this post was submitted on 29 Nov 2024
141 points (98.0% liked)

Selfhosted

40493 readers
727 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
top 34 comments
sorted by: hot top controversial new old
[–] [email protected] 22 points 5 days ago (1 children)

Tailscale has an technical article on this if you are starting from scratch.

If you can't install tailscale on the pi-hole directly, you can also use a subnet router and a /32 with just that address to expose it to tailscale.

[–] [email protected] 2 points 5 days ago

Came here to say this. Now I just need to upvote.

[–] [email protected] 2 points 3 days ago (1 children)

“It incurs additional battery usage.“

Does it? I always use a vpn on my phone and laptop and it’s not even measurable. Sure there’s gonna be more CPU usage, but with hardware acceleration and whatnot it’s almost nothing.

[–] [email protected] 2 points 3 days ago (1 children)

This is anecdotal experience, but last time I left Wireguard on for an entire day and it accounted for 5% of battery usage that day.

[–] [email protected] 2 points 3 days ago (1 children)

Fair enough, this is 10 days of usage for me always being on.

[–] [email protected] 2 points 5 hours ago

Mine is so low it says "no usage".

[–] pax0707 17 points 5 days ago (2 children)

For me its been wireguard with split tunnel but that had a glaring issue with my home IP change (running 2 Pi-hole+unbound instances on separate network segments and hardware). Some time ago I switched to tailscale and added a Pi-hole on a VPS. Closed system, nothing exposed to the wide internet, works 99.99…% of the time, whole family protected against low hanging fruit attacks and adds.

[–] [email protected] 18 points 5 days ago* (last edited 5 days ago) (2 children)

Use ddns on your router with a domain so you can then get something like wireguard.example.com and then use that as the endpoint in your wireguard.

Set the wireguard DNS as your pihole.

To make life easier set your home network IP space to something that another WiFi would never use, ie 192.168.46.xx

That way it will never conflict if you are on a public WiFi and you can access anything on your home lab when you need.

I've been using this setup for years on laptop, phone etc

[–] [email protected] 4 points 5 days ago (2 children)

I do exactly this as well. Works great! Dynamic DNS is kind of a hilarious hack.

Quick question: since I use wireguard, do I need to use DNS-over-HTTPS for security? My assumption is that my entire session is already encrypted with my wireguard keys, so it doesn't matter. But I figured I should double check.

[–] [email protected] 3 points 5 days ago (1 children)

Depends, do you have pihole/unbound setup to only recursively resolve? Or do you forward requests to an upstream (either as a fallback or just as a primary). If that's the case, and depending on your threat model, you'll want to set up DoH or DoT as your DNS requests will be forwarded in plaintext

[–] [email protected] 1 points 4 days ago

Fortunately I set up unbound ages ago, and disabled every other upstream option in my pi.hole. However, I imagine that still "leaks" some information about my DNS queries, just indirectly -- it's not like my pi.hole has every domain mapped all the time!

[–] [email protected] 1 points 5 days ago (1 children)

You do not need anything else. DNS requests are all sent over Wireguard with encryption

[–] [email protected] 1 points 5 days ago (1 children)

Excellent to have confirmation, thanks. What about the VPN connection handshake? I always assumed it was OK over non-SSL, because the exchange should use signed keys. But that is quite an assumption on my part.

[–] [email protected] 2 points 5 days ago (1 children)

Wireguard uses public and private keys which are designed from the ground up to be used over plain text to establish the handshake so it isn't an issue. Same idea with ssh keys and ssl keys

[–] [email protected] 1 points 5 days ago (1 children)

Thanks. Wild that folks build SSH and HTTP around the same time without realising that HTTP could benefit from some of that same tech!

[–] Serinus 1 points 4 days ago

At the time, everything HTTP was supposed to be public.

[–] pax0707 3 points 5 days ago

I have ddns on Cloudflare. It works great, until your home IP changes. After that wireguard will happily hammer the old IP, till something breaks the tunnel and it reestablishes it to the new IP. Working as intended. My workaround was forcing the IP change over night while everyone was home.

Tailscale sorts all the issues I had.

