Akin to my last post, I didn't originally write this tutorial. This one comes from Yee Chie's website itchy.nl. Most of this is his; however, I've changed some of it to make the setup easier for you and me. I'm posting it here so I can get to it when I need to.
I'm using Ubuntu for this as that's what I use on this RPi (I do use Raspbian for my lowly little RPi Zero Pi-Hole). Let's jump into it.
As I noted above, I use PiVPN as my go-to for installing OpenVPN. Call me lazy, but it does save a few minutes of my life to let the scripts run the install. If you've ever installed Pi-Hole before, this will look familiar:
curl -L https://install.pivpn.io | bash
Now for some slight modification to our OpenVPN install.
We need to find the tun0 (that's tun zero) interface address (What's tun0? Read this.).
ifconfig tun0 | grep 'inet'
For me it's
With this address noted we need to open our .config and make a minor edit using
sudo nano /etc/openvpn/server.conf and you'll be presented with this:
We need to add our tun0 address to the mix by placing it just below the current two entries:
Comment out (add #) the first and second DNS entries (184.108.40.206 and 220.127.116.11), then add your own using the 10.8.0.1 address. Save this file (Control +x) and exit.
Then restart your OpenVPN server using
sudo systemctl restart openvpn.
Using their script you can simply run
curl -sSL https://install.pi-hole.net | bash to install Pi-Hole.
During the installation you'll be asked what network interface Pi-Hole should use. You must use the
tun0 interface. Let it run and note your password on the last screen (or change it whenever using
pihole -a -p).
At the time of writing the latest release was 2.0.17. If you'd like to install a newer version of DNSCrypt be sure to check out what their latest version is.
First, switch directories to
Download the latest DNSCrypt
sudo wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.17/dnscrypt-proxy-linux_arm-2.0.17.tar.gz
Next we need to extract it via
sudo tar -xf dnscrypt-proxy-linux_arm-2.0.17.tar.gz
Rename and change directories again
sudo mv linux-arm dnscrypt-proxy && cd dnscrypt-proxy
Now we're making a configuration file via
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
Edit the newly created file via
sudo nano dnscrypt-proxy.toml
We're going to change the following attributes:
server_names = ['dnscrypt.nl-ns0','dnscrypt.nl-ns0-doh'] in the server section.
listen_addresses = ['127.0.0.1:53', '[::1]:53'] to
listen_addresses = ['127.0.0.1:54', '[::1]:54'] (note the edit to the port #, 53 is already being used by Pi-Hole).
# require_dnssec = false to
require_dnssec = true (remember to remove the # sign).
# tls_disable_session_tickets = false to
tls_disable_session_tickets = true (also remove the #)
tls_cipher_suite = [52392, 49199] (mine were already set, just make sure yours are too).
After your changes are saved (Control +x) we need to install the DNSCrypt proxy service via
sudo ./dnscrypt-proxy -service install
Start the proxy via
sudo ./dnscrypt-proxy -service start
To make this all come together we need to make one final edit via the Pi-Hole configuration/admin page; add our listening address and new port (54). It should read
18.104.22.168#54. It may differ for you, but in the US, it's safe to say this is what it'll be unless you changed something with your own system. Note the "#" as opposed to the traditional ":". Here's what mine looks like:
And that's it. Your VPN is set up to use Pi-Hole (and a little extra security of DNSCrypt to keep your connection safer).
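To confirm the edits above actually took effect, here is a small audit script. It is an added example, not part of the original tutorial or of the PiVPN, Pi-hole or DNSCrypt projects. It assumes server.conf carries its resolvers as push "dhcp-option DNS ..." lines, and 192.0.2.53 is a constructed placeholder for a leftover public resolver.

```shell
#!/bin/sh
# Added example, not from the original tutorial. File contents below are constructed.

# Print the value of the first uncommented "key = value" line ($1 = file, $2 = key).
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' | head -n 1
}

# Return 0 only if the dnscrypt-proxy.toml edits from the tutorial are in effect.
check_dnscrypt_toml() {
    rc=0
    for key in require_dnssec tls_disable_session_tickets; do
        val=$(toml_value "$1" "$key")
        [ "$val" = "true" ] || { echo "FAIL: $key = '${val:-unset/commented}'"; rc=1; }
    done
    listen=$(toml_value "$1" listen_addresses)
    if printf '%s\n' "$listen" | grep -Eq ":53['\"]"; then
        echo "FAIL: listen_addresses uses port 53, which Pi-hole already holds"; rc=1
    elif ! printf '%s\n' "$listen" | grep -Eq ":54['\"]"; then
        echo "FAIL: listen_addresses = '${listen:-unset}', expected port 54"; rc=1
    fi
    return $rc
}

# Return 0 only if every active DNS push in server.conf ($1) is the tun0 address ($2).
check_openvpn_dns() {
    pushed=$(sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]*DNS[[:space:]]*\([^"[:space:]]*\).*/\1/p' "$1")
    [ -n "$pushed" ] || { echo "FAIL: no active DNS push found"; return 1; }
    rc=0
    for addr in $pushed; do
        [ "$addr" = "$2" ] || { echo "FAIL: clients are still pushed DNS $addr"; rc=1; }
    done
    return $rc
}

# Constructed sample: one setting left commented out, one public resolver left active.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "listen_addresses = ['127.0.0.1:54', '[::1]:54']" \
        "# require_dnssec = false" "tls_disable_session_tickets = true" > "$dir/bad.toml"
    printf '%s\n' 'push "dhcp-option DNS 192.0.2.53"' \
        'push "dhcp-option DNS 10.8.0.1"' > "$dir/bad.conf"
    check_dnscrypt_toml "$dir/bad.toml"
    check_openvpn_dns "$dir/bad.conf" 10.8.0.1
    rm -rf "$dir"
}
demo || true
```

On a real install, call check_openvpn_dns with /etc/openvpn/server.conf and your tun0 address, and check_dnscrypt_toml with the dnscrypt-proxy.toml you edited. A public resolver left active in server.conf means VPN clients can send queries around Pi-Hole.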