DOT/DOH on Pi-Hole, useful?

- My iPhone and my Ubuntu laptop are permanently connected to the WireGuard VPN server at home, which encrypts all traffic (web and local) and uses Pi-hole and Unbound. Tor is another problem because when using an exit node, everything is in the clear and nothing prevents the exit node from recording the traffic haha.

It’s like with my DNS server: no way I’m using a commercial VPN. It’s the same, the ISP sees that we access a site (but not in the clear) and nothing prevents the VPN provider from keeping the logs.

Ad VPN: if you’re in the EU, then switching to a VPN makes no sense, as ISPs are under the GDPR and have to face stringent rules about PI/SPI processing. VPNs are often out of the EU jurisdiction.

IDK how that applies if your exit point is in the EU, but that exit point has its own ISP, which will still be under GDPR, and one just switches which ISP and which VPN will have their data.

However this may be somewhat useful if one uses their own VPN to their own server/vserver. Then one may switch from an ISP associated with their PI, like name, address, etc., to an ISP for the datacenter they’ll be using. Which may disassociate the browsing data from one’s billing/address data (strong probability that this does not apply to law enforcement). TL;DR: I’m doubting its usefulness, unless one has a specific scenario/threat model.

Edit: reworded for more general pronouns.

I see in the Pi-hole logs. Now, with that can my website traffic or also my ISP know?

Passing all traffic via a VPN has the downside of not helping a lot against trackers (some VPNs don’t block trackers at all, and the ones that do block them don’t tell you which ones are blocked; you have to trust them). In many cases, the trackers can by themselves tell the website who you are, even without knowing your IP.

Using your DNS resolution service (Pi-hole + Unbound) while behind a VPN lets you hide your IP from the ISP + the website, instead of just the ISP.

The problem is that it allows DNS leakage.

The solution is to put your DNS service (i.e. Unbound) behind the VPN as well.

My iPhone and my Ubuntu laptop are permanently connected to the WireGuard VPN server at home, which encrypts all traffic (web and local) and uses Pi-hole and Unbound.

Yes. But that is of course when you are away from home, connecting from the outside into your home network. Once the traffic is there, it goes to your home ISP again, without VPN.

Tor is another problem because when using an exit node, everything is in the clear and nothing prevents the exit node from recording the traffic haha

Yep.

It’s like with my DNS server: no way I’m using a commercial VPN. It’s the same, the ISP sees that we access a site (but not in the clear) and nothing prevents the VPN provider from keeping the logs.

Yes.

  • My iPhone and my Ubuntu laptop are permanently connected to the WireGuard VPN server at home, which encrypts all traffic (web and local) and uses Pi-hole and Unbound. Tor is another problem because when using an exit node, everything is in the clear and nothing prevents the exit node from recording the traffic haha.

I used to do this, but then realized that I don’t really need to pass all my data through a tunnel; I only really wanted Pi-hole blocking on mobile, so I set up a split tunnel (Allowed IPs: 192.168.1.0/24) instead.

These domains are only accessed by you, so yes. Your DNS “leaked” your IP to the website; that’s why you can see your IP address in the DNS section. Potentially any website can find your IP address with this method, although most don’t bother.

In a normal situation without a VPN: your IP is given to the websites, trackers make it worse, and your ISP knows what website you visit.

With a VPN: your IP and traffic are hidden from everyone (except your VPN), but you are likely still tracked (unless your VPN stops trackers like Pi-hole does? But I doubt it).

You may be tempted to use your VPN AND at the same time filter DNS queries with your local Pi-hole + Unbound.
Problem: DNS queries go to the website with your IP address, so the website can still figure out who you are, as https://ipleak.net does.

Solution: put Unbound (+ Pi-hole if you want) behind a VPN, use the VPN on PC/browser/phone/etc., and route your DNS queries to your Pi-hole + Unbound. This way, your IP is better hidden from websites (no DNS leak), trackers are blocked, and your ISP doesn’t know the websites you visit.

A better solution is to educate users that DoT and DoH have nothing to do with anonymity and privacy and everything to do with attack mitigation.

Thank you for all this information; I still have work to do to secure my home.

Could you better explain the last point about Allowed IPs?

So it would be like installing WireGuard + Unbound + Pi-hole on UpCloud, for example?

This is how my WireGuard profile is set up on my phone.


I run 2 Pi-hole instances, both set as DNS in the WireGuard profile, and in “Allowed IPs” I have 192.168.1.0/24 entered because I only want DNS requests to be routed through the VPN tunnel, nothing else. I could’ve listed a single IP (just one of the Pi-holes), but by having listed /24 I can also access the whole home network. I hope my explanation is understandable.

That would work, as it would hide your IP from websites + let you avoid trackers + hide your traffic from your ISP.

Since UpCloud would be your VPN provider, you may want to check UpCloud’s privacy policy (in particular what logs they keep), and depending on your privacy needs you may want to check if UpCloud could spy on you on the order of a government. For example, if they’re in 5/9/14 Eyes countries, then they can be forced to record everything you do online and not warn you. It’s fairly unlikely to happen, but worth knowing about.

And where is it connecting? Do you have a server on your router or other device?

I’m not the guy you’re replying to; I run my VPN tunnels on dedicated servers, but there’s absolutely no reason why you couldn’t host it on the same machine as the Pi-hole instance.

WireGuard is running on my home router.

But how does WireGuard know that you only want DNS traffic to go through it? Just by putting 192.168.1.0/24?

The DNS servers in the WireGuard profile are set as 192.168.1.3 (and .4); this overrides the system DNS when the profile is active. The “Allowed IPs” setting is 192.168.1.0/24, so only the traffic that is bound for that network (where the DNS servers are located) is routed through the secure tunnel; everything else goes through the cell carrier network. This is the so-called split tunnel configuration, where only some traffic gets routed through a tunnel.

In my client configuration file, I have put as IP 192.168.3.2/32 (192.168.3.1/24 is the server) and as DNS 192.168.1.1, which is my router, and in Allowed IPs 192.168.1.0/24. When I connect to another network, I see that I have the public IP of that network and not that of my router, therefore I think it is well configured.
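The split-tunnel posts above (Allowed IPs = 192.168.1.0/24 with the Pi-holes at 192.168.1.3/.4 as DNS) all rest on one WireGuard rule: a packet only enters the tunnel if its destination falls inside the peer's AllowedIPs (WireGuard's "cryptokey routing"), everything else takes the phone's normal carrier route. The script below is an added example written for this page, not code from any of the posters; it parses a constructed client profile (the addresses are the thread's, the key strings are placeholders, `vpn.example.home` is an assumed hostname) and reproduces that decision for a few destinations, including the check that matters for this setup: every DNS server the profile pushes must itself be covered by AllowedIPs, otherwise the queries leave over the carrier network and Pi-hole never sees them.

```python
import ipaddress

# Constructed WireGuard client profile of the kind described in the thread:
# split tunnel, only the home LAN (where the Pi-holes live) goes into the tunnel.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 192.168.3.2/32
DNS = 192.168.1.3, 192.168.1.4

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.home:51820
AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 25
"""

# Same profile as a full tunnel: every packet, web traffic included, is tunnelled.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 192.168.1.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")

# Constructed misconfiguration: only the first Pi-hole is routed, the second
# DNS server would be queried over the carrier network.
BROKEN_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 192.168.1.0/24", "AllowedIPs = 192.168.1.3/32")


def parse_conf(text):
    """Minimal parser for the two keys we care about in a WireGuard client
    config: DNS (list of server strings) and AllowedIPs (list of networks)."""
    dns, allowed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key == "dns":
            dns.extend(values)
        elif key == "allowedips":
            allowed.extend(ipaddress.ip_network(v, strict=False) for v in values)
    return {"dns": dns, "allowed_ips": allowed}


def goes_through_tunnel(conf, destination):
    """WireGuard sends a packet into the tunnel only if its destination is
    inside one of the peer's AllowedIPs; anything else uses the normal route."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in conf["allowed_ips"] if net.version == dst.version)


def classify_traffic(conf, destinations):
    """Map each destination to 'tunnel' or 'direct' (carrier/ISP route)."""
    return {d: ("tunnel" if goes_through_tunnel(conf, d) else "direct")
            for d in destinations}


def dns_is_tunnelled(conf):
    """True only if every pushed DNS server is reachable through the tunnel.
    If this is False the split tunnel silently bypasses Pi-hole for that server."""
    return all(goes_through_tunnel(conf, d) for d in conf["dns"])


if __name__ == "__main__":
    probes = ["192.168.1.3", "192.168.1.50", "93.184.216.34", "2606:4700::1111"]
    for name, text in [("split", SPLIT_TUNNEL_CONF), ("full", FULL_TUNNEL_CONF),
                       ("broken", BROKEN_CONF)]:
        conf = parse_conf(text)
        print(name, classify_traffic(conf, probes), "DNS tunnelled:", dns_is_tunnelled(conf))
```

With the split profile, 192.168.1.3 and anything else in 192.168.1.0/24 is routed into the tunnel while a public address such as 93.184.216.34 goes out directly, which is exactly what the "I see the public IP of the other network" observation in the last post describes; the full-tunnel variant routes all of them through the VPN. The `dns_is_tunnelled` check is the one worth running against a real profile before relying on the split tunnel for ad blocking.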