Install PiHole and OpenVPN on DigitalOcean Ubuntu 18.04

This tutorial walks you through setting up both Pi-Hole and OpenVPN on an Ubuntu 18.04 server hosted on DigitalOcean, so that Pi-Hole answers DNS only for clients inside the VPN tunnel, and then connecting your smartphone to it.

Set up a new machine (the small $5/month box with 1GB RAM is more than enough) with a blank Ubuntu 18.04 installation. Work through DigitalOcean's initial server setup tutorial, and either install your SSH keys (strongly recommended, since the firewall rules later in this tutorial leave port 22 reachable from the whole internet) or fall back to password authentication over SSH.

Don't set up a firewall yet; we'll do that at the end, once OpenVPN and Pi-Hole are in place.

Install OpenVPN

cd ~

wget https://git.io/vpn -O openvpn-install.sh

chmod 755 openvpn-install.sh

sudo ./openvpn-install.sh

A small interactive script starts. Accept all the defaults, and give the first client certificate a name. The default is "client", which I suggest you change to "pihole". Because the script runs as root and was fetched through a URL shortener, read through openvpn-install.sh before running it.

Check IP Addresses for PiHole Setup

Run the command below and note the inet address on tun0 (it should be 10.8.0.1). This is the address Pi-Hole will listen on, and the DNS server you will later push to VPN clients.

ip addr show tun0
1: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever

Do the same with the next command. The address after "via" is the server's default gateway, which Pi-Hole's installer will also ask for.

ip route show | grep default
default via 198.51.100.1 dev eth0 onlink

Install PiHole

curl -sSL https://install.pi-hole.net | bash

Go through the installation script. Select tun0 (NOT eth0) as the interface when prompted: this binds Pi-Hole's resolver to the VPN interface, so it answers clients inside the tunnel rather than acting as an open resolver on the server's public address. tun0 only appears in the list if OpenVPN is already running, so finish the previous section first. Use the default settings when not sure, and stop when you get to the "Static IP Address" screen, which asks you for your IP address and gateway.

Do not accept the default settings here; instead enter the IP addresses you identified above, appending "/24" to the first one. For example, in this tutorial, I would enter:

Desired IP Address: 10.8.0.1/24

Default Gateway: 198.51.100.1

Accept the other default settings and continue.

Testing PiHole

Test the Pi-Hole installation with the two commands below, run on the DigitalOcean server itself (not your local machine), so that they query the resolver directly on its tun0 address:

host google.com 10.8.0.1

host pagead2.googlesyndication.com 10.8.0.1

The first should return a real address, something like "google.com has address 216.58.194.174" (the exact address varies). The second, an ad-serving domain on the default blocklists, should answer "pagead2.googlesyndication.com has address 10.8.0.1" (or 0.0.0.0, depending on Pi-Hole's blocking mode). If so, Pi-Hole is resolving and blocking correctly.

Configure OpenVPN to use PiHole

sudo nano /etc/openvpn/server.conf

Find any lines in this file that look like the one below and comment them out by putting a semicolon at the start of the line (OpenVPN treats both ";" and "#" as comment markers). These are the resolvers the install script chose to push to clients; if any of them stays active, clients are handed a second DNS server and may bypass Pi-Hole entirely:

push "dhcp-option DNS 1.2.3.4"

Then add this line, so that the only DNS server pushed to clients is Pi-Hole on the tunnel address:

push "dhcp-option DNS 10.8.0.1"

Then restart the server so it reads the new configuration:

sudo systemctl restart openvpn@server

And check that it started correctly, with a status of active (running):

sudo systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; indirect; vendor preset: enabled)
Active: active (running) since Wed 2019-03-06 09:28:55 UTC; 1h 11min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 11398 (openvpn)
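The tutorial makes the server.conf change above by hand in nano. As an added example (not part of the original tutorial or of the OpenVPN install script), the shell script below performs the same edit idempotently and then prints which DNS servers are still actively pushed, so you can confirm that only the Pi-Hole address remains. It assumes you pass it the path to server.conf and the Pi-Hole tunnel address; the config fragment it edits in the demo is constructed for illustration, not taken from a real server. After running it against /etc/openvpn/server.conf as root, restart the service exactly as shown above.

```shell
#!/bin/sh
# Added example: make Pi-Hole the only DNS server OpenVPN pushes to clients.
# Not the tutorial's own script. Assumes the server.conf path is passed in.
set -eu

# Comment out every active 'push "dhcp-option DNS ..."' line with a ';'
# (OpenVPN treats ';' and '#' as comment markers) and append a single push
# for the Pi-Hole address. Running it twice leaves exactly one active line.
set_pushed_dns() {
    conf="$1"
    dns="$2"
    tmp="$(mktemp)"
    sed -E 's/^([[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]+[^"]*")/;\1/' "$conf" > "$tmp"
    printf 'push "dhcp-option DNS %s"\n' "$dns" >> "$tmp"
    cat "$tmp" > "$conf"   # rewrite in place so owner and mode are preserved
    rm -f "$tmp"
}

# Print the DNS servers still actively pushed, one per line. After
# set_pushed_dns the expected output is exactly the Pi-Hole address.
active_pushed_dns() {
    grep -E '^[[:space:]]*push[[:space:]]+"dhcp-option[[:space:]]+DNS[[:space:]]' "$1" \
        | sed -E 's/.*DNS[[:space:]]+([^"]*)".*/\1/' || true
}

# Demo on a constructed server.conf fragment (not a real server's file):
# two active DNS pushes from the installer and one already commented out.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
;push "dhcp-option DNS 9.9.9.9"
EOF

set_pushed_dns "$demo_conf" 10.8.0.1
echo "DNS servers now pushed to clients:"
active_pushed_dns "$demo_conf"
```

On a real server, run it as root with the path /etc/openvpn/server.conf and 10.8.0.1 as arguments to the two functions, then restart openvpn@server. The check matters because a leftover active push of another resolver lets clients query it directly and skip Pi-Hole.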

Create a Client Config (.ovpn) File

sudo ./openvpn-install.sh

Run the installation script again. It detects that OpenVPN is already installed and asks what you want to do; choose the option to add a new client and make up a name for the new device (something like "jamesphone" should be fine). The script writes a <name>.ovpn file into your home directory with the client's certificate and private key embedded.

Change Firewall Settings

Now lock the box down. The rules below accept anything arriving over the VPN tunnel (so DNS on port 53 and the Pi-Hole admin interface on port 80 are reachable only from VPN clients, never from the public address), accept SSH and OpenVPN from anywhere, keep established connections alive, and drop everything else. Run them in this order: the DROP policy must come last, after the port 22 rule is in place, or you will lock yourself out of your own SSH session. Note that the first rule already accepts all traffic on tun0, so the three per-port tun0 rules that follow are redundant but harmless.

sudo iptables -I INPUT -i tun0 -j ACCEPT

sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT

sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT

sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT

sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT

sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT

sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -I INPUT -i lo -j ACCEPT

sudo iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable

sudo iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset

sudo iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable

sudo iptables -P INPUT DROP

Check the result with sudo iptables -L INPUT -n -v --line-numbers. These rules live only in the running kernel and are lost at reboot; to keep them, install iptables-persistent (sudo apt install iptables-persistent), which saves the current rules to /etc/iptables/rules.v4 and reloads them at boot.
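The point of this ruleset is that the Pi-Hole resolver and its admin page are never exposed on the public address. The audit script below is an added example, not part of the tutorial: it reads a saved ruleset (the output of sudo iptables-save) and checks that the INPUT policy is DROP, that every ACCEPT for port 53 or 80 is restricted to packets arriving on tun0, and that no rule accepts all traffic unconditionally. The sample rulesets it runs against are constructed to mirror the commands above as iptables-save prints them (rules inserted with -I end up at the top, --destination-port is shown as --dport), not captured from a real server; the optional extra-rule argument exists only to build deliberately weak variants for testing.

```shell
#!/bin/sh
# Added example: audit saved iptables rules for the properties this section
# relies on. Not the tutorial's own script.
set -eu

# audit_input_chain <file containing iptables-save output>
# Returns 0 when: the INPUT policy is DROP, every ACCEPT for dport 53 or 80
# carries '-i tun0', and no rule accepts all traffic unconditionally.
# Otherwise prints each finding and returns 1.
audit_input_chain() {
    rules="$1"
    bad=0
    if ! grep -Eq '^:INPUT DROP' "$rules"; then
        echo "FINDING: INPUT policy is not DROP (unmatched packets would be accepted)"
        bad=1
    fi
    # An ACCEPT for DNS (53) or the Pi-Hole web UI (80) without '-i tun0'
    # exposes an open resolver or the admin page on the public address.
    exposed="$(grep -E '^-A INPUT .*--dport (53|80)([[:space:]]|$).*-j ACCEPT' "$rules" \
               | grep -v -e '-i tun0' || true)"
    if [ -n "$exposed" ]; then
        printf 'FINDING: port 53/80 accepted from outside the VPN:\n%s\n' "$exposed"
        bad=1
    fi
    if grep -Eq '^-A INPUT -j ACCEPT$' "$rules"; then
        echo "FINDING: unconditional ACCEPT rule in INPUT"
        bad=1
    fi
    return "$bad"
}

# write_sample_rules <out> [extra INPUT rule]
# Constructed iptables-save output equivalent to the commands in this section,
# in the order the kernel ends up with (-I rules at the top, -A rules at the
# end). The optional extra rule is added to INPUT to build weak variants.
write_sample_rules() {
    out="$1"
    extra="${2:-}"
    {
        cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
EOF
        if [ -n "$extra" ]; then
            printf '%s\n' "$extra"
        fi
        echo COMMIT
    } > "$out"
}

# Audit the file named on the command line (e.g. saved with
# 'sudo iptables-save > /tmp/rules'), or the constructed sample if none given.
target="${1:-}"
if [ -z "$target" ]; then
    target="$(mktemp)"
    write_sample_rules "$target"
fi
if audit_input_chain "$target"; then
    echo "OK: DNS and the admin page are reachable only over tun0; default policy is DROP"
fi
```

To check a live server, run sudo iptables-save > /tmp/rules and pass /tmp/rules as the script's argument. A single stray ACCEPT for port 53 without -i tun0 turns the box into an open resolver, which is exactly the kind of mistake the audit is meant to catch before it is saved as the boot-time ruleset.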

Connect to VPN Using Your Phone

Move the .ovpn file to your phone using an SFTP program. The file contains the client's private key, so treat it as a credential: transfer it over an encrypted channel like SFTP rather than email or chat. Then install an OpenVPN app and import the profile. Once connected, all of the phone's DNS queries go through Pi-Hole on 10.8.0.1, and you can reach the admin interface over the VPN at http://10.8.0.1/admin.