Wireguard AdBlocker: It's Easy to Block Ads Anywhere

As I quickly showed in my previous BONUS TRACK, we could use Wireguard VPN to take advantage of all the features and customized configurations of our local AdBlocker.

After the publication, some of you, both from article's comments and Discord server, have raised interesting questions. So, in this Wireguard AdBlocker guide we'll take a few additional steps inside this configuration, in order to clarify all.

This article is focused on using Wireguard VPN to access our local AdBlocker on-the-go and it's taken for granted that all the necessary components, Wireguard for the VPN and Pi-Hole for the AdBlocker, have already been configured.
Otherwise, the links for the tutorials needed to get it all done, are reported in this article.

Table of Contents

1. Pi-hole Configuration
2. Wireguard Configuration
- A) PEERDNS Environment Variable for Wireguard
- B) ALLOWEDIPS Environment Variable for Wireguard

Membership Required
- 3. Wireguard PiHole = AdBlocker Ready
Additional Information
Concluding Remarks on Wireguard Adblocker

1. Pi-hole Configuration

Pihole Basic Dashboard — Pi-Hole Adblocker

For our configuration, I'm going to focus on a good old friend, that have been almost covered in past articles: Pi-Hole.
Here's the link for the useful tutorial by anand and w3techie, if you need some configuration help:

Pi-hole Configuration Posts:
Ultimate Pi-Hole Raspberry Pi Setup
How to Run PiHole in Docker on Ubuntu, w/ and w/o Reverse Proxy

Even AdGuard Home is a great alternative to Pi-hole, and could be implemented instead of Pi-Hole.

Pi-hole and AdGuard comparison and configurations:
Ultimate AdGuard Home Raspberry Pi: Kill Annoying Ads in 15 min
AdGuard Home Docker Compose

Loading ...

2. Wireguard Configuration

For the Wireguard configuration here's my previous guide.

As I already said in the main guide, two important things have to been kept in mind for this configuration:

A) PEERDNS Environment Variable for Wireguard

Set the environment variable PEERDNS with our Pi-Hole IP address, as shown in the docker compose snippet below:

version: '3.9'

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: Wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      - SERVERURL=<OUR PUBLIC IP>                      
      - PEERS=Profile1,Profile2,OtherProfile
      # Fill with the local IP of the AdBlocker
      # (ex: 192.168.x.x)       
      - PEERDNS=<OUR ADBLOCKER IP>                   
      - INTERNAL_SUBNET=192.168.10.0/24
      # Traffic completely routed in the VPN tunnel         
      - ALLOWEDIPS=0.0.0.0/0                  
      - LOG_CONFS=false                          
    volumes:
      - $DOCKERDIR/appdata/wireguard:/config
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

B) ALLOWEDIPS Environment Variable for Wireguard

Edit the environment variable ALLOWEDIPS adding our Pi-Hole IP address.

Membership Required

You must be a member to access this content.

View Membership Levels

Already a member? Log in here

version: "3.9"

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: Wireguard
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      - SERVERURL=<OUR PUBLIC IP>
      - PEERS=Profile1,Profile2,OtherProfile
      - PEERDNS=<OUR ADBLOCKER IP>
      - INTERNAL_SUBNET=192.168.10.0/24
      #
      # SINGLE IP CONFIGURATION:
      #
      # Only the AdBlocker is reachable and used
      # as DNS server
      #
      - ALLOWEDIPS=<OUR ADBLOCKER IP>
      #
      # MORE IPs CONFIGURATION:
      #
      # AdBlocker and other local devices
      # are reachables
      #
      # - ALLOWEDIPS=<OUR ADBLOCKER IP>, 192.168.1.30, 192.168.1.55
      #
      # SUBNET CONFIGURATION:
      #
      # Assuming that our AdBlocker
      # is on the subnet 192.168.1.0/24, we'll
      # set the variable with the subnet only,
      # otherwise we'll set the subnet and the
      # AdBlocker IP
      #
      # - ALLOWEDIPS=192.168.1.0/24
      # OR
      # - ALLOWEDIPS=<OUR ADBLOCKER IP>, 192.168.1.0/24
      #
      - LOG_CONFS=false
    volumes:
      - $DOCKERDIR/appdata/wireguard:/config
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

For the purpose of this guide, the only IP that we need to allow is our AdBlocker's one.

3. Wireguard PiHole = AdBlocker Ready

Everything needed has been done, the last step is to turn on our Wireguard VPN and test if our AdBlocker is doing his job correctly.

We could use some pages to accomplish this task:

Can You Block It?
d3ward GitHub AdBlock Test
Adblock Tester

Additional Information

Is Wireguard an AdBlocker?

Wireguard is not an AdBlocker. When I say Wireguard AdBlocker I intend using Wireguard to reach our local AdBlocker.

Is the Traefik's configuration for Wireguard necessary?

No, the Traefik's configuration part is optional, as the Wireguard Docker Compose Configuration with Optional Fields and the appropriate port forwarding are enough.

I included it anyway to monitor the exposed ports of our Docker Compose Stack, other than the usual ones, from Traefik Dashboard, and because if someone wanted to try setting up a Spectrum application for using them customized domain name, it would only be necessary to add the appropriate Traefik HTTP router rules defining it.

- "traefik.http.routers.wg.rule=Host(`wireguard.mycustom.domain`)"

I never configured a Spectrum application with Cloudflare, as it is for paid plans only, so I cannot guarantee that it would work.

How could I set a static IP to my Pi-Hole device/container?

Physical device (Debian Distro and based)
set a static ip editing file /etc/network/interfaces:

auto eth0
iface eth0 inet static 
address x.x.x.x           # Static IP
netmask x.x.x.x
gateway x.x.x.x

Container
we could use the same address of our Docker Compose Stack, coupled with a free port number, to reach our AdBlocker, setting the network mode to host, and environment variable WEB_PORT:

services:
  pihole:
    container_name: AdBlock
    image: pihole/pihole:latest
    network_mode: "host"      # Configure this
    [...]
    environment:
    [...]
    WEB_PORT: '12345'       # Configure this      
    [...]

We could also create a new network section, in the Docker Compose configuration, add a new subnet for AdBlocker and assign a static ip to it.

version: '3.9'

networks:
  [...]
  adblock_net:             # Network for containers
    name: adblock_net
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.0.0/24

services:
  pihole:
    [...]
    networks:
      adblock_net:
        ipv4_address: 192.168.x.x  # Static IP
    [...]

For the entire process, please refer to Anand's guide

This is too complex. Is there an all-in-one solution?

Yes of course. Our objective is to teach you. But there are some awesome self-contained all-in-one solutions that can achieve what is described in this guide. Take a look at the following projects:

PiVPN - Pi-Hole + VPN
GuardLlama - Open-Source VPN, Ad-blocker, and DNS Resolver

Concluding Remarks on Wireguard Adblocker

There are many approaches to achieving AdBlocking on the go. A combination of Wireguard PiHole is what we propose in this guide, which again can be achieved in multiple ways.

If you want to assign a dedicated device such as Raspberry Pi that is intended to do only one job, then a self-contained Wireguard AdBlocker such as PiVPN or GuardLlama might be the way to go.

On the other hand, if you prefer tinkering and having more control over how you setup applications in your infrastructure then manually setting up Wireguard as described in this guide might be the better route.