I want to make a few points to help clarify some of the choices and why I made them. This is very helpful and I appreciate all the comments as it highlights how some things are clear in our head but we don't end up sharing that with anyone reading. So:
1. I looked at AdGuardHome but I preferred PiHole because I found its documentation a bit more helpful for my purpose (the Unbound sample, the Wireguard setup, etc)
2. I saw the docker compose package, but I wanted something that runs at the OS level. There are docker packages for Wireguard too and I had also a look at Mistborn (https://gitlab.com/cyber5k/mistborn)
3. The VPN is the main thing I wanted set up to reach resources on my home network; adblocking and DNS came a bit later, so you can run this without a VPN, but it's central for my setup.
4. I really wanted this setup at the OS level and to hopefully learn more about the whole process.
I just use blocklists in Unbound without having to bother with Pi-Hole. Nothing against Pi-Hole, I just find it easier long-term to maintain fewer services.
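One way to feed a hosts-format blocklist into Unbound as `always_nxdomain` local zones, as an added example that is not part of the comment above or of Unbound itself (the blocklist text is constructed sample data, not a real list):

```python
import ipaddress
import re

# Hosts-file style blocklist, constructed here as sample input (not a real list).
SAMPLE_BLOCKLIST = """\
# constructed sample, hosts format
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 BAD_LABEL!.example
0.0.0.0 telemetry.example.org
"""
# Conservative hostname check: labels of letters, digits and hyphens only.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name: str) -> bool:
    """Reject anything that would produce a malformed local-zone entry."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))

def parse_hosts_blocklist(text: str) -> list[str]:
    """Return unique, lowercased hostnames from hosts-format lines."""
    seen: set[str] = set()
    hosts: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip full and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])  # first field must be the sink IP
        except ValueError:
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host in ("localhost", "localhost.localdomain"):
                continue  # never turn localhost into NXDOMAIN
            if is_valid_hostname(host) and host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts

def to_unbound_local_zones(hosts: list[str]) -> str:
    """Emit one always_nxdomain local-zone per host (it also covers subdomains)."""
    return "".join(f'local-zone: "{h}." always_nxdomain\n' for h in hosts)

if __name__ == "__main__":
    print(to_unbound_local_zones(parse_hosts_blocklist(SAMPLE_BLOCKLIST)), end="")
```

Write the output to a file and pull it into the `server:` section with an `include:` directive; because a local-zone covers its subdomains, check the generated list against any internal names you rely on before reloading.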
I have looked at that briefly. I think I had gone with pihole in the end for the ability to have a UI to easily see any resolution issues and local DNS management (which, I think, is also present in Unbound, but via configs rather than a UI).
I have a similar setup, but with AdGuardHome. I used Pi-Hole in the past, but AdGuardHome's UI is from this century at least. That, and the fact that with Pi-Hole it was very difficult to have IPv6 working.
I have an instance on my router in my home network for covering all devices by default, and a hosted one to which I connect when outside via mobile network. Split-tunneling with only the DNS routed, so that I don't have to push all traffic through the VPN.
You don't need a VPN! I host an AdguardHome instance and just expose TCP/853. I put my domain name in the Private DNS settings of my Android and I get 24/7 adblocking without the hassle and battery drain of my Wireguard VPN (which I still use to access private stuff).
Sadly, the Wireguard protocol is easily identified and blocked, and you need to add an obfuscation layer to make it work.
Thanks again for the suggestions though!
May be helpful for others. Fully packaged version
https://github.com/IAmStoxe/wirehole
I didn’t have a problem with IPv6 necessarily with pihole as much as my ISP, AT&T, didn’t play well with me wanting to use another DNS for IPv6.
I ended up just going to NextDNS. All my devices are Apple so I could install the certificate and it works away from home too.
Another solution to consider is Tailscale. There is a vast free tier and it makes securing your network really simple.
I mentioned that as an alternative along with Headscale and Nebula. Not for me though! At least not now.
Ah you are right, sorry. Somehow I learned on the networks section and stuff for there. Sorry for that.
I went through the journey of having multiple VPN technologies to my home lab and cross-places. This is fun, a rewarding exercise.
I switched first to Headscale, and then Tailscale for the ease of setting this up, which frees time for other home lab activities.