Pi-hole on Cloud VPS: Block Ads Everywhere for Free
Most Pi-hole guides assume you have a Raspberry Pi at home. But what about when you're at a coffee shop? Hotel WiFi? Your phone on mobile data? A cloud-based Pi-hole works everywhere—and with free cloud credits, it costs nothing to set up.
Last updated: July 2026
What You'll Get
- Block ads on all devices — phones, laptops, tablets, even smart TVs
- Works anywhere — not just your home network
- Encrypted DNS — when paired with WireGuard VPN
- No app installs needed — blocks at the DNS level
- Cost: $0 using Oracle Cloud's always-free tier or cloud credits
Why Cloud-Based Pi-hole?
A Raspberry Pi at home only blocks ads when you're home. Your phone on cellular? Ads everywhere. Hotel WiFi? Ad-infested. A cloud Pi-hole fixes this:
- Access from anywhere with an internet connection
- Faster than home connections — datacenter speeds vs. residential upload
- Always-on — no worries about power outages or SD card failures
- Pair with WireGuard for encrypted DNS that hides your queries from ISPs
Choose Your Cloud Provider
Any VPS with 512MB RAM works, but 1GB is better if you want extensive blocklists. Here are the best options:
| Provider | Free Offer | Duration | Best For | Get Started |
|---|---|---|---|---|
| Oracle Cloud | Always Free Tier 2 VMs, 1GB RAM each | Forever | Permanent free hosting | Always Free → |
| DigitalOcean | $200 credit | 60 days | Easiest setup | Get $200 Free → |
| Vultr | $100 credit | 30 days | Most locations | Get $100 Free → |
| Linode | $100 credit | 60 days | Good performance | Get $100 Free → |
| Hetzner | No free tier | ~€3.79/mo | Cheapest long-term (EU) | View Plans → |
Our pick: Oracle Cloud for permanent free hosting. DigitalOcean for easiest setup if you're new to VPS.
For detailed provider comparisons and setup guides, see our Free Cloud Hosting Comparison.
Step 1: Deploy Your VPS
Create a VPS with these specs:
- OS: Ubuntu 22.04 LTS or Debian 12
- RAM: 1GB minimum (512MB works but may limit blocklists)
- Storage: 10GB+ (Pi-hole is lightweight)
- Location: Choose a region close to you for lower latency
Once deployed, SSH into your server:
ssh root@YOUR_SERVER_IP Step 2: Install Pi-hole
Update your system first:
apt update && apt upgrade -y Run the official Pi-hole installer:
curl -sSL https://install.pi-hole.net | bash The installer will ask several questions:
- Interface: Select your network interface (usually
eth0orens3) - Upstream DNS: Choose a privacy-respecting provider:
- Quad9 (9.9.9.9) — blocks malware, privacy-focused
- Cloudflare (1.1.1.1) — fast, privacy policy
- Custom — you can use NextDNS or your own resolver
- Blocklists: Accept the default StevenBlack list
- Web Interface: Yes — needed for management
- Logging: Your choice — I recommend "Show everything" initially, then reduce later
After installation, save your admin password shown on screen. Change it with:
pihole -a -p Step 3: Secure Your Pi-hole
Critical: A Pi-hole exposed to the internet without protection becomes an open DNS resolver—usable for DNS amplification attacks. You MUST secure it.
Option A: WireGuard VPN (Recommended)
The best approach: only allow DNS queries from devices connected via WireGuard. This encrypts your DNS traffic AND prevents abuse.
Install WireGuard:
curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh
chmod +x wireguard-install.sh
./wireguard-install.sh When asked for DNS server, enter your server's private WireGuard IP (usually 10.66.66.1 or similar).
Now configure Pi-hole to only listen on the WireGuard interface:
- Go to Pi-hole admin → Settings → DNS
- Under "Interface settings", select "Allow only local requests"
- This restricts Pi-hole to your VPN tunnel only
See our Build Your Own VPN guide for detailed WireGuard setup.
Option B: Firewall Restrictions
If you don't want VPN, restrict DNS to specific IPs:
# Allow your home IP
ufw allow from YOUR_HOME_IP to any port 53
# Allow your phone's IP (if static)
ufw allow from YOUR_PHONE_IP to any port 53
# Block everything else on port 53
ufw deny 53
# Enable firewall
ufw enable Problem: Most home IPs and phone IPs change. You'll need to update firewall rules constantly. That's why WireGuard is better.
