🔒 Create your own VPN server that blocks malicious domains to enhance your security and privacy
may215/adblocking-vpn

Roll your own ad-blocking and secured VPN

This is a how-to guide for creating your own VPN server that also blocks malicious domains, to enhance your security and privacy while browsing.

How does this work?

Quite simply, this guide sets you up with a Linux server that runs OpenVPN and Dnsmasq. Dnsmasq answers VPN clients' DNS queries from a modified hosts file that maps offending domains to 0.0.0.0, so the client never connects to them, and forwards everything else to an upstream resolver.

Prerequisites

  • You will need a Debian/CentOS/Ubuntu server to run your OpenVPN server on. The commands below use apt and assume Debian or Ubuntu; on CentOS substitute yum/dnf and the equivalent firewall persistence package.
    • If you don't have one, you can get a low cost VPS from a provider like Bandwagon Host
    • Disclaimer: Wherever you get a server from, be sure you're obeying their TOS. I'm not responsible for anything you do from following this guide.

Instructions

1. Update the system:

sudo apt update && sudo apt upgrade

2. Install iptables-persistent so any iptables rules we make now are restored on subsequent boots. When asked whether to save the current IPv4 and IPv6 rules, choose No for both protocols. The iptables commands in the rest of this step must run as root (prefix them with sudo if needed).

apt install iptables-persistent

Add IPv4 rules: iptables-persistent stores its rulesets in the files /etc/iptables/rules.v4 and /etc/iptables/rules.v6. Rather than editing rules.v4 by hand, run the iptables commands below and save the resulting ruleset into that file at the end of this step. The approach is to explicitly allow only what the VPN needs and drop everything else.

These rules allow DNS from VPN clients (arriving on the tun0 interface), which is what they need for name resolution. Port 80 is only needed if you also serve something over HTTP on the tunnel interface; it plays no part in DNS, and you can leave it out otherwise:

iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT

You will also want to enable SSH and VPN access from anywhere:

iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT

The next crucial setting is to allow packets that belong to connections already established or related to them (the replies to your SSH session, to dnsmasq's upstream lookups, and to anything else the server initiates). This rule is inserted at the top of the chain and must be in place before the DROP policy below, or you will lock yourself out:

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Also, we want to allow any loopback traffic, i.e. the server is allowed to talk to itself without any limitations using 127.0.0.0/8:

iptables -I INPUT -i lo -j ACCEPT

Finally, set the chain's default policy to drop anything that no rule above has matched:

iptables -P INPUT DROP

Blocking HTTPS advertisement assets

While you're in iptables anyway, you can also add REJECT rules for the web ports. These cover ads loaded over HTTPS and over QUIC (UDP 443, plus UDP 80 for older QUIC):

iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable

One caveat: with the hosts file mapping blocked domains to 0.0.0.0, clients never send these connections to the server at all, so the rules only come into play if you later point blocked names at the VPN gateway (10.8.0.1) instead. In that case the --reject-with tcp-reset on the TCP 443 rule is what makes the browser see an immediate "connection refused" rather than waiting for the DROP policy to time out. If blocked HTTPS assets still load slowly, confirm with iptables -L INPUT -n --line-numbers that the REJECT rules are present.

Save your iptables rules

If things look good, save your rules into the file iptables-persistent restores at boot, so they survive a reboot and you can revert to them after later changes to the firewall:

iptables-save > /etc/iptables/rules.v4

Everything above is IPv4 only. If the server has a public IPv6 address, the INPUT chain of ip6tables is still wide open; add the equivalent ip6tables rules and save them to /etc/iptables/rules.v6 with ip6tables-save, or the DROP policy protects nothing over IPv6.
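The complete rules.v4 that the commands above produce, shown in iptables-save format as an added example (this is not a file from the repository), so you can compare it with what was saved. The order matters: the loopback and ESTABLISHED rules were inserted at the top with -I, everything else was appended with -A, and the REJECT rules come last. Only the filter table is shown; the NAT masquerading that lets VPN clients reach the internet is set up by the OpenVPN installer in the next step, not here.

```text
# /etc/iptables/rules.v4 (added example, not from the repository)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# inserted with -I, so they are evaluated first
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# dnsmasq is reachable only from VPN clients on tun0, never from the public interface
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
# management and the VPN endpoint, from anywhere
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# fail fast instead of timing out if a client ever reaches the gateway on web ports
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

After a reboot, iptables -L INPUT -n -v --line-numbers should list the rules in exactly this order with the policy shown as DROP; if SSH is the only thing you can reach, the ESTABLISHED rule is the first thing to check.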
  3. Get OpenVPN installed on your server. For this, we will use Nyr's fantastic OpenVPN installer script:
  • wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
    • The script runs as root, so read it before you run it. git.io is only a redirector; if it stops resolving, fetch openvpn-install.sh directly from the Nyr/openvpn-install repository on GitHub.
    • Follow the prompts to get it set up; it should take about a minute.
    • It generates an .ovpn file which you will use to connect to the VPN from your client. We'll need this later on, so scp it to your client machine now. Treat it like a private key: the profile embeds the client certificate and key.
  4. Now we're going to overwrite our hosts file to map malicious domains to 0.0.0.0 by using StevenBlack's amazing hosts project.
  • wget https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -O /etc/hosts
    • This replaces the whole file. StevenBlack's list carries the standard localhost entries but not your server's own hostname, so re-add any local entries you rely on afterwards (sudo reports "unable to resolve host" when the hostname is missing).
  5. Install Dnsmasq:
  • sudo apt-get install dnsmasq
  6. We need to edit the dnsmasq config file to do a few things:
  • sudo vim /etc/dnsmasq.conf
    • Enable domain-needed and bogus-priv (uncomment them), so that plain names without dots and reverse lookups for private address ranges are never forwarded upstream.
    • Add in some alternative DNS servers (if you don't like the one provided by your host). For this example, we'll add Google DNS. Add no-resolv as well if these should be the only upstreams; otherwise dnsmasq also uses the servers from /etc/resolv.conf:
    server=8.8.8.8
    server=8.8.4.4
    
    • Tell dnsmasq to listen on both localhost and the gateway address of the subnet that OpenVPN created (10.8.0.1 with the installer's defaults). Together with the tun0-only iptables rules above, this keeps dnsmasq from becoming an open resolver on the public interface:
    listen-address=127.0.0.1
    listen-address=10.8.0.1
    
  7. Edit the OpenVPN server config so that clients are told to use dnsmasq as their resolver (pushed to them as a DHCP option):
  • vim /etc/openvpn/server.conf
    • Add push "dhcp-option DNS 10.8.0.1"
    • Delete any other lines about "dhcp-option"; if another resolver is still pushed, clients may use it and bypass the blocklist
  8. Create a crontab entry that updates your hosts file every night at midnight:
  • crontab -e
    • Add the following line: 0 0 * * * wget https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -O /etc/hosts && service dnsmasq restart
    • It is dnsmasq, not OpenVPN, that reads /etc/hosts, so that is the service to restart after an update. Be aware that wget -O truncates /etc/hosts before the download starts, so a failed download at midnight leaves you with an empty hosts file until the next successful run.
  9. Restart the services:
  • sudo service dnsmasq restart && sudo service openvpn restart
  10. At this point, we have an OpenVPN server whose clients resolve names through Dnsmasq, which answers 0.0.0.0 for any host in our hosts file and forwards everything else to the upstream DNS provider. Using the .ovpn file from earlier, you can now connect to the VPN from your client.
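A safer replacement for the nightly cron line in step 8, as an added example that is not part of this repository. It downloads to a temporary file first (so a failed download cannot leave /etc/hosts empty), checks that what arrived is a real sinkhole list rather than something that redirects names to an arbitrary address, keeps your own entries from a separate file, swaps the new file in atomically, and tells dnsmasq to re-read it with SIGHUP instead of restarting OpenVPN. The script name, the /etc/hosts.local file, the MIN_LINES threshold and the "update" argument are this example's own assumptions, not conventions of the project.

```shell
#!/bin/sh
# update-hosts.sh: refresh the blocklist in /etc/hosts without the two failure
# modes of the plain cron line (an empty /etc/hosts after a failed download, and
# a list that points names somewhere other than a sinkhole address).
# Added example, not part of the adblocking-vpn repository. /etc/hosts.local,
# MIN_LINES and the "update" argument are assumptions of this script.

HOSTS_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
LOCAL_ENTRIES="${LOCAL_ENTRIES:-/etc/hosts.local}"   # your own entries, e.g. "127.0.1.1 myvpn"
MIN_LINES="${MIN_LINES:-20000}"                      # a genuine StevenBlack list has far more

# validate_hosts FILE
# Returns 0 only if FILE is non-empty, has at least MIN_LINES sinkhole entries,
# and every non-comment line points at a sinkhole or loopback address. A line
# such as "203.0.113.9 bank.example" would silently redirect traffic, so it fails.
validate_hosts() {
    f="$1"
    [ -s "$f" ] || return 1
    blocked=$(grep -c '^0\.0\.0\.0[[:space:]]' "$f" || true)
    [ "$blocked" -ge "$MIN_LINES" ] || return 1
    awk '
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        $1 == "0.0.0.0" || $1 ~ /^127\./ { next }      # sinkhole / loopback
        $1 == "255.255.255.255" { next }               # broadcasthost
        $1 == "::1" || $1 == "fe80::1%lo0" { next }    # IPv6 loopback
        $1 ~ /^ff0[02]::[0-9]+$/ { next }              # ip6-localnet, ip6-allnodes, ...
        { bad++; if (bad <= 5) print "rejected entry: " $0 > "/dev/stderr" }
        END { exit (bad > 0) }
    ' "$f"
}

# build_hosts BLOCKLIST LOCAL OUT
# Writes OUT with the local entries first, then the downloaded list, so the
# server keeps its own hostname and localhost mappings across updates.
build_hosts() {
    {
        printf '# local entries, kept across blocklist updates\n'
        if [ -f "$2" ]; then cat "$2"; fi
        printf '\n# blocklist from %s\n' "$HOSTS_URL"
        cat "$1"
    } > "$3"
}

# update_hosts
# Download to a temp file, validate, swap the new file in atomically, then tell
# dnsmasq (the service that actually reads /etc/hosts) to re-read it.
update_hosts() {
    tmp=$(mktemp) || return 1
    # never "wget -O /etc/hosts": wget truncates the target before it knows whether the download succeeded
    if ! wget -q "$HOSTS_URL" -O "$tmp"; then
        echo "download failed, keeping current $HOSTS_FILE" >&2
        rm -f "$tmp"; return 1
    fi
    if ! validate_hosts "$tmp"; then
        echo "downloaded list failed validation, keeping current $HOSTS_FILE" >&2
        rm -f "$tmp"; return 1
    fi
    new=$(mktemp "$HOSTS_FILE.XXXXXX") || { rm -f "$tmp"; return 1; }   # same directory, so mv is atomic
    build_hosts "$tmp" "$LOCAL_ENTRIES" "$new"
    chmod 644 "$new"
    mv "$new" "$HOSTS_FILE"
    rm -f "$tmp"
    pkill -HUP -x dnsmasq || true   # dnsmasq re-reads /etc/hosts on SIGHUP; no restart needed
}

# Runs only when invoked as "update-hosts.sh update", e.g. from cron:
#   0 0 * * * /usr/local/sbin/update-hosts.sh update
case "${1:-}" in
    update) update_hosts ;;
esac
```

Install it as /usr/local/sbin/update-hosts.sh, run it once by hand as root to populate /etc/hosts, then point the crontab line at it. Because the validation rejects any routable address, a tampered or wrongly fetched list is refused and the previous hosts file stays in place.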

Adding/Removing Users

Thanks to Nyr's thoughtful work, we can just use the script from step 3 to manage users. It detects that OpenVPN is already installed and prompts you to add a new user, remove an existing user, or remove OpenVPN completely: wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

License

These instructions are licensed under an MIT License
