
Thanks for your Work
-
@girish I have adguard installed via homeassistant on a RPi4 and it works just as pi-hole does. Admin UI looks similar as well. I'd suspect you will find little to no complaints on packaging adg or pih.
-
@murgero Yes, it also seems adh has some important features like DoH.
-
Adguard Home will be available in Cloudron 6 - https://forum.cloudron.io/topic/3075/adguard-network-wide-ads-trackers-blocking-dns-server . It is similar to pi hole (and more feature rich).
-
@girish i would love to see PI-Hole in Cloudron.
And option to setup Pihole with Android Private DNS which requires DNS-over-TLS
and i wrote a quick setup script for Pihole DNS-over-TLS
https://github.com/varunsridharan/pi-hole-android-private-dns/blob/main/pi-hole5.sh
-
I have added an option to make the DNS server of the OpenVPN app configuration - https://forum.cloudron.io/topic/3875/adding-custom-dns-server . So, you can install AdGuard Home and OpenVPN and then make OpenVPN use AdGuard as the DNS server.
-
Just leaving a note here for people looking into pi-hole. Starting 6.2, Cloudron also supports DoT (DNS over TLS) in AdGuard Home. This makes it work out of the box in Android phones.
-
@girish so if I've got this right, I could AdGuard to stop any ads ever being shown on the Android tablet my kids use? (most are blocked already either using uBlock Origin in the browsers or e.g. NewPipe instead of YouTube - although I can't uninstall YT on this machine and no doubt the kids will find and open it at some point)
Could I somehow achieve that using a Cloudron installed on a VPS, or is AdGuard something I'd need running on a machine at home? Thanks!
-
@jdaviescoates
yes, you can do that (mind you that you can filter ads based on domains etc - there are sneaky ads that you can’t catch with a DNS filter (e.g. if they come from the same domain as the content, etc). But it helps a lot.IMHO it’s easier though to just get a dedicated Raspberry Pi, put www.dietpi.com on it, and you should be good to go with Pi-Hole, Unbound, and encrypted DNS in minutes. It has A LOT of other apps as well including AdGuard Home (and many you won’t even find on Cloudron such as Wireguard, Home Assistant, Pydio, Plex, etc.) - though not dockerized - but I like to have this dedicated little device kept simple and not facing the internet.Just servicing the local network with some services.
-
@necrevistonnezr thanks, so just be clear it sounds like I would need a machine at home to take advantage of this stuff, right?
Or is it somehow possible to use a VPS too?
Thanks!
-
@jdaviescoates yes, a „machine“
at home (well, it’s just a tiny box)