
I've managed to set up a Pi-hole, my router is using the Pi-hole as the DHCP server, and all my devices still have internet access.
I would also like to install ExpressVPN on the Pi, so that all my devices automatically get the benefits of the VPN.

I've managed to install ExpressVPN on the Pi, and it connects.
But the problem is that once the Pi connects to ExpressVPN, all my devices lose internet access.
I am guessing I need to somehow configure the Pi-hole to use the VPN connection as well, but I am not sure how to do that, or even where to start.

I've found a ton of articles about setting up OpenVPN and/or PiVPN, but that seems more related to being able to connect to my Pi-hole when I am outside of my home, e.g. at work.

Is what I am trying to do even possible, and if so, any suggestions will be much appreciated. Thanks in advance.

Quintonn

3 Answers

2

I ran into the same issue and the solution is actually quite simple. On your Pi run the following commands in a terminal:

expressvpn disconnect
expressvpn preferences set force_vpn_dns false
expressvpn connect

Once your VPN connects back up, ensure that your DNS resolution is working on your network clients.

Explanation:
'force_vpn_dns' is set to True by default. When set to True, this forces the connection to only use ExpressVPN's DNS. Since the OP and I run Pi-hole on the same server, which is a DNS server, setting this to False allows the server to send DNS resolution requests to itself. The reason this breaks DNS resolution for all local network clients is that in most cases (mine in particular) the clients' DNS server is pointed at the Pi-hole server.

I hope this helps.

Steven

1

Without some additional information, it will be hard for others to give you specific advice/instructions.

The Problem

Right now, with Pi-hole and ExpressVPN, your Pi has multiple interfaces and networks. It has a routing table, and can communicate through all of them (presumably). You want it to forward traffic from your LAN clients through the Pi-hole software and then through the VPN. Conversely, it must forward traffic in the opposite direction for two-way communication to work.

The Solution

Without more knowledge of your setup, I can only point you towards sources of information to learn the concepts of how to make this work.

IP Forwarding

For the Pi to forward packets from one interface to another that originated somewhere else and are destined for somewhere else, IP forwarding must be enabled. Have a look at https://www.eukhost.com/kb/how-to-enable-ip-forwarding-on-linux-ipv4-ipv6/

Firewall/NAT

Even with forwarding enabled, that only solves half the problem. Your Pi (which is now acting like a 'router') needs a set of rules to follow to know which packets need to go where and how it should MASQUERADE the addresses to keep from confusing clients. Packets from your LAN forwarded through your VPN would go nowhere if their source address remained in a private range (i.e. 192.168.x.x or 10.x.x.x), so the Pi has to modify the source addresses on outgoing packets to its own. Likewise, incoming packets from the VPN destined for the LAN need to have their source address modified to match the Pi so that the LAN clients send their responses to the correct place. Further reading: https://www.karlrupp.net/en/computer/nat_tutorial

I hope that helps!
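As an added illustration (not part of the answer above), here is a small Python model of the two mechanisms the answer names, IP forwarding and MASQUERADE. All addresses are constructed assumptions: 192.168.1.0/24 as the LAN, 10.8.0.6 as the Pi's address on tun0, and 203.0.113.53 as an upstream resolver reached through the tunnel. It shows that with forwarding off a LAN client's packet is simply dropped, that with forwarding on the packet leaves tun0 with the Pi's own tunnel address as its source, and that the remembered mapping is what lets the reply's destination be mapped back to the LAN client; an inbound packet that matches no mapping is dropped.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

# Constructed addresses for this example (assumptions, not from the page).
LAN_NET = IPv4Network("192.168.1.0/24")
PI_TUN_ADDR = IPv4Address("10.8.0.6")        # the Pi's address on tun0
RESOLVER = IPv4Address("203.0.113.53")       # an upstream DNS server behind the VPN


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str = "udp"


class MasqueradingRouter:
    """Toy stand-in for `net.ipv4.ip_forward=1` plus
    `iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE`.

    A conntrack-like table remembers which translated port belongs to
    which LAN client so that replies arriving on tun0 can be de-NATed.
    """

    def __init__(self, lan_net, tun_addr, ip_forward=False):
        self.lan_net = lan_net
        self.tun_addr = tun_addr
        self.ip_forward = ip_forward
        self._next_port = 40000
        self._by_client = {}   # (proto, src, sport, dst, dport) -> tun_port
        self._by_tun = {}      # (proto, tun_port, dst, dport) -> (src, sport)

    def egress(self, pkt):
        """LAN -> tunnel. Returns the packet as seen on tun0, or None if dropped."""
        if not self.ip_forward or pkt.src not in self.lan_net:
            # Forwarding disabled (or not a LAN source): the kernel does not
            # relay a packet that is not addressed to itself.
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        tun_port = self._by_client.get(key)
        if tun_port is None:
            tun_port = self._next_port
            self._next_port += 1
            self._by_client[key] = tun_port
            self._by_tun[(pkt.proto, tun_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        # MASQUERADE: the source becomes the Pi's own tunnel address and port.
        return replace(pkt, src=self.tun_addr, sport=tun_port)

    def ingress(self, pkt):
        """Tunnel -> LAN. Reverse the translation for a known flow, else drop."""
        if pkt.dst != self.tun_addr:
            return None
        entry = self._by_tun.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None   # unsolicited inbound packet: no state, dropped
        client, client_port = entry
        return replace(pkt, dst=client, dport=client_port)


def round_trip(ip_forward=True):
    """Send one DNS query from a LAN client through the Pi and bring the reply back.
    Returns (packet_as_seen_on_tun0, packet_delivered_to_the_LAN_client)."""
    router = MasqueradingRouter(LAN_NET, PI_TUN_ADDR, ip_forward=ip_forward)
    query = Packet(IPv4Address("192.168.1.50"), 51234, RESOLVER, 53)
    on_tun = router.egress(query)
    if on_tun is None:
        return None, None
    # The resolver answers to whatever it saw as the source: the Pi's tun0 address.
    reply = Packet(on_tun.dst, on_tun.dport, on_tun.src, on_tun.sport)
    return on_tun, router.ingress(reply)


if __name__ == "__main__":
    print("forwarding off:", round_trip(ip_forward=False))
    print("forwarding on: ", round_trip(ip_forward=True))
```

The model is deliberately stateful: without the table, a reply arriving on tun0 addressed to 10.8.0.6 could not be attributed to any LAN host, which is exactly why a plain "rewrite source to the Pi" rule is not enough on its own and why unsolicited inbound packets from the tunnel never reach the LAN.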

0

Sure, I found little information on installing a client DNS VPN through Pi-hole. My config is a Pi3-B+ with Raspbian, latest update and upgrade. My Pi's IP (X.X.X.X) is named IP_A in this example.

I installed Pi-hole v5.0 configured with the DHCP server. Then I installed my VPN client in default tunnel mode (sorry, not ExpressVPN) and configured it as a service with systemctl.

At this point in the process, all is OK: no firewall, no IP forwarding, just the routing table doing the job.

Commands on the Pi3-B+ (Pi3-B+: eth0 interface / Ethernet port; VPN tunnel: tun0)

My gateway/box: 192.168.1.1

Verify:

ip route show
0.0.0.0/1 via X.X.X.1 dev tun0 
default via 192.168.1.1 dev eth0 src IP_A metric 202 
...

I configure my client's interface with DHCP auto for the IP and set the DNS to the Pi's IP_A.

The final test: open a browser on the client.

On the Pi3-B+, install tcpdump and open 2 terminals. In the first terminal I check the eth0 interface with:

sudo tcpdump -i eth0 udp port 53

In the second I check the VPN:

sudo tcpdump -i tun0 udp port 53

In the client browser open a link/page and check if you see "similar" traffic on eth0 and tun0; for me I think it is good. DNS traffic goes to eth0, then on to the VPN. tcpdump captures all DNS traffic, so I recommend testing with one client.

Other commands to check DNS with or without VPN:

Install iputils-tracepath and check, for example:

tracepath howto.lintel.in

Check the IP of the Pi3-B+:

curl ipinfo.io

Use the route command for the routing table:

route -n

My Pi-hole settings:

Network interface: eth0 (so that it also works if we aren't connected through the VPN)
Enable: DNS > Never forward non-FQDNs
Enable: DNS > Never forward reverse lookups for private IP ranges
Enable: DNS > Use DNSSEC (disable for the test with tcpdump)
Select: DNS > Listen only on interface eth0. Local mode -> client VPN ;).
"Allows only queries from devices that are at most one hop away."

My other settings

Disable IPv6 in Pi-hole
Comment out the IPv6 loopback entries in /etc/hosts:
  127.0.0.1       localhost
  #::1            localhost ip6-localhost ip6-loopback
  #ff02::1                ip6-allnodes
  #ff02::2                ip6-allrouters
  127.0.1.1       raspberrypi
Disable IPv6 in my client's Ethernet config

BDup
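The routing table printed in the answer above is the whole reason "just the routing table does the job": the VPN client installs `0.0.0.0/1` (and normally its twin `128.0.0.0/1`) via tun0, and because a /1 is more specific than the /0 `default` route, every Internet destination is matched by the tunnel routes while the LAN subnet, with its /24, still wins for local hosts. This added Python example (not from the answer or the Pi-hole project) parses an `ip route show` listing and performs the same longest-prefix lookup the kernel does. The sample table is a constructed copy of the answer's output with its placeholders replaced by documentation-range addresses: 10.8.0.1/10.8.0.6 for the tunnel, 192.0.2.10 as the VPN server's public address (pinned via the LAN gateway so the tunnel itself does not loop into tun0), and 192.168.1.2 as IP_A; the `128.0.0.0/1` line is an assumption, as the answer elides it with "...".

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed stand-in for the `ip route show` output in the answer above
# (addresses are assumptions; the 128.0.0.0/1 twin route is assumed too).
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.6
192.0.2.10 via 192.168.1.1 dev eth0
default via 192.168.1.1 dev eth0 src 192.168.1.2 metric 202
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 202
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, via, dev, metric) tuples.
    A bare host like `10.8.0.1` becomes a /32; `default` becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        net = IPv4Network("0.0.0.0/0") if f[0] == "default" else IPv4Network(f[0])
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, via, dev, metric))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties. Returns (dev, via) or None."""
    dst = IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    net, via, dev, metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return dev, via


def vpn_carries_internet(routes):
    """True when the 0.0.0.0/1 + 128.0.0.0/1 pair exists and points at one
    device: together they cover all of IPv4, so every Internet-bound packet
    takes the tunnel while `default` stays in place as the fallback."""
    halves = {str(r[0]): r[2] for r in routes if r[0].prefixlen == 1}
    low = halves.get("0.0.0.0/1")
    return low is not None and low == halves.get("128.0.0.0/1")


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for host in ("1.1.1.1", "198.51.100.7", "192.168.1.50", "192.0.2.10"):
        print(host, "->", lookup(table, host))
    print("VPN carries Internet traffic:", vpn_carries_internet(table))
```

Running it against the real table (`ip route show | python3 -c 'import sys; ...'`, or by pasting the output into `SAMPLE_ROUTES`) is a quick way to confirm, before reaching for tcpdump, that Internet destinations resolve to tun0 while the LAN and the VPN server's own address still resolve to eth0; if the two /1 routes disappear, `lookup` falls back to the `default` route and the Pi-hole's upstream queries leave unencrypted via the gateway.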