- I found only pre-built droplets on DigitalOcean and a lot of instructions on setting up Pi-hole and WireGuard, but I do not want to configure everything each time with so many settings. Ansible is an easy way to write the "setup notes" once, and DigitalOcean has traffic limits on droplets.
- When I use an ad-blocking DNS, my phone stays cool and works for a full day (now it runs 24 hours without charging, I finally measured it) :) It is truly the best way to increase battery life.
- I dislike spyware.
Look at the screenshot: 80% of requests are spyware!
Prerequisites:
- Remote host with SSH access
- Ubuntu 22.04 on the remote host (tested only with Ubuntu, on multiple VPS providers)
Install steps:
- On the LOCAL computer:

  ```
  sudo apt-get install ansible
  ```
- Edit `group_vars/vpn`. It is the file with the main settings.
- Edit the `inventory` file to add the IPs of the remote hosts where VPN+Pi-hole will be installed; SSH access parameters can also be set in this file.
- Execute the command on the LOCAL computer (in the dir with the deploy.yml file):

  ```
  ansible-playbook --ask-become-pass ./deploy.yml
  ```
  If you do not need some of the actions, just use tags. Available tags: [user_cration, vpn_installation, docker_installation, pi_hole_installation, adblock_add, adblock_remove, disable_ubuntu_user]. Example command:

  ```
  ansible-playbook --ask-become-pass ./deploy.yml --tags adblock_add
  ```
- Enter the REMOTE sudo password at the prompt. On the first run it is empty (the default for the `ubuntu` user on Ubuntu cloud images, which has passwordless sudo); on later runs it is the password from `group_vars/vpn->user_password`.
- After installation, a `clients` dir is created in the playbook dir. It contains the configuration files for the clients and the QR codes to scan from a phone to connect to the VPN.
- At the end of the installation, the adblock lists from adlists_add.txt are loaded into Pi-hole and those from adlists_remove.txt are removed. The `adblock_add` and `adblock_remove` tags can be run separately at any time:

  ```
  ansible-playbook ./deploy.yml --tags adblock_add,adblock_remove
  ```
- At the last step, login with `ubuntu`, the default user for Ubuntu, is disabled. Later logins are possible only with the user name from `group_vars/vpn->user_to_add`. So on the first run the host description in `inventory` was

  ```
  ....3.eu-north-1.compute.amazonaws.com:22 ansible_ssh_user=ubuntu ansible_ssh_private_key_file=../../ubuntu.pem
  ```
  and on later runs, after the first successful run, it becomes

  ```
  ....3.eu-north-1.compute.amazonaws.com:22 ansible_ssh_user={{ from common_vars.yml->user_to_add }} ansible_ssh_private_key_file=../../key.pem
  ```
- You do not need to do anything on the remote host at all ;)
- The playbook is not fully idempotent, but you can run it multiple times; every run generates a new set of client configs for connecting to the VPN. If you get any errors, just run it again. It is a playbook for personal use, so we can generate X configs for all our devices at once.
- Docker is installed on the remote host.
- Pi-hole DNS is installed on the remote host.
- All requests to port 53 coming from inside the VPN are redirected to the Pi-hole DNS, even if some spyware tries to query 8.8.8.8 directly instead of the resolver pushed by the tunnel.
- zram is installed. Compressed swap in RAM is a good way to stretch the memory of a small VPS.
- WireGuard is installed on the remote host.
- Client configuration files are generated on the local host.
- If the default `group_vars/vpn->wireguard_listen_port` port is blocked on the client's network, a client can use one of the ports in `group_vars/vpn->fallback_wireguard_listen_ports` as its endpoint instead: all traffic arriving on those ports is redirected to `group_vars/vpn->wireguard_listen_port`.
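The two redirects in this list (DNS hijacking to Pi-hole and fallback ports for WireGuard) can both be expressed as NAT rules. The script below is an added example written in nftables, not the playbook's own code (the page does not show how the playbook implements them); the interface names `wg0` and `eth0`, the Pi-hole tunnel address `10.8.0.1` and the fallback port values are assumptions to be replaced by your `group_vars/vpn` settings. It renders the ruleset as text first so it can be reviewed, and only loads it with `nft` when asked to.

```shell
#!/bin/sh
# Added example (not code from the playbook): nftables rules for the two
# redirects described in the README. Interface names, the Pi-hole address and
# the fallback ports are assumptions; set them to your group_vars/vpn values.
set -eu

WG_IF="${WG_IF:-wg0}"                  # WireGuard interface on the VPS (assumed name)
WAN_IF="${WAN_IF:-eth0}"               # public interface of the VPS (assumed name)
PIHOLE_IP="${PIHOLE_IP:-10.8.0.1}"     # address Pi-hole listens on inside the tunnel (assumed)
WG_PORT="${WG_PORT:-51820}"            # wireguard_listen_port
FALLBACK_PORTS="${FALLBACK_PORTS:-53 443 4500}"  # fallback_wireguard_listen_ports (assumed values)

# Render the ruleset as text so it can be reviewed before it is loaded.
# Arguments: wg_if wan_if pihole_ip wg_port "fallback ports separated by spaces"
build_ruleset() {
    wg_if=$1; wan_if=$2; pihole_ip=$3; wg_port=$4
    fallback_set=$(printf '%s' "$5" | sed 's/ /, /g')
    cat <<EOF
table ip vpn_redirects {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # 1. DNS hijack: every port-53 query coming out of the tunnel is rewritten
        #    to Pi-hole, whatever resolver the app hard-coded (8.8.8.8, 1.1.1.1, ...).
        iifname "$wg_if" udp dport 53 dnat to $pihole_ip:53
        iifname "$wg_if" tcp dport 53 dnat to $pihole_ip:53
        # 2. Fallback ports: a WireGuard handshake that arrives from the Internet
        #    on one of these ports is redirected to the real listening port.
        iifname "$wan_if" udp dport { $fallback_set } redirect to :$wg_port
    }
}
EOF
}

# Count the lines of a rendered ruleset that contain a fixed string (for checks).
count_rules() {
    printf '%s\n' "$1" | grep -cF -- "$2" || true
}

case "${1:-}" in
    show)  build_ruleset "$WG_IF" "$WAN_IF" "$PIHOLE_IP" "$WG_PORT" "$FALLBACK_PORTS" ;;
    apply) build_ruleset "$WG_IF" "$WAN_IF" "$PIHOLE_IP" "$WG_PORT" "$FALLBACK_PORTS" | nft -f - ;;
esac
```

Run it as `sh redirects.sh show` to review the rules and `sudo sh redirects.sh apply` to load them (the file name is an assumption; the `nft` binary comes from the `nftables` package). Two caveats: the fallback rule claims public UDP port 53 for WireGuard, so Pi-hole must listen only on the tunnel address, never on the public interface; and the DNAT only covers plain DNS on port 53, so an app using DNS over HTTPS to a hard-coded resolver still bypasses Pi-hole unless that is blocked separately. A check from a connected client: `dig @8.8.8.8 pi.hole` should return the Pi-hole's tunnel address, an answer Google's resolver would never give, which proves the query was hijacked.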
- Install the WireGuard client on the phone
- Scan the QR code of any client from the `clients` dir (the config_*.txt files are the QR codes) and connect to the VPN
- Open http://pi.hole/admin in a browser (accessible only from the VPN; the password is from `group_vars/vpn->pi_hole_admin_password`)
Command to install WireGuard:

```
sudo apt-get install wireguard
```
Command to import a client configuration from a file into NetworkManager (the connection takes the name of the file without its extension, so `client_4` here):

```
nmcli connection import type wireguard file ./client_4.conf
```
Command to connect:

```
nmcli connection up client_4
```
Command to disconnect:

```
nmcli connection down client_4
```
Command to delete the connection:

```
nmcli connection delete client_4
```
- If you have problems with tasks freezing, try commenting out the `ssh_connection` options in `inventory`. It is slower but may resolve some problems.
- Do not forget to open ports 22 (SSH, TCP) and 51820 (default VPN, UDP), plus any fallback ports you use, on the provider's firewall
- If you still have freezes, it may be a sign of low memory on the remote VPS host; try restarting the VPS or adding memory :)