Setting up Pi-Hole with PiVPN for the first time - few doubts

Blazex · January 10, 2021, 6:44pm

Hello everyone,

I just bought Raspberry Pi 4 and I am really looking forward to setup Pi-hole and PiVPN.
This is all new to me but I did some research online and I have couple of questions if I can.

My setup: ISP's modem (internet speed 150 Mbit/s), router TP-Link Archer C6 V2, 1x Raspberry Pi 4, small network with 2 laptops and 3 smart phones. No static IP address. I also have Mullvad account.

My goal: I want use Pi-Hole to get rid of the ads and telemetry on all devices. I want to install PiVPN and Wireguard to be able to connect to my network from outside.

1Q: Should I add these lists to default one or less is more? I would like to avoid false positive.

2.Q: I am little bit confused about DNS. My present idea is to set IP address of my rpi in my router as DNS server to be able to use Pi-hole on all my devices. Do I set secondary DNS same as primary? Do I have to turn off DHCP on my router and turn it on on rpi?

3.Q: I will try Cloudflare as my upstream DNS provider. Is it worth it to also install cloudflared do have DoH?

4.Q: Should I bother with unbound?

5.Q: During the installation of PiVPN with Wireguard, is it advisable to change port 51820 to something else to make life harder for potential intruder? Can I just add random number at the end?

6.Q: As I don't have static IP, I will use www.noip.com. Do I have to set up noip.com also in my router or just on rpi?

7.Q: I need to use Mullvad VPN from time to time, will it run on my setup?

Hope these questions are not too stupid. Many thanks.

jfb · January 10, 2021, 6:50pm

It's your choice. The more blocklists, the more opportunity for false positives. If you don't see ads now, you don't need more blocking.

That said, the ticked lists from that collection are fairly safe.

Depends on the router. You want Pi-hole to be the only DNS server available to clients. Some routers will auto-fill an empty second slot with the ISP DNS, for example. You can enter the same IP twice, if the router supports it. If not, then try 0.0.0.0 or an unused IP from your LAN range.

Unbound will offer you greater privacy than using a third party upstream DNS server - nobody is collecting your DNS history. Plus, you have complete control of your own resolver; no filtering, etc.

Not really. Changing ports doesn't provide any meaningful security improvement.

It will run, but when you use a commercial VPN your DNS traffic will no longer go to Pi-hole. This is done to prevent DNS leaks (DNS traffic outside the tunnel).

Blazex · January 10, 2021, 7:55pm

Thank you for this!
I just found this guide, I will try to follow it and will see what happens.

Blazex · January 10, 2021, 9:33pm

Is it generally suggested to turn off DHCP on my router and let rpi handle it?

jfb · January 10, 2021, 9:51pm

No. Use the DHCP server that best meets your needs. If you are happy with router DHCP, keep using it.

Blazex · January 10, 2021, 11:33pm

Thank you. I am in the middle of configuring unbound following guide from github and there is a part in config file:

# IPs authorized to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1 allow
access-control: 192.168.x.0/24 allow

The last line's IP address should be replaced with Subnet mask, from my router's LAN settings right?

yubiuser · January 11, 2021, 5:32am

Yes, replace it.

system · January 18, 2021, 5:32am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.