
RasPi: openVPN, piHole with DNSoverHTTPS and DNSoverTLS

kreisklasse edited this page Feb 8, 2019 · 6 revisions

RaspberryPI Model 3 with openVPN & piHole & DNS over TLS & DNS over HTTPS

This is my step-by-step tutorial for installing openVPN and piHole, where piHole uses unbound for DNS-over-TLS (DoT) and DNSCrypt2 for DNS-over-HTTPS (DoH), on a RaspberryPi with pre-installed Raspbian Stretch Lite.

Tutorial Sources

Tutorials for installing piHole and piVPN (openVPN) (German tutorial only)

Tutorial using DNSCrypt2 for DNS-over-HTTPS and DNSCrypt

Tutorials using UNBOUND for DNS-over-TLS:

Tutorials using STUBBY for DNS-over-TLS (not used in my tutorial):

DNS-over-TLS capable server overview:

How I did it

do it at your own risk!

Perform an update of Raspbian:
sudo apt-get update
sudo apt-get upgrade
If a kernel update was installed, reboot your Pi:
sudo reboot

Install piHole

curl -sSL https://install.pi-hole.net | bash

Note: Automatic update of piHole blocklists
Normally piHole updates its blocklists once a week, every Sunday. If you want to change this, open
sudo nano /etc/cron.d/pihole
and change the line
30 2    * * 7   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity
to, e.g.
30 2    * * 3,6   root    PATH="$PATH:/usr/local/bin/" pihole updateGravity
Now it updates the blocklists (gravity) at 2:30 in the morning every Wednesday and Saturday. Only the day-of-week field changes; keep updateGravity, since updatePihole would update the piHole software instead of the blocklists.

Install openVPN

Using piVPN according to https://www.kuketz-blog.de/pivpn-raspberry-pi-mit-openvpn-raspberry-pi-teil3/ (including point 5):
curl -L https://install.pivpn.io | bash

When everything (piHole/piVPN) is running fine, continue with installing unbound and DNSCrypt2.

Install unbound for DoT

Install unbound and dnsutils:
sudo apt-get install -y unbound dnsutils

To configure unbound:
cd /etc/unbound/unbound.conf.d
sudo rm qname-minimisation.conf
sudo nano unbound_srv.conf

unbound_srv.conf
(if you cannot use IPv6, you have to change the forwarding DNS servers to their IPv4 addresses)

server:
    do-tcp: yes
    do-udp: yes
    do-ip4: yes
    do-ip6: yes
    prefer-ip6: yes
    prefetch: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
    qname-minimisation: yes
    interface: 127.0.30.1
    access-control: 0.0.0.0/0 allow
    port: 8853
    verbosity: 1
forward-zone:
    name: "."
    forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk
    forward-addr: 2a03:b0c0:0:1010::e9a:3001@853#dot.securedns.eu
    forward-addr: 2a02:c205:3001:4558::1@853#fdns1.dismail.de
    forward-addr: 2a02:2970:1002::18@853#dns2.digitalcourage.de
    forward-addr: 46.182.19.48@853#dns2.digitalcourage.de
    forward-addr: 2620:fe::fe@853#dns.quad9.net
#   dnsovertls.sinodun.com
#   forward-addr: 2001:610:1:40ba:145:100:185:15@853
#   forward-addr: 2001:610:1:40ba:145:100:185:16@853
#   forward-addr: 2001:610:1:40ba:145:100:185:17@853
#   forward-addr: 2001:610:1:40ba:145:100:185:18@853
    forward-ssl-upstream: yes

sudo service unbound restart

Install DNSCrypt2 for DoH

Download dnscrypt-proxy. Check for the latest release at https://github.com/jedisct1/dnscrypt-proxy/releases
cd /opt

sudo wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.19/dnscrypt-proxy-linux_arm-2.0.19.tar.gz

sudo tar -xf dnscrypt-proxy-linux_arm-2.0.19.tar.gz

sudo mv linux-arm dnscrypt-proxy

cd dnscrypt-proxy

sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

sudo nano dnscrypt-proxy.toml

Edit the following lines:
listen_addresses = ['127.0.20.1:54']
require_dnssec = true
I added only DoH servers; if you like, you can also add DNSCrypt servers:
server_names = ['securedns-ipv6-doh', 'doh-blahdns-de', 'dnscrypt.nl-ns0-doh', 'doh-ibksturm']
tls_disable_session_tickets = true
tls_cipher_suite = [52392, 49199] (or keep the default)

Install the dnscrypt-proxy service:
sudo ./dnscrypt-proxy -service install

Start the new service:
sudo ./dnscrypt-proxy -service start

Setup piHole to use unbound and DNSCrypt server

Open the piHole admin page, then the DNS tab.
Enter under Custom 1 (IPv4) your DoH server:
127.0.20.1#54

and enter under Custom 2 (IPv4) your DoT server:
127.0.30.1#8853

Save, and under the System tab press Restart DNS Resolver.

Done.
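Before relying on the setup, this added check (not part of the original tutorial) queries both local listeners that piHole was just pointed at with dig and confirms that each one returns a DNSSEC-validated (AD-flagged) answer and refuses a deliberately broken zone with SERVFAIL. The addresses and ports are the ones from this page; the embedded dig output is constructed for the offline self-test, and the AD check assumes the upstream validates (which require_dnssec and the DoT forwarders are meant to ensure).

```shell
#!/bin/sh
# Added check, not part of the original tutorial: confirm that the two
# upstreams piHole was pointed at (dnscrypt-proxy DoH on 127.0.20.1#54,
# unbound DoT on 127.0.30.1#8853) answer and enforce DNSSEC validation.
# Needs dig from dnsutils, installed earlier in this guide.

# Constructed dig header/flags output, used for an offline self-test.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Returns 0 when the output is a NOERROR answer carrying the AD (authenticated
# data) flag, i.e. the resolver or its upstream validated the DNSSEC chain.
dig_validated() {
    printf '%s\n' "$1" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$1" | grep '^;; flags:' | grep -q ' ad[ ;]'
}

# Returns 0 when the output is SERVFAIL, the answer a validating resolver
# must give for a zone whose DNSSEC signatures are broken.
dig_servfail() {
    printf '%s\n' "$1" | grep -q 'status: SERVFAIL'
}

# Query one listener twice: a normally signed name must validate, and
# dnssec-failed.org (a public zone with intentionally broken signatures)
# must be refused. A non-validating path would answer it with NOERROR.
check_resolver() {   # usage: check_resolver <ip> <port>
    ip=$1; port=$2
    good=$(dig +dnssec +noall +comments @"$ip" -p "$port" example.com A)
    bad=$(dig +dnssec +noall +comments @"$ip" -p "$port" dnssec-failed.org A)
    if dig_validated "$good" && dig_servfail "$bad"; then
        echo "OK   $ip#$port resolves and enforces DNSSEC"
    else
        echo "FAIL $ip#$port (check the service, its forward-addr/server_names and require_dnssec)"
        return 1
    fi
}

# Run the live checks only when asked: RUN_CHECKS=1 sh check_upstreams.sh
if [ -n "${RUN_CHECKS:-}" ]; then
    check_resolver 127.0.20.1 54    # dnscrypt-proxy (DoH)
    check_resolver 127.0.30.1 8853  # unbound (DoT)
fi
```

If a listener answers dnssec-failed.org with NOERROR, the query path is not validating, regardless of whether the transport is encrypted.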
