Pi-hole over openVPN connection

Hello,

In short, I want all devices that connect via VPN to use my pi-hole as DNS.

I know there is already an article that deals with this topic.


Unfortunately I don’t speak the language and I don’t know if the constellation is the same as mine.

Let’s start…

I have already installed an active openVPN service via Foris. It works fine. I have configured the firewall that all devices that connect to the VPN can access all devices in the “normal” network.

The pi-hole runs as LXC container on the router.
the pi-hole is configured as DNS server in DHCP.
All devices in the “normal” network get it assigned as DNS by DHCP.

How do I configure that all VPN connections get the pi-hole as DNS server?

Yes, I think your constellation is the same (I’m native CZ). The critical part seems

 list push 'dhcp-option DNS 192.168.1.5'

in /etc/config/openvpn (on the VPN server). I mainly skimmed the CZ topic; I don’t really have first-hand knowledge.

Oh, wait, that seems weird to me. Anyway, he used a firewall rule to let the address through, but I’m really confused from the approach. Perhaps it’s best to ignore me on this thread and hope someone else knows better :slight_smile:

Hi,

I think that for the working state you need two things:

  1. Firewall rule for communication from VPN to DHCP server (accept) = accept communication from VPN network to IP of your pi-hole “machine”, you can add any (tcp/udp) or just 53 TCP/UDP (DNS). It’s possible that something like that already exists after creating the VPN (because you want to communicate to your local network remotely so there should be a rule for the communication from VPN network to LAN, the problem is if you have pi-hole in some special network for example 172.17.3.0/24 - in that case you will need to create the rule for accepting the communication, but if you have that pi-hole server in 192.168.17.1.0/24 - native LAN - you don’t need that rule, it should exist)
  2. That setting saying that the DHCP server is IP with pi-hole

That guy said that you must edit file /etc/config/openvpn and there should be something like:
config openvpn 'server_turris'
	option enabled '1'
	option port '1194'
	option proto 'udp'
	option dev 'tun_turris'
	option ca '/etc/ssl/ca/openvpn/ca.crt'
	option crl_verify '/etc/ssl/ca/openvpn/ca.crl'
	option cert '/etc/ssl/ca/openvpn/01.crt'
	option key '/etc/ssl/ca/openvpn/01.key'
	option dh '/etc/dhparam/dh-default.pem'
	option server '10.111.111.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option duplicate_cn '0'
	option keepalive '10 120'
	option comp_lzo 'yes'
	option persist_key '1'
	option persist_tun '1'
	option status '/tmp/openvpn-status.log'
	option verb '3'
	option mute '20'
	list push 'route 192.168.155.0 255.255.255.0'
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.1.5'
	list push 'dhcp-option DNS 10.111.111.1'

The bold text is the parameter which says that the DNS server is on the specific address. You should change the address to your situation. You must have the address of your pi-hole server before the default address (in this example 10.111.111.1) because you want pi-hole to be the primary DNS server, otherwise the default DNS will work as the primary DNS and you don’t want that.

I’m not sure for what purpose those italic lines have so it’s possible that you will have some different values (it’s possible that even the address of default DNS will be different - that’s OK).

1 Like
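The two steps in the answer above (push the Pi-hole as DNS, and make sure the firewall lets VPN clients reach it on port 53) can be scripted from the router shell. The script below is an added example, not code from this thread or from Turris/OpenWrt. It takes the UCI section name `server_turris` and the interface `tun_turris` from the config posted above; the firewall zone names `vpn_turris` (the OpenVPN zone) and `lan` (where the Pi-hole lives) are assumptions, as is the default Pi-hole address 10.0.0.3, which is the asker's own value later in the thread. It only prints the `uci` commands so they can be reviewed before running, and it includes a check for the ordering problem the answer warns about: the Pi-hole must be the first pushed DNS server, otherwise the router's default DNS stays primary.

```shell
#!/bin/sh
# Added example (not from the thread): push a Pi-hole as DNS to OpenVPN
# clients on a Turris/OpenWrt router and verify the push order.
# Assumptions: UCI section 'server_turris' (from the thread), firewall
# zones 'vpn_turris' (VPN side) and 'lan' (Pi-hole side), Pi-hole 10.0.0.3.

# Emit the uci commands for: the DNS push (Pi-hole first, then an optional
# fallback such as the VPN gateway 10.111.111.1) and an explicit accept rule
# for DNS from the VPN zone to the Pi-hole only (least privilege: 53/tcp+udp
# to one host, instead of opening the whole LAN to VPN clients).
# Existing pushes of the same addresses are removed first so that uci add_list,
# which always appends, cannot leave the fallback ahead of the Pi-hole.
gen_uci_commands() {
    pihole="$1"
    fallback="${2:-}"
    echo "uci del_list openvpn.server_turris.push='dhcp-option DNS $pihole' || true"
    if [ -n "$fallback" ]; then
        echo "uci del_list openvpn.server_turris.push='dhcp-option DNS $fallback' || true"
    fi
    echo "uci add_list openvpn.server_turris.push='dhcp-option DNS $pihole'"
    if [ -n "$fallback" ]; then
        echo "uci add_list openvpn.server_turris.push='dhcp-option DNS $fallback'"
    fi
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='vpn-to-pihole-dns'
uci set firewall.@rule[-1].src='vpn_turris'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].dest_ip='$pihole'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit openvpn
uci commit firewall
/etc/init.d/firewall restart
/etc/init.d/openvpn restart
EOF
}

# Print the first address pushed with 'dhcp-option DNS' in a UCI openvpn
# file (lines like: list push 'dhcp-option DNS 10.0.0.3').
first_pushed_dns() {
    sed -n "s/^[[:space:]]*list push 'dhcp-option DNS \([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# Exit 0 when the Pi-hole is the first pushed DNS server, 1 otherwise.
# Clients take the first pushed server as primary, so a wrong order means
# queries silently bypass the Pi-hole even though the push "works".
check_dns_order() {
    [ "$(first_pushed_dns "$1")" = "$2" ]
}

# Usage on the router:  sh pihole-vpn.sh demo 10.0.0.3 10.111.111.1 | sh
# then, from a connected client, resolve a name and confirm it appears in the
# Pi-hole query log with the client's tunnel address (10.111.111.x).
if [ "${1:-}" = "demo" ]; then
    gen_uci_commands "${2:-10.0.0.3}" "${3:-}"
    check_dns_order /etc/config/openvpn "${2:-10.0.0.3}" \
        && echo "# order ok: Pi-hole is primary DNS" \
        || echo "# WARNING: Pi-hole is not the first pushed DNS server"
fi
```

The accept rule is deliberately narrower than a blanket VPN-to-LAN rule: if the Pi-hole already sits in the zone that VPN clients can reach, the rule is redundant but harmless; if it sits in a separate subnet, as the answer mentions, this is the one rule that is actually needed. After applying, run `check_dns_order /etc/config/openvpn 10.0.0.3` (or open the file) to confirm the Pi-hole line precedes the `10.111.111.1` line.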

Thanks for the answer.

I have tested it and it works.

I only modified the config /etc/config/openvpn with "list push 'dhcp-option DNS 10.0.0.3'". 10.0.0.3 is my pi-hole.

After a restart it worked immediately.

Thanks a lot!

1 Like