Mastering DNS Privacy: Pi-hole + Unbound + OpenVPN. (Part 3 – Final)
Pi-hole + Unbound + VPN (OpenVPN) enhances privacy by blocking ads, trackers, and malicious domains while also preventing ISP snooping, DNS hijacking, and censorship.
Pi-hole blocks ads, trackers, and malware at the network level.
Unbound acts as a secure, recursive DNS resolver—no need to trust third-party services like Google or Cloudflare.
OpenVPN encrypts all your traffic, tunneling it safely through untrusted networks—whether you’re on public Wi-Fi or away from home.
But here's the catch:
If your DNS isn't routed through Pi-hole—even while on VPN—ads, trackers, and DNS leaks still happen. That's why it's critical to pass all DNS queries through Pi-hole inside the VPN tunnel.
For an in-depth look at DNS privacy and network security, check out our tutorial on Mastering DNS Privacy: Pi-hole + Unbound (Part 1 & Part 2). This powerful combination enhances your privacy, security, and control over DNS queries, ensuring a more secure and censorship-resistant browsing experience.
Push Pi-hole DNS to VPN Clients
Edit your OpenVPN server config (/etc/openvpn/server.conf) and add:
push "dhcp-option DNS [Your Pi-hole IP]"
This tells connected VPN clients to use the specified IP [Your Pi-hole IP] as their DNS server.
Replace [Your Pi-hole IP] with your Pi-hole IP address!
Then add the following line for maximum privacy and security:
push "redirect-gateway def1"
This directive ensures that all client internet traffic, including web browsing, DNS queries, and other network requests, is securely tunneled through the VPN, preventing data leaks and masking the client's real IP address. When combined with Pi-hole as the DNS server, all DNS queries are filtered and resolved through Pi-hole, providing network-wide ad blocking, enhanced privacy, and greater control over your internet traffic.
However, this setting comes with some drawbacks:
• Routes all traffic, including local network, internet, and DHCP requests, through the VPN tunnel.
• Prevents clients from accessing local network resources (e.g., printers, file shares) unless explicitly allowed through custom routing rules.
• This may disrupt DHCP renewals since DHCP traffic is also routed through the VPN, preventing the client from communicating with the local DHCP server to obtain or renew its IP address.
Use this setting if you need a full-tunnel VPN for privacy and security, DO NOT require local network access, and want all DNS requests to be processed through Pi-hole for ad-blocking and tracking prevention.
Alternatively, add the following line instead for balanced privacy and functionality:
push "redirect-gateway def1 bypass-dhcp"
This setting works the same as "redirect-gateway def1" but excludes DHCP traffic from being routed through the VPN, allowing clients to renew their DHCP lease from their home router. DNS queries are still routed through Pi-hole, ensuring ad-blocking and privacy, while local network resources like printers and NAS remain accessible. Additionally, local network speeds are faster since only internet traffic is tunneled through the VPN.
Use this setting if you want a full-tunnel VPN while maintaining local network access and avoiding DHCP lease issues when connecting from different networks. Still, it forces all internet traffic through the VPN, but DHCP requests stay local.
Now, if you only want local network access and don't want to route all internet traffic through the VPN, remove redirect-gateway and just use:
push "route 192.168.1.0 255.255.255.0"
For hybrid behavior:
push "redirect-gateway def1 bypass-dhcp bypass-dns"
push "route 192.168.1.0 255.255.255.0"
This encrypts all internet traffic through the VPN for privacy while allowing access to local network resources like printers and NAS, and ensuring DHCP renewals work without issues.
Restart OpenVPN and check its status:
$ sudo systemctl restart openvpn@server
$ sudo systemctl status openvpn@server
Use sudo systemctl restart openvpn@server when you need to apply changes or fix issues on your specific VPN server. This will reconnect all clients with the updated settings.
Firewall Rule
If you’re using UFW (Uncomplicated Firewall), you must allow DNS traffic from VPN clients to Pi-hole. Clients query Pi-hole on port 53 (10.8.0.0/24 is OpenVPN's default client subnet):
$ sudo ufw allow from 10.8.0.0/24 to [Your Pi-hole IP] port 53 proto udp
If Pi-hole is forwarding to Unbound locally (127.0.0.1#5335, as set up in Part 2), that hop stays on the loopback interface and needs no rule for the VPN subnet. This enforces DNS filtering, ad-blocking, and privacy through your Pi-hole.
Confirm It Works
From a VPN client:
$ nslookup google.com
If it returns:
Server: [Your Pi-hole IP]
Address: [Your Pi-hole IP]#53
Non-authoritative answer:
Name: google.com
Address: 142.250.180.14
This is excellent news! It means:
- Your VPN client is using Pi-hole ([Your Pi-hole IP]) as its DNS server.
- The response is successful, indicating that Pi-hole is:
- Accepting DNS queries on port 53
- Resolving them either via an upstream DNS or Unbound (if configured)
What "Non-authoritative answer" Means:
This just means the DNS reply didn’t come from the original source (like Google's own authoritative nameservers), but from a cache or resolver — in this case, Pi-hole or Unbound.
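To make this check repeatable, here is a small client-side script that parses nslookup and ip route output and reports whether DNS is answered by Pi-hole and whether the def1 full-tunnel routes are in place. It is an added example, not code from the tutorial; the 10.8.0.1 Pi-hole address and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a client-side DNS leak check.
# It parses the output of `nslookup` and `ip route` to confirm that the resolver
# answering is the Pi-hole and that the def1 full-tunnel routes are installed.
# PIHOLE_IP is an assumption; set it to your own Pi-hole address.
PIHOLE_IP="${PIHOLE_IP:-10.8.0.1}"

# Print the resolver address from nslookup output ("Server:  10.8.0.1").
resolver_from_nslookup() {
    awk '/^Server:/ { print $2; exit }'
}

# Read nslookup output on stdin; succeed only if the resolver is the Pi-hole
# ($1 overrides PIHOLE_IP, useful for testing).
dns_via_pihole() {
    expected=${1:-$PIHOLE_IP}
    server=$(resolver_from_nslookup)
    [ "$server" = "$expected" ]
}

# redirect-gateway def1 installs two half-default routes (0.0.0.0/1 and
# 128.0.0.0/1) over the tun device. Read `ip route` output on stdin and
# succeed only if both are present.
full_tunnel_active() {
    routes=$(cat)
    echo "$routes" | grep -q '^0\.0\.0\.0/1 ' &&
        echo "$routes" | grep -q '^128\.0\.0\.0/1 '
}

# Live checks, run on a VPN client with: sh dnscheck.sh --live
main() {
    if nslookup example.com | dns_via_pihole; then
        echo "OK: DNS queries are answered by Pi-hole ($PIHOLE_IP)"
    else
        echo "LEAK: DNS queries are not going to Pi-hole"
    fi
    if ip route | full_tunnel_active; then
        echo "OK: def1 full-tunnel routes are installed"
    else
        echo "WARN: no def1 routes, internet traffic may bypass the VPN"
    fi
}

if [ "${1:-}" = "--live" ]; then main; fi
```

On clients that run a local stub resolver (systemd-resolved reports 127.0.0.53 as the server), check the stub's upstream with resolvectl status instead of trusting the nslookup Server line.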
⚠️ Recommendations
When integrating Pi-hole with OpenVPN, it's important to harden security and properly configure DNS settings.
Here are three of our best recommended practices:
1. Secure DNS Handling (Avoid Leaks)
Do not push external DNS servers to clients to ensure all DNS queries go through Pi-hole.
Comment out or remove:
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 1.1.1.1"
Instead, explicitly set Pi-hole as the DNS server for connected VPN clients as stated above!
push "dhcp-option DNS [Your Pi-hole IP]" # Assuming Pi-hole is running on the VPN server
2. Harden OpenVPN Security
Use Strong Encryption:
tls-version-min 1.2 # Enforces a minimum TLS version of 1.2 for security.
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 # Specifies a secure cipher suite for TLS handshake.
cipher AES-256-GCM # Uses AES-256-GCM for strong encryption and authenticated encryption.
auth SHA512 # Ensures message integrity using SHA-512 hashing algorithm.
ncp-disable # Disables Negotiable Cryptographic Parameters (NCP) to prevent weak cipher negotiation. Deprecated in OpenVPN 2.5 and removed in 2.6; on those versions pin the data channel with "data-ciphers AES-256-GCM" instead.
Enable Perfect Forward Secrecy (PFS)
Ensure you're using Elliptic Curve Diffie-Hellman (ECDH) instead of traditional DH:
dh none # Use ECDH instead of traditional DH
ecdh-curve secp384r1 # Uses the secp384r1 elliptic curve for Diffie-Hellman key exchange.
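To check an existing server.conf against recommendations 1 and 2 without reading it by hand, here is a small audit script. It is an added example, not code from the tutorial; the config path, the 10.8.0.1 Pi-hole address, and accepting the OpenVPN 2.5+ data-ciphers directive as an alternative to cipher are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an OpenVPN server.conf
# against recommendations 1 and 2. The config path and the Pi-hole address
# (10.8.0.1 here) are assumptions; pass your own as arguments.
# Usage: audit_server_conf /etc/openvpn/server.conf 10.8.0.1
# Prints one line per finding; the return value is the number of findings.

# Print the active directives of a config file (comments and blanks removed).
active_lines() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Succeed if directive $2 is set to value $3 (an extended regex) in file $1.
has_directive() {
    active_lines "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)"
}

audit_server_conf() {
    conf=$1; pihole=$2; findings=0
    # Recommendation 1: the only DNS server pushed to clients is the Pi-hole.
    for dns in $(active_lines "$conf" |
            sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option DNS \([^"]*\)".*/\1/p'); do
        if [ "$dns" != "$pihole" ]; then
            echo "LEAK: external DNS pushed to clients: $dns"
            findings=$((findings + 1))
        fi
    done
    if ! has_directive "$conf" 'push' "\"dhcp-option DNS $pihole\""; then
        echo "MISSING: push \"dhcp-option DNS $pihole\""
        findings=$((findings + 1))
    fi
    # Recommendation 2: TLS 1.2 floor, AES-256-GCM data channel, SHA-512 HMAC
    # and ECDH-only key exchange. data-ciphers is the OpenVPN 2.5+ replacement
    # for the cipher directive, so either spelling is accepted.
    for pair in "tls-version-min 1.2" "auth SHA512" "dh none" \
                "ecdh-curve secp384r1" "(cipher|data-ciphers) .*AES-256-GCM.*"; do
        if ! has_directive "$conf" "${pair%% *}" "${pair#* }"; then
            echo "MISSING: $pair"
            findings=$((findings + 1))
        fi
    done
    return $findings
}
```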
3. Disable IPv6 (Prevent IPv6 DNS Leaks)
If you're not disabling system IPv6 entirely and want to still use Pi-hole for IPv4:
- Visit the Pi-hole Admin Dashboard (http://pi.hole/admin)
- Go to Settings → DNS
- Uncheck all IPv6-related upstream DNS resolvers (e.g., Cloudflare IPv6, Google IPv6).
- Click Save.
⚠️ Note: This step only prevents Pi-hole itself from forwarding DNS queries over IPv6. It does not fully prevent IPv6 DNS leaks from client devices on your network.
Since a full IPv6 block is beyond the scope of this guide, you may want to check out a more detailed walkthrough here: (coming soon)
Restart the DNS resolution service:
$ sudo systemctl restart pihole-FTL
Pi-hole + Unbound + OpenVPN isn't just a combo—it's a strategy. When properly configured, it shields your traffic, secures your DNS, and slams the door on ads and trackers.
But remember: DNS privacy only works if your VPN clients actually use Pi-hole. Route DNS traffic the right way, and you stay in control—wherever you are.
Stay secure. Stay curious.
Stay SNUBbed!