OpenVPN + Pi-hole Firewall and Resolver + Upstream Public DNS Setup on a Dedicated/Cloud Server

Cloudflared_Setup

Download link: https://developers.cloudflare.com/argo-tunnel/downloads/

For Raspberry Pi
================

- Install Pi-hole with lighttpd
- $ curl https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz | sudo tar xzC /usr/local/bin

- Test:
  $ sudo su
  $ cd /usr/local/bin
  $ cloudflared --version

- Install service at port 54
  $ sudo nano /etc/systemd/system/dnsproxy.service

[Unit]
Description=CloudFlare DNS over HTTPS Proxy
Wants=network-online.target
After=network.target network-online.target
 
[Service]
ExecStart=/usr/local/bin/cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query
Restart=on-abort
 
[Install]
WantedBy=multi-user.target

  $ sudo systemctl restart dnsproxy.service
  $ sudo systemctl enable dnsproxy.service

- Pi-hole
  Set IPv4 to 127.0.0.1#54

Pi-hole_OpenVPN_Remote_Cloud_Setup.txt

###############################################################################
Easy Setup (this tutorial is for Ubuntu 16.04 and above)
========================================================

Install Pi-hole on a remote dedicated server/cloud vps and use OpenVPN to
connect to the server.

Two types of configuration:
- Full VPN connecttion
- VPN only for DNS queries
###############################################################################



# Update packages
$ apt update && sudo apt upgrade -y

# Install OpenVPN server
$ wget https://git.io/vpn -O openvpn-install.sh
$ chmod +x openvpn-install.sh
$ ./openvpn-install.sh

# Install Network Manager
$ apt install network-manager



If you want to use Nginx server to access Pi-hole admin GUI interface
=====================================================================

$ apt install php7.2-fpm php7.2-zip php-sqlite3

# Install Pi-hole.
$ curl -sSL https://install.pi-hole.net | bash

Steps:
======
1. Select your favorite upstream server (my favorite is cloudflare.
2. Deselect all the black lists. Later we will configure this.
3. Select protocols (IPv4, IPv6 or both, based on IPs available for your
server).
When you are asked, select 'tun0' network interface (very important!).
4. Install web admin (recommended).
5. Install web server lighttpd (no).
6. Note down the password to access web admin. If it does not provide any
password, run the following command to set a new password.
$ pihole -a -p
7. Configure Nginx:

$ nano /etc/nginx/sites-available/firewall.example.com


server {
        listen 80;
        listen [::]:80;
        root /var/www/html;
        server_name firewall.example.com;
        autoindex off;
        index pihole/index.php index.php index.html index.htm;
        location / {
                expires max;
                try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
        location /*.js {
                index pihole/index.js;
        }
        location /admin {
                root /var/www/html;
                index index.php index.html index.htm;
        }
        location ~ /\.ht {
                deny all;
        }
}


$ ln -s /etc/nginx/sites-enabled/firewall.example.com /etc/nginx/sites-available/firewall.example.com
$ service nginx configtest
$ service nginx restart


If you do not want to use Nginx server
======================================
- No need to install php7.2-fpm php7.2-zip php-sqlite3 by your own.
They should be installed automatically.
- At step 5, install web server lighttpd (yes).
- Step 7 is not needed anymore.



Configure OpenVPN server for Pi-hole
====================================

# All traffic over OpenVPN
$ nano /etc/openvpn/server.conf

Omit both lines:
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS y.y.y.y"

Add a new line:
push "dhcp-option DNS 10.8.0.1"


# Use OpenVPN only for DNS queries

Caution: with this setup, you cannot download any app from Google Playstore.
This is not a problem of Pi-hole, but OpenVPN.
So, with this setup you only need to disconnect from your OpenVPN server when
you want to download any app from Google Playstore.

$ nano /etc/openvpn/server.conf

Omit the following lines:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS y.y.y.y"

Add a new line:
push "dhcp-option DNS 10.8.0.1"

# Restart OpenVPN to apply the changes
service openvpn restart

Final setup
===========
Access Pi-hole admin
https://firewall.example.com/admin

Go to Setup => Blocklists

Now add all these lists one by one:
https://github.com/piLinux/hosts-blocklist


Cronjob (recommended):
$ crontab -e

*/30 * * * * /usr/local/bin/pihole -g

Set your own time period for cronjob to download all the
latest blocked hosts from all our included blocklists.



Troubleshooting
===============
If Pi-hole FTL fails to load, restart dnsmasq from 
https://firewall.example.com/admin/settings.php



Note:
=====
I wrote a very brief tutorial for advanced linux users. If you face any
difficulty, kindly write your question below with full details.

Thank you!