If you really like Pi-hole for ad-free and improved privacy browsing, and want to turbo-charge it so you can use it anywhere—on 5G, at the airport, or at a café, on any device—this is the ultimate privacy upgrade. This setup is more geeky than just setting up a Pi-hole at home, but it is quite doable with some knowledge of web servers and networking.

The Ingredients: An Idle VM and an Unused Domain
Many of us have an idle VM sitting around and an unused domain collecting dust. If you don't, getting started is incredibly cheap:
- Free VM: You can get a high-performance VM for free with OCI (Oracle Cloud Infrastructure). Read our post here.
- Cheap Domain: $1.10/month with IONOS Basic Mail, which includes a free domain of your choice. I personally don’t use its mail service — I only use it for the domain registration.
Pro Tip: You can technically multi-task a production VM with a production domain to save resources, but it's probably not the best idea. Keeping your DNS gateway on a dedicated "Ghost VM" keeps your main services clean and secure.
1. Link the VM and Pi-hole with Tailscale
To make this work securely, link the cloud VM and your home Pi-hole with Tailscale: install it on both machines and they get a private, WireGuard-encrypted tunnel between them.
This means your DNS traffic never crosses the public internet in the clear: it reaches the VM inside TLS and continues to your home inside the tunnel. Pi-hole must also accept queries arriving on its Tailscale interface (check its DNS interface/listening setting), otherwise the forwarded queries are refused.
- Follow the Official Tailscale Installation Guide.
- Once linked, note the 100.x.y.z IP address of your Pi-hole.
2. Install Nginx and Certbot
On your Cloud VM you need two pieces of software:
- Nginx (with its stream module) — terminates DNS-over-TLS connections on port 853 and forwards the queries to Pi-hole
- Certbot — obtains and renews the TLS certificate
# Install Nginx and the Stream module
sudo apt update
sudo apt install nginx libnginx-mod-stream -y
# Install Certbot
sudo apt install certbot -y
3. Configure IONOS API Credentials
To automate certificate issuance and renewal, create a credentials file so Certbot can prove domain ownership through the IONOS DNS API. The --dns-ionos authenticator used below is the third-party certbot-dns-ionos plugin, which the Debian certbot package does not include; install it (for example with pip) so that root's certbot can load it.
mkdir -p ~/.secrets/certbot/
nano ~/.secrets/certbot/ionos.ini
Paste the following:
# IONOS API credentials for Certbot
dns_ionos_prefix = YOUR_PUBLIC_PREFIX
dns_ionos_secret = YOUR_SECRET_KEY
dns_ionos_endpoint = https://api.hosting.ionos.com
Secure the file:
chmod 600 ~/.secrets/certbot/ionos.ini
4. Configure the Wildcard A Record
Go to your IONOS DNS dashboard and create a Wildcard A Record.
This ensures any subdomain request reaches your VM, allowing you to hide your DNS endpoint behind a long secret hostname.
- Host: *
- Points to: Your VM Public IP
5. Generate the Wildcard Certificate
Next, request a wildcard TLS certificate:
sudo certbot certonly \
  --dns-ionos \
  --dns-ionos-credentials ~/.secrets/certbot/ionos.ini \
  -d '*.yourdomain.com' \
  -d yourdomain.com
The wildcard is quoted so the shell does not expand it as a file glob. Because the certificate covers every subdomain, the secret hostname never has to be listed in a certificate request.
6. The Ghost Mode Nginx Configuration
This configuration uses SNI filtering: Nginx terminates TLS on port 853, reads the hostname the client sent in the TLS handshake, and forwards only connections that name your secret hostname to Pi-hole; every other hostname maps to an empty backend and the connection is closed. Add it as a top-level stream { } block in /etc/nginx/nginx.conf, beside (not inside) the existing http { } block; the map directive must live inside stream, otherwise nginx -t rejects the configuration.
stream {
    # Pick the backend from the SNI hostname. Unknown names get '' and are dropped.
    map $ssl_server_name $dns_backend {
        your-super-long-secret-string.yourdomain.com pihole_backend;
        default '';
    }

    upstream pihole_backend {
        # Pi-hole's Tailscale address: plain DNS over TCP, encrypted by the WireGuard tunnel
        server 100.x.y.z:53;
    }

    server {
        listen 853 ssl;
        ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_handshake_timeout 10s;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 4h;
        proxy_pass $dns_backend;
    }
}
7. Automate the Renewal (Cron Job)
Certbot only attempts a renewal when it is run, so create a root cron job that runs it nightly.
Nginx keeps the loaded certificate in memory, so it must be reloaded after a renewal; --post-hook runs after every renewal attempt (--deploy-hook would run only when a certificate was actually replaced).
sudo crontab -e
0 3 * * * certbot renew --post-hook "systemctl reload nginx"
8. Final Steps: Firewall and Device Setup
Allow inbound TCP 853 on the host firewall, validate the configuration, and restart Nginx. If the VM runs at a cloud provider such as OCI, also open TCP 853 in the provider's network security rules (the VCN security list on OCI); the host firewall alone does not admit the traffic:
sudo ufw allow 853/tcp
sudo nginx -t
sudo systemctl restart nginx
On Android:
Go to Settings → Network → Private DNS
Select Private DNS provider hostname and enter:
your-super-long-secret-string.yourdomain.com
The same hostname works on any device or operating system that supports DNS over TLS; set its private or encrypted DNS to the hostname above.
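To check the endpoint from a laptop before trusting it on your devices, here is an added Python client (example code, not from the original post): it sends a DNS-over-TLS query with the secret hostname as SNI, then repeats it with a decoy name under the same wildcard, which Ghost mode should drop. ENDPOINT is the post's placeholder hostname and decoy.yourdomain.com is an assumed name; both must be replaced with your own.

```python
import socket
import ssl
import struct

# Placeholders from the post; replace with your own secret hostname.
ENDPOINT = "your-super-long-secret-string.yourdomain.com"
PORT = 853

def build_query(name, qid=0x1234):
    """Encode a DNS A/IN query (RFC 1035) with the 2-byte length prefix that TCP/DoT requires."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_reply(msg):
    """Return (query id, RCODE, ANCOUNT) from a DNS message without its length prefix."""
    qid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    return qid, flags & 0x000F, an

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:  # peer closed: Nginx does this when the SNI maps to no backend
            return None
        buf += chunk
    return buf

def dot_query(name, sni=ENDPOINT, timeout=5):
    """Query `name` over DoT; returns (qid, rcode, ancount), or None if the server dropped us."""
    ctx = ssl.create_default_context()  # validates the wildcard cert, so any *.yourdomain.com SNI passes
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((ENDPOINT, PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                tls.sendall(build_query(name))
                hdr = _recv_exact(tls, 2)
                if hdr is None:
                    return None
                body = _recv_exact(tls, struct.unpack("!H", hdr)[0])
                return None if body is None else parse_reply(body)
    except (ssl.SSLError, ConnectionError):
        return None  # handshake refused or connection reset: treat like "no backend"

if __name__ == "__main__":
    print("secret SNI:", dot_query("pi-hole.net"))
    print("decoy SNI :", dot_query("pi-hole.net", sni="decoy.yourdomain.com"))
```

With a live endpoint the first call should return a tuple whose RCODE is 0, and the second should return None because Nginx maps the unknown SNI to an empty backend and closes the connection after the handshake.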
The Stealth Advantage: Wildcard Flexibility
The beauty of combining a wildcard DNS record with a wildcard TLS certificate is flexibility: any subdomain is valid, so the secret hostname can be changed whenever you want, and because the certificate covers *.yourdomain.com, the secret name itself never appears in a certificate request or in Certificate Transparency logs.
Bear in mind that SNI is sent in the clear during the TLS handshake, so anyone who can observe your device's traffic on the local network can see the hostname; treat it as a rotatable credential rather than a permanent secret.
If the hostname ever leaks, simply change the string in the map block of nginx.conf, reload Nginx, and update your device settings.
Success!
Your device is now protected by Pi-hole on any network with virtually zero maintenance.