How to access pi-hole remotely and have my mobile devices use it?

Expected Behaviour:

Remote to pi-hole over the web and have my mobile devices use it even when I'm not on my LAN.

Actual Behaviour:

I followed this guide: Redirecting...
And I think I set it up correctly, but it is not clear how I access pi-hole from the web and configure my mobile devices to use pi-hole when I'm away from home.

Debug Token:

https://tricorder.pi-hole.net/5gbpvlh62q

Where do you host pihole? At home or on a cloud server?

In any case, you need to set up a VPN to access your pihole from everywhere
https://docs.pi-hole.net/guides/vpn/overview/

Pi-hole is hosted on a local Raspberry Pi.

My Asus RE-AX88U has a VPN Server and a VPN Client.
Will one of these help to access the pi remotely?

I'd recommend putting this on hold until you've solved Pi-hole doesn't block according to dashboard - #27 and made yourself familiar with the way Pi-hole integrates into your network. :wink:

The easy setup is to install pihole, then pivpn (using wireguard) and everything is set automagically.
Simple, easy.
The only thing you have to do yourself is, for PiHole, to point the DNS in your router to the IP address of your Raspberry and to set the port forwarding on your router to your Raspberry for the PiVPN to connect.

Thanks, I'll have a look at PiVPN.
Since my router supports VPN Server - OpenVPN, I wonder if that would do with minimal setup, since the Pi hole is behind my router.

If your router already supports OpenVPN, that may already be sufficient, i.e. you may not need to set up a VPN server in your network.
That would of course depend on both your router's exact abilities and your planned usage of VPNs.

@Bucking_Horn
You're right
Still the full RPI setup is much easier to knot together (automagic) than constructing the router VPN to the RPI.
When inside the router VPN you're not directly in the RPI
PiVPN gives straight (secure) access to your RPI.

I was able to configure VPN server on my router and set up my phone to connect to the router.
I switched from wifi to cellular and I got direct access to the Pi-hole WebUI and it also seemed to block ads.

I did exactly the same. I have OpenVPN server running on my router and then run OpenVPN for android on my phone. When I am not connected to my home network I have tasker connect to the VPN and pi-hole is my DNS.

I might have spoken too soon.
Today I ran a test and Pihole didn't block anything when I connected my phone to my router's VPN.

My assumption was: Since the pihole is behind the router, if I VPN to the router then I get the protection of Pihole.

I use the router's built-in VPN Server PPTP. Just because it was simpler to set up.
I wonder if since I started using Pihole's DHCP, this broke the functionality.

Trying to install OpenVPN to see if this resolved the problem of not blocking ads on my mobile device, I encounter this confusing question:


The blurred area is my public IP address. Then why am I being asked what is my public IP address?


Update:
Since I didn't know how to proceed with OpenVPN installation on the Pi, I tried PiVPN with Wireguard.
I created a .conf file.
But I don't know how to carry on from here.

  1. What do I do with this file?
  2. I know how to open ports on my router, but I'm unsure what are the details I need to enter besides the port:
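
For the `.conf` file mentioned in the post above, an added example (not part of the original thread and not PiVPN's own code): a Python check that reads a WireGuard client configuration and reports whether its `DNS` entry points only at the Pi-hole, whether the Pi-hole address is routed through the tunnel, and whether the tunnel is full or DNS-only. The sample config, its addresses and hostname, and the names `parse_conf` and `audit_client_conf` are constructed for illustration.

```python
import ipaddress

# Constructed sample of a WireGuard client config; keys, addresses and
# hostname are placeholders, not values from the thread.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = home.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

def parse_conf(text):
    """Return a list of (section, {key: value}) pairs; repeated [Peer] blocks are kept."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)   # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit_client_conf(text, pihole_ip):
    """Check that DNS goes to Pi-hole and that the route to it is inside the tunnel."""
    sections = parse_conf(text)
    iface = next((kv for name, kv in sections if name == "interface"), {})
    dns = [d.strip() for d in iface.get("dns", "").split(",") if d.strip()]
    nets = []
    for name, kv in sections:
        if name == "peer":
            nets += [ipaddress.ip_network(n.strip(), strict=False)
                     for n in kv.get("allowedips", "").split(",") if n.strip()]
    target = ipaddress.ip_address(pihole_ip)
    return {
        "dns_is_pihole_only": dns == [pihole_ip],
        "pihole_routed_in_tunnel": any(target.version == n.version and target in n for n in nets),
        "full_tunnel": any(n.version == 4 and n.prefixlen == 0 for n in nets),
    }
```

A result with `dns_is_pihole_only` false, or with `pihole_routed_in_tunnel` false, means the device can resolve names without passing through Pi-hole while the VPN is up.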

Your router's public facing IP may change, either on router restart or because your ISP habitually changes that IP. Depending on your country of residence, this may happen as often as once per day.

So it makes sense to have you confirm that IP address - or enter a public hostname instead.
For that hostname to work in conjunction with a regularly changing IP address, you'd need to enlist a DynDNS service.
The device that aspires to be accessible via that public hostname (usually your router) will contact the DynDNS service upon an IP address change and report its changed IP address. The DynDNS service will then update its public DNS records to point to the correct IP address.

Your router has to support DynDNS in order for this to work.

Having an RPi as VPN server is also quite possible, but will put considerably more load on your RPi than just Pi-hole (i.e. it handles all VPN network traffic now, instead of just DNS).
Commonly, a router's hardware is better equipped for that job. Depending on your Internet plan's upload bandwidth in comparison to your RPi's (quite possibly halved) network link speed, your RPi may become a bottleneck (and that's even before taking the computational costs of VPN encryption into account).

Understood. It was not clear to me that it requires a confirmation.
I am using DDNS. My router supports it. I stopped the installation and proceeded with PiVPN instead, which also raised questions about the set up process.

Ok, I didn't think about that. Why does no guide mention that load issue on the poor Pi?
By all the articles I read, it looks like running Pihole+VPN+DoH is easy peasy.

So if I'm recalculating my goal based on your input, it would be Pihole+DoH+Unbound (yet to continue with unbound) + have Pihole on the go, i.e. get its adblocking protection while my mobile device is on a public network.


Given the load issues you mentioned, is there another way to get my mobile devices to use Pihole when on a public network?

It's highly specific to your device, its network integration, both your ISP and your router's Internet download and upload bandwidths, and your aspired usage of VPN (few vs. many, full vs. DNS only, often vs. sporadic,...), so there can be no one-off generic advice.

What RPi are you using?
How is that RPi connected to your network?
What are your ISP upload and download bandwidths?

The more I learn... I promise I'll get it... eventually :smiley:

I use RPi 3 B+ with 32GB storage. Aside from my main PC, all other home clients are wireless.
It is connected via ethernet cable to my beefy router, Asus RT-AX88U.
My typical download speeds: Average 85Mbps
Upload average: 32Mbps

I use NordVPN mainly to unlock US Netflix content and for privacy when I use torrents or Kodi addons.

I'd like to get ad-blocking for home and public networks when I'm not at home (if feasible).
Secure DNS connections
Privacy as much as possible.
At home, I have about 18 clients. Only 3 are heavily used.
When on public network, it's mainly my mobile and/or laptop, so 2 or 3 clients at most.

KISS
Skip your router's VPN and go for the RPI solution.
The only thing you have to do is to port forward incoming VPN connections to your RPI and point your router's DNS to your RPI.

This isn't strictly Pi-hole related, so you may want to consider alternate sources for acquiring additional insights.

So you want to make use of VPN both as a client (to NordVPN) and as a server (for your mobile devices when away from home).

Since you already have a NordVPN subscription, your nomadic use devices (mobile and laptop) may already be covered by that. In that case, transfer speeds will likely be significantly better if you stick with the NordVPN clients on those.
If you decide to route your traffic from your mobile devices through your home network filtered by Pi-hole and then to NordVPN, I'd recommend testing the alternatives of using your RPi or your router as VPN gateway.

I guess your router is more likely to win this test, but that would depend on your router's hardware and software characteristics, among others.

In general, your router may have three advantages when compared to your RPi:

a) It has a dedicated uplink port to your ISP.
It can download data from the Internet on that port and send data to your clients on all others at the same time.
Your RPi will have to share one port for sending and receiving data, effectively halving that port's bandwidth, while also sharing it between all of its clients.

b) It may feature encryption enhancements or even dedicated h/w encryption support.
It will be considerably faster encrypting and decrypting your VPN traffic without increasing CPU load.
ARM designs in general are also capable of encryption, but that attracts extra licensing costs, and so all RPi CPUs lack h/w encryption support.

c) It may feature h/w switching logic for its network ports.
Its CPU then wouldn't need to inspect your network traffic.
An RPi will have to employ RAM and CPU to handle network traffic.

On a 3B+, adding an additional Ethernet dongle as dedicated upstream link may improve its performance, but only by so much: Ethernet throughput is limited internally by the USB2 bus interface, so caps at 480Mbit/s raw - and that's shared among all USB client devices, i.e. your two Ethernet ports plus any other USB devices you use (mouse, keyboard, harddrive,...).

An RPi has but one advantage:
It can use whatever VPN solution is available for it.
Your router very likely limits you in your choice of VPN protocols and implementations.
If your router wouldn't support WireGuard, this may allow the RPI to gain some ground, as WireGuard may be considerably faster than IPSec or OpenVPN.

As for encryption/decryption speeds, I can only offer anecdotal data from using WireGuard on my own RPis, a Zero (Fast Ethernet dongle) and a 3A (WiFi 5GHz at 120Mbit nominal). But I don't consider those measurements to be representative.
Serving a WireGuard VPN connection, the Zero was able to sustain about 18 Mbps for both download and upload with nearly 100% CPU load. On the 3 A+, it was only slightly faster at about 25% to 30% load (so also using about 1 core).
I suspect single core frequency to impact performance more than having multiple cores, and I suspect link speed to also have an impact, so your Ethernet link on your 3B+ likely improves performance.
Loads dropped to below 10% with occasional peaks when streaming 720p videos at about 4 to 5 Mbps.
Even a Zero may thus be sufficient as VPN server to saturate a 20 Mbps uplink before becoming a bottleneck, so certainly enough on a 50/10 DSL or a 200/20 cable connection.

Your download speed becomes relevant if you are planning to establish a gateway to connect your home network to NordVPN. Your RPi's decryption speed then has to match your ISP's download bandwidth, or at least the decryption speed of your router.


When testing is a close match or only slightly in favour of your router, I'd probably try to use WireGuard as my VPN server anyhow, for one reason: You will notice a lot fewer reconnection attempts when on the move. WireGuard handles connection drops much better than OpenVPN.
Of course, this would be relevant for you only when using your VPN when not stationary, e.g. working with your laptop while commuting.

I'm aware that NordVPN has added WireGuard support only recently, and they extended it somehow to address some potential privacy issues when using WireGuard.

I'd recommend to also consult with NordVPN whether they would offer software for running their custom WireGuard protocol on an RPi.

Thank you very much for the detailed reply.
Very insightful.

I think that what confuses me is the term VPN Client vs. VPN Server. When I look at my router's settings that offer both Client/Server settings for PPTP, OpenVPN and IPSec, I wasn't sure what to do with it in the context of accessing my Pi remotely and enjoying the adblocking protection while on the go.

It never occurred to me to think of performance impacts, etc. I'm not network savvy by any means, so I struggle with concepts and how communication travels between endpoints.

Given NordVPN is a paid service, I know that I'd like to stop my subscription and use my own VPN, mainly for the Adblocking. Privacy would be an added bonus.

Also, from the learning perspective of it, I would just like to try and see how my RPi handles Wireguard.
I was able to install PiVPN + Wireguard but it blocked me from remoting to my RPi, so clearly I don't understand what I'm doing.

It's one of those things where reading instructions and applying them are two different things.

So Pihole is working as intended and I'm happy about that. I was hoping to extend on its capabilities with VPN and/or unbound for added security+privacy because I won't stay with NordVPN for long.
It's about the mindset of "who do you really trust?" which in this case, myself... therefore I want to leverage on the RPi as a VPN solution.
I'll check if a custom router firmware allows for Wireguard instead of OpenVPN.
Thanks!

Running a VPN server in your home network will allow your clients to connect to your home network from a remote and possibly unsafe network in a secure fashion. Once a VPN connection to your home network is established, all the traffic between your client and the VPN server is encrypted and safe from being spied on in real-time.
In that scenario, your home ISP upload bandwidth becomes the maximum achievable download speed for your client.

Enlisting the services of a VPN provider would grant your mobile clients the same protection from spying, while likely being limited by the download bandwidth of the network your clients are currently connected to, and also by the capacity of the VPN provider's private network.
In your home network, your router may become the sole VPN client of your VPN provider, acting as a transparent gateway for all your clients' public traffic.

But a VPN service also conceals your IP address from the servers you contact, which may also conceal your geo-location, and this would also apply for all your home network clients. It may even allow you to spoof a location by routing the traffic to corresponding exit nodes, so you can access services that may be denied otherwise, e.g. streaming your favourite home TV programme when abroad.

A single VPN Server in your home network cannot offer those features.

That's always a good reason to cast away any other considerations. :wink:

Also, with as few as one or two clients that would stream a video from time to time, you'd hardly notice a difference, whether it's a VPN service, router or RPi serving your data. You will however very likely see an immediate impact if you download high volumes of data regularly.
