How to configure Tailscale with Pi-Hole

How to configure Tailscale with Pi-hole, so you can block ads even when you're not at home.

Intro

Recently, I set up a Raspberry Pi 4 (rpi) with Pi-hole so that I wouldn’t get bombarded with banner ads while I surfed the web. It works great, but only if I’m at the house using my Wi-Fi.

{% include figure image_path=“/assets/images/pihole/pi-hole-stats.png” alt=“Pi-hole dashboard” caption=“Pi-hole admin dashboard” %}

Now that the pandemic is nearly over and we can go and mingle outside, I want to be able to leave the house, yet not see any ads.

The simplest/old way of doing this is to create a VPN connection back to the rpi and then go about my business. I thought about setting up Wireguard on the Raspberry Pi but kept running into issues when setting up client keys. The main issue probably being my own stupidity.

Then I remembered some tweets from people I follow mentioning Tailscale and how it provided them with a no hassle private network, so I thought I’d try it out. It’s been 24 hours and things are working great, so I decided to share this blog post.

Goal

Be able to access/use the Pi-hole server at home, when I’m out and about on someone else’s wifi, or using my mobile data plan.

Requirements

  1. An account at Tailscale
  2. Tailscale client on your phone
  3. Tailscale client on your Raspberry Pi
  4. Pihole-FTL (DNS server) running/accessible to all active clients within your Tailscale organization.

Signing up and getting a client up and running on your mobile device is very simple, so I’m not going to get into it here.

Install Tailscale on the Raspberry Pi

I am assuming you have installed Raspbian, or Raspbian Lite, on your Pi, and not some other flavor of Linux.

Start with the simple instructions on how to install Tailscale on a Pi.

Once the client is running on the Pi, go to your Tailscale dashboard and verify that all your clients are showing up properly.

{% include figure image_path=“/assets/images/pihole/tailscale-machine-list.png” alt=“tailscale machine list” caption=“Tailscale Machine List” %}

Verify connectivity from one client to the other with a simple ping.

{% include figure image_path=“/assets/images/pihole/tailscale-machine-ping.png” alt=“Tailscale ping” caption=“Tailscale Machine Ping” %}

Reconfigure Pi-hole

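Log in to the Pi-hole admin interface, go to Settings -> DNS and make sure that interface listening behavior is set to Listen on all interfaces, permit all origins. With this setting Pi-hole answers DNS queries from any source address, so make sure port 53 on the Pi is not forwarded from your router or otherwise reachable from the internet.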

{% include figure image_path=“/assets/images/pihole/pihole-dns-permit-all-origins.png” alt=“Pihole DNS Setting” caption=“Make sure the permit all origins is turned on.” %}

Verify Admin Interface is accessible via Tailscale IP

{% include figure image_path=“/assets/images/pihole/pihole-admin-on-tailscale-interface.png” alt=“Pihole Admin” caption=“Notice the ip address is one that Tailscale assigned the rpi” %}

You should also make sure that you can connect to port 53 of the Tailscale IP.

nc -v -z 100.114.93.47 53
Connection to 100.114.93.47 port 53 [tcp/domain] succeeded!

Configure Tailscale to use this rpi as the DNS server for all clients.

Now tell Tailscale to use this IP address as the nameserver for all clients.

{% include figure image_path=“/assets/images/pihole/tailscale-dns-settings-override-local-dns.png” alt=“Tailscale DNS ” caption=“Make sure the ‘override localdns’ option is set. ” %}

And you’re all set!