Hosts: Block the bullshit web V2

Advertisements, tracking scripts, and other countless lines of code downloaded on to your machine to spam and monitor you whenever you connect to the internet.

Host is a project to block advertisements, tracking scripts, and other websites including pornographic content.

We will use Pi-Hole as our DNS resolver which will be tunnelled via OpenVPN. Both the applications will be hosted on Oracle Cloud.

Step-by-step guide

Caution: We will enable the root access for convenience, which is strongly discouraged. If you are familiar with SSH, then I recommend using this approach. Please proceed with caution.

Instructions

1. I have covered only configuration changes, and suggest leaving the rest as untouched/recommended/system default.

2. This guide is written from Ubuntu OS perspective. [Note: This guide's previous version was for Windows. However, as of 22nd of October 2023, I am updating this for Ubuntu]

Set up an instance

1. Create an Oracle Cloud free tier: https://www.oracle.com/cloud/free

2. Setup an instance

   1. Switch the OS from Oracle Linux to Ubuntu

   2. Download and save the default generated a) public and b) private keys [Important to later access your server]

   3. Note down Public IP and Private IP

3. Log in to Shell and switch to root: sudo su - root

4. Change root password: passwd root

[Note: The common practice is not to do this. Here the use case is security vs. convenience, where this approach is convenient but may be risky to permit remote access via root]

5. Install nano text editor (or your favourite alternative): sudo apt install nano -y

6. Search Internet on Oracle web GUI

7. Navigate to > Internet Gateway vcn-XXXXXXXX-XXXX 

8. Left column > Navigate to > Security Lists

9. Navigate to > Default Security List for vcn-XXXXXXXX-XXXX 

10. Add Ingress Rules

    1. Source CIDR: 0.0.0.0/0

    2. IP Protocol: UDP

    3. Destination Port Range: 1194 [Step 20]

Login to the server

11. Open Terminal at local

12. From Terminal, navigate to the folder with Private key

13. Execute the following command in the directory: ssh -i <private key file name> <server username>@<public IP>

14. We will execute in the root mode: sudo - su root

Install and configure Pi-Hole

15. Install and configure Pi-Hole: https://github.com/pi-hole/pi-hole/#one-step-automated-install

16. Select interface: tun0

17. Change the Pi-Hole password: sudo pihole -a -p

18. Configure block lists

    1. I suggest using the OISD block list, which covers almost every sub-list known to humankind: https://oisd.nl/ [follow instructions on the website and pick on need basis]

    2. Pi-Hole supports multiple block lists. You can even curate your own list

Install and configure OpenVPN

19. Install and configure OpenVPN server using the following script: https://github.com/angristan/openvpn-install

20. Select Port: 1194

21. Create a default client after installation and download it [Step 30]

22. Edit the SSH config file: sudo nano /etc/ssh/sshd_config

23. Change following entries

    1. PasswordAuthentication no > PasswordAuthentication yes

    2. PermitRootLogin prohibit-password > PermitRootLogin yes

[Note: As mentioned earlier, do this at your own risk - this method allows you to easily connect to VM and grab any file from anywhere but this may pose a security risk]

24. Point the server/VPN to detect Pi-Hole as DNS server: sudo nano /etc/openvpn/server.conf

25. Change push "dhcp-option DNS <pihole private IP>"

26. Restart sshd: sudo systemctl restart sshd

27. Restart the VM from the Console

CRUD client profiles

28. Pre-requisite: Login as per step 10 to 14

29. To add/revoke OpenVPN client certificates aka profiles: ./openvpn-install.sh

30. After creating a new client certificate, to copy the certificate to Home directory to download via Remmina

    1. cp /root/<client profile name>.ovpn /home

    2. Login to Remmina [via Private key] and navigate to /home and download the client certificates to local

31. Load the client certificate in OpenVPN app on your device, connect to the VPN and enjoy [OpenVPN client for your device: https://openvpn.net/vpn-client]

Accessing Pi-Hole admin and maintenance

32. Access Pi-Hole web interface/dashboard

    1. Connect to OpenVPN [Client certificate as per step 31]

    2. Open your web browser and navigate to: https://<private ip>/admin [Password as per step 13]

33. Use following commands for periodic updates

    1. Pre-requisite: Login as per step 10 to 14

    2. Ubuntu: apt update && apt upgrade && apt dist-upgrade

    3. OpenVPN: apt update && apt upgrade

    4. Pi-Hole: pihole -up

    5. Pi-Hole Gravity (adblock lists): pihole -g

    6. Restart after update: reboot

34. Optional: to auto connect VPN on Ubuntu: nm-connection-editor

Performance stats

Credits

• Awesome folks at Pi-Hole and OpenVPN

• Angristan for the brilliant script

• Hosts file by OISD block list

• Thanks to r/pihole community for their love and support.

• Huge shout-out to my dear friend, Karlis K 🇱🇻 for helping me through this.