Excited after my success with PiHole and its privacy-centric ad-blocking DNS, I felt empowered to do more. The thing about living with near-perfect ad blockers is that you don't really notice them when they are active, but you REALLY notice them when they are gone. Using a phone or laptop outside made me feel completely bombarded by advertisements, and my experience with my own DNS server made me realize just how much of my browsing history and app activity is discoverable when I am on someone else's network. Fortunately, there is a solution to both of these problems: building my own VPN.
Many people choose to use VPN services like Tunnelbear and NordVPN to protect their privacy. However, these services, while great at masking activity from man-in-the-middle attacks, do not allow you to run your own custom DNS (and thus ad block), which is the key reason why I wanted to set up my own VPN. Besides, using someone else's VPN service just takes away all the fun.
Fortunately, some other crazy hackers have made setting up your own VPN service easy. A tool called PiVPN can convert a Raspberry Pi into a VPN server. To install, just flash an image of Raspbian onto the Pi and type the following command into the terminal:
curl -L https://install.pivpn.io | bash
This downloads and starts an installer for the PiVPN software. After that, setup is pretty straightforward; the only major modification for this use case is changing the DNS server from the defaults (Google or Cloudflare) to the local PiHole device (otherwise, I might as well use any other VPN service). As with the PiHole, some configuration is necessary on the router, including giving the PiVPN device a static IP address, but this time you must also forward ports to the Pi. Port forwarding tells my router that external connections arriving on a specific port should be passed to a specific device on my network. (Sorry for the lack of pictures here, but I prefer to keep the port numbers secret to make any attacker's life a little harder.)
Many people also choose to use a DDNS (dynamic DNS) service in conjunction with their VPN to make signing on easier. DDNS means that they can use a static, easy-to-remember name like freddysvpn.net that always points to their home's public IP address. This is particularly important when you anticipate that your home's public IP address is likely to change often and you want to avoid any traffic moving unencrypted. Because I am primarily using this as a method to block ads and telematics, this wasn't a big issue for me, and I chose to point directly to my public IP address and change it when necessary, rather than pay for a DDNS service. (UPDATE: I have since switched to using a free DDNS from Duck DNS.)
Once the server is set up, all that is left is the clients. On the server side, you want to create a file for each client that instructs it on how to connect to the server. For each unique client (phone, tablet, laptop, etc.), open the terminal and type:
pivpn add
Create a unique passphrase (password) for each client, and the system will output a .ovpn file. On the client, install an OpenVPN client, open the .ovpn file, and type in your passphrase. Now a secure, encrypted tunnel has been created.
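The whole setup only pays off if the server actually sends client DNS to the PiHole and routes all traffic through the tunnel; a client that keeps its local resolver leaks every lookup and sees ads again. The check below is an added example, not part of the original post or of PiVPN: it parses an OpenVPN server config for the pushed DNS and gateway directives. The PiHole address (PIHOLE_IP) and the sample config contents are assumptions; PiVPN's real file lives under /etc/openvpn/ on the Pi.

```shell
#!/bin/sh
# Added example (not from the post or PiVPN): verify that an OpenVPN server
# config pushes the PiHole as the only DNS server and redirects the default
# gateway into the tunnel. PIHOLE_IP is an assumed LAN address; set your own.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.10}"

# check_dns_push <server.conf>
# Returns 0 if every pushed DNS server is the PiHole and the default gateway
# is redirected into the tunnel; otherwise prints each problem and returns 1.
check_dns_push() {
    conf="$1"
    rc=0
    dns_lines=$(grep -E '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]' "$conf")
    if [ -z "$dns_lines" ]; then
        echo "PROBLEM: no DNS pushed; clients keep their local resolver"
        rc=1
    else
        # After stripping quotes, the fourth field is the pushed resolver.
        other=$(printf '%s\n' "$dns_lines" | awk '{gsub(/"/, ""); print $4}' | grep -v -x "$PIHOLE_IP" || true)
        if [ -n "$other" ]; then
            echo "PROBLEM: DNS pushed to non-PiHole resolver(s): $(printf '%s' "$other" | tr '\n' ' ')"
            rc=1
        fi
    fi
    if ! grep -qE '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf"; then
        echo "PROBLEM: no redirect-gateway push; only LAN traffic uses the VPN"
        rc=1
    fi
    return "$rc"
}

# write_sample_conf <file> <dns-ip> [no]
# Writes a constructed, minimal server.conf for demonstration (not a real
# PiVPN file); pass "no" as the third argument to omit the gateway redirect.
write_sample_conf() {
    {
        echo "dev tun"
        echo "server 10.8.0.0 255.255.255.0"
        [ "${3:-yes}" = "no" ] || echo 'push "redirect-gateway def1"'
        echo "push \"dhcp-option DNS $2\""
    } > "$1"
}

# Demo on constructed samples: a correct config and one leaking DNS to 8.8.8.8.
good=$(mktemp); bad=$(mktemp)
write_sample_conf "$good" "$PIHOLE_IP"
write_sample_conf "$bad" "8.8.8.8"
check_dns_push "$good" && echo "OK: sample config keeps DNS on the PiHole"
check_dns_push "$bad" || echo "REJECTED: sample config bypasses the PiHole"
rm -f "$good" "$bad"
```

Run it against the real file with `check_dns_push /etc/openvpn/server.conf` once PIHOLE_IP is set to your PiHole's address.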
This is an extremely complicated way to get around advertisements, and I certainly don't recommend it for everyone. I am still working out a few kinks, such as dropped connections when switching from cellular to Wi-Fi, and some other small issues with latency. Ideally, I would like to configure the VPN to automatically disable itself when I am home and re-enable itself when I am away, but those are projects for another day.
My Raspberry Pis running PiHole (top) and PiVPN (bottom) amongst other equipment in my server rack.