Block Ads Everywhere: A Complete Guide to Pi-hole + Tailscale on Raspberry Pi

Introduction

Online advertising is not only intrusive but also erodes privacy, introduces security risks, slows down browsing, and drains battery life. Traditional ad blockers are device-specific and require constant maintenance. Pi-hole blocks ads at the network level by acting as a DNS sinkhole, protecting all devices on your network without additional software. Tailscale creates a secure private network (tailnet) using WireGuard, allowing you to safely access your home network from anywhere. This guide explains how to combine Pi-hole and Tailscale on a Raspberry Pi to achieve always‑on ad blocking everywhere.

Attack Overview

The following diagram summarises the setup process:

[Raspberry Pi Setup]
    ↓
[Install Pi-hole] → Configure static IP, upstream DNS, blocklists
    ↓
[Secure Pi-hole] → Change admin password, permit all origins
    ↓
[Install Tailscale] → Disable key expiry, --accept-dns=false
    ↓
[Tailnet DNS Configuration] → Point custom nameserver to Pi's Tailscale IP
    ↓
[Test] → Enable Tailscale on any device → ads blocked globally
    ↓
[Bonus] → Configure home router DNS → whole-home blocking without Tailscale

Hardware and Prerequisites

• Raspberry Pi (Model B or later, 2GB+ storage, 512MB+ RAM)
• Raspberry Pi OS (latest version)
• Another device (phone or laptop) to set up Tailscale
• An email account (Google, Apple, or Microsoft) for Tailscale sign‑up

Step 1: Set Up Pi-hole on Your Raspberry Pi

Access the Raspberry Pi terminal (directly or via SSH):

ssh username@raspberry-pi-ip-address

Update the system and install Pi-hole:

sudo apt update
sudo apt upgrade -y
curl -sSL https://install.pi-hole.net | bash

During the installation wizard:

• Static IP: Select Yes to keep the Pi’s address consistent.
• Upstream DNS: Choose a reliable provider (e.g., Google, Cloudflare).
• Blocklists: Select Yes for the Steven Black unified list.
• Web Interface: Install the admin GUI.
• Privacy Settings: Choose your preferred logging level.

Secure Pi-hole

Set a strong admin password:

pihole -a -p

Access the web interface at http://your-pi-ip-address/admin and log in.

Critical Pi-hole Configuration (Tailscale compatibility)

Tailscale assigns devices special 100.x.x.x addresses. Configure Pi-hole to listen on the Tailscale interface:

1. Go to Settings → DNS.
2. Toggle Basic to Expert mode (upper right).
3. Under Interface settings, check Permit all origins.

Security reminder: Ensure the Raspberry Pi is behind a firewall and use a strong Pi-hole admin password.

Step 2: Create Your Tailnet

Download the Tailscale client on your phone or laptop and sign up using your email account. Verify that your device appears in the Tailscale admin console under Machines.

Step 3: Install Tailscale on the Raspberry Pi

Back on the Pi terminal:

curl -fsSL https://tailscale.com/install.sh | sh

Start Tailscale with DNS disabled (because the Pi itself is the DNS server):

sudo tailscale up --accept-dns=false

An authentication URL will appear in the terminal. Paste it into a browser and log in with your Tailscale account. The Pi will now appear in your Tailscale admin console.

Prevent DNS interruptions

Tailscale periodic re‑authentication can cause DNS outages. Disable key expiry for the Pi:

1. Go to Machines in the admin console.
2. Click the … next to your Raspberry Pi.
3. Select Disable key expiry.

Step 4: Configure Tailnet DNS

Point your entire tailnet to use the Pi-hole:

1. Go to the DNS page in the admin console.
2. Click Add nameserver → Custom.
3. Enter the Raspberry Pi’s Tailscale IP (starts with 100.x.x.x).
4. Click Save.
5. Enable Override DNS servers.

Testing the Setup

Connect to Tailscale on any device (phone, laptop, tablet). Visit a website known to display ads – pages should appear clean and ad‑free. Temporarily disable Tailscale to confirm that ads reappear, then re‑enable to verify the setup works.

Bonus: Whole‑Home Ad Blocking (Without Tailscale)

Configure your home router’s DNS settings to point to the Raspberry Pi’s local IP address (e.g., 192.168.x.x). This will protect every device on your home network, even those not running Tailscale.

Key Takeaways

Component	Purpose	Security Consideration
Pi-hole (DNS sinkhole)	Blocks ads and trackers at network level	Must listen on Tailscale interface (Permit all origins)
Tailscale (WireGuard VPN)	Secure access to Pi-hole from anywhere	Disable key expiry for DNS server; use --accept-dns=false
Raspberry Pi (hardware)	Low‑cost, low‑power always‑on host	Keep behind firewall; use strong admin passwords
Home router DNS override	Whole‑home blocking without per‑device VPN	Ensures non‑Tailscale devices also benefit

Resources

• Pi-hole — Network‑wide ad blocking
• Tailscale — Zero‑trust VPN
• Raspberry Pi — Single‑board computer
• Steven Black blocklist — Unified hosts file
• Tailscale DNS configuration docs