We all hate ads. Using a Pi-hole server is a great way to reduce ads across your whole home network, including devices that can’t run adblock services such as mobile apps, Roku, Apple TV, etc. Now that’s great and all, but setting one up to run on your home network can be a bit of a pain, especially if your not a hardware person.
Say no more. You can easily setup a great performing Pi-hole server on Amazon AWS cloud, and it works great on Amazon’s free tier. For this how-to, I’m going to assume that you know nothing about AWS, and I’m not going to try and re-write other, much better thought out tutorials on other aspects of setting up and configuring a Pi-hole.
Part A – AWS Setup
1. Setup your AWS account
You will first need to create your AWS account, assuming you don’t already have one. Follow Amazon’s instructions on how to do that:
2. Access AWS EC2
Log into AWS
- Bring up the AWS Management Console
- Enter EC2 in the Search bar and follow the top result.
3. Launch (create) a new EC2 Instance.
For those of you new to this, an instance is just a virtual machine or virtual server, i.e., a server in the cloud. This is the first step to creating and configuring your new instance. Click the “Launch Instance” button.
Choose the image you will use for the new instance. In this tutorial we will be using the Ubuntu Server 18.04 LTS image. Search for “ubuntu”. Use the “64-bit (x86)” image. Click the Select button to continue.
Make sure that you have selected to use a “t2.micro” instance type. The instance type determines the resources (processors, memory) available to your machine. Pi-hole runs just fine on a t2.micro and it can be used in the free tier.
Click on the “4. Add Storage” link at the top. It will remember the tier selection.
Now you need to set the amount of stage you expect to use. It defaults to 8 GB, but you can set it for up to 30 GB. I personally set mine to 20 GB but I’m currently only using about 5 GB total.
If you’re not sure, enter 20.
After setting the size of your drive click the “Next: Add Tags” button at the bottom.
Click the “Add Tag” button. For the Key, enter “Name” and for Value enter “Pi-hole Server”.
You can use any descriptive name you want, but without a name, all you have is a crazy hex code to identify it by.
Click the Next button.
Now you will need to setup your Security Group. This is the most complex part of this process. The Security Group is basically a firewall around your server. It indicates which traffic is allowed through and what isn’t. I lean towards a very locked down server.
Set the Security Group Name to be “pihole-securitygroup”.
We need to add several rules in order for the Pi-hole server to be accessible and work. Note: /32 means only that single IP address is allowed. /24 allows a range of everything in X: 1.2.3.X. For more info or to calculate, take a look at the ipaddressguide: https://www.ipaddressguide.com/cidr
|HTTP||18.104.22.168/32||LetsEncrypt renewal server||To verify your LetsEncrypt site, it will need to access the site over HTTP.|
|HTTP||[Your IP]/32||Home LAN HTTP access||This will allow you to access and test the server from your home system|
|SSH||[Your IP]/32||Home LAN SSH access||This is needed to allow you to remote into the machine after we have it setup. Nothing worse than a machine you can’t access.|
|DNS (UDP)||[Your IP]/32||UDP DNS resolution||Allows your home network to use the Pi-hole as a DNS server (that’s the whole point).|
|DNS (TCP)||[Your IP]/32||TCP DNS resolution||Same, just with TCP|
|HTTPS||[Your IP]/32||Home LAN HTTPS access||Will allow you secure SSL access to the Pi-hole admin panel after we set it up with LetsEncrypt.|
When you’ve entered all the rules, click the “Review and Launch” button.
On the Review Instance Launch page, you will see a nice summary of all the configurations that you’ve made. Double check them and if everything looks good, hit “Launch.
You will need to create a key pair for the new instance. A key pair is a way of authenticating using SSH without the use of a username and password. It’s very important that you don’t loose the private key or you won’t be able to access the server through SSH in the future.
Set the new key pair name to be something identifiable and useful. Feel free to use anything you want, but this tutorial we will use:
After entering the name, make sure you click “Download Key Pair” to get your key. Put it some place you will find it again, say your desktop for now.
Now click “Launch Instances”.
Click “View Instances”. You will be shown a list of the EC2 instances and their current state. Give the server 5 minutes or so before you try to use it. When you click on the new server, you will see the assigned IP address. You could also use the public DNS, but who has the time for that.
Write down the IP address for the new instance.
4. Access your new AWS server
Create a new session in the software of your choice. When configuring the session set
- Remote host: IP address of the server
- Use a private key: Yes
- Private key: The downloaded key file “aws-key-admin-pihole.pem”
Once configured, go ahead and start the session.
Part B: Install & Configure Pi-hole, and Your LAN
Now it’s time to setup your Pi-hole server on the newly created instance. Please follow one of the very well researched and written tutorials out there. I like this one:
https://linuxincluded.com/install-pi-hole-on-ubuntu/ (read the notes below before doing this)
For your AWS instance, make sure you do these things:
- Make sure you install lighttpd as part of the install.
- Use the default IP addresses for static, no need to change them.
- To browse to the admin interface, you will need to use your AWS server Public IP address, not the address listed on the Installation Complete page.
- http://<aws public ip address>/admin
If you did everything correctly, Pi-hole should come up. Go ahead and click on Login. Enter your new super secure password.
When configuring your LAN, update your router and again use the AWS Public IP address as the address for your DNS server.
Part C: Setup SSL for Pi-hole
Since your installation is outside of your (hopefully) safe LAN, I highly recommend that your setup SSL for administering your Pi-hole. This will protect you when entering your password to access the admin page. Always best to not be submitting a password in clear text across the internet.
I recommend this tutorial: https://www.netweaver.uk/letsencrypt-ssl-pihole/
One addition to that tutorial is to update /etc/cron.d/certbot so that it will make updates that are compatible with lighttpd. To do that, comment out the existing job and add the following:
# run the 2nd of every month at 3:44am. Adjust as needed 44 3 2 * * root certbot renew –post-hook “cat /etc/letsencrypt/live/cert.pem /etc/letsencrypt/live/privkey.pem > /etc/letsencrypt/live/combined.pem; systemctl restart lighttpd”
Congrats! You now have an AWS Pi-hole!
- yubiuser on the pi-hole discourse discussion pointed out that the Security Group is limited to a single IP address. If you are using a non-static IP address, you will need to update the Security Group rules whenever your IP address changes. Note that I don’t have a static IP, but it has remained the same for over a year.
- t0m5k1 on the reddit discussion pointed out that it would be more secure to use pivpn to connect to your cloud server. Even with IP restrictions in place, an attacker could spoof your IP to attempt to access the cloud server.
- AWS Free Tier might be limited to 12 months, and then charge afterwards.