I just want to say thanks for the tutorial. I followed a different tutorial and it resulted in a non-working pihole (I already had pihole installed and working prior to following that tutorial) and a non-working pivpn. This tutorial worked perfectly!
[GUIDE] My Pi-hole and PiVPN powered by our Raspberry Pi 3 Model B+
- Thread starter Oswald Boelcke
- Start date
-
- Tags
- dns network pi-hole raspberry pi vpn
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
Unbound
If interested, I intend to eventually also install unbound and am going to amend this thread afterwards accordingly. Please stay tuned.
I'm very glad to read that it worked for you. Please allow me to reiterate that all credits go to Mike Kuketz as I mentioned in the OP. With his permission I simply translated his tutorial and brought it to XDA to reach a wider audience.
If interested, I intend to eventually also install unbound and am going to amend this thread afterwards accordingly. Please stay tuned.
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
Thread has been slightly cleaned for hopefully better reading.
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
Discovered this very interestingly sounding project: Snips! De-centralised, open source and local.
If time permits I'm probably going to try to implement it.
All credits go (as usual) to Mike Kuketz to point me towards Snips.
If time permits I'm probably going to try to implement it.
All credits go (as usual) to Mike Kuketz to point me towards Snips.
Will you combine pihole,pivpn in docker mode managed by portainer and keep up to date with watchtower ?
Ps : i switched to your Non-crossed-list.. Thanks !
Ps : i switched to your Non-crossed-list.. Thanks !
Last edited:
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
Negative. Setup/configuration won't change; the current one completely satisfies our requirements.Will you combine pihole,pivpn in docker mode managed by portainer and keep up to date with watchtower ?
Ps : i switched to your Non-crossed-list.. Thanks !
Excellent Guide
This was an excellent guide and helped me setup Pihole and PiVPN on the same Pi running stable.
Just a few issues I came across were. On the 4rth set of code, are you sure about the file name ?
1) It says "cd /etc/dnsmasq.de" , but I was able to access the directory only when i edited the file name to "dnsmasq.d "
2)When I tried restarting the dnsmasq, it returned an error saying "sudo: /etc/init.d/dnsmasq: command not found" , but as you mentioned, the alternate way of doing this was to restart the Pi (could this be because i'm running Raspbian Buster and Test version of PiVPN ?). This worked well.
Overall really good guide and it helped me a lot. Thanks to you and Mike Kuketz.
Regards,
Aneesh
This was an excellent guide and helped me setup Pihole and PiVPN on the same Pi running stable.
Just a few issues I came across were. On the 4rth set of code, are you sure about the file name ?
1) It says "cd /etc/dnsmasq.de" , but I was able to access the directory only when i edited the file name to "dnsmasq.d "
2)When I tried restarting the dnsmasq, it returned an error saying "sudo: /etc/init.d/dnsmasq: command not found" , but as you mentioned, the alternate way of doing this was to restart the Pi (could this be because i'm running Raspbian Buster and Test version of PiVPN ?). This worked well.
Overall really good guide and it helped me a lot. Thanks to you and Mike Kuketz.
Regards,
Aneesh
Last edited:
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
Thanks very much, and I'm glad it worked for you. We're very satisfied the Pi in our network.
And you absolutely correct with both issues. Thanks very much for pointing them out to me. I'm correcting it immediately.
1. Just a typo. It has to be dnsmasq.d
2. That was the command before the folder dnsmasq.d was added.
BTW: I suggest to avoid to completely quote such long posts or to at least put them into hide brackets as it really clutters the screen. However, hide brackets are only good if on browser; for people using XDA Labs they don't work and have a relatively small screen cluttered.
Last edited:
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
Too many threads have been created on moderator's duty, so bumping this one to bring it up in my own profile stats.
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
With v4.3.2 (release notes), Pi-hole has obviously dropped support support for ad blocklists used by browser-based ad-blockers.
Refer also to https://github.com/pi-hole/pi-hole/pull/2912 and https://www.zdnet.com/article/pi-ho...blocklists-used-by-browser-based-ad-blockers/
I'm currently absolutely undecided if I "upgrade" to the new version.
Refer also to https://github.com/pi-hole/pi-hole/pull/2912 and https://www.zdnet.com/article/pi-ho...blocklists-used-by-browser-based-ad-blockers/
I'm currently absolutely undecided if I "upgrade" to the new version.
I was interested when I saw this and started researching it, but discovered that Snips has recently been bought by Sonos!
