Yee Chie's Blog

Raspberry Pi 4 with Pi-Hole, OpenVPN and DNSCrypt

April 07, 2017

Raspberry Pi OS

Raspberry Pi OS is the official operating system for the Raspberry Pi, ensuring optimal performance and support for your device.

For an easy installation process, use the Raspberry Pi Imager to install the OS onto your Micro-SD card.

Once the installation is complete, be sure to update the system for the latest features and security updates.

sudo apt uptdate && sudo apt -y upgrade
sudo apt install -y unattended-upgrades

Optional: Tweak Raspberry Pi OS

  • sudo raspi-config
  • 1 Change User Password
  • 3 Boot Options - B1 Desktop / CLI - B2 Console Autologin
  • 4 Localisation Options - I2 Change Timezone
  • 4 Localisation Options - I4 Change Wi-Fi Country
  • 7 Advanced Options - A1 Expand filesystem
  • 7 Advanced Options - A3 Memory Split 16
  • sudo shutdown -r now

Prep Work

Find the required IP addresses which will be needed for OpenVPN.

  • External IP: curl ifconfig.me
  • Internal IP: hostname -I

OpenVPN

VPN, or Virtual Private Network, creates an encrypted connection between a client and a VPN server. This ensures that all internet data is secure from man-in-the-middle attacks as it is routed through the encrypted tunnel.

In addition to enhanced security, a VPN also enables clients to remotely access local networks securely, making it a valuable tool for remote work and access to resources on other networks.

Install

wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh

Example Install Settings

  • Public IPv4 address / hostname []: 123.456.789.000
  • Protocol [1]: UDP
  • Port [1194]: 11948
  • DNS [1]: Current system resolvers
  • Client name [client]: my-phone

The OpenVPN file, generated by the process, can be utilized with an OpenVPN client on devices such as smartphones. It can be located inside the /root directory, in this case, /root/my-phone.ovpn. To facilitate the transfer of the file off the Raspberry Pi, it is recommended to copy it to the home directory, ~/, and use SFTP (Secure File Transfer Protocol) for the transfer.

Configure OpenVPN

To begin, use the command ifconfig tun0 | grep 'inet' to determine the IP address of the tun0 interface, which is utilized by OpenVPN. In the example given, the IP address is 10.8.0.1.

  • Edit OpenVPN server config:
    sudo nano /etc/openvpn/server/server.conf
  • Add the tun0 interface IP address, PiHole will be using it:
    push "dhcp-option DNS 10.8.0.1"
  • Comment out other dhcp-option references by adding a # in front of it:
    #push "dhcp-option DNS 192.168.1.1"
  • Restart OpenVPN server:
    sudo systemctl restart openvpn

DNSCrypt

DNSCrypt is a protocol that ensures the authenticity of communications between a DNS client and a DNS resolver. It protects against DNS spoofing by using cryptographic signatures to verify that responses are coming from the chosen DNS resolver and that they have not been tampered with. In other words, it helps to secure and validate the DNS queries to protect user’s privacy and security.

Install

DNSCrypt-Proxy can be installed into the directory /opt, which is commonly used for the installation of additional application software packages.

cd /opt
sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.5/dnscrypt-proxy-linux_arm64-2.1.5.tar.gz
sudo tar xf dnscrypt-proxy-linux_arm64-2.1.5.tar.gz
sudo rm dnscrypt-proxy-linux_arm64-2.1.5.tar.gz
sudo mv linux-arm64 dnscrypt-proxy
cd dnscrypt-proxy
sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml

Configure DNSCrypt

For DNSCrypt-proxy to work correctly alongside Pi-Hole some changes must be made to the configuration file dnscrypt-proxy.toml.

Open dnscrypt-proxy.toml by running the command sudo nano dnscrypt-proxy.toml while still in /opt/dnscrypt-proxy.

  • Change port, since 53 is already being used by Pi-Hole.
    This is the listen_addresses line.
    Change it to listen_addresses = ['127.0.0.1:54','[::1]:54']
  • Change require_dnssec = false to require_dnssec = true
  • Install the dnscrypt-proxy service.
    sudo ./dnscrypt-proxy -service install
  • Start the dnscrypt-proxy service.
    sudo ./dnscrypt-proxy -service start
  • Check the service status.
    sudo systemctl status dnscrypt-proxy

Feel free to change additional options inside the configuration file to suit your needs as I have done.

Status DNSCrypt-Proxy

Pi-Hole

During the installation process, you can select any upstream DNS server. The selected server can be modified later in the configuration file if needed.

wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh

Take note of the login password once the installation is complete.

Configure Pi-Hole

Add the DNSCrypt-Proxy server to Pi-Hole on the Pi-Hole admin page.

Pi-Hole DNS page

Configure Clients

To configure clients to use Pi-Hole as the DNS server, set the Pi-Hole IP address as the DNS server on each client device. Alternatively, configure the router so that all clients on the local network will automatically use Pi-Hole filtering and DNSCrypt security. This way, all devices connected to the network will benefit from the enhanced security and ad-blocking provided by Pi-Hole and DNSCrypt.

Written by Yee Chie Tu. “He/Him” lives in The Netherlands and has been growing and evolving ever since. Check out his Mastodon and Pixelfed profile.