[PiVPN Wireguard] DNS not working out of the box? Here's what I did

So I wanted to be able to VPN to my home internet connection when I’m out and about: both a full tunnel (if I’m on unsecured wifi at coffee shops, airports etc.) and a DNS-only tunnel so I can experience ad-free browsing while I’m using 4G/5G mobile internet without being hindered by the speed of my home internet, as I only have 20 Mbit up.

This took quite a bit of trial and error to get working fully for me. I’m not too familiar with Linux & networking, and the suggestions I found in various forum and Reddit threads were never consistent, probably due to the different setups they had.

I installed DietPi (DietPi_RPi-ARMv8-Bullseye.img, if that’s relevant) and Pi-hole on my Raspberry Pi two days ago, and then PiVPN today via dietpi-software. It already detected Pi-hole during installation, and I also accepted the request to tunnel the DNS through Pi-hole. After all that was finished, tunneling didn’t really work out of the box unless you change the Interface listening behavior in the Pi-hole web admin at Settings > DNS to Listen on all interfaces, permit all origins. I was slightly apprehensive about enabling that. Besides, DNS-only tunneling still didn’t work.

It turns out the problems I had with tunneling were because of the DNS entry in /etc/pivpn/wireguard/setupVars.conf: pivpnDNS1 was at, and my Pi-hole is actually at. You can type pivpn debug to check what yours is pointing to.

Run:
sudo nano /etc/pivpn/wireguard/setupVars.conf
and change the pivpnDNS1 entry to your Pi-hole IP, then press Ctrl-X, then Y and Enter to save the file.
Then type:
sudo systemctl restart wg-quick@wg0
to restart WireGuard.

Don’t forget to change the DNS in your WireGuard client profile as well; the DNS servers entry is most likely still pointing to if you created the PiVPN profiles in the past.

To get DNS-only tunneling working, you only need to make this change in your WireGuard client profile. Make another PiVPN profile with pivpn add and name it AdBlockOnly or whatever you like, then change AllowedIPs from, ::0/0 to what your LAN is on, followed by (in my case it’s,). This guide is from https://docs.pivpn.io/wireguard/#blocking-internet-access. I’m guessing this works because it’s not allowing my mobile provider’s IP through the VPN for full tunneling; however, DNS tunneling still works. I have confirmed this with www.whatismyip.com, and ad blocking is functioning on known ad-heavy websites.

Both tunnel types should be working fine now, and you won’t need to use the third option, permit all origins, in your Pi-hole; the first option, which PiVPN automatically switched to during setup, will be fine. Hope this helped!
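A small script that covers both steps in the post above: checking and fixing the DNS server that setupVars.conf hands to new clients, and deriving a DNS-only (split-tunnel) client profile from a full-tunnel one. This is example code added to the thread, not PiVPN’s own tooling; the file layouts are assumed from the post and the PiVPN docs it links, and every address, key and hostname in it is a constructed placeholder, so substitute your own Pi-hole IP and LAN range.

```python
"""Helpers for the two PiVPN/WireGuard fixes described in the post:
1. check/rewrite pivpnDNS1 in setupVars.conf,
2. derive a DNS-only client profile from a full-tunnel one.
Example code added to the thread; all addresses below are constructed samples.
"""
import ipaddress
import re

# Constructed sample of /etc/pivpn/wireguard/setupVars.conf (only the relevant keys).
SAMPLE_SETUPVARS = """\
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnNET=10.6.0.0
subnetClass=24
"""

# Constructed sample full-tunnel client profile in the layout 'pivpn add' produces.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""


def setupvars_dns(text):
    """Return the pivpnDNS1 value from setupVars.conf text (None if absent/empty)."""
    for line in text.splitlines():
        m = re.match(r"\s*pivpnDNS1=(.*)$", line)
        if m:
            return m.group(1).strip() or None
    return None


def fix_setupvars_dns(text, pihole_ip):
    """Rewrite pivpnDNS1 to the Pi-hole address (the nano edit from the post)."""
    ipaddress.ip_address(pihole_ip)  # fail early on a typo in the address
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"\s*pivpnDNS1=", line):
            lines[i] = f"pivpnDNS1={pihole_ip}"
            break
    else:
        lines.append(f"pivpnDNS1={pihole_ip}")
    return "\n".join(lines) + "\n"


def parse_wg(text):
    """Parse a WireGuard profile into {section: {key: value}}, keeping key order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def render_wg(sections):
    """Serialise the parsed profile back into WireGuard's INI-like layout."""
    out = []
    for name, kv in sections.items():
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in kv.items())
        out.append("")
    return "\n".join(out)


def dns_only_profile(profile_text, lan_cidr, pihole_ip):
    """Turn a full-tunnel profile into a DNS-only one.

    AllowedIPs becomes the home LAN plus, when the Pi-hole is not inside that
    LAN (e.g. it is reached on the server's wg0 address), a /32 for the Pi-hole,
    so DNS still travels through the tunnel while everything else goes out via
    the mobile carrier directly.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    dns = ipaddress.ip_address(pihole_ip)
    allowed = [str(lan)]
    if dns not in lan:
        allowed.append(f"{dns}/32")
    sections = parse_wg(profile_text)
    sections["Interface"]["DNS"] = str(dns)
    sections["Peer"]["AllowedIPs"] = ", ".join(allowed)
    return render_wg(sections)


def allowed_ips(profile_text):
    """Return the AllowedIPs list of a profile, for quick inspection."""
    return [s.strip() for s in parse_wg(profile_text)["Peer"]["AllowedIPs"].split(",")]


if __name__ == "__main__":
    print("setupVars currently hands clients DNS:", setupvars_dns(SAMPLE_SETUPVARS))
    print(fix_setupvars_dns(SAMPLE_SETUPVARS, "192.168.1.2"))
    print(dns_only_profile(SAMPLE_PROFILE, "192.168.1.0/24", "192.168.1.2"))
```

The point of the /32 rule in dns_only_profile is that the AllowedIPs list is what the client routes into the tunnel: if the Pi-hole address is not covered by it, the DNS line in the profile is still written but queries never reach the Pi-hole, which is the symptom the post describes as "DNS-only tunneling still didn’t work".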


A little bit of expected behaviour, as by default Pi-hole listens on the local network only for security. But your VPN is a different interface, wg0, and therefore you need to set Listen on all interfaces, permit all origins inside Pi-hole or run pihole -a on the command line. Having set this, you should be able to use your VPN server IP as the DNS server entry inside the client configuration.