Tailscale for Pi-hole

Use Tailscale's free features for SDN, DNS, reverse proxying, and certificate generation and renewal, with Pi-hole as a proof of concept.


I've been using Tailscale as an easy-to-set-up WireGuard SDN for my devices at home for a couple of years now. I'm on their personal plan, which is entirely free for 3 users and 100 devices, completely overkill for my homelab. Recently I looked over their documentation again and found some features that have been added since I last read it.

Anyway, you can use your Pi-hole as the DNS server for your tailnet, and Tailscale's documentation covers this well, so I won't rehash it here except to emphasize two things: run tailscale up --accept-dns=false when you first bring Tailscale up on the Pi-hole (otherwise the Pi-hole would be handed its own tailnet DNS settings and point at itself), and disable key expiry for that host so its node key doesn't lapse and take your tailnet's DNS down with it. With this in place you get Pi-hole DNS blocking on roaming tablets, laptops on public Wi-Fi, and phones. Nifty.

You can share your Pi-hole with friends too! All they need is their own free personal tailnet, and you can share with an unlimited number of friends and family. Alternatively, your personal account has room for 2 other users, so if they don't need their own tailnet you can add them to yours.

But there's more! They now have Tailscale Serve, which is an easy way to get a reverse proxy and TLS certificates for your services. Now that the Pi-hole is in your tailnet, run sudo tailscale serve --bg http://localhost:80/admin and you can reach the Pi-hole admin page from any tailnet device at https://<hostname>.<magicdnsname>.ts.net in your browser, with a valid HTTPS certificate that Tailscale provisions for you. Serve only publishes the page inside the tailnet; Funnel is the separate feature that would expose it to the public internet. Of course, this is not strictly needed for Pi-hole, since http://pi.hole redirects to the admin page on any device using it as DNS, but that route obviously comes without the certificate.

Finally, the last thing to do with Tailscale on this device is lock down SSH so it only accepts connections from tailnet devices. Raspbian does not ship UFW by default, but it's easy enough to install, after which you can resume following along.
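One way to carry out that lock-down, as an added example rather than the post's own or Tailscale's script: it builds a UFW rule set that trusts the tailnet interface, keeps DNS and the admin page reachable from the LAN, and refuses to apply the rules if the current SSH session did not itself arrive over the tailnet. It assumes ufw is installed, the interface is named tailscale0, and the LAN is 192.168.1.0/24 (all overridable).

```shell
#!/bin/sh
# Added example, not from the post: restrict SSH on the Pi-hole host to the
# tailnet with UFW while keeping DNS and the admin page reachable from the LAN.
# Assumptions: Raspbian/Debian with ufw installed, Tailscale's interface is
# tailscale0, and the LAN is 192.168.1.0/24 (override via LAN_CIDR).
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
TS_IF="${TS_IF:-tailscale0}"
# True if an IPv4 address lies in 100.64.0.0/10, the range Tailscale assigns
# to tailnet nodes: first octet 100, second octet 64..127. IPv4 only.
in_tailnet_range() {
    case $1 in *.*.*.*) ;; *) return 1 ;; esac
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    [ "$o1" = 100 ] && [ "$o2" -ge 64 ] 2>/dev/null && [ "$o2" -le 127 ]
}
# The rule set, one command per line, so it can be reviewed before running.
# Default-deny drops SSH (and everything else) arriving from the LAN; the
# tailnet interface is trusted wholesale; 41641/udp lets peers reach this
# node directly instead of falling back to Tailscale's DERP relays.
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in on $TS_IF
ufw allow 41641/udp
ufw allow in from $LAN_CIDR to any port 53
ufw allow in from $LAN_CIDR to any port 80 proto tcp
ufw --force enable
EOF
}

# Lock-out guard: the interface must exist, and a shell that arrived over SSH
# must already come from a tailnet address, or it cannot be re-established.
preflight() {
    ip link show "$TS_IF" >/dev/null 2>&1 || { echo "no $TS_IF; run tailscale up first" >&2; return 1; }
    client=${SSH_CONNECTION%% *}
    if [ -n "$client" ] && ! in_tailnet_range "$client"; then
        echo "SSH session from $client is not over the tailnet; reconnect via Tailscale first" >&2
        return 1
    fi
}
apply_rules() {
    preflight || return 1
    ufw_rules | while IFS= read -r cmd; do echo "+ $cmd"; sudo $cmd; done
}
case "${1:-}" in
    --dry-run) ufw_rules ;;     # print the commands without running them
    --apply)   apply_rules ;;
esac
```

Run it with --dry-run first to review the commands, then --apply from a session that is already connected over the tailnet.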

To summarize, with Tailscale we now:

  • Have ad blocking via DNS for all tailnet devices.
  • Have shared the Pi-hole with a friend who doesn't have the resources to run their own.
  • Can reach the admin portal from the tailnet by hostname alone (note that the tailnet hostname can differ from the device hostname), with a valid certificate.
  • Only allow SSH from tailnet devices.

These steps were mainly for a Pi-hole running on an actual Raspberry Pi or in a VM. I'll make another post on Tailscale Serve and Funnel for Docker containers. I hope it was useful as an overall proof of concept; for example, most of the above can be adapted to Proxmox or AdGuard Home.