This tutorial will instruct you how to setup both Pi-Hole and OpenVPN on a Ubuntu 18.04 server hosted on DigitalOcean and connect your smartphone.
Set up a new machine (the small $5/month box with 1GB RAM is more than enough) with a blank Ubuntu 18.04 installation. Continue through the initial server setup tutorial, and either install your SSH keys (strongly recommended) or otherwise just use password authentication over SSH.
Don’t setup a firewall yet, we’ll do that later.
cd ~ wget https://git.io/vpn -O openvpn-install.sh chmod 755 openvpn-install.sh sudo ./openvpn-install.sh
A small script will start. Accept all the defaults, and give the system a name. The default is “client”, which I suggest you change to “pihole”.
Check IP Addresses for PiHole Setup
Enter the below command and make a note of the output. Check the IP address below (which should be 10.8.0.1) and make a note of it for the next step.
ip addr show tun0
1: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100 link/none inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0 valid_lft forever preferred_lft forever
Do the same with the next command and its output. This will be the “default gateway IP”.
ip route show | grep default
Output from ip r | grep default default via 198.51.100.1 dev eth0 onlink
curl -sSL https://install.pi-hole.net | bash
Go through the installation script. Select tun0 (NOT eth0) as the default interface when prompted. Use the default settings when not sure, and stop when you get to the “Static IP Address” screen, which asks you for your IP Address and Gateway.
Do not accept the default settings and instead enter the IP addresses you identified above, ending the first one with “/24”. For example, in this tutorial, I would enter:
Desired IP Address: 10.8.0.1/24
Default Gateway: 198.51.100.1
Accept the other default settings and continue.
Test the PiHole installation by entering the below two commands (in the DigitalOcean server, not your local machine):
host google.com 10.8.0.1 host pagead2.googlesyndication.com 10.8.0.1
You should see output indicating that “google.com has address 184.108.40.206” and “pagead2.googlesyndication.com has address 10.8.0.1” (or sometimes 0.0.0.0). If this happens, PiHole is working correctly.
Configure OpenVPN to use PiHole
sudo nano /etc/openvpn/server.conf
Find any lines in this file which look like the below, and comment them out by starting the lines with a semicolon (if they aren’t commented already):
push "dhcp-option DNS 220.127.116.11"
Add the line:
push "dhcp-option DNS 10.8.0.1"
Then restart the server:
sudo systemctl restart openvpn@server
And check that it started correct – check for a status of active (running):
sudo systemctl status openvpn@server
● firstname.lastname@example.org - OpenVPN connection to server Loaded: loaded (/lib/systemd/system/openvpn@.service; indirect; vendor preset: enabled) Active: active (running) since Wed 2019-03-06 09:28:55 UTC; 1h 11min ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 11398 (openvpn)
Create a Client Config (.ovpn) File
Run the installation script again, which will detect that you already have OpenVPN installed, and ask what you want to do. You want to add a new user, so select that option and make up a name for the new machine (something like “jamesphone” should be fine).
Change Firewall Settings
sudo iptables -I INPUT -i tun0 -j ACCEPT sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -I INPUT -i lo -j ACCEPT sudo iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable sudo iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset sudo iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable sudo iptables -P INPUT DROP
Connect to VPN Using Your Phone
Move the .opvn file to your phone using an SFTP program, then install an OpenVPN app and import the settings.