Simple Digital Security for everyone

Background

After the pandemic I invested some time in setting up my digital security, in particular running a high-performance VPN across my devices where possible and using DoH on devices when I am on the move.

You may refer to my previous article on setting up DoH across devices: Don't Let Your Data Slip Away - A Comprehensive Look at Data Leakage Online

I had also written about setting up Pi-hole and WireGuard, and about setting up DoH using nginx.

I still felt this setup was very complicated and required multiple dependencies: Nginx, nginx-module-mjs (to convert HTTP requests into DNS requests), the nginx configuration, lighttpd, Pi-hole, WireGuard, certbot or acme_tiny, and so on.

I stumbled on Caddy, which is very simple and manages SSL certificates on its own, but getting DoH to work with Caddy was a big pain and there was no help to be found online or from LLMs.

New Setup 💿

Fast forward to 2025: I cleaned up the above setup, and below is the list of steps that will hopefully help anyone who wants to maintain a certain level of digital security.

Pi-Hole

Setting up Pi-hole is very easy. Spin up a Debian VPS online and run the command curl -sSL https://install.pi-hole.net | sudo bash; it will guide you through easy-to-follow steps.

Pi-hole v6 has a ton of improvements in the UI and, more importantly, it no longer relies on a separate lighttpd: it uses its own embedded web server, which runs inside the pihole-FTL process.

Configure Upstream

/etc/pihole/pihole.toml can be used to set up upstreams of your choice. I run cloudflared as a local DoH proxy using Cloudflare's DoH endpoint. You can skip this if you are happy with the upstream DNS chosen during the Pi-hole installation.

Configure SSL

The Let's Encrypt/Certbot command line can easily generate a certificate using the current web server and save it in the designated path mentioned below, without any manual intervention or custom DNS TXT records, as long as the domain name for which you want the certificate has a DNS entry pointing at the public IP of the VPS.

You may install certbot using sudo apt install certbot

sudo certbot certonly --webroot -w /var/www/html -d c.vinayakg.dev -m vinayak@abc.com --agree-tos --rsa-key-size 4096 --non-interactive

The above command generates the private key and the certificate with its full chain in Let's Encrypt's default location, in a directory named after the domain: /etc/letsencrypt/live/c.vinayakg.dev/privkey.pem and /etc/letsencrypt/live/c.vinayakg.dev/fullchain.pem.

You just need to concatenate the private key and the full-chain certificate using the command below:

sudo cat /etc/letsencrypt/live/c.vinayakg.dev/privkey.pem /etc/letsencrypt/live/c.vinayakg.dev/fullchain.pem | sudo tee /etc/pihole/tls.pem > /dev/null

This step replaces the default certificate generated by the Pi-hole setup, so back it up first if you need it. Otherwise, you are all set with SSL for the Pi-hole interface.

A cron job can also be configured to run the certbot command and renew the certificate periodically. The job below runs every three months, on the 28th of January, April, July and October, renews the certificate and then rebuilds tls.pem.

0 0 28 1,4,7,10 * sudo certbot renew --quiet && sudo sh -c 'sudo cat /etc/letsencrypt/live/c.vinayakg.dev/privkey.pem /etc/letsencrypt/live/c.vinayakg.dev/fullchain.pem'| sudo tee /etc/pihole/tls.pem > /dev/null
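The renewal step is the one that tends to break silently: certbot renews, but Pi-hole keeps serving the old tls.pem, or a failed concatenation leaves an empty one. As an added example (not from the original post), here is a certbot deploy hook that rebuilds the combined file only when both parts look like valid PEM and replaces it atomically; it assumes the RENEWED_LINEAGE variable certbot exports to deploy hooks, the /etc/pihole/tls.pem path from the post, and that pihole-FTL must be restarted to load the new certificate (an assumption to verify against the docs for your Pi-hole version).

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook that rebuilds
# Pi-hole's combined /etc/pihole/tls.pem after a renewal. certbot exports
# RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks. Restarting
# pihole-FTL to load the new certificate is an assumption to check for your version.
set -eu

# build_tls_pem LINEAGE_DIR DEST: write privkey.pem followed by fullchain.pem to DEST,
# but only after checking both look like PEM, and via a temp file plus rename so a
# half-written or empty tls.pem can never replace a working one.
build_tls_pem() {
    key="$1/privkey.pem"
    chain="$1/fullchain.pem"
    dest="$2"

    [ -r "$key" ] && [ -r "$chain" ] || { echo "missing $key or $chain" >&2; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$key" || { echo "$key is not a PEM private key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$chain" || { echo "$chain contains no certificate" >&2; return 1; }

    tmp=$(mktemp "$(dirname "$dest")/tls.pem.XXXXXX")
    cat "$key" "$chain" > "$tmp"
    mv -f "$tmp" "$dest"
    echo "$dest"
}

# count_pem_blocks FILE TYPE: number of "-----BEGIN <TYPE>-----" markers in FILE,
# handy for confirming the result holds exactly one key and the full chain.
count_pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# When invoked by certbot, RENEWED_LINEAGE is set: rebuild tls.pem and reload Pi-hole.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_tls_pem "$RENEWED_LINEAGE" /etc/pihole/tls.pem
    systemctl restart pihole-FTL
fi
```

Save it executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with certbot renew --deploy-hook) and certbot runs it only when a certificate was actually renewed, which replaces the concatenation in the cron line above.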

Pi-VPN (Wireguard) 🔐☁️

The next step is to install the WireGuard VPN. The install instructions are the same as before and can be followed from the install VPN section.

Generate as many clients as needed and use the native WireGuard clients on all your devices to connect to this VPN.

DoH Server

You may use doh-server, written in Rust, to run your own DoH server. Install it by downloading the package and simply running it:

wget https://github.com/DNSCrypt/doh-server/releases/download/0.9.11/doh-proxy_0.9.11-1_amd64.deb

sudo apt install ./doh-proxy_0.9.11-1_amd64.deb

Alternatively, create a service file /etc/systemd/system/doh-proxy.service as below and start it using sudo systemctl restart doh-proxy.service

[Unit]
Description=DNS over HTTPS server proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# systemd runs the service as root already, so no sudo belongs in ExecStart;
# root is what lets doh-proxy read the Let's Encrypt private key.
ExecStart=/usr/local/bin/doh-proxy -u 127.0.0.1:53 -l 0.0.0.0:5000 -H c.vinayakg.dev -p /QzABcdef-dns-query --tls-cert-key-path /etc/letsencrypt/live/c.vinayakg.dev/privkey.pem --tls-cert-path /etc/letsencrypt/live/c.vinayakg.dev/fullchain.pem
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

doh-proxy is highly configurable and allows you to supply the certificate paths using --tls-cert-path and --tls-cert-key-path, configure the upstream with -u, listen on a custom port with -l, set the URL path with -p and the domain with -H. See the ExecStart line above.

That's it. You are all set to use DoH from your browser or OS profile using https://c.vinayakg.dev:5000/QzABcdef-dns-query.
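To confirm the endpoint really speaks DoH and not merely HTTPS, it helps to send exactly what a browser or OS profile sends: an RFC 8484 GET request with the DNS query in the dns= parameter. The shell functions below are an added example, not code from the original post or the doh-server project; they build that wire-format query, produce the URL for the post's endpoint, and check that the server answers with the application/dns-message media type, assuming curl, base64 and tr are available.

```shell
#!/bin/sh
# Added example (not from the original post): build an RFC 8484 DoH GET query
# for a name and check that a DoH endpoint answers with the right media type.
# Assumes curl, base64 and tr are available.

# dns_wire_query NAME: write a minimal DNS A query for NAME (ID 0, recursion
# desired, class IN) in RFC 1035 wire format to stdout.
dns_wire_query() {
    # header: ID=0, flags=0x0100 (RD), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    printf '\000\000\001\000\000\001\000\000\000\000\000\000'
    old_ifs=$IFS
    IFS=.
    for label in $1; do
        # each label is its length as one byte (octal escape) followed by its text
        printf "\\$(printf '%03o' "${#label}")%s" "$label"
    done
    IFS=$old_ifs
    # terminating root label, QTYPE=A (1), QCLASS=IN (1)
    printf '\000\000\001\000\001'
}

# doh_query_url BASE_URL NAME: the GET form a DoH client sends,
# BASE_URL?dns=<base64url(wire query)> with padding stripped (RFC 8484 section 4.1).
doh_query_url() {
    encoded=$(dns_wire_query "$2" | base64 | tr -d '\n=' | tr '+/' '-_')
    printf '%s?dns=%s\n' "$1" "$encoded"
}

# doh_check BASE_URL NAME: succeed only if the server answers a DoH query with
# Content-Type application/dns-message. Needs network access.
doh_check() {
    ctype=$(curl -sS -o /dev/null -w '%{content_type}' \
        -H 'accept: application/dns-message' "$(doh_query_url "$1" "$2")")
    [ "$ctype" = "application/dns-message" ]
}

# against the post's setup (network required, so not exercised by the test):
# doh_check https://c.vinayakg.dev:5000/QzABcdef-dns-query example.com && echo "DoH OK"
```

For www.example.com the generated dns= value is the one printed in RFC 8484 itself, which is a handy way to cross-check the encoder.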

Summary & Next Steps

If you need to hide your location and browse securely, use Pi-hole with the WireGuard VPN. If you just want to block unwanted domains, run only Pi-hole and doh-proxy.

I am looking to create a Dockerfile with all the steps so that it is easy to manage and allows a faster setup.