[GUIDE] My Pi-hole and PiVPN powered by our Raspberry Pi 3 Model B+


JeremyNSL

Senior Member
Mar 13, 2013
150
42
I just want to say thanks for the tutorial. I followed a different tutorial and it resulted in a non-working pihole (I already had pihole installed and working prior to following that tutorial) and a non-working pivpn. This tutorial worked perfectly!
 

Oswald Boelcke

Forum Moderator / Recognized Translator
Staff member
Unbound

I just want to say thanks for the tutorial. I followed a different tutorial and it resulted in a non-working pihole (I already had pihole installed and working prior to following that tutorial) and a non-working pivpn. This tutorial worked perfectly!
I'm very glad to read that it worked for you. Please allow me to reiterate that all credits go to Mike Kuketz as I mentioned in the OP. With his permission I simply translated his tutorial and brought it to XDA to reach a wider audience.
If interested, I intend to eventually also install unbound and am going to amend this thread afterwards accordingly. Please stay tuned.
 

Steelskinz

Senior Member
Mar 14, 2012
342
50
Lyon
Will you combine pihole, pivpn in docker mode managed by portainer and keep up to date with watchtower?
PS: I switched to your Non-crossed-list. Thanks! :)
 

Oswald Boelcke

Forum Moderator / Recognized Translator
Staff member
Will you combine pihole, pivpn in docker mode managed by portainer and keep up to date with watchtower?
PS: I switched to your Non-crossed-list. Thanks! :)
Negative. Setup/configuration won't change; the current one completely satisfies our requirements.
 

aneeshprasobhan

Senior Member
Jun 9, 2012
142
30
Trivandrum
Excellent Guide

Code:
cd /etc/dnsmasq.de
sudo touch 10-general.conf
sudo nano /etc/dnsmasq.d/10-general.conf
Insert line:

Finally, I was required to re-start both services:
Code:
sudo /etc/init.d/openvpn restart
sudo /etc/init.d/dnsmasq restart
Alternatively, I could certainly simply have rebooted the Raspberry Pi.


This was an excellent guide and helped me setup Pihole and PiVPN on the same Pi running stable.

Just a few issues I came across. On the 4th set of code, are you sure about the file name?
1) It says "cd /etc/dnsmasq.de", but I was able to access the directory only when I edited the file name to "dnsmasq.d".
2) When I tried restarting the dnsmasq, it returned an error saying "sudo: /etc/init.d/dnsmasq: command not found", but as you mentioned, the alternate way of doing this was to restart the Pi (could this be because I'm running Raspbian Buster and Test version of PiVPN?). This worked well.

Overall really good guide and it helped me a lot. Thanks to you and Mike Kuketz.

Regards,
Aneesh
 

Oswald Boelcke

Forum Moderator / Recognized Translator
Staff member
...
1) It says "cd /etc/dnsmasq.de", but I was able to access the directory only when I edited the file name to "dnsmasq.d".
2) When I tried restarting the dnsmasq, it returned an error saying "sudo: /etc/init.d/dnsmasq: command not found", but as you mentioned, the alternate way of doing this was to restart the Pi (could this be because I'm running Raspbian Buster and Test version of PiVPN?). This worked well.
...
Thanks very much, and I'm glad it worked for you. We're very satisfied with the Pi in our network.
And you're absolutely correct with both issues. Thanks very much for pointing them out to me. I'm correcting it immediately.
1. Just a typo. It has to be dnsmasq.d
2. That was the command before the folder dnsmasq.d was added.


BTW: I suggest avoiding quoting such long posts completely, or at least putting them into hide brackets, as it really clutters the screen. However, hide brackets are only good if on a browser; for people using XDA Labs they don't work, and those users have a relatively small screen cluttered.
 

Oswald Boelcke

Forum Moderator / Recognized Translator
Staff member

gadgetguy08

Senior Member
Apr 2, 2008
329
110
Discovered this very interesting-sounding project: Snips! De-centralised, open source and local.
If time permits I'm probably going to try to implement it.
All credits go (as usual) to Mike Kuketz to point me towards Snips.

I was interested when I saw this and started researching it, but discovered that Snips has recently been bought by Sonos!
There is plenty of outrage from the developer community:
https://forum.snips.ai/t/important-message-regarding-the-snips-console/4145
 

Oswald Boelcke

Forum Moderator / Recognized Translator
Staff member
For quite a while I thought how to best bump this thread, and then I decided to simply share that the Pi with its Pi-hole and PiVPN are running perfectly as advertised and without any issues. And an interesting thread that I like to share despite me not being among the moderators who have been pinged in that thread: https://forum.xda-developers.com/galaxy-note-10-lite/help/bugs-software-t4096645

Stay safe and stay healthy!
Regards
Oswald Boelcke
 

Steelskinz

Senior Member
Mar 14, 2012
342
50
Lyon

Top Liked Posts

  • 13
    ATTENTION (update on 2018-04-09): The procedures described in this thread are only working if you own an internet account with a public IPv4 address or dual stack i.e. both, public IPv4 and public IPv6 addresses. For account with only a public IPv6 address, it won't work. Please also refer to post #16.


    Although I'd already read quite a lot about commercial VPN providers, reading of this article "VPN Leaks Found on 3 Major VPNs out of … 3 that We Tested" clearly established my decision to go for my own private VPN.
    Thanks to Mike Kuketz who's running an excellent German blog regarding information technology security, I was able to study these two articles (https://www.kuketz-blog.de/pi-hole-schwarzes-loch-fuer-werbung-raspberry-pi-teil1/, https://www.kuketz-blog.de/pivpn-raspberry-pi-mit-openvpn-raspberry-pi-teil3/) about Pi-hole and PiVPN on/via a Raspberry Pi and immediately decided to purchase a Raspberry Pi 3 Model B+ (including an official case and charger) from an authorised Raspberry Pi dealer. Remark for German speaking XDA users: Mike also runs a very interesting forum in conjunction with his blog.

    I'd be glad if this thread raises or raised your interest in a Raspberry Pi with Pi-hole and PiVPN. We are fascinated by their capabilities and glad to be able to utilise our own private VPN. If you also decide to go for it I hope that this tutorial facilitates setup and configuration. However, always be aware and remember that different scenarios exist in which use of a VPN might be reasonable. To anonymously browse the web via a VPN-provider certainly doesn't belong to that. The desire for anonymity and privacy in the world wide web is a reasonable wish of many users that can unfortunately hardly be implemented or only by extremely high efforts. You do not achieve anonymity while browsing the web, only because your network traffic is tunneled via a VPN-provider. This is only a promotional promise belonging into the category of modern fairy tales of the internet. However, by use of a (private) VPN you certainly enhance your privacy due to the encryption of your data traffic in this case between the Android device and the Raspberry Pi / PiVPN.

    Intent of this thread is to share my experiences and procedure during the setup of the Raspberry Pi, Pi-hole and PiVPN. As client (or you might call it the companion of PiVPN) on our Android devices, I use OpenVPN for Android by Arne Schwabe. I downloaded it from F-Droid; however, it's also available via the Google Play Store. Possibly interesting to a few Android users might be that it does not require root. The whole setup is positively working on our Android Nougat ROM but I don't have any experiences with Android Oreo.
    Additionally I want to clearly emphasise that I personally used Mike's two above linked articles written in German i.e. my thread is more or less only a translation of Mike's instruction into English. Therefore, I must clearly state that all credits go to Mike Kuketz.

    Generally, in this thread I don't intend to discuss the reasons that induced my decision to establish my own private VPN or to create my own Network-wide ad blocking. Already brief searches of the web are providing multiple hits in this context but it's anyway a very private decision.

    Additionally, I'm only focusing on our router, an AVM Fritz!Box 7390, our Android devices (Samsung Galaxy S3 LTE - i9305, all with RR-N-v5.8.5-final, Magisk v16.0, Xposed, XPrivacyLua and GApps-free thanks to microG), and Windows 10 Pro on a notebook (just started to familiarise myself with Linux Mint i.e. all work in regard to this thread was conducted under Windows). I'm convinced that all interested readers of this thread are capable of translating/transferring the basic ideas to other routers, devices or Linux, iOS etc.

    Content:


    Remark:

    1. In the attached screenshots, IP-addresses are blacked out for privacy reasons.
    2. Please advise if something is not clear, incorrect or incomplete.


    Off topic comments are allowed as long as they are generally related to the overall topic, are in the general interest of the followers of this thread and add value to the thread. Having fun is always welcomed here. The ultimate decision rests with me as the OP!
    5
    PiVPN in Combination with the Pi-Hole

    Updated on 2019-06-15.
    --------------------------------------------------------------------------------------------------------------------------------------------------


    Please allow me to mention another great advantage of having PiVPN together with Pi-hole on one and the same Raspberry Pi:
    All of our mobile devices, which connect via OpenVPN with our home network, benefit from the Pi-hole i.e. no advertisement or trackers that follow us at every turn when connected to the web via mobile data or a WiFi network other than ours.

    However, in order to achieve this I was required to slightly modify two configuration files on the Raspberry Pi as described below (please refer to the screenshots) - and ok, it's self-evident that I had to first install Pi-hole and PiVPN on the same Raspberry Pi before as described in this thread.

    At first, I modified the OpenVPN server configuration by nano via the Raspberry Pi's console:
    Code:
    sudo nano /etc/openvpn/server.conf
    The file opened and I looked for those two lines showing the IP-addresses of the DNS servers of my choice and as mentioned in the posts above:
    Code:
    push "dhcp-option DNS 85.214.20.141"
    push "dhcp-option DNS 213.73.91.35"
    I deleted one line and modified the other one to read:
    Code:
    push "dhcp-option DNS 10.8.0.1"
    As DNS-server for all of our clients I've therefore defined the IP address of the VPN interface (tun0) (originally the local IP of the eth0 interface) of our Raspberry Pi, and hence forward all DNS-requests to the local DNS-server (dnsmasq) of the Pi-hole.


    With its latest release Pi-hole changed the content of dnsmasq.conf located at /etc (for details refer to DNS Resolver in the Pi-hole documentation). dnsmasq.conf now simply points to a new folder named dnsmasq.d that is also located at /etc (refer to attached screenshot 1). This folder now contains the actual configuration files and is initially only populated with one file called 01-pihole.conf, which is the configuration file of Pi-hole's dnsmasq. 01-pihole.conf is used and modified by Pi-hole itself, and no custom modification should be made to it (refer to screenshot 2). However, additional configuration files in this folder will be executed in sequence by dnsmasq / FTLDNS.
    This means I created a new file called 10-general.conf with the content:
    Code:
    cd /etc/dnsmasq.d
    sudo touch 10-general.conf
    sudo nano /etc/dnsmasq.d/10-general.conf
    Insert line:
    Code:
    interface=tun0
    This means we added a line with the VPN interface (tun0) that is listening on IP 10.8.0.1 by default.

    Finally, I simply rebooted the Raspberry Pi.
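
A check for the two edits described in the post above, as an added example that is not part of the original post: it confirms that `server.conf` pushes only the Pi-hole tunnel address as resolver and that a file in `dnsmasq.d` binds dnsmasq to `tun0`. The function names are hypothetical and the sample files are constructed; the paths, `10.8.0.1` and `tun0` are the post's values.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# Print each resolver handed out by an active push "dhcp-option DNS ..." line.
# Lines commented out with # or ; do not match and are ignored.
pushed_dns() {
    sed -n -E 's/^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]+([^"[:space:]]+)".*$/\1/p' "$1"
}

# Succeed if any file in the dnsmasq.d directory has an active interface=<name> line.
dnsmasq_listens_on() {
    grep -qsE "^[[:space:]]*interface=$2[[:space:]]*$" "$1"/*
}

# Print findings; return 0 only if Pi-hole is the sole pushed resolver and
# dnsmasq is bound to the tunnel interface. Runs in a subshell to keep variables local.
audit_vpn_dns() (
    server_conf=$1; dnsmasq_dir=$2; pihole_ip=${3:-10.8.0.1}; ifname=${4:-tun0}
    rc=0; seen=0
    for ip in $(pushed_dns "$server_conf"); do
        seen=1
        if [ "$ip" != "$pihole_ip" ]; then
            echo "FINDING: clients are pushed resolver $ip, which bypasses Pi-hole"
            rc=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "FINDING: no resolver is pushed, so clients keep their own DNS"
        rc=1
    fi
    if ! dnsmasq_listens_on "$dnsmasq_dir" "$ifname"; then
        echo "FINDING: no interface=$ifname line in $dnsmasq_dir"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: VPN clients resolve via $pihole_ip on $ifname"
    return "$rc"
)

# Constructed sample files (not real configs): the state before and after the edits.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/before/dnsmasq.d" "$d/after/dnsmasq.d"
    printf '%s\n' 'dev tun' 'proto udp' 'port 1194' \
        'push "dhcp-option DNS 85.214.20.141"' \
        'push "dhcp-option DNS 213.73.91.35"' > "$d/before/server.conf"
    printf '%s\n' 'interface=eth0' > "$d/before/dnsmasq.d/01-pihole.conf"
    printf '%s\n' 'dev tun' 'proto udp' 'port 1194' \
        '# push "dhcp-option DNS 213.73.91.35"' \
        'push "dhcp-option DNS 10.8.0.1"' > "$d/after/server.conf"
    printf '%s\n' 'interface=eth0' > "$d/after/dnsmasq.d/01-pihole.conf"
    printf '%s\n' 'interface=tun0' > "$d/after/dnsmasq.d/10-general.conf"
    echo "$d"
}

# Demo on the constructed samples. On the Pi the call would be:
#   audit_vpn_dns /etc/openvpn/server.conf /etc/dnsmasq.d
sample=$(make_sample)
audit_vpn_dns "$sample/before/server.conf" "$sample/before/dnsmasq.d" || true
audit_vpn_dns "$sample/after/server.conf" "$sample/after/dnsmasq.d"
rm -rf "$sample"
```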
    4
    Initial Installation of the Raspberry Pi

    Updated on 2019-03-17!
    ********************


    As already said I'd ordered a Raspberry Pi 3 Model B+ including the official housing and AC charger. Most likely the whole setup is going to work with other Raspberry Pi models but please note that Jacob Salmela, the developer of Pi-hole, recommends a system of 512 MB RAM. Brief remark, you're unable to place the Raspberry Pi in its housing with an inserted microSD card.
    Talking about microSD cards, I use a 32 GB, class 10 card to host the Raspberry Pi's OS and the Pi-hole/PiVPN. I'm convinced that a 16 GB card is also suitable, even a 8 GB one might be sufficient. I personally didn't require a keyboard or screen for the Raspberry Pi as I connect to it via a Secure Shell (SSH).
    I decided to use RASPBIAN, the official OS of the Raspberry Pi Foundation; however, there're other OS' available, just search the web. I'm using Raspbian Stretch Lite, which fully meets my requirements, and downloaded it here as a zip-file. Unzipped the file and inserted the microSD into my notebook. There are multiple ways described to flash the OS image to the SD but I decided to use the way via Win32DiskImager. The Win32DiskImager utility is available via its Sourceforge Project page as an installer file. I just exactly followed the instructions as provided on the last linked Raspberry Pi page.
    After the image had been flashed to the SD I had to create a simple file called "ssh" in the /boot partition in order to be later on able to access the Raspberry Pi via SSH. As a Windows user, first I'd to install Ext2Fsd driver to be able to access the system partition. The microSD was now prepared and ready to use.

    The Raspberry Pi was already sleeping in its housing, I inserted the microSD into the Pi, connected the Pi by a regular network cable to LAN3 of my Fritz!Box (LAN1 is used for the connection to my Genexis Hybrid Live! Titanium-54 running in bridge mode as fiber modem, the internet radio is connected to LAN4) and finally connected the Pi to power.

    For the following steps, please refer to the attached screenshots (I apologise for not having changed Windows system language to English). Next step was to access the admin panel of our Fritz!Box. Its DHCP server is enabled; however, I don't allow the DHCP server to use the complete spectrum of IP addresses ("Home network => Home network overview => Network settings => IPv4-addresses"). On "Home network => Home network overview" I selected the details of the raspberrypi. Here, I assigned an IP to raspberrypi that is outside of the DHCP IP-range and ticked the always assign the same IP. Just for completeness, even before I installed the Raspberry Pi the DNS-servers were set to 85.214.20.141 (i.e. Digital Courage) and 213.73.91.35 (i.e. Chaos Computer Club) in the Fritz!Box ("Internet => Access credentials => DNS server"). On this German page you find other uncensored and free DNS servers without tracking.

    Knowing the IP-address of the Raspberry Pi, I now connected to the Pi via SSH by use of PuTTY that I downloaded from here and installed it. After start of PuTTY and entering of the Pi's IP, a terminal opens.
    The default user credentials are:
    - User: pi
    - Password: raspberry

    Now, I accessed the Pi's admin terminal, and first changed the default password by:
    Code:
    passwd
    Changed slightly the Pi's configuration:
    Code:
    sudo raspi-config
    Code:
    Advanced Options → Expand Filesystem 
    
    Localisation Options → Change Timezone → Europe → Berlin
     Finish, Reboot
    My last step in the setup of the Raspberry Pi was to update the packages by:
    Code:
    sudo apt-get update
    sudo apt-get upgrade
    sudo reboot
    Final remark: I keep the Raspberry Pi's WiFi disabled as I don't require it.
    4
    The Pi-hole

    Updated on 2019-03-18!
    ********************


    The Pi-hole has been developed by Jacob Salmela since 2015. Pi-hole is based on dnsmasq and the webserver Lighttpd. The complete source code is available at GitHub. But what makes Pi-hole actually so special? It's a solution to block advertisement and trackers already within the network i.e. Pi-hole is theoretically able to block ads for all devices connected to the network. I guess this initially sounds adventurous but it proves to work in our home network.

    If interested in the technical background please refer to the linked websites.

    For the installation of Pi-hole on the Raspberry Pi, I connected to the Pi via SSH and opened a terminal. For a full automatic installation of Pi-hole I used the following command line:
    Code:
    curl -sSL https://install.pi-hole.net | bash
    Attention: Please acknowledge the following statement posted on the Pi-hole webpage:
    Our code is completely open, but piping to bash can be dangerous. For a safer install, review the code and then run the installer locally.
    After completion of the installation of all packages and dependencies, the configurator opened. My personal selection is as follows:

    • Select Upstream DNS Provider
      • Custom: 85.214.20.141, 213.73.91.35 [Remark: DNS servers as already mentioned in post #2.]
    • Select Protocols
      • IPv4: Check
      • IPv6: Uncheck (Remark: None of our devices uses IPv6.)
    • Do you want to use your current network settings as a static address?
      • IP address: xxx.xxx.xxx.xxx (Remark: The fixed IP-address of the Raspberry Pi.)
      • Gateway: xxx.xxx.xxx.1 (Remark: The IP of my router i.e. the Fritz!Box.)
    • Do you want to log queries?
      • On: Check
    After the configurator's queries were completed it provided me with the address of graphical web-interface (http://pi.hole/admin or http://"IP-address of the Pi"/admin; screenshot available in the OP) and the login password for Pi-hole.


    Remark: As soon as practicable I changed the initial password to my own one by following command line:

    Code:
    sudo pihole -a -p
    In order that ads and trackers are blocked by the Pi-hole, it's necessary to point the Pi as the DNS-server to all devices. As usual, different ways and approaches exist to do so. Below I only describe the one I used.


    Please refer to the attached screenshot that I already used in post #2, too. I circled the field where I inserted the IP-address of the Pi as the local DNS server.
    Remark: With some routers it's possible to simply assign the IP-address of the Raspberry Pi as the new DNS-server. Advantage: Nothing is changing for the clients; they simply send a DNS-request to the router that forwards it to the Pi-hole in turn. However, this feature is not available for all Fritz!Boxes due to their integrated "DNS Rebind Protection".


    Just for completeness a few useful Pi-hole commands:

    • pihole -h: Help that shows a list of all available commands
    • pihole -up: Initiates an update of the Pi-hole software
    • pihole -r: Relaunch of the configurator e.g. to conduct changes to the DNS
    • pihole -g: Initiates an update of the blocklists
    Pi-hole automatically updates the ad sources once a week on Sunday at a random time in the early morning. If required this "cron-job" can be changed via

    Code:
    sudo nano /etc/cron.d/pihole
    respectively
    Code:
    sudoedit /etc/cron.d/pihole
    Since Pi-hole version 3.x, it's no longer required to add/delete/amend blocklists via a terminal but can easily be accomplished via the Admin-web-interface.


    Now some initial changes to the pi-hole settings via the Admin GUI:

    • Settings → DNS → DNSSEC: Enabled.
    • Settings → Blocklists: Set to your own desire; I've got all default lists enabled. Personally I added the Non-crossed-list to the blocklists. Just copy and paste all lists into the text field, followed by a click onto "Save and Update".
    In the dashboard, about 1M blocked domains should be indicated.


    Final remark: Personally, I recognise the Pi-hole as my first line of defense, and I continue to use addons in my browser like uBlock Origin to defeat the rest.
    4
    PiVPN

    Updated on 2019-03-18
    *******************

    The project PiVPN owns a webpage and additionally a Github-page, where its source code can be examined. Basically, PiVPN is nothing else than a collection of shell scripts that facilitates installation and configuration of OpenVPN extremely.

    I guess it's obvious that VPN only makes sense if the Android device is always able to reach the end of the tunnel and to connect to the Raspberry Pi. You are certainly aware that a lot of or most Internet Service Providers (ISPs) assign dynamic IPs to an Internet account - at least mine does i.e. my ISP regularly or occasionally changes the IP-address of my account. In turn, this means we need to ensure that the Android device "finds" the Raspberry Pi independent of its IP address. Two simple steps are required to achieve this and ought to be conducted prior to the installation of PiVPN on the Raspberry Pi:

    1. Assign a static IP to the Raspberry Pi on the router as described in post #2.
    2. Find and use a DynDNS-provider who converts the dynamic, public IP-address assigned by the ISP into a permanent domain name as described in post #7.
    Remark: Ideally, use of the subnets 192.168.0.x/24 or 192.168.1.x/24 should be avoided as they are very commonly in use, and routing conflicts might arise if trying to connect from the outside. In this context, please acknowledge a note taken from the OpenVPN-log:
    NOTE: Your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
    After I managed these prerequisites, I commenced installation of PiVPN that is as easily conducted by a single command line as it had been for the Pi-hole (the respective attention note I made in post #3 also applies here):

    Code:
    curl -L https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash
    At first, the script updates the APT-package sources followed by the upgrade of the packages and subsequently installs OpenVPN.
    During the installation I was able to customise my configuration. Attached are a few screenshots that I explain in sequence below:

    1. As already stated the IP-address of PiVPN respectively the Raspberry Pi ought to be static on the router. The gateway address is usually the internal IP address of the router.
    2. Usually, I'm not one for automated updates or upgrades as I rather maintain control and prefer to be able to immediately intervene in case of issues. However, I decided to make an exception for PiVPN as in this case activation of validation and installation of security updates seems to be very reasonable especially if the solution is meant to be as "fire (i.e. install) and forget"; i.e. install once and gotta rarely care. Don't interpret rarely as never; the automated security updates merely lighten my workload.
    3. As protocol I chose UDP and left the standard port 1194 unchanged. At this point, I don't intend to start a discussion about the pro's or con's of OpenVPN via UDP or TCP, just briefly: UDP is faster and TCP more reliable. Please allow me to quote the OpenVPN mainpage:
      OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks.
    4. Since OpenVPN v2.4, authentication and key exchange are possible via elliptic curves. PiVPN optionally generates either a 256-, 384-, or 521-bit-ECDSA-key pair, containing the public and private keys. 256-bit is the default setting, which is ok as it matches a 3072-bit.
      The key generation on a Raspberry Pi 3 only takes a few seconds.
      The struck-out lines are only valid for clients that don't support OpenVPN v2.4+:
      For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys.
      Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.
    5. Due to the already a few times mentioned "issue" with the dynamic public IP-address issued by the ISP, I ticked "Use a public DNS".
    6. In this window I entered my domain name as mentioned in post #7 regarding dynamic DNS.
    7. I selected custom to use the DNS servers of my choice.
    8. Here, I entered "my" DNS servers as already explained in post #2.
    This completed installation and configuration of PiVPN. Now, I had to create profiles that in turn need to be "installed" on my clients. Personally, I decided to use a distinct profile for each client. To create a profile for an Android device the following command lines apply:

    Code:
    pivpn add
    Code:
    Enter a Name for the Client: MyClientName
    
    Enter the password for the client: MyPassword
    Subsequently the profile was generated with all necessary information (certificate, encryption details, etc.) and saved at /home/pi/ovpns.

    I downloaded and installed FileZilla on my Windows notebook, connected via FileZilla to the Raspberry Pi and copied the file "MyClientName.ovpn" at /home/pi/ovpns onto my notebook. I transferred this file to my Android device and imported it into OpenVPN for Android; please refer to post #6 for more information in this respect.

    That was it - now I was nearly able to connect my Android via my own private VPN with PiVPN respectively our Raspberry Pi; the only missing step was to open the router's/Fritz!Box's UDP port 1194 for the Raspberry Pi / PiVPN to allow data to pass from the outside.

    The procedure is pretty simple and straight forward for a Fritz!Box (please refer to the last three screenshots). Open the admin web-interface of the Fritz!Box and select "Internet => Permissions => Port permissions => New port permission" (Remark: The English web-interface might probably read different than my translation but I'm convinced it's self-explaining). The IP must be the fixed IP assigned to the Raspberry Pi, I chose to name this permission "OpenVPN", selected UDP as the protocol and port "1194". And I didn't forget to tick the "Activate permission".

    Last but not least, the following command line allowed me to check if my i9305 successfully connected to my PiVPN:
    Code:
    pivpn list
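
The safer install that the Pi-hole notice quoted in the posts above recommends, and which the PiVPN post says applies to its installer as well, shown as an added example that is not part of the original posts: download the script to a file, read it, and run only the copy that was read. The function names, the `.reviewed` marker file and the `basic-install.sh` file name are assumptions; the stand-in script in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts): review-then-run gate for the
# installers used in this thread. Function names and the ".reviewed" marker
# file are hypothetical.

# Download to a file instead of piping into bash; -f makes HTTP errors fail.
fetch_installer() {
    curl -fsSL "$1" -o "$2"
}

# SHA-256 of a file (sha256sum where available, shasum as a fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Call this only after reading the script: it pins the exact bytes that were read.
mark_reviewed() {
    file_sha256 "$1" > "$1.reviewed"
}

# Run the script only if it is byte-identical to what was reviewed.
# Returns 2 if never reviewed, 3 if changed since review.
run_if_reviewed() {
    script=$1; shift
    if [ ! -f "$script.reviewed" ]; then
        echo "refusing: $script has not been marked as reviewed" >&2
        return 2
    fi
    if [ "$(file_sha256 "$script")" != "$(cat "$script.reviewed")" ]; then
        echo "refusing: $script changed since it was reviewed" >&2
        return 3
    fi
    bash "$script" "$@"
}

# On the Pi (URL from the post; the local file name is an assumption):
#   fetch_installer https://install.pi-hole.net basic-install.sh
#   less basic-install.sh
#   mark_reviewed basic-install.sh
#   run_if_reviewed basic-install.sh

# Offline demo with a constructed stand-in script (not a real installer).
# Echoes: <status unreviewed> <status reviewed> <status tampered> <script output>
demo_review_gate() {
    tmp=$(mktemp -d)
    printf '%s\n' 'echo "installer ran"' > "$tmp/install.sh"
    run_if_reviewed "$tmp/install.sh" 2>/dev/null && unreviewed=0 || unreviewed=$?
    mark_reviewed "$tmp/install.sh"
    output=$(run_if_reviewed "$tmp/install.sh") && reviewed=0 || reviewed=$?
    printf '%s\n' 'echo "tampered"' >> "$tmp/install.sh"
    run_if_reviewed "$tmp/install.sh" 2>/dev/null && tampered=0 || tampered=$?
    rm -rf "$tmp"
    echo "$unreviewed $reviewed $tampered $output"
}
demo_review_gate
```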