You can block ads on any network you connect to, not just your home Wi-Fi, by combining Pi-hole and OpenVPN.

Let’s see it in action. Imagine you’re at a coffee shop, connected to their public Wi-Fi. Normally, ads would be whizzing by. But with this setup, your laptop is connected through a VPN tunnel to your home network, where your Pi-hole is running. Your traffic crosses the coffee shop’s network inside that tunnel, your DNS queries are answered by your home Pi-hole, and everything reaches the internet from your home connection.

Here’s the setup:

  1. Your Home Network:

    • Pi-hole: This is your ad-blocking DNS server. It sits on your home network and filters out ad domains.
    • OpenVPN Server: This server runs on a machine within your home network (it can be your Pi-hole device itself, a router, or a dedicated server). It accepts incoming VPN connections.
    • Router: Your home router needs to be configured to forward the OpenVPN port (default is UDP 1194) to the internal IP address of your OpenVPN server. You’ll also need a dynamic DNS (DDNS) service if your home IP address changes.
  2. Your Remote Device (Laptop, Phone, etc.):

    • OpenVPN Client: This software connects to your home OpenVPN server.
    • Pi-hole as DNS: Once connected to the VPN, your remote device will be configured to use your Pi-hole’s IP address as its DNS server.

How it works:

When your remote device wants to resolve a domain name (e.g., example.com), it sends the DNS query to its configured DNS server. In this case, because you’re connected to the VPN, that server is your Pi-hole.

  • Query reaches Pi-hole: Pi-hole checks its blocklists. If example.com is an ad server, Pi-hole returns a blocked IP (like 0.0.0.0). If it’s not blocked, Pi-hole forwards the query to its upstream DNS server (e.g., Google DNS at 8.8.8.8).
  • Traffic routed through VPN: Crucially, all traffic from your remote device is now encapsulated within the OpenVPN tunnel and routed to your home network. So, even though the DNS query went to your Pi-hole, the actual internet traffic for example.com will also be routed through the VPN and then out to the internet from your home network. This means your remote device appears to have your home IP address to the outside world.

Configuration Steps (Simplified):

  • Install Pi-hole: If you haven’t already, set up Pi-hole on a device on your home network (e.g., a Raspberry Pi). Note its IP address (e.g., 192.168.1.10).

  • Install and Configure OpenVPN Server:

    • On a Linux machine (like your Pi-hole device), install OpenVPN.
    • Follow a guide to set up an OpenVPN server (e.g., using openvpn-install script). This generates server configuration files and client profiles (.ovpn).
    • Key Server Configuration (server.conf):
      port 1194
      proto udp
      dev tun
      ca ca.crt
      cert server.crt
      key server.key
      dh dh.pem
      server 10.8.0.0 255.255.255.0 # VPN subnet
      ifconfig-pool-persist ipp.txt
      push "redirect-gateway def1 bypass-dhcp" # Route all traffic through VPN
      push "dhcp-option DNS 192.168.1.10"     # Tell clients to use Pi-hole for DNS
      keepalive 10 120
      cipher AES-256-CBC
      auth SHA256
      user nobody
      group nogroup
      persist-key
      persist-tun
      status openvpn-status.log
      verb 3
      
    • Router Port Forwarding: Forward UDP port 1194 on your home router to the internal IP of your OpenVPN server.
    • DDNS: Set up a DDNS service (e.g., DuckDNS, No-IP) and configure your router to update it. Your OpenVPN client will connect to your DDNS hostname.
  • Configure OpenVPN Client:

    • Take the generated .ovpn client profile.
    • Crucial Modification: Make sure the OpenVPN client ends up using your Pi-hole for DNS. The push "dhcp-option DNS 192.168.1.10" directive in the server config usually handles this. If you want to be explicit, or need to troubleshoot, you can add or modify a line in your client .ovpn file:
      # ... other client config lines ...
      remote your_ddns_hostname.duckdns.org 1194 udp
      # If the server push doesn't work, uncomment and set your Pi-hole IP
      # dhcp-option DNS 192.168.1.10
      # ...
      
    • Install OpenVPN client software on your remote device and import the .ovpn profile.

Once connected via VPN, your remote device’s DNS requests will be directed to your Pi-hole, and all its internet traffic will tunnel through your home network.
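
Before connecting, the server config and the client profile can be checked against each other. The Python sketch below is an added example, not part of the original setup or of the OpenVPN or Pi-hole projects; the function names and the sample client lines are assumptions. It confirms that the server pushes the Pi-hole address and redirect-gateway, and that the client profile does not discard them with route-nopull or pull-filter.

```python
import shlex

def directives(text):
    """Split OpenVPN config text into token lists, dropping # and ; comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            rows.append(shlex.split(line, comments=True))
    return rows

def audit(server_conf, client_conf, pihole_ip):
    """Return a list of findings; an empty list means DNS should reach Pi-hole."""
    findings = []
    pushed = [d[1] for d in directives(server_conf) if d[0] == "push" and len(d) > 1]
    tokens = [p.split() for p in pushed]
    dns = [t[2] for t in tokens if t[:2] == ["dhcp-option", "DNS"] and len(t) > 2]
    if not dns:
        findings.append("server pushes no DNS server")
    elif set(dns) != {pihole_ip}:
        findings.append("server pushes DNS other than Pi-hole: " + ", ".join(dns))
    if not any(t[:1] == ["redirect-gateway"] for t in tokens):
        findings.append("server does not push redirect-gateway")
    client = directives(client_conf)
    if any(d[0] == "route-nopull" for d in client):
        findings.append("client route-nopull drops pushed routes and DNS options")
    # pull-filter matches pushed options by prefix; the first matching filter decides.
    filters = [(d[1], d[2]) for d in client if d[0] == "pull-filter" and len(d) > 2]
    for opt in pushed:
        action = next((a for a, prefix in filters if opt.startswith(prefix)), "accept")
        if action != "accept":
            findings.append(f"client pull-filter {action}s pushed option: {opt}")
    return findings

# Constructed sample input, trimmed from the configuration shown on this page.
SERVER_CONF = '''
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0 # VPN subnet
push "redirect-gateway def1 bypass-dhcp" # Route all traffic through VPN
push "dhcp-option DNS 192.168.1.10"     # Tell clients to use Pi-hole for DNS
'''
GOOD_CLIENT = "client\nremote your_ddns_hostname.duckdns.org 1194 udp\n"
BAD_CLIENT = GOOD_CLIENT + 'pull-filter ignore "dhcp-option DNS"\n'  # hypothetical

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CLIENT), ("bad", BAD_CLIENT)):
        print(name, audit(SERVER_CONF, conf, "192.168.1.10") or "ok")
```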

The one thing that often trips people up is DNS resolution within the VPN itself. When the OpenVPN client connects, it receives configuration from the server. The push "dhcp-option DNS <Pi-hole_IP>" directive is what tells the client to use your Pi-hole as its DNS resolver. If this push directive isn’t correctly processed or if the client has overriding DNS settings, you might find that DNS queries aren’t hitting Pi-hole, and thus ads aren’t being blocked. Always verify that your remote device’s network settings show your Pi-hole’s IP address as the DNS server after the VPN connects.
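
One way to run that check from evidence on the client, as an added example that is not from the original page: it compares the PUSH_REPLY line in the OpenVPN client log with the resolvers actually configured on the device. The log line and resolver text are constructed samples, the function names are hypothetical, and the code assumes the resolver text passed in lists the resolvers really in use (no local stub resolver in front of them).

```python
import re

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")

def pushed_options(client_log):
    """Return the options from the last PUSH_REPLY in an OpenVPN client log."""
    matches = PUSH_RE.findall(client_log)
    return matches[-1].split(",")[1:] if matches else []

def nameservers(resolv_conf):
    """Return the nameserver addresses from resolv.conf-style text."""
    rows = [line.split() for line in resolv_conf.splitlines()]
    return [r[1] for r in rows if r[:1] == ["nameserver"] and len(r) > 1]

def check_dns(client_log, resolv_conf, pihole_ip):
    """Classify the DNS state after the tunnel is up.

    not-pushed  : the server never offered Pi-hole as DNS
    not-applied : Pi-hole was pushed but the device is not using it
    mixed       : Pi-hole is in use alongside another resolver (queries can leak)
    ok          : Pi-hole is the only resolver
    """
    pushed = [o.split()[2] for o in pushed_options(client_log)
              if o.startswith("dhcp-option DNS ") and len(o.split()) > 2]
    active = nameservers(resolv_conf)
    if pihole_ip not in pushed:
        return "not-pushed"
    if pihole_ip not in active:
        return "not-applied"
    if set(active) != {pihole_ip}:
        return "mixed"
    return "ok"

# Constructed samples: one client log line and three resolver states.
PIHOLE = "192.168.1.10"
LOG = ("2024-01-01 12:00:00 PUSH: Received control message: "
       "'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.1.10,"
       "route 10.8.0.1,topology net30,ping 10,ping-restart 120,"
       "ifconfig 10.8.0.6 10.8.0.5'")
RESOLV_VPN = "nameserver 192.168.1.10\n"
RESOLV_CAFE = "nameserver 172.16.0.1\n"   # resolver handed out by the public Wi-Fi
RESOLV_MIXED = RESOLV_VPN + RESOLV_CAFE

if __name__ == "__main__":
    for label, conf in (("vpn", RESOLV_VPN), ("cafe", RESOLV_CAFE), ("mixed", RESOLV_MIXED)):
        print(label, check_dns(LOG, conf, PIHOLE))
```

A "not-applied" result with the push present in the log is the case described above: the server did its part, but the client never installed the pushed resolver.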

After successfully blocking ads on remote networks, the next challenge is understanding how to manage DNS over HTTPS (DoH) or DNS over TLS (DoT) clients that might try to bypass Pi-hole.
