Updated Pi hole OpenVPN server (markdown)

DL6ER 2017-01-26 13:50:52 +01:00
parent f9c7520ea0
commit 7c9e8a0d58

@ -1,185 +1,16 @@
This tutorial walks you through the installation of Pi-hole combined with an VPN server for secure access from remote clients. Via this VPN you cannot only access your admin interface remotely, but also use the DNS server and hence the full filtering capabilities of your Pi-hole from everywhere around the globe. Another plus is that your internet traffic will always be fully encrypted, so surfing on an unencrypted WiFi (like on airports or hotels) becomes a significant boost in terms of security. This tutorial walks you through the installation of Pi-hole combined with an VPN server for secure access from remote clients. Via this VPN you cannot only access your admin interface remotely, but also use the DNS server and hence the full filtering capabilities of your Pi-hole from everywhere around the globe. Another plus is that your internet traffic will always be fully encrypted, so surfing on an unencrypted WiFi (like on airports or hotels) becomes a significant boost in terms of security.
This manual is based on this [HowTo](https://discourse.pi-hole.net/t/pi-hole-with-openvpn-vps-debian/861) on [Discourse](https://discourse.pi-hole.net). This manual is based on this [HowTo](https://discourse.pi-hole.net/t/pi-hole-with-openvpn-vps-debian/861) on [Discourse](https://discourse.pi-hole.net).
### Install OpenVPN server
Using the quick OpenVPN "road warrior" installer. It should be fine using the suggested defaults if you have no special needs
```bash
wget https://git.io/vpn -O openvpn-install.sh
sudo bash openvpn-install.sh
```
---
### Install Pi-hole
Chose `tun0` as networking interface. If `tun0` isn't available, the installation of the OpenVPN server failed.
```bash
curl -L https://install.pi-hole.net | bash
```
--- ---
### Edit your VPN server settings ## Table of contents
to use your Pi-hole as DNS server - [Installing OpenVPN server + Pi-hole](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Installation)
- [Setup OpenVPN server](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Setup-server)
First, get the IP of your `tun0` interface: - [Connect from clients to your OpenVPN server](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Connect-from-a-client)
``` - Optional: [Firewall configuration (using `iptables`)](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Firewall-configuration-(using-iptables))
ifconfig tun0 | grep 'inet addr'
```
In my case this returns
<pre>
<b>inet addr:10.8.0.1</b> P-t-P:10.8.0.1 Mask:255.255.255.0
</pre>
Afterwards, change your settings in `/etc/openvpn/server.conf` from
```
push "dhcp-option DNS 8.8.8.8"
```
to
<pre>
push "dhcp-option DNS <b>10.8.0.1</b>"
</pre>
(where you might have to replace the IP if you found something different in the previous step)
Finally, restart your OpenVPN server.
```
sudo service openvpn restart
```
---
### Connect from a client
There are various tutorials available for all operating systems for how to connect to an OpenVPN server.
### Android
Use the official OpenVPN App:
https://play.google.com/store/apps/details?id=net.openvpn.openvpn
### Other systems
I'll demonstrate the procedure here for Ubuntu Linux (which trivially extends to Linux Mint, etc.)
1. Install the necessary network-manager plugins
```
sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome
sudo service network-manager restart
```
2. Securely copy the necessary certificates from your OpenVPN server to your client (e.g. using `sftp`). They are located in `/etc/openvpn/easy-rsa/pki`
You will need:
* User Certificate: `/etc/openvpn/easy-rsa/pki/issued/client.crt`
* CA Certificate: `/etc/openvpn/easy-rsa/pki/ca.crt`
* Private Key: `/etc/openvpn/easy-rsa/pki/private/client.key`
* Private Key Password: Depending on your settings (might even be empty)
* TA Key: `/etc/openvpn/ta.key`
Further details can be found in the screenshots provided below:
![](http://www.dl6er.de/pi-hole/openVPN/conn_type.png)
![](http://www.dl6er.de/pi-hole/openVPN/keys.png)
![](http://www.dl6er.de/pi-hole/openVPN/general.png)
![](http://www.dl6er.de/pi-hole/openVPN/security.png)
![](http://www.dl6er.de/pi-hole/openVPN/tls.png)
Your whole network traffic will now securely be transferred to your Pi-hole.
![](http://www.dl6er.de/pi-hole/openVPN/VPNclients.png)
--- ---
### Optional: Security information ### Optional: Security information
For security purposes, it is recommended that the CA machine should be separate from the machine running OpenVPN. If you loose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server. For security purposes, it is recommended that the CA machine should be separate from the machine running OpenVPN. If you loose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server.
--- ---
### Optional: Firewall configuration (using iptables)
If your server is visible to the world, you might want prevent port 53/80 from being accessible from the outside. You will still be able to connect to your Pi-hole from within the VPN.
Using `iptables`: First, verify that there is no rule that explicitly accepts `http` requests
```
sudo iptables -L --line-numbers
```
If you get something like
<pre>
Chain INPUT (policy ACCEPT)
num target prot opt source destination
<b>1 ACCEPT tcp -- anywhere anywhere tcp dpt:http</b>
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:domain
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
</pre>
you have to first explicitly delete the first INPUT rule using:
```
sudo iptables -D INPUT 1
```
Then you can add an explicit rule that allows access from within the VPN
```
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
```
And another one that prevents access from everywhere else
```
sudo iptables -A INPUT -p tcp --destination-port 53 -j DROP
sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP
sudo iptables -A INPUT -p udp --destination-port 53 -j DROP
sudo iptables -A INPUT -p udp --destination-port 80 -j DROP
```
Your configuration should look like
<pre>
sudo iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 104 packets, 8691 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- <b>tun0</b> any anywhere anywhere tcp dpt:domain
2 0 0 ACCEPT tcp -- <b>tun0</b> any anywhere anywhere tcp dpt:http
3 0 0 ACCEPT udp -- <b>tun0</b> any anywhere anywhere udp dpt:domain
4 0 0 ACCEPT udp -- <b>tun0</b> any anywhere anywhere udp dpt:http
5 0 0 DROP tcp -- <b>any</b> any anywhere anywhere tcp dpt:domain
6 0 0 DROP tcp -- <b>any</b> any anywhere anywhere tcp dpt:http
7 0 0 DROP udp -- <b>any</b> any anywhere anywhere udp dpt:domain
8 0 0 DROP udp -- <b>any</b> any anywhere anywhere udp dpt:http
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 83 packets, 11305 bytes)
num pkts bytes target prot opt in out source destination
</pre>
while there might be other rules in your table. Note that the order of the list entries matters!
---
### Optional: IPv6
Note that you will have to repeat the firewall setup using `ip6tables` if your server is also reachable via IPv6:
```
sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --destination-port 53 -j DROP
sudo ip6tables -A INPUT -p tcp --destination-port 80 -j DROP
sudo ip6tables -A INPUT -p udp --destination-port 53 -j DROP
sudo ip6tables -A INPUT -p udp --destination-port 80 -j DROP
```
```
sudo ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp anywhere anywhere tcp dpt:domain
ACCEPT tcp anywhere anywhere tcp dpt:http
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT udp anywhere anywhere udp dpt:http
DROP tcp anywhere anywhere tcp dpt:domain
DROP tcp anywhere anywhere tcp dpt:http
DROP udp anywhere anywhere udp dpt:domain
DROP udp anywhere anywhere udp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
```
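Review bot: the "Optional: Security information" paragraph that this hunk keeps at the bottom of the new page tells readers to keep the CA on a separate, mostly offline machine, but the installation the new table of contents links to is the road-warrior script, and the removed client section shows the CA and every client key living on the VPN server itself (`/etc/openvpn/easy-rsa/pki/ca.crt`, `/etc/openvpn/easy-rsa/pki/private/client.key`). The landing page should either say that the linked setup does not meet this recommendation, or add a step (move the CA private key off the server after issuing certificates and issue further client certs from the offline copy) so the advice is actionable. Two smaller points on the same hunk: the table of contents labels the firewall page "Optional", yet the removed firewall text itself says that on a server "visible to the world" ports 53/80 should be blocked, and without those rules the Pi-hole on a public VPS answers DNS for anyone, so consider dropping "Optional" or stating the consequence next to the link. And the retained paragraph still reads "If you loose control of your CA private key" (should be "lose").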