How to host OpenVPN and Pi-hole on Ubuntu 18.04 VPS

Published: | Last Edited:
Category: tech | Tags: #pi-hole #vpn

Interested in using WireGuard? Check out my post on How to set up WireGuard and Pi-hole on Debian/Ubuntu


I have been playing around with setting up my own OpenVPN server lately and also discovered Pi-hole. OpenVPN provides a way to set up a VPN that I can manage myself, and Pi-hole is a network-wide ad blocking system. Combined, the two services are a good way to make your web browsing experience more secure and ad-free.

I followed the guide on Pi-hole to set up a VPN server, but I found that some information is missing depending on the type of VPS you have, such as whether your VPS is a NAT VPS or not. Below are the documented steps of all my findings.


OpenVPN Setup

Run these scripts:

wget -O
chmod 755

Follow this setup:

Welcome to this quick OpenVPN "road warrior" installer

I need to ask you a few questions before starting the setup
You can leave the default options and just press enter if you are ok with them

First I need to know the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: // Jason's notes: if you are behind NAT, just put your  ipv4 IP address

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 1

What port do you want OpenVPN listening to?
Port: 1194

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) Google
   3) OpenDNS
   4) NTT
   5) Hurricane Electric
   6) Verisign
DNS [1-6]: 1

Finally, tell me your name for the client certificate
Please, use one word only, no special characters
Client name: pihole

Okay, that was all I needed. We are ready to set up your OpenVPN server now
Press any key to continue...

Start OpenVPN

Modify the OpenVPN server's configuration in /etc/openvpn/server/server.conf: remove all the existing push "dhcp-option DNS x.x.x.x" lines and add push "dhcp-option DNS"

Restart OpenVPN services:

systemctl daemon-reload
# Jason's notes: just restarting openvpn does not change the configuration for the OpenVPN server.
systemctl restart openvpn
systemctl restart openvpn-server@server.service

Notes: if you are behind a NAT, you will also need to do the following:

ip r | grep default

# Output from ip r | grep default
default via x.x.x.x dev eth0 onlink

Note the value after dev; in this case it is eth0. Run this:

iptables -t nat -A POSTROUTING  -s -o <value you got from above> -j MASQUERADE

# Example:
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
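
The NAT step above as a rerunnable script, added here as an example and not part of the original post: it reads the interface from the default route and appends the MASQUERADE rule only when `iptables -C` does not already find it. The subnet 10.8.0.0/24, the sample route lines and the function names are assumptions; use the subnet from the server line of your own server.conf.

```shell
#!/bin/sh
# Added example, not from the original post.
# VPN_SUBNET is an assumed value; replace it with your own VPN subnet.
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"

# Print the interface that follows "dev" on the first default route.
# Reads `ip r` output on stdin so it can be checked against sample text.
default_iface() {
    awk '$1 == "default" {
             for (i = 2; i < NF; i++)
                 if ($i == "dev") { print $(i + 1); exit }
         }'
}

# Build the rule arguments (without -A or -C) for a given interface.
masq_rule() {
    printf 'POSTROUTING -s %s -o %s -j MASQUERADE' "$VPN_SUBNET" "$1"
}

# Append the rule only if it is missing, so reruns do not stack duplicates.
ensure_masquerade() {
    iface="$(ip r | default_iface)"
    [ -n "$iface" ] || { echo "no default route found" >&2; return 1; }
    # Word splitting of the rule string into arguments is intentional here.
    if iptables -t nat -C $(masq_rule "$iface") 2>/dev/null; then
        echo "rule already present for $iface"
    else
        iptables -t nat -A $(masq_rule "$iface") && echo "rule added for $iface"
    fi
}

# Constructed sample in the same format as the output shown above.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0 onlink
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1'

# Touch the firewall only when called with the argument "apply" (as root).
if [ "${1:-}" = "apply" ]; then
    ensure_masquerade
fi
```

Run it as root with the argument apply. Rules added this way are not persistent, so save them (for example with iptables-save) if they should survive a reboot.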

Pi-hole Setup

Run this script:

curl -sSL | bash

Follow the instructions to set up Pi-hole:

step 4

Test DNS settings

Run this script


# Output from host
has address
has IPv6 address 2607:f8b0:4005:80b::200e
mail is handled by 10
mail is handled by 20
mail is handled by 30
mail is handled by 40
mail is handled by 50

Our OpenVPN + Pi-hole setup still sees public IPs properly.

This time run


# Output from host
has address
has IPv6 address ::
is an alias for

Pi-hole blocked as the domain is in its blacklist.

Firewall Setup

I followed Pi-hole’s setup

Generate OpenVPN Client Config File

Run ./

Test From Browser

After connecting to your VPN using the OpenVPN client, go to this address. If everything works correctly, you will see this: (image: google syndication)

Pi-hole Statistics

You can go to http://pi.hole/admin once you are connected to the VPN and see some of Pi-hole's stats. The result is mind-boggling. Almost half of my traffic is to serve ads. (image: Pi-hole stats)


Pi-hole is a good solution to fight against ads on the internet. You should give it a try. That said, not all ads are bad. Some creators rely on ads as their source of income. If you have someone you support, consider whitelisting their ads for the good cause.

