Expected Behaviour:
When a device on my network uses a private VPN (like IPVanish, NordVPN, etc.) to connect to the internet, it uses the PiHole for DNS rather than the private VPN's DNS service.
Actual Behaviour:
When connected to a private VPN, clients bypass the PiHole and use the VPN's DNS service. As a result, ads are present.
Summary of setup
Router --> Tomato
PiHole --> RPI3, connected to the Tomato router via eth0
VPN --> Paid service provider, NordVPN. On Linux clients, the VPN connection is established using NetworkManager and static OpenVPN config files downloaded from NordVPN to /etc/openvpn. An example config file is:
client
dev tun
proto tcp
remote 209.58.144.228 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
auth-user-pass
comp-lzo
verb 3
pull
fast-io
Goal
Force clients using a private VPN connection to use PiHole's DNS.
Appreciate the response, but I'm not clear on exactly what you are saying. Is dhcp-option DNS ###.###.###.### an entry I should add to the OpenVPN config file? And if so, does the entry include the capitalized "DNS"? Or are you referring to something else?
Excellent!!! That did it. I just appended dhcp-option DNS ###.###.###.### (where ##... is the IP address for the PiHole) to the end of the VPN config file. Now with the VPN on, PiHole is still blocking ads.
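As an added example (not from anyone in this thread), a small Python helper that applies the fix from the post above: it pins a single dhcp-option DNS line in an OpenVPN client config so re-running it never produces duplicates, and it flags configs that also accept server-pushed options, since the provider can still push its own DNS servers. The Pi-hole address is a parameter you supply; the config text in the test is constructed.

```python
"""Pin the Pi-hole as DNS in an OpenVPN client config (added example, not from the thread)."""
import ipaddress
import re

# Matches an existing "dhcp-option DNS <addr>" line, case-insensitively.
DNS_LINE = re.compile(r"^\s*dhcp-option\s+DNS\s+(\S+)\s*$", re.IGNORECASE)
# "client" implies "pull"; either means server-pushed options are accepted.
PULL_LINE = re.compile(r"^\s*(pull|client)\s*$", re.IGNORECASE)


def pin_dns(config_text: str, dns_ip: str) -> str:
    """Return config_text with exactly one 'dhcp-option DNS <dns_ip>' line.

    Any existing dhcp-option DNS lines are replaced by the pinned one (the
    first is rewritten in place, later duplicates are dropped); all other
    lines are preserved. dns_ip must parse as an IPv4/IPv6 address.
    """
    ipaddress.ip_address(dns_ip)  # raises ValueError on a malformed address
    out, pinned = [], False
    for line in config_text.splitlines():
        if DNS_LINE.match(line):
            if not pinned:
                out.append(f"dhcp-option DNS {dns_ip}")
                pinned = True
            continue
        out.append(line)
    if not pinned:
        out.append(f"dhcp-option DNS {dns_ip}")
    return "\n".join(out) + "\n"


def accepts_pushed_options(config_text: str) -> bool:
    """True if the config has 'pull' or 'client', i.e. it will also apply
    dhcp-option DNS entries pushed by the VPN server. In that case verify the
    resolver actually in use after connecting (e.g. with 'resolvectl status');
    OpenVPN 2.4+ can drop pushed DNS with: pull-filter ignore "dhcp-option DNS"
    """
    return any(PULL_LINE.match(line) for line in config_text.splitlines())


if __name__ == "__main__":
    # Constructed sample config and placeholder Pi-hole address.
    sample = "client\ndev tun\nproto tcp\npull\nverb 3\n"
    print(pin_dns(sample, "192.168.1.2"), end="")
    if accepts_pushed_options(sample):
        print("# note: server-pushed DNS options are still accepted")
```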
Does this not give a chance of DNS leaking IP addresses / requests? Surely the Pi doesn't cache the whole DNS list and will forward requests on to a public server which would be logged... (I guess no log on the actual website that you visit in theory so that's better, though ISP logs would be full of stuff from DNS). Other option is to put the VPN on the PiHole connection too so the DNS forward requests go through VPN on their way to DNS upstream...?
I have also got a paid VPN service and was looking at ways to enable it while keeping the PiHole (which I have become very accustomed to!). Have been using the browser plugin, but clearly that won't allow any customisation of DNS requests....