Dual Pi-hole + Tailscale

This might be the perfect Pi-hole setup!

With this new setup I have redundancy for my DNS as well as the simplest VPN setup ever. Now when I am on the go not only can I access my home network with ease I am also able to take advantage of the ad blocking of Pi-hole.

Here are the basic steps to get things setup. There are more configuration steps available for each installation. Please check their websites for full details before proceeding.

Step 1:

Install Pi-hole on two Raspberry Pis.

curl -sSL https://install.pi-hole.net | bash


In the Pi-hole Admin page in Settings > DNS, make sure that Listen on all interfaces, permit all origins is selected.

Tailscale traffic comes in on the tailscale0 network interface, so this option is needed to allow your Pi-hole to respond to Tailscale-based DNS traffic. When using this option, make sure your Pi-hole is properly firewalled.

Step 2:

Install Gravity Sync on both Raspberry Pis.

curl -sSL https://gravity.vmstan.com | bash

Step 3:

Run the first Gravity Sync from the Raspberry Pi that is fully configured with all your settings.

gravity-sync push

Step 4:

Setup Gravity Sync automation on both Raspberry Pis.

gravity-sync auto

Step 5:

Install Tailscale on both Raspberry Pis.

curl -fsSL https://tailscale.com/install.sh | sh

Step 6:

Enable IP forwarding on both Raspberry Pis.

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

Step 7:

Start Tailscale on both Raspberry Pis.

sudo tailscale up --advertise-exit-node --advertise-routes= --accept-dns=false --accept-routes=true

Step 8:

Login to Tailscale and click the "three dots" menu next to the Machine entry for each Pi-hole. Select "Disable key expiry" from the drop-down. Since the Pi-holes are not directly exposed to the internet it is safe to not require re-authentication. Then select "Edit route settings..." from the same drop-down menu and enable both options. See image below.

Next copy the Tailscale IP address for each Pi-hole and use them as the Global Nameservers on the DNS tab. Set them override local DNS. See image below.

Turn on MagicDNS on the DNS tab. This way the Pi-hole's interfaces will work when on or off the Tailscale network using their hostnames.

Step 9:

Configure your router to use the Pi-hole's local IP addresses for your DNS.

Step 10:

Install Tailscale on other devices such as your phone so you can connect to your Tailscale network.

Thats it!

Now you should have all your devices setup with ad blocking and VPN. Now when you are connected to your Tailscale network you will also get ad blocking even when you are not on your local network.

Posted on