Raspberry Pi 3 + Pi-Hole + OpenVPN & DNSCrypt
My own guide to using the Pi 3 with some good programs.
Currently I'm using this Pi 3 B+ starter kit.
- The benefit is that you won't need any external software like adblockers (uBlock, AdGuard, etc.) any more, except maybe for cosmetic filter rules. Ads are blocked before they are downloaded, which speeds up your webpage loading.
- All external devices you plug into your router automatically get the adblocker lists too, which means you do not need to root your device (because efficient adblockers always require root or some kind of tunnel, which drains your battery).
- OpenVPN and DNSCrypt are included in order to encrypt your internet data traffic and DNS queries. This will also solve any DNS leaks (in this case, spoofing).
- The guide is beginner friendly with easy install instructions.
Clean system installation
Download Raspbian Lite from Raspberrypi.org and install it onto your microSD card. I use SD Card Formatter v4.0 to format the microSD card and USB Image Tool 1.74 (as an alternative you can use Etcher) to install Raspbian Lite onto it.
Optimize Raspberry Pi via
Change User Password to change the default password.
B1 Desktop / CLI -> B2
Interfacing Options -> P2
Advanced Options -> A3
Memory Split -> Enter
Update Raspbian and the Linux kernel.
sudo apt update && sudo apt -y upgrade
sudo apt install -y rpi-update
sudo rpi-update
- Reboot your Raspberry Pi via
If the Raspberry Pi is behind a router (NAT) you have to configure port forwarding. The default OpenVPN port is 1194 (UDP); I recommend using a different port, e.g. 11920. Also configure a static local IP address for the Raspberry Pi. Change the router DNS to the one given by Pi-hole.
- Install OpenVPN server using the PiVPN installer script.
wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh
- Find the IP of the tun0 interface via
ifconfig tun0 | grep 'inet addr'
- This e.g. returns
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
- Edit the file /etc/openvpn/server.conf via
sudo nano /etc/openvpn/server.conf
- Modify push "dhcp-option DNS 18.104.22.168" to push "dhcp-option DNS 10.8.0.1".
- You can comment out all other push "dhcp-option DNS ..." entries by putting # in front of them.
- (optional) Change the port if you like.
- Close and save the file with Ctrl+X, enter y, enter.
- Restart OpenVPN via
sudo systemctl restart openvpn
Your OpenVPN server.conf file must include the following lines:
push "dhcp-option DNS 127.0.0.1"
push "dhcp-option DNS 127.0.0.2"
You can get the latest version of the Pi-Hole script including installation instructions from here.
The basic command to install PI-Hole is:
sudo curl -sSL https://install.pi-hole.net | bash
The following example isn't needed anymore, but in case you have trouble, ensure dnsmasq.conf is correctly configured as shown here:
- Edit /etc/dnsmasq.conf via:
sudo nano /etc/dnsmasq.conf
listen-address=127.0.0.1, 192.168.xxx.xxx, 10.8.0.1
- Replace the second IP with your Raspberry Pi local network IP; the third IP is the tun0 interface.
- Restart DNSMasq via
sudo systemctl restart dnsmasq
Install DNSCrypt-proxy v2
- Install the necessary system DNSCrypt package
cd /opt
/opt is the directory the files get dropped into.
wget https://raw.githubusercontent.com/simonclausen/dnscrypt-autoinstall/master/dnscrypt-autoinstall -O dnscrypt-autoinstall.sh
chmod +x dnscrypt-autoinstall.sh
./dnscrypt-autoinstall.sh
After downloading the latest DNSCrypt-proxy version extract the prebuilt binary via
sudo tar -xf dnscrypt-proxy-linux_arm64-2.0.14.tar.gz
- Rename the extracted folder:
sudo mv linux-arm64 dnscrypt-proxy
- Go into the dir with cd:
- Now create the configuration file we are going to use from the bundled example:
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
The .toml file is the DNSCrypt-proxy configuration file.
- Go ahead and edit the configuration file
sudo nano dnscrypt-proxy.toml
The default port for DNS queries is 53, which is already used by the Pi-Hole default configuration, so we have to change it to another port like 54. The listen_addresses line is where the port is set.
- You can change the rest of the configuration however you like; for example, require_dnssec can be set to true, and listen_addresses must be set to a port other than 53, like
- The last two commands install the DNSCrypt-proxy service and then start the new service:
sudo ./dnscrypt-proxy -service install
sudo ./dnscrypt-proxy -service start
- Add DNSCrypt user via
sudo useradd -r -d /var/dnscrypt -m -s /usr/sbin/nologin dnscrypt
- Take a look at the official DNSCrypt public resolver list and select which resolvers you want to use. (Nearby Location, No Logging etc.)
- In this guide I will be using dnscrypt.nl-ns0 (DNSCrypt.nl The Netherlands).
- Copy the dnscrypt-proxy.socket, adding @resolver-name (from the ‘Name’ column in the list) at the end:
cp dnscrypt-proxy.socket dnscrypt-proxy@dnscrypt.nl-ns0.socket
- Edit dnscrypt-proxy@dnscrypt.nl-ns0.socket with
Modify DNSMasq configurations
- Create an additional DNSMasq configuration file:
sudo nano /etc/dnsmasq.d/02-dnscrypt.conf
If there is already a file, use the existing one via
sudo nano /etc/dnsmasq.conf
(that's the default procedure).
- Edit the listen-address line:
listen-address=127.0.0.1, 192.168.xxx.xxx, 10.8.0.1
The second IP (the one starting with 192.168.) is your own Raspberry Pi local network IP address, while the third IP is the tun0 interface OpenVPN is listening on.
- Now we need to create another file:
sudo nano /etc/dnsmasq.d/02-dnscrypt.conf
This creates the DNSCrypt-proxy configuration. Since our Pi-Hole doesn't know (yet) where the DNSCrypt-proxy is, we need to give it our server address:
server=127.0.0.1#54
Ensure port 53 is not set here; give it the port we set earlier (in this test example 54).
- Now we create and edit the Pi-Hole configuration:
sudo nano /etc/dnsmasq.d/01-pihole.conf
Comment out the pre-defined server preference.
- The last step is to change the default setup variables:
sudo nano /etc/pihole/setupVars.conf
Comment out the PIHOLE_DNS_x entries (so they read #PIHOLE_DNS_x) and restart the local dnsmasq server via
sudo systemctl restart dnsmasq
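
A consistency check for the resolver chain configured above (OpenVPN push -> dnsmasq listen-address -> dnsmasq server= upstream -> dnscrypt-proxy listen_addresses), as an added example that is not part of the original guide. The function names, the temporary sample files and the addresses 192.168.1.10 and 192.0.2.53 are assumptions made for the illustration; only IPv4 entries are handled.

```shell
#!/bin/sh
# Added example: verify that each DNS hop in this guide points at the next one.

# DNS servers OpenVPN pushes to clients (commented-out lines are ignored).
pushed_dns() {
    sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]*DNS[[:space:]]*\([0-9.]*\)".*/\1/p' "$1"
}

# Addresses dnsmasq listens on: "listen-address=a, b, c" -> one per line.
dnsmasq_listen() {
    sed -n 's/^[[:space:]]*listen-address=//p' "$1" | tr ',' '\n' | tr -d ' \t'
}

# Upstreams dnsmasq forwards to, as ip:port ("server=ip" alone means port 53).
dnsmasq_upstreams() {
    sed -n -e 's/^[[:space:]]*server=\([0-9.]*\)#\([0-9]*\).*/\1:\2/p' \
           -e 's/^[[:space:]]*server=\([0-9.]*\)[[:space:]]*$/\1:53/p' "$1"
}

# IPv4 listeners of dnscrypt-proxy: listen_addresses = ['ip:port', ...].
dnscrypt_listen() {
    sed -n 's/^[[:space:]]*listen_addresses[[:space:]]*=//p' "$1" |
        tr ',' '\n' | tr -d "[]' \"\t"
}

# usage: check_chain server.conf dnsmasq.conf dnscrypt-proxy.toml
# Returns 0 only if no hop is broken; prints every mismatch found.
check_chain() {
    rc=0
    pushed=$(pushed_dns "$1"); ups=$(dnsmasq_upstreams "$2")
    [ -n "$pushed" ] || { echo "MISMATCH: OpenVPN pushes no DNS server"; rc=1; }
    [ -n "$ups" ] || { echo "MISMATCH: dnsmasq has no active server= line"; rc=1; }
    for ip in $pushed; do
        dnsmasq_listen "$2" | grep -qxF "$ip" ||
            { echo "MISMATCH: pushed DNS $ip is not a dnsmasq listen-address"; rc=1; }
    done
    for up in $ups; do
        dnscrypt_listen "$3" | grep -qxF "$up" ||
            { echo "MISMATCH: dnsmasq upstream $up is not a dnscrypt-proxy listener"; rc=1; }
    done
    return $rc
}

# Constructed sample configs using the guide's values (10.8.0.1, port 54).
d=$(mktemp -d)
printf '%s\n' 'push "dhcp-option DNS 10.8.0.1"' '#push "dhcp-option DNS 192.0.2.53"' > "$d/server.conf"
printf '%s\n' 'listen-address=127.0.0.1, 192.168.1.10, 10.8.0.1' 'server=127.0.0.1#54' > "$d/dnsmasq.conf"
printf '%s\n' "listen_addresses = ['127.0.0.1:54']" 'require_dnssec = true' > "$d/dnscrypt-proxy.toml"
check_chain "$d/server.conf" "$d/dnsmasq.conf" "$d/dnscrypt-proxy.toml" && echo "chain OK"
```

On the Pi, concatenate /etc/dnsmasq.conf and the files in /etc/dnsmasq.d/ into one file for the second argument, since the settings in this guide are spread across them.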