Openvpn client gateway + pihole on the same device

I have a raspi that runs Pi-hole, dnscrypt and Home Assistant; Pi-hole queries DNS through dnscrypt. This works great as it is. Now I want to add an OpenVPN client service that connects to my VPN subscription all the time. This will run on the same raspi that runs the Pi-hole+dnscrypt and Home Assistant combo. Before I mess everything up, I want to make sure they will work together, or do I have to put OpenVPN on a separate device?

My current network topology is simple:

ISP modem <-> Mikrotik Router <-> Pi hole <-> client devices

My router doesn't support OpenVPN, and I don't want to use pfSense because I would have to install it on a dedicated PC box. That means a PC that will be on 24/7; the power draw will increase the electricity bill dramatically.

First hit searching DuckDuck:

I would try to get the router to dial in first.
Combining OpenVPN client, IP forwarding/masquerading plus Pi-hole on a Raspi isn't for the faint hearted.
And depending on upstream ISP speed and Raspi model, it could degrade your link to the Internet substantially.
Earlier models only did 100mbit on the ethernet port, and speed was also confined to the USB2 bus limit (no PCI etc.) of, I believe, around 300mbit.
For requirements and possible conflicts, have a read below:

EDIT: typo

Actually, before posting this I already had a look into resources regarding my router. It doesn't support VPN auth without username & password. Meanwhile, my VPN service uses a generated config file credential to connect. So, dialing in the VPN using the Mikrotik is out of the equation.

I have a raspi 3B and my ISP speed is only 50mbps max. So, it should be OK. Also, my main reason for using a VPN is that my ISP throttles most services like torrent, and even general browsing. Now, torrent download is capped at 8mbps, and general web browsing is also significantly slower. When I am connected to the VPN, speed is way better.

So, I can use the Pi to run the VPN service in conjunction with Pi-hole+dnscrypt, right?

While we are good at helping with Pi-hole issues, your situation seems to revolve more around VPN gateways and RPis in general.

That said, I have still pondered this a bit.

First, you should be aware that by setting up your RPi as a VPN gateway, you will effectively turn it into a router, probably forcing all your outbound network traffic through your RPi.
This is substantially different from your Pi-hole just handling DNS requests, which is but a tiny fraction of your network load.

Would that be a model 3B or 3B+?

With a 3B, you'd already max out its single 100Mbit/s network interface with 50Mbit/s ISP download, since traffic has to travel in from ISP and out to your individual clients simultaneously, effectively halving your RPi's bandwidth.

By the bare numbers, this is just an inch from becoming a bottleneck if only ISP traffic is involved, but it may become one if you consider local network traffic as well. So don't host any additional services like your music and video collection on the same RPi.

Encryption will come on top of that, taking a bite off your transfer speed (potentially -and ironically- relaxing bandwidth limits a bit).
Your router may be better equipped to do this, as it may feature some hardware encryption support.
It's probably worth noting that while the 3B's BCM2837 CPU is based on an ARMv8 Cortex-A53, it lacks its crypto extensions (due to extra licensing cost, according to this RaspberryPi forum discussion).
A Rock64 (also a Cortex-A53 design, but with ARMv8 crypto support built-in and enabled) does encryption significantly faster (about an order of magnitude).
I don't know about your router, but Mikrotik offers hardware acceleration for sha1 and sha256 on quite a few models.

You could try to alleviate bandwidth issues by adding a second Ethernet adapter as a USB dongle, using the built-in one for the ISP connection exclusively.
If you decide on a Gbit one to handle your local network, you should be aware of the USB speed limit mentioned by deHakkelaar:
USB 2.0 max transfer speed is specified as 480Mbit/s, and that is shared by all USB devices connected to your 3B, including built-in Ethernet. This would nominally leave around 430Mbit/s for the second Ethernet dongle when maxing your ISP's download speed of 50Mbit/s with built-in Ethernet, though actual transfer speeds may be slower. (Similar limitations would apply to the only nominally GBit Ethernet interface on a 3B+.)
Also, lack of dedicated switching hardware (which again your router may have) means all traffic will have to pass through your 3B's memory and CPU.

Since all this combined will put considerable peak loads on your RPi for sustained periods at times, a good power supply and cable for your RPi become even more crucial, and you may want to think about effective cooling as well, lest your encryption rates and transfer speeds drop due to your RPi throttling down its CPU frequency to counter heat build-up.

All in all, while it is certainly possible to run a VPN client gateway next to Pi-hole, I'd support @deHakkelaar in recommending to try enabling this on your router first.

You may have better chances for more specific advice by frequenting your router's or your aspiring VPN provider’s forums. :wink:


What's the VPN provider?
Maybe we can dissect that config file to get the details needed to set it up on the Mikrotik.

The VPN provider is AirVPN. I already found a post that confirms Mikrotik doesn't support auth without username/password: reference url

Aha, using TLS authentication.
Found below :wink:

The old 3B. Btw, my router is a Mikrotik RB1100.

Hmm.. that local network traffic didn't cross my mind. I do have a local media server; some of my family members watch movies streamed to TVs in the lounge room and bedroom. I was thinking of only forwarding the internet traffic from the router to the raspi, and the local traffic should stay with the router without going to the raspi. Is this scenario possible?

This probably sounds stupid of me, but I have to ask: in this scenario, does it mean the raspi's role becomes router? And the actual router (my Mikrotik) is no longer necessary? Because AFAIK there can only be one router in a network.

Thanks for the information. It was a very good read; it gives me a new insight.

Most anything is possible.
But as you have to ask these questions, it seems you're lacking sufficient knowledge to do so.
Having the router dial in would still be easier.

No, you can have as many as you like.

As long as that media (or any data, really) is served by a device different from your Pi-hole machine, the switching logic in your Mikrotik will take care of delivering traffic directly between devices on the same network segment (i.e. devices connected to your router). Hence my above advice not to host a music or video server on your 3B Pi-hole machine.

I might add that setting up your 3B as a WiFi access point will of course aggregate all traffic of devices connecting through it on your 3B, no matter where data is actually hosted.

Strictly speaking, no - effectively, yes: By introducing your 3B as a VPN client gateway, it becomes the connection point between your local network and the Internet (or more specifically, your chosen VPN provider's network) while adding encryption to it. It doesn't mean your 3B will replace or take over the duties of your Mikrotik. Specifically, your Mikrotik will remain the ultimate gateway to your ISP, no matter how you define traffic flow through your network. Depending on how you actually design this, you may also have to put some thought into firewalling your 3B.

But all of this is really beyond the scope of Pi-hole.

Like said before, it is certainly possible to run a VPN client gateway next to Pi-hole, but you may have better chances for advice on your specific environment by frequenting your router's or your aspiring VPN provider’s forums.

Hmm, I never thought OpenWrt could run on a Mikrotik. Thanks, this might be my last resort if I fail to get OpenVPN on the Pi working.

Yeah, you got me. :sweat_smile: I wouldn't pretend I have vast knowledge about networking. I only have a general understanding of how things work, and I am willing to learn to achieve my goal. :slight_smile: Well, that's why I want to make sure of everything before I mess up my current config.

Originally my plan was to have certain users' traffic forwarded through the VPN and some other users' traffic without VPN, but this may complicate things for now.

You have to enable "IP Forwarding" in the kernel and add persistent MASQUERADE rules to NAT your LAN to the VPN.
And for safety, only allow incoming (the destination port) DNS (53 UDP+TCP), DHCP (67 UDP), HTTP (80 TCP), SSH (22 TCP) etc. on the LAN interface IP with the firewall.
Most of it can be googled/duckducked if you search for your distro.

EDIT: You can grab some bits like IP forwarding and persistent masquerading from the doc below:
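The three steps deHakkelaar lists above (kernel IP forwarding, a persistent MASQUERADE rule towards the tunnel, and an INPUT filter on the LAN interface that admits only DNS, DHCP, HTTP and SSH), plus the "put some thought into firewalling your 3B" caveat from the earlier reply, as one added shell script. This is example code written for this page, not something from the thread, from Pi-hole or from AirVPN. It assumes eth0 is the Pi's single wired interface (facing both the Mikrotik and the LAN clients), tun0 is the OpenVPN tunnel, and 192.168.88.0/24 is a constructed LAN subnet; all three can be overridden in the environment. By default it only prints the commands it would run; invoked as root with the argument `apply` it executes them.

```shell
#!/bin/sh
# Added example (not from the thread): IP forwarding, MASQUERADE and a LAN-side
# INPUT filter for a Pi-hole box acting as an OpenVPN client gateway.
# Assumptions: eth0 faces both the Mikrotik and the LAN clients, tun0 is the
# OpenVPN tunnel, and the LAN is 192.168.88.0/24 (constructed value).
# DRY_RUN=1 (default) prints commands; "apply" as root executes them.

LAN_IF="${LAN_IF:-eth0}"               # assumed LAN-facing interface
VPN_IF="${VPN_IF:-tun0}"               # assumed OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.88.0/24}"  # assumed LAN subnet
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: let the kernel route packets between interfaces.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Persist step 1 across reboots with a sysctl.d drop-in.
persist_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'write net.ipv4.ip_forward=1 to /etc/sysctl.d/99-vpn-gateway.conf\n'
    else
        printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-vpn-gateway.conf
    fi
}

# Step 2: NAT the LAN behind the tunnel address and forward only LAN <-> tunnel.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # If the tunnel drops, refuse to forward LAN traffic out the plain ISP path
    # rather than silently leaking it past the VPN.
    run iptables -A FORWARD -i "$LAN_IF" ! -o "$VPN_IF" -j DROP
    run iptables -P FORWARD DROP
}

# Step 3: on the LAN interface, accept only the services the Pi actually offers.
input_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT   # DNS (Pi-hole)
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT   # DNS over TCP
    run iptables -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT   # DHCP, if Pi-hole serves it
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 80 -j ACCEPT   # Pi-hole web UI
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT   # SSH
    run iptables -A INPUT -p icmp -j ACCEPT                          # ping for troubleshooting
    # Set the default policy last so an open SSH session survives the change.
    run iptables -P INPUT DROP
}

# Save the rule set so the iptables-persistent package reloads it at boot.
persist_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables-save > /etc/iptables/rules.v4\n'
    else
        iptables-save > /etc/iptables/rules.v4
    fi
}

main() {
    [ "${1:-}" = "apply" ] && DRY_RUN=0
    enable_forwarding
    persist_forwarding
    nat_rules
    input_rules
    persist_rules
}

main "$@"
```

Two things the script deliberately leaves to you: the LAN clients must use the Pi as their default gateway (for instance via the DHCP option handed out by the Mikrotik or by Pi-hole), otherwise their traffic still goes straight to the Mikrotik and never reaches the MASQUERADE rule; and keeping the tunnel up "all the time" is a matter of enabling Debian's `openvpn-client@<name>` unit for a config placed in `/etc/openvpn/client/`. The `! -o tun0 DROP` rule is the part worth keeping even if you change everything else: without it, a dropped tunnel turns the gateway into a plain forwarder to the ISP path. Routing only selected users through the VPN, as mentioned in the thread, would need packet marks and a second routing table on top of this, which is where the complication starts.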