Tutorial: Pihole and PiVPN on a Raspberry Pi

Requirements

  • Raspberry Pi (Model doesn't matter)
  • SDCard running Raspberry Pi OS (formerly known as Raspbian)
  • Basic OS Setup already set (e.g. Wifi/LAN, SSH)
  • optional: Set up Dynamic DNS

What I want to achieve

I want to use my RasPi as a device blocking all the Ads, Tracking URLs, Phishing Sites and other Scam on any device connected to my Homenetwork.

Pihole is a network-wide ad-blocking service which runs as a DNS Server and uses Blocklists. If your device calls an URL in such a list Pihole will block the request. The available Blocklist don't just contain Ad-related URLs, there are also lists for malicious sites, scam, phishing, cryptomining sites and other stuff you maybe don't want to have on your devices.

And I want to have that service also when I'm not at home and not connected to my network through my wifi connection. Therefore I want to set up a VPN server as well, using the Wireguard protocoll.

PiVPN is the most simpliest way to set up a VPN server as far as i know. It uses the OpenVPN protocol as well as Wireguard. It has an installer which drives you through all the necessary options.

Installing Pihole

I connect to my RasPi per SSH and use the following command to install pihole:

curl -sSL https://install.pi-hole.net | bash

After that the script loads and the installer pops up

The installer

Hit enter, another enter, and OK.

Now I choose my connection type:

Choose your connection

My RasPi is connected through the ethernet connection, so I choose the adapter eth0. If you set up your RasPi to use the wifi adapter you probably want to choose wlan0 ;)
wg0 is the wireguard adapter, because I'm already running PiVPN on that device so ignore that one.

Now select the Upstream Provider:

Select Upstream Provider

I'm choosing Quad9 (filtered, DNSSec). You can also set up unbound on your RasPi if your dont trust any of those services but since Quad9 moved to swiss I think they are trustworthy enough and offer the best service for me.

Now choose the Blocklist:

Choose Blocklist

Since there is only one by default I just hit enter.

Now select the IP Protocols:

Select IP Protocol

If you have a Dual Stack connection, choose both. If not IPv4 is the only requirement.

Now I truely want to use a static IP:

static IP configuration

A static IP is required (if your DHCP Server doesn't offer an IP reservation pool or sth. like that). Why? Because if the IP of your RasPi changes you won't be able to use the internet no more ... all DNS requests will just fail.

Hit OK and another enter. Also install the recommended Web admin interface and its components (lighttpd and PHP).

If you want to log your queries - turn it on and choose your privacy settings for the logs. I want to show everything.

Now the installation process starts. Get yourself a coffee maybe.

After some time the installation will (hopefully) succeed and the installer will show you a summary:

installation summary

Here you can see the link for the web admin interface and the login password.

Change the pihole password

If you want to change your password, after hitting OK use the following command:

pihole -a -p

it should give you the following confirmation:

  • [x] New password set

Now try to enter your Webinterface with a browser and the given link. And login with your password.

Now you should see something like this:

PiHole Webinterface

As you might have noticed, there are zero clients and therefore zero queries logged by pihole. Let's change that!

Setting up the router / DHCP server

To do so I want to tell all of my network clients to use the RasPi's IP as a DNS Server. The best way for me to do that is to set the DHCP Server to advertise Piholes DNS on the whole network.
I'm using my Fritzbox as a Router and DHCP, so I'm logging into its interface and get to the DHCP Settings. You can also use Pihole as a DHCP Server, but i want to use different devices for different tasks.

Fritzbox

So i set the IP of my RasPi's IP as a local DNS server in the DHCP Settings of my router. Now i restart the router to make new DHCP leases for any of my network devices.

You probably could also set your router's internet connection to use the RasPi's IP as a DNS server, and leave the DHCP settings (at least my Fritzbox can do that). This will also work, but you will only see the router as a client in your Pihole's webinterface and won't be able to analyse later on from which device maybe malicious requests are made to solve these problems.

Right after the restart you should see the first queries in your pihole's webinterface:

First Queries

Congratulations, your Pihole is set up and the first Ads are being blocked for any device connected to your homenetwork.

For the more advanced pihole settings that I am using like specific Blocklists just for some Devices, I will write an own article.

Installing PiVPN

Now that my homenetwork is filtered by Pihole, I want to have that service also while I am not at home.

The solution is a VPN. The easiest and fastest way setting up a VPN is with PiVPN imho.

To install:

curl -L https://install.pivpn.io | bash

Now wait a little until the installer shows up.

Hit yourself through the first OKs until it asks your for the IP configuration:

PiVPN IP configuration

If you using DHCP reservation choose YES, I choose NO because I set up the static IP with Pihole before.

PiVPN IP configuration

If the configuration is correct, hit YES!

Now the installer needs to assign a user and in its home directory are the configuration files saved.

Choose a user

If you changed your username after the Raspberry Pi OS setup choose your current user here. I'm using just the user "pi" - here I go.

Now the installer works a little until it wants to know, which VPN protocol I want to use.

wireguard or openVPN

I want to use wireguard here, because it's not that "drainy" on my smartphone as OpenVPN is.

The installer installs the protocol and asks you for a port now. Use the default one or change it to another port. You need to specify a Port-Forward with that port to the IP of the RasPi in your router settings!

In order to use the VPN over the internet in a comfortable way you might want to set up a DynamicDNS, so your homenetwork (if it has a dynamic IP) is available through a domain.

Now the installer has detected the Pihole installation I did before - perfect!

DNS Provider

I hit YES!

Now the Serverkeys are generated. After that the installer asks how the clients connect to the VPN:

Connection How

I choose DNS with the SPACE key and ENTER. As my ISP uses dynamic IP ranges for my connection, I set up a Dynamic DNS.

I need to enter my DynDNS Domain now:

Dynamic DNS Domain

After some dialogues I answered with YES/OK the script wants you to reboot the RasPi, and I accept it.

Add a VPN Profile

Once rebooted I'm ready to set up the first wireguard profile:

pivpn -a

I enter a profile name and the following output is given:

The Profile is generated

Now the easiest way to add this profile to your smartphone is:

pivpn -qr [profilename]

Now I download the wireguard app from my prefered app-store and add the profile with the QR output ;)
Try to connect now and head over to the terminal to check:

pivpn -c

This shows a list of clients and a "last seen" entry. If this entry is filled with the current date and time I am done now!

Last Check-Up

Now I check the Pihole webinterface again to see if the VPN gets filtered too:

Yes it works!

Everything works now like it should - And I have an ad-/tracking-/phishing-domain filtered internet experience on any device in our home-network and even on the go I'm covered. Nice!

I hope you liked my first try to write sth. and it wasn't that kind of a bad experience xD

Stay tuned for more content about pihole and privacy related topic.

Comments