So I wanted to be able to VPN to my home internet connection when I’m out and about, both a full tunnel (if I’m on unsecured wifi at coffee shops, airports etc.), and a DNS-only tunnel so I can experience ad-free browsing while I’m using 4G/5G mobile internet without being hindered by the speed of my home internet, as I only have 20mbit up.
This took quite a bit of trial and error to get working fully for me; I’m not too familiar with Linux & networking, and the suggestions I found in various forum and reddit threads were never consistent, probably due to the different setups they had.
I installed DietPi (DietPi_RPi-ARMv8-Bullseye.img if that’s relevant) and pi-hole to my raspberry pi two days ago, and then pivpn today via dietpi-software. It detected pi-hole already during installation and I also accepted the request to tunnel the DNS through pi-hole. After all that was finished, tunneling didn’t really work out of the box unless you changed the Interface listening behavior in the pi-hole web admin at Settings > DNS to Listen on all interfaces, permit all origins. I was slightly apprehensive about enabling that. Besides, DNS-only tunneling still didn’t work.
It turns out the problems I had with tunneling were because of the DNS entry in /etc/pivpn/wireguard/setupVars.conf: pivpnDNS1 was set to 10.6.0.1, and my pihole is actually at 192.168.1.2. You can type pivpn debug to check what yours is pointing to.
type:
sudo nano /etc/pivpn/wireguard/setupVars.conf
and change the pivpnDNS1 entry to your pihole IP, then ctrl-x and press Y and enter to save the file.
then type:
sudo systemctl restart wg-quick@wg0
to restart wireguard.
Don’t forget to change the DNS in your Wireguard client profile as well, the DNS servers entry is most likely still pointing to 10.6.0.1 if you created the pivpn profiles in the past.
To get DNS-only tunneling working, you only need to make this change on your wireguard client profile. Make another pivpn profile with pivpn add and name it AdBlockOnly or whatever you like, then change AllowedIPs from 0.0.0.0/0, ::0/0 to what your LAN is on followed by 10.6.0.0/24 (in my case it’s 192.168.1.0/24, 10.6.0.0/24). This guide is from https://docs.pivpn.io/wireguard/#blocking-internet-access . I’m guessing this works because it’s not allowing my mobile provider’s IP through the VPN for full tunneling, however DNS tunneling still works and I have confirmed this with www.whatismyip.com and adblock is functioning on known ad-heavy websites.
Both tunnel types should be working fine now and you won’t need to use the 3rd option (permit all origins) in your pi-hole; the first option, which pivpn automatically switched to during setup, will be fine. Hope this helped!
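The two edits described above (pivpnDNS1 checked against the Pi-hole address, and a client profile rewritten so DNS points at the Pi-hole and AllowedIPs is narrowed to the LAN plus the 10.6.0.0/24 VPN subnet), as an added shell example that is not from the post or from pivpn. The setupVars.conf and client profile contents below are constructed samples with placeholder keys; 192.168.1.2 and 192.168.1.0/24 are the addresses from the post, so substitute your own.

```shell
#!/bin/sh
# Constructed sample of a pivpn-generated WireGuard client profile (placeholder keys).
SAMPLE_PROFILE='[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY
PresharedKey = PLACEHOLDER_PSK
Endpoint = example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::0/0'

# Constructed sample of /etc/pivpn/wireguard/setupVars.conf (only the DNS lines matter here).
SAMPLE_SETUPVARS='pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnNET=10.6.0.0'

# Print the value of one key from setupVars.conf text read on stdin.
setupvars_get() {
    key="$1"
    sed -n "s/^${key}=//p"
}

# Succeed (exit 0) only if pivpnDNS1 in the setupVars.conf text on stdin equals the Pi-hole IP.
check_dns_setting() {
    pihole_ip="$1"
    current=$(setupvars_get pivpnDNS1)
    [ "$current" = "$pihole_ip" ]
}

# Rewrite a full-tunnel profile (stdin) into the DNS-only profile from the post:
# DNS points at the Pi-hole, AllowedIPs becomes "<LAN>, <VPN subnet>" instead of 0.0.0.0/0, ::0/0.
make_dns_only_profile() {
    pihole_ip="$1"; lan_cidr="$2"; vpn_cidr="$3"
    sed -e "s|^DNS = .*|DNS = ${pihole_ip}|" \
        -e "s|^AllowedIPs = .*|AllowedIPs = ${lan_cidr}, ${vpn_cidr}|"
}

# Stand-alone demo against the constructed samples: report the mismatch the post describes,
# then emit the AdBlockOnly-style profile.
PIHOLE_IP=192.168.1.2
if ! printf '%s\n' "$SAMPLE_SETUPVARS" | check_dns_setting "$PIHOLE_IP"; then
    echo "pivpnDNS1 does not point at the Pi-hole; edit /etc/pivpn/wireguard/setupVars.conf" >&2
fi
printf '%s\n' "$SAMPLE_PROFILE" | make_dns_only_profile "$PIHOLE_IP" 192.168.1.0/24 10.6.0.0/24
```

On a real box, feed the functions the actual files (for example `sudo cat /etc/pivpn/wireguard/setupVars.conf | check_dns_setting 192.168.1.2`) and write the rewritten profile to a new file rather than overwriting the full-tunnel one.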