How does Pi-Hole work with a VPN (PIA or Pi-VPN)

Hi there,

Newbie here, who was able to set up Pi-hole with YouTube videos as a guide. So please don’t expect high technical knowledge.

I’m trying to understand how Pi-hole works together with a VPN and how it could improve security.

My Pi-Hole is in use for about a year now, and it works pretty great. Now I wanna implement a VPN (PIA) for additional security/anonymity.

Where exactly does the VPN (PIA in this case) enter in this simplified (and hopefully correct) schema? And how can I use PIA together with Pi-hole outside my network?

PiVPN, as I understand it, lets me connect my phone from anywhere to my network and use Pi-hole. It also protects me in unsafe Wi-Fi hotspots. But I can’t change my location and my data is not anonymous, since it can be grabbed outside my home network, right?

Thanks for the help!!

———

Edit: added the schema

If you have set your DNS settings to point to your Pi-hole, it should use it. There’s a conflicting setting for DNS leak protection that must be disabled for it to work properly.

On the other hand, a VPN from your phone to your home network should be an encrypted channel of communication that routes all traffic to your network first. So, theoretically, no one should be able to snoop on your data.

PiVPN, as I understand it, lets me connect my phone from anywhere to my network and use Pi-hole.

Correct. (It can also work without Pi-hole, by the way.)

It also protects me in unsafe Wi-Fi hotspots.

Yes and no… 99% of your internet use is over HTTPS, and VPNs “for safety” are overrated by scammy marketing campaigns. The modern web is designed to be accessed from wireless networks outside your home.
In particular, no legal bank would operate unsafely.

But I can’t change my location

It’s a question of point of view. It changes your location to your home. That can be really useful to access content geolocked to your own country when you’re away.
Note that using a VPN with the purpose of looking like you’re coming from somewhere you aren’t is a rather dark grey area. Public VPNs are advertising this use, but it isn’t legal. (In France, some argue that advertising means the user is using the VPN as provided, and not responsible. Never tested in court.)

and my data is not anonymous

Correct. The goal of a VPN is to connect to a separate network, in your case your home.
Whoever told you a VPN is to be anonymous is a scammer. Either you use your own VPN, which doesn’t make you anonymous at all, or you connect to a VPN used by other people, at which point both the Wi-Fi and the website can know you’re using an IP used by VPNs, and the VPN can identify you.

since it can be grabbed outside my home network, right?

The data can’t be grabbed; it’s encrypted by the VPN (and, ideally, by the application layer too, like HTTPS).
The Wi-Fi network will see metadata, like when you connected, that you connected to your home network, etc.
Without a VPN, they could also see the domain, because it’s sent in plaintext by HTTPS under some conditions.

First: You might want to stay far away from PIA. They’ve been bought by a company called Kape Technologies that has been linked to spyware and malware.

Second: When you are using a VPN, you’re effectively disabling the PiHole because all DNS goes through the VPN tunnel. Yes, you can set it so that the DNS resolves through your PiHole, but that may lead to DNS leaks.

Third (This one I’m a little fuzzy on): You can use PiVPN to route your data and DNS requests to your home network.

I wound up setting up a free Oracle Cloud VM running another PiHole instance and a WireGuard VPN for when I’m remote and not using my main VPN (Nord in my case).

There is a potential issue with DNS leaks when using PIA but resolving through another DNS server outside of PIA. If your desire is to leverage PIA and PiHole remotely (or within your network), I would think that you may need to leverage two VPNs. Now admittedly I could be completely wrong here and off base, so corrections from the community are encouraged.

Leverage OpenVPN in your home network. OpenVPN will allow your phone to VPN into your home network remotely.

The OpenVPN server should then resolve to PiHole inside your network. Thereafter, PiHole could go through PIA. The PIA instance would be on your router (if capable) or on a separate server within the network (a VM perhaps).

Phone > OpenVPN > Pi-Hole > PIA > Internet.

This is a set of hoops though. I would just stick with PIA on the phone and a good ad-blocker, especially if you don’t really need to connect back to your home network. This is what I do on my desktop, where I am using PIA at home, so as not to risk DNS leaks.

And a final warning. I personally have not used PIA across my entire network because there are sites and services which block connections for VPNed IPs.

Those are two completely different things.

PiVPN allows you to connect to your home network and use Pi-hole as your DNS on remote devices.

A VPN like PIA lets you connect to the internet while hiding your ISP IP address, giving you a degree of anonymity.

I’ve used this with my Macs and never had an issue. I set them to ‘Send All Traffic’ and have the IP/DNS set by the server, which resolves as the Pi-hole. Never had an issue with it in the past.

Edit: this was my own VPN running on my network with the Pi-hole running on the same server.

I’ve recently been more serious about Pi-hole and making it work for all my home users. I was previously using a DNS filter on my Android and AdGuard on my desktop (which I still use to block annoyances that DNS can’t do alone). I also want mobile devices to have filtering whether they are at home or not, in the most user-friendly way. I’m currently using PiVPN (WireGuard) and it seems to be going well.

I have 2 different tunnels set up through WireGuard. We primarily use a split tunnel to filter DNS through the Pi-hole and use mobile data or Wi-Fi for other traffic. The other tunnel is a full VPN that can be used on insecure networks.
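The split-versus-full tunnel distinction above, and the DNS-leak concern raised earlier in the thread, can both be read straight off a WireGuard client config. The following Python is an added example written for this thread, not code from PiVPN, Pi-hole or any poster: it parses the `DNS=` line of `[Interface]` and the `AllowedIPs=` lines of each `[Peer]`, then reports whether the tunnel is full or split, whether the configured resolver is your Pi-hole, and whether any resolver lies outside `AllowedIPs` (those queries would leave the phone through the hotspot's network instead of the tunnel, which is the leak the thread warns about). The three configs, the Pi-hole address 192.168.1.2 and the endpoint vpn.example.home are constructed sample values, not anyone's real setup.

```python
"""Classify a WireGuard client config as split/full tunnel and flag DNS that bypasses the tunnel."""
import ipaddress
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")

# Constructed sample address of the home Pi-hole (not a real deployment value).
PIHOLE_IP = "192.168.1.2"

# Constructed sample configs; keys and endpoint are placeholders.
SPLIT_TUNNEL_CFG = """
[Interface]
PrivateKey = <redacted-private-key>
Address = 10.6.0.2/24
DNS = 192.168.1.2

[Peer]
PublicKey = <redacted-public-key>
Endpoint = vpn.example.home:51820
AllowedIPs = 10.6.0.0/24, 192.168.1.0/24   # only the VPN subnet and the home LAN
"""

FULL_TUNNEL_CFG = SPLIT_TUNNEL_CFG.replace(
    "AllowedIPs = 10.6.0.0/24, 192.168.1.0/24   # only the VPN subnet and the home LAN",
    "AllowedIPs = 0.0.0.0/0, ::/0   # everything goes through home",
)

# Split tunnel whose resolver is a public server outside AllowedIPs: DNS leaks past the tunnel.
LEAKY_CFG = SPLIT_TUNNEL_CFG.replace("DNS = 192.168.1.2", "DNS = 1.1.1.1")


def parse_wg_client(text):
    """Extract Interface.DNS addresses and every Peer.AllowedIPs network from a client config."""
    section, dns, allowed = None, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1).lower()
            continue
        key, _, value = line.partition("=")  # first '=' only; base64 keys may end in '='
        key = key.strip().lower()
        values = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key == "dns":
            for v in values:
                try:
                    dns.append(ipaddress.ip_address(v))
                except ValueError:
                    pass  # DNS= may also list search domains; they are not resolvers
        elif section == "peer" and key == "allowedips":
            allowed.extend(ipaddress.ip_network(v, strict=False) for v in values)
    return {"dns": dns, "allowed_ips": allowed}


def is_full_tunnel(allowed):
    """True when AllowedIPs cover all of IPv4 (0.0.0.0/0, or the 0.0.0.0/1 + 128.0.0.0/1 pair)."""
    v4 = [n for n in allowed if n.version == 4]
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(v4))


def analyze(text, pihole_ip=PIHOLE_IP):
    """Report tunnel type, whether the resolver is the Pi-hole, and resolvers that bypass the tunnel."""
    cfg = parse_wg_client(text)
    allowed, dns = cfg["allowed_ips"], cfg["dns"]
    routed = [d for d in dns if any(d in n for n in allowed if n.version == d.version)]
    unrouted = [d for d in dns if d not in routed]
    return {
        "tunnel": "full" if is_full_tunnel(allowed) else "split",
        "dns_configured": bool(dns),           # no DNS= line means the hotspot's resolver is kept
        "uses_pihole": ipaddress.ip_address(pihole_ip) in dns,
        "dns_via_tunnel": bool(dns) and not unrouted,
        "dns_leak": [str(d) for d in unrouted],  # resolvers reached outside the tunnel
    }


if __name__ == "__main__":
    for name, cfg in [("split", SPLIT_TUNNEL_CFG), ("full", FULL_TUNNEL_CFG), ("leaky", LEAKY_CFG)]:
        print(name, analyze(cfg))
```

The check is deliberately conservative: a resolver that is not inside `AllowedIPs` is reported as a leak even if the hotspot happens to be trustworthy, because nothing in the config forces those queries through the tunnel. A full tunnel whose `DNS=` still points at the Pi-hole is the combination the thread describes for insecure networks; a split tunnel with `DNS=` set to the Pi-hole and the LAN inside `AllowedIPs` gives filtering while the rest of the traffic uses mobile data directly.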

I use OpenVPN via my Untangle NGFW setup, and there was a setting to specify the DNS. I just pointed it at itself (Untangle is assigning DHCP and queries my Pihole VM for DNS).

Then in OVPN settings on the client side, I believe there was a setting where I had to uncheck “Allow DNS fallback” so it would always have to use the server’s DNS.

AirVPN has been rock solid for me, and my Pi-hole works very well on my home network.

I am also a noob like OP and in the same boat. I have been running Pi-hole for a while and am wondering how I can set up a VPN so that I don’t see the silly ads while on the move. Any beginner’s guide out there?

The best option would be having a VPN server listening somewhere and then a client at your home pointing to the provider you want, then route the traffic from the IP/subnet of your client to the provider’s VPN gateway. Not an easy setup for someone not so experienced with networks, but doable.

I have OpenVPN (connecting to PIA) on my Pi, and my routing rules prevent internet access unless OpenVPN is connected.

Unfortunately, Pi-hole was configuring the Pi to only resolve DNS locally, which prevented the VPN tun0 connection from establishing, because Pi-hole couldn’t access the internet!

Maybe I was just unlucky, but worth noting that the auto config doesn’t handle that scenario correctly.

Seconding Mullvad. I’ve been using them for years and they are absolutely fantastic. They also have an in-client option for ad blocking when you’re out of the house too.

Yeah. I thought about that as well some time ago. But Linus dispelled my concerns.
But since then I’ve heard of Mullvad, and also of Proton VPN.

And what DNS is the VPN asking and why can’t it use my Pi?

The DNS setting in my PIA on my PC is set to the Pi. So that works. And I can still change my location. What I don’t get is how that works.
My understanding is that a VPN generates a tunnel from my router to a VPN server in a location I choose. I can imagine how a Pi can work in this scenario. But I don’t get how it works when I am outside my home network. PIA would need to ask my PIA at home and still route my traffic to some location of my choosing.

Your third one is accurate. I have a VPN set up, and if I route my router’s DNS through my Pi, Pi-hole works.

First: You might want to stay far away from PIA. They’ve been bought by a company called Kape Technologies that has been linked to spyware and malware.

Can you elaborate on this a little further? I knew they had been bought by Kape Tech and knew of their history. When the purchase first happened, many people (including high-profile tech YouTubers) were worried that the ethics of Kape would corrupt PIA, but those fears seemed to be put to rest. However, this is the second time in about a week someone has brought it up after hearing nothing about it for many months. What has changed to make us not trust PIA again? What do you suggest as an alternative?

So your virtual Pi is set to be in another location than your home? That would somewhat anonymize your traffic, right?

I understand that. Can I combine them?