VPN server with PiHole and encrypted DNS

Initial Setup

This document serves as a technical reference for configuring a Pi-hole and OpenVPN setup. Users are encouraged to replicate the steps outlined herein.

  1. Follow the Pi-hole VPN Guide:

    • Access the guide here.
    • In the initial command, replace wget https://git.io/vpn -O openvpn-install.sh with wget https://git.hhf.technology/hhf/OpenVPN-install/raw/branch/main/openvpn-install.sh -O openvpn-install.sh. This points the download at a more secure fork of the installer.
    • Utilize the default options unless specific configurations are required (e.g., choose between tun0 and eth0 based on your network architecture).
    • Depending on privacy considerations and the current status of FTLDNS, it may be prudent to disable DNS logging options.
    • Ensure that iptables is configured to reload upon system restart by executing sudo bash -c "iptables-save > /etc/iptables.conf" and adding iptables-restore < /etc/iptables.conf to /etc/rc.local.
    • If operating in a hosted environment, consider opting out of static IP allocation; this may facilitate server restoration under different IP addresses (this remains untested).
    • For internal network setups, implement the following:
      • Refer to the optional guides for Dual Operation: LAN & VPN and Dynamic DNS (omit <b> </b> tags in the dual operation section).
      • Configure a static/reserved IP for the Pi-hole device and forward port 1194 in your router settings.
    • Users may experience slow connection speeds upon VPN initiation. To mitigate this, append tun-mtu 1400 and mssfix 1360 at the end of /etc/openvpn/server.conf.
  2. Implementing DNS Over HTTPS:

    • Until native functionality is integrated into FTLDNS, utilize Cloudflare’s encrypted DNS protocol via DNS over HTTPS. Refer to Cloudflare’s documentation here.
    • Follow either this tutorial or the official guide here.
    • For domain management on DigitalOcean, create a subdomain for your VPN that points to a dynamic IP address. The following script can be utilized to update DNS records dynamically from your Pi-hole:
    #!/bin/bash
    # Discover the current public IPv4 address (-s suppresses curl's progress output,
    # -4 forces IPv4) and write it into the DigitalOcean A record.
    PUBLIC_IPV4=$(curl -s -4 ifconfig.co)
    MY_API_ACCESS_TOKEN="your-api-key-from-https://cloud.digitalocean.com/settings/api/tokens"

    curl -X PUT -H "Content-Type: application/json" \
         -H "Authorization: Bearer ${MY_API_ACCESS_TOKEN}" \
         -d '{"data":"'"${PUBLIC_IPV4}"'"}' \
         "https://api.digitalocean.com/v2/domains/example.com/records/MY_DOMAIN_ID"


    Replace example.com with your domain name; the value for MY_DOMAIN_ID can be retrieved using:

    curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer YOUR_API_ACCESS_TOKEN" "https://api.digitalocean.com/v2/domains/example.com/records"
    

    Ensure the script is executable and schedule it in crontab using crontab -e.
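    As an added example (not part of the original guide), a hardened variant of the update script above: it refuses to publish anything that is not a well-formed IPv4 address, so an error page returned by the IP lookup never ends up in the DNS record, and it only sends the PUT when the record actually changes. The token, domain and record id are passed as arguments in place of the placeholders used above; the curl endpoints are the same as in the original script.

```shell
#!/bin/sh
# Added example, not from the original guide. Validates the discovered
# address before it reaches the DigitalOcean API and skips the PUT when
# the published record already matches.
set -eu

# Return 0 only for a dotted quad: four fields, 1-3 digits each, each <= 255.
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# JSON body for the PUT; only ever called with a validated address.
record_payload() { printf '{"data":"%s"}' "$1"; }

# 0 when the candidate is a valid IPv4 address that differs from the
# currently published one; 1 (with a message) otherwise.
needs_update() {
    current=$1; candidate=$2
    if ! is_ipv4 "$candidate"; then
        echo "refusing to publish non-IPv4 value: $candidate" >&2
        return 1
    fi
    [ "$current" != "$candidate" ]
}

# Live path: look up the public address and the published record, update only on change.
update_record() {
    token=$1; domain=$2; record_id=$3
    url="https://api.digitalocean.com/v2/domains/${domain}/records/${record_id}"
    new=$(curl -fsS -4 https://ifconfig.co)
    current=$(curl -fsS -H "Authorization: Bearer ${token}" "$url" \
        | sed -n 's/.*"data":"\([^"]*\)".*/\1/p')
    if needs_update "$current" "$new"; then
        curl -fsS -X PUT -H "Content-Type: application/json" \
            -H "Authorization: Bearer ${token}" \
            -d "$(record_payload "$new")" "$url" >/dev/null
        echo "updated ${domain}/${record_id}: ${current:-<none>} -> ${new}"
    else
        echo "no change (${new}); nothing sent"
    fi
}

# Usage: ./update-record.sh TOKEN DOMAIN RECORD_ID (e.g. from the same crontab entry).
if [ $# -eq 3 ]; then update_record "$@"; fi
```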

Migration of OpenVPN Server and Pi-hole

In the event that the OpenVPN server and Pi-hole are relocated to a new IP address (note: this process remains untested):

  1. Update the remote server IP in all existing client .ovpn files/configurations as well as in /etc/openvpn/client-template.txt.

    • This step is unnecessary if utilizing DynamicDNS configured within these files.
    • If using a domain name, ensure that DNS records are updated with your Domain Name Registrar.
  2. For configurations involving Dual Operation: LAN & VPN, modify /etc/openvpn/server.conf to reflect new IP addresses in:

    push "route 192.168.0.0 255.255.255.0"
    push "dhcp-option DNS 192.168.0.35"
    

    Adjust these settings according to any changes in subnet.

  3. Update /etc/dhcpcd.conf with the new static IP address and gateway (available in DigitalOcean under settings > networking). Reboot and verify functionality; further adjustments may not be necessary.

  4. Modify the IPv4 address in /etc/pihole/setupVars.conf, or alternatively execute pihole -r. Note that reconfiguration will be required for the cloudflared service established earlier.

    • If executing pihole -r, you will need to select a DNS server; subsequently, reconfigure Pi-hole to utilize the locally running cloudflared service as per this guide.
  5. Adjust any static IP configurations and OpenVPN port forwarding settings (typically on port 1194) in your new router.

  6. If utilizing Dual Operation: LAN & VPN, ensure /etc/iptables.conf reflects any changes to local subnet configurations (e.g., from 192.168.0.0/24 to 192.168.1.0/24).

  7. Restart the Pi-hole device to apply all firewall changes effectively.