block every
ad.
500k+
Domains blocked
0ms
Added latency
£0
Forever free
HexBlock runs on your own hardware. DNS filtering protects every device without installing anything on them. WireGuard VPN encrypts traffic wherever you go.
DNS enginednsmasq
VPN protocolWireGuard
Added latency0 ms
RAM at idle~200 MB
Proxy supportTraefik / Caddy / Nginx / CF
2FATOTP (optional)
LicenceMIT — free forever
Two layers.
Total coverage.
DNS filtering blocks ads at the network level — nothing to install on any device. WireGuard encrypts everything in transit, even away from home.
Your devices
Point your router DNS at HexBlock. Every device — phones, TVs, consoles, smart home — protected automatically. Zero configuration required.
Zero configWireGuard VPN
Connect any device via WireGuard and traffic routes through HexBlock wherever you are. QR code onboarding. End-to-end encrypted.
EncryptedDNS filtering
dnsmasq resolves queries. Blocked domains return NXDOMAIN instantly — no connection ever made. Six preset categories plus custom rules.
500k+ domainsUpstream DNS
Allowed queries forwarded to Cloudflare, Quad9, or Google over DNS over HTTPS. Your ISP cannot see which names you resolve.
DNS over HTTPSEverything.
Nothing gated.
Every feature is free. No paid tier, no premium plan.
Default blocklist
500k+
Hagezi Ultimate, EasyList, Pi-hole lists. Auto-updates daily. No manual maintenance.
Always currentQuery log
Live DNS query log
Every DNS query in real time with device attribution. Filter, search, export. 7-day rolling retention.
Real-timeSecurity
Hardened by default
Argon2id hashing. Brute-force lockout. CSRF protection. Optional TOTP 2FA. Full admin audit log.
TOTP 2FABrowser extension + video
HexBlock Watch — ad-free YouTube
Visit hexblock.co.uk/watch or replace youtube.com in any URL. No install, no account, SponsorBlock built in. DNS handles the network; Shield handles inline video ads DNS cannot reach.
Ad-free videoHardware
5W
Runs 24/7 on a Raspberry Pi. 200 MB RAM at idle. No cloud, no subscription.
200 MB RAMRules
Custom allow & deny
Per-domain rules that override all blocklists. Applied instantly — no restart required.
Instant applyVPN
WireGuard VPN
Automatic key generation. QR code onboarding. Traffic encrypted and filtered everywhere.
EncryptedProxy
Proxy ready
Traefik, Caddy, Nginx, or Cloudflare Tunnel. Setup script writes all config files.
Zero config SSL10:24:01──hexblock starting — 521,847 rules loaded
10:24:18ALLOWyoutube.com→ 1.1.1.1
10:24:18BLOCKdoubleclick.net×47
10:24:19BLOCKgoogleadservices.com×12
10:24:19ALLOWgooglevideo.com→ 1.1.1.1
10:24:20BLOCKpagead2.googlesyndication.com×8
10:24:21ALLOWgithub.com→ 1.1.1.1
10:24:21BLOCKtracking.twitter.com×3
10:24:22ALLOWapi.github.com→ 1.1.1.1
10:24:22BLOCKamazon-adsystem.com×6
1,284
Blocked today
47
Segs skipped
4m
Time saved
HexBlock
Shield.
DNS blocks ads at the network. Shield catches what is inside the browser — YouTube ads and sponsor segments DNS can never touch.
01
YouTube + SponsorBlock
Skips pre-roll, mid-roll, and sponsor segments. Only a 4-character hash of the video ID is sent to the SponsorBlock API.
02
EasyList + EasyPrivacy
Industry-standard filter lists via declarativeNetRequest. Fast, battery-friendly. Detects other blockers and avoids conflicts.
03
Twitch ad hide & mute
Pre-roll ads are server-side — Shield detects them and hides + mutes the player. You see a dark screen instead of the ad.
04
Gateway connection test
Enter your HexBlock server URL in settings. Shows CONNECTED, UNREACHABLE, or TIMEOUT in real time.
Your server.
Your choice.
The interactive setup script asks five questions and writes every config file.
Most common
Home network
No domain needed. Script sets a static IP and local hostname automatically. Access via IP on your LAN.
No domainStatic IPRaspberry Pi
Recommended
Cloudflare Tunnel
Zero open ports. Cloudflare handles SSL. Dashboard never exposed to the internet. Works behind CG-NAT.
No open portsAuto SSLTraefik
Self-managed
Nginx / Caddy
Caddy fetches SSL automatically. Or use the generated Nginx config with Certbot. Script prints exact commands.
Let's EncryptDocker
Run it
today.
One command on any Linux server. The setup script handles everything — Docker, WireGuard, DNS, and SSL.
$ sudo bash <(curl -fsSL hexblock.co.uk/install.sh)