Skip to content

RasPi: openVPN, piHole with DNSoverHTTPS and DNSoverTLS

kreisklasse edited this page Feb 8, 2019 · 6 revisions

RaspberryPI Model 3 with openVPN & piHole & DNS over TLS & DNS over HTTPS

This is my step-by-step tutorial for installing
openVPN, piHole which uses unbound for DNS-over-TLS (DoT) and DNSCrypt2 for DNS-over-Https (DoH)
on a RaspberryPi with pre-installed Raspbian Stretch Light.

Tutorials Sources

Tutorials for installing piHole and piVPN (openVPN) (german tutorial only)

Tutorial using DNSCrypt2 for DNS-over_Https and DNSCrypt

Tutorials using UNBOUND for DNS-over-TLS:

Tutorials using STUBBY for DNS-over-TLS (not used in my tutorial):

DNS-over-TLS capable Server overview:

How I did it

do it at your own risk!

perform update of raspbian
sudo apt-get update
sudo apt-get upgrade
when a kernel update was done, reboot your pi
sudo reboot

Install piHole

curl -sSL | bash

Note: Automatic update of piHole Blocklists  
Normally piHole updates it's blocklists once a week every sunday. If you want to change this, open  
sudo nano /etc/cron.d/pihole
and change the line
30 2    * * 7   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity
to, i.e.
30 2    * * 3,6   root    PATH="$PATH:/usr/local/bin/" pihole updatePihole
now it's updating at 2:30 in the mornig every Wednesday and Saturday

Install openVPN

using piVPN according to
including point 5
curl -L | bash

when everything (piHole/piVPN) is running fine, then continue with installing unbound and DNSCrypt2

Install unbound for DoT

install unbound and dsnutils
sudo apt-get install -y unbound dnsutils

to configure unbound
cd /etc/unbound/unbound.conf.d
sudo rm qname-minimisation.conf
sudo nano unbound_srv.conf

(if you can not use ipv6, then you have to change the dns-server to an ipv4 address)

 do-tcp: yes
 do-udp: yes
 do-ip4: yes
 do-ip6: yes
 prefer-ip6: yes
 prefetch: yes
 rrset-roundrobin: yes
 use-caps-for-id: yes
 hide-identity: yes
 hide-version: yes
 minimal-responses: yes
 qname-minimisation: yes
 access-control: allow
 port: 8853
 verbosity: 1
    name: "."
#    forward-addr: 2001:610:1:40ba:145:100:185:15@853
#    forward-addr: 2001:610:1:40ba:145:100:185:16@853
#    forward-addr: 2001:610:1:40ba:145:100:185:17@853
#    forward-addr: 2001:610:1:40ba:145:100:185:18@853
    forward-ssl-upstream: yes

sudo service unbound restart

Install DNSCrypt2 for DoH

Download DNSCrypt. Check for latest release at
cd /opt

sudo wget

sudo tar -xf dnscrypt-proxy-linux_arm-2.0.19.tar.gz

sudo mv linux-arm dnscrypt-proxy

cd dnscrypt-proxy

sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

sudo nano dnscrypt-proxy.toml

edit following lines:
listen_addresses = ['']
require_dnssec = true
i added only DoH Server, if you like you can also add DNSCrypt Server
server_names = ['securedns-ipv6-doh', 'doh-blahdns-de', '', 'doh-ibksturm']
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199] or keep it like it is

Install dnscrypt-proxy service:
sudo ./dnscrypt-proxy -service install

Start the new service
sudo ./dnscrypt-proxy -service start

Setup piHole to use unbound and DNSCrypt server

open piHole Admin page, then the DNS tab,
enter under Custom 1 (IPv4), your DoH server

and enter under Custom 2 (IPv4), your DoT server

Save, and under the System tab, press Restart DNS Resolver


You can’t perform that action at this time.