Send Pi-Hole DNS requests through VPN connection (tun0), but use Pi-Hole on local network (eth0)

Hello,

I have an unusual setup, and I'm wondering if what I want to do is possible.
My current setup is the following:

  • My desktop computer goes through a VPN connection to access the internet (AirVPN)
  • My Raspberry Pi also goes through a VPN connection to access the internet (another AirVPN connection exiting through another internet-facing IP)

I'd like to run Pi-Hole on the Raspberry Pi, and be able to use it on my local network (eth0 interface) as a local DNS resolver. But I don't want the DNS requests to be sent through the eth0 interface (thus bypassing the VPN connection and defeating the purpose of not being spied by my ISP) but instead go through the VPN connection (tun0 interface), like everything else happening on my Raspi right now.

Is this behavior possible? If yes, what interface should I choose during Pi-Hole installation? eth0 or tun0? Because I'm afraid if I choose eth0, all DNS requests would go through eth0 interface, and not through my VPN connection.
Are there any additional steps to do to make it work like I want ?

Thank you in advance

Are you looking for a solution that is like the one outlined at our VPN wiki entry? GitHub - pi-hole/pi-hole: A black hole for Internet advertisements

No. If I understood correctly (correct me if I'm wrong) this page describes a way to allow clients to connect to the server where Pi-Hole is running with a VPN client, but only route DNS requests through it.

This is not what I need. I don't want to use my Pi-Hole installation from everywhere. I'll just use it on my local network. No VPN server will be installed on the machine where Pi-Hole resides. But a VPN client is already running on it. Let me explain through some improvised ASCII schema. What I want is this:

[My Computer] ==DNS A query (eth0)==> [Raspi] ==DNS A query (through VPN connection, tun0)==> [external DNS resolver] (let's say DNS.watch for the sake of example)

Of course the response would be the same route but the other way.

What I mean is I don't want Pi-Hole to send DNS queries "in clear" through my actual ISP connection, but route them through a VPN connection (the OpenVPN client is running on the Raspi where Pi-Hole will be installed). So the interface where Pi-Hole receives DNS queries from computers on the local network (eth0) is different from the interface it must use to send DNS queries to the Internet (tun0).

Otherwise, it completely defeats the purpose of using a VPN to avoid ISP spying (deep packet inspection, etc.), because my ISP would know every DNS request I make if I configure it to use the eth0 interface. (for example if I do "ping -I eth0 google.com" my ISP will see that I'm sending ICMP packets to Google. But if I do "ping -I tun0 google.com" they won't see anything except encrypted data going to a VPN server somewhere. This is the route I want the DNS queries from Pi-Hole to take... but the response must be delivered on the local network, and it can only reach the local network via eth0, which is the actual hardware interface connected to my modem-router)

If your raspberry pi is already using the VPN for internet access, then you're already set. Just choose the interface that the devices will use to query it during setup. That interface is what is used for dnsmasq to listen on, and for blocked domains to resolve to. The forwarded queries will go through the Pi-hole's normal internet path (the VPN gateway).
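The reply above makes the point that the interface Pi-hole listens on has nothing to do with where its forwarded queries exit: that is decided by the Pi's routing table, which the OpenVPN client normally rewrites so the default route goes through tun0. The script below is an added example, not code from the thread or from the Pi-hole project, that verifies this on the Pi by asking the kernel (`ip route get`) which interface a packet to each upstream resolver would leave on. It assumes the upstreams are DNS.watch (84.200.69.80 and 84.200.70.40, the resolver named in the thread) and that the expected egress interface is tun0; the sample route line is constructed for illustration.

```shell
#!/bin/sh
# Added check (not from the thread or Pi-hole): confirm that packets to
# Pi-hole's upstream resolvers leave the Pi via the VPN tunnel (tun0),
# not the LAN interface (eth0).
# Assumptions: the OpenVPN client holds the default route on tun0 and the
# upstreams are DNS.watch, 84.200.69.80 and 84.200.70.40.

# Constructed sample of what `ip route get 84.200.69.80` prints on such a
# Pi (gateway and source addresses are made up for illustration).
SAMPLE_ROUTE='84.200.69.80 via 10.8.0.1 dev tun0 src 10.8.0.6 uid 0'

# Print the outgoing interface, i.e. the word after "dev", from one
# `ip route get` output line.
egress_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Succeed (exit 0) only if the route line leaves via the expected interface.
route_uses_iface() {
    [ "$(egress_dev "$1")" = "$2" ]
}

# Live check: ask the kernel where a packet to each upstream would be sent.
# Prints one line per upstream; returns 1 if any would bypass the VPN.
check_upstreams() {
    want="$1"; shift
    rc=0
    for up in "$@"; do
        line=$(ip route get "$up" 2>/dev/null | head -n 1)
        if [ -z "$line" ]; then
            echo "$up: no route"; rc=1; continue
        fi
        if route_uses_iface "$line" "$want"; then
            echo "$up: OK via $want"
        else
            echo "$up: LEAKS via $(egress_dev "$line") (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Only run the live check where `ip` (iproute2) exists, as it does on
# Raspberry Pi OS; the helper functions above work without it.
if command -v ip >/dev/null 2>&1; then
    check_upstreams tun0 84.200.69.80 84.200.70.40
fi
```

Run it on the Pi while the OpenVPN client is up. A line ending in "OK via tun0" for every upstream means the forwarded queries follow the tunnel regardless of the interface chosen in the Pi-hole installer; a "LEAKS via eth0" line means the VPN client is not holding the default route (or the upstream is excluded from it), which is a routing problem to fix before relying on Pi-hole for privacy. Because the check reads the kernel's routing decision rather than Pi-hole's configuration, it also catches the case where the tunnel has gone down and traffic has fallen back to the ISP path.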

Oh ok... so even if I choose eth0 as the Pi-Hole interface, DNS queries would go through the normal internet path (VPN gateway, through tun0 interface)?

Nice! That's exactly what I wanted to know before proceeding with the installation (I have a shitton of things running on the Raspi and didn't want to mess up things and have to deal with backups etc. in case something went wrong). I'm clearly not a network expert... :') Maybe I should start learning more precisely how things (routing etc.) are handled on Linux.