Creating a Remote Pi-Hole for Your Whole Home

The world has been in a weird state for the last few years. A global pandemic has disrupted human and material capital resulting in shattered supply lines for shared components. One such component heavily impacted was the global supply of semiconductors used in most electronics. As computers became more expensive, people turned more heavily toward things like Raspberry Pis for their home projects. This, in turn, resulted in skyrocketing costs for Pis, with a Pi Zero costing upwards of $50 (a 1000% increase over their base price of $5).

While browsing Reddit, I came across this post, which made me wonder, “how can I make a Pi-Hole in the cloud for my whole home?”.

There are plenty of posts talking about how to set up a Google Cloud Platform free tier VPS with Pi-Hole and PiVPN to enable remote Pi-Hole, and while this works, it only works for individual devices which can act as a VPN client. This, unfortunately, means many smart home and IoT devices won’t be able to use Pi-Hole for their privacy.

This blog post will address setting up a GCP Pi-Hole and enabling it for your home network while not opening it up to the entire internet. We’ll follow this post mostly, but we’ll add some custom firewall rules in UFW to make it more secure. Now hold on before you say, “but my home IP is dynamic, so this will break” read on because I have a solution for that.

You’re going to need a DDNS service

Let’s explain what going to happen here before we go any further. The idea here is to use UFW on the Linux OS to only allow DNS requests from the home network. The problem we already identified is that most users will have a dynamic IP address assigned by the ISP. This IP can change at random intervals determined by the ISP and if the IP changes but the DNS server isn’t updated then DNS requests will be blocked and we’ll have no way to update the DNS server. So we’re going to create a script which regularly pings out DDNS address then automatically updates the UFW rules with the returned IP.

You will need a DDNS service to consistently monitor your public IP address. Thankfully, most home routers now have a DDNS service built-in; however, if yours doesn’t (ala Google Wifi), I recommend stopping now.

Set up your DDNS service according to the service’s instructions, and then go back to GCP. We’re going to write some custom code automatically update the firewall.

#!/bin/bash
echo "Started"
        IP=`nslookup <DDNS Domain> | grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -Ev "127"`
        ufw --force reset
        ufw allow from $IP to any port 22,53,80 proto tcp 
	ufw allow from $IP to any port 53 proto udp
        ufw enable

So what does this code do? First, it runs a nslookup on your DDNS domain; afterward, it greps out the IP addresses, and since the system will attempt to check its host file first, we grep out the local host IP by doing an inverse grep. This results in pulling the IP address for our DDNS domain and assigning it to the variable “IP.”

After that, I reset the UFW rules because we want to ensure that we only allow our IP, so we need to clear out any other IPs. Don’t worry; this step does not make you vulnerable because the default configuration of UFW is to block everything.

Next up, the script takes the variable IP we created earlier and puts it in a firewall to allow traffic to port 22 (SSH), 53 (DNS), and 80 (HTTP) over TCP, and then a second rule to allow port 53 over UDP.

Open a text editor in the command line;

nano /bin/firewall.sh

and paste the above code into it. Save with CTRL+X, then y, and make the file executable

sudo chmod +x /bin/firewall.sh

Next, we need to make sure this command runs on time so

sudo crontab -e 

Then press 1 to enter the nano editor. Type out

@hourly /bin/firewall.sh

This will tell the system to run your firewall script every hour on the hour with root permissions (required to modify firewall logs).

You should now have a Pi-Hole remotely hosted in GCP that only accepts input from your home IP address. If your IP changes, the firewall will update with the new IP on the hour and let you back in.

Disclaimer

You might get stuck in a loop depending on how your DDNS service works. If your DDNS sends the update information to a domain, you might get stuck if the router cannot resolve the domain and, therefore, cannot up the DDNS IP.

There are only really two options here. You can either set the router itself to use a reliable DNS server like OpenDNS or AdGuard DNS and pass the Pi-Hole IP through DHCP to the clients; or put a secondary DNS IP in the router with a reliable server and hope the router doesn’t choose to use that over the Pi-Hole.

Conclusion

I don’t actually recommend doing this, at least not long term. If you’re doing it while waiting for Raspberry Pi prices to drop, this should work fine as long as you take the disclaimer to heart.

WordPress Appliance - Powered by TurnKey Linux