[–] [email protected] 5 points 5 days ago (2 children)

Whats the issue with the Home IP changing? - Have you setup a DynDns hostname?

[–] [email protected] 4 points 5 days ago (2 children)

It may since have been fixed, but the Android client didn't handle IP changes well in my experience. From my understanding, it only checks DNS when it initially connects, and so if the public IP changes the connection just stops working. This might be fine if the public ip changes infrequently or if you frequently connect and disconnect rather than leave the client always on, but not so much otherwise.

Tailscale (and headscale) handles this gracefully, and you also get the nice NAT traversal features so no need to worry about CGNATs which are becoming more common.

[–] [email protected] 2 points 5 days ago

that's how it works on desktop too regarding DNS, but when it receives a response from a new IP, it should send future traffic there as I know

[–] friend_of_satan 2 points 5 days ago (2 children)

From my understanding, it only checks DNS when it initially connects, and so if the public IP changes the connection just stops working.

This is pretty standard TCP network behavior for long duration connections. The client queries dns for the IP address, opens a socket, and leaves it open as long as needed.

One thing that would help here is some kind of keepalive feature, like a client to server TCP connect or SYN, or better yet a higher level protocol signal. Check your client to see if there is some tunable keepalive. It may be set so something long like 1h.

[–] [email protected] 3 points 4 days ago

Wireguard does have a KeepAlive option, but I found it didn't seem to help in practice.

Could be bugs with the client, which is pretty barebones.

[–] pivot_root 4 points 5 days ago
[–] pax0707 1 points 5 days ago

It will resolve the IP from the domain when the tunnel goes up and will keep using that one. Working as intended.

Overlay networks solve that issue.

[–] fightforlife 9 points 5 days ago (1 children)

A big problem for me is, that Android is not allowing custom DoT servers. Even though the system supports DoH and is even using it for their built in resolver (Google/cloud flare) Networks that only whitelist TCP 433 (some guest wifis) will fail to use DoT.

[–] [email protected] 4 points 5 days ago

I believe you swapped DoT (TLS, port 853) and DoH (HTTPS) in your message. I have yet to be in a network that restricts port 853, but if I could I would rather use DoH on Android.

[–] dantheclamman 3 points 4 days ago

I use Home Assistant DuckDNS and Nginx addons. DuckDNS handles the dynamic DNS updating when my ISP inevitably changes my IP address. Let's Encrypt for certificates. Nginx for proxying to IPs on my network

[–] LovableSidekick 2 points 4 days ago* (last edited 4 days ago) (2 children)

If pi-hole blocks all ads how does the web look? Do pages have a lot of blank areas on them or what?

[–] [email protected] 7 points 4 days ago (1 children)

I haven’t set up this yet, but I use AdGuard on my phone and yes, it does leave blank space. Sometimes I don’t realized there was more text to read because it’s empty.

It’s not about the adblocker though. It’s on the quality of the developer. A good developer tells the browser to leave space for ads before it loads them. It makes the page load faster and also prevents the page jumping around as each item loads.

Ironically, a bad developer that doesn’t do that, probably has better website layouts for people who use adblockers. 🙃

[–] LovableSidekick 2 points 4 days ago* (last edited 4 days ago) (1 children)

LOL yeah I actually understand that last part LOL (former web dev, retired). Sites jinking around while the ads load and I've already started reading the content are super annoying.

[–] [email protected] 3 points 4 days ago (1 children)

Don’t you love scrolling right when the page loads and you click an ad instead?

It’s a feature, not a bug! Haha!

[–] LovableSidekick 2 points 4 days ago

One thing I really do hate is a download page with a giant green DOWNLOAD button that's just an ad link, and the thing I went there to download is a tiny text link.

[–] TK420 1 points 4 days ago (1 children)

Yes and no. You just have to see its beauty to get it. I also have been using it for a long ass time, almost a decade, so I could not even tell even tell you what sites look like with ads.

[–] LovableSidekick 2 points 4 days ago

I imagine it's like me trying to watch a TV show with commercials after 20 years of Netflix. Holy crap, I don't know how I ever grew up with all that noise.