v1.2.2 — free, open source, self-hosted

BLOCK EVERYTHING. DNS + WireGuard + Tailscale

Your TV is phoning home. Your phone is tracking you. Your browser is being sold. HexBlock stops all of it — on every device, without touching any of them.

500k+
Ad & tracker domains blocked

One command on a Raspberry Pi. Point your router at it. Every device on your network — phones, TVs, consoles, smart home — protected without touching a single one of them.

DNS engine: dnsmasq
Added latency: 0 ms
RAM at idle: 200 MB
VPN: WireGuard
Dashboard

Your network.
In real time.

Every DNS query logged as it happens. Blocked or allowed, which device, which domain, which blocklist caught it. Live — not polled.

Queries today: 16,684
Blocked: 5,736 (34.4%)
Devices: 8 seen recently
Active lists: 10 blocklists
Traffic 24h (chart)

Active Blocklists (10 lists)
StevenBlack Hosts · Ads · 81,382
Phishing Army · Malware · 143,410
WindowsSpyBlocker · Telemetry · 347
Hagezi Pro · Trackers · 520,123
Phishing.txt · Malware · 190,222

Live query log
telemetry.sdk.inmobi.com · blocked · 192.168.10.102 · 21:09
api.github.com · allowed · 192.168.10.101 · 21:09
amazon-adsystem.com · blocked · 192.168.10.103 · 21:08
fonts.gstatic.com · allowed · 192.168.10.101 · 21:08
doubleclick.net · blocked · 192.168.10.104 · 21:07
connectivitycheck.gstatic.com · allowed · 192.168.10.101 · 21:07

Devices (8 active)
iPhone-15-Pro · 192.168.10.101 · 21:09
MacBook-Air · 192.168.10.102 · 21:08
Samsung-TV · 192.168.10.103 · 21:05
iPad-Pro · 192.168.10.104 · 20:59

What it does

Built to be left
running forever.

No paid tier. No premium plan. No features gated behind a subscription. Everything below is free on every install.

01
DNS Ad Blocking
500k+ domains
Blocked domains return NXDOMAIN in under a millisecond. No connection ever reaches the ad server. Works on every device the moment you point your router at it.
02
WireGuard + Tailscale VPN
CGNAT ready
WireGuard for home. Tailscale as an exit node when direct connections aren't possible — behind carrier-grade NAT, Three UK, or any restricted network. Filtering follows you everywhere.
03
Live Query Log
Real-time SSE
Every DNS query logged as it happens. Device attribution, blocklist name, timestamp. 7-day rolling retention. Filter by blocked, allowed, or device.
04
Blocklist Management
All formats
Import any list by URL. Parses hosts, dnsmasq, AdBlock, AdGuard, and plain domain formats. Six preset categories. Auto-updates daily without restarts.
05
HexBlock Shield
Chrome · Firefox
Catches the ads DNS can't reach. YouTube inline ads, overlays, sponsor segments skipped automatically. SponsorBlock built in.
06
HexBlock Watch
No install needed
Ad-free YouTube at hexblock.co.uk/watch. Paste any URL or replace youtube.com in the address bar. Works on every device including smart TVs.
07
Security Hardened
TOTP 2FA
Argon2id hashing, brute-force lockout, CSRF protection, optional TOTP two-factor, full admin audit log. Runs in Docker as a non-root user.
08
Raspberry Pi Native
5W · 200MB RAM
200 MB RAM at idle. Designed to run indefinitely on five watts. No cloud dependency, no telemetry, no licence check.

DNS blocking is different from a browser extension. It happens at the network level, before any device makes a connection. Your smart TV doesn't have an extension slot. Your games console doesn't either. HexBlock doesn't care — it blocks for all of them.
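
The Blocklist Management and DNS Ad Blocking items above describe importing lists in hosts, dnsmasq, AdBlock/AdGuard and plain-domain formats and answering blocked names with NXDOMAIN. The following is an added example, not HexBlock's own code, of normalising such lists into one set of domains; the function names, the sample input and the choice of dnsmasq `local=/name/` lines as output are assumptions made for illustration.

```python
import re

LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
DOMAIN = re.compile(rf"(?:{LABEL}\.)+[a-z][a-z0-9-]{{1,62}}")  # needs a dot and an alphabetic TLD
SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}   # targets that mean "block this name"
SKIP = {"localhost.localdomain"}                 # hosts-file housekeeping entry

def parse_line(line):
    """Return the domains that one blocklist line asks to block (possibly none)."""
    line = line.strip()
    if not line or line[0] in "#!" or line.startswith("@@") or "##" in line:
        return []                      # blank, comment, allow rule, cosmetic rule
    if line.startswith("||"):          # AdBlock / AdGuard: ||domain^
        m = re.fullmatch(r"\|\|([^\^/*$]+)\^", line)
        names = [m.group(1)] if m else []   # paths, wildcards, $modifiers have no DNS equivalent
    elif line.startswith(("address=/", "local=/")):   # dnsmasq
        *names, target = line.split("/")[1:]
        if target not in SINKS | {"", "#"}:
            names = []                 # address=/name/<real IP> redirects, it does not block
    else:
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1:            # hosts: only sink-address lines are block entries
            names = fields[1:] if fields[0] in SINKS else []
        else:
            names = fields             # plain domain list
    names = [n.lower().rstrip(".") for n in names]
    return [n for n in names if len(n) <= 253 and DOMAIN.fullmatch(n) and n not in SKIP]

def parse_blocklist(text):
    """Deduplicated set of blockable domains from a list in any supported format."""
    return {d for line in text.splitlines() for d in parse_line(line)}

def to_dnsmasq(domains):
    """Render local=/name/ lines: dnsmasq never forwards these names upstream."""
    return "\n".join(f"local=/{d}/" for d in sorted(domains))

SAMPLE = """\
0.0.0.0 ads.example.com tracker.example.net  # hosts entry
127.0.0.1 localhost
192.168.10.5 nas.example.org
address=/telemetry.example.org/0.0.0.0
address=/intranet.example.org/192.168.10.5
local=/metrics.example.com/
||ADS.example.com^
||cdn.example.com^$third-party
beacon.example.net
"""  # constructed sample, not taken from any real list
if __name__ == "__main__":
    print(to_dnsmasq(parse_blocklist(SAMPLE)))
```

Lines that map a name to a real address, and AdBlock rules carrying modifiers or paths, are skipped rather than widened into whole-domain blocks, since a resolver cannot honour those conditions.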

Deploy

Your server.
Your call.

The setup script asks five questions and writes every config file. Pick how you want to run it.

Home network

No domain required. Static IP and local hostname set automatically. Access at hexblock.home from anything on your LAN.

No domain · Static IP · Raspberry Pi
Domain required: No
SSL: Self-signed (auto)
Open ports: 53, 51820
Best for: Home users, Raspberry Pi
Cloudflare Tunnel

Zero open inbound ports. Cloudflare handles SSL. Works behind carrier-grade NAT. Dashboard never exposed to the internet.

No open ports · Auto SSL · CG-NAT
Domain required: Yes
SSL: Cloudflare (auto)
Open ports: 51820 only
Best for: Most users
Caddy

Fetches and renews Let's Encrypt certificates automatically. Zero certificate configuration. Runs alongside HexBlock in Docker Compose.

Let's Encrypt · Auto-renew · Docker
Domain required: Yes
SSL: Let's Encrypt (auto)
Open ports: 80, 443, 51820
Config required: None
Nginx

Setup script generates the Nginx config and prints the exact Certbot commands. For users already running Nginx on the same server.

Generated config · Certbot · Existing Nginx
Domain required: Yes
SSL: Certbot / Let's Encrypt
Open ports: 80, 443, 51820
Config required: Minimal (generated)
Free and open source — MIT licence

Run it
today.

$ sudo bash <(curl -fsSL https://hexblock.co.uk/install.sh)