PiHole with OpenVPN the easy way — use PiVPN

I’ve set up PiHole and OpenVPN several times on devices like Raspberry Pi and Odroid64. OpenVPN is usually the trickier part to get right. What I’ve found that works best is to first install PiHole, then use PiVPN to set up OpenVPN. It is by far the easiest way to install OpenVPN. After you’ve installed it, however, you will need to make one modification:

Open /etc/openvpn/server.conf and add the following line (substitute the IP of your PiHole device):

push "dhcp-option DNS 172.16.0.75"

And then comment out (using #) every other push “dhcp-option” line.

This will force OpenVPN to use only PiHole as your DNS server.

If you want to create static entries for machines in your network (this is very helpful for Windows machines), modify /etc/hosts and add your entries there:

172.16.0.6 MyMachine

In order to make sure your hard-wired DNS entries respond appropriately both inside the network and via an OpenVPN connection, go to PiHole settings and, on the DNS tab, make sure that under Interface listening behavior you select the radio button "Listen on all interfaces" and uncheck all entries on Advanced DNS Settings.

Now go to your router and change your DNS settings so that it points to only your PiHole server. Every client that connects from inside your network or the OpenVPN tunnel will now use PiHole for DNS queries, which allows you to use these DNS entries. Additionally, even your OpenVPN clients will now have the benefit of PiHole blocking ads.


13 posts were split to a new topic: Unable to resolve external domains through VPN Cloudflared
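
The server.conf change from the first post, as an added example that is not part of the thread and not PiVPN's or Pi-hole's own code: it comments out every active push "dhcp-option" line, appends one for the Pi-hole, and checks that no other resolver is still pushed. The function names and the sample config are assumptions made for illustration; 172.16.0.75 is the address used in the post.

```bash
#!/usr/bin/env bash
# Added example: not PiVPN or Pi-hole code. Function names are hypothetical.

# Print an edited copy of an OpenVPN server.conf: every active
# push "dhcp-option ..." line is commented out with '#', then a single
# push for the Pi-hole address ($2) is appended.
pin_pihole_dns() {
    awk -v ip="$2" '
        /^[ \t]*push[ \t]+"dhcp-option[ \t]/ { print "#" $0; next }
        { print }
        END { printf "push \"dhcp-option DNS %s\"\n", ip }
    ' "$1"
}

# List the resolver addresses a config still pushes to clients.
pushed_dns() {
    awk '/^[ \t]*push[ \t]+"dhcp-option[ \t]+DNS[ \t]/ {
        gsub(/"/, "", $4); print $4
    }' "$1"
}

# Succeed only if exactly one resolver is pushed and it is the Pi-hole ($2).
only_pihole_pushed() {
    [ "$(pushed_dns "$1")" = "$2" ]
}

# Constructed sample config (not a real PiVPN file); the tunnel subnet and
# public resolvers are illustrative values.
sample=$(mktemp); fixed=$(mktemp)
trap 'rm -f "$sample" "$fixed"' EXIT
cat > "$sample" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
  push "dhcp-option DNS 8.8.4.4"
#push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1"
EOF

pin_pihole_dns "$sample" 172.16.0.75 > "$fixed"
echo "before: $(pushed_dns "$sample" | tr '\n' ' ')"
echo "after:  $(pushed_dns "$fixed" | tr '\n' ' ')"
only_pihole_pushed "$fixed" 172.16.0.75 && echo "OK: only Pi-hole is pushed"
```

Run it against a copy of /etc/openvpn/server.conf and compare the output with the original before putting it in place and restarting OpenVPN.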

this is really what I wanted to do.. I'll try it later today, thank you

I installed Pi-hole, then PiVPN. Both followed the default settings. And changed /etc/openvpn/server.conf file as you suggested.

Now I could connect Pi-hole from another machine, but my OpenVPN cannot be connected.

Any suggestions?

The easy way nowadays is PiHole and the PiVPN with WireGuard option.
OpenVPN is so 2019.

Hi there,

I set up PiVPN with the WireGuard option now.
Seems I could not connect to the Internet when the VPN was connected.

Any tips on setting it up?

Best regards,

Did you port forward port 51820 to your RPI?
First make an instance VPN if that does not exist in your router, else adapt that instance
Protocol UDP start port 51820, end port 51820

Then create a new item that points to your RPI IP.
Make it use the VPN instance you just created.

It's a 2 stage setup on most routers.

Let PiVPN be on IPv4 only on your router as well

For troubleshooting switch off IPtables or UFW because it can obstruct.


Is there a way to set up an instance VPN on the university eduroam network?

Merry Christmas.

Ahhh, seems right now I could only connect wireguard VPN when I use the school network hhh

Hi All,

I'm trying to install OpenVPN and PiHole on my Raspberry Pi 4. I read a lot of tutorials but I never reach to a good functioning. I mean, after installation step, I have my OpenVPN which works well on my Raspberry (I don't see my Public IP address). On my Windows computer (after setting of the DNS Address) I can see my Pi Hole console which works fine (ads are blocked!) but I see my public IP address.

Is there an explanation? Could someone tell me what I'm missing?

P.S.: I tried this tutorial: Raspberry Pi 4 with Pi-Hole, OpenVPN and DNSCrypt (itchy.nl)

Many thanks.
Smilorel

Hi HvdW,

It has external IP, start port, and end port.
Also a local IP, start port, and end port.
What should I fill in these?

Best,

All equal to the port you have chosen.
IP the IP from your RPI.

I don't understand why you would do this raspberry pi is so underpowered.

A Pi 4 can easily handle this.

Hey HvdW,

I reconfigured PiVPN, chose WireGuard, for the port forward part. Should I fill in the public IP or the 192.168... address?

Also, my pihole failed to work after PiVPN was installed every time. Here is the debug log for pihole: https://tricorder.pi-hole.net/yUGdz6lW/
After restartdns, the pihole part works well. Though still, the wireguard does not work.

Here is the PiVPN debug log:
pi@raspberrypi:~ $ pivpn -d
::: Generating Debug Output
:::: PiVPN debug ::::

:::: Latest commit ::::
Branch: master
Commit: 027f257931d1f169e254def5d1552d55810fefda
Author: 4s3ti
Date: Thu Aug 5 15:12:33 2021 +0200
Summary: Latest Changes update.

:::: Installation settings ::::
PLAT=Raspbian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
IPv4addr=192.168.0.12/24
IPv4gw=192.168.0.1
install_user=pi
install_home=/home/pi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=(iptables-persistent)

:::: Server configuration shown below ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820

begin mbp

[Peer]
PublicKey = mbp_pub
PresharedKey = mbp_psk
AllowedIPs = 10.6.0.2/32

end mbp

=============================================
:::: Client configuration shown below ::::
[Interface]
PrivateKey = mbp_priv
Address = 10.6.0.2/24
MTU = 1420
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
PresharedKey = mbp_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0

:::: Recursive list of files in ::::
:::: /etc/wireguard shown below ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
clients.txt
mbp.conf

/etc/wireguard/keys:
mbp_priv
mbp_psk
mbp_pub
server_priv
server_pub

:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp

:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq

:::: WARNING: This script should have automatically masked sensitive ::::
:::: information, however, still make sure that PrivateKey, PublicKey ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this: ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe ::::

:::: Debug complete ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::

Best,
zwu

The 192
However it will all be filled in auto by the setup.
Just confirm IP internal, external and suggested port.
On your router forward UDP suggested port from external to the 192 internal.
Ask again if you cannot find it.
Often YouTube is a great resource.
Regards.