Connecting to the Internet using Pi-Hole, Tailscale and Cloudflare

David Field
3 min read · Apr 20, 2024

This isn’t a full how-to post; it’s a description of the result of an idea I put together tonight. While it’s not rocket science, it is quite an interesting project.

The thing I’m looking to implement is a simple solution.

I use Cloudflare to host my DNS records externally and, more importantly, internally.

At home, every device I use is connected to a Tailscale network (tailnet). All the services I run, such as VMs or Docker containers, are only available if you are connected to the tailnet.

My phone and tablet have an always-on connection to the Tailscale network, so I get the same experience of my home services no matter where I am: home WiFi, 5G, hotel or public WiFi. I’m constantly connected to home.

If I want to, I can pass all my traffic over the VPN via what Tailscale calls an Exit Node, which is useful on McDonald’s or shopping mall WiFi. Otherwise I can split-tunnel the traffic between the local WiFi and the tailnet.

In order to reach the services at home, I’ve put them all behind an Nginx Proxy Manager (NPM) reverse proxy. This is set up to front each service (whether the service supports it natively or not) with an HTTPS endpoint, so all the services are accessed via the web (or phone apps) over SSL.

To do this, I link NPM to Cloudflare to generate a 90-day certificate and use Cloudflare to provide the internal DNS.

As an example, Plex:

By default, Plex is reachable on the Tailscale network at

http://10.100.100.123:32400/web/

I set up Plex on Nginx Proxy Manager to respond at

https://plex.homelan.com

On Cloudflare I point the DNS A record for plex.homelan.com to the Tailscale IP of the NPM server.

The final item is to point Tailscale’s DNS setting at the Cloudflare DNS servers for my domain.

Now any client connected to the tailnet has its DNS requests sent to Cloudflare, which resolves the Cloudflare-hosted A records.

This all works well, and if you are interested, DM me and I’ll write this up as a specific how-to.

What this setup doesn’t give me is DNS protection, which I’ve historically used NextDNS for. NextDNS would replace Cloudflare in the above, both for the DNS A records and as the Tailscale DNS address, and would provide protection against problematic DNS entries, be they marketing, malware, etc.

NextDNS, however, became VERY poor and slow, and for a chargeable service it wasn’t working for me personally.

So how do I get the DNS protection added to this setup?

The answer to this was simpler than I thought…

I introduced Pi-hole onto my home network.

Pi-hole can be installed on most Linux servers; this time I happen to be running it on my RPi4 (which is a backup VPN endpoint on the edge of my network).

With Pi-hole set up to listen on the Tailscale interface of the RPi, and a small selection of blocklists added, the final step was linking it all up.

I pointed Tailscale DNS at the Tailscale IP that Pi-hole is listening on.

I set Pi-hole’s next DNS hop (its upstream) to be the Cloudflare DNS that Tailscale was previously pointing to.

I end up with:

  • My phone/tablet/PC connecting to my Tailscale network
  • My internal services globally available over Tailscale
  • My DNS requests being checked by Pi-hole
  • If a request is not on a blocklist, it gets forwarded to Cloudflare, for either internal DNS on the homelan.com domain or public DNS
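To check that the chain behaves as described from a tailnet client, here is an added example (not from the original post) that sends a raw A query to the Pi-hole’s Tailscale IP and labels the answer as blocked, internal (an A record pointing into the Tailscale range, as with the NPM server) or public. The Pi-hole address `100.100.100.10` and the query names are constructed placeholders, not the author’s values.

```python
"""Probe the Tailscale -> Pi-hole -> Cloudflare DNS chain from a tailnet client:
send a raw A query to the Pi-hole's Tailscale IP and label the answer as blocked
(Pi-hole's 0.0.0.0 sentinel), internal (Tailscale CGNAT range) or public."""
import ipaddress
import socket
import struct

PIHOLE_TAILSCALE_IP = "100.100.100.10"           # constructed placeholder, not the author's
TAILNET = ipaddress.ip_network("100.64.0.0/10")  # Tailscale's CGNAT address range

def build_query(name, txid=0x1234):
    """Recursive A query (QTYPE=1, QCLASS=IN) for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
def _skip_name(buf, off):
    while True:                            # advance past a possibly compressed name
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += length + 1
def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4    # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return ips
def classify(ips):
    """Label the answer by where the chain in the post should have sent the name."""
    if not ips or ips == ["0.0.0.0"]:
        return "blocked"     # Pi-hole's null-blocking sentinel (or an empty answer)
    if all(ipaddress.ip_address(ip) in TAILNET for ip in ips):
        return "internal"    # Cloudflare A record pointing at the NPM Tailscale IP
    return "public"
def query(name, server=PIHOLE_TAILSCALE_IP, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        resp, _ = s.recvfrom(512)
    return classify(parse_a_records(resp))
```

Running `query("plex.homelan.com")` from a tailnet device should return `internal`, a name on one of the blocklists should return `blocked`, and anything else `public`; a `public` result for an internal name means the Pi-hole is not forwarding to the Cloudflare DNS that hosts the A records.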

If you are interested in the specifics of how I did this, or want to discuss it further, reach out via https://davidfield.carrd.co

A 35+ year veteran of the IT industry, now as well as being an IT Manager, I like to tinker with technologies and projects and blog about them.