I was reading about setting up Pi-hole with a VPN to prevent DNS Amplification Attacks. On the help page, it also mentions the possibility of setting up the VPN so that only DNS traffic goes through it.
One of the benefits of using the VPN with Pi-hole is that the VPN provides encryption in the absence of TLS, thus protecting the admin interface password.
If the VPN is set up in the DNS-only manner detailed in the second link, does it still provide this encryption, or is the password and other traffic to the admin interface sent in plain text? I suspect that it would not, but I am unsure because connecting to 10.8.0.1 is technically a LAN connection.
If the DNS-only VPN setup does not provide the encryption for the admin password, is there some other way the admin password can be protected with this setup?
Is it possible for the DNS-only or full-tunnel option to be set up on a client-by-client basis? For example, to have the full VPN tunnel used on the device used to access the admin panel, and have the DNS-only tunnel for all other devices?
Theoretically, someone that sniffed the password out of the packets wouldn't be able to use it without being connected to the VPN anyway, but I still want to protect the password.
I should have mentioned that the use case for this is an instance when Pi-hole is running on a VPS, so accessing the Pi-hole admin interface directly without VPNing in is not an option.
Actually, that described approach does route all traffic to the DNS server's address (10.8.0.1 from the example) through the VPN connection, i.e. all packets to that destination IP will travel through the encrypted tunnel. That would also be true for traffic related to Pi-hole's UI, as long as that server address also happens to serve Pi-hole's web UI.
I see. That makes much more sense than what I was originally thinking.
So this DNS-only tunnel method really just means "DNS-server-IP-only" tunnel method.
This method forces all DNS queries to that IP, so long as that IP is set as the system DNS, so they're all in the tunnel.
And then the full tunnel method just forces a redirect of all traffic to the DNS-server-IP for proxy, regardless of the IP address that is actually being targeted.
That really makes perfect sense. I don't know what scrambled my brain all up to have the confusion I did, but whatever. The misunderstanding is cleared up now.
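The routing behaviour the thread settles on can be checked with a longest-prefix-match walk over a client's routing table. The following is an added example, not code from the thread or from the Pi-hole project: it models two constructed routing tables, one for the "DNS-server-IP-only" tunnel (only a host route to 10.8.0.1 points at the VPN interface) and one for a full tunnel (the default route is overridden towards the VPN interface, in the style of OpenVPN's `redirect-gateway def1`, which is an assumption about the VPN software since the thread does not name it). Interface names, the LAN prefix and the VPN server's public address are placeholders. The point it shows is that in the DNS-only setup, any packet addressed to 10.8.0.1, including an HTTP request to the Pi-hole admin UI, is carried by the tunnel interface and is therefore encrypted, while everything else takes the normal uplink.

```python
import ipaddress

# Constructed routing tables modelled on the thread's setup. 10.8.0.1 is the
# VPN-side address of the server that runs both the DNS resolver and the
# Pi-hole web UI (from the thread). "tun0" is the VPN interface, "eth0" the
# normal uplink; 192.168.1.0/24 and 203.0.113.10 are placeholders.
DNS_ONLY_ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route stays on the normal uplink
    ("192.168.1.0/24", "eth0"),  # local LAN
    ("10.8.0.0/24", "tun0"),     # VPN transfer network
    ("10.8.0.1/32", "tun0"),     # host route to the DNS / Pi-hole server
]

FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0"),       # original default route (loses to longer prefixes)
    ("192.168.1.0/24", "eth0"),  # local LAN still reachable directly
    ("10.8.0.0/24", "tun0"),     # VPN transfer network
    ("0.0.0.0/1", "tun0"),       # "def1"-style override: both halves of the
    ("128.0.0.0/1", "tun0"),     # IPv4 space now prefer the tunnel
    ("203.0.113.10/32", "eth0"), # host route so the tunnel's own packets reach
                                 # the VPN server's public address (placeholder)
]


def lookup(routes, dst):
    """Return the interface carrying traffic to dst (longest-prefix match)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def is_encrypted_path(routes, dst, vpn_dev="tun0"):
    """True if packets to dst leave via the VPN interface (i.e. inside the tunnel)."""
    return lookup(routes, dst) == vpn_dev


def classify(routes, destinations):
    """Map each destination to the interface it would use under this table."""
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    probes = [
        "10.8.0.1",       # DNS queries and the Pi-hole admin UI
        "1.1.1.1",        # an arbitrary internet host
        "192.168.1.20",   # a LAN neighbour
        "203.0.113.10",   # the VPN server's public address
    ]
    print("DNS-only tunnel:  ", classify(DNS_ONLY_ROUTES, probes))
    print("Full tunnel:      ", classify(FULL_TUNNEL_ROUTES, probes))
```

In the DNS-only table only `10.8.0.1` resolves to `tun0`, so the admin password sent to that address travels encrypted while ordinary web traffic does not; in the full-tunnel table every destination except the LAN and the VPN server's public address resolves to `tun0`. On a real client the same check is `ip route get 10.8.0.1`, whose output should name the VPN interface.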