Routing Pi-hole through a VPN client on the same Pi


Expected Behaviour:

[Route all DNS requests through the OpenVPN service(a VPN client) found on the same Pi.]

Actual Behaviour:

[Can’t figure out how to configure it to be so.]

Debug Token:

[I tried to upload a debug log but I got the error “There was an error uploading your debug log.”]

The closest article I could find to my issue is this (Pi-hole installation on rpi as vpn gateway, ( openvpn client ) fails (spectacular)).

I have followed a guide to get my RPi to act as a router and forward traffic from my LAN through a 3rd party VPN. The Pi does this by using OpenVPN to connect to a remote VPN server. This currently works as intended. The guide I followed is this (

I am now looking to install Pi-Hole and have it so that Pi-Hole routes all its traffic through the VPN as well. I want to do this for two reasons. 1. To prevent DNS leaks. 2. To prevent anyone analysing my traffic to determine where I am resolving my DNS requests and the content of those requests.

My Pi currently has a static IP assigned. I have tried to set it up using both eth0 and tun0. I know I can change it to listen to multiple interfaces if need be.

Questions 1.
How can I setup Pi-Hole to use my VPN connection to forward its requests if the VPN connection is active.

Question 2.
When establishing the VPN connection my Pi needs to resolve the domain of the VPN server it is connecting to. If Pi-Hole is set to only use the VPN connection (which wouldn’t be active at this point) then how would my Pi be able to resolve this query?

Perhaps there is a way I can set my Pi up so that any DNS requests the Pi makes can go out over eth0 if tun0 is down but any DNS requests a client makes must go out over tun0.



For this, you need a DNS server on the VPN server you are connecting to as your upstream DNS server.
You would change the DNS settings within Pi-hole’s interface to point at the custom IP (the VPN server/DNS) for the upstream resolver…

This way, anything that hits Pi-hole, gets relayed and eventually queried via the VPN tunnel from the VPN server hosting your DNS (unbound maybe?) server.

For this, you need a script that will automate all the parameter alterations AFTER VPN tunnel is up.

On the OpenVPN server side it’s really easy to achieve that as it supports executing a scrip when a client connects and disconnects, but this, is not the case.

You’d have to write something to this logic:

execute VPN connection (use local resolver) and connect
probe for valid VPN connection
change parameters within Pi-hole’s config files to use the Upstream DNS server via the VPN tunnel
restart Pi-hole for settings to take effect
loop and probe the VPN connection
|___ Restore local resolver (and send e-mail/push?) if VPN is down
|______ Do nothing if VPN is still live.

I’m assuming that, right now, your RPi, being in router mode, broadcasts the RPi IP as your DNS to your LAN clients, right?

If so, then the Router part of the setup, stays untouched as the Pi-hole instance will switch (based on the tun0 interface being up or down logic from the script above) the Upstream DNS settings and your clients won’t know the difference.

Long story short, you would have to write your own automation for this.



I contacted my VPN provider (Express VPN) and they said that they cannot provide me the IP of their DNS servers. I know if I use their app (which has a RPi version) that it will do this but then DNS is set automatically but then the problem is that I still don’t know the address to hardcode it into Pi-hole. At a loss here.

What I was thinking was possibly making it so that the Pi never uses Pi-hole for any of its own queries. Instead, only clients from the LAN use the Pi-hole service. If I can figure out how to turn off Pi-hole for the Pi hosting it then this would resolve this issue.

Sure anyone could see the traffic the Pi using but as a router the only time the Pi uses the WAN connection for itself is when it is updating packages.

It does not. I know that I can push the Pi as a DNS to its clients but I have chosen not to. Not all clients on my LAN use the Pi as a gateway so I have left my router as the DHCP server and manually set both the default gateway and DNS to that of my Pi if I wish for it to use the Pi tunnel.



That’s one thing a connected client gets automatically when connected to the VPN server.

You can fish it out of the connection log …

You can use that IP within the Pi-hole settings for DNS resolution (no matter how you look at it, someone WILL know what you are connecting to from a DNS perspective, whether is the VPN provider’s DNS or whoever provides your upstream DNS) .

Why don’t you want to use a local Ubound resolver as your Upstream ?

You can’t achieve that with the way Pi-hole works as it depends on /etc/resolv.conf and any changes in that file (not only don’t last but they), override Pi-hole as a whole.

You can either write code for switching that parameter as I said, before VPN and restore after, OR … get a Raspberry Pi Zero W and dedicate that for Pi-Hole.



I honestly didn’t know about this and still can’t really understand what this is. This would encrypt my DNS queries so that the only one who knows what I am querying would be the DNS server and not an ISP if they recorded my traffic. Is this correct?



In a nutshell:

You will not send your DNS requests to anybody EXCEPT the root servers.

It does NOT encrypt your DNS traffic. You could look into DNScrypt for that.

What happens with unbound is that you do not depend on any public DNS server for DNS resolution, you handle that, locally without anyone but the root servers know what you are “resolving”.

Your ISP will still be able to see your traffic though but not your DNS queries …


closed #7

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.