Raspberry Pi 3 with Pi-Hole & OpenVPN & DNSCrypt

Fig 1. My Raspberry Pi - during initial setup.

I decided to use Pi-Hole as an ad-blocker because advertisements are blocked before they get downloaded to your computer or other devices. So I no longer need an ad-block extension in the browser, which ends up running faster and using fewer system resources. Most importantly, it works with all devices on the network, provided the router is configured to use your Raspberry Pi as the DNS nameserver or each device is configured individually.

With OpenVPN the internet traffic is encrypted, which is very important when using public Wi-Fi, where evil people can spy on your internet behavior and even snatch some of the private data being sent. Another reason is that, if configured correctly, you can benefit from Pi-Hole ad-blocking without needing to open a public port on your router or modem to your (Pi-Hole) DNS server.

When combined with DNSCrypt it prevents DNS spoofing: cryptographic signatures are used to verify that a DNS response originates from the configured DNS resolver and hasn't been tampered with, which prevents MITM (Man-in-the-Middle) attacks.

And this is how I installed and configured it.

Fresh system install & Prep

  • Download latest Raspbian Lite and install it onto your microSD card. I use SD Card Formatter v4.0 to format the microSD card and Etcher to install Raspbian onto it.
  • Optimize Raspberry Pi. sudo raspi-config
    • Select 2 Change User Password to change the default password.
    • Select 3 Boot Options -> B1 Desktop / CLI -> B2 Console Autologin
    • Select 5 Interfacing Options -> P2 SSH -> Yes
    • Select 7 Advanced Options -> A3 Memory Split -> Enter 16
  • Update Raspbian.
    sudo apt update && sudo apt -y upgrade

Install OpenVPN

  • Install OpenVPN server and follow the instructions.
    wget https://git.io/vpn -O openvpn-install.sh
    chmod 755 openvpn-install.sh
    sudo ./openvpn-install.sh

Modify OpenVPN installation setup

First find out the tun0 interface IP address.

ifconfig tun0 | grep 'inet'

In my case it is 10.8.0.1.

  • Edit OpenVPN server config.
    sudo nano /etc/openvpn/server.conf
  • Add the tun0 interface IP address, PiHole will be using it.
    push "dhcp-option DNS 10.8.0.1"
  • Comment out all other push "dhcp-option DNS ..." references by adding a # in front of them.
  • I set the port to a different value for security reasons.
  • Restart OpenVPN server.
    sudo systemctl restart openvpn

Install Pi-Hole

Install Pi-Hole using their installer script. Choose tun0 as the networking interface when asked.

  • sudo curl -sSL https://install.pi-hole.net | bash

Install and setup DNSCrypt

Mostly sourced from https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0

  • Install location shall be /opt. This is where we will place the dnscrypt-proxy files.
    cd /opt
  • Download DNSCrypt. Latest release can be found at https://github.com/jedisct1/dnscrypt-proxy/releases.
    sudo wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.16/dnscrypt-proxy-linux_arm-2.0.16.tar.gz
  • Extract prebuilt binary.
    sudo tar -xf dnscrypt-proxy-linux_arm-2.0.16.tar.gz
  • Rename the extracted folder.
    sudo mv linux-arm dnscrypt-proxy
  • cd into extracted directory.
    cd dnscrypt-proxy
  • Create a configuration file based on the example one.
    sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
  • Edit the toml file.
    sudo nano dnscrypt-proxy.toml
  • Edit the port, since 53 is already being used by Pi-Hole. This is the listen_addresses line.
  • I set listen_addresses = ['127.10.10.2:54'].
  • I set require_dnssec = true.
  • I set server_names = ['dnscrypt.nl-ns0','dnscrypt.nl-ns0-doh'].
  • I set tls_disable_session_tickets = true.
  • I set tls_cipher_suite = [52392, 49199].
  • Install dnscrypt-proxy service.
    sudo ./dnscrypt-proxy -service install
  • Start the new service.
    sudo ./dnscrypt-proxy -service start

Configure Pi-Hole

If you are using the latest Pi-Hole version with FTLDNS, then you can easily add your DNSCrypt proxy server on the settings page of the Pi-Hole admin interface, since that version accepts an IP with a custom port using "#".

Fig 2. Pi-Hole with custom IP and port.

If you are not using Pi-Hole with FTLDNS follow the next instructions.

Setup dnsmasq

  • Edit the configuration file.
    sudo nano /etc/dnsmasq.conf
  • Edit #listen-address= to: listen-address=127.0.0.1, 192.168.xxx.xxx, 10.8.0.1
    The second IP is your Raspberry Pi's local network IP and the third is the tun0 interface that OpenVPN listens on.
  • Create a new config file for DNSCrypt settings.
    sudo nano /etc/dnsmasq.d/02-dnscrypt.conf
    Add server=127.0.0.1#54
    This tells PiHole where to find your DNSCrypt server. Change the address and port so they match the listen_addresses you configured in dnscrypt-proxy.toml (dnsmasq writes the port after a #, not a colon).
  • Edit the PiHole settings.
    sudo nano /etc/dnsmasq.d/01-pihole.conf
  • Comment out all the server references, i.e. change server=... to #server=....
  • Edit the PiHole setup variables.
    sudo nano /etc/pihole/setupVars.conf
  • Comment out all the PIHOLE_DNS_x references by adding a # in front of them.
  • Restart dnsmasq.
    sudo systemctl restart dnsmasq
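A mismatch between the three configs above (the DNS address OpenVPN pushes, the server= line Pi-Hole's dnsmasq uses, and the listen_addresses dnscrypt-proxy binds) silently breaks name resolution for VPN clients. The following script is an added example, not part of the original post or of any of these projects: it parses the three files and reports whether the chain is consistent. The function names and the write_samples helper (which writes constructed sample configs with the post's values) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check that the three configs
# hand DNS queries to each other consistently.
#   VPN client -> OpenVPN:          push "dhcp-option DNS <tun0 ip>"
#   Pi-hole/dnsmasq -> upstream:    server=<ip>#<port>
#   dnscrypt-proxy listens on:      listen_addresses = ['<ip>:<port>']

# ip:port entries from the listen_addresses line of dnscrypt-proxy.toml
dnscrypt_listen() {
    grep -E '^[[:space:]]*listen_addresses' "$1" | grep -o "'[^']*'" | tr -d "'"
}

# dnsmasq puts the upstream port after '#': server=127.0.0.1#54 -> 127.0.0.1:54
dnsmasq_upstream() {
    sed -n 's/^server=\([^#]*\)#\([0-9]*\).*/\1:\2/p' "$1"
}

# DNS addresses the OpenVPN server pushes to clients (commented lines ignored)
openvpn_pushed_dns() {
    sed -n 's/^push "dhcp-option DNS \([0-9.]*\)".*/\1/p' "$1"
}

# check_chain TOML DNSMASQ_CONF OPENVPN_CONF TUN0_IP  -> 0 when consistent
check_chain() {
    match=""
    for up in $(dnsmasq_upstream "$2"); do
        dnscrypt_listen "$1" | grep -qxF "$up" && match=$up
    done
    if [ -z "$match" ]; then
        echo "dnsmasq server= does not match dnscrypt-proxy listen_addresses" >&2
        return 1
    fi
    if ! openvpn_pushed_dns "$3" | grep -qxF "$4"; then
        echo "OpenVPN does not push the tun0 address $4 as DNS server" >&2
        return 2
    fi
    echo "DNS chain consistent: VPN client -> $4 (Pi-hole) -> $match (dnscrypt-proxy)"
}

# Constructed sample configs with the post's values; $2 = dnsmasq upstream ip
write_samples() {
    printf "listen_addresses = ['127.10.10.2:54']\nrequire_dnssec = true\n" > "$1/dnscrypt-proxy.toml"
    printf 'server=%s#54\n' "$2" > "$1/02-dnscrypt.conf"
    printf 'push "dhcp-option DNS 10.8.0.1"\n#push "dhcp-option DNS 203.0.113.53"\n' > "$1/server.conf"
}

# Real-system usage (paths from the post):
# check_chain /opt/dnscrypt-proxy/dnscrypt-proxy.toml /etc/dnsmasq.d/02-dnscrypt.conf /etc/openvpn/server.conf 10.8.0.1
```

With the post's literal values (dnscrypt-proxy on 127.10.10.2:54 but server=127.0.0.1#54) the check fails at the first step; it passes once the server= address is the one dnscrypt-proxy actually listens on.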