There is plenty of outage from the developer community:
https://forum.snips.ai/t/important-message-regarding-the-snips-console/4145
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
For quite a while I thought how to best bump this thread, and then I decided to simply share that the Pi with its Pi-hole and PiVPN are running perfectly as advertised and without any issues. And an interesting thread that I like to share despite me not being among the moderators who have been pinged in that thread: https://forum.xda-developers.com/galaxy-note-10-lite/help/bugs-software-t4096645
Stay safe and stay healthy!
Regards
Oswald Boelcke
Stay safe and stay healthy!
Regards
Oswald Boelcke
Time to test if adguardhome could be an alternative ?
- Apr 13, 2016
- 10,734
- 15,547
- 263
- 64
At least no requirement for me as Pihole is running as expected and advertised.
Why to change a running horse?
Top Liked Posts
-
There are no posts matching your filters.
-
13ATTENTION (update on 2018-04-09): The procedures described in this thread are only working if you own an internet account with a public IPv4 address or dual stack i.e. both, public IPv4 and public IPv6 addresses. For account with only a public IPv6 address, it won't work. Please also refer to post #16.
Although I'd already read quite a lot about commercial VPN providers, reading of this article "VPN Leaks Found on 3 Major VPNs out of … 3 that We Tested" clearly established my decision to go for my own private VPN.
Thanks to Mike Kuketz who's running an excellent German blog regarding information technology security, I was able to study these two articles (https://www.kuketz-blog.de/pi-hole-schwarzes-loch-fuer-werbung-raspberry-pi-teil1/, https://www.kuketz-blog.de/pivpn-raspberry-pi-mit-openvpn-raspberry-pi-teil3/) about Pi-hole and PiVPN on/via a Raspberry Pi and immediately decided to purchase a Raspberry Pi 3 Model B+ (including an official case and charger) from an authorised Raspberry Pi dealer. Remark for German speaking XDA users: Mike also runs a very interesting forum in conjunction with his blog.
I'd be glad if this thread raises or raised your interest in a Raspberry Pi with Pi-hole and PiVPN. We are fascinated by their capabilities and glad to be able to utilise our own private VPN. If you also decide to go for it I hope that this tutorial facilitates setup and configuration. However, always be aware and remember that different scenario exist why use of a VPN might be reasonable. To anonymously browse the web via a VPN-provider certainly doesn't belong to that. The desire for anonymity and privacy in the world wide web is a reasonable wish of many users that can unfortunately hardly be implemented or only by extremely high efforts. You do not achieve anonymity while browsing the web, only because your network traffic is tunneled via a VPN-provider. This is only a promotional promise belonging into the category of modern fairy tales of the internet. However, by use of a (private) VPN you certainly enhance your privacy due to the encryption of your data traffic in this case between the Android device and the Raspberry Pi / PiVPN.
Intent of this thread is to share my experiences and procedure during the setup of the Raspberry Pi, Pi-hole and PiVPN. As client (or you might call it the companion of PiVPN) on our Android devices, I use OpenVPN for Android by Arne Schwabe. I downloaded it from F-Droid; however, it's also available via the Google Play Store. Possibly interesting to a few Android users might be that it does not require root. The whole setup is positively working on our Android Nougat ROM but I don't have any experiences with Android Oreo.
Additionally I want to clearly emphasise that I personally used Mike's two above linked articles written in German i.e. my thread is more or less only a translation of Mike's instruction into English. Therefore, I must clearly state that all credits go to Mike Kuketz.
Generally, in this thread I don't intend to discuss the reasons that induced my decision to establish my own private VPN or to create my own Network-wide ad blocking. Already brief searches of the web are providing multiple hits in this context but it's anyway a very private decision.
Additionally, I'm only focusing on our router, an AVM Fritz!Box 7390, our Android devices (Samsung Galaxy S3 LTE - i9305, all with RR-N-v5.8.5-final, Magisk v16.0, Xposed, XPrivacyLua and GApps-free thanks to microG), and Windows 10 Pro on a notebook (just started to familarise myself with Linux Mint i.e. all work in regard to this thread was conducted under Windows). I'm convinced that all interested readers of this thread are capable to translate/transfer the basic ideas to other routers, devices or Linux, iOS etc.
Content:
- Post #2: Initial Installation of the Raspberry Pi
- Post #3: The Pi-hole
- Post #4: PiVPN
- Post #5: PiVPN in Combination with the Pi-Hole
- Post #6: OpenVPN for Android
- Post #7: Dynamic DNS
- Post #8: Customisation of the NTP-Server
- Post #9: Unbound / Recursive DNS server
Remark:
- In the attached screenshots, IP-addresses are blacked out for privacy reasons.
