See my PiHole enabled OpenVPN Server

Hopefully this is still relevant or will be found useful to others, but here's what I had to do to get pi-hole to work for my openvpn clients:

- highly recommend quickly reviewing the 'Long overdue update' at the bottom of this post before continuing and using it alongside the guide when necessary. -

1. Needed to setup my /etc/pihole/setupVars.conf file like so by adding an additional listening interface (dns may be different for some):

piholeInterface=eth0
piholeInterface=tun0
IPv4_address=[raspberryPi IP address]/24
IPv6_address=
piholeDNS1=8.8.8.8
piholeDNS2=8.8.4.4

2. Then make sure that /etc/dnsmasq.d/01-pihole.conf was like the following (note that there are two 'interface=' entries; one for the ethernet port, one for the tun0 vpn interface):

address=/pi.hole/[raspberryPi ip address]
addn-hosts=/etc/pihole/gravity.list
domain-needed
bogus-priv
no-resolv
server=8.8.8.8
server=8.8.4.4

interface=eth0
interface=tun0

cache-size=10000
log-queries
log-facility=/var/log/pihole.log
local-ttl=300
log-async

3. Example dump of the whole openvpn server config, but I bolded out the relevant lines (located in /etc/openvpn/server.conf).
Most of this should already be set up when you installed openvpn. This config assumes that your local subnet is a standard 192.168.1.0/24 network, and that the subnet the OpenVPN server is assigning/using for connected clients is 10.8.0.0/24:

dev tun
proto tcp
port 1149
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS [raspberryPi ip address no subnet listed]"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

4. Example client config (minus the secret private stuff like cert fields, etc) :wink::

client
dev tun
proto tcp
remote [external IP or your resolvable domain] 1149
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1

5. Reboot pi, forward your openvpn listening server port through your router to the raspberry pi IP address
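As an added example that is not part of the original post: a read-only script that checks the two halves of steps 2 and 3 against each other, i.e. that some file under the dnsmasq drop-in directory contains interface=tun0, that server.conf pushes the Pi's address as DNS, and that redirect-gateway is pushed. It also flags two settings in the posted server.conf that a reviewer would point out (duplicate-cn and comp-lzo). The directory and file paths, the RUN_VPN_DNS_CHECK and PI_IP switches, and the address 192.168.1.2 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only check that the
# pieces from steps 2 and 3 agree with each other. The paths and the Pi's
# address are parameters; the defaults at the bottom are assumed values.

# Print the interfaces dnsmasq is told to listen on, collected from every
# *.conf in a dnsmasq.d-style directory (comments stripped, duplicates merged).
dnsmasq_interfaces() {
    cat "$1"/*.conf 2>/dev/null \
        | sed -e 's/#.*//' \
        | sed -n 's/^[[:space:]]*interface=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | sort -u
}

# Succeed only if dnsmasq is configured to listen on the named interface.
dnsmasq_listens_on() {
    dnsmasq_interfaces "$1" | grep -qx "$2"
}

# Print the address from the server's push "dhcp-option DNS x.x.x.x" line
# (prints nothing if the line is missing).
openvpn_pushed_dns() {
    sed -e 's/#.*//' "$1" \
        | sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]*DNS[[:space:]]*\([0-9.]*\)".*/\1/p'
}

# Succeed only if clients are told to send their default route through the VPN.
openvpn_redirects_gateway() {
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$1"
}

# Settings in the posted server.conf a practitioner would want flagged.
# Prints one line per finding; prints nothing when there is nothing to flag.
openvpn_warnings() {
    sed -e 's/#.*//' "$1" | while read -r directive rest; do
        case "$directive" in
            duplicate-cn)
                echo "warn: duplicate-cn lets any number of clients share one certificate, so a leaked client cert cannot be revoked per device" ;;
            comp-lzo|compress)
                echo "warn: $directive turns on VPN-level compression, which upstream OpenVPN now advises against (compression-oracle attacks such as VORACLE)" ;;
        esac
    done
}

# Run every check; the return value is the number of failures (0 = all good).
check_vpn_dns() {
    confdir="$1"; serverconf="$2"; pi_ip="$3"; fails=0
    if dnsmasq_listens_on "$confdir" tun0; then
        echo "ok   dnsmasq listens on tun0 ($confdir)"
    else
        echo "FAIL no interface=tun0 in $confdir/*.conf (step 2)"; fails=$((fails + 1))
    fi
    if [ "$(openvpn_pushed_dns "$serverconf")" = "$pi_ip" ]; then
        echo "ok   OpenVPN pushes DNS $pi_ip to clients"
    else
        echo "FAIL OpenVPN does not push DNS $pi_ip (got '$(openvpn_pushed_dns "$serverconf")', step 3)"; fails=$((fails + 1))
    fi
    if openvpn_redirects_gateway "$serverconf"; then
        echo "ok   redirect-gateway is pushed"
    else
        echo "FAIL redirect-gateway not pushed; client traffic outside the routed subnets stays off the VPN"; fails=$((fails + 1))
    fi
    return "$fails"
}

# When run on the Pi itself (RUN_VPN_DNS_CHECK=1 is an assumed switch), check the
# live files; 192.168.1.2 stands in for the Pi's LAN address and is an assumption.
if [ "${RUN_VPN_DNS_CHECK:-0}" = 1 ]; then
    check_vpn_dns /etc/dnsmasq.d /etc/openvpn/server.conf "${PI_IP:-192.168.1.2}"
    openvpn_warnings /etc/openvpn/server.conf
fi
```

Run it on the Pi as `RUN_VPN_DNS_CHECK=1 PI_IP=<pi address> sh check-vpn-dns.sh` after step 5; a non-zero exit code tells you which of the two config files still needs the line the post describes, and the warnings are advisory only (the post's config works as written, they just cost you per-client revocation and expose a compression side channel).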

TL;DR

OpenVPN creates a new virtual interface on the raspberry pi (default 'tun0' in my case), and pi-hole doesn't know about it until you put it into the /etc/dnsmasq.d/01-pihole.conf config file ~step 2. (Step 1 holds configs in case you update your pi-hole instance so you don't have to fiddle with config files again.)

Then you also need to tell your OpenVPN server to point all DNS queries by your clients (and other traffic requests) through your raspberry pi instead of it defaulting to your gateway or any other DNS server, as the pi will handle it ~ step 3.

If done correctly, you should start seeing IP addresses from both subnets in the admin web interface.


Deprecated as of a while ago, my bad :frowning:

It appears that when you update pihole, it does not add more than one 'interface' back into the 01-pihole.conf file (even if you have it listed in the setupVars.conf file). You will need to manually check and make sure that both of your interfaces are in place in the 01-pihole.conf file before it will work after updating.

Updating also results in only two DNS server addresses being listed, and any additional servers will need to be manually added as well.

Also, the new web interface appears to currently only show one listening interface in the "Pi-Hole Ethernet Interface" section, but it still is listening on both.

Long overdue :scream_cat: - Update - 3/15/2017
(Left original update section for a running history of changes)

Minor update and documenting an alternative way to maintain the additional interface when updating pi-hole so the interface does not have to be added in every time.

  • Pi-hole currently allows for adding more than two DNS servers and extra ones no longer need to be manually added outside the admin interface through configuration files.
  • The /etc/pihole/setupVars.conf file also no longer needs or really cares about additional 'PIHOLE_INTERFACE=' entries either (I think anyway), so Step 1 can be skipped entirely.

The system uses the dnsmasq service and parses the /etc/dnsmasq.d/ directory for configuration files. We can separate out our additional interface line (line: "interface=tun0" from Step 2 in my example from above) into a new, separate file in the same directory as 01-pihole.conf (should be that /etc/dnsmasq.d/ directory).

  1. Create a new file and call it whatever you'd like, but for example, I called my additional new file 02-addint.conf for the sake of clarity.
  2. Remove the extra interface line from 01-pihole.conf and place that line by itself into the new 02-addint.conf file.
  3. Save the new file, and either restart the pihole and dnsmasq services, or it's probably easier just to reboot your device entirely.
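As an added example that is not part of the original post: the three steps above as a script that can be re-run safely, so the drop-in is created once, the duplicate line is removed from 01-pihole.conf (with a backup), and dnsmasq's own syntax check runs before the restart. The directory, file and interface names are parameters whose defaults match the post; the RUN_ON_PI switch and the use of `service dnsmasq restart` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-3 of the update as a
# script that can be re-run safely. Directory, file and interface names are
# parameters; the defaults match the post (/etc/dnsmasq.d, 02-addint.conf, tun0).

# Step 1: create the drop-in with interface=<iface>, or leave it alone if the
# line is already there (so running this twice does not duplicate it).
add_dnsmasq_interface() {
    confdir="$1"; iface="$2"; target="$confdir/${3:-02-addint.conf}"
    if [ -f "$target" ] && grep -qx "interface=$iface" "$target"; then
        echo "already present: interface=$iface in $target"
        return 0
    fi
    printf 'interface=%s\n' "$iface" >> "$target"
    echo "added interface=$iface to $target"
}

# Step 2: take the same line out of 01-pihole.conf so it lives in one place.
# A .bak copy is kept; every line except that exact one is preserved.
remove_interface_from_pihole_conf() {
    confdir="$1"; iface="$2"; pihole="$confdir/01-pihole.conf"
    [ -f "$pihole" ] || return 0
    cp "$pihole" "$pihole.bak"
    # grep -v exits 1 when no lines are left, which is not an error here
    grep -vx "interface=$iface" "$pihole.bak" > "$pihole" || true
}

# Step 3 helper: ask dnsmasq to syntax-check the live configuration before a
# restart, skipping quietly on a machine that has no dnsmasq installed.
validate_dnsmasq_conf() {
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test
    else
        echo "dnsmasq not installed here; skipping syntax check"
    fi
}

# Steps 1 and 2 together for one interface.
split_vpn_interface() {
    confdir="${1:-/etc/dnsmasq.d}"; iface="${2:-tun0}"
    remove_interface_from_pihole_conf "$confdir" "$iface"
    add_dnsmasq_interface "$confdir" "$iface"
}

# On the Pi (RUN_ON_PI=1 is an assumed switch), apply the change and restart
# dnsmasq, which is what step 3 of the update amounts to.
if [ "${RUN_ON_PI:-0}" = 1 ]; then
    split_vpn_interface /etc/dnsmasq.d tun0
    validate_dnsmasq_conf && service dnsmasq restart
fi
```

Run it as root on the Pi with `RUN_ON_PI=1 sh split-vpn-interface.sh`. The drop-in name must end in .conf for dnsmasq to pick it up from the conf-dir, and since 01-pihole.conf is regenerated by the Pi-hole updater, the drop-in is the only copy of the line you need to keep.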

You should now be able to update pi-hole worry-free (for now ~ lol) without having to manually put the additional listening interfaces back in. What's cool is that the "teleporter" export utility from the admin interface also exports this extra config file along with the other standard files, so this change can get backed up worry-free as well.

edit: words | edit2: more words | edit3: update | edit4: DNS note | edit5: 3/15/2017 update | edit6: rephrasing
