How to setup remote PiVPN/Pihole/Unbound DNS Server

[PurSuiT]

Free PiVPN/Pihole/Unbound DNS Server for on-the-go using Linux (both the server and your computer) 

By: Badduxx (taken from WNYG Discord server 2/9/2021)

Create the instance

1. Create or sign into your AWS account 
2. In the services menu in the upper left part of the screen click EC2 
3. Click Launch Instance 
4. Select Ubuntu Server 20.04 LTS (HVM), SSD Volume Type / x86 
5. Select the entry that says “Free Tier Eligible” 
6. Click on the tab “6.  Configure Security Group.” 
   • Click “Add Rule” Choose HTTP from the dropdown and specify port 80 in port range box 
7. This will allow for your http traffic to be sent and received on the server you are setting up so that your phone traffic can be forwarded successfully. 
8. Click “Add Rule” again and select custom UDP and specify port 51820 in port range box 
   • This is the port that Wireguard (which we will set up through PiVPN later in the directions) 
9. Put 0.0.0.0/0 in Source for the UDP Entry 
10. Click “Review and Launch” 
11. Click Launch 
12. Choose “Create a new keypair” from the drop down 
13. Type “pi2go” or some other word you will remember (the command line directions henceforth will use “pi2go.pem” 
14. Download Keypair to a place where you won’t delete it (I will use ~/Documents) 
15. Click Launch 
16. Click the instance ID link in the confirmation message, then again on the following Instance screen 
17. Copy/note the public IP address for your instance
18. Open a terminal
    • sudo chmod 400 ~/Downloads/pi2go.pem(Chmod 400 (chmod a+rwx,u-wx,g-rwx,o-rwx) sets permissions so that, (U)ser / owner can read, can't write and can't execute. (G)roup can't read, can't write and can't execute. (O)thers can't read, can't write and can't execute.)
19. Enter the following command to log into your server using ssh
    • ssh -i  ~/Documents/pi2go.pem ubuntu@your.instance.ip
      • -i signifies that the next entry is the private key file
      • ubuntu is the default name on the Amazon instance
      • The ip is the one you wrote down or copied from the new Amazon instance
    • Type "yes" to add this key to your known hosts
20. Enter:
    • sudo curl -sSL https://install.pi-hole.net | bash
    • Press enter until the installer starts working (defaults are fine)
    • Press OK when the installer returns to exit
21. Enter:
    • pihole -a -p
    • This is the command to reset the password for the web interface
    • type and confirm your desired password
22. Open a browser and navigate to http://your.instance.ip/admin
23. Log into the web interface using the password you set
24. (Optional for an expanded blocklist) If you wish, click on Group Management --> Adlists
    • Open this text file https://1drv.ms/u/s!AsRYx5wd83COjbdrq3rFcne-rhVz8w?e=MtczFr
    • Select All, Copy
    • paste the morass into the address box (it will add all at once)
    • Click Add
    • In your terminal, run:
      • pihole -g
      • this updates your server with the new blocklists and also serves to update exisiting ones.
25. Enter:
    • sudo apt install unbound
      • installs unbound dns server from Ubuntu's repository
26. Enter:
    • sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
    • Creates and opens the pi-hole.conf file used by unbound
    • Copy and paste the stuff from this file:  https://1drv.ms/t/s!AsRYx5wd83COjbdtM7on-ddnbcc5rg?e=rPF1Hq
    • Ctrl+O
    • Enter
    • Ctrl-X
27. Enter:
    • sudo service unbound restart 
    • dig pi-hole.net @127.0.0.1 -p 5335
      • These commands start your local recursive server and test that it's operational.
28. Enter:
    • dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335
    • dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335
      • These commands test DNSSEC validation 
      • The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an Iaddress.
29. Go back to your pihole web interface, click on settings, then click the dns tab.
    • uncheck any of the other upstream dns providers and type the following into "Custom 1 (IPv4)": 27.0.0.1#5335
    • click save
30. Go back to your terminal (make sure you are still sshd into the amazon server)
31. Enter:
    • curl -L https://install.pivpn.io | bash
    • Press enter until the end until it says to reboot.  Now reboot.
32. ssh back into your amazon server after a few minutes
33. Enter:
    • pivpn add
    • type a name for your client
34. Enter
    • pivpn -qr
    • select your client
35. Install wireguard from your app store
36. press the plus button 
37. touch scan from qr code
38. Scan QR Code
39. Enjoy -- If you are especially sassy (on ios anyway) to use the "On Demand" setting and have it automatically turn on depending on what networks you are connected to.
40. If you go to your account page on aws and select billing preferences, you can set an alert if for some reason your instance starts incurring charges (I have not had that happen)  

Addendum for potentially better unbound performance 

• Log into pihole admin, navigate to settings, dns, make sure dnssec is unchecked 
  • there is no reason for the pihole to check for dnssec as it will be taken care of by unbound. 

• Enter: 
  • sudo nano /etc/dnsmasq.d/01-pihole.conf 
  • add a line or change the value of cache-size=0