Yes, you can get the benefit of running Pi-Hole for ad-free-browsing while away from your house with a OpenVPN (I actually use PiVPN.io), Pi-Hole, and DNSCrypt.

Akin to my last post, I didn't originally write this tutorial. This one comes from Yee Chie's website itchy.nl. Most of this is his, however, I've changed some to benefit you and I for an easier setup. I'm posting it here so I can get to it when I need to.

I'm using Ubuntu for this as that's what I use on this RPi (I do use Raspian for my lowly little RPi Zero Pi-Hole). Let's jump into it.

Install OpenVPN

As I noted above I use PiVPN as my go-to for installing OpenVPN. Call me lazy, but it does save a few minutes of my life to let the scripts run the install. If you you've ever installed Pi-Hole before, this will look familiar:

curl -L https://install.pivpn.io | bash

Now for some slight modification to our OpenVPN install.

We need to find the tun0 (that's tun zero) interface address (What's tun0? Read this.).

ifconfig tun0 | grep 'inet'

For me it's 10.8.0.1

ifconfig tun0 | grep 'inet' 

With this address noted we need to open our .config and make a minor edit using sudo nano /etc/openvpn/server.conf and you'll be presented with this:

We need to add our tun0 address to the mix by placing it just below the current two entries:

Comment out (add #) the first and second DNS (8.8.8.8 and 8.8.4.4) then add your own using the 10.8.0.1. Save this file (Control +x) and exit.

Then restart your OpenVPN sever using sudo systemctl restart openvpn.

Install Pi-Hole

Using their script you can simply run curl -sSL https://install.pi-hole.net | bash to install Pi-Hole.

During the installation you'll be asked what network interface Pi-Hole should use. You must use the tun0 interface. Let it run and note your password on the last screen (or change it whenever using pihole -a -p).

Install DNSCrypt

At the time of writing the latest release was 2.0.17. If you'd like to install a newer version of DNSCrypt be sure to check out what their latest version is.

First, switch directories to cd /opt

Download the latest DNSCrypt sudo wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.17/dnscrypt-proxy-linux_arm-2.0.17.tar.gz

Next we need to extract it via sudo tar -xf dnscrypt-proxy-linux_arm-2.0.17.tar.gz

Rename and change directories again sudo mv linux-arm dnscrypt-proxy && cd dnscrypt-proxy

Now we're making a configuration file via sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

Edit the newly created file via sudo nano dnscrypt-proxy.toml

We're going to change the following attributes:

ADD: server_names = ['dnscrypt.nl-ns0','dnscrypt.nl-ns0-doh'] in the sever section.

CHANGE: listen_addresses = ['127.0.0.1:53', '[::1]:53'] to listen_addresses = ['127.0.0.1:54', '[::1]:54'] (note the edit to the port #, 53 is already being used by Pi-Hole).

CHANGE: # require_dnssec = false to require_dnssec = true (remember to remove the # sign).

CHANGE: # tls_disable_session_tickets = false to  tls_disable_session_tickets = true (also remove the #)

CHANGE: tls_cipher_suite = [52392, 49199] (mine were already set, just make sure yours are too).

After your changes are saved (Control +x) we need to install the DNSCrypt proxy service via sudo ./dnscrypt-proxy -service install

Start the proxy via sudo ./dnscrypt-proxy -service start

Configure Pi-Hole

To make this all come together we need to make one final edit via the Pi-Hole configuration/admin page; add our listening address and new port (54). It should read 172.0.0.1#54. It may differ for you, but in the US, it's safe to say this is what it'll be unless you changed something with your own system. Note the "#" as opposed to the traditional ":". Here's what mine looks like:

And that's it. Your VPN is set up to use Pi-Hole (and a little extra security of DNSCrypt to keep your connection safer).