How to setup OpenVPN with ad blocking on Raspberry Pi or a VPS

Using a VPN (Virtual Private Network) can help protect your privacy. You can use a VPN to appear to be in another country so you can reach a website that was previously blocked. You can also use a VPN to stop your ISP from restricting you to certain websites, and to protect your data when travelling and using insecure WiFi. There are many more reasons. However, there is an extra benefit to using a VPN that people don’t usually think about: automatic content blocking (also known as ad blocking).

Why?

Ad blocking is now a necessity because of dangerous ads. Some ad networks have had problems with ads containing malicious JavaScript which is actually malware. Even recently YouTube was showing ads that contained a cryptocurrency miner. An add-on like uBlock Origin for Firefox or Chrome can help. And customizing your Firefox privacy settings will also help. But what if apps on your phone are showing dangerous ads? Or, what if you have an old phone that’s no longer getting updates and you want better protection from the recent Meltdown vulnerability? A browser add-on alone will not help you.

OpenVPN with ad blocking

Now combine the benefits of a VPN and ad blocking into one solution. This is where OpenVPN with ad blocking using dnsmasq comes in. For this to work you need control of the OpenVPN server configuration, so using a VPN provider is not an option. But this way is cheaper! Plus you get the satisfaction of setting up your own VPN!

Setup a Raspberry Pi with OpenVPN

You can create your own VPN with a Raspberry Pi. If you live in Canada, a good way to get started is with the Raspberry Pi 3 CanaKit. There are many guides for setting up a Raspberry Pi with OpenVPN.

However, this method won’t help if a website restricts your country, or if your ISP blocks you from certain content, since you will have the Raspberry Pi at home. But, you can still use this method to protect you when using open WiFi while travelling, or when at home to get the benefit of ad blocking on your mobile devices.

Setup a VPS with OpenVPN

If using a Raspberry Pi isn’t your thing, you can buy an inexpensive VPS (Virtual Private Server) and host your VPN from there. This may seem like more work, but it’s pretty easy. And with a VPS you don’t need to worry about exposing your home network to the public internet. Also, when using a VPS that is only for OpenVPN, you can use common ports to have a better chance of being able to connect to your VPN.

Linode is a great VPS provider for $5 per month. Or, Vultr offers a VPS for $2.50 per month! (For IPv6 only, IPv4 is $3.50). Whichever VPS provider you choose, make sure to create your VPS in a country that’s right for you, for example if you need to access a website that is usually only available in a certain country. Also make sure you obey their TOS. I’m not responsible for anything you do from following this guide!

When using your own VPS, I suggest setting it up with OpenVPN using the Streisand project. It has many options to bypass blocking if you live in an oppressive country. Note that the commands below will only install OpenVPN (with stunnel) if using Streisand. Plus, Streisand does a good job at protecting your VPS with security tweaks and automatically updating packages.

Install OpenVPN

You can install OpenVPN many different ways. Here are two ways I recommend:

To install OpenVPN via PiVPN, follow these steps.

To install (only) OpenVPN (also with stunnel) via Streisand, follow the prerequisite steps, and then run:

$ remote_server_IP=1.2.3.4  # Change IP to your VPS/remote server IP
$ git clone https://github.com/ryandaniels/ansible-role-dnsmasq-adblock.git ~/ansible/roles/dnsmasq-adblock
$ # Clone into ~/streisand so the path used in the next command exists
$ git clone https://github.com/StreisandEffect/streisand.git ~/streisand && cd ~/streisand
$ ~/streisand/deploy/streisand-existing-cloud-server.sh --ip-address "$remote_server_IP" --ssh-user username123 --site-config ~/ansible/roles/dnsmasq-adblock/files/streisand-local-site.yml

Change “remote_server_IP” to your server’s IP.
This will use the user “username123” with ssh keys for a passwordless ssh connection. Be sure to use a user that you’ve set up with ssh keys.

Setup ad blocking for OpenVPN using dnsmasq

Now that you have OpenVPN set up on a Raspberry Pi or your own VPS, you are ready for the last step: ad blocking. For this you can use a program called dnsmasq. It performs DNS lookups, and you can modify its behaviour to block certain domains.

Manually install and configure dnsmasq on Ubuntu

These steps were modified from this GitHub project by Bob Nisco and also use Steven Black’s hosts project.

Install and configure dnsmasq using the DNS servers from OpenDNS:

$ sudo apt-get -y install dnsmasq
$ sudo wget https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -O /etc/hosts_blocked

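$ # "sudo cat > file" fails because the redirect runs as your own user; tee writes the file as root
$ sudo tee /etc/dnsmasq.conf > /dev/null << 'EOF'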
domain-needed
bogus-priv
no-resolv
server=208.67.222.222
server=208.67.220.220
listen-address=127.0.0.1
listen-address=10.8.0.1
addn-hosts=/etc/hosts_blocked
EOF

Configure OpenVPN:

$ sudo vi /etc/openvpn/server.conf

Add the line below, and make sure no other lines have “dhcp-option DNS”:

push "dhcp-option DNS 10.8.0.1"

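Create a script to update the domains being blocked, and have it run every week:

$ sudo tee /etc/cron.weekly/adblock_dl_hosts > /dev/null << 'EOF'
#!/bin/bash
# Download to a temporary file first so a failed download never truncates the live blocklist
wget https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -O /etc/hosts_blocked.new \
  && mv /etc/hosts_blocked.new /etc/hosts_blocked \
  && systemctl restart dnsmasq.service
EOF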

$ sudo chmod +x /etc/cron.weekly/adblock_dl_hosts

Restart dnsmasq and OpenVPN:

$ sudo systemctl restart dnsmasq.service 
$ sudo systemctl restart openvpn.service
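
Because addn-hosts makes dnsmasq answer with whatever address the downloaded file assigns to a name, a tampered or broken list could point a real domain at an arbitrary server. The following is an added example, not part of the original post or of the hosts project: a stricter version of the weekly update that keeps only 0.0.0.0 sinkhole entries and replaces the live file atomically. The function names, the URL variable and the MIN_ENTRIES threshold are assumptions chosen for illustration.

```shell
#!/bin/bash
# Added example: validate the downloaded hosts list before dnsmasq loads it.
# Function names, URL variable and MIN_ENTRIES are assumptions for illustration.
URL=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
MIN_ENTRIES=${MIN_ENTRIES:-1000}   # refuse a suspiciously small list

# Keep only "0.0.0.0 name" sinkhole lines; drop entries that point a name at
# any other address, malformed names, and the list's own 0.0.0.0 self-entry.
filter_blocklist() {
  awk '
    { sub(/#.*/, ""); sub(/\r$/, "") }
    NF != 2 || $1 != "0.0.0.0" || $2 == "0.0.0.0" { next }
    $2 !~ /^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$/ { next }
    { print "0.0.0.0 " tolower($2) }
  '
}

# install_blocklist SRC DEST: filter SRC, then atomically replace DEST.
# Returns non-zero and leaves DEST untouched if too few entries survive.
install_blocklist() {
  local src dest tmp count
  src=$1; dest=$2
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  filter_blocklist < "$src" > "$tmp"
  count=$(wc -l < "$tmp")
  if [ "$count" -lt "$MIN_ENTRIES" ]; then
    rm -f "$tmp"
    return 1
  fi
  chmod 644 "$tmp" && mv "$tmp" "$dest"
}

# update_blocklist: download to a scratch file, validate, install, restart.
update_blocklist() {
  local raw rc
  raw=$(mktemp) || return 1
  wget -q "$URL" -O "$raw" \
    && install_blocklist "$raw" /etc/hosts_blocked \
    && systemctl restart dnsmasq.service
  rc=$?
  rm -f "$raw"
  return "$rc"
}

# Run the update only when installed under the cron script name used above.
case "${0##*/}" in
  adblock_dl_hosts) update_blocklist ;;
esac
```

Saved as /etc/cron.weekly/adblock_dl_hosts and made executable, it takes the place of the one-line download script; under any other file name it only defines the functions.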

Using Ansible to automatically install and configure dnsmasq on Ubuntu

If you are familiar with Ansible, then you can add a new role to handle the installation and configuration of dnsmasq for ad blocking automatically. If you are not familiar with Ansible but want to know more, check out my post explaining what Ansible is.

I’ve created this Ansible role to configure dnsmasq on Ubuntu or Raspbian.

Create the Ansible Playbook:

$ cat > ~/ansible/install-dnsmasq-adblock.yml << 'EOF'
---
- hosts: '{{inventory}}'
  become: yes
  roles:
  - dnsmasq-adblock
EOF

If using PiVPN or a normal OpenVPN installation (and not Streisand), clone the git repository and run the Ansible Playbook:

$ git clone https://github.com/ryandaniels/ansible-role-dnsmasq-adblock.git ~/ansible/roles/dnsmasq-adblock
$ ansible-playbook ~/ansible/install-dnsmasq-adblock.yml --extra-vars "inventory=openvpn-server" -i hosts

If you are using Streisand, then you already cloned the git repositories. Just run the Ansible Playbook:

$ ansible-playbook ~/ansible/install-dnsmasq-adblock.yml --extra-vars "inventory=streisand-host adblock_manage_openvpn=false" -i ~/streisand/inventories/inventory-existing

Conclusion

In conclusion, now you are more secure by using OpenVPN with ad blocking on your own Raspberry Pi or VPS. And if you are using your own VPS you can use the Streisand project to secure your installation and also to expose common ports to have a higher chance of being able to connect to your VPN from anywhere.