openVPN not routing through pi-hole [SOLVED]

I want to VPN to my home network, in part, to have ads blocked 24/7 on my phone, but I'm having trouble. openVPN is working just fine, but it's not routing through pi-hole. I've tried two different guides and neither worked (or I didn't implement them correctly).

  1. Do you have to adjust pihole .conf file AND openvpn .conf files or just openvpn .conf? (the two guides are conflicting on this) - and I lost pihole functionality when I added the listen command to the pihole conf file.
    guide 1
    guide 2

  2. Here is my openVPN .conf if it helps. My router ip is 192.168.2.1; my pi is x.2.3.
    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    # server and remote endpoints
    ifconfig 10.8.0.1 10.8.0.2
    # Add route to Client routing table for the OpenVPN Server
    push "route 10.8.0.1 255.255.255.255"
    # Add route to Client routing table for the OpenVPN Subnet
    push "route 192.168.2.0 255.255.255.0"
    # your local subnet
    #push "route 192.168.2.0 255.255.255.0"
    # Set your primary domain name server address for clients
    push "dhcp-option DNS 192.168.2.3"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    # Override the Client default gateway by using 0.0.0.0/1 and
    # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
    # overriding but not wiping out the original default gateway.
    push "redirect-gateway def1"
    client-to-client
    duplicate-cn
    keepalive 10 120
    tls-version-min 1.2
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    cipher AES-256-CBC
    auth SHA256
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    #crl-verify /etc/openvpn/crl.pem
    status /var/log/openvpn-status.log 20
    log /var/log/openvpn.log
    verb 1
    # This configuration file was originally written by Lauren Orsini at ReadWrite.

Comment these two lines out.

Thanks for the idea. I did try that last night but the VPN lost all WAN connectivity. I think I may need to change

push "route 192.168.2.0 255.255.255.0"
to
push "route 192.168.1.0 255.255.255.0"

despite my LAN running on 2.0, the openVPN shows 1.0 on my phone in the connection status - like internally to openVPN it uses its own subnet on the subnet....? It's confusing b/c I can connect to LAN devices just fine over VPN despite the x.1.0 subnet status.

I'll redo your suggestion and the idea above tonight and report back!

I confirmed my suspicion from earlier tinkering - commenting out those DNS lines causes loss of WAN/DNS service on the VPN client side.

Also - I used both x.1.0 and x.2.0 in the openVPN .conf file and neither way blocked ads. I'm still missing something on the VPN setup to force it to use the local subnet DNS (ie - pihole).

pi-hole is still working fine on my local subnet, just not for vpn clients of the pi.

Issue remains open....

I use OpenVPN built into my ASUS RT-AC68W router.

I don't know what router you use, but mine has a setting for that. It's kind of buried. In the VPN, on the OpenVPN tab there is a drop down for VPN details. Change that to advanced and I see an option for Respond to DNS and Advertise DNS to clients. When I enabled both of those options, it works. It will show those requests as coming from your router not the IP for the VPN client.

Thanks! I'm running DD-WRT on my router now; I didn't think about setting the router up as the VPN server b/c piVPN on the Pi is so easy to set up. I'll have to look into it again, maybe that will be the easier solution rather than running both on the Pi.

Just another idea (that I'm typing out so I don't forget...); my router is supposed to send DNS to the pi; perhaps if I set the router IP as DNS on openVPN settings it will redirect to Pi. I'll report back after I try...

OK - SOLVED by twotonefox.
LINK to post

DELETED the copied text b/c it became obsolete but Please follow the link which has the solution (and updated solutions to re-solve after updating pi-hole).
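
Added example (not part of the thread, and not the linked solution): a small Python audit of the `push` lines in the posted server config. It reports any pushed DNS server other than the Pi-hole, since a client that is handed several resolvers may query any of them, and checks that a pushed route or `redirect-gateway` covers the Pi-hole address. The function names are hypothetical, the sample is a constructed excerpt of the config above, and the script does not test whether Pi-hole actually answers queries arriving from the VPN subnet.

```python
import ipaddress
import shlex

# Constructed sample: the route- and DNS-related lines of the config posted above.
SAMPLE_CONF = '''
server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.255"
push "route 192.168.2.0 255.255.255.0"
#push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.3"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1"
'''

def parse_pushes(conf_text):
    """Return (dns_servers, routes, redirect_gateway) pushed to clients."""
    dns, routes, redirect = [], [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or config comment
            continue
        words = shlex.split(line)            # keeps the quoted push argument whole
        if words[0] != "push" or len(words) < 2 or not words[1].split():
            continue
        opt = words[1].split()
        if opt[:2] == ["dhcp-option", "DNS"] and len(opt) == 3:
            dns.append(ipaddress.ip_address(opt[2]))
        elif opt[0] == "route" and len(opt) >= 3:
            routes.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
        elif opt[0] == "redirect-gateway":
            redirect = True
    return dns, routes, redirect

def audit_dns(conf_text, filtering_resolver):
    """List findings that let VPN clients resolve names without the filter."""
    resolver = ipaddress.ip_address(filtering_resolver)
    dns, routes, redirect = parse_pushes(conf_text)
    findings = []
    if resolver not in dns:
        findings.append(f"{resolver} is not pushed as a DNS server")
    for extra in (d for d in dns if d != resolver):
        findings.append(f"{extra} is also pushed; clients may query it and skip the filter")
    if not redirect and not any(resolver in net for net in routes):
        findings.append(f"no pushed route covers {resolver}")
    return findings

if __name__ == "__main__":
    for finding in audit_dns(SAMPLE_CONF, "192.168.2.3"):
        print("FINDING:", finding)
```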