If you use PiHole to block your ads, you might be unpleasantly surprised after installing NordVPN. After you connect to a VPN server, your previous DNS settings won’t be respected. In other words, DNS queries will no longer go to your PiHole resolver, but to NordVPN’s resolver.
When I originally wrote this post in 2021, NordVPN’s software didn’t contain an option to specify a custom DNS server. Now, in 2023, there is such an option, but it still doesn’t work if the DNS server is in a local network (and that’s where your Raspberry Pi likely is).
Workaround: use OpenVPN software to connect to NordVPN infrastructure
I tried many things, and ultimately landed with a workaround for this issue. It requires a tradeoff, though. It allows you to keep using NordVPN’s infrastructure and subscription you paid for, but you would need to switch from the official NordVPN software to a more generic, open-source VPN client, which can be configured to work with PiHole.
Here are the steps. I tested that they still work in 2022 2023:
- Remove the official NordVPN software. Install OpenVPN GUI instead. It’s a popular open-source software.
The downside here is that it forces us to use OpenVPN protocol for VPN connection, so we won’t benefit from improvements coming from the NordLynx protocol. It’s good enough for me, but decide if the tradeoff makes sense to you. - Download NordVPN server configuration for OpenVPN client from the official NordVPN website.
You’ll have to choose a single, specific server to use with OpenVPN. This is another downside. There won’t be an option to automatically “choose the fastest server” as in the official NordVPN client.
I selected one of the servers located near me, and UDP as a transport protocol. - Import the downloaded file to OpenVPN GUI.
I just moved the file toc:\Users\MyUserName\OpenVPN\config\. - Set your PiHole device as preferred DNS server when connecting to VPN.
Modify the downloaded configuration file and add a line similar to:dhcp-option DNS 192.168.0.95
somewhere in the file. Replace the IP address with the IP address of your PiHole! - Set up OpenVPN GUI to autostart with system and to start new connection when launched
After following these steps, the VPN connection works and PiHole is used as a DNS server as it used to.
Appendix: lessons learned and my perspective in 2023
Since I wrote this blog post, I simplified my setup. I learned that Pi-Hole is a fun tool, but it doesn’t meet my requirements. I want to have my ads blocked not only when I’m at home, but also on other networks and on a smartphone. Furthermore, I would rather not spend more time fighting with routers and firewalls and networking, but just solve the ad-blocking problem and be done with it 😀
In the process, wrote another blog post looking at the ways to host PiHole in the cloud. Ultimately, though, I switched to a cloud-native solution alternative to Pi-Hole, called NextDNS. I’m supper happy about the change!
Regarding the VPN, I connect to it very sporadically now. I believe that with an encrypted DNS and mostly encrypted web today, VPNs don’t bring much added value in terms of privacy and security. Resigning from the daily VPN use removes one more complex layer from my networking setup, which results in less problems to solve and more time saved. But of course, this is only my current judgement.
Good luck with your endeavor! 🙂
Would there be an advantage in setting up NordVPN on the Raspberry Pi? i’m guessing the Pi is acting as your DNS server for PiHole.
Hi Tom. I didn’t find much use for NordVPN on Raspberry Pi in my setup. But I am ensuring encryption of DNS queries between the Raspberry Pi and the DNS service by using DNS-over-HTTPS protocol instead of the regular, unencrypted DNS.
So, currently my DNS queries go from PC -> Raspberry Pi (in the same trusted network) -> NextDNS service (using secure DNS-over-HTTPS protocol, I use dnscrypt-proxy). I thinks that’s a pretty solid setup 🙂
Know that your queries are doing to the upstream DNS provider using your own IP. If privacy is a concern then you should also run your pihole through Nord so it connects to the DoH upstream using the Nord server’s IP.