- Please advise if something is not clear, incorrect or incomplete.
Off topic comments are allowed as long they are generally related to the overall topic, are in the general interest of the followers of this thread and add value to the thread. Having fun is always welcomed here. The ultimate decision rests with me as the OP!5PiVPN in Combination with the Pi-Hole
Updated on 2019-06-15.
--------------------------------------------------------------------------------------------------------------------------------------------------
PiVPN in combination with the Pi-Hole
Please allow me to mention of another great advantage of having PiVPN together with Pi-hole on one and the same Raspberry Pi:
All of our mobile devices, which connect via OpenVPN with our home network, benefit from the Pi-hole i.e. no advertisement or trackers that follow us at every turn when connected to the web via mobile data or a WiFi network other than ours.
However, in order to achieve this I was require to slightly modify two configuration files on the Raspberry Pi as described below (please refer to the screenshots) - and ok, it's self-evident that I had to first install Pi-hole and PiVPN on the same Raspberry Pi before as described in this thread.
At first, I modified the OpenVPN server configuration by nano via the Raspberry Pi's console:
The file opened and I looked for those two lines showing the IP-addresses of the DNS servers of my choice and as mentioned in the posts above:Code:sudo nano /etc/openvpn/server.conf
I deleted one line and modified the other one to read:Code:push "dhcp-option DNS 85.214.20.141" push "dhcp-option DNS 213.73.91.35"
As DNS-server for all of our clients I've therefore defined the IP address of the VPN interface (tun0) (originally the local IP of the eth0 interface) of our Raspberry Pi, and hence forward all DNS-requests to the local DNS-server (dnsmasq) of the Pi-hole.Code:push "dhcp-option DNS 10.8.0.1"
With its latest release Pi-hole changed the content of dnsmasq.conf located at /etc (for details refer to DNS Resolver in the Pi-hole documentation). dnsmasq.conf now simply points to a new folder named dnsmasq.d that is also located at /etc (refer to attached screenshot 1). This folder now contains the actual configuration files and is initially only populated with one file called 01-pihole.conf, which is the configuration file of Pi-hole's dnsmasq. 01-pihole.conf is used and modified by Pi-hole itself, and no custom modification should be made to it (refer to screenshot 2). However, additional configuration files in this folder will be executed in sequence by dnsmasq / FTLDNS.
This means I created a new file called 10-general.conf with the content:
Insert line:Code:cd /etc/dnsmasq.d sudo touch 10-general.conf sudo nano /etc/dnsmasq.d/10-general.conf
This means we added a line with the VPN interface (tun0) that is listening on IP 10.8.0.1 by default.Code:interface=tun0
Finally, I simply rebooted the Raspberry Pi.4Initial Installation of the Raspberry Pi
Updated on 2019-03-17!
********************
Initial Installation of the Raspberry Pi
As already said I'd ordered a Raspberry Pi 3 Model B+ including the official housing and AC charger. Most likely the whole setup is going to work with other Raspberry Pi models but please note that Jacob Salmela, the developer of Pi-hole, recommends a system of 512 MB RAM. Brief remark, you're unable to place the Raspberry Pi in its housing with an inserted microSD card.
Talking about microSD cards, I use a 32 GB, class 10 card to host the Raspberry Pi's OS and the Pi-hole/PiVPN. I'm convinced that a 16 GB card is also suitable, even a 8 GB one might be sufficient. I personally didn't require a keyboard or screen for the Raspberry Pi as I connect to it via a Secure Shell (SSH).
I decided to use RASPBIAN, the official OS of the Raspberry Pi Foundation; however, there're other OS' available, just search the web. I'm using Raspbian Stretch Lite, which fully meets my requirements, and downloaded it here as a zip-file. Unzipped the file and inserted the microSD into my notebook. There are multiple ways described to flash the OS image to the SD but I decided to use the way via Win32DiskImager. The Win32DiskImager utility is available via its Sourceforge Project page as an installer file. I just exactly followed the instructions as provided on the last linked Raspberry Pi page.
After the image had been flashed to the SD I had to create a simple file called "ssh" in the /boot partition in order to be later on able to access the Raspberry Pi via SSH. As a Windows user, first I'd to install Ext2Fsd driver to be able to access the system partition. The microSD was now prepared and ready to use.
The Raspberry Pi was already sleeping in its housing, I inserted the microSD into the Pi, connected the Pi by a regular network cable to LAN3 of my Fritz!Box (LAN1 is used for the connection to my Genexis Hybrid Live! Titanium-54 running in bridge mode as fiber modem, the internet radio is connected to LAN4) and finally connected the Pi to power.
