Pi-hole with OpenVPN VPS Debian

Modified by moderator:
See also our new official HowTo which originated from this article here and tries to make it easily followable, providing additional help:
GitHub - pi-hole/pi-hole: A black hole for Internet advertisements

Original message from Pihole1234

Install openvpn

wget https://git.io/vpn -O openvpn-install.sh
sudo bash openvpn-install.sh

Install pi-hole

curl -L https://install.pi-hole.net | bash

ok so i have both pihole and openvpn hosted both on the same vps. i installed both using default ip of vps. Then i edited files using this tutorial to get openvpn and pihole working together.

1. Needed to setup my /etc/pihole/setupVars.conf file like so by adding an addtional listening interface
(dns may be different for some):

piholeInterface=eth0
piholeInterface=tun0
IPv4_address=[raspberryPi IP address]/24
IPv6_address=
piholeDNS1=8.8.8.8
piholeDNS2=8.8.4.4

2. Then make sure that /etc/dnsmasq.d/01-pihole.conf was like the following
(note that there are two 'interface=" entries; one for the ethernet port, one for the tun0 vpn interface):

address=/pi.hole/[raspberryPi ip address]
addn-hosts=/etc/pihole/gravity.list
domain-needed
bogus-priv
no-resolv
server=8.8.8.8
server=8.8.4.4

interface=eth0
interface=tun0

cache-size=10000
log-queries
log-facility=/var/log/pihole.log
local-ttl=300
log-async

3. Example dump the whole openvpn server config. But I bolded out the relevant lines (located in /etc/openvpn/server.conf)
Most of this should already be setup when you installed openvpn. This config assumes that your local subnet is a standard 192.168.1.0/24 network, and that the subnet OpenVPN server is assigning/using for connected clients is 10.8.0.0/24:

dev tun
proto tcp
port 1149
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS [raspberryPi ip address no subnet listed]"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

So the problem now is both the dns server and lighttpd server were both still public if you put in my vps ip. I've turned off the lighttpd server with this.

sudo systemctl disable lighttpd.service

sudo systemctl stop lighttpd.service

if i want to restart web server I do this

sudo systemctl enable lighttpd.service

sudo systemctl start lighttpd.service

Now no one can access admin page.

Now how to I make it that no one else can use my dns server without me setting them up through openvpn. Any help would be great. thanks

Your tutorial is very welcome here and we might consider to add it to our regular Wiki (with reference and credit to you, of course). However, there are some minor details I'd like to discuss with you.

The will not work as you expect. We source the setupVars.conf file and in your case, the Pi-hole will only listen on tun0, but not on eth0, as the interface variable is overwritten by the second entry. It is working nevertheless, since you also modify /etc/dnsmasq.d/01-pihole.conf. However, this will currently not be preserved by an update as we don't support adding multiple interfaces, currently. But there will be something to read at the end of my message that might render this unnecessary.

Styling issues:

• All of your enumeration items are "1."

• Concerning code, commands and config files: indent the text by 4 spaces. There is a button in the editor which can do this for you for multiple lines at once (makes it much easier to read)

Further things:

• In the release that will become public very soon there will be a strong password protection for the web interface. Guess it is not absolutely necessary any longer to completely disable the web server. Having said that you could also limit lighttpd to listen only on the VPN device, so it wouldn't be accessible from the www.

Not sure if I get what you want: You want to restrict the DNS service to be only available via VPN? If so, then simply remove eth0 from the dnsmasq configuration and have it only listening of tun0 to achieve exactly what you want.

Thank you very much for response and information. Sorry about styling issue I realised it was hard to read. Hopefully this helps out some users. Love the pihole project.

I improved your formatting to make it easier readable for interested readers. I might follow your guide myself to have a VPN Pi-hole as well (always planned to do that). Will go into a Wiki page if everything works out nicely.

Thanks for your contribution!

I'm also re-categorizing this into the how-to category as opposed to help.

How would I go about limiting lighttpd to listen only on the VPN device, so it wouldn't be accessible from the www.

@Pihole1234 I did some investigations on how you would do that with the firewall iptables and added that to the end of the HowTo here. Please tell us if you succeed.

That worked perfect. There were no rules setup so it was just a matter of running the 2 commands. Thanks again.

Did you actually get this working on your VPS?

As those two rules do not appear to work on my OpenVZ debian jessie install

I wrote this Tutorial while working on ao ordinary Ubuntu 16.04 VM and everything worked perfectly, so I suspect that you have some strange configuration.

We can try to debug this together. However, note that answers my be delayed during holiday time. Please provide more details concerning your problem.

Think I've misunderstood how the rules work.

I was trying to access the GUI via http://pi.hole which is mapped to my VPS's external IP via local.list. When I applied the rules external access stopped working as well as myself accessing the external IP from my VPN connection.

If I try accessing the GUI via http://10.8.0.1/admin it works. I thought that the rules were allowing port 80 access to my tun0 interface regardless of if the traffic was internal or external. Clearly that is not the case.

Well, I think you misunderstand a minor thing. Yes, it will allow access to your tun0 interface. But, if you try to access the Pi through its external IP, this request will go through the tun0 device and then connect to eth0 on your server since this interface is connected with the external IP. However, from this device you will then not be able to access the web UI.

Set the IPv4 IP of the Pi-hole to your VPN IP, then there is no need for mapping any hostname since the Pi-hole will take care of it itself.

hey my friend is trying to get this installed on his VPS with debian 8 installed and its not working any ideas why?
its saying the curl -L isnt a command

It seems like that curl is not available on his system.
That does

command -v curl

say? Does it say something at all?

by say do you mean what comes up when he tried to set it up?

I mean what comes if he enters:

command -v curl

A post was split to a new topic: Problem with OpenVPN

Yeah, curl isn't shipped by default with Debian. Just run

apt install curl

and then you can run the command.

Alternatively, you can use wget or git to download the script and run it locally.

Using OpenVPN on a VPS may be for the privacy (whatever that means) conscious. After reading this thread, I went ahead and disabled lighttpd's accesslog by commenting out the following in /etc/lighttpd/lighttpd.conf.

#"mod_accesslog"
#accesslog.filename = "/var/log/lighttpd/access_log"

It would likely be overwritten after an upgrade, and I'm not sure of any other way to disable it.

You might be able to override it in /etc/lighttpd/external.conf