port VPN guide

Signed-off-by: Adam Warner <adamw@rner.email>
This commit is contained in:
Adam Warner
2017-10-31 23:20:19 +00:00
parent 2866472a30
commit 8039992b92
5 changed files with 314 additions and 0 deletions


@@ -0,0 +1,84 @@
**See bottom of this page for how to generate additional client certificates**
### Connect from a client
There are various tutorials available for all operating systems for how to connect to an OpenVPN server.
### Android
See special page [here](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Connect-from-a-client-(Android)).
### Linux
I'll demonstrate the procedure here for Ubuntu Linux (which trivially extends to Linux Mint, etc.)
1. Install the necessary network-manager plugins
```
sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome
sudo service network-manager restart
```
2. Securely copy the necessary certificates from your OpenVPN server to your client (e.g. using `sftp`). They are located in `/etc/openvpn/easy-rsa/pki`
You will need:
* User Certificate: `/etc/openvpn/easy-