For the following steps, please refer to the attached screenshots (I apologise for not havin changed Windows system language to English). Next step was to access the admin panel of our Fritz!Box. Its DHCP server is enabled; however, I don't allow the DHCP server to use the complete spectrum of IP addresses ("Home network => Home network overview => Network settings => IPv4-addresses"). On "Home network => Home network overview" I selected the details of the raspberrypi. Here, I assigned an IP to raspberrypi that is outside of the DHCP IP-range and ticked the always assign the same IP. Just for completeness, even before I installed the Raspberry Pi the DNS-servers were set to 85.214.20.141 (i.e. Digital Courage) and 213.73.91.35 (i.e. Chaos Computer Club) in the Fritz!Box ("Internet => Access credentials => DNS server"). On this German page you find other uncencored and free DNS server without tracking.
Knowing the IP-address of the Raspberry Pi, I now connected to the Pi via SSH by use of PuTTY that I downloaded from here and installed it. After start of PuTTY and entering of the Pi's IP, a terminal opens.
The default user credentials are:
- User: pi
- Password: raspberry
Now, I accessed the Pi's admin terminal, and first changed the default password by:
Changed slightly the Pi's configuration:Code:passwd
Code:sudo raspi-configMy last step in the setup of the Raspberry Pi was to update the package by:Code:Advanced Options → Expand Filesystem Localisation Options → Change Timezone → Europe → Berlin Finish, Reboot
Final remark: I keep the Raspberry Pi's WiFi disabled as I don't require it.Code:sudo apt-get update sudo apt-get upgrade sudo reboot4The Pi-hole
Updated on 2019-03-18!
********************
The Pi-hole
The Pi-hole has been developed by Jacob Salmela since 2015. Pi-hole is based on dnsmasq and the webserver Lighttpd. The complete source code is available at GitHub. But what makes Pi-hole actually so special? It's a solution to block advertisement and trackers already within the network i.e. Pi-hole is theoretically able to blocks ads for all devices connected to the network. I guess this initially sounds adventurously but it proves to work in our home network.
If interested in the technical background please refer to the linked websites.
For the installation of Pi-hole on the Raspberry Pi, I connected to the Pi via SSH and opened a terminal. For a full automatic installation of Pi-hole I used the following command line:
Attention: Please acknowledge the following statement posted on the Pi-hole webpage:Code:curl -sSL https://install.pi-hole.net | bash
After completion of the installation of all packages and dependencies, the configurator opened. My personal selection is as follows:
- Select Upstream DNS Provider
- Custom: 85.214.20.141, 213.73.91.35 [Remark: DNS servers as already mentioned in post #2.]
- Select Protocols
- IPv4: Check
- IPv6: Uncheck (Remark: None of our devices uses IPv6.)
- Do you want to use your current network settings as a static address?
- IP address: xxx.xxx.xxx.xxx (Remark: The fixed IP-addess of the Raspberry Pi.)
- Gateway: xxx.xxx.xxx.1 (Remark: The IP of my router i.e. the Fritz!Box.)
- Do you want to log queries?
- On: Check
Remark: As soon as practicable I changed the initial password to my own one by following command line:
In order that ads and trackers are blocked by the Pi-hole, it's necessary to point the Pi as the DNS-server to all devices. As usually, different ways and approaches exist to do so. Below I only describe the one I used.Code:sudo pihole -a -p
Please refer to the attached screenshot that I already used in post #2, too. I circled the field where I inserted the IP-address of the Pi as the local DNS server.
Remark: With some routers it's possible to simply assign the IP-address of the Raspberry Pi as the new DNS-server. Advantage: Nothing is changing for the clients; they simply send a DNS-request to the router that forwards it to the Pi-hole in turn. However, this feature is not available for all Fritz!Boxes due to their integrated "DNS Rebind Protection".
Just for completeness a few useful Pi-hole commands:
- pihole -h: Help that shows a list of all available commands
- pihole -up: Initiates an update of the Pi-hole software
- pihole -r: Relauch of the configurator e.g. to conduct changes to the DNS
- pihole -g: Initiates an update of the blocklists
respectivelyCode:sudo nano /etc/cron.d/pihole
Since Pi-hole version 3.x, it's no longer required to add/delete/amend blocklists via a terminal but can easily be accomplished via the Admin-web-interface.Code:sudoedit /etc/cron.d/pihole
Now some initial changes to the pi-hole settings via the Admin GUI:
- Settings → DNS → DNSSEC: Enabled.
