See my PiHole enabled OpenVPN Server

Thank you for the brilliant guide!

What kind of speeds can you expect when connecting from remote locations and internetting through the Pi? Also, what Pi are you using this for?

My PiHole runs on the first Pi model... Don't think that thing likes to run OpenVPN.

It depends on how fast your internet is at the pihole location and your openVPN configuration.

It is better to use RPI 2 or RPI 3, because running a VPN with 2048-bit encryption on RPI 1 is not a good idea.

Do you think the Pi cpu/usb-bus will not be the bottleneck in this situation? I have a Rpi 3 somewhere still, and my internet is a shared 1 Gbit/s down and up. So that shouldn't be an issue.

You could also lower the encryption but that kind of bites into the whole purpose of using a VPN on public connections.

Anyway, was hoping someone could tell me what to expect. I have an OpenVPN connection to my Netgear Nighthawk but the speeds are pretty slow when connected.

Since USB and Ethernet share a single bus, it will definitely be a bottleneck (100 Mbit is ok, but you can't get higher than that). Also, the CPU struggles to encrypt data. There are some other SBCs out there which have a gigabit port and a more powerful processor.

All of the Raspberry Pi devices perform comparably with respect to Ethernet. They all have a dedicated Ethernet chip which is hooked up to the SoC via an external bus. Performance tests usually show that with the recent version you can actually really get to the 100 MBit/s on wired Ethernet, and up to 40 MBit/s via wireless. There are users who found that you can go up to 200 MBit/s if you buy a good (= expensive) USB-to-Ethernet adapter, but I doubt that it is really worth the effort.

Expect the Ethernet chip (marked with M1) to go even hotter than the SoC (M2) at full speed.

Encryption performance is an interesting question: Modern "normal" CPUs (like x86_64) have no problem at all, because they integrate circuits that are specifically designed to compute crypto-stuff. Well, in the world of ARM everything is different and I wasn't really able to draw conclusive information from the datasheet of the SoC used on the Raspberry Pi. It seems like CRC32 is implemented natively, but for the rest this is left open (could even be that it is in there, but does not work with Raspbian).

I tested the VPN performance using OpenVPN + Raspberry Pi Model B (700MHz single core) and ended with about 9 MBit/s performance. Repeated the same test with a Raspberry Pi 3 Model B (1.2GHz quad) and got about 13 MBit/s. So not really high-performance but in good agreement with what you would expect from these devices. 2048-bit keys.

Thanks for the effort guys. I know about the HW limitations that the Pi's ethernet connection has but was wondering what limitation the CPU has, since encryption is very CPU intensive.

My router has gigabit ports and still performs pretty badly at hosting OpenVPN, more than likely because it has a bad SoC.

Just wanted to know whether it would be worth it before I start flashing and installing stuff on my Pi2. Cheers guys!

It strongly depends on your use case. I use the VPN to tunnel the Pi-hole DNS server only and can still take advantage of the full power of my multihomed upstream connection (2GBit/s). The trick is that only the DNS server of my Pi-hole is routed over the VPN and effectively, I can use all of its functionality. At the same time, all other traffic enters the Internet directly, so there is no bandwidth limitation introduced by the performance of the Pi Ethernet.

Does that sound like what you want?
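The "DNS only over the VPN" setup described above comes down to what the OpenVPN server pushes to clients: no `redirect-gateway`, only a DNS option pointing at the Pi-hole's tun-side address (which the `server` subnet already makes reachable). The following is an added example, not code from the thread or from Pi-hole, that classifies a server.conf as full-tunnel, DNS-only split tunnel, or a config where clients would not reach the Pi-hole at all. Directive names are OpenVPN's own; the two sample configs and the 10.8.0.0/24 subnet are constructed.

```python
"""Classify an OpenVPN server.conf: does it route all client traffic through
the Pi (full tunnel) or only expose the Pi-hole resolver (DNS-only)?"""
import ipaddress
import shlex

# Constructed sample: everything goes through the VPN (slow on a Pi).
FULL_TUNNEL = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""

# Constructed sample: only the DNS server is reachable over the VPN.
DNS_ONLY = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0    # clients get a route for this subnet
push "dhcp-option DNS 10.8.0.1"  # Pi-hole must listen on its tun0 address
"""


def parse_directives(conf_text):
    """Yield (directive, args) tuples; '#'/';' comments and blanks are skipped."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)  # keeps the quoted push "..." payload whole
        out.append((parts[0], parts[1:]))
    return out


def classify(conf_text, pihole_ip):
    """Return 'full-tunnel', 'dns-only' or 'no-dns' for the given config."""
    pihole = ipaddress.ip_address(pihole_ip)
    reachable = []   # networks the client will hold a route for
    pushes = []
    for name, args in parse_directives(conf_text):
        if name == "server" and len(args) >= 2:
            # 'server' expands to a pushed route for the whole VPN subnet
            reachable.append(ipaddress.ip_network(f"{args[0]}/{args[1]}"))
        elif name == "push" and args:
            pushes.append(args[0].split())
    dns_pushed = False
    for p in pushes:
        if p[0] == "redirect-gateway":
            return "full-tunnel"
        if p[0] == "route" and len(p) >= 3:
            reachable.append(ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False))
        if p[0] == "dhcp-option" and len(p) >= 3 and p[1].upper() == "DNS":
            dns_pushed = dns_pushed or ipaddress.ip_address(p[2]) == pihole
    # DNS-only works only if clients both get the DNS option and a route to it
    if dns_pushed and any(pihole in net for net in reachable):
        return "dns-only"
    return "no-dns"


if __name__ == "__main__":
    for label, conf in (("full", FULL_TUNNEL), ("dns-only", DNS_ONLY)):
        print(label, "->", classify(conf, "10.8.0.1"))
```

Run it against your own server.conf with `classify(open("server.conf").read(), "<tun-side Pi-hole IP>")`. A `no-dns` result usually means the pushed DNS address is the Pi's LAN address rather than its tun address, or a `route` push for the LAN is missing; the Pi-hole also has to listen on the tun interface for the `dns-only` case to work in practice.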

Does that sound like what you want?

Yes! Initially I set up my router to route all traffic through there but without a decent server setup this seems like too much of a constraint on my mobile performance. It works though: no ads when connected to it. But it is sloooooowww.

I've always used AdAway on all of my (Android) devices but the company I (am going to) work for does not allow rooted devices to be used on the premises. So I wanted to swap to remotely calling my PiHole as the primary DNS server to still block all tracking, malware and (most) ads.

But, after reading up on this project the past weeks and watching this video I wholeheartedly agree with not simply forwarding port 53 and making my Pi visible to the public. So I guess a VPN it is.

Yeah, open resolvers are a threat that should not be underestimated! AFAIK the open resolvers found on the web can sum up to more than 20Gbps attacking power. Open resolvers are vulnerable to DNS amplification attacks (usually).

Either limit your Pi-hole to only answer to certain IP ranges (which might be hard to know beforehand, esp. when on mobile) or go VPN. VPN should be the preferred route. I will update our Pi-hole OpenVPN wiki with the instructions on how to route only the DNS server, but not the whole internet traffic, soon.
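Whichever option you pick, it is worth verifying afterwards that the resolver really only answers the networks you intended. The following added example (not from the thread or from Pi-hole) scans dnsmasq query-log lines, the format Pi-hole writes with `log-queries`, and reports queries whose source address lies outside the allowed LAN and VPN ranges; any hit means the resolver was reachable as an open resolver. The log lines, the subnets and the addresses are constructed.

```python
"""Flag DNS queries that a Pi-hole answered from outside its intended client
networks (evidence of open-resolver exposure)."""
import ipaddress
import re

# Networks the resolver is meant to serve: home LAN plus the VPN subnet (constructed)
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]

# Constructed sample in dnsmasq's 'log-queries' line format
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Mar  3 10:15:01 dnsmasq[1234]: forwarded example.com to 10.0.0.1
Mar  3 10:15:02 dnsmasq[1234]: query[AAAA] pi.hole from 10.8.0.6
Mar  3 10:15:07 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.77
Mar  3 10:15:07 dnsmasq[1234]: query[ANY] isc.org from 203.0.113.77
Mar  3 10:15:08 dnsmasq[1234]: query[A] example.net from 198.51.100.9
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")


def find_external_queries(log_text, allowed=ALLOWED):
    """Return [(src, qtype, name, count)] for queries from non-allowed sources,
    most frequent first. Only 'query[...]' lines carry a client address."""
    counts = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed):
            continue
        key = (m["src"], m["qtype"], m["name"])
        counts[key] = counts.get(key, 0) + 1
    return [(*k, v) for k, v in sorted(counts.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for src, qtype, name, count in find_external_queries(SAMPLE_LOG):
        print(f"{count:4d}  {src:<16} {qtype:<5} {name}")
```

Point it at `/var/log/pihole.log` with `find_external_queries(open(path).read())`; repeated `ANY` queries for the same name from an unexpected address are the classic amplification pattern. Zero results is the outcome you want, and the VPN route gives it to you by never exposing port 53 to the internet in the first place.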

I will update our Pi-hole OpenVPN wiki with the instructions on how to route only the DNS server, but not the whole internet traffic, soon.

I want to learn as much as possible and not blindly follow guides but I've only started learning to write code a few months ago and the amount of information you find about Linux / Debian / IP Tables / VPN / DNS / hosts files can be overwhelming.

When I've learned some more (and got some income) I'd like to put PiHole (or my own similar DNS) on a VPS and use a script or DynDNS on each device / network for access control. But for now setting up PiHole for myself and my family has been a fun and useful way to learn about networking and Linux in general.

It's especially cool when others like yourself help me out from time to time! Cheers!

@apexalpha See

Can you tell me what the issue might be with RPi 1? I use it and it seems to be working OK.

It might be a bit slow if it has to run PiHole and an OpenVPN server at the same time.

Appreciate your effort, SIR! Thank you for this tutorial!

Awesome! Glad it is still helping out.

Also added an update to the tutorial to better fit with how pi-hole handles config files now. Haven't looked at this thing in a while, figured it'd be good to keep it relevant. :sweat_smile:

Thanks again for the update allowing for the settings to be persistent throughout an update.

Sorry, I'm lost in the instructions of "Long overdue update"
Should I be removing the interface line (interface=eth0) in the 01-pihole.conf file and putting it into a new empty file such as 02-addint.conf?

Thanks.

Pretty close. I think pihole takes your physical nic as a primary, and plugs it in on its own by default (interface=eth0).

We need to move any custom (manually added by 'you') second interfaces listed in 01-pihole.conf to the 02-addint.conf file instead. My manually added interface line was 'interface=tun0'. So I needed to move it to the new 02 conf file instead of the 01 file made by pihole.

If you only have the one 'interface=eth0' line in the 01 file to begin with, it doesn't need to move. Just put any additional interfaces you want pihole to work with in the separate 02 config file.
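The move described in the last two posts can be done by hand in a minute, but it is easy to get wrong when more than one extra interface is involved, so here is an added example (not from the thread or from Pi-hole) that does exactly that: it keeps the primary `interface=eth0` line in the generated 01-pihole.conf and collects every other `interface=` line into 02-addint.conf. The sample file contents are constructed; the assumption that `eth0` is the line Pi-hole itself wrote matches the post above.

```python
"""Move manually added 'interface=' lines out of Pi-hole's generated
01-pihole.conf into a separate 02-addint.conf that survives updates."""
from pathlib import Path

PRIMARY_NIC = "eth0"  # assumption: the interface line Pi-hole generates itself

# Constructed sample of a 01-pihole.conf with one hand-added interface
SAMPLE_01 = """\
# Pi-hole generated file (constructed sample)
addn-hosts=/etc/pihole/gravity.list
interface=eth0
interface=tun0
server=127.0.0.1#5053
"""


def split_interfaces(conf_01_text, primary=PRIMARY_NIC):
    """Return (new_01_text, new_02_text).

    Every 'interface=<name>' line whose name is not the primary NIC is removed
    from the 01 text and returned as the body of the 02 file; all other lines
    are left exactly as they were. new_02_text is '' when nothing moved."""
    keep, extra = [], []
    for line in conf_01_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "interface" and value.strip() != primary:
            extra.append(f"interface={value.strip()}")
        else:
            keep.append(line)
    new_01 = "\n".join(keep) + "\n"
    new_02 = ""
    if extra:
        header = "# extra interfaces Pi-hole listens on; kept out of the file Pi-hole regenerates"
        new_02 = header + "\n" + "\n".join(dict.fromkeys(extra)) + "\n"  # de-duplicated, order kept
    return new_01, new_02


def apply_split(conf_dir, primary=PRIMARY_NIC):
    """Rewrite <conf_dir>/01-pihole.conf and write <conf_dir>/02-addint.conf.
    Returns the number of interface lines moved."""
    conf_dir = Path(conf_dir)
    src = conf_dir / "01-pihole.conf"
    new_01, new_02 = split_interfaces(src.read_text(), primary)
    if not new_02:
        return 0
    src.write_text(new_01)
    (conf_dir / "02-addint.conf").write_text(new_02)
    return len(new_02.splitlines()) - 1  # minus the header line


if __name__ == "__main__":
    new_01, new_02 = split_interfaces(SAMPLE_01)
    print("--- 01-pihole.conf ---\n" + new_01)
    print("--- 02-addint.conf ---\n" + new_02)
```

Run `apply_split("/etc/dnsmasq.d")` as root after taking a copy of the directory, then restart the DNS service so dnsmasq re-reads both files; `split_interfaces` on its own is safe to try on any file content first.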

I've modified the basic premise of openVPN+pihole blocking DNS to include routing the traffic through your local DNS instead of Google's 8.8.8.8, see here for further details: https://slicedpi.net/