Barbra's Pi-Hole

Recently, I have taken to using a VPN for the majority of web-browsing. This helps to prevent common ISP nonsense such as DNS hijacking as well as providing some convenient security on untrusted networks, such as public WiFi.

There are a variety of Free Software VPN tools out there, such as OpenVPN, {strong,libre,Open}swan, shadowsocks, and others. Additionally, if you are primarily a Linux user, then you can use the best VPN ever, WireGuard, created by Jason Donenfeld.

These days it's easy to get a VPS from many different providers. I use VULTR, and I have also heard good things about DigitalOcean. Regardless, it is easy to spin up a new VPS instance with any of these services, including pre-provisioning the new virtual machine with an SSH key. Once the box is up and running, for Pete's sake change the root password, preferably to something very long and random that you save in your password manager, and make sure to disable password-based login in sshd_config. Do this from an SSH session you keep open, syntax-check the file with sshd -t before reloading the daemon (systemctl reload ssh on Ubuntu), and confirm a fresh key-based login works before you close that session, so a typo cannot lock you out:

## /etc/ssh/sshd_config

# Only public-key authentication is accepted; password and keyboard-interactive
# logins are disabled. sshd uses the first occurrence of each keyword, so these
# must not be preceded by conflicting lines.
AuthenticationMethods publickey
PasswordAuthentication no
ChallengeResponseAuthentication no

# Root may log in, but only with a key: a root password is refused even if
# PasswordAuthentication were ever re-enabled by mistake.
PermitRootLogin prohibit-password

# Use kernel sandbox mechanisms where possible in unprivileged processes
# (Systrace on OpenBSD, Seccomp on Linux, seatbelt on macOS/Darwin, rlimit elsewhere).
# Valid for the OpenSSH 7.2 shipped with Ubuntu 16.04; OpenSSH 7.5 and later
# sandbox unconditionally and deprecate this option.
UsePrivilegeSeparation sandbox

# Keep PAM for session setup (limits, environment). With the two settings above
# PAM cannot grant a password login.
UsePAM yes
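The settings above are easy to get subtly wrong: a commented-out line, or a stricter value placed after a looser one, leaves the default (password logins allowed) in force, and sshd only honours the first active occurrence of a keyword. The following script is an added example, not code from the original post or from OpenSSH; it statically checks a sshd_config for the four login-related keywords and is run here against two constructed sample files.

```sh
#!/bin/sh
# Added example, not from the original post: an offline check that a
# sshd_config really disables password logins, run before reloading sshd.
# sshd honours the FIRST active occurrence of each keyword, so that is what
# we read; later duplicates are ignored just as sshd ignores them.

# Print the value of the first non-comment occurrence of keyword $2 in
# file $1, lower-cased; print nothing if the keyword is not set at all.
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 if $1 permits key-based logins only, 1 (printing reasons) otherwise.
sshd_config_is_hardened() {
    f=$1
    rc=0
    pa=$(sshd_opt "$f" PasswordAuthentication)
    cr=$(sshd_opt "$f" ChallengeResponseAuthentication)
    prl=$(sshd_opt "$f" PermitRootLogin)
    am=$(sshd_opt "$f" AuthenticationMethods)
    # The compiled-in default for both is "yes", so "unset" is a failure too.
    [ "$pa" = no ] || { echo "PasswordAuthentication is '${pa:-unset (default yes)}', want no"; rc=1; }
    [ "$cr" = no ] || { echo "ChallengeResponseAuthentication is '${cr:-unset (default yes)}', want no"; rc=1; }
    case $prl in
        prohibit-password|without-password|no) ;;
        *) echo "PermitRootLogin is '${prl:-unset}', want prohibit-password or no"; rc=1 ;;
    esac
    [ "$am" = publickey ] || { echo "AuthenticationMethods is '${am:-unset}', want publickey"; rc=1; }
    return $rc
}

# Constructed sample configs, written to temp files so the script runs stand-alone.
good_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
# Hardened: keys only, root only with a key.
AuthenticationMethods publickey
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

bad_cfg=$(mktemp)
cat > "$bad_cfg" <<'EOF'
# Looks hardened at a glance: the password line is commented out, and the
# stricter PermitRootLogin comes second, so sshd never sees it.
#PasswordAuthentication no
PermitRootLogin yes
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

sshd_config_is_hardened "$good_cfg" && echo "good config: key-only logins enforced"
sshd_config_is_hardened "$bad_cfg" || echo "bad config: rejected"
```

This is a reviewer's sanity check of intent, not a substitute for sshd itself: on the server, sshd -t -f /etc/ssh/sshd_config is the authoritative syntax check and sshd -T prints the effective value of every option after defaults and Match blocks are applied.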

Now we can set up the VPN on the new server. Several projects automate this these days, such as Algo, made by the team at Trail of Bits, and Streisand, originally started by Joshua Lund. While Algo has the benefit of a reduced attack surface, secure defaults, and potentially a simpler setup, it is not covered in this post because setting up its IPsec clients on Linux desktops is fiddly. It may be the right approach if your desktop runs one of the major proprietary operating systems.

This post is about Streisand which, like Algo, is deployed using a set of Ansible playbooks kept in a git repository. This automates deployment and makes it trivial to treat the VPN-on-VPS combo as disposable: if the box is ever compromised or blocked, tear it down and redeploy. The defaults should work, for the most part, but in this case we will be deploying on an existing Ubuntu 16.04.3 LTS server. Choose Existing Server:

Which provider are you using?
  1. Amazon
  2. Azure
  3. DigitalOcean
  4. Google
  5. Linode
  6. Rackspace
  7. Localhost (Advanced)
  8. Existing Server (Advanced)
: 8
What is the IP of the existing server:

Enter the public IP address of the server here and the script will begin to set up the VPN. By default, the Streisand script requires the server to be accessible using the ~/.ssh/ ssh key. If this key has a passphrase and an ssh-agent is running, it is still possible to get this to work, but it may be necessary to add the control_path variable to the [ssh_connection] section of ansible.cfg so that the playbook reuses the already authenticated SSH control socket of your running session, and with it the passphrase cached in the ssh-agent process:

[ssh_connection]
pipelining = True
control_path = /tmp/ssh-<some-string>  # path of the existing ssh ControlMaster socket

Assuming everything goes smoothly, the script will complete after some time and, depending on your desktop setup, your browser may open a local page with instructions for connecting to your new Streisand VPN.

The next step is to install a server-wide ad blocker on this shiny new VPS. For this purpose we can use Pi-hole. It was originally designed to turn a Raspberry Pi into a network-wide ad blocker, but it installs and runs on many different Linux distros. Pi-hole ships an automated bash installer. Keep in mind that piping a script straight from the Internet into a shell is dangerous: you execute whatever the server, or anyone between you and it, sends, with no chance to look at it first.

Pi-hole can be installed in one of the following ways:

curl -sSL | bash
git clone --depth 1 Pi-hole
cd Pi-hole/automated\ install/
wget -O

It is good security practice to read over the install script before running it on your box. The script will ask a few basic questions; if you are installing on a VPS without a public-facing domain name and a TLS certificate, it is best to say no to the web admin interface and to query logging. One more check a VPS deserves: Pi-hole runs a DNS resolver on port 53, and the VPS has a public address, so make sure port 53 is reachable only from the VPN interface, either by firewalling it or by binding the resolver to the VPN address. Otherwise you have built an open resolver that anyone on the Internet can use for DNS amplification. Now enjoy server-wide ad blocking and a censorship-resistant VPN.