Option C: Configure Pi-hole Interface Settings
In Pi-hole admin → Settings → DNS → Interface settings:
- "Allow only local requests" — Safest, requires VPN
- "Respond only on interface X" — Limits to one interface
- "Permit all origins" — DANGEROUS without firewall protection
Step 4: Add More Blocklists
The default blocklist is minimal. Add more for comprehensive ad blocking:
Go to Pi-hole admin → Group Management → Adlists and add:
# OISD Full (comprehensive, well-maintained)
https://big.oisd.nl/
# HaGeZi Pro++ (aggressive blocking)
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt
# 1Hosts Pro (lite version for less breakage)
https://o0.pages.dev/Pro/adblock.txt After adding lists, update gravity:
pihole -g Warning: Aggressive blocklists may break some websites. Start with OISD and add more as needed.
Full Tunnel vs. Split Tunnel
When using WireGuard + Pi-hole, you have two options:
Full Tunnel (Route all traffic through VPN)
All your internet traffic goes through the VPS. Pros:
- Hides your IP from websites
- Encrypts all traffic on untrusted networks
- ISP can't see what sites you visit
Cons:
- Speed limited to VPS bandwidth (Oracle caps at ~10Mbps)
- Uses VPS data transfer quota
Split Tunnel (Only DNS through VPN)
Only DNS queries go through the VPN. Regular traffic uses your normal connection. Pros:
- Full internet speed (no VPN bottleneck)
- Minimal data usage on VPS
- Still blocks ads via Pi-hole DNS
Cons:
- Websites see your real IP
- Non-DNS traffic isn't encrypted by the VPN
For split tunnel, modify your WireGuard client config:
[Peer]
# Only route DNS traffic (split tunnel)
AllowedIPs = 10.66.66.1/32
# Instead of full tunnel:
# AllowedIPs = 0.0.0.0/0, ::/0 Connect Your Devices
With WireGuard (Recommended)
- Install WireGuard client on your device
- Import the config file generated during setup
- Connect — your DNS now goes through Pi-hole
Apps: WireGuard apps for all platforms
Without VPN (Static IP Required)
If your device has a static IP and you've allowed it in the firewall:
- Go to your device's network settings
- Set DNS server to your VPS's public IP
- That's it — DNS queries go to Pi-hole
Not recommended: Most devices have dynamic IPs. Use WireGuard instead.
Test Your Setup
After connecting, verify Pi-hole is working:
- Visit ads-blocker.com/testing
- Check Pi-hole admin → Query Log to see blocked domains
- Visit a news site — no ads should load
Maintenance
Update Pi-hole
pihole -up Update Blocklists
pihole -g View Statistics
Access the web interface at http://YOUR_SERVER_IP/admin (or via WireGuard tunnel IP).
Whitelist Broken Sites
If a site breaks, add it to the whitelist:
pihole -w example.com Troubleshooting
DNS Not Working
- Check if Pi-hole service is running:
pihole status - Verify firewall allows port 53:
ufw status - Test locally on server:
dig @127.0.0.1 google.com
Slow DNS Resolution
- Choose an upstream DNS closer to your VPS location
- Enable "Conditional forwarding" for local names if needed
Too Many Sites Blocked
- Remove aggressive blocklists
- Check Query Log to find the blocked domain
- Whitelist as needed
Privacy Bonus: DNS Over HTTPS (DoH)
For extra privacy, configure Pi-hole to use encrypted upstream DNS. Install cloudflared or dnscrypt-proxy as your upstream resolver. This encrypts the connection between Pi-hole and upstream DNS providers.
Cost Summary
| Provider | During Free Period | After Free Period |
|---|---|---|
| Oracle Cloud | $0 | $0 forever |
| DigitalOcean | $0 (60 days) | $4-6/mo |
| Vultr | $0 (30 days) | $5-6/mo |
| Linode | $0 (60 days) | $5/mo |
| Hetzner | N/A | €3.79/mo |
References
- Pi-hole Official Site
- How to Deploy Pi-hole on Vultr
- Pi-hole and WireGuard on Oracle Cloud Free Tier
- WireGuard VPN with Pi-hole DNS Resolver
- Pi-hole VPS Tutorial
Related Guides
- Free Cloud Hosting Comparison — Get $700+ in free credits
- Build Your Own VPN — WireGuard setup for encrypted traffic
- Encrypted DNS Comparison — Quad9 vs NextDNS vs Cloudflare
- Ad Blocker Comparison — Pi-hole vs uBlock Origin vs AdGuard
- Self-Hosted Cloud Storage — Nextcloud on your VPS
- Self-Hosted Password Manager — Vaultwarden setup