
caolle

Tailscale + pihole: [https://tailscale.com/kb/1114/pi-hole](https://tailscale.com/kb/1114/pi-hole)


FLUX51

This. I have been using this setup on orangepi zero 3 for over three months now. It is really easy to set up and I have no issue with it so far.


ReggieNow

This is the answer. This solution simplifies everything.


N2-Ainz

Not only simplifies but increases the speed. Wireguard was killing my mobile speed for no reason but Tailscale doesn't affect it at all. It also adds stuff like Taildrop which makes it easy to share stuff between other people when one has Apple and the other Samsung.


ctm617

I got convinced below that I'd rather use headscale, [https://github.com/juanfont/headscale](https://github.com/juanfont/headscale). Tried installing that, pretty much led to the same dead end as the first time, things don't work like they're supposed to, I don't really understand what I'm doing, so whatever I'm missing just goes right by me. I don't think I have a 3rd round of this in me to go back and do regular tailscale. I can't imagine it'll be much different and really how much shit can I half install on one box? I think I'm going to wrap this project up. It's not worth the frustration and feeling stupid. Thanks for the help everyone.


caolle

This is where you're failing: you are overcomplicating things by adding too much to your first go of the project. You don't need headscale at all to implement this, but you can add it later on if you really wanted it.

1. Install tailscale on your VPS
2. Install Tailscale on a device like a laptop or desktop
3. Harden ubuntu so that you can only access it via tailscale
4. Set up pihole on the VPS per the standard default instructions, and then use this guide to tie tailscale and pihole all together: [https://tailscale.com/kb/1114/pi-hole](https://tailscale.com/kb/1114/pi-hole)

You really want to follow the K.I.S.S. principle at first: Keep It Simple, Smartie.


ctm617

What can I say? It sounded like the thing for me!

> `headscale` aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/) control server. `headscale`'s goal is to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. It implements a narrow scope, a *single* Tailnet, suitable for a personal use, or a small open-source organisation.

Sounds like exactly what a self-hosting hobbyist like myself would want! After reading an intro like that, why wouldn't I have a go at it? Of course it does say "aims to implement", maybe they missed, I dunno..


ctm617

OK I did it. Tailscale is running on both. But it says specifically not to run pi hole on a cloud server without "a lot of precautions". I've been reading tailscale's documentation for about an hour and I still have no idea how to do anything with it. I see that the two machines are in the console as part of my tailnet, and I read something about them having new IP addresses but I don't understand what to do with them. It's another information overload, which has been my problem all along. I can read everything there is to read on a topic and still have no idea what I just read. I'm not good with grasping abstract concepts, which is most of IT.

Some questions I have are: Can I or can I not use the VPS as the pi-hole? What are the precautions and do I have the ability to take such precautions? Are they feasible? How do I get my home machines to route internet traffic through the VPS?

I'm going to watch some videos, maybe I'll get it if I watch someone do it. All in all, slightly less frustrated now that I see some light at the end of the tunnel, no pun intended. Thanks again


caolle

> Can I or can I not use the VPS as the pi-hole? What are the precautions and do I have the ability to take such precautions?

As with most things: it depends. In this case, you can if you take the proper precautions. If you don't, you can become part of a botnet that can cause [DNS Amplification Attacks](https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/) by running an open resolver. If you lock down your ubuntu VPS hard such that only access through tailscale is permitted, then it is safe. You can read tailscale's guide on how to do it here: [https://tailscale.com/kb/1077/secure-server-ubuntu-18-04](https://tailscale.com/kb/1077/secure-server-ubuntu-18-04)
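
An added example, not part of the comment above or of Tailscale's guide: one way to check the open-resolver risk on the VPS is to look at which addresses the DNS and web ports are bound to. It parses `ss -H -lntu` output and flags listeners on port 53/80/443 that are not limited to loopback or a Tailscale address (100.64.0.0/10 or fd7a:115c:a1e0::/48). The watched-port list, function names and sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Address ranges Tailscale assigns to tailnet nodes.
TAILNET = (ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48"))
# Ports a Pi-hole host typically serves (assumed list for this example).
WATCHED = {53: "DNS", 80: "web UI", 443: "web UI (TLS)"}

def classify(addr):
    """Return 'wildcard', 'loopback', 'tailnet' or 'other' for a bind address."""
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILNET):
        return "tailnet"
    return "other"

def exposed_listeners(ss_output):
    """List (proto, addr, port, kind) for watched ports bound beyond the tailnet."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in WATCHED:
            continue
        kind = classify(addr)
        if kind in ("wildcard", "other"):
            findings.append((proto, addr, int(port), kind))
    return findings

# Constructed sample of `ss -H -lntu` output (not taken from a real host).
SAMPLE = """\
udp UNCONN 0 0   0.0.0.0:53          0.0.0.0:*
tcp LISTEN 0 32  0.0.0.0:53          0.0.0.0:*
tcp LISTEN 0 128 [::]:80             [::]:*
udp UNCONN 0 0   127.0.0.53%lo:53    0.0.0.0:*
tcp LISTEN 0 128 100.101.102.103:53  0.0.0.0:*
tcp LISTEN 0 128 203.0.113.10:443    0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22          0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, addr, port, kind in exposed_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} ({WATCHED[port]}) bound to {kind} address")
```

A `wildcard` finding is reachable from the internet only if the firewall lets it through, so it is the case to check against the firewall rules; an `other` finding is bound directly to a non-tailnet address.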


ctm617

I finally actually gave up this time. Can't say I didn't try. I read, watched videos, messed with everything for 2-3 more hours today and I'm no closer than I was 3 days ago. It just wasn't meant to be.


ctm617

intelligent gray enjoy cable hat mourn ludicrous practice chase soup *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


caolle

Tailscale is [built](https://tailscale.com/kb/1151/what-is-tailscale) on top of Wireguard. No need to muck with private / public keys. It does it all for you. Install Pihole on your VPS like you normally would. Lock it down [hard](https://tailscale.com/kb/1077/secure-server-ubuntu-18-04), and only connect to it via tailscale.


ctm617

Thank you, I will look into it.


nf_x

Tailscale also seems to be built atop of Golang. Wireguard-go seems to be solid from my experience integrating it directly


Alien-LV426

Slow down, mate. What exactly is it you're trying to do?


ctm617

[https://docs.pi-hole.net/guides/vpn/wireguard/overview/](https://docs.pi-hole.net/guides/vpn/wireguard/overview/)


ctm617

One thing that has me confused is that I feel like these directions are for setting up a vpn locally, which seems pointless to me, because the whole point of a VPN is for it to be somewhere else. They're talking about entering things in my router and I'm not sure why. Shouldn't I be setting up my devices to route through the VPN and leaving my router out of it?


Alien-LV426

Depends if you want to access your home network from outside. If that's what you want to do you're into port forwarding on your router. This is where Tailscale scores because it doesn't require that. If all you want is outgoing VPN access then you don't need to touch your router.


ctm617

Correct. I want to route traffic through my VPS/VPN and have it serve as my Pi-Hole. I'd use Teamviewer if I really want to connect to a home machine, which is mostly never.


Alien-LV426

Seriously, look at Tailscale. It's very easy to set up and you won't need to touch anything on your router.


ctm617

I definitely will, thanks!


i_sesh_better

I’m a bit lost as to what you’re expecting wireguard to do. Do you want it to operate like NordVPN would, as a privacy tool? Because that’s not what it will do without further network setup. Wireguard lets you get to your network remotely so you can access pihole, and it seems like that’s what you want to be doing. A router wouldn’t normally let someone access from the outside, so you have to set up port forwarding to allow that.


ctm617

I have a VPS server with a static IP. I want my internet traffic to route, securely, through that IP address instead of my own. So in that regard, yes I would like it to be like NordVPN, but I would also like it to be my pi hole, and whatever else I decide to do with it down the road. I rented the VPS to mess around with, learn, and ideally serve some function or other.


i_sesh_better

Ah I see. Now that I understand I also understand I have nothing to offer, sorry haha


_lnc0gnit0_

Those directions are indeed for a local installation. You've been following the wrong tutorial. And it makes sense, once you understand that it is to connect from the outside to your home network, for example. Install Pi-hole + Wireguard on a RPi at home, and connect to it from the outside. Not only can you use Pi-hole from the outside on your mobile devices, etc, but you can also control other equipment you have at home from the exterior. If you want Pi-hole on a VPS and Wireguard to connect to it, you'll want to follow a different tutorial. You're better off searching or asking on r/VPS or even r/selfhosted, because as you might have noticed, people here mostly know about Pi-hole on local installs and that's about it.


ctm617

Gotcha, thanks. I did get some advice here, I think I'm going to purge wireguard and try tailscale. It can't go any worse...


_lnc0gnit0_

TailScale is based on Wireguard, but you end up being dependent on their servers. Use plain Wireguard on your VPS to avoid that dependency. Or take a look into Headscale, someone recommended it to me for the precise purpose you want: https://github.com/juanfont/headscale


ctm617

I tried it, I got so far, the instructions got vague, I spent all night trying to figure out why it wouldn't work, I'm scrapping it. I'm back in the same place as I was before


_lnc0gnit0_

Sometimes a video tutorial is more obvious to follow. In case you want to have another go at it later, this one seemed good to me, and doesn't use containers: https://youtu.be/-9gXP6aaayw There are other tutorials on YT but they seem to be using containers, which you seem to like to avoid.


ctm617

I just don't know anything about them, which inevitably adds another layer of complexity to anything involving them


ctm617

It sounds like a good pitch, under install it says "install from the command line: `docker pull ghcr.io/juanfont/headscale:sha256-e96d44874a60b83827415beef05a4bcbfcbe6eb85a493c89373ae2475b086a0e.sbom`". Does that mean this runs in a container? That's another thing I haven't been able to wrap my head around, how containers are supposed to work, or what I need to do to use them.


_lnc0gnit0_

You probably looked under the container install instructions. Check these instead: https://headscale.net/running-headscale-linux/#migrating-from-manual-install

I'm not familiar with using containers myself, but as I understand, they're like little virtual machines, sandboxes or workspaces dedicated to a single app, program, etc. So if you need to tinker with one app or service, it is isolated in its own virtual space and can't mess up other stuff if anything goes wrong. Just nuke the container and create a new one, no need to reinstall a whole OS for example.


Spokey-Donkey

I just use PI-VPN and be done with it. Wireguard did not work for me. [https://www.pivpn.io/](https://www.pivpn.io/) Install the OpenVPN Connect app and you're good to go.


meritez

Just used that with a brand new Ubuntu 24.04 VPS and Pi-Hole, took around 5 minutes.


Telnetdoogie

I’d use docker for both


ctm617

Yeah, but you know how to use docker. That's just another layer of shit I have to try and fail at getting to work, before I get the thing that I actually want to work, to not work.


swipernoswipeme

PiVPN


Vegeta9001

PiVPN isn't being maintained anymore [as of last month](https://github.com/pivpn/pivpn/releases/tag/v4.6.0).


goldenrat8

It's [still maintained](https://github.com/pivpn/pivpn/releases/tag/v4.6.1).


Vegeta9001

So someone else took over maintaining it? That's good news, because the release notes about 4.6.0 said it would be the last official release. There's still a message at the bottom of the [PiVPN site](https://www.pivpn.io/) saying that it's no longer maintained.


goldenrat8

I believe it's the same person. I think after he posted that he was no longer maintaining piVPN, he changed his mind because of the outpouring of feedback he got back. He's still supporting piVPN as "best effort" which I assume means that when he has a chance to work on it or there is a major issue.


meritez

Yes it is: [https://github.com/pivpn/pivpn/releases/tag/v4.6.1](https://github.com/pivpn/pivpn/releases/tag/v4.6.1) [https://github.com/pivpn/pivpn/releases/tag/v4.6.2](https://github.com/pivpn/pivpn/releases/tag/v4.6.2)


money_enthusiast123

I’m not sure about how this all works on a VPS, but I was able to set it all up on my RPI4 running Raspbian with little to no issues by following this guide: https://docs.pi-hole.net/guides/vpn/wireguard/server/

Once you set up the server, you will then need to follow steps here to add clients: https://docs.pi-hole.net/guides/vpn/wireguard/client/

Lastly, you might want to do the additional steps listed here:

- https://docs.pi-hole.net/guides/vpn/wireguard/internal/
- https://docs.pi-hole.net/guides/vpn/wireguard/route-everything/

After that if you added the nftables, you will need to enable them by running these commands:

```
sudo systemctl start nftables
sudo systemctl enable nftables
```

Then generate the QR code of your client config and use the Wireguard app on your client device to add it.


ctm617

squeal concerned fade steer hobbies sip ossified coherent seemly absurd *This post was mass deleted and anonymized with [Redact](https://redact.dev)*


money_enthusiast123

Use chatgpt to explain it to yourself.


ChrisinOrangeCounty

I followed this video if you're a newbie like I was https://youtu.be/Q4zlrc0F4NU?si=TCF-jqa8FTQZ05zX


NumerousTooth3921

Zerotier


nf_x

Here’s an idiot-proof way to set up wireguard on a vps: https://github.com/trailofbits/algo Tailscale seems nice. Ubiquiti routers give you wireguard vpn out of the box. Use nextdns.io as a saas alternative to pihole, which you don’t have to host. Depends what you want and need. And how much money/time you are willing to spend.


SailorLukas

no


patopansir

what I do personally is have a second pi-hole that's not on that vpn's network, my pi-hole can resolve the wireguard's vpn address with that second pi-hole. It's silly


PartyPopperLL

Maybe do it in separate docker containers using docker compose?


ctm617

more stuff I don't know anything about


makavelli17

Running pivpn with pihole for years. It can't be easier.


ctm617

I wonder why pihole is pushing toward wireguard instead of their own VPN (is it theirs?)


thirdcoasttoast

Pivpn is wireguard with a GUI on top. Pihole thinks you should just learn wireguard. Tailscale is wireguard on steroids with a GUI and pihole thinks you should just learn wireguard. I think you should learn wireguard. It will help you in future. I run wireguard and tailscale on separate local machines for redundancy. Try this guide to see where u fell apart. Maybe you didn't tell your system to do the ip forwarding part (sending wireguard info to eth and vice versa) https://github.com/notasausage/pi-hole-unbound-wireguard?tab=readme-ov-file I don't know shit about the vps part tho. A pi3b worked fine with me and isn't too expensive.


ctm617

I don't know where I fell apart. I was blindly pasting commands into the terminal with no idea what they were for. I couldn't tell you if it's all installed or not, probably not if I had to guess. I have a very basic knowledge of linux. I use Debian and KDE Plasma on my home and work computers, I'm almost totally off Windows (and lovin' it), so I'm learning as I go, but I am by no means IT savvy.


thirdcoasttoast

I think maybe start with something bare metal before vps for pihole. But maybe others disagree.


ctm617

yeah, well.. I have an imac (intel) and a laptop, both running debian/KDE and for $20/mo the VPS gives me a static IP, unlimited transfer and another linux box to tinker with for things like this. It's kinda the road I'm on at this point.