I travel frequently and use public WiFi often. Two things bother me about that: the lack of privacy and the ads. This guide solves both: WireGuard routes my traffic through a cloud server for privacy, and Pi-hole running on the same server filters ads and trackers at the DNS level for every device on the VPN.
The result: all my devices — laptop, phone, tablet — route through my VPN, ads are blocked before they even load, and trackers can't build a profile across my browsing. One cloud server handles everything.
I run this on Tencent Cloud Lighthouse. The entry-level plan handles both WireGuard and Pi-hole easily — they're both lightweight. The key choice for a VPN+Pi-hole setup is region: pick a data center that matches where you want your traffic to appear to originate. Lighthouse has data centers in North America, Europe, Singapore, Tokyo, and more. The fixed bandwidth allowance also means routing all your browsing traffic through the VPN doesn't generate per-GB charges — predictable costs regardless of how much you browse.
```
Your Device → WireGuard tunnel → Cloud Server → Internet
                                      ↓
                                   Pi-hole
                                 (DNS filter)
                                      ↓
                             Blocked ads/trackers
                           never reach your device
```
When you're connected to the VPN:
| Requirement | Details |
|---|---|
| Server | Ubuntu 22.04, 1 GB+ RAM |
| Open ports | 51820/udp (WireGuard), 53/tcp+udp (DNS, internal only) |
| Domain | Optional — not needed for basic setup |
| Devices to connect | Any — WireGuard runs on all major platforms |
sudo apt update
sudo apt install -y wireguard
# Install the easy-setup script (it runs as root: read it before executing)
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
sudo ./wireguard-install.sh
Follow the prompts:
- DNS resolver for clients: 1.1.1.1 for now (you'll point the clients at Pi-hole later)
- First client name (e.g., laptop)

The script generates:
- /etc/wireguard/wg0.conf (server config)
- ~/laptop.conf (client config; or wherever it saves it)

Make sure the tunnel starts at boot and is up now:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
If UFW is active on the server (sudo ufw status), allow the WireGuard port. Do not add a rule for port 53: DNS must stay reachable only through the tunnel.
sudo ufw allow 51820/udp
sudo ufw reload
Also open port 51820/udp in your Lighthouse console firewall, and nothing else for this setup.
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-wireguard.conf
sudo sysctl -p /etc/sysctl.d/99-wireguard.conf
curl -sSL https://install.pi-hole.net | bash
During installation, choose:
- wg0 (WireGuard interface), if it asks which interface to listen on

At the end, note the admin password printed. You can also reset it (Pi-hole v5 syntax; v6 renamed this to pihole setpassword and moved the pihole-FTL.conf settings used below into /etc/pihole/pihole.toml):
pihole -a -p newpassword
Pi-hole has to be reachable at the server's WireGuard address. The install script asks which tunnel address to use; this guide assumes 10.0.0.1. Confirm what yours is:
ip addr show wg0
# Look for: inet 10.0.0.1/24
Pi-hole will be reachable at 10.0.0.1 from VPN clients (substitute your own address throughout if it differs).
In Pi-hole admin UI (http://10.0.0.1/admin from within the VPN):
- Settings → DNS → Interface: wg0

Or via command line:
sudo nano /etc/pihole/pihole-FTL.conf
Add:
REPLY_ADDR4=10.0.0.1
This only pins the address Pi-hole hands out for pi.hole (and so where the admin UI answers); it does not change which interface Pi-hole listens on, which matters later. Restart Pi-hole:
pihole restartdns
The WireGuard server config does not carry a DNS setting. Open it only to confirm the script's PostUp/PreDown rules are there (they enable forwarding and NAT for clients) and that nothing in it redirects DNS:
sudo nano /etc/wireguard/wg0.conf
DNS is handled at the client level: each client's [Interface] section names its resolver, and that is where Pi-hole goes in.
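As an added example (not the post's own config, and not the verbatim output of the wireguard-install script), here is a complete server-side wg0.conf whose firewall hooks do three things: forward and masquerade client traffic out of the public interface, accept DNS and the admin UI only when they arrive on wg0, and drop DNS that arrives on the public interface, so Pi-hole stays private even if the cloud firewall is loosened later. It assumes the public interface is eth0, the tunnel is 10.0.0.0/24 with the server at 10.0.0.1, and the key values are placeholders.

```ini
[Interface]
# Added example: assumes public interface eth0, tunnel 10.0.0.0/24, server at 10.0.0.1.
Address = 10.0.0.1/24
ListenPort = 51820
# Placeholder: keep the private key the install script generated.
PrivateKey = SERVER_PRIVATE_KEY_HERE

# No DNS line here: "DNS = 10.0.0.1" belongs in each client's [Interface].

# PostUp runs when the tunnel comes up; PreDown removes the same rules.
# 1) Forward client traffic and masquerade it out of eth0.
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -I FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
# 2) Pi-hole (DNS on 53, admin UI on 80) accepts connections from the tunnel only.
PostUp = iptables -I INPUT -i wg0 -p udp --dport 53 -j ACCEPT
PostUp = iptables -I INPUT -i wg0 -p tcp --dport 53 -j ACCEPT
PostUp = iptables -I INPUT -i wg0 -p tcp --dport 80 -j ACCEPT
# 3) "Permit all origins" binds Pi-hole to 0.0.0.0:53, so also drop DNS that
#    arrives on the public interface, independent of the cloud firewall.
PostUp = iptables -I INPUT -i eth0 -p udp --dport 53 -j DROP
PostUp = iptables -I INPUT -i eth0 -p tcp --dport 53 -j DROP

PreDown = iptables -D FORWARD -i wg0 -j ACCEPT
PreDown = iptables -D FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PreDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
PreDown = iptables -D INPUT -i wg0 -p udp --dport 53 -j ACCEPT
PreDown = iptables -D INPUT -i wg0 -p tcp --dport 53 -j ACCEPT
PreDown = iptables -D INPUT -i wg0 -p tcp --dport 80 -j ACCEPT
PreDown = iptables -D INPUT -i eth0 -p udp --dport 53 -j DROP
PreDown = iptables -D INPUT -i eth0 -p tcp --dport 53 -j DROP

[Peer]
# One stanza per client; the install script appends these for you.
PublicKey = CLIENT_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.2/32
```

PostUp may be given several times and the lines run in order. The INPUT rules use -I so they sit in front of UFW's chains; that matters because UFW's default-deny policy applies to packets arriving on wg0 as well, so without an explicit accept the clients' DNS queries to 10.0.0.1 would be dropped. After wg-quick up, sudo iptables -S INPUT shows the result.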
Edit existing client configs and any new client configs to use 10.0.0.1 as DNS:
Open the client config file (e.g., ~/laptop.conf):
sudo nano ~/laptop.conf
In the [Interface] section, set DNS (the [Peer] section holds the server key and endpoint, not DNS):
[Interface]
PrivateKey = ...
Address = 10.0.0.2/24
DNS = 10.0.0.1 # ← Change this to Pi-hole's IP
For new clients, the setup script generates configs — edit them before distributing to devices.
In Pi-hole admin → Settings → DNS:
Upstream DNS servers (what Pi-hole forwards unblocked queries to): pick one provider and uncheck any others.
Whatever you choose, that upstream still sees every name your devices look up. Pi-hole stops tracker domains from resolving; it does not hide your DNS history from the resolver it forwards to.
Run the setup script again:
sudo ./wireguard-install.sh
Choose "Add a new client", give it a name. The script creates a new config file and a QR code.
Or manually add a peer:
# On server (the keys land in /tmp; delete them once the client config exists)
wg genkey | tee /tmp/client_private.key | wg pubkey > /tmp/client_public.key
# Add to server config
sudo nano /etc/wireguard/wg0.conf
Add at the end:
[Peer]
PublicKey = CLIENT_PUBLIC_KEY_HERE
AllowedIPs = 10.0.0.3/32
Restart WireGuard (this briefly disconnects every client, so do it when nobody is on the tunnel):
sudo wg-quick down wg0 && sudo wg-quick up wg0
Create the client config file:
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_HERE
Address = 10.0.0.3/24
DNS = 10.0.0.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
# Show QR code for a client config (it encodes the private key: only display it on a screen you trust)
sudo apt install -y qrencode
sudo qrencode -t ansiutf8 < ~/laptop.conf
Or if using the install script, it generates a QR code automatically.
Download the WireGuard client from wireguard.com.
Import the .conf file (copy it to your device via SCP or paste the contents). The file contains the client's private key: move it over SSH rather than through a chat app or shared drive, and delete stray copies afterwards:
# Copy config to local machine
scp ubuntu@YOUR_SERVER_IP:~/laptop.conf ~/Downloads/laptop.conf
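The "Add a new client" step and the manual peer procedure above both end with a full restart of wg0, which drops every connected device. The script below is an added example, not part of the original post or of the wireguard-install script: it allocates the next free tunnel address by reading the existing wg0.conf, writes the server [Peer] stanza and the matching client config (DNS pointed at Pi-hole, everything routed through the tunnel), and loads the new peer with wg syncconf so existing sessions stay up. It assumes the guide's layout (server at 10.0.0.1/24, config at /etc/wireguard/wg0.conf) and expects to be run as root on the server; the pure functions take keys as arguments so they can be exercised without wireguard-tools.

```sh
#!/bin/sh
# Added example (not from the original post or the wireguard-install script):
# allocate the next free tunnel address from wg0.conf, write the [Peer] stanza and
# the matching client config, and load the new peer without restarting the tunnel.
# Assumptions (as in the guide): server tunnel address 10.0.0.1/24 with Pi-hole on
# it, server config at /etc/wireguard/wg0.conf. Live steps must run as root.

WG_CONF=/etc/wireguard/wg0.conf

# Read a wg0.conf on stdin and print the lowest unused 10.0.0.N (N = 2..254).
# Existing peers are recognised by their "AllowedIPs = 10.0.0.N/32" lines.
next_free_ip() {
    used=$(sed -n 's|^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*10\.0\.0\.\([0-9][0-9]*\)/32.*|\1|p')
    n=2
    while [ "$n" -le 254 ]; do
        if ! printf '%s\n' "$used" | grep -qx "$n"; then
            printf '10.0.0.%s\n' "$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "no free address in 10.0.0.0/24" >&2
    return 1
}

# Server-side stanza: $1 = client name, $2 = client public key, $3 = client IP.
peer_stanza() {
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Client config: $1 = client private key, $2 = client IP, $3 = server public key,
# $4 = endpoint host:port. DNS points at Pi-hole, and AllowedIPs = 0.0.0.0/0 sends
# everything (the DNS queries included) through the tunnel, never the local WiFi.
client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2/32
DNS = 10.0.0.1

[Peer]
PublicKey = $3
Endpoint = $4
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Append the stanza and load it into the running interface. wg syncconf applies
# the stripped config without touching peers that did not change, so the other
# devices stay connected (wg-quick down/up would drop all of them).
apply_live() {
    peer_stanza "$1" "$2" "$3" >> "$WG_CONF"
    tmp=$(mktemp)
    wg-quick strip wg0 > "$tmp"
    wg syncconf wg0 "$tmp"
    rm -f "$tmp"
}

# Usage: wg-add-peer.sh NAME SERVER_PUBLIC_KEY PUBLIC_IP:51820
main() {
    name=$1; server_pub=$2; endpoint=$3
    umask 077                                   # key material stays owner-only
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    ip=$(next_free_ip < "$WG_CONF") || exit 1
    apply_live "$name" "$pub" "$ip"
    client_conf "$priv" "$ip" "$server_pub" "$endpoint" > "$name.conf"
    echo "added $name as $ip; client config written to $name.conf"
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

The server's public key comes from sudo wg show wg0 public-key. Addresses are taken from the file rather than from a counter, so a peer removed by hand frees its address for the next device.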
Pi-hole comes with the default Steven Black list (~100k+ domains). This blocks most major ad networks.
In Pi-hole admin → Group Management → Adlists → Add new adlist:
Popular additions:
| List Name | URL | Blocks |
|---|---|---|
| OISD Full | https://big.oisd.nl | Ads + trackers + malware |
| Hagezi Pro | https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/pro.txt | Comprehensive |
| Developer Dan | https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt | Ads + tracking |
After adding, run:
pihole -g
This downloads and updates all block lists.
If Pi-hole blocks something you need:
# Whitelist a domain
pihole -w yourdomain.com
# Or via admin UI: Whitelist → Add
In Pi-hole admin → Query Log: see every DNS query in real time. This is useful for identifying what's being blocked and what's generating traffic.
After setting everything up, Pi-hole was working when I tested from the server itself, but connected VPN clients weren't getting ad filtering — DNS queries were going through, just not being filtered.
The issue: WireGuard clients were using DNS = 10.0.0.1 in their config (Pi-hole's IP on the WireGuard network), but Pi-hole was only listening on eth0 (the server's main interface), not on wg0.
Two symptoms:
The fix:
sudo nano /etc/pihole/pihole-FTL.conf
Add:
LISTEN_LOCALONLY=no
Then in the Pi-hole admin under Settings → DNS → Interface settings: choose "Permit all origins" instead of "Listen only on interface eth0".
After pihole restartdns, VPN clients' queries started flowing through Pi-hole.
Security note: "Permit all origins" makes Pi-hole bind port 53 on every interface, including the public one, so the firewall is now the only thing between your resolver and the internet (an open resolver gets found and abused for DNS amplification). Keep port 53 closed in the Lighthouse console firewall and add no UFW rule for it; VPN clients reach it through the WireGuard tunnel. Two checks are worth doing: from a host outside the VPN, a DNS query to the server's public IP should time out, and if UFW is enabled with its default deny policy, confirm that DNS arriving on wg0 is explicitly allowed, because default-deny applies to the tunnel interface too. In Pi-hole v5 the "Permit all origins" choice is stored as DNSMASQ_LISTENING=all in /etc/pihole/setupVars.conf.
| Issue | Likely Cause | Fix |
|---|---|---|
| VPN connects but no internet | IP forwarding not enabled, or no NAT rule | sysctl -w net.ipv4.ip_forward=1 (persist it in /etc/sysctl.d) and check the MASQUERADE rule in the wg0.conf PostUp |
| DNS not filtering ads | Pi-hole not listening on wg0 | Set "Permit all origins" in Pi-hole DNS settings (DNSMASQ_LISTENING=all in /etc/pihole/setupVars.conf on v5); confirm the client's queries show up in the Query Log |
| Can't reach Pi-hole admin | Wrong IP | Admin is at 10.0.0.1/admin when connected to VPN |
| All DNS failing | Pi-hole upstream issue | Check Pi-hole upstream DNS in settings |
| Client disconnects frequently | No keepalive | Add PersistentKeepalive = 25 to client config |
| Too many false positives | Overly aggressive block list | Remove stricter lists; whitelist needed domains |
| Pi-hole stats show no queries | Wrong DNS IP in client | Verify client config has DNS = 10.0.0.1 |
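The troubleshooting table and the security note above boil down to two questions: do the clients' queries really go through Pi-hole, and can anyone outside the tunnel reach the resolver? The script below is an added example (not from the original post) that answers both with dig. It assumes the server's tunnel address is 10.0.0.1, Pi-hole's default blocking mode (blocked names answer 0.0.0.0 or ::), dig installed (dnsutils on Ubuntu), and that doubleclick.net is on your block list; substitute any name your Query Log shows as blocked.

```sh
#!/bin/sh
# Added example, not part of the original post: check that DNS really flows through
# Pi-hole inside the tunnel and that the resolver is unreachable from the internet.
# Assumptions: server tunnel address 10.0.0.1, Pi-hole in its default blocking mode
# (blocked names answer 0.0.0.0 / ::), dig installed, doubleclick.net on the block list.
# Usage:  dns-check.sh inside [BLOCKED_DOMAIN]   on a device connected to the VPN
#         dns-check.sh outside PUBLIC_IP         from a host that is NOT on the VPN

# Turn the first answer line of `dig +short` into one of: blocked, allowed, noanswer.
classify() {
    case "$1" in
        "")          echo noanswer ;;
        0.0.0.0|::)  echo blocked ;;
        *)           echo allowed ;;
    esac
}

# Ask resolver $1 for the A record of $2. dig prints timeouts as ";;" lines on
# stdout, so those are filtered out rather than mistaken for an address.
probe() {
    ans=$(dig @"$1" +short +tries=1 +time=3 "$2" A 2>/dev/null | grep -v '^;' | head -n 1)
    classify "$ans"
}

# Inside the tunnel: a known ad domain must come back as the null address and a
# normal domain must resolve. Both going to "allowed" means the queries reach
# 10.0.0.1 but Pi-hole is not filtering; "noanswer" means they never arrive.
inside_check() {
    blocked_domain=${1:-doubleclick.net}
    ad=$(probe 10.0.0.1 "$blocked_domain")
    ok=$(probe 10.0.0.1 example.com)
    echo "$blocked_domain via Pi-hole: $ad (expect blocked)"
    echo "example.com via Pi-hole: $ok (expect allowed)"
    [ "$ad" = blocked ] && [ "$ok" = allowed ]
}

# Outside the tunnel: port 53 on the public address must not answer at all.
# "allowed" here means you are running an open resolver; fix the firewall first.
outside_check() {
    r=$(probe "$1" example.com)
    echo "example.com via $1 from the internet: $r (expect noanswer)"
    [ "$r" = noanswer ]
}

case "${1:-}" in
    inside)  inside_check "$2" ;;
    outside) outside_check "$2" ;;
esac
```

Run the inside check from a phone or laptop while connected to the VPN, and the outside check from any machine that is not (a second VPS, or the same laptop with the tunnel turned off). The exit status is zero only when the result matches expectations, so it can go in a cron job that alerts when the resolver becomes reachable from outside.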
✅ What you built:
The combined setup blocks 20-40% of DNS queries on average (mostly ads and trackers that never load). Browsing feels noticeably cleaner, and pages load faster without fetching ad content.
How many simultaneous connections can a VPN server on a VPS handle?
For personal or small team use, a VPS handles 10–30 simultaneous VPN connections comfortably. Bandwidth is usually the limiting factor, not CPU or RAM.
Will a self-hosted VPN make all my traffic private?
Your traffic is encrypted between your device and the VPN server; from there it travels to its destination as it normally would. The server (and the cloud provider hosting it) can see which hosts you talk to, and the sites you visit see the server's IP instead of yours. The VPN protects against eavesdropping on the local network, such as the airport WiFi, but it does not make you anonymous on the public internet.
What region should I choose for my VPN server?
Choose based on your use case: for low latency, pick the region closest to you. For a specific exit IP location (e.g., to access a region-specific service), pick accordingly. Lighthouse has data centers in North America, Europe, and Asia-Pacific.
Is WireGuard more secure than OpenVPN?
Both are considered secure. WireGuard's codebase is substantially smaller (4,000 lines vs 70,000+), making it easier to audit. OpenVPN has a longer track record. For most users, WireGuard is the better choice for new deployments.