Force Private/Paid VPN (like IPVanish or NordVPN) to use Pi-Hole DNS

Expected Behaviour:

When a device on my network uses a private VPN (like IPVanish, NordVPN, etc.) to connect to the internet, it uses the PiHole for DNS rather than the private VPN's DNS service.

Actual Behaviour:

When connected to a private VPN, clients bypass the PiHole and use the VPN's DNS service. As a result, ads are present.

Summary of setup

Router --> Tomato
PiHole --> RPI3, connected to the Tomato router via eth0
VPN --> Paid service provider, NordVPN. On Linux clients, the VPN connection is established using NetworkManager and static OpenVPN config files downloaded from NordVPN to /etc/openvpn. An example config file is:

```
client
dev tun
proto tcp
remote 209.58.144.228 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
auth-user-pass
comp-lzo
verb 3
pull
fast-io
```
    

Goal

Force clients using a private VPN connection to use PiHole's DNS.


```
dhcp-option DNS 123.123.123.123
```

Replace the 123 with the Pi-hole IP.


Appreciate the response, but I'm not clear on exactly what you are saying. Is dhcp-option DNS ###.###.###.### an entry I should add to the OpenVPN config file? And if so, does the entry include the capitalized "DNS"? Or are you referring to something else?

Edited the question to make it clearer what I'm trying to accomplish. Hopefully, someone here is using both a private VPN and PiHole.

Yes, it is as you expect.

```
dhcp-option DNS ###.###.###.###
```

Excellent!!! That did it. I just appended dhcp-option DNS ###.###.###.### (where ##... is the IP address for the PiHole) to the end of the VPN config file. Now with the VPN on, PiHole is still blocking ads.
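The fix confirmed above (append `dhcp-option DNS <pi-hole-ip>` to the client's .ovpn file) done as a small, repeatable script rather than a manual edit. This is an added example, not code from the thread, from Pi-hole or from NordVPN. It assumes a Pi-hole at 192.168.1.2 (placeholder) and an OpenVPN client at 2.4 or newer, which is the version that introduced the `pull-filter` directive. Besides appending the Pi-hole line it removes any stale `dhcp-option DNS` entries already in the file, validates the address, and adds `pull-filter ignore "dhcp-option DNS"` so that a resolver the VPN server pushes does not get installed next to the Pi-hole; the sample config is a trimmed, constructed copy of the one posted above.

```python
import ipaddress
import shlex

# Constructed sample: a trimmed version of the NordVPN client config shown in the thread.
SAMPLE_CONFIG = """\
client
dev tun
proto tcp
remote 209.58.144.228 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
verb 3
pull
"""

DNS_OPTION = "dhcp-option"
# OpenVPN 2.4+ directive: drop any "dhcp-option DNS ..." the server pushes (assumed available).
PULL_FILTER_LINE = 'pull-filter ignore "dhcp-option DNS"'


def _is_dns_option(line: str) -> bool:
    """True if the line is a 'dhcp-option DNS ...' directive ('#' starts a comment)."""
    try:
        parts = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: treat as an ordinary line, leave it alone
        return False
    return len(parts) >= 2 and parts[0] == DNS_OPTION and parts[1].upper() == "DNS"


def pin_dns(config_text: str, pihole_ip: str, ignore_pushed_dns: bool = True) -> str:
    """Return a copy of an OpenVPN client config whose only DNS resolver is pihole_ip.

    - Existing 'dhcp-option DNS' lines are removed so a stale resolver cannot survive.
    - 'dhcp-option DNS <pihole_ip>' is appended, which is the fix from the thread.
    - With ignore_pushed_dns, a pull-filter is appended so a server-pushed resolver
      is ignored instead of being applied alongside the Pi-hole.
    The function is idempotent: running it on its own output changes nothing.
    """
    ip = ipaddress.ip_address(pihole_ip)  # raises ValueError on input like "123.123.123"
    kept = [ln for ln in config_text.splitlines() if not _is_dns_option(ln)]
    kept = [ln for ln in kept if ln.strip() != PULL_FILTER_LINE]
    kept.append(f"{DNS_OPTION} DNS {ip}")
    if ignore_pushed_dns:
        kept.append(PULL_FILTER_LINE)
    return "\n".join(kept) + "\n"


def dns_servers(config_text: str) -> list:
    """List the resolvers a client config itself hands to the DNS helper (pushed ones excluded)."""
    found = []
    for ln in config_text.splitlines():
        if _is_dns_option(ln):
            parts = shlex.split(ln, comments=True)
            if len(parts) >= 3:
                found.append(parts[2])
    return found


if __name__ == "__main__":
    # Placeholder Pi-hole address; substitute the real one on your LAN.
    print(pin_dns(SAMPLE_CONFIG, "192.168.1.2"), end="")
```

Run it against each .ovpn file you import into NetworkManager and re-import the result. The Pi-hole stays reachable while the tunnel is up because the LAN subnet's on-link route is more specific than the VPN's redirected default route. Check the outcome from the client with `dig pi.hole` or by watching the Pi-hole query log while the VPN is connected.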

Does this not give a chance of DNS leaking IP addresses / requests? Surely the Pi doesn't cache the whole DNS list and will forward requests on to a public server which would be logged... (I guess no log on the actual website that you visit in theory, so that's better, though ISP logs would be full of stuff from DNS.) Other option is to put the VPN on the Pihole connection too so the DNS forward requests go through the VPN on their way to the DNS upstream...?

I have also got a paid VPN service and was looking at ways to enable it while keeping the PiHole (which I have become very accustomed to!). Have been using the browser plugin, but clearly that won't allow any customisation of DNS requests....
