Skip to navigationSkip to main contentSkip to footerScaleway Docs

Creating an ad-blocking VPN using Pi-hole and OpenVPN/WireGuard

firewall
Pi-hole
pihole
vpn
OpenVPN
WireGuard
pivpn
security
privacy

Pi-hole is a DNS sinkhole that blocks unwanted ads and trackers at the network level. When combined with a VPN, it provides a secure and ad-free internet browsing experience.

This guide will show you how to:

  • Deploy a secure ad-blocking VPN using Pi-hole
  • Install either OpenVPN or WireGuard using PiVPN
  • Implement best security practices to protect your Instance

Before you start

To complete the actions presented below, you must have:

Deploying the Instance

  1. Log in to the Scaleway console and create a new Instance.
  2. Choose Ubuntu 22.04 LTS as the operating system.
  3. Once the Instance is created, connect to it via SSH:
    ssh root@your_instance_ip
  4. Update and upgrade your system:
    apt update && apt upgrade -y

Installing Pi-hole

  1. Download and run the installer:
    wget -O basic-install.sh https://install.pi-hole.net
    chmod +x basic-install.sh
    ./basic-install.sh
  2. Follow the on-screen prompts:
    • Select an upstream DNS provider (Google, Cloudflare, Quad9, etc.)
    • Choose IPv4 + IPv6 filtering
    • Install the Pi-hole Web Interface
    • Set a strong password using:
      pihole -a -p
  3. Configure Pi-hole for local access only:
    pihole -a -i local

Optimizing Pi-hole

To enhance privacy, you can set up Unbound, a local recursive DNS resolver:

apt install unbound -y

Then, edit Pi-hole settings to use 127.0.0.1#5335 as your custom upstream DNS.

Installing PiVPN (OpenVPN or WireGuard)

PiVPN allows us to configure a VPN server with either OpenVPN or WireGuard.

Run the following commands to install PiVPN on your Instance.

wget -O pivpn-install.sh https://install.pivpn.io
chmod +x pivpn-install.sh
./pivpn-install.sh

During installation, you will be prompted to choose:

  • OpenVPN (wider compatibility with older devices, but slower)
  • WireGuard (faster, modern encryption, recommended)

Follow the setup prompts and select:

  • A non-root user (openvpn or wireguard)
  • Default settings for encryption and networking
  • Custom port (e.g., 4343 or 23854 instead of the default 1194 to increase security)

Enhancing security

Firewall configuration

Restrict access to only necessary services:

ufw allow 22/tcp
ufw allow 53/udp
ufw allow 4343/tcp  # If using OpenVPN on port 4343
ufw allow 23854/udp  # If using WireGuard
ufw enable

Change OpenVPN default port

Edit OpenVPN’s configuration file:

nano /etc/openvpn/server.conf

Change port 1194 to port 4343 (or another port of your choice), then restart OpenVPN:

systemctl restart openvpn

Enable Fail2Ban

Prevent brute-force attacks by installing Fail2Ban:

apt install fail2ban -y
systemctl enable fail2ban --now

Adding VPN users

For OpenVPN:

pivpn add

For WireGuard:

pivpn wg add

Download the VPN configuration file securely using SCP or SFTP.

Testing your VPN

  • Connect your device using an OpenVPN or WireGuard client.
  • Verify that your IP has changed by visiting whatismyip.com
  • Check if ads are blocked

Conclusion

You now have a secure, ad-blocking VPN setup using Pi-hole and OpenVPN/WireGuard. This setup ensures privacy, security, and a better browsing experience across all your devices.

For further optimizations, consider adding a DNS-over-HTTPS setup or custom blocklists for Pi-hole.

Questions?

Visit our Help Center and find the answers to your most frequent questions.

Visit Help Center
No Results