Four Raspberry Pi advertising and tracking blockers


© Lead Image © Vitaliy Gaydukov,

Article from Issue 269/2023

A Raspberry Pi with the right software filters out annoying ads and nasty trackers for end devices on your local network.

Advertising on the Internet can be intrusive and annoying, often with trackers that spy on web browsing behavior. For standalone workstations, such unwanted content can be easily restricted or blocked by browser extensions. However, if you want to configure several workstations, setting up the extensions can take a great deal of time. Luckily, special appliances can block unwanted content centrally before it reaches the intranet. I looked at different strategies and their implementations for blocking ads and trackers on websites.


The solutions presented in this article can be integrated directly downstream of the router on the local network so that all incoming and outgoing data traffic runs through the tools. These appliances act as DNS servers in this process, except upribox, which sets up a wireless network you can use to access the Internet securely. Some of the solutions also offer integrated VPN servers and anonymize IP addresses. From outside the VPN, the workstations on the internal network can no longer be identified by their IP addresses. All of the solutions discussed are also free software, and the hardware usually is based on a Raspberry Pi.

One of the main advantages of centralized appliances is that you only need to connect and configure them once on the local network. For the most part, the systems automatically update during operation, which avoids additional overhead for customization and regular updates. Manual configuration of the clients is also largely eliminated. The tools support a wide variety of devices. In addition to computers, smartphones, tablets, and Internet of Things (IoT) devices are automatically protected.

AdGuard Home

The AdGuard Home [1] DNS server blocks certain domains that distribute advertising and spy on surfing behavior. Known malware domains can be blocked with blocking lists. The software does not require a client on the end device: Just install it on a Raspberry Pi and it protects the whole network.

As its home base, AdGuard requires an installed operating system, such as Raspberry Pi OS. The recommendation is to give the small-board computer (SBC) a static IP before the install to avoid problems caused by an address change after a reboot. The application can then be installed and started with a single command at the Raspberry Pi's terminal:

$ curl -s -S -L | sh -s -- -v

The software automatically detects the hardware you are using, sets up the system, and, at the end of the routine, shows information on how to access the tool's web interface and control the application at the prompt. As soon as you call the specified URL in a web browser, a graphical setup wizard launches. The wizard guides you through the basic configuration in five steps, requiring you to create a user account and password to protect the system.

The wizard also provides detailed instructions for configuring the router and various device classes. For the AdGuard Home server to work correctly, you need to modify the DHCP and DNS settings on the router for Internet access; otherwise, problems could occur. After completing the basic setup, log in through the web browser and access the dashboard (Figure 1).

Figure 1: AdGuard Home's start-up window is straightforward.

The dashboard displays statistics about the connected clients, DNS requests, denied requests, and filtered web pages in a graphical form. Underneath is a table of clients, a list of the most frequently requested domains, and a list of the most frequently blocked domains. AdGuard Home does not update these statistics continuously, but you can update them manually by clicking Refresh statistics.

After closing and reopening the administration interface, you do not need to specify the port number in the URL unless you changed the default values during the basic setup.

Various services (e.g., a parental control filter) are enabled in the Settings | General Settings menu. In this dialog, you also specify how often you want AdGuard Home to update the blocking lists. The Enforce safe search option blocks predefined web pages.

Depending on the size of the local network and the volume of the data traffic, you might want to modify the log intervals. In General settings | Log configuration, you can define how long the server keeps the logs and whether the client IP addresses are anonymized.

In Settings | DNS settings, you can enter additional DNS services on top of the existing upstream DNS server. With multiple DNS services, the software supports load balancing and gives priority to the fastest server, but you can change this behavior by clicking on the radio button to the left of one of the alternatives.

If the logging function is enabled, AdGuard Home lists all requests in the Query log tab. It not only lists the times, the requested servers, and the status messages of the requests, but also – in the Client column – the computer on the local network from which the request originated. You can use these logs to readjust the filter settings if necessary. For individual clients, certain server requests can be blocked by clicking Block (Figure 2).

Figure 2: The AdGuard Home logging function supports manual domain blocking.

The Filters | DNS blocklists menu already contains two filter lists with a total of 55,000 blocked domains. Checking a box enables a list, whereas clicking the Check for updates button lets you update the enabled lists.

To add additional lists, click Add blocklist. In the next dialog, you can then decide whether or not to enable one or more items from a list of predefined blocking lists (Figure 3) or to add your own blocking list. The selection dialog for predefined blocking lists lets you include general lists with advertising and tracker domains and integrate malware domain lists. Also, you will find regional lists sorted by country.

Figure 3: In AdGuard Home, you can add additional blacklists at the push of a button.

For heterogeneous environments with Windows clients, you can also enable a spy list specially adapted to the vulnerabilities of your operating system.
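The following added example (not AdGuard Home's own code) shows how a DNS blocker can evaluate a queried name against a blocklist. It assumes a simplified subset of rule syntax: adblock-style ||domain^ rules that cover a domain and its subdomains, @@||domain^ exceptions, and hosts-style lines that cover one exact name. All list entries and function names are constructed for illustration.

```python
# Constructed sample entries, not taken from a real blocklist.
SAMPLE_LIST = """\
! comment line in adblock style
||ads.example.net^
@@||static.ads.example.net^
0.0.0.0 tracker.example.org   # hosts-style: exact name only
"""

def parse_blocklist(text):
    """Split a list into suffix rules, exact rules and suffix exceptions."""
    rules = {"suffix": set(), "exact": set(), "except": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line.startswith("!"):
            continue
        if line.startswith("@@||") and line.endswith("^"):
            rules["except"].add(line[4:-1])
        elif line.startswith("||") and line.endswith("^"):
            rules["suffix"].add(line[2:-1])
        else:
            fields = line.split()
            if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
                rules["exact"].update(fields[1:])
    return rules

def _parents(name):
    """Return the name and each parent domain: a.b.c -> [a.b.c, b.c, c]."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def decide(name, rules):
    """Return 'allow' (exception hit), 'block' or 'pass' for a queried name."""
    parents = _parents(name)
    # Exceptions win over block rules.
    if any(p in rules["except"] for p in parents):
        return "allow"
    # Matching whole labels keeps badads.example.net from hitting ads.example.net.
    if parents[0] in rules["exact"] or any(p in rules["suffix"] for p in parents):
        return "block"
    return "pass"

RULES = parse_blocklist(SAMPLE_LIST)
```

Comparing whole labels rather than using a plain string suffix test is what keeps unrelated names such as badads.example.net out of the block decision.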


eBlocker [2] is a complete solution for the Raspberry Pi, the Banana Pi M2+, and VirtualBox virtual machines. eBlocker started life as a hybrid hardware and software solution. However, the manufacturer stopped distributing commercial eBlocker devices in 2019, while continuing to maintain the software as eBlockerOS in what has become a non-profit project.

Developers of eBlockerOS stipulate a minimum requirement of a Raspberry Pi with at least 1GB of RAM, but they recommend a fourth generation model with at least 2GB of RAM. The system requires at least an 8GB SD card, which should meet at least the recommended class 10 specification [3]. In terms of the power supply, the project advises you go for at least 3A. Additionally, you need a free local area network (LAN) port on the router or switch to connect the Raspberry Pi.

The developers also provide a list of compatible routers and repeaters that have been tested in combination with eBlockerOS. The list does not claim to be complete, but most commercially available devices and all the listed browsers are compatible, although some browsers have certain functions that cannot be used in combination with eBlockerOS.

To begin, download the latest eBlockerOS image, which weighs in at nearly 740MB, and unpack the image with an archiving tool. The resulting image is about 4.2GB, which you can transfer to a microSD card with a tool such as balenaEtcher [4] or the command:

$ dd if=eBlocker-2.8.2-raspberry-pi.img of=/dev/mmcblk0 bs=4M

From the image, boot the Raspberry Pi, which must be connected to the router with a standard LAN cable. The Raspberry Pi does not need a keyboard, mouse, or screen.

After a wait of a couple of minutes, you can enable eBlockerOS on the Raspberry Pi with any workstation on the network from The eBlocker system now uses address resolution protocol (ARP) spoofing to locate end devices on the LAN automatically and to intercept the data traffic as a gateway. A small orange eBlocker icon appears in the upper right corner of the screen, along with some status information relating to the current system. From this point on, eBlocker analyzes all data packets with the help of deep packet inspection, additionally checking notorious data collector domains by DNS blocking and modifying the user agent identifier that is sent.
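Because eBlocker takes over the gateway role through ARP spoofing, a client's neighbor table will show the router's IP address resolving to the eBlocker's MAC address. The added example below (not eBlocker code) audits the output of ip neigh show so that you can confirm the device answering for the gateway is one you expect. The addresses, MAC values, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed `ip neigh show` output from a LAN client; all values are made up.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:10 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:10 STALE
192.168.1.35 dev eth0 lladdr 02:00:00:00:00:35 REACHABLE
192.168.1.40 dev eth0 FAILED
"""

def parse_neigh(text):
    """Map IP -> MAC for every resolved neighbor entry."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields and fields[-1] not in ("FAILED", "INCOMPLETE"):
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def audit_gateway(table, gateway_ip, expected_macs):
    """Return findings as (kind, ip(s), mac) tuples.

    expected_macs: MACs allowed to answer for the gateway, for example
    the router itself and the eBlocker's Ethernet interface.
    """
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append(("no-gateway-entry", gateway_ip, None))
    elif gw_mac not in expected_macs:
        findings.append(("unexpected-gateway-mac", gateway_ip, gw_mac))
    # One MAC answering for several IPs is the visible trace of ARP spoofing.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            kind = "expected-shared-mac" if mac in expected_macs else "shared-mac"
            findings.append((kind, ",".join(sorted(ips)), mac))
    return findings

TABLE = parse_neigh(SAMPLE_NEIGH)
```

Run with the eBlocker's MAC in expected_macs, the shared entry is reported as expected; any other MAC claiming the gateway address is flagged for follow-up.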

To configure eBlockerOS, click on Dashboard for this device. A dialog appears telling you that you can create a bookmark for the browser. You are then taken to a spartan dashboard. Click on the gear icon in the top right corner of the dashboard to configure the system. In the setup wizard, select Continue, accept the license agreement, and then go on to set the time zone in the next step. The wizard prompts you for a name for the eBlocker system, but this name is only important if you will be running multiple eBlockers on the LAN.

The next step relates to automated activation of eBlocker for devices that you add to the network. By default, eBlocker is not enabled for new devices. In the last step you need to enter the license key, a relic from the time of the commercial eBlocker version. A valid license key will already be displayed, and you just need to enter a valid email address. This address is used to contact you at short notice in case of emergencies.

If updates are available, the wizard prompts you to update eBlockerOS. After completing the update, the Raspberry Pi reboots, and a notification window appears telling you about the installed updates.

After clicking the Continue button again, you will be taken to the dashboard (Figure 4). In the Device List, you will see all the devices on the LAN that the system located during setup. From the settings bar, you can configure the various options as needed. In the future, you will be able to access the dashboard by entering the IP address of the eBlocker system followed by port number 3000.

Figure 4: The eBlocker configuration options are grouped sensibly.

To configure the system in detail and protect it from unauthorized access, first set an admin password by clicking System at bottom left in the vertical bar and then the Admin Password link.

You can also change other security options. To anonymize the IP addresses, eBlocker provides two options in the IP Anonymization group: By default, data packets are routed through the Tor network, although a VPN connection with a public service provider can be configured as an alternative.

You can also set various options for the DNS firewall, parental controls with blacklists and whitelists, and mobile device protection in the appropriate categories. You can also view status indicators in the Doctor category. The Devices dialog box is where you switch eBlocker protection on or off for individual terminal devices.

For each terminal device on the LAN, you can view up-to-date status information in the web browser. Type the IP address of the eBlocker system in the browser, followed by a colon and port number 3000. Alternatively, just type

eBlockerOS opens a window with numerous status "cards" (Figure 5). You can view system messages in the Messages card or enable IP anonymization for the current workstation from the Anonymization card. You can also check the function of the tool or pause eBlocker for the workstation from the card at top center. Also useful is the option to manage lists of domains you want to block or allow by adding them to the Block Domains and Allow Domains cards.

Figure 5: Statistics displays in eBlocker give an overview of filtered content.
