Before we start, here is a link to the PIVPN site http://www.pivpn.io/ also to Pi-hole: https://pi-hole.net/ and thanks to Loic74 - https://marcstan.net/blog/2017/06/25/PiVPN-and-Pi-hole/

Like most normal people I find the subject of backups and secure VPNs to be torturous and boring. I’ve covered backups elsewhere since discovering the absolute importance of being able to do them easily but only now have I discovered the fun and relevance of having my own domain blocker to stop some of the ads coming in.

Recently, after months of on and off investigation into VPNs (mostly off) I stumbled across PIVPN. For the majority out there who are turned off by the subject… this is REALLY, REALLY easy and the PI does a great job of being a VPN server while doing other jobs. It also easily handles Pi-hole and hence can do blacklisting and whitelisting for your whole network.

While out in Spain for the summer I installed PIVPN (a doddle) onto the Raspberry Pi 3 board I use to control stuff (and which is hence on 24-7). Go to the link above and you’ll see this is a no-effort-or-skill install. Oh, and your router: you need to forward one port to the Pi.

Pi-Hole on mobile

I’m talking above about the “VPN server”, i.e. software that allows secure access to your stuff from anywhere (all your stuff). I then put an OpenVPN “client” on my mobile phone. This needed a “certificate” and in the past that has always filled me with fear.

“openVPN add”

That’s it. Add a password and a certificate is generated. This is just a text file which you can copy to your mobile phone, computers etc. There really is nothing more to it than that.

Back in England, the novelty of talking to my kit in Spain on the mobile with lots of open ports soon wore off… so I put the OpenVPN “client” in my router so I could access Spain from any machine here with only one port redirection on the router. Sorted.

Last week, I did the reverse and installed PIVPN on a PI here in the UK. One more certificate and I was done. I cannot overstress how easy this was. I’ve looked at all sorts of solutions and this can’t be beaten for ease. The Pi is not wasted as it too is on 24-7 doing other stuff.

Clearly, testing this while inside the network is foolish – so I turned off the WIFI on my phone and used my mobile data package for the test. Worked a treat. I could access all my network stuff.

So now, instead of having a shedload of open ports for various control and monitoring systems remotely, I only need the one. All of this is free – a great project!
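Since the client profile PiVPN hands you is a plain text file that you then copy onto phones and laptops, it is worth checking what is actually inside it before it leaves the Pi: that the private key it embeds is password-protected (the password step above), that it carries the extra TLS key, and that it points at exactly the one host and port you forwarded. The following is an added example, not code from the post or from the PiVPN project; it assumes the inline-block layout (`<ca>`, `<cert>`, `<key>`, `<tls-auth>`) that PiVPN-generated profiles use, and the sample profile in it is constructed with placeholder PEM bodies and a placeholder host.

```python
"""Audit an OpenVPN client profile (.ovpn) before copying it to a device.

Added example, not PiVPN's own code. It assumes the profile embeds the CA,
client certificate, private key and TLS key as inline <tag> blocks. The
sample below is constructed: the PEM bodies are placeholders, not real keys.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample profile (placeholder host and placeholder key material).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
key-direction 1
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF...placeholder...
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123...placeholder...
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Matches one inline block such as <ca> ... </ca>; group 1 is the tag name.
INLINE_RE = re.compile(r"<(\w[\w-]*)>\n(.*?)\n</\1>", re.S)


def parse_profile(text: str) -> Tuple[List[List[str]], Dict[str, str]]:
    """Split a profile into option lines (tokenised) and inline blocks."""
    inline = {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}
    options = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        options.append(line.split())
    return options, inline


def audit_profile(text: str) -> dict:
    """Report the endpoint(s) the profile dials and any weak points found."""
    options, inline = parse_profile(text)
    findings = []

    # 'remote host [port] [proto]': the one forwarded port should appear here.
    remotes = [(o[1], int(o[2]) if len(o) > 2 else 1194)
               for o in options if o[0] == "remote"]
    if not remotes:
        findings.append("no 'remote' line: profile cannot reach a server")
    proto = next((o[1] for o in options if o[0] == "proto"), "udp")

    # A PEM key written with a password carries one of these markers.
    key = inline.get("key", "")
    key_encrypted = ("ENCRYPTED PRIVATE KEY" in key
                     or "Proc-Type: 4,ENCRYPTED" in key)
    if not key:
        findings.append("no inline <key> block")
    elif not key_encrypted:
        findings.append("private key is stored in the clear; "
                        "regenerate the profile with a password")

    # The extra TLS key makes the server drop packets that lack it.
    if "tls-auth" not in inline and "tls-crypt" not in inline:
        findings.append("no tls-auth/tls-crypt key: control channel unprotected")

    # Without this the client would accept any certificate the CA has signed.
    if not any(o[0] == "remote-cert-tls" for o in options):
        findings.append("missing 'remote-cert-tls server'")

    return {"remotes": remotes, "proto": proto,
            "key_encrypted": key_encrypted, "findings": findings}


if __name__ == "__main__":
    report = audit_profile(SAMPLE_OVPN)
    print("dials:", report["remotes"], report["proto"])
    print("key encrypted:", report["key_encrypted"])
    for finding in report["findings"] or ["no findings"]:
        print(" -", finding)
```

Run it against the file PiVPN produced (`audit_profile(open("client.ovpn").read())`) and the `remotes` list should contain only the single host and port you forwarded on the router; an empty `findings` list means the key is password-protected and the TLS key is present.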

PiVPN and Pi-hole

Putting that together with Pi-hole makes the investment in a Raspberry Pi3 a no-brainer – especially if that same Pi 3 is running the home control and thermostat display etc. No reason you could not do ALL of this on a Pi2 but I’m playing safe as I want it to do a LOT.

As I update this blog on my Windows 10 PC (which only today has been given the gift of a new 1TB hybrid C: drive and a new “normal” D: drive after many years of service with the original drives) – Pi-hole has reduced the incoming traffic on the web by a large margin without me noticing any missing stuff. MARVELOUS and thanks to an idea from Mr Shark I’ll soon have the stats for that on the little OLED display I ALSO have on the Pi.

This afternoon while on the road I had the VPN client running on my mobile and watched the stats as Pi-hole protected my phone. Up to now, reliability 100%.

And here is the official video for Pi-hole… https://www.youtube.com/watch?v=vKWjx1AQYgs – just remember, this stuff is free. MAGIC.



52 thoughts on “PIVPN and PI-HOLE”

  1. I'm a fan of it as well! It's nice that you can edit the "client" ovpn file if you need to (if you change a router port, IP, etc). Android and iPad OpenVPN Connect apps work great and I use Tunnelblick on OS X.

  2. Very interesting Pete, it might be worth posting the link on the node red forum as well, a LOT of people are having problems with malware due to exposing their instances insecurely to the Internet.

  3. Hi Pete, we live our lives in a similar manner, homes in 2 countries with various RasPis etc online at both ends. We use Nord VPN for iplayer etc, but I really don't want to leave any router ports open. I've been experimenting with the free version of ZeroTier, which creates an encrypted virtual layer 2/3 link across the internet. A bit more complicated to install, but it means each device can have a tunnel address on the same subnet, for me. The secure central admin page can add/delete devices as you want. Works fine between home and a mobile device, will report back on distant use in a month or so.....

  4. Definitely no ports open, I've probed our WAN address with various tests. The encrypted tunnel is originated by the local clients at each end, initially to a central Zerotier server. The firewalls see the tunnel setup as originating from the "inside", so no open ports needed. Also no need for dynamic DNS, as the clients send their WAN addresses during setup. When we changed to fibre broadband in Greece, I was surprised to find the COSMOTE fibre network is all IPv6 up to the router, with 4 in 6 tunnelling - a benefit of being a late adopter, but more hassle to set up dynamic DNS. I can't give it a full workout until our next visit, will report back.

      1. Yes agreed, but you could say the same about whichever dynamic DNS service you're using - really don't want to pay more for static WAN IPs! Testing from a friend's house in the UK seems fine, I can SSH or web browse to home devices from my laptop using their individual 10.147.1.x addresses. I'll give it a better try when I go away.

        I was speculating this morning, as it's effectively layer 2 device-to-remote-device, could I join them both to a second Zerotier network and cause an old-fashioned broadcast storm? I assume Zerotier have some equivalent of spanning-tree protocol built into the clients. (hands up if you remember the days of LAN broadcast storms)

    1. I've seen and used a few things like this in the past. Invariably they soon switch to a paid model hoping that the seamless experience will be enough to get the users to start paying. An open source system on your own hardware is going to be more reliable and cheaper in the long run.

  5. hi peter,

    check softether vpn out! it is great. I have on my NUC at home a softether server docker image and multiple pi clients with softether client on. Works likes a charm!

    oh yeah, KUTGW :p


    1. Changing the port does not add any security whatsoever, you might as well stay at default setting.
      Within 48 hours of creating DNS records the whole world will know you are running some sort of server. Bots will start scanning port range immediately and will find yours.
      Yes, by changing port you will avoid all attacks from amateurs, but it’s not who you should worry about.
      I’m kind of paranoid (I was hacked twice before) when it comes to server security and here is my solution:
      I run multiple rpi servers (openwrt as a firewall router, web server, mqtt/nodered, domoticz, vpn client to work network, nas, plex, syslog, openvpn server) each dedicated to do its own task. All of them are on 24/7 except the VPN server, which is connected through a relay, controlled by gpio in domoticz, with on/off by telegram bot.
      Any time there is a need for remote access to my lan I would send a message to Telegram, wait a minute for the VPN server to start, connect, do what has to be done, shutdown the server.
      Once cracked, a VPN server has unrestricted access to your lan, so it should be well secured, but since I don’t possess skills to customize iptables keeping it off is my way of securing it.

        1. That’s another package to install, configure and maintain. Since it’s not part of PiVpn it wouldn’t get any updates automatically and potentially might be broken if pivpn updates a service it depends on.
          Here is my logic: if someone decides to use the pivpn script it means they are not fluent in Linux to configure openvpn themselves and shouldn’t be messing with any additions.
          I prefer to run pivpn on a separate machine to minimize the risk of breaking dependencies.
          By the way, what are the use cases for home automation that require the VPN to be on 24/7?

            1. Pivpn is just a script to help you write openvpn config files and create certificates. Once installed it’s using standard repositories for updates, there are no additional packages it depends on.

                1. Thanks for the advice, but I’ll stick with openvpn.
                  Zerotier is the same old Vpn except it requires a third party to run.
                  Unless you have more than 2 sites to connect, there are no benefits of using it

              1. It's griping about BC not being found, but installing anyway. Asking me which DNS provider I'm using. The PI is using my router. The router is the only device that knows the real DNS provider... so I've put "custom" and now it wants the address so I guess I'll put my router address

          1. in the article about pi-hole on orange pi, you'll find 1 way to use it: by just changing your pc's DNS to the ip of the pi-hole server... this way you're not passing all your traffic through the pi-hole server, but just filtering out ads via dns... otherwise you can use the pi-hole server as your gateway, and all traffic will go through it...

      1. it's very useful for filtering out those banners, ads, malware, too...
        and i think it can work on those boards with just 256mb, too, so finally some use for them...

        but my deviated mind thinks to other stuff when reading "pi hole", lol

  6. Ideas guys.. I installed PIHOLE - I have nginx so didn't need a webserver. I told it my DNS is the address of my router as that is the only thing that has the actual dns provider. The admin page is up.... but I'm getting "lost connection to API" across the coloured panels and the dns service is apparently not running. Also the FTL service, whatever that is, is not running, so it says.

    1. I ran into the FTL issue as well on my first attempts on an RPI3+Stretch setup.
      Eventually I installed PiHole onto a fresh Debian9 install on a VM and it ran straight away.

          1. Hi
            just tried on a raspi 3b+ with latest raspbian stretch: flawless victory, no problems at all... i run setup and the only option i deselected was the last one, about logging queries, as searching yesterday evening i've found some suggesting this could have been the problem of what's happening to Peter's setup... other than this, i installed lighttpd as i ran all of this on the rpi i'm using for docker, so no other services at all, pretty virgin... and don't think that using another http server could cause problems, that's used only for admin interface... so, try rerunning setup deselecting that option, i think this sw is a must and seems to work fine 🙂

            1. Ah, nice one.
              Integrated it in no time in my favourite Home Automation system (Jeedom)
              And I see there are also API functions to enable/disable the service through HTTP calls

  7. Hi all,

    @Peter: Thanks for a great resource on pi's and home automation 🙂 New here but wanted to add my 2 cents, hope it's useful...

    I've been using pi3+pihole+pivpn for more than a year now. Worked flawlessly up to some time ago, more on that later. The reason for me was 2 ways. 1. I wanted my kids (and myself) to be able to use the vpn when using public wifi. 2. To access my home network (with just that one port forward).

    I installed pihole on a fresh raspbian install and after that pivpn. Then some tinkering to tell pivpn to use pihole as dns. This way the vpn traffic is also ad-filtered, specifically for point 2 above. I'm not sure if this https://discourse.pi-hole.net/t/pihole-with-openvpn-the-easy-way-use-pivpn/7912 is the source I used then but it was the 1st result on searching pi3 + pivpn + pihole and it seems familiar 🙂

    I am able to set my pihole as dns in my ISP modem/router so that solves all for my home network. Not sure if other ISP's allow that.

    Not to tell anybody what to do but I donated to both, well deserved IMO.

    Also, I tried DietPi which has pivpn and pihole as optional installs. It looks great and I have tinkered with it a lot but the promises made are not fulfilled, alas. Abandoned that...

    On YouTube https://youtu.be/gyatgrlqFtE is a description on using the pi with openvpn to route traffic through to a public VPN service. I have not tried this yet and also he does not use pivpn but openvpn install. Lots to learn though if you see the trickle of commands he gives 🙂

    Now to the current moment, it all aint workin' anymore 🙁 At some point, probably after an update, I was no longer able to connect to the pi though pihole is still working. Tried lots of stuff, no success. I am working my way up to starting afresh, but it is a daunting task as I also have a lot of other stuff running on that pi...


    1. Thanks for that info. I've not integrated the two yet but the plan is to route everything through PiHole at router level - right now it is optional while I check reliability. Just completed apt-get and npm updates and all is well. I have Voda fast broadband here in the UK and when I'm back in Spain in Spring, I want UK access without paying for a service, may as well have that extra protection as well. The PI is running the heating anyway so it may as well serve that extra function.

    2. Not sure if this is specifically what is stopping your pivpn working but I have had no luck in getting this running despite trying on 2 different pi's and with fresh installs of raspbian stretch lite. The first problem is that as pivpn is a script to automate the openvpn install it only handles issues it anticipates. There is a dig command at line 910 that tries to establish your external IP which fails on my setup due to a problem in resolving the openvpn server. The backup call to eth0.me also fails and because the problem is not picked up by the script it will announce that install has completed. If you check the log it will confirm the problem. Not sure what causes this given it seems to work for others, maybe my ISP (virgin) or my router (Netgear). I resolved this issue by changing the dig to point to Google servers rather than openvpn's and install completes but I still cannot get port forwarding to work which may be a linked problem with the install. Bottom line is if you are installing pivpn check the log and don't rely on the install successful message.

  8. There are a number of things that may be the cause, Debian (in whatever current form) and DNS services are what I'm looking into now.

    The rpi I had running on Raspbian Jessie, ran without any issues at first for a considerable time. I installed that with the install scripts and it ran in one go. Later I also did the same for a friend, on a rpi running Raspbian stretch. That also ran fine initially without any special settings or issues.

    Both instances of openvpn have stopped working, that is, any connection attempt hangs on authentication. No errors, just forever waiting.

    A while ago I upgraded Jessie to Stretch on my rpi and at first I thought that might be the cause, however the one at my friend's house already was Stretch. Then, I thought it could be because I changed DNS in the pihole settings from google to cloudflare but going back did not solve anything (restarted everything, pi & modem/router - both pis).

    Off Topic: Currently I am setting up a fresh pi booting from an ssd via usb as the sdcards tend to have flaws after a while. This setup is fine but I run into an issue as I cannot get the d***n thing to use a static IP. I know I am doing this the correct way because I have done this maybe a dozen times already and checking various resources on the internet confirms my settings. The only variable that has changed between now and what it used to do is Raspbian so for now I blame that.

    BTW- also off topic; "fresh setup" means download current Raspbian lite, etch to sdcard & ssd, startup, setup the 'boot from ssd flag', power down, remove sdcard, power up.
