This is a (relatively) simple configuration question, so I hope I am asking it in the right place.
I have two Windows Server 2016 machines running the DNS role in my house, as primary and secondary DNS Zones (Luke @ 10.0.1.2 and Beau @ 10.0.1.3). Previously, both zones were using OpenDNS as forwarders for external queries.
To start off and establish a proof of concept, I set up Pi-Hole on a Raspberry Pi 3 and configured it to forward external queries to OpenDNS, then changed the Windows Servers to forward queries to the Pi-Hole (Roscoe @ 10.0.1.15), essentially placing the Pi-Hole between my internal devices and OpenDNS to perform its sinkhole duties. It all worked great, except that the Pi-Hole dashboard was only showing query information for two clients (Beau and Luke) instead of the actual client machines. I can live with that.
I REALLY want devices outside of the network to also use the Pi Hole and OpenDNS. Setting up my DNS as WAN-facing comes with the obvious security vulnerabilities, so I took a look at the docs on using OpenVPN and liked what I saw. The problem is that the howto doesn't consider use cases like mine where there are actual DNS servers on the local network that clients need access to when they are local.
I set up the OpenVPN server on the Raspberry Pi and tested using an Android device that was on mobile data. The content and ad filtering is still working, but it is using the office gateway and I only want DNS queries going over the VPN. I made the change suggested here and it broke internet access for the VPN clients. Maybe I missed something in the .ovpn file? Input appreciated there.
Also, when the VPN clients are local, they need to be able to use the Windows DNS servers for local hostname resolution, which the VPN config bypasses.
Instead of having Luke and Beau forward external queries to the Pi Hole (which then forwards them to OpenDNS), I was thinking I would change the DHCP server (Luke) to send clients the Pi Hole as the DNS server, have it forward queries to 10.0.1.2 and 10.0.1.3, and then have them forward queries to OpenDNS. That way I would have more accurate client information in the Pi Hole admin console and local devices would not be bypassing the Windows DNS servers, even if they are connected to the VPN.
Assuming the last paragraph above is a viable solution (I'd love to hear potential problems and alternative ideas if it is not), how do I need to configure my openvpn.conf and client.ovpn files?
TIA,
J
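As an added example that is not part of the original post, the following is one way to write the two files the question asks about so that only DNS traffic crosses the tunnel while ordinary internet traffic keeps using the phone's own uplink. The key point is what is left out: a pushed `redirect-gateway` is what makes the client send everything through the VPN, so it is omitted, and the server instead pushes a single /32 host route to the Pi-Hole (Roscoe, 10.0.1.15, taken from the post) plus a `dhcp-option DNS` pointing at it. The tunnel subnet (10.8.0.0/24), the certificate paths, the DNS suffix `home.lan` and the remote hostname are placeholders and assumptions, not values from the post.

```conf
# ===== /etc/openvpn/server.conf on the Raspberry Pi (Roscoe) =====
# Added example, not the original poster's configuration.
port 1194
proto udp
dev tun

# PKI material: placeholder paths, substitute the files from your own CA.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

# Tunnel address pool (assumed). Must not overlap the 10.0.1.0/24 LAN.
server 10.8.0.0 255.255.255.0

# Split tunnel: deliberately NO  push "redirect-gateway def1"
# Without it the client's default route stays on its mobile/home uplink,
# so only traffic matching the routes pushed below enters the tunnel.

# Reach the Pi-Hole, and nothing else on the LAN, through the tunnel.
# A /32 host route is enough because the Pi-Hole forwards to Luke and Beau
# (10.0.1.2 / 10.0.1.3) itself, so local hostnames still resolve.
push "route 10.0.1.15 255.255.255.255"

# Make Roscoe the client's resolver. Honoured natively by the Windows and
# Android OpenVPN clients; a Linux client needs an up/down script to apply it.
push "dhcp-option DNS 10.0.1.15"

# Optional search suffix so a bare "luke" is tried as luke.home.lan.
# "home.lan" is a placeholder for the Windows DNS zone name.
push "dhcp-option DOMAIN home.lan"

# Windows clients only (other clients log a warning and ignore it):
# prevents the client from also querying its carrier/ISP resolver on the
# physical interface, which would otherwise leak queries around the Pi-Hole.
push "block-outside-dns"

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ===== client.ovpn (one per device) =====
client
dev tun
proto udp
# Placeholder: the public/DDNS name the Pi is reachable on.
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse to connect to anything that does not present a server certificate.
remote-cert-tls server
# Inline <ca>, <cert> and <key> blocks go here.
# Do NOT add "redirect-gateway" or "route-nopull" on the client side:
# the server-pushed /32 route and DNS option are what keep this DNS-only.
verb 3
```

Two things to check after loading this. First, the Pi-Hole must be willing to answer queries arriving on the tun interface from 10.8.0.0/24; by default it only serves its local subnets, so its listening behaviour has to be set to permit all origins (or the tun interface added), otherwise VPN clients get no answers at all, which looks exactly like "broken internet". Second, confirm from a connected phone that lookups really leave via the tunnel by watching the Pi-Hole query log for the 10.8.0.x client address; if the phone's own resolver still shows up in use, the pushed `dhcp-option` was not applied by that client app. With this layout only UDP 1194 needs to be reachable from the WAN; port 53 on the Pi and on the Windows servers stays closed to the outside, which is the exposure the post wanted to avoid.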