Optional: Only route DNS via VPN
OpenVPN is no longer recommended
We do no longer recommending the use of OpenVPN for new deployments. Although OpenVPN has served us well in the past, we believe it's time to move towards more modern and efficient solutions.
We suggest that users now turn their attention to WireGuard, a forward-thinking VPN solution that offers better performance, faster speeds, and easier implementation. WireGuard has been designed with the latest technology in mind, providing simple yet powerful tools for securing your network communications. Pi-hole's step-by-step tutorial is designed to help you understand the ins and outs of WireGuard, regardless of your technical expertise.
Optional: Only route DNS via VPN¶
With this setup, you will force connected clients to use only the DNS provided by the VPN connection, i.e. the Pi-hole. Do this only if you don't want to tunnel all traffic from the client through the VPN, but only its DNS queries.
/etc/openvpn/server/server.conf and remove (comment out) the following line:
# push "redirect-gateway def1 bypass-dhcp"
Using a client config file¶
This works pretty much out of the box with common
client.ovpn files, like this provided one: client.ovpn
Remember to replace the locations of your keys and the address/hostname of your server.
Using the Network Manager¶
When using the Network Manager, you will have to do some additional setting on the client's side of things:
Alternative 1: Disable Network Manager's internal DNS server¶
and restart the Network Manager:
sudo restart network-manager
When connecting your DNS server will now be properly picked up and used by your client.
Alternative 2: Set DNS server address of your Pi-hole manually on the main interface¶
You can also set the address of the DNS server manually (use the device which actually connects to the internet, e.g.
After doing either alternative, you should see:
pi.hole has address W.X.Y.Z (outside address of your VPN server)
pi.hole has IPv6 address A:B:C:D:E:F (outside address of your VPN server)
The web interface of your Pi-hole will be visible at
http://pi.hole/admin/ (even with the recommended firewall configuration mentioned on another subpage)
If your new DNS server configuration has not been activated (try restarting the interface/system) you will see
Host pi.hole not found: 3(NXDOMAIN)
If you are not connected to your VPN network you will see
;; connection timed out; no servers could be reached