Self-hosting VPN on Raspberry Pi with Pihole - Need Clarification

Hi all,

I’ve been running a Pihole on RPI Zero 2W for some time and it’s been great. Now I’m thinking about tinkering with self-hosted VPN, so that I can take advantage of accessing Pihole DNS server from outside my LAN, but I’m a bit confused by all the options/articles online.

I see that Wireguard is recommended a lot and lots of people set it up using PiVPN but it seems like there’s some uncertainty around whether PiVPN is maintained anymore or not. I’ve found that wg-easy has been recommended lately, and based on my research I think that’s what I would like to try using to set up my VPN. Do you have any experiences with it? Is there a nice guide I can use to set it up on an RPI? Or do you recommend something else?

My other question is with regards to which hardware I should use to set it up. I don’t want to do it on the same RPI that’s running PiHole and it’s probably too weak for it anyways. Anything you suggest? Rpi3/4?

Lastly, how has your experience been self-hosting the VPN on your server and taking advantage of pihole outside your network? Has it been working reliably and user-friendly enough for other people in my household to take advantage of?

If that matters at all, I’m running a personal router (ASUS AX-1800s) together with bridged ISP modem on my network.

Thanks in advance and sorry for the lengthy post. Any feedback is welcomed.

Edit: for anyone interested, ended up following this guide (Install server - Pi-hole documentation) and it was pretty straightforward to set up the server and clients but it did take quite a bit of troubleshooting. For DDNS, ended up using the one provided by ASUS. Will see how it fares, but so far so good.

We use Tailscale here as we are behind CGNAT, but it would be pretty much the same.

We set up VPN on demand when we’re out and about and our phones automatically connect back to our VPN and get an ad-free secure experience. The wife who isn’t as technical in setting this stuff up is comfortable and hasn’t experienced issues with the service installed.

Doing this on an RPI4 - you probably want a faster processor to churn out the VPN encrypted packets.

I’m hosting the wireguard server on the same device as pihole and access it remotely with DynamicDNS and port forwarding on the router, no problems until now. Had 3 clients connected at the same time, didn’t notice any issues but I also didn’t analyze further.

I have pihole + unbound + piVPN/Wireguard on a Beaglebone Black. No issue with two devices connecting through VPN. I have a netgear router, which gives free DDNS through no-ip.com

> but it seems like there’s some uncertainty around whether PiVPN is maintained anymore or not

There’s no uncertainty. It has not been maintained for a week.
It’s not a maybe: the current maintainer clearly said they won’t work on it and won’t transfer ownership, except to the original creator.
[EDIT] No idea who the new maintainer is, but clearly there has been one since 2 days ago
https://github.com/pivpn/pivpn/discussions/1829
https://github.com/pivpn/pivpn/discussions/1832

> I don’t want to do it on the same RPI that’s running PiHole and it’s probably too weak for it anyways. Anything you suggest? Rpi3/4?

I’m running the slower-reputed OpenVPN+Pihole along a DDNSupdater on my Pi0W. Not zero 2, a 1st gen zero.
DDNS is kinda lightweight.

If it helps, I believe PiVPN is no longer supported; this was a recent change I read about last week. I’m trying to find the source.

2 x Raspberry Pi Zero, with both running current DietPi. One has PiVPN installed and I’ve been using my phone & tablet regularly to block ads. My laptop also uses it when traveling.

All was fairly straightforward to configure and no issues experienced, while I have a working home connection. (Must turn the VPN off when extended power outages occur).

I’m using DuckDNS for the VPN and 1 port forward is all that was required.

Tailscale on Pi Zero 2W works absolutely fine 🙂

> Doing this on an RPI4 - you probably want a faster processor to churn out the VPN encrypted packets.

What I did on OpenVPN :

  1. Ensure the VPN only transfers DNS, with “full tunnel” being another choice
  2. Increase the blocked TTL from 2s to 1min, in an attempt to reduce bandwidth.
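
The two steps above as configuration, added here as an illustration and not taken from the poster's setup. The file paths, the 10.8.0.0/24 subnet and the Pi-hole address 10.8.0.1 are assumed values, and "blocked TTL" is assumed to mean Pi-hole FTL's `BLOCK_TTL` setting, whose default is 2 seconds.

```conf
# --- /etc/openvpn/server/server.conf (assumed path and addresses) ---
# Constructed example: VPN subnet 10.8.0.0/24, Pi-hole reachable at 10.8.0.1.
server 10.8.0.0 255.255.255.0
topology subnet

# Full tunnel (the "other choice"): all client traffic is routed via the VPN.
# Leave this commented out for a DNS-only tunnel.
;push "redirect-gateway def1"

# DNS-only: clients receive just the VPN subnet plus this resolver,
# so only DNS queries to the Pi-hole cross the tunnel.
push "dhcp-option DNS 10.8.0.1"

# Windows clients: keep queries from leaking to resolvers on other interfaces.
push "block-outside-dns"

# --- /etc/pihole/pihole-FTL.conf (Pi-hole v5 layout) ---
# TTL in seconds on answers for blocked domains; default is 2.
# In Pi-hole v6 the equivalent key is dns.blockTTL in pihole.toml.
BLOCK_TTL=60
```

Pi-hole also has to be allowed to answer queries arriving on the tunnel interface, otherwise VPN clients get no DNS replies at all.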

Thanks! Any DDNS provider you recommend? I see a couple available on my ASUS router but I think not all of them are free or you have to confirm every once in a while if I’m not mistaken.

I did see the initial advice about PiVPN, so I’m very glad to see that there have been some discussions and that while not fully supported, the project will remain active.

I read it might still be maintained by someone else who took over the project… or maybe not. In any case probably best to use something else I guess

I’m using this one, but just because it was in a list of free DDNS providers. Works as expected and is nicely explained, but other providers will work just as good ig

I’ve just noticed changing their website’s language to English does not actually change the FAQ and instruction texts - so this might be a dealbreaker for you.

On my fritzbox router which is pretty common in Germany I could check a setting (or it defaults to, I don’t remember) which automatically induces these confirm requests when the router’s IP address changes, so I don’t need to confirm them manually. Other routers probably might have this functionality as well. At least goip.de says they also send a mail before deleting your acc because of inactivity.

Just learn wireguard. You’ll appreciate it when you are done.

I use multiple systems to access home network pihole in case one goes down.

RPi3 with pihole, unbound and wireguard. Netdata for alerts when down.

RPi3 4 with pihole 2, unbound and tailscale. Which is just wireguard tech run by a private company. Works better but no control of your keys. Netdata for alerts.

Old work laptop flashed with DietPi. Pihole, unbound, netdata and Zerotier.

Use diet pi and it’ll install workable configs for you. Even so pihole uses unbound. Then use their website to learn the basics. Google diet pi software. Dietpi Dashboard is nice too.

> I read it might still be maintained by someone else who took over the project…

Must be very recent then. I had read from the last update’s farewell that the original project won’t be maintained unless the original creators come back.
I guess it could be a fork, but then it’s basically a different software

[EDIT] Yup, it changed two days ago
https://github.com/pivpn/pivpn/discussions/1829
https://github.com/pivpn/pivpn/discussions/1832