HN Reader

I just use blocklists in Unbound without having to bother with Pi-Hole. Nothing against Pi-Hole, I just find it easier long-term to maintain fewer services.

I want to make a few points to help clarify some of the choices and why I made them. This is very helpful and I appreciate all the comments as it highlights how some things are clear in our head but we don't end up sharing that with anyone reading. So:

1. I looked at AdGuardHome but I preferred PiHole because I found its documentation a bit more helpful for my purpose (the Unbound sample, the Wireguard setup, etc)

2. I saw the docker compose package, but I wanted something that runs at the OS level. There are docker packages for Wireguard too and I had also a look at Mistborn (https://gitlab.com/cyber5k/mistborn)

3. The VPN is the main thing I wanted setup to reach resources on my home network, adblocking and DNS came a bit later, so you can run this without a VPN, but its central for my setup.

4. I really wanted this setup at the OS level and to hopefully learn more about the whole process.

Thanks again for the suggestions though!

May be helpful for others. Fully packaged version

https://github.com/IAmStoxe/wirehole

I self host a lot of things, pihole and adguard is one thing I no longer self host for about five years now. $20/year for NextDNS for the whole family is worth every penny and most importantly spouse approved. My spouse doesn’t mind what we self host as long as the friction to use it is not too high.

This is a neat guide. Its baked in already if you have a Firewalla device. Cool to see this roll your own approach. I always found their guide helpful.

From the Firewalla Site -

How to Choose Your DNS Strategy If you have NO concerns at all, just use traditional DNS from your ISP or configure some public DNS for your LAN networks if you like. If you need simple filtering to protect your network from unwanted online content, choose Family Protect -> Native mode. It won't conflict with other DNS services. If you trust your DNS service provider but don't trust your ISP, choose DNS over HTTPS. If you do not trust any single DNS server other than the root and authoritative DNS server, choose Unbound. If you do not want any DNS queries getting changed or filtered, use Unbound. If you do not want any DNS queries getting changed or filtered and want to add a layer of encryption so that your ISP can't see your DNS requests, use Unbound and turn on DNS over VPN under it.

https://help.firewalla.com/hc/en-us/articles/4570608120979-F...

I have a similar setup, but with AdGuardHome. I used Pi-Hole in the past, but AdGuardHome's UI is from this century at least. That, and the fact that with Pi-Hole it was very difficult have IPv6 working.

I have an instance on my router in my home network for covering all devices by default, and a hosted one to which I connect when outside via mobile network. Split-tunneling with only the DNS routed, so that I don't have to push all traffic through the VPN.

You don't need a VPN! I host an AdguardHome instance and just expose TCP/853. I put my domain name in the Private DNS settings of my Android and I get 24/7 adblocking without the hassle and battery drain of my Wireguard VPN (which I still use to access private stuff)

Sadly, the Wireguard protocol is easily identified and blocked, and need to add obfuscation layer to make it work.

Another solution to consider is Tailscale. There is a vast free tier and it makes securing your network really simple.