Last active Feb 24, 2021
vpn route through another vpn pihole pivpn dnsmasq openvpn


Ideally, I like to run one vpn. I have OpenVPN/PiVPN working just fine.

On the PiVPN server, I'd like to run a VPN client to my work office.

It's difficult to get Cisco VPN client and Tunnelblick clients running side-by-side on the same machine, i.e. my local dev machine, without a seeming hack (see below).

I have it working locally.

  • Cisco AnyConnect Client connects to work VPN. Only specific resources are made available. All other traffic is routed as normal.
  • Tunnelblick will connect my personal VPN (PiVPN), routing all other traffic.
  • With an entry in /etc/hosts, i.e. an entry like I'm able to access URLs that are for work only.
  • Without the /etc/hosts entry, the work resource URLs do not resolve. This seems like a hack. :(
  • Maybe this is a DNS or IP mask issue that can be handled through a local OpenVPN config? TBD.

On Raspbian

A few notes about what is working for PiVPN:

  • OpenConnect connects to my work VPN when logged into the VPN server via ssh. Successfully able to route traffic to my work VPN if I am logged into the server as a user.
  • When connected through the VPN, this will NOT route work-specific URLs through PiVPN and then through the OpenConnect client.
  • WIP/TODO: need to figure out how to route select PiVPN traffic through a local PiVPN server OpenConnect client connection.
  • After openconnect install, this works for connection. I did not have any issues getting this to work.
sudo openconnect


  • I installed the OpenVPN app, Version 3.1.0 (890), on my OS X dev machine as a replacement for Tunnelblick. The OpenVPN app works MUCH better.
  • Regardless of app I use to connect to my PiVPN, I first need to connect to my work VPN using the Cisco AnyConnect app and then launch the OpenVPN PiVPN client.
  • I still need the dns entry in /etc/hosts for my work resource as mentioned above.
  • I'm now using openconnect instead of Cisco AnyConnect to connect to my work vpn. Install with brew install openconnect. Run with sudo openconnect Enter username and password. ez pz.

Another Update, Pi-Hole DNS when on the local network

When on my local network, without running an OpenVPN client on my local machine, I still want to have Pi-Hole handle the DNS resolution. I followed a few of the instructions online, but mostly this one from Marc Stan. The key to getting DNS resolution to work locally with DHCP was adding the eth0 entry to the config file. The /etc/dnsmasq.d/02-ovpn.conf file looks like this:


This change allows Pi-hole to listen to both the tunnel connection and the traffic coming into the Pi-Hole DNS from the local network.

Note this Pi-Hole Admin Console DNS setting: [screenshot]

I'm running dd-wrt on my router.

Setup->Basic Setup


Third Update

Running PiVPN(OpenVPN) on UDP and TCP protocols

Sometimes networks block 1194/UDP. Running on 443/TCP might be a way around this.

Install PiVPN and Pihole

documented elsewhere

Please note, I initially used the recommended udp protocol and port 1194 when setting up PiVPN. I also made modifications to my conf files to get PiVPN and PiHole to play nice together for both the VPN connections and local network traffic.

My router handles all port forwarding. (another topic and documented elsewhere.)

cp /etc/openvpn/server.conf /etc/openvpn/server_tcp.conf

Duplicate the current server.conf file. We'll edit the new version below.

Edit /etc/openvpn/server_tcp.conf.

The only lines I needed to update were the following:

dev tun_tcp
proto tcp
port 1194

Keep the rest of the conf file the same.

Edit /etc/dnsmasq.d/02-ovpn.conf

I'm running pi-hole to resolve dns queries for both vpn and internal network traffic. The dnsmasq file looks like this:


iptables /etc/iptables/rules.v4

I needed to add one line, -A POSTROUTING -s -o eth0 -j MASQUERADE

Generated by iptables-save v1.4.21 on Thu Dec 29 19:17:57 2016


This is the easiest way to restart the services, but there are quicker ways to restart services for dnsmasq, iptables, and openvpn. The Raspberry Pi restarts so fast, whatev's. :)
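
A consistency check for the three files this update touches, added here as an illustration and not part of the original gist: it reports any OpenVPN instance whose tunnel device has no `interface=` line in the dnsmasq file, or whose `server` subnet has no MASQUERADE rule out of eth0. The sample file contents, the subnets and all function names are constructed assumptions, and it assumes the dnsmasq file selects interfaces with `interface=` lines.

```python
import ipaddress
import re

# Constructed sample contents, not the gist's real files; the subnets are made up.
CONFS = {
    "server.conf": "dev tun\nproto udp\nport 1194\nserver 10.8.0.0 255.255.255.0\n",
    "server_tcp.conf": "dev tun_tcp\nproto tcp\nport 1194\nserver 10.9.0.0 255.255.255.0\n",
}
DNSMASQ = "interface=tun0\ninterface=eth0\n"
RULES_V4 = "*nat\n-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n"

def directives(conf_text):
    """Return {directive: [args]} for an OpenVPN config, skipping # and ; comments."""
    rows = (line.split("#", 1)[0].split() for line in conf_text.splitlines())
    return {r[0]: r[1:] for r in rows if r and not r[0].startswith(";")}

def dev_covered(dev, listen):
    # Plain "dev tun" is given a tunN name at start-up, so accept any tunN entry.
    if dev in ("tun", "tap"):
        return any(re.fullmatch(dev + r"\d+", name) for name in listen)
    return dev in listen

def nat_networks(rules_text, out_if="eth0"):
    """Source networks with a POSTROUTING MASQUERADE rule leaving via out_if."""
    nets = []
    for tok in map(str.split, rules_text.splitlines()):
        arg = lambda flag: tok[tok.index(flag) + 1] if flag in tok[:-1] else None
        if (tok[:2] == ["-A", "POSTROUTING"] and arg("-j") == "MASQUERADE"
                and arg("-o") == out_if and arg("-s")):
            nets.append(ipaddress.ip_network(arg("-s"), strict=False))
    return nets

def audit(confs, dnsmasq_text, rules_text):
    """List tunnels that dnsmasq (Pi-hole) or the NAT rules do not cover."""
    listen = set(re.findall(r"^\s*interface\s*=\s*(\S+)", dnsmasq_text, re.M))
    nat, findings = nat_networks(rules_text), []
    for name, text in confs.items():
        d = directives(text)
        dev = d.get("dev", ["tun"])[0]
        # With no interface= lines dnsmasq listens on every interface.
        if listen and not dev_covered(dev, listen):
            findings.append(f"{name}: dnsmasq has no interface={dev}")
        if "server" in d:
            net = ipaddress.ip_network("/".join(d["server"][:2]), strict=False)
            if not any(net.subnet_of(n) for n in nat):
                findings.append(f"{name}: no MASQUERADE rule for {net}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFS, DNSMASQ, RULES_V4)) or "all tunnels covered")
```

A tunnel that dnsmasq does not listen on gets no Pi-hole filtering for its clients, and a subnet without a NAT rule cannot reach the internet through the Pi, so both gaps are worth catching before the reboot.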


Owner Author

@todgru todgru commented Nov 2, 2019

I left a comment here. good info on running openconnect. though it's not as difficult as it once was to install. 😄


Owner Author

@todgru todgru commented Nov 13, 2019



@Olegka99 Olegka99 commented Feb 24, 2021

I have to travel a lot for work, and I must always be in touch, including on social networks. I first encountered the problem of Facebook inaccessibility three years ago when I flew to China. Local colleagues suggested that you need to use a VPN in order to get the IP address of another country, and thus, communicate freely on Facebook. But I didn't know which VPN is better. I asked my acquaintances which VPN service they themselves use: the reviews about were the best. Excellent speed, high safety, works all over the world. I have one license connected to both a laptop and a phone. Wherever I am, it's convenient. I am always in touch.
