Tailscale for Pi-hole or AdGuard Home Worksheet

Written By Dad, the Engineer

THE TUTORIAL IS MEANT TO BE USED WITH THIS VIDEO!

YouTube tutorials can be a pain to actually follow, so here’s the worksheet that accompanies the video - for your convenience.

I recommend both printing this out, to use as a checklist, and keeping the page up, so you can copy-and-paste the entries.

What you need:

  1. 1 or 2 instances of Pi-hole or AdGuard Home on Raspberry Pis

  2. SSH access to both Raspberry Pis

STEP 1: Create a Tailscale account

  1. Visit login.tailscale.com/start

  2. Create a free Tailscale account

STEP 2: Install Tailscale on your RPis

Connect to your primary Pi-hole instance via SSH:

open a terminal window on your Windows computer, WIN + R > cmd > Enter

[copy/paste >] ssh USERNAME@IP_ADDRESS_OF_RPi

(for example: ssh netserv@192.168.0.11)

Enter password from step 1, #6 of the primary Pi-hole’s worksheet

[copy/paste >] curl -fsSL https://tailscale.com/install.sh | sh
[copy/paste >] sudo tailscale up --accept-dns=true

You will be given a login URL in the terminal window. Navigate to this URL on your PC to finish authorizing the device

Repeat this step for your secondary Pi-hole instance, if you have one

STEP 3: Configure Tailscale Machines

On the Machines tab of the Tailscale web admin:

  1. Select the icon on the far right of the primary Pi-hole machine row

  2. Select Disable Key Expiry

  3. Repeat this for the secondary Pi-Hole, if present

  4. Record primary Pi-hole Tailscale IP here: ______________________

  5. Record secondary Pi-hole Tailscale IP here: ____________________

STEP 4: Configure Tailscale DNS

On the DNS tab of the Tailscale web admin:

  1. Toggle Override DNS Servers to ON

  2. Select Add Nameserver, then Custom

  3. Enter the Tailscale IP for the primary Pi-hole (Step 3, #4)

  4. Repeat #2 & #3, for secondary Pi-hole (Step 3, #5), if applicable

STEP 5: Configure Pi-hole to allow Tailscale

(in the primary Pi-hole web UI):

  1. Navigate to System > Settings > DNS, with Expert toggle enabled

  2. In Interface settings change allow only local requests to permit all origins

  3. Click Save and Apply 

  4. Repeat for secondary Pi-hole, if applicable

ALTERNATE STEP 5: Configure AdGuard Home to allow Tailscale

(in the primary AdGuard Home web UI):

  1. Navigate to Settings > DNS settings > Use Private reverse DNS resolvers

  2. Uncheck (if checked) and click Apply

  3. Go to the Allowed Clients section of the Access Settings section, and make sure the textbox is empty

  4. Repeat for secondary AdGuard Home instance, if applicable

STEP 6: Install Tailscale on mobile clients

(from your mobile device):

  1. Navigate to tailscale.com/download

  2. Install the appropriate client

  3. Log into your Tailscale account to complete machine registration

  4. Turn off Android Private DNS or Apple Private Relay

Dad, the Engineer
Next

What you think, what you know, and what you can prove…