I decided to use Pi-Hole as an ad-blocker because advertisements are blocked before they get downloaded to your computer or other devices. That means I no longer need an ad-block extension in the browser, which ends up running faster and using fewer system resources. Most importantly, it works with all devices on the network if the router is configured to use your Raspberry Pi as the DNS nameserver, or if each device is configured individually.
With OpenVPN, the internet data will be encrypted, which is very important when using public Wi-Fi, where evil people can spy on your internet behavior and even snatch some of the private data being sent. Another reason is that, if configured correctly, you can benefit from Pi-Hole ad-blocking without needing to open a public port on your router or modem to your (Pi-Hole) DNS server.
When combined with DNSCrypt, it prevents DNS spoofing. By using cryptographic signatures, it verifies that the DNS response originates from the configured DNS resolver and hasn't been tampered with, preventing MITM (Man-in-the-Middle) attacks.
And this is how I installed and configured it.
Fresh system install & Prep
- Download latest Raspbian Lite and install it onto your microSD card. I use SD Card Formatter v4.0 to format the microSD card and Etcher to install Raspbian onto it.
- Optimize Raspberry Pi.
2 Change User Password to change the default password.
3 Boot Options->
B1 Desktop / CLI->
B2 Console Autologin
5 Interfacing Options->
7 Advanced Options->
A3 Memory Split-> Enter
- Update Raspbian.
sudo apt update && sudo apt -y upgrade
Find your IP addresses
- Find your public IP running.
- Find your Raspberry Pi local IP.
- Install OpenVPN server and follow the instructions. Leave most options on default because they are automatically detected, unless you are sure you have to change them.
wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh
My parameters chosen at setup.
- IPv4 (automatically detected, if not enter the local IPv4 address)
- Public IP (enter your public IP address)
- Port (change to your desired port)
Current system resolvers
- Client name
You can use the generated OVPN file with an OpenVPN client, e.g. on your mobile phone.
Modify OpenVPN installation setup
First find out the tun0 interface IP address which is what OpenVPN uses.
In my case it is
- Edit OpenVPN server config.
sudo nano /etc/openvpn/server.conf
- Add the tun0 interface IP address; Pi-Hole will be using it.
push "dhcp-option DNS 10.8.0.1"
- Comment out all other push "dhcp-option DNS ..." references by adding a # in front of them.
- Restart OpenVPN server.
sudo systemctl restart openvpn
Install Pi-Hole using their installer script. When asked for the networking interface, choose Listen on all interfaces and not tun0, as tun0 no longer works on the most recent versions of Pi-Hole.
sudo curl -sSL https://install.pi-hole.net | bash
Install and setup DNSCrypt
Mostly sourced from https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0
- Install location shall be /opt. This is where we will place the dnscrypt-proxy files.
- Download DNSCrypt.
sudo wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.19/dnscrypt-proxy-linux_arm-2.0.19.tar.gz
- Extract prebuilt binary.
sudo tar -xf dnscrypt-proxy-linux_arm-2.0.19.tar.gz
- Rename the extracted folder.
sudo mv linux-arm dnscrypt-proxy
- cd into extracted directory.
- Create a configuration file based on the example one.
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
- Edit the toml file.
sudo nano dnscrypt-proxy.toml
- Edit the port, since 53 is already being used by Pi-Hole. This is the
- I set listen_addresses = ['127.0.0.1:54','[::1]:54'].
- I set require_dnssec = true.
- I set server_names = ['dnscrypt.nl-ns0'].
- Install dnscrypt-proxy service.
sudo ./dnscrypt-proxy -service install
- Start the new service.
sudo ./dnscrypt-proxy -service start
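A quick audit of the two files edited above, as an added example that is not part of the original guide. It checks that OpenVPN pushes only the Pi-Hole address (10.8.0.1 here) as DNS, so VPN clients are not handed a resolver that bypasses filtering, and that dnscrypt-proxy listens on loopback only, off port 53, with DNSSEC required. The function names and sample files are constructed for illustration, and treating a non-loopback listener as a failure is this example's assumption.

```shell
#!/bin/sh
# Added example: audit the two config files this guide edits.
# 10.8.0.1 and port 54 are the values used on this page.

# Print each active (uncommented) DNS server pushed to VPN clients.
pushed_dns() {
    sed -n 's/^[[:space:]]*push[[:space:]]\{1,\}"dhcp-option[[:space:]]\{1,\}DNS[[:space:]]\{1,\}\([^"[:space:]]*\).*/\1/p' "$1"
}

# Succeed only if the Pi-Hole address is the one and only pushed resolver.
check_openvpn_dns() {
    got=$(pushed_dns "$1" | sort -u)
    [ "$got" = "$2" ] && return 0
    echo "clients would receive: ${got:-no DNS option}" >&2
    return 1
}

# Print the value of an active top-level "key = value" line.
toml_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeed if dnscrypt-proxy listens on loopback only, off port 53, with DNSSEC.
check_dnscrypt() {
    case "$(toml_value "$1" require_dnssec)" in true*) ;; *) return 1 ;; esac
    addrs=$(toml_value "$1" listen_addresses | grep -o "'[^']*'" | tr -d "'")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in 127.0.0.1:*|'[::1]:'*) ;; *) return 1 ;; esac
        [ "${a##*:}" != 53 ] || return 1
    done
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
push "redirect-gateway def1 bypass-dhcp"
#push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 10.8.0.1"
EOF
cat > "$demo/dnscrypt-proxy.toml" <<'EOF'
server_names = ['dnscrypt.nl-ns0']
listen_addresses = ['127.0.0.1:54','[::1]:54']
require_dnssec = true
EOF
check_openvpn_dns "$demo/server.conf" 10.8.0.1 && echo "openvpn: only Pi-Hole DNS is pushed"
check_dnscrypt "$demo/dnscrypt-proxy.toml" && echo "dnscrypt-proxy: loopback, port 54, DNSSEC on"
rm -rf "$demo"
```

On the Pi, point the two check functions at /etc/openvpn/server.conf and at the dnscrypt-proxy.toml created under /opt.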
Add the dnscrypt-proxy server to Pi-Hole on the Pi-Hole admin page.
Configure your clients
Configure your clients to use your Pi-Hole IP address as the DNS server or enter it into your router so every client on your local network will be using Pi-Hole filtering while being DNSCrypt secured.