- Settings → Blocklists: Set to you're own desire; I've got all default lists enabled. Personally I added the Non-crossed-list to the blocklists. Just copy and paste all lists into the text field, followed by a click onto "Save and Update".
Final remark: Personally, I recognise the Pi-hole as my first line of defense, and I continue to use addons in my browser like uBlock Origin to defeat the rest.4PiVPN
Updated on 2019-03-18
*******************
PiVPN
The project PiVPN owns a webpage and additionally a Github-page, where it's source could can be examined. Basically, PiVPN is nothing else than a collection of shell scripts that facilitates installation and configuration of OpenVPN extremely.
I guess it's obvious that VPN only makes sense if the Android device is always able to reach the end of the tunnel and to connect to the Raspberry Pi. You are certainly aware that a lot of or most Internet Service Provider (ISP) assign dymnamic IPs to an Internet account - at least mine does i.e. my ISP regularly or occasionally changes the IP-address of my account. In turn, this means we need to ensure that the Android device "finds" the Raspberry Pi independent of its IP address. Two simple steps are required to achieve this and ought to be conducted prior to the installation of PiVPN on the Raspberry Pi:
- Assign a static IP to the Raspberry Pi on the router as described in post #2.
- Find and use a DynDNS-provider who converts the dynamic, public IP-address assigned by the ISP into a permanent domain name as described in post #7.
After I managed these prerequisites, I commenced installation of PiVPN that is as easily conducted by a single command line as it had been for the Pi-hole (the respective attention note I made in post #3 also applies here):
At first, the script updates the APT-package sources followed by the upgrade of the packages and subsequently installs OpenVPN.Code:curl -L https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash
During the installation I was able to customise my configuration. Attached are a few screenshots that I explain in sequence below:
- As already stated the IP-address of PiVPN respectively the Raspberry Pi ought to be static on the router. The gateway address is usually the internal IP address of the router.
- Usually, I'm not one for automated updates or upgrades as I rather maintain control and prefer to be able to immediately intervene in case of issues. However, I decide to make an exception for PiVPN as in this case activation of validation and installation of security updates seems to be very reasonable especially if the solution is meant to be as "fire (i.e. install) and forget"; i.e. install once and gotta rarely care. Don't interpret rarely as never; the automated security updates merely lighten my workload.
- As protocol I chose UDP and left the standard port 1194 unchanged. At this point, I don't intend to start a discussion about the pro's or con's of OpenVPN via UDP or TCP, just briefly: UDP is faster and TCP more reliable. Please allow me to quote the OpenVPN mainpage:
- Since OpenVPN v2.4, authentification and key exchange is possible via elliptic curves. PiVPN optionally generates either a 256-, 384-, or 521-bit-ECDSA-key pair, containing the public and private keys. 256-bit is the default setting, which is ok as it matches a 3072-bit.
The key generation on a Raspberry Pi 3 only takes a few seconds.
The striked-out lines are only valid for clients that doesn't support OpenVPB v2.4+:
- Due to the already a few times mentioned "issue" with the dynamic public IP-address issued by the ISP, I ticked "Use a public DNS".
- In this window I entered my domain name as mentioned in post #7 regarding dynamic DNS.
- I selected custom to use the DNS servers of my choice.
- Here, I entered "my" DNS servers as already explained in post #2.
Code:pivpn addSubsequently the profile was generated with all necessary information (certificate, encryption details, etc.) and saved at /home/pi/ovpns.Code:Enter a Name for the Client: MyClientName Enter the password for the client: MyPassword
I downloaded and installed FileZilla on my Windows notebook, connected via FileZilla to the Raspberry Pi and copied the file "MyClientName.ovpn" at /home/pi/ovpns onto my notebook. I transfered this file to my Android device and imported it into OpenVPN for Android; please refer to post #6 for more information in this respect.
That was it - now I was nearly able to connect my Android via my own private VPN with PiVPN respectively our Raspberry Pi; the only missing step was to open the router's/Fritz!Box's UDP port 1194 for the Raspberry Pi / PiVPN to allow data to pass from the outside.
The procedure is pretty simple and straight forward for a Fritz!Box (please refer to the last three screenshots). Open the admin web-interface of the Fritz!Box and select "Internet => Permissions => Port permissions => New port permission" (Remark: The English web-interface might probably read different than my translation but I'm convinced it's self-explaining). The IP must be the fixed IP assigned to the Raspberry Pi, I chose to name this permission "OpenVPN", selected UDP as the protocol and port "1194". And I didn't forget to tick the "Activate permission".
Last but not least, the following command line allowed me to check if my i9305 successfully connected to my PiVPN:
Code:pivpn list
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone