Using a VPN (Virtual Private Network) is a powerful way to enhance your online privacy and security. A VPN encrypts your internet connection and hides your device’s location, ensuring no one can track your online activities. Typically, a VPN is installed directly on a device, but by configuring it on your router, you can extend its protection to your entire network, safeguarding every connected device.

Running a VPN client on your router centralizes the VPN connection, meaning every device on your network benefits without needing individual VPN configurations. However, not all routers support VPN client functionality out of the box. It’s crucial to research router specifications before purchasing. Alternatively, you can explore custom firmware like DD-WRT that can unlock VPN functionality. Note, however, that not all routers are supported by DD-WRT.

In my case, I’m using the TP-Link Archer AXE75 router, which, while not compatible with DD-WRT, offers VPN client setup via its local management panel. I am using NordVPN, and their guide for TP-Link devices made the configuration process straightforward.

TP-Link Archer devices compatible with DD-WRT

When setting up the TP-Link Archer AXE75 router, TP-Link strongly pushes the use of their Tether app. While convenient, it binds the router to your TP-Link account, allowing remote management of the router from anywhere. This has raised security concerns, as noted on TP-Link’s user forum. If someone gains access to your TP-Link account, they could compromise your router.

Although TP-Link claims their cloud management feature involves no inbound traffic to your network, I still consider it a huge security risk. To mitigate this, I recommend unbinding your router from the TP-Link account via the Tether app. Once unbound, you can manage the router locally by visiting 192.168.0.1 in a web browser and logging in with the password set during initial setup.

Configuring Pi-Hole and the VPN Client Together

I use Pi-hole as a network-wide ad blocker, configured as the primary DNS server in my router’s DHCP settings. However, when enabling the VPN client, I noticed that Pi-hole stopped blocking ads. This happened because the VPN client was overriding the router’s DHCP DNS settings and redirecting DNS queries to NordVPN’s DNS servers.

To confirm this, I checked the DNS server settings in the TP-Link management panel, which displayed NordVPN’s DNS servers instead of my Pi-hole. The lack of ad blocking further confirmed the issue.

NordVPN forcing use of it's own DNS server 103.86.96.100

Many VPN clients allow you to specify custom DNS servers to prevent scenarios like this. Unfortunately, the TP-Link management panel lacked this option. After some research, I found a solution: modifying the .ovpn configuration file provided by NordVPN. To direct the VPN client to use Pi-hole as the DNS server, I added the following line to the .ovpn file:

dhcp-option DNS <pi-hole ip here>

After uploading the modified .ovpn file to the router and reconnecting, I checked the DNS settings in the management panel. This time, Pi-hole’s IP was listed, confirming that the VPN client was now using Pi-hole for DNS queries. Ads were blocked once again!

VPN client now using my Pi-Hole for DNS

Final thoughts

Combining a VPN client with Pi-hole on your router requires some configuration but offers significant benefits in terms of privacy, security, and ad blocking. Be prepared to troubleshoot issues like DNS conflicts, and don’t hesitate to modify configuration files if needed. With these adjustments, you can enjoy a network that is not only secure but also free from intrusive ads and trackers.

⚡️ Enjoyed this post? Buy me a coffee… in sats! Tip me via my Lightning address: [email protected]