Introduction
We have previously seen how you can Spin up your own VPN on Ubuntu 20.04. One of the many benefits of a VPN is geographical anonymity.
Today we are going to discuss and set up yet another benefit. We are going to tweak our VPN server setup a little to enable an ad-blocker out of the box, meaning that you won’t have to install an ad-blocker in your browser. It will be enabled connection-wide. You won’t be seeing ads even on devices where you can’t control ads, like a smart TV.
So without further ado, let’s get started.
Provision OpenVPN on Ubuntu 20.04
Let me briefly go over how to get OpenVPN installed on a VM on AWS. I am going to use a different installer this time. For the rest of the configuration, I’ll ask you to refer to my last post. It’s a gem.
Step 1. Download and run the installation script from GitHub.
curl -sL https://git.io/vpn -o openvpn-install.sh
sudo bash openvpn-install.sh
Step 2. Go through the instructions and enter the details as you go.
Welcome to this OpenVPN road warrior installer!
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [xxx.xxx.xxx.xxx]:
Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]:
What port should OpenVPN listen to?
Port [1194]:
Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]:
Enter a name for the first client:
Name [client]: ubuntu
Once the script is done running, you’d get an .ovpn file in the /root/ directory. Download the file to your local system and verify by connecting to the server. Please find the instructions in my last post on how to retrieve this .ovpn configuration file and how to run it.
Confirm the VPN connection
Before VPN connection IP (redacted for privacy):
After VPN connection IP (redacted for privacy):
Do not proceed from here if you are not able to connect to the VPN.
When you can see your IP changed, proceed to the next section of installing the ad-blocker.
How to install Ad Blocker
First confirm that you see ads
It’s better to first disable/remove all the ad-block related plugins you might be using on your browser. If you are using Brave or another privacy-focused browser, please disable them for this testing and confirm that you can see ads everywhere you go.
As you can see in the above Google search result page, the entries starting with Ad are indeed the ads. We are tasked to make those links disappear.
Make note of the newly created tunnel network interface
With the installation of OpenVPN, you’d see a new network interface added to your system. You can see this by:
ip a show tun0
Note: If you have more than 1 tunnel interface, you might have to find an appropriate name. E.g. tun1, tun2 etc.
When the above command runs, it will show output like this:
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.8.0.1/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::2d29:1edf:7724:149d/64 scope link stable-privacy
valid_lft forever preferred_lft forever
The address is 10.8.0.1/24. Remember this address. We’re going to need it at a later stage.
Install Pi-hole
What is Pi-hole? Pi-hole is a Linux-based network-level advertisement and Internet tracker blocking application that acts as a DNS sinkhole and optionally a DHCP server. You can find more at https://pi-hole.net/.
So it blocks the DNS lookups for ad/tracking domains. The name includes Pi because it was intended to be used on a Raspberry Pi, but it was made available to the entire Linux community.
Why choose Pi-hole? There were other options available for ad/tracker blocking. But I chose Pi-hole because of its web interface where you can see stats. You can also add your own domains to the block list.
Now enter these commands to install:
curl -sL https://install.pi-hole.net -o basic-install.sh
sudo bash basic-install.sh
It should output something like this:
[✓] Root user check
[✓] Update local cache of available packages
[✓] Checking apt-get for upgraded packages... 7 updates available
[i] It is recommended to update your OS after installing the Pi-hole!
[i] Checking for / installing Required dependencies for OS Check...
[✓] Checking for grep
[i] Checking for dnsutils (will be installed)
[i] Waiting for package manager to finish (up to 30 seconds)
[i] Processing apt-get install(s) for: dnsutils, please wait...
And then continue to install packages.
The installer will also ask some questions. I’m going to guide you through it.
Screen 1:
Nothing much to do on this screen. Pretty self-explanatory.
Screen 2:
Donate if you like the software.
Screen 3:
This is a fair warning. You might be installing Pi-hole in a home environment, or on the wild internet. In both cases, please make sure the IP address does not change when the device loses power. Otherwise, Pi-hole might not function properly.
Screen 4:
On this screen, choose the tunnel we created as part of the OpenVPN installation.
Screen 5:
Next, we choose the DNS provider. Choose any one you like.
Screen 6:
Pi-hole only comes with one. But we can add another after the installation has been done.
Screen 7:
How can I not turn the web admin interface On? This was the reason I chose Pi-hole.
Screen 8:
I have neither those PHP packages nor any HTTP server on my system. I will tick the On option here as well.
Screen 9:
In this particular setup I’m doing, I’m the only one who is going to use the VPN server. If you are planning to connect multiple devices or want to start a company around this, please be aware that logs will need more storage.
Screen 10:
Once again, I’m the only one using the server. So I’ll store everything.
Screen 11:
Please make note of the admin webpage password here. I think it won’t be shown again. Not sure.
Confirm Pi-hole is working
At this point, if you try to access any domain which is listed on one of the block lists we have opted for, it should loop back to your localhost.
You can confirm this by running ping on one of the ad serving domains:
$ ping pagead2.googlesyndication.com
PING pagead2.googlesyndication.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.044 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.046 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.052 ms
As you can see, the response is coming from the localhost instead of the actual originating server.
Configure OpenVPN to use Pi-hole DNS
Update DNS Server
You need to locate the OpenVPN server config file and open it in an editor.
sudo vim /etc/openvpn/server/server.conf
Look for the line(s) containing dhcp-option DNS and comment all of them out. To comment a line out, prepend # to the start of the line.
Now, paste this line:
push "dhcp-option DNS 10.8.0.1"
Please note that 10.8.0.1 is the tunnel address we fetched at the start of this post. If your tunnel has any address other than this, please use that here.
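The edit described above can be scripted so that it is repeatable and leaves a backup. This is an added example, not part of the original post or of the OpenVPN installer; the function names `point_vpn_dns_at_pihole` and `write_sample_conf` and the sample config are constructed for illustration, and it assumes the pushed DNS lines have the `push "dhcp-option DNS ..."` form shown above.

```shell
#!/bin/sh
# Added example, not from the original post: repoint the DNS server that
# OpenVPN pushes to clients at Pi-hole, in a way that is safe to re-run.

# Usage: point_vpn_dns_at_pihole <server.conf> <pihole-ipv4>
point_vpn_dns_at_pihole() {
    local conf="$1" dns_ip="$2" want tmp

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Reject anything that is not a dotted quad, so a typo is never
    # pushed to every client as their resolver.
    printf '%s\n' "$dns_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "not an IPv4 address: $dns_ip" >&2; return 1; }
    want="push \"dhcp-option DNS ${dns_ip}\""

    # Keep the untouched original for rollback (first run only).
    [ -e "${conf}.bak" ] || cp -p "$conf" "${conf}.bak"

    # Comment out every active pushed DNS server except the wanted one.
    # Lines that are already commented do not match, so nothing is
    # double-commented on a second run.
    tmp="$(mktemp)" || return 1
    awk -v want="$want" '
        /^[ \t]*push[ \t]+"dhcp-option[ \t]+DNS[ \t]/ && $0 != want {
            print "#" $0; next
        }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rm -f "$tmp"

    # Append the Pi-hole resolver unless it is already there.
    grep -qxF "$want" "$conf" || printf '%s\n' "$want" >> "$conf"
}

# Constructed sample config for a dry run; not a real server.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
EOF
}
```

Try it on a file produced by `write_sample_conf` first, then run it as root against /etc/openvpn/server/server.conf with your own tunnel address.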
Now it’s time to restart the OpenVPN service.
sudo systemctl restart openvpn-server@server
unable to resolve host my-hostname: No address associated with hostname
This might not be relevant to you. But I kept getting this error, and it prevented me from restarting the openvpn service mentioned above. So I had to add the following line to my /etc/hosts file.
127.0.0.1 <my-hostname>
After this, I was able to restart the openvpn service.
Open ports for OpenVPN subnet
If you have set up the system till now, there is one last step remaining. Right now the connection is blocked between the Pi-hole and the OpenVPN clients. At this point, if you try to access any site, you’d still see ads.
I’m using Ubuntu, so the firewall is managed with ufw. I had to issue these commands:
ufw allow proto tcp from 10.8.0.0/24 to 10.8.0.1 port 80
ufw allow proto tcp from 10.8.0.0/24 to 10.8.0.1 port 53
ufw allow proto udp from 10.8.0.0/24 to 10.8.0.1 port 53
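Please note that port 53 is used for DNS, and port 80 is for the Pi-hole web admin interface. All three rules only accept traffic from the VPN subnet 10.8.0.0/24.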
Restart your VPN connection from your client. And you’d see no ads:
Web Admin
Well, I don’t have much to talk about the web admin right now. I’ll have to sit down and traverse through all the settings and info available through the web admin area.
All I can do is share a screenshot of my web admin.
Conclusion
Today we learned how we can use Pi-hole to enable ad-blocking on our VPN connection. This VPN connection can be used by clients like our phones and TVs for which ad blockers are not available system wide.