Pi-hole, OpenVPN Client on Asus Merlin Router


#1

I set up a Pi-hole today to work with my Asus RT-AC86U Router running Asus Merlin with both NordVPN and PIA VPN clients. I wanted to block ads but my biggest concern was preventing dns leaks.

I won’t go over the installation of DietPi and Pi-hole since that has been well documented elsewhere, but I had a hard time finding a good “how-to” specifically for Asus Merlin and/or OpenVPN clients using an outside VPN Service.

I found the best pi-hole configuration instructions on the Arch Wiki Pi-hole page:

https://wiki.archlinux.org/index.php/Pi-hole#Preferred_method

The one unique step during the pi-hole configuration (as described in the wiki) is to set only one custom dns server (IPv4). Set it to the ip address of your router. If you're not sure of the ip address then you can look up your default gateway on your PC (in Windows the command is ipconfig).

Asus Merlin does not have a custom dnsmasq config in the web interface, but it does allow you to use custom config files and scripts through ssh. (Note: on the Asus router the dnsmasq service provides both the dns and dhcp services.)

First you need to turn on scripting/custom config files and ssh access.

  1. Go to Administration then System in the Merlin web interface.
  2. Under Persistent JFFS2 partition check to see if Enable JFFS custom scripts and configs is enabled. If it isn't then enable it and the preceding Format JFFS partition at next boot option so the jffs partition will be set up correctly.
  3. You will need to connect to the router through ssh to set up the script. Scroll down to Service and change Enable SSH to LAN only.
  4. If you haven't changed your login name and password yet I highly recommend you do so now since you will be using them to log in through ssh. When you're done click Apply.

Next you need to add the dnsmasq.conf.add custom config file using ssh.

  1. Connect to the router through ssh. You can use any ssh client. I prefer putty or kitty. Use the ip address of the router.
  2. Once you have successfully connected go to the /jffs/configs directory (cd /jffs/configs).
  3. Use your favorite bash editor to create and edit a file named dnsmasq.conf.add (nano dnsmasq.conf.add).
  4. Enter one line in the file (without the quotes) "dhcp-option=6,pi-hole ip" (replace the pi-hole ip with the static ip address you set up when you configured the pi-hole).
  5. Save the file (in nano it's Ctrl-x, then y to confirm, then Enter to accept the existing file name).
  6. Restart the dnsmasq service (service restart_dnsmasq) or restart your router.

You can learn more information about custom config files in Asus Merlin at:

The last step is only necessary if you have an OpenVPN client set up with policy rules. Make sure you have policy rules to route both the router and the pi-hole through the VPN. It's technically not necessary to route the pi-hole through the VPN since it's using the router as its upstream dns, but it's good practice in case you use the DietPi for other features or change your upstream dns in the future. (I'm not explaining how to set up policy rules as this is only necessary if you already have them set up.)

  1. Go to your OpenVPN Client and under Rules for routing clients enter your router ip as the source ip, leave the destination ip blank, and change your iface (interface) to VPN, then click the +. Do the same with the pi-hole ip address then click apply.

If you want more info on policy rules there are very detailed instructions at the snbforums:

The pi-hole works great since any client, whether it's set up to use PIA VPN, NordVPN or no VPN, will have all dns requests encrypted and hidden behind the VPN service's tunnel. I tested this with ipleak.net and no matter what VPN I was using the dns showed as PIA's public ip address.

I was previously using AB-Solution installed on my Asus router (which is a great ad blocker!), but unfortunately there is a problem with dns leaks when using it with any OpenVPN client using policy routing. This isn’t something the creator of AB-Solution can fix. I wanted to try a different solution since I couldn’t get around using policy routing to get to Netflix, Hulu, etc.

I’ll be watching the pi-hole’s ad blocking over the next few days and see how it compares to AB-Solution XD.