hey, I want to setup family and friends with a pihole, but don't want to install RPi's in all their homes.
I'd prefer to have, a more or less, open DNS I can point my friends devices and home routers to as their main DNS resolver.
Is there a safe way to do this without running the risk to be abused by DDOS attackers?
The safe way is to secure this with a VPN and set ups your friends and family with a VPN client.
Or, use the Pi-Hole you have at home, setup VPN to it and let your family and friends send their DNS requests (no traffic) to your Pi-Hole.
This is the guide: Redirecting...
This is how to route DNS only through the VPN: Redirecting...
Yeah I have done that with a handful. But this process is rather cumbersome as many people have multiple devices. Iād prefer to change the settings on their routers to use my pi-server as their DNS resolver.
It seems for this I still have to install OpenVPN on each client and give them a certificate, correct? Or can this be done with simply providing them with the IP of my DNS server?
With a VPN, each user will need a client and certificate. That's what makes it secure.
An alternate solution (which you would like to avoid) is to put a Pi at each location. For less than $25 or so, they can each buy a Zero, card, USB adapter and power supply. That's what I have done with friends and family (but I used a Zero W and used the wireless feature). Easy enough for me to setup, and they don't have to do anything to maintain it other than keep it plugged in.
I suspect the alternate will be easier on your part and their part as well. They VPN is not something they will likely be able to manage, and there is no guarantee that they can even support a VPN on their router. So, some clients would be on your Pi-Hole and others not - too confusing.