OpenVPN with Pi-Hole and DNSCrypt on Raspberry Pi

Yes, you can get the benefit of running Pi-Hole for ad-free browsing while away from your house with OpenVPN (I actually use PiVPN), Pi-Hole, and DNSCrypt.

Akin to my last post, I didn't originally write this tutorial. This one comes from Yee Chie's website. Most of this is his; however, I've changed some of it to give you and me an easier setup. I'm posting it here so I can get to it when I need to.

I'm using Ubuntu for this as that's what I use on this RPi (I do use Raspbian for my lowly little RPi Zero Pi-Hole). Let's jump into it.

Install OpenVPN

As I noted above, I use PiVPN as my go-to for installing OpenVPN. Call me lazy, but it does save a few minutes of my life to let the scripts run the install. If you've ever installed Pi-Hole before, this will look familiar:

curl -L | bash

Now for some slight modification to our OpenVPN install.

We need to find the tun0 (that's tun zero) interface address (What's tun0? Read this.).

ifconfig tun0 | grep 'inet'

For me it's

ifconfig tun0 | grep 'inet' 

With this address noted, we need to open our config file and make a minor edit using sudo nano /etc/openvpn/server.conf, where you'll be presented with this:

We need to add our tun0 address to the mix by placing it just below the current two entries:

Comment out (add #) the first and second DNS ( and then add your own using the Save this file (Control +x) and exit.

Then restart your OpenVPN server using sudo systemctl restart openvpn.

Install Pi-Hole

Using their script you can simply run curl -sSL | bash to install Pi-Hole.

During the installation you'll be asked what network interface Pi-Hole should use. You must use the tun0 interface. Let it run and note your password on the last screen (or change it whenever using pihole -a -p).

Install DNSCrypt

At the time of writing the latest release was 2.0.17. If you'd like to install a newer version of DNSCrypt be sure to check out what their latest version is.

First, switch directories via cd /opt

Download the latest DNSCrypt sudo wget

Next we need to extract it via sudo tar -xf dnscrypt-proxy-linux_arm-2.0.17.tar.gz

Rename and change directories again sudo mv linux-arm dnscrypt-proxy && cd dnscrypt-proxy

Now we're making a configuration file via sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

Edit the newly created file via sudo nano dnscrypt-proxy.toml

We're going to change the following attributes:

ADD: server_names = ['',''] in the server section.

CHANGE: listen_addresses = ['', '[::1]:53'] to listen_addresses = ['', '[::1]:54'] (note the edit to the port #, 53 is already being used by Pi-Hole).

CHANGE: # require_dnssec = false to require_dnssec = true (remember to remove the # sign).

CHANGE: # tls_disable_session_tickets = false to tls_disable_session_tickets = true (also remove the #).

CHANGE: tls_cipher_suite = [52392, 49199] (mine were already set, just make sure yours are too).

After your changes are saved (Control +x) we need to install the DNSCrypt proxy service via sudo ./dnscrypt-proxy -service install

Start the proxy via sudo ./dnscrypt-proxy -service start
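
A quick way to confirm the dnscrypt-proxy.toml edits above actually took effect (a leftover # or a port still on 53 is the usual slip). This is an added example, not part of the original tutorial or the DNSCrypt project; the function names and the sample file, including its 127.0.0.1 placeholder address, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dnscrypt-proxy.toml for the edits listed in this post.

# Print the value of the first uncommented "key = value" line for key $2 in file $1.
toml_value() {
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*#.*//;s/[[:space:]]*\$//;p;}" "$1" | head -n 1
}

# Report each setting; exit status is 0 only when every check passes.
check_dnscrypt_toml() {
    file=$1
    fails=0
    # Pi-Hole already owns port 53, so the proxy must listen on 54 instead.
    listen=$(toml_value "$file" listen_addresses)
    case $listen in
        *:53\'*|*:53\"*) echo "FAIL listen_addresses still uses port 53"; fails=$((fails + 1)) ;;
        *:54\'*|*:54\"*) echo "ok   listen_addresses uses port 54" ;;
        *) echo "FAIL listen_addresses has no port 54 entry"; fails=$((fails + 1)) ;;
    esac
    # A line left as "# key = false" is still commented out and counts as unset.
    for key in require_dnssec tls_disable_session_tickets; do
        if [ "$(toml_value "$file" "$key")" = "true" ]; then
            echo "ok   $key = true"
        else
            echo "FAIL $key is not an uncommented 'true'"; fails=$((fails + 1))
        fi
    done
    suite=$(toml_value "$file" tls_cipher_suite | tr -d ' ')
    if [ "$suite" = "[52392,49199]" ]; then
        echo "ok   tls_cipher_suite = [52392, 49199]"
    else
        echo "FAIL tls_cipher_suite is '$suite', expected [52392,49199]"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample (not the author's file): the '#' on one setting was forgotten.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen_addresses = ['127.0.0.1:54', '[::1]:54']   # 127.0.0.1 is a placeholder
require_dnssec = true
# tls_disable_session_tickets = false
tls_cipher_suite = [52392, 49199]
EOF
check_dnscrypt_toml "$sample" || echo "Fix the FAIL lines, then restart the proxy."
rm -f "$sample"
```

To check the real file, call check_dnscrypt_toml /opt/dnscrypt-proxy/dnscrypt-proxy.toml instead of the sample.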

Configure Pi-Hole

To make this all come together we need to make one final edit via the Pi-Hole configuration/admin page; add our listening address and new port (54). It should read It may differ for you, but in the US, it's safe to say this is what it'll be unless you changed something with your own system. Note the "#" as opposed to the traditional ":". Here's what mine looks like:

And that's it. Your VPN is set up to use Pi-Hole (and a little extra security of DNSCrypt to keep your connection safer).
