Skip to content

Setup OpenVPN Server

Change OpenVPN's resolvers

First, find the IP of your tun0 interface:

On Jessie

ifconfig tun0 | grep 'inet addr'
On Stretch
ip a

Edit the OpenVPN config file:

vim /etc/openvpn/server.conf

Set this line to use your Pi-hole's IP address, which you determined from the ifconfig command and comment out or remove the other line (if it exists):

push "dhcp-option DNS 10.8.0.1"
#push "dhcp-option DNS 8.8.8.8"

This push directive is setting a DHCP option, which tells client's connecting to the VPN that they should use Pi-hole as their primary DNS server.

It's suggested to have Pi-hole be the only resolver as it defines the upstream servers. Setting a non-Pi-hole resolver here may have adverse effects on ad blocking but it can provide failover connectivity in the case of Pi-hole not working if that is something you are concerned about.

Restart OpenVPN to apply the changes

Depending on your operating system, one of these commands should work to restart the service.

systemctl restart openvpn
service openvpn restart

Create a client config file (.ovpn)

Now that the server is configured, you'll want to connect some clients so you can make use of your Pi-hole wherever you are. Doing so requires the use of a certificate. You generate these and the resulting .ovpn file by running the installer and choosing 1) Add a new user for each client that will connect to the VPN.

You can repeat this process for as many clients as you need. In this example, we'll "Add a new user" by naming the .ovpn file the same as the client's hostname but you may want to adopt your own naming strategy.

Run the OpenVPN installer again

./openvpn-install.sh

Choose 1) Add a new user and enter a client name

Looks like OpenVPN is already installed

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 1

Tell me a name for the client certificate
Please, use one word only, no special characters
Client name: iphone7

This will generate a .ovpn file, which needs to be copied to your client machine (often times using the OpenVPN app). This process also generates a few other files found in /etc/openvpn/easy-rsa/pki/, which make public key authentication possible; you only need to worry about the .ovpn file, though.