From 7c9e8a0d5820f136be98ffd3d3a1b7858399720b Mon Sep 17 00:00:00 2001 From: DL6ER Date: Thu, 26 Jan 2017 13:50:52 +0100 Subject: [PATCH] Updated Pi hole OpenVPN server (markdown) --- Pi-hole---OpenVPN-server.md | 179 +----------------------------------- 1 file changed, 5 insertions(+), 174 deletions(-) diff --git a/Pi-hole---OpenVPN-server.md b/Pi-hole---OpenVPN-server.md index b73c2f0..61907ff 100644 --- a/Pi-hole---OpenVPN-server.md +++ b/Pi-hole---OpenVPN-server.md @@ -1,185 +1,16 @@ This tutorial walks you through the installation of Pi-hole combined with an VPN server for secure access from remote clients. Via this VPN you cannot only access your admin interface remotely, but also use the DNS server and hence the full filtering capabilities of your Pi-hole from everywhere around the globe. Another plus is that your internet traffic will always be fully encrypted, so surfing on an unencrypted WiFi (like on airports or hotels) becomes a significant boost in terms of security. This manual is based on this [HowTo](https://discourse.pi-hole.net/t/pi-hole-with-openvpn-vps-debian/861) on [Discourse](https://discourse.pi-hole.net). -### Install OpenVPN server -Using the quick OpenVPN "road warrior" installer. It should be fine using the suggested defaults if you have no special needs -```bash -wget https://git.io/vpn -O openvpn-install.sh -sudo bash openvpn-install.sh -``` ---- -### Install Pi-hole -Chose `tun0` as networking interface. If `tun0` isn't available, the installation of the OpenVPN server failed. -```bash -curl -L https://install.pi-hole.net | bash -``` --- -### Edit your VPN server settings -to use your Pi-hole as DNS server - -First, get the IP of your `tun0` interface: -``` -ifconfig tun0 | grep 'inet addr' -``` -In my case this returns -
-inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
-
- -Afterwards, change your settings in `/etc/openvpn/server.conf` from -``` -push "dhcp-option DNS 8.8.8.8" -``` -to -
-push "dhcp-option DNS 10.8.0.1"
-
-(where you might have to replace the IP if you found something different in the previous step) - -Finally, restart your OpenVPN server. -``` -sudo service openvpn restart -``` ---- -### Connect from a client -There are various tutorials available for all operating systems for how to connect to an OpenVPN server. - -### Android -Use the official OpenVPN App: -https://play.google.com/store/apps/details?id=net.openvpn.openvpn - -### Other systems -I'll demonstrate the procedure here for Ubuntu Linux (which trivially extends to Linux Mint, etc.) - -1. Install the necessary network-manager plugins -``` -sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome -sudo service network-manager restart -``` - -2. Securely copy the necessary certificates from your OpenVPN server to your client (e.g. using `sftp`). They are located in `/etc/openvpn/easy-rsa/pki` - -You will need: - -* User Certificate: `/etc/openvpn/easy-rsa/pki/issued/client.crt` -* CA Certificate: `/etc/openvpn/easy-rsa/pki/ca.crt` -* Private Key: `/etc/openvpn/easy-rsa/pki/private/client.key` -* Private Key Password: Depending on your settings (might even be empty) -* TA Key: `/etc/openvpn/ta.key` - -Further details can be found in the screenshots provided below: -![](http://www.dl6er.de/pi-hole/openVPN/conn_type.png) -![](http://www.dl6er.de/pi-hole/openVPN/keys.png) -![](http://www.dl6er.de/pi-hole/openVPN/general.png) -![](http://www.dl6er.de/pi-hole/openVPN/security.png) -![](http://www.dl6er.de/pi-hole/openVPN/tls.png) - -Your whole network traffic will now securely be transferred to your Pi-hole. 
-![](http://www.dl6er.de/pi-hole/openVPN/VPNclients.png) +## Table of contents +- [Installing OpenVPN server + Pi-hole](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Installation) +- [Setup OpenVPN server](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Setup-server) +- [Connect from clients to your OpenVPN server](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Connect-from-a-client) +- Optional: [Firewall configuration (using `iptables`)](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Firewall-configuration-(using-iptables)) --- ### Optional: Security information For security purposes, it is recommended that the CA machine should be separate from the machine running OpenVPN. If you loose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server. --- -### Optional: Firewall configuration (using iptables) -If your server is visible to the world, you might want prevent port 53/80 from being accessible from the outside. You will still be able to connect to your Pi-hole from within the VPN. - -Using `iptables`: First, verify that there is no rule that explicitly accepts `http` requests -``` -sudo iptables -L --line-numbers -``` - -If you get something like -
-Chain INPUT (policy ACCEPT)
-num  target     prot opt source               destination         
-1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
-2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
-3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
-
-Chain FORWARD (policy ACCEPT)
-num  target     prot opt source               destination         
-
-Chain OUTPUT (policy ACCEPT)
-num  target     prot opt source               destination         
-
-you have to first explicitly delete the first INPUT rule using: -``` -sudo iptables -D INPUT 1 -``` - -Then you can add an explicit rule that allows access from within the VPN -``` -sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT -sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT -sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT -sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT -``` - -And another one that prevents access from everywhere else -``` -sudo iptables -A INPUT -p tcp --destination-port 53 -j DROP -sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP -sudo iptables -A INPUT -p udp --destination-port 53 -j DROP -sudo iptables -A INPUT -p udp --destination-port 80 -j DROP -``` - -Your configuration should look like -
-sudo iptables -L -v --line-numbers
-Chain INPUT (policy ACCEPT 104 packets, 8691 bytes)
-num   pkts bytes target     prot opt in     out     source               destination         
-1        0     0 ACCEPT     tcp  --  tun0   any     anywhere             anywhere             tcp dpt:domain
-2        0     0 ACCEPT     tcp  --  tun0   any     anywhere             anywhere             tcp dpt:http
-3        0     0 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:domain
-4        0     0 ACCEPT     udp  --  tun0   any     anywhere             anywhere             udp dpt:http
-5        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
-6        0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:http
-7        0     0 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:domain
-8        0     0 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:http
-
-Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
-num   pkts bytes target     prot opt in     out     source               destination         
-
-Chain OUTPUT (policy ACCEPT 83 packets, 11305 bytes)
-num   pkts bytes target     prot opt in     out     source               destination
-
-while there might be other rules in your table. Note that the order of the list entries matters! - ---- -### Optional: IPv6 - -Note that you will have to repeat the firewall setup using `ip6tables` if your server is also reachable via IPv6: - -``` -sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT -sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT -sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT -sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT -sudo ip6tables -A INPUT -p tcp --destination-port 53 -j DROP -sudo ip6tables -A INPUT -p tcp --destination-port 80 -j DROP -sudo ip6tables -A INPUT -p udp --destination-port 53 -j DROP -sudo ip6tables -A INPUT -p udp --destination-port 80 -j DROP -``` - -``` -sudo ip6tables -L -Chain INPUT (policy ACCEPT) -target prot opt source destination -ACCEPT tcp anywhere anywhere tcp dpt:domain -ACCEPT tcp anywhere anywhere tcp dpt:http -ACCEPT udp anywhere anywhere udp dpt:domain -ACCEPT udp anywhere anywhere udp dpt:http -DROP tcp anywhere anywhere tcp dpt:domain -DROP tcp anywhere anywhere tcp dpt:http -DROP udp anywhere anywhere udp dpt:domain -DROP udp anywhere anywhere udp dpt:http - -Chain FORWARD (policy ACCEPT) -target prot opt source destination - -Chain OUTPUT (policy ACCEPT) -target prot opt source destination -``` \ No newline at end of file
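Review bot: the new table of contents at the top of the hunk omits the one section that still lives on this page, "Optional: Security information", which now appears below a `---` separator with no entry pointing to it; either add a fourth bullet such as `- [Security information](#optional-security-information)` or move that paragraph to the linked Setup-server page so this page is purely an index. In that same kept section, "If you loose control of your CA private key" should read "lose". The unchanged intro paragraph also overstates what the VPN gives you: "your internet traffic will always be fully encrypted" holds only for the hop between the client and the OpenVPN server; traffic the server forwards onward to the internet is protected only by whatever the application protocol provides, so a wording like "encrypted between your device and your server" would be more accurate.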