Hopefully this is still relevant or will be found useful to others, but here's what I had to do to get pi-hole to work for my openvpn clients:
- highly recommend quickly reviewing the 'Long overdue update' at the bottom of this post before continuing and using it alongside the guide when necessary. -
1. Needed to set up my /etc/pihole/setupVars.conf file like so by adding an additional listening interface (dns may be different for some):
IPv4_address=[raspberryPi IP address]/24
2. Then make sure that /etc/dnsmasq.d/01-pihole.conf was like the following (note that there are two 'interface=' entries; one for the ethernet port, one for the tun0 vpn interface):
address=/pi.hole/[raspberryPi ip address]
3. Example dump of the whole openvpn server config, but I bolded the relevant lines (located in /etc/openvpn/server.conf).
Most of this should already be set up when you installed openvpn. This config assumes that your local subnet is a standard 192.168.1.0/24 network, and that the subnet the OpenVPN server is assigning/using for connected clients is 10.8.0.0/24:
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS [raspberryPi ip address no subnet listed]"
push "redirect-gateway def1"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
status /var/log/openvpn-status.log 20
4. Example client config (minus the secret private stuff like cert fields, etc) :
remote [external IP or your resolvable domain] 1149
verify-x509-name server name
5. Reboot pi, forward your openvpn listening server port through your router to the raspberry pi IP address
OpenVPN creates a new virtual interface on the raspberry pi (default 'tun0' in my case), and pi-hole doesn't know about it until you put it into the /etc/dnsmasq.d/01-pihole.conf config file ~step 2. (Step 1 holds configs in case you update your pi-hole instance so you don't have to fiddle with config files again.)
Then you also need to tell your OpenVPN server to point all DNS queries by your clients (and other traffic requests) through your raspberry pi instead of it defaulting to your gateway or any other DNS server, as the pi will handle it ~ step 3.
If done correctly, you should start seeing IP addresses from both subnets in the admin web interface.
Deprecated as of a while ago, my bad
It appears that when you update pihole, it does not add more than one 'interface' back into the 01-pihole.conf file (even if you have it listed in the setupVars.conf file). You will need to manually check and make sure that both of your interfaces are in place in the 01-pihole.conf file before it will work after updating.
Updating also results in only two DNS server addresses being listed, and any additional servers will need to be manually added as well.
Also, the new web interface appears to currently only show one listening interface in the "Pi-Hole Ethernet Interface" section, but it still is listening on both.
Long overdue - Update - 3/15/2017
(Left original update section for a running history of changes)
Minor update and documenting an alternative way to maintain the additional interface when updating pi-hole so the interface does not have to be added in every time.
- Pi-hole currently allows for adding more than two DNS servers and extra ones no longer need to be manually added outside the admin interface through configuration files.
- The /etc/pihole/setupVars.conf file also no longer needs or really cares about additional 'PIHOLE_INTERFACE=' entries either (I think anyway), so Step 1 can be skipped entirely.
The system uses the dnsmasq service and parses the /etc/dnsmasq.d/ directory for configuration files. We can separate out our additional interface line (line: "interface=tun0" from Step 2 in my example from above) in a new, separate file in the same directory as 01-pihole.conf (should be that /etc/dnsmasq.d/ directory).
- Create a new file and call it whatever you'd like, but for example, I called my additional new file 02-addint.conf for the sake of clarity.
- Remove the extra interface line from 01-pihole.conf and place that line by itself into the new 02-addint.conf file.
- Save the new file, and either restart the pihole and dnsmasq services, or it's probably easier just to reboot your device entirely.
You should now be able to update pi-hole worry-free (for now ~ lol) without having to manually put the additional listening interfaces back in. What's cool is that the "teleporter" export utility from the admin interface also exports this extra config file along with the other standard files so this change can get backed up worry free as well.
edit: words | edit2: more words | edit3: update | edit4: DNS note | edit5: 3/15/2017 update | edit6: rephrasing
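
The drop-in file steps from the 3/15/2017 update, as an added shell example that is not part of the original post, together with a check that the configured listening interfaces are exactly the ones intended. It assumes the ethernet interface is named eth0 and that the config files end in .conf; `DNSMASQ_DIR` and the function names are hypothetical.

```shell
# Added example, not from the original post. DNSMASQ_DIR is a hypothetical
# override so the functions can be tried on a scratch copy first.
DNSMASQ_DIR="${DNSMASQ_DIR:-/etc/dnsmasq.d}"

# split_interface IFACE [DROPIN]
# Move "interface=IFACE" out of 01-pihole.conf into its own drop-in file.
split_interface() {
    iface="$1"
    main="$DNSMASQ_DIR/01-pihole.conf"
    dropin="$DNSMASQ_DIR/${2:-02-addint.conf}"
    [ -f "$main" ] || { echo "missing $main" >&2; return 1; }
    # Append to the drop-in only if the line is not there yet (safe to re-run).
    grep -qxF "interface=$iface" "$dropin" 2>/dev/null ||
        printf 'interface=%s\n' "$iface" >> "$dropin"
    # Drop the line from the file that a Pi-hole update rewrites.
    tmp="$(mktemp)" || return 1
    grep -vxF "interface=$iface" "$main" > "$tmp" || true
    cat "$tmp" > "$main"    # overwrite in place: keeps owner and mode
    rm -f "$tmp"
}

# configured_interfaces: every interface= value in any *.conf file, sorted.
configured_interfaces() {
    cat "$DNSMASQ_DIR"/*.conf 2>/dev/null |
        sed -n 's/^interface=\(.*\)$/\1/p' | sort -u
}

# check_interfaces IFACE...
# Succeeds only if dnsmasq is configured for exactly the named interfaces, so
# it catches both a listener lost in an update and an unexpected extra one.
check_interfaces() {
    want="$(printf '%s\n' "$@" | sort -u)"
    have="$(configured_interfaces)"
    [ "$want" = "$have" ] && return 0
    echo "expected: $(echo $want); configured: $(echo $have)" >&2
    return 1
}
```

Run `split_interface tun0` once as root, then `check_interfaces eth0 tun0` after each Pi-hole update; a non-zero exit means the interface list no longer matches what you intended to expose DNS on.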