
This is how you add Ad Blocker to OpenVPN enabled VPN


Introduction

We have previously seen how you can Spin up your own VPN on Ubuntu 20.04. One of the many benefits of a VPN is geographical anonymity.

Today we are going to discuss and set up yet another benefit. We are going to tweak our VPN server setup a little to enable an ad blocker out of the box, meaning that you won’t have to install an ad blocker in your browser. It will be enabled connection-wide, so you won’t see ads even on devices where you can’t control them, like a smart TV.

So without further ado, let’s get started.

Provision OpenVPN on Ubuntu 20.04

Let me briefly go over how to get OpenVPN installed on a VM on AWS. I am going to use a different installer this time. For the rest of the configuration, I’ll ask you to refer to my last post. It’s a gem.

Step 1. Download and run the installation script from GitHub.

curl -sL https://git.io/vpn -o openvpn-install.sh
sudo bash openvpn-install.sh

Step 2. Go through the instructions and enter the details as you go.

Welcome to this OpenVPN road warrior installer!

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [xxx.xxx.xxx.xxx]: 

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 

What port should OpenVPN listen to?
Port [1194]: 

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 

Enter a name for the first client:
Name [client]: ubuntu

Once the script is done running, you’ll get an .ovpn file in the /root/ directory. Download the file to your local system and verify it by connecting to the server. My last post has instructions on how to retrieve this .ovpn configuration file and how to run it.

Confirm the VPN connection

Before VPN connection IP (redacted for privacy):

Before VPN Connection IP

After VPN connection IP (redacted for privacy):

After VPN Connection IP

Do not proceed from here if you are not able to connect to the VPN.

When you can see your IP changed, proceed to the next section of installing the ad-blocker.

How to install Ad Blocker

First confirm that you see ads

It’s better to first disable/remove all the ad-block related plugins you might be using on your browser. If you are using Brave or another privacy-focused browser, please disable them for this testing and confirm that you can see ads everywhere you go.

Best place to see ads is on Google's first page

As you can see in the above Google search result page, the entries starting with Ad are indeed the ads. We are tasked to make those links disappear.

Make note of the newly created tunnel network interface

With the installation of OpenVPN, you’d see a new network interface added to your system. You can see this by:

ip a show tun0

Note: If you have more than 1 tunnel interface, you might have to find an appropriate name. E.g. tun1, tun2 etc.

When the above command runs, it will show output like this:

3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.8.0.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::2d29:1edf:7724:149d/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

10.8.0.1/24. Remember this address. We’re gonna need this at a later stage.

Install Pi-hole

What is Pi-hole? Pi-hole is a Linux-based network-level advertisement and Internet tracker blocking application that acts as a DNS sinkhole and optionally a DHCP server. You can find more at https://pi-hole.net/.

So it blocks the DNS lookups for ad/tracking domains. The name includes Pi because it was intended to be used on Pi, but was made available to the entire Linux community.

Why choose Pi-hole? There were other options available for ad/tracker blocking, but I chose Pi-hole because of its web interface, where you can see stats. You can also add your own domains to the block list.

Now enter these commands to install:

curl -sL https://install.pi-hole.net -o basic-install.sh
sudo bash basic-install.sh

It should output something like this:

  [✓] Root user check

        .;;,.
        .ccccc:,.
         :cccclll:.      ..,,
          :ccccclll.   ;ooodc
           'ccll:;ll .oooodc
             .;cll.;;looo:.
                 .. ','.
                .',,,,,,'.
              .',,,,,,,,,,.
            .',,,,,,,,,,,,....
          ....''',,,,,,,'.......
        .........  ....  .........
        ..........      ..........
        ..........      ..........
        .........  ....  .........
          ........,,,,,,,'......
            ....',,,,,,,,,,,,.
               .',,,,,,,,,'.
                .',,,,,,'.
                  ..'''.

  [✓] Update local cache of available packages

  [✓] Checking apt-get for upgraded packages... 7 updates available
  [i] It is recommended to update your OS after installing the Pi-hole!

  [i] Checking for / installing Required dependencies for OS Check...
  [✓] Checking for grep
  [i] Checking for dnsutils (will be installed)
  [i] Waiting for package manager to finish (up to 30 seconds)
  [i] Processing apt-get install(s) for: dnsutils, please wait...

And then continue to install packages.

The installer will also ask some questions. I’m going to guide you through it.

Screen 1:

First screen of the Pi-hole installer

Nothing much to do on this screen. Pretty self-explanatory.

Screen 2:

Second screen of the Pi-hole installer

Donate if you like the software.

Screen 3:

Host should have static IP

This is a fair warning. You might be installing Pi-hole in a home environment or on the wild internet. In both cases, please make sure the IP does not change when the device loses power. Otherwise, Pi-hole might not function properly.

Screen 4:

Choose tunnel we created in prior section

On this screen, choose the tunnel we created as part of the OpenVPN installation.

Screen 5:

Choose DNS Provider for Pi-hole

Next, we choose the DNS Provider. Choose any one you like.

Screen 6:

Select a block list

Pi-hole only comes with one. But we can add another after the installation has been done.

Screen 7:

Select whether you want to install web admin interface

How can I not turn the web admin interface On? This was the reason I chose Pi-hole.

Screen 8:

Install packages required by web admin interface

I have none of those PHP packages as well as any HTTP server on my system. I will tick the On option here as well.

Screen 9:

Want to log queries?

In this particular setup I’m doing, I’m the only one who is going to use the VPN server. If you are planning to connect multiple devices or want to start a company around this, please be aware that logs will need more storage.

Screen 10:

How much info you want to store on the server?

Once again, I’m the only one using the server. So I’ll store everything.

Screen 11:

Configuration complete window

Please make note of the admin webpage password here. I think it won’t be shown again. Not sure.

Confirm Pi-hole is working

At this point, if you try to access any domain that is listed on one of the block lists we have opted for, it should loop back to your localhost.

You can confirm this by running ping on one of the ad serving domains:

$ ping pagead2.googlesyndication.com
PING pagead2.googlesyndication.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.044 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.046 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.052 ms

As you can see, the response is coming from the localhost instead of the actual originating server.

Configure OpenVPN to use Pi-hole DNS

Update DNS Server

You need to locate the OpenVPN server config file and open it in an editor.

sudo vim /etc/openvpn/server/server.conf

You have to look for the line(s) containing dhcp-option DNS and comment out all of them. To comment out a line, prepend # to the start of it.

Now, paste this line:

push "dhcp-option DNS 10.8.0.1"

Please note that 10.8.0.1 is the tunnel address we fetched at the start of this post. If your tunnel has any address other than this, please use that here.

Now it’s time to restart the OpenVPN service.

sudo systemctl restart openvpn-server@server
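
The config edit described above can also be scripted. This is an added example, not part of the original post: a shell function that comments out the existing DNS pushes, appends the Pi-hole one and keeps a .bak copy for rollback. The function names set_pushed_dns and demo_set_pushed_dns are hypothetical, and the demo runs on a constructed config rather than a real server.conf.

```shell
#!/bin/sh
# Added example, not from the original post. The body runs in a subshell,
# so variables stay local and `exit` only leaves the function.
# Usage: set_pushed_dns /etc/openvpn/server/server.conf 10.8.0.1
set_pushed_dns() (
    conf=$1
    dns_ip=$2
    want="push \"dhcp-option DNS $dns_ip\""

    [ -f "$conf" ] || { echo "no such file: $conf" >&2; exit 1; }
    # Accept only a dotted quad so a typo cannot land in the config.
    printf '%s\n' "$dns_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "not an IPv4 address: $dns_ip" >&2; exit 1; }

    # Keep the first pristine copy for rollback; never overwrite it.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || exit 1

    tmp=$(mktemp) || exit 1
    # Comment out every active DNS push except the wanted one, then
    # append the wanted line if it was not already there.
    awk -v want="$want" '
        /^[ \t]*push[ \t]+"dhcp-option[ \t]+DNS[ \t]/ {
            if ($0 == want && !seen) { seen = 1; print; next }
            print "#" $0
            next
        }
        { print }
        END { if (!seen) print want }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    exit "$status"
)

# Demo on a constructed config in a temp dir (not a real server.conf).
demo_set_pushed_dns() (
    dir=$(mktemp -d) || exit 1
    printf '%s\n' 'port 1194' 'dev tun' \
        'push "dhcp-option DNS 1.1.1.1"' \
        'push "dhcp-option DNS 1.0.0.1"' > "$dir/server.conf"
    set_pushed_dns "$dir/server.conf" 10.8.0.1 && cat "$dir/server.conf"
    rm -rf "$dir"
)
```

Running the function a second time leaves the file unchanged, and the OpenVPN service still has to be restarted afterwards for clients to receive the new DNS server.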

unable to resolve host my-hostname: No address associated with hostname

This might not be relevant to you. But I was getting this error, and it was preventing me from restarting the openvpn service mentioned above. So I had to add the following line to my /etc/hosts file.

127.0.0.1   <my-hostname>

After this, I was able to restart the openvpn service.

Open ports for OpenVPN subnet

If you have followed the setup this far, there is one last step remaining. Right now the connection between Pi-hole and the OpenVPN clients is blocked. At this point, if you try to access any site, you’d still see ads.

I’m using Ubuntu, so the firewall is managed with ufw. I had to issue these commands:

ufw allow proto tcp from 10.8.0.0/24 to 10.8.0.1 port 80
ufw allow proto tcp from 10.8.0.0/24 to 10.8.0.1 port 53
ufw allow proto udp from 10.8.0.0/24 to 10.8.0.1 port 53

Please note that port 53 is used for DNS.
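
The rules above open ports 53 and 80 only to the VPN subnet. As an added example (not from the original post), this function reads `ufw status` output and prints any ALLOW rule for those ports whose source is something other than that subnet. The function names are hypothetical, the sample output is constructed, and the column layout is assumed to be that of plain `ufw status`.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads `ufw status` text on stdin, prints each ALLOW rule that opens
# port 53 or 80 to a source other than the given subnet, and returns
# non-zero if it printed anything.
# Usage: sudo ufw status | audit_pihole_rules 10.8.0.0/24
audit_pihole_rules() {
    awk -v subnet="$1" '
        /ALLOW/ {
            cut = index($0, "ALLOW")
            to = substr($0, 1, cut - 1)    # To column: [addr] port[/proto]
            from = substr($0, cut + 5)     # From column
            hit = 0
            nt = split(to, t, /[ \t]+/)
            for (i = 1; i <= nt; i++) {
                port = t[i]
                sub(/\/.*/, "", port)      # drop "/tcp" or "/udp"
                if (port == "53" || port == "80") hit = 1
            }
            ok = 0
            nf = split(from, f, /[ \t]+/)
            for (i = 1; i <= nf; i++) if (f[i] == subnet) ok = 1
            if (hit && !ok) { print; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of `ufw status` output (not captured from a real host).
# The last rule is the kind of entry the audit is meant to catch.
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
1194/udp                   ALLOW       Anywhere
10.8.0.1 80/tcp            ALLOW       10.8.0.0/24
10.8.0.1 53/tcp            ALLOW       10.8.0.0/24
10.8.0.1 53/udp            ALLOW       10.8.0.0/24
53/tcp                     ALLOW       Anywhere
EOF
}
```

On a cloud VM the provider's own firewall (for example an AWS security group) sits in front of ufw and needs the same review.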

Restart your VPN connection from your client. And you’d see no ads:

OpenVPN with Pi-hole enabled == no ads

Web Admin

Well, I don’t have much to say about the web admin right now. I’ll have to sit down and go through all the settings and info available in the web admin area.

All I can do is share a screenshot of my web admin.

Pi-hole dashboard

Conclusion

Today we learned how we can use Pi-hole to enable ad-blocking on our VPN connection. This VPN connection can be used by clients like our phones and TVs, for which ad blockers are not available system-wide.


Written by Santosh Kumar
Santosh is a Software Developer currently working with NuNet as a Full Stack Developer.