How to Set Up a VPN Server with DoH (DNS-over-HTTPS)


VPN (Virtual Private Network) technology provides secure communication between two networks over the internet by encrypting the data and routing it through a secure server. DNS (Domain Name System) is a crucial part of internet infrastructure, translating human-readable domain names into IP addresses. By default, DNS queries are sent in plain text, which can expose browsing activities to eavesdroppers. DNS-over-HTTPS (DoH) is an advanced privacy protocol that encrypts DNS queries using HTTPS, protecting them from interception. In this article, we’ll walk through the steps of setting up a VPN server with DNS-over-HTTPS (DoH) support.

Requirements

  • A VPS (Virtual Private Server) running Ubuntu 20.04 LTS or higher.
  • Root access to the VPS server.
  • A domain name for DNS purposes (optional but recommended).
  • Basic knowledge of terminal commands and networking concepts.

Step 1: Install OpenVPN Server

To start, we need to set up the OpenVPN server on our VPS. OpenVPN is a robust and widely used VPN solution. First, we will install the necessary packages.

sudo apt update
sudo apt install openvpn easy-rsa
Next, use Easy-RSA to generate the CA, server and client certificates. Ubuntu 20.04 and later ship Easy-RSA 3, whose commands run through the easyrsa front end (the older source vars / clean-all / build-ca scripts no longer exist). build-ca prompts for a CA passphrase, which the two build-*-full commands then ask for when signing:
make-cadir /openvpn-ca
cd /openvpn-ca
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server nopass
./easyrsa gen-dh
./easyrsa build-client-full client nopass
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/
The client's certificate and key end up in pki/issued/client.crt and pki/private/client.key; together with ca.crt they go into the client profile used in Step 4.
Now, configure the OpenVPN server by editing the server configuration file:
sudo nano /etc/openvpn/server.conf
In the configuration file, add or modify the following lines:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
user nobody
group nogroup
Two notes on this file: on Ubuntu the unprivileged group is nogroup, and a group nobody line makes OpenVPN refuse to start; and comp-lzo turns on link compression, which OpenVPN 2.5 deprecates and which exposes the tunnel to compression-oracle attacks (VORACLE), so remove it unless you need it. Finally, enable and start the OpenVPN service:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Step 2: Install and Configure DNS-over-HTTPS (DoH) Server

Now that the VPN server is set up, we need to configure DNS-over-HTTPS to encrypt DNS queries. For this purpose, we will use dnscrypt-proxy, a local resolver that accepts plain DNS from the hosts next to it and forwards every query to upstream resolvers over DoH (or DNSCrypt).
Install dnscrypt-proxy on the VPS:
sudo apt install dnscrypt-proxy
Edit the configuration file for dnscrypt-proxy:
sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Find the server_names line and set it to the upstream resolvers to use. The names come from dnscrypt-proxy's public-resolvers list, and the shipped configuration already has doh_servers = true, so queries to these resolvers go out over HTTPS:
server_names = ['cloudflare', 'google', 'quad9']
Then bind dnscrypt-proxy to loopback and to the VPN gateway address. 10.8.0.1 is the address OpenVPN assigns to the server end of the tun interface for the server 10.8.0.0 255.255.255.0 pool above, and it is the only address of this host that VPN clients can reach through the tunnel; binding 127.0.0.1 alone would leave clients with no resolver to talk to:
listen_addresses = ['127.0.0.1:53', '10.8.0.1:53']
One Ubuntu-specific catch: the package is socket-activated, and when dnscrypt-proxy.socket (bound to 127.0.2.1:53) hands it the socket, dnscrypt-proxy ignores listen_addresses. Disable the socket unit so the setting in the toml file takes effect, then enable and start the service. The 10.8.0.1 bind only succeeds once the tunnel interface exists, so make sure openvpn@server is running first (or order the dnscrypt-proxy unit after it with a drop-in):
sudo systemctl disable --now dnscrypt-proxy.socket
sudo systemctl start dnscrypt-proxy
sudo systemctl enable dnscrypt-proxy

Step 3: Configure OpenVPN to Use DNS-over-HTTPS

Now that dnscrypt-proxy is running, configure OpenVPN to hand clients its address as their resolver. Open the OpenVPN server configuration file:
sudo nano /etc/openvpn/server.conf
Replace the two dhcp-option DNS lines that pointed at 1.1.1.1 and 1.0.0.1 with a single line pointing at the address dnscrypt-proxy is bound to inside the tunnel. This must be the tunnel address, not 127.0.0.1: a pushed dhcp-option is applied on the client, so a loopback address would tell each client to query itself:
push "dhcp-option DNS 10.8.0.1"
With this in place, every DNS query from a connected client travels through the tunnel to dnscrypt-proxy, which forwards it to the upstream resolvers over HTTPS. Restart the OpenVPN service to apply the change:
sudo systemctl restart openvpn@server
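The two settings in Steps 2 and 3 have to agree: the address OpenVPN pushes to clients must be one that dnscrypt-proxy binds in listen_addresses, and it must not be a loopback address. The following script is an added example, not part of the article, that checks a server.conf and a dnscrypt-proxy.toml against each other; the file paths are arguments and the sample configurations at the bottom are constructed to show the broken and the working layout side by side.

```shell
#!/bin/sh
# Added example (not from the article): consistency check for Steps 2 and 3.
# The address OpenVPN pushes with "dhcp-option DNS" must be bound by
# dnscrypt-proxy in listen_addresses and reachable through the tunnel; a
# loopback address pushed to clients points each client at its own machine.

# Print every DNS address pushed to clients by an OpenVPN server config.
pushed_dns() {
    sed -n 's/^push[[:space:]]*"dhcp-option DNS \([0-9.]*\)".*/\1/p' "$1"
}

# Print the IPs dnscrypt-proxy binds (from listen_addresses), one per line.
listen_ips() {
    sed -n 's/^listen_addresses[[:space:]]*=[[:space:]]*\[\(.*\)\].*/\1/p' "$1" \
        | tr ',' '\n' | tr -d "'\" " | sed 's/:[0-9]*$//' | grep -v '^$'
}

# Return 0 when every pushed DNS address is non-loopback and bound by dnscrypt-proxy.
dns_push_consistent() {   # $1 = server.conf   $2 = dnscrypt-proxy.toml
    found=0
    for dns in $(pushed_dns "$1"); do
        found=1
        case "$dns" in
            127.*) echo "pushed DNS $dns is loopback: clients would query themselves"; return 1 ;;
        esac
        listen_ips "$2" | grep -qxF "$dns" \
            || { echo "dnscrypt-proxy does not listen on $dns"; return 1; }
    done
    [ "$found" -eq 1 ] || { echo "no dhcp-option DNS push found in $1"; return 1; }
    echo "ok: every pushed DNS address is served by dnscrypt-proxy inside the tunnel"
}

# Constructed samples: the mistake (loopback pushed and bound) next to the working layout.
tmp=$(mktemp -d)
printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'push "dhcp-option DNS 127.0.0.1"' > "$tmp/bad.conf"
printf '%s\n' "listen_addresses = ['127.0.0.1:53']" > "$tmp/bad.toml"
printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'push "dhcp-option DNS 10.8.0.1"' > "$tmp/good.conf"
printf '%s\n' "listen_addresses = ['127.0.0.1:53', '10.8.0.1:53']" \
              'doh_servers = true' 'dnscrypt_servers = false' > "$tmp/good.toml"

dns_push_consistent "$tmp/bad.conf" "$tmp/bad.toml" || true   # reports the loopback mistake
dns_push_consistent "$tmp/good.conf" "$tmp/good.toml"         # ok
rm -r "$tmp"
```

On the VPS itself, run dns_push_consistent /etc/openvpn/server.conf /etc/dnscrypt-proxy/dnscrypt-proxy.toml after editing either file; the check only reads the files, so it does not need root, and it says nothing about whether the tunnel or the service is actually up.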

Step 4: Client Configuration

Now that the server is configured, it’s time to configure the client. On the client machine, you need to install OpenVPN client software. For Linux:
sudo apt install openvpn
Transfer the client profile from the server. client.ovpn is the file that bundles the client's certificate and key, the CA certificate and the server's address:
scp user@your-vps:/etc/openvpn/client.ovpn /client.ovpn
Then, connect to the VPN using the OpenVPN client:
sudo openvpn --config /client.ovpn
To verify that name resolution goes through dnscrypt-proxy, query the tunnel address directly from the connected client:
dig @10.8.0.1 example.com
An answer from 10.8.0.1 shows that dnscrypt-proxy is reachable and resolving; dig cannot tell you how the query was forwarded upstream. What DoH changes is that no plaintext DNS leaves the VPS, and that is confirmed on the server by capturing port 53 on the uplink interface while a client resolves names: with DoH working, only HTTPS traffic to the resolver on port 443 appears there.

Troubleshooting

  • If you experience connectivity issues, check the firewall settings on the VPS to ensure that UDP port 1194 is open for VPN traffic.
  • If DNS queries are not resolving correctly, verify that dnscrypt-proxy is running and check the configuration file for any typos.
  • For additional logs and troubleshooting, view the system logs for OpenVPN and dnscrypt-proxy:

sudo journalctl -u openvpn@server
sudo journalctl -u dnscrypt-proxy
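The troubleshooting list mentions opening UDP 1194, but a VPN that pushes redirect-gateway also needs IPv4 forwarding and NAT on the VPS, and the resolver on 10.8.0.1:53 should be reachable from the tunnel only. The script below is an added example, not from the article: it checks forwarding, prints the firewall rules for review before they are applied, and offers a capture-based check that no plaintext DNS leaves the uplink. It assumes the 10.8.0.0/24 tunnel on tun0 from server.conf above; the uplink interface name eth0 is a placeholder, check yours with ip route.

```shell
#!/bin/sh
# Added example (not from the article): host-side plumbing for the VPN and a
# plaintext-DNS leak check. Assumptions: tunnel subnet 10.8.0.0/24 on tun0 as in
# server.conf; the uplink interface name is a guess (override with WAN_IF=...).
WAN_IF="${WAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# 0 when the running kernel forwards IPv4 (reads /proc, no root needed).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Turn forwarding on now and persist it across reboots (root).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
}

# Print the iptables rules as text (pipe into sh to apply): VPN traffic on 1194
# is admitted, the resolver on port 53 is reachable from tun0 but dropped on the
# uplink, and tunnel traffic is forwarded and masqueraded behind the uplink address.
firewall_rules() {   # $1 = uplink interface   $2 = tunnel subnet
    wan="$1"; net="$2"
    cat <<EOF
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $wan -p udp --dport 53 -j DROP
iptables -A INPUT -i $wan -p tcp --dport 53 -j DROP
iptables -A FORWARD -i tun0 -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}

# 0 when no plaintext DNS left the uplink during a 5-second window; have a client
# resolve a few names through the VPN meanwhile. A handful of port-53 packets right
# after dnscrypt-proxy starts are its bootstrap lookups of the resolver hostnames,
# so run this once it has been up for a minute. Needs root for tcpdump.
no_plaintext_dns_leak() {   # $1 = uplink interface
    timeout 5 tcpdump -ni "$1" -c 1 'port 53' >/dev/null 2>&1
    case $? in
        0)   echo "plaintext DNS seen leaving $1"; return 1 ;;
        124) echo "no plaintext DNS on $1 in the sample window"; return 0 ;;
        *)   echo "tcpdump failed (not root, or interface $1 missing?)"; return 2 ;;
    esac
}

# Review the rules first; on the VPS, as root, apply with:
#   enable_forwarding; firewall_rules "$WAN_IF" "$VPN_NET" | sh
firewall_rules "$WAN_IF" "$VPN_NET"
forwarding_enabled || echo "IPv4 forwarding is off: run enable_forwarding"
```

The rules append to whatever chains already exist, so read the current state with iptables -S before applying them, and persist them with your distribution's mechanism (the iptables-persistent package on Ubuntu) or they are gone at the next reboot.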

Conclusion

Setting up a VPN server with DNS-over-HTTPS encrypts your traffic on both hops where it used to be exposed: client to VPS inside the tunnel, and VPS to resolver over HTTPS. Nobody on the client's local network or on the VPS's uplink sees which names are being resolved. The upstream DoH resolver you chose in server_names still sees every query, so pick one whose logging policy you accept. By following the steps outlined above, you can configure OpenVPN to route all DNS queries through a DoH resolver on the VPS, making your online activities more private and secure.
