What I've done:
VPS Server hosted offsite
FQDN
Install Pi-hole & PiVPN
Exposed 1 external port that forwards to port 53 for PiVPN
Password-protected the Pi-hole admin page with a username and password (both of which are a jumble over 15 characters long; the password file is stored where it isn't reachable from the internet, and the password is hashed in a .htpasswd file)
Password to log into the admin portal itself is a totally unique 15+ character password
Site is secured with SSL
What I've Noticed:
Only VPN traffic is going through the Pi-hole
API function for mobile app access does not work (because of the lighttpd user/pass requirement) ~ Fixed this issue by changing the auth.require settings for lighttpd to exclude api.php. All other URLs require auth.
I'm sure there are other things I've noticed but just can't think of them now.
Anyways, is this setup secure? What more could I do if it isn't?
I set this up so that all of my devices, whether at home or not, could use the Pi-hole through the VPN.
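
The lighttpd exemption described in the post, sketched as an added example (not the poster's actual configuration). The `/admin/` path, the `.htpasswd` location and the realm name are assumptions.

```lighttpd
# Added example, not the poster's config. Paths and realm name are assumptions.
# Omit any module that the main config already loads.
server.modules += ( "mod_auth", "mod_authn_file" )

auth.backend                   = "htpasswd"
# Credential file kept outside the document root (assumed path).
auth.backend.htpasswd.userfile = "/etc/lighttpd/.htpasswd"

# Too broad: an unanchored pattern exempts every path that merely
# contains the string "api.php", not only the API endpoint itself.
#   $HTTP["url"] !~ "api\.php" { ... }

# Scoped: $HTTP["url"] is the request path without the query string, so the
# anchored regex leaves exactly /admin/api.php outside HTTP Basic auth.
# Every other URL on the site still requires a valid user.
$HTTP["url"] !~ "^/admin/api\.php$" {
    auth.require = ( "" => (
        "method"  => "basic",
        "realm"   => "Pi-hole admin",
        "require" => "valid-user"
    ) )
}
```

`lighttpd -t -f <config file>` checks the syntax before a reload. With this in place api.php is answered without the Basic auth prompt, so whatever protection that endpoint has comes from Pi-hole itself.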