Free PiVPN/Pihole/Unbound DNS Server for on-the-go using Linux (both the server and your computer)
By: Badduxx (taken from WNYG Discord server 2/9/2021)
Create the instance
Create or sign into your AWS account
In the services menu in the upper left part of the screen click EC2
Click Launch Instance
Select Ubuntu Server 20.04 LTS (HVM), SSD Volume Type / x86
Select the entry that says “Free Tier Eligible”
Click on the tab “6. Configure Security Group.”
Click “Add Rule”, choose HTTP from the dropdown, and specify port 80 in the port range box
This allows HTTP traffic to be sent to and received by the server you are setting up so that your phone's traffic can be forwarded successfully.
Click “Add Rule” again, select Custom UDP, and specify port 51820 in the port range box
This is the port that WireGuard (which we will set up through PiVPN later in the directions) listens on.
Put 0.0.0.0/0 in Source for the UDP entry
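The two rules above (plus the SSH rule the launch wizard adds on its own) are the whole network exposure of this server, so it is worth checking them before you launch. Only WireGuard on UDP/51820 has to be reachable from any address, because your phone will connect from whatever network it happens to be on; port 80 only serves the Pi-hole admin page that you open from your own computer later, so its source can be your own IP. The script below is an added example by the editor, not part of the original guide: it audits a rule list in the "IpPermissions" shape that boto3's describe_security_groups() returns (the rules here are constructed by hand so it runs offline), flags anything world-open that is not on the allow list, and prints AWS CLI commands to tighten it. The group id and the admin address are placeholders.

```python
"""Offline audit of the EC2 security-group rules this guide creates.

Added example, not part of the original guide. The rule dicts follow the
"IpPermissions" shape that boto3's describe_security_groups() returns, but
they are constructed by hand here so the script runs without AWS credentials.
"""
import ipaddress

# Constructed to mirror what the console produces for this guide: the HTTP
# rule (Pi-hole admin page) and the Custom UDP rule (WireGuard), both sourced
# from 0.0.0.0/0, plus the SSH rule the launch wizard adds by default.
EXAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "udp", "FromPort": 51820, "ToPort": 51820,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

# The only service that must accept connections from any address: roaming
# phones reach WireGuard from whatever network they are on.
WORLD_OK = {("udp", 51820)}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a /0 prefix matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules, world_ok=WORLD_OK):
    """Return (protocol, from_port, to_port, cidrs) for every rule that is
    open to the world but not on the world_ok allow list."""
    findings = []
    for rule in rules:
        proto = rule.get("IpProtocol", "-1")          # "-1" means all protocols
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])
                 if is_world_open(r["CidrIp"])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])
                  if is_world_open(r["CidrIpv6"])]
        if not cidrs:
            continue                                   # already restricted
        if proto != "-1" and lo == hi and (proto, lo) in world_ok:
            continue                                   # intentionally public
        findings.append((proto, lo, hi, cidrs))
    return findings


def remediation(group_id, finding, admin_cidr):
    """AWS CLI commands that replace a world-open IPv4 rule with one limited
    to admin_cidr (your own public IP as a /32). group_id is a placeholder;
    IPv6 sources are reported by audit() but left for manual handling here."""
    proto, lo, hi, cidrs = finding
    port = str(lo) if lo == hi else f"{lo}-{hi}"
    cmds = [f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--protocol {proto} --port {port} --cidr {c}"
            for c in cidrs if ":" not in c]
    cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                f"--protocol {proto} --port {port} --cidr {admin_cidr}")
    return cmds


if __name__ == "__main__":
    for f in audit(EXAMPLE_RULES):
        print("world-open:", f)
        for cmd in remediation("sg-PLACEHOLDER", f, "203.0.113.5/32"):
            print("  ", cmd)
```

Run against your real group by replacing EXAMPLE_RULES with the IpPermissions list from describe_security_groups(); the admin page stays reachable from the WireGuard tunnel either way, so restricting port 80 costs nothing once the VPN is up.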
Click “Review and Launch”
Click Launch
Choose “Create a new keypair” from the drop down
Type “pi2go” or some other word you will remember (the command line directions henceforth will use “pi2go.pem”)
Download Keypair to a place where you won’t delete it (I will use ~/Documents)
Click Launch
Click the instance ID link in the confirmation message, then again on the following Instance screen
Copy/note the public IP address for your instance
Open a terminal
sudo chmod 400 ~/Documents/pi2go.pem
chmod 400 (equivalent to chmod a+rwx,u-wx,g-rwx,o-rwx) sets permissions so that the (U)ser/owner can read but can't write or execute, the (G)roup can't read, write or execute, and (O)thers can't read, write or execute. ssh refuses to use a private key file that is readable by anyone other than its owner, so this step is required.
Enter the following command to log into your server using ssh
ssh -i ~/Documents/pi2go.pem ubuntu@your.instance.ip
-i signifies that the next entry is the private key file
ubuntu is the default name on the Amazon instance
The ip is the one you wrote down or copied from the new Amazon instance
Type "yes" to add this key to your known hosts
Enter:
sudo curl -sSL https://install.pi-hole.net | bash
Press enter until the installer starts working (defaults are fine)
Press OK when the installer returns to exit
Enter:
pihole -a -p
This is the command to reset the password for the web interface
type and confirm your desired password
Open a browser and navigate to http://your.instance.ip/admin
Log into the web interface using the password you set
(Optional for an expanded blocklist) If you wish, click on Group Management --> Adlists
Open this text file https://1drv.ms/u/s!AsRYx5wd83COjbdrq3rFcne-rhVz8w?e=MtczFr
Select All, Copy
Paste the whole list into the address box (it will add them all at once)
Click Add
In your terminal, run:
pihole -g
This updates your server with the new blocklists and also refreshes the existing ones.
Enter:
sudo apt install unbound
Installs the unbound DNS server from Ubuntu's repository
Enter:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
Creates and opens the pi-hole.conf file used by unbound
Copy and paste the contents of this file: https://1drv.ms/t/s!AsRYx5wd83COjbdtM7on-ddnbcc5rg?e=rPF1Hq
Ctrl+O
Enter
Ctrl-X
Enter:
sudo service unbound restart
dig pi-hole.net @127.0.0.1 -p 5335
These commands start your local recursive server and test that it's operational.
Enter:
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335
These commands test DNSSEC validation.
The first command should report a status of SERVFAIL and return no IP address. The second should report NOERROR plus an IP address.
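The two dig results above are the check that unbound is actually validating signatures rather than just resolving. The script below is an added example by the editor, not part of the original guide: it runs the same two queries against 127.0.0.1 port 5335 and applies the guide's pass criterion, plus one extra check the guide does not mention, the "ad" (authenticated data) flag on the sigok answer, which is what a validating resolver sets when it verified the chain (recent dig versions send the AD bit by default, which this relies on). The sample outputs at the bottom are constructed, abridged dig headers so the parsing can be exercised offline.

```python
"""Check that the local unbound resolver validates DNSSEC.

Added example, not part of the original guide. run_dig() issues the same two
queries the guide uses; the SAMPLE_* strings are constructed so the parsing
and the pass/fail logic can be exercised without a running resolver.
"""
import re
import subprocess

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
A_RECORD_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$", re.MULTILINE)


def dig_status(output):
    """RCODE text from the dig header, e.g. NOERROR or SERVFAIL."""
    m = STATUS_RE.search(output)
    return m.group(1) if m else None


def dig_answers(output):
    """IPv4 addresses from the ANSWER SECTION (A records only)."""
    return A_RECORD_RE.findall(output)


def dig_flags(output):
    """Header flags as a set, e.g. {"qr", "rd", "ra", "ad"}."""
    m = FLAGS_RE.search(output)
    return set(m.group(1).split()) if m else set()


def validation_ok(sigfail_output, sigok_output):
    """The guide's criterion: the broken signature must SERVFAIL with no
    address and the good one must NOERROR with an address. The "ad" flag on
    the good answer is an extra check: the resolver marked the data as
    authenticated, not merely resolved."""
    bad = (dig_status(sigfail_output) == "SERVFAIL"
           and not dig_answers(sigfail_output))
    good = (dig_status(sigok_output) == "NOERROR"
            and bool(dig_answers(sigok_output))
            and "ad" in dig_flags(sigok_output))
    return bad and good


def run_dig(name, server="127.0.0.1", port=5335):
    """Run dig exactly as the guide does and return its text output."""
    return subprocess.run(["dig", name, f"@{server}", "-p", str(port)],
                          capture_output=True, text=True, check=False).stdout


# Constructed sample outputs (abridged dig headers; the address is from the
# documentation range, not the real record).
SAMPLE_SIGFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_SIGOK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60 IN A 192.0.2.10
"""

if __name__ == "__main__":
    ok = validation_ok(run_dig("sigfail.verteiltesysteme.net"),
                       run_dig("sigok.verteiltesysteme.net"))
    print("DNSSEC validation:", "OK" if ok else "NOT working")
```

If the sigok query comes back NOERROR but without "ad", unbound is resolving but not validating; the usual causes are a missing trust anchor or a harden-dnssec-stripped setting that was left out of the config.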
Go back to your Pi-hole web interface, click Settings, then click the DNS tab.
Uncheck all of the other upstream DNS providers and type the following into "Custom 1 (IPv4)": 127.0.0.1#5335
Click Save
Go back to your terminal (make sure you are still ssh'd into the Amazon server)
Enter:
curl -L https://install.pivpn.io | bash
Press Enter through the prompts until the installer tells you to reboot, then reboot.
ssh back into your Amazon server after a few minutes
Enter:
pivpn add
type a name for your client
Enter
pivpn -qr
select your client
Install WireGuard from your app store
Press the plus button
Tap “Scan from QR code”
Scan the QR code shown in your terminal
Enjoy. On iOS you can also use the "On Demand" setting to have the tunnel turn on automatically depending on which networks you are connected to.
If you go to your account page on AWS and select Billing Preferences, you can set an alert in case your instance starts incurring charges (I have not had that happen).
Addendum for potentially better unbound performance
Log into the Pi-hole admin page, navigate to Settings, then DNS, and make sure "Use DNSSEC" is unchecked
There is no reason for Pi-hole to check DNSSEC itself, as unbound already validates it.
Enter:
sudo nano /etc/dnsmasq.d/01-pihole.conf
Add the line cache-size=0, or change the existing cache-size value to 0 (dnsmasq's own cache is redundant because unbound already caches).