Pi-hole is free and open source software to block ads and tracking domain. It is released under the GNU General Public License. The biggest advantage is ad blocking on all devices on the network from your smartphone to your tablets including all desktop computers. It even blocks in app ads on iOS and Android/Windows devices. The benefits are as follows:
- Blocks all advertisements using network-level DNS based blocking.
- Works with both apps and websites regardless of operating system.
- You can pair your Pi-hole with a VPN software such as OpenVPN for on-the-go ad-blocking and save on data 3G/4G/LTE costs.
- You can get improved privacy and security due to blocking of ads and tracking codes.
This tutorial provides step-by-step instructions for configuring an OpenVPN server on a Debian or Ubuntu Linux v14.04/16.04 LTS including Pi-hole ad blocking software. The steps are as follows.
Install OpenVPN
Type the following two commands:
$ wget https://git.io/vpn -O openvpn-install.sh
$ sudo bash openvpn-install.sh
Just follow on screen instructions to install the OpenVPN server. See our step-by-step guide for more detailed information on setting up an OpenVPN server on Linux.
Installing Pi-hole on a Linux server
At this stage I am assuming that you have a working OpenVPN server. The client is also configured to OpenVPN on OSX/Windows/Linux/FreeBSD/iOS/Andriod devices.
Note down your OpenVPN server IP address
Type the following command:
$ ip a show dev tun0
Sample outputs:
Fig.01: Finding out your OpenVPN server IP address
$ ip r | grep default
default via 192.168.2.254 dev br0 onlin
Our sample setup
Our sample setup/network
Install PI-HOLE
Run the install command as follows:
$ wget -O basic-install.sh https://install.pi-hole.net
$ sudo bash basic-install.sh
You will see progress on screen as follows:
Fig.02: Pi-Hole installer in action
Choose an interface for Pi-hole
Fig.03: Select an interface of OpenVPN server such as tun0
Select protocols for dns server
Fig.04: You must at least select IPv4 for all dns queries
Setup a static IP address (select No)
Fig.05: You must set a static IP address and it must match to tun0/OpenVPNs static IP address
Fig.06: Enter your tun0 interfaces IP address here
Fig.07: Setup default router IP
Fig.08: Are static IP settings correct? Yes.
Setup upstream DNS IP address
Fig.09: Select upstream DNS provider such as Google DNS
Fig.10: Installation complete
Test it
Type the following command on Pi-hole to see if DNS is working or not:
$ host cyberciti.biz 10.8.0.1
Sample outputs:
Using domain server: Name: 10.8.0.1 Address: 10.8.0.1#53 Aliases: cyberciti.biz has address 75.126.153.202 cyberciti.biz mail is handled by 1 aspmx.l.google.com. cyberciti.biz mail is handled by 10 aspmx2.googlemail.com. cyberciti.biz mail is handled by 10 aspmx3.googlemail.com. cyberciti.biz mail is handled by 5 alt1.aspmx.l.google.com. cyberciti.biz mail is handled by 5 alt2.aspmx.l.google.com.
Now try to lookup ad server IP address:
$ host pagead2.googlesyndication.com 10.8.0.1
Sample outputs:
Using domain server: Name: 10.8.0.1 Address: 10.8.0.1#53 Aliases: pagead2.googlesyndication.com has address 10.8.0.1
As you can see 10.8.0.1 is not a valid public IP address hence any ads coming from pagead2.googlesyndication.com will be served by our own Pi-hole.
Update OpenVPN config to push our PI-hole dns server
Type the following command:
$ sudo vi /etc/openvpn/server.conf
Delete or comment out existing DNS entries:
#Stop using Google DNS for our OpenVPN
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
Next add our PI-Hole DNS IP address:
push "dhcp-option DNS 10.8.0.1"
Save and close the file. Restart the OpenVPN server:
$ sudo systemctl restart openvpn@server
Open port 53 and 80 for our OpenVPN subnet
Type the following commands:
$ ufw allow proto tcp from 10.8.0.0/24 to 10.8.0.1 port 80
$ ufw allow proto tcp from 10.8.0.0/24 to 10.8.0.1 port 53
$ ufw allow proto udp from 10.8.0.0/24 to 10.8.0.1 port 53
Now reconnect all OpenVPN clients and you should able to browser everything without ads on your mobile devices. You can view PI-hole stats with the following url:
http://10.8.0.1/admin/
Sample outputs:
Fig.11: Pi-Hole admin/stats area
Conclusion
And there you have it, Pi-hole installed and configured on Debian or Ubuntu Linux along with an OpenVPN server. See Pi-hole.net for more information.
- How To Setup OpenVPN Server In 5 Minutes on Ubuntu Server
- Install Pi-hole with an OpenVPN to block ads
- Update/upgrade Pi-hole with an OpenVPN
- OpenVPN server on Debian 9/8
- Import a OpenVPN .ovpn file with Network Manager
- Ubuntu 18.04 LTS Set Up OpenVPN Server In 5 Minutes
- CentOS 7 Set Up OpenVPN Server In 5 Minutes
- Pi-Hole and Cloudflare DoH config
- Debian 10 Set Up OpenVPN Server In 5 Minutes
- CentOS 8 OpenVPN server in 5 mintues
- Ubuntu 20.04 LTS OpenVPN server in 5 mintues
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
- RSS feed or Weekly email newsletter
- Share on Twitter • Facebook • 14 comments... add one ↓
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
Comments on this entry are closed.
Hi, great tutorial!
Unfortunately, my Android phone (Nexus 6P, running 7.1.1 DP 2) doesn’t correctly copy the DNS server settings pushed by the OpenVPN server. Is there something I can do about this?
Hello and thanks for your toturial.
I was looking for something of this type but also solution to another problem. Is it possible to have pi-hole work with a VPN client?
For what I have seen in google searches and and tests that I have already done with another software (script ab-solution) in conjunction with the openvpn client the ads are not blocked because of the resolution of dns in the dnsmasq file and because of the options Strick or exclusive in client configuration.
If I put the option strick I get the ad blocking to work but I have dns leak, if I put the option in exclusive I do not have dns leak, but I do not have ad blocking.
Can you help me?
Thank you.
Pi-hole was designed for Raspberry Pi, but also works on most Debian-based distros. ( ) ?
Linux Mint, Ubuntu provide images for RPi as well.
the ? character in my previous message was supposed to be a U+2665, a black heart suit.
Hi. Can you give the `iptables` direct command that corresponds to
ufw allow proto udp from 10.8.0.0/24 to 10.8.0.1 port 53
Here is my current situation:
I have OpenVPN-2.4 running on my Ubuntu 16.04 server, and also running on my clients: dd-wrt router, Windows x64 Pro, and Android 7.1.1.
In my Ubuntu /etc/openvpn/server.conf I have
push “dhcp-option DNS 10.8.0.1”
I want my clients to use the server’s iptable rules set up to block a list of IP addresses.
I have have tried several sets of iptable rules in my Ubuntu server /etc/init.d/openvpn file, not of which work. E.g., I try
blacklist IP:
iptables -A INPUT -s IP -j DROP
delete blacklisted IP
iptables -D INPUT -s IP -j DROP
to test an IP that I can use in one of my client browsers.
I have tried (uncommented iptables lines are used currently):
# iptables -A INPUT -i tun+ -j ACCEPT
# iptables -A FORWARD -i tun+ -j ACCEPT
# iptables -A FORWARD -i tun+ -o eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o tun+ -m state –state RELATED,ESTABLISHED -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables -A OUTPUT -o tun+ -j ACCEPT
## from Linode doc
/sbin/iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -j REJECT
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -i tun+ -j ACCEPT
/sbin/iptables -A FORWARD -i tun+ -j ACCEPT
Otherwise, my VPNs seem to be working fine.
Thanks.
Lester
Hi there, i thought your tutorial was very clear and easy to get through. It worked very well…. for a few hours hahaha! Now I keep having problems connecting my openvpn. I cant ssh into my pi, but when I reboot AND restart the openvpn server it seems to be working again. For a few hours! I’ve checked out the IPtables and they seem to be messed up when I cant ssh into my pi anymore. The weird thing is it works fine for a few hours, only after reconnecting/spending some time on the vpn it stops working completely. Anybody else had this problem or knows a solution?! Thank you!
That is weird. You need to make sure you are not running out of memory. Also what OS and version? What is the version Kernel? Older kernels have bugs on Ubuntu that killed process randomly. Make sure you are using latest kernel. HTH
Thank you for your fast reply! I’m running on Raspbian jessie version 8.0.
Yep. I have the same problem. Randomly stop’s working after a few hours. Running on a Linode VPS (Ubuntu 17)
Hi would i be able to setup raspberry pi and also use openvpn to set up my paid vpn such as private intenet access for example?
i mean openvpn and pihole
I think I’m missing something. To access Pi-Hole over LTE using the VPN, don’t I need to modify my router’s settings?
I am using it over both LTE and wifi. No problem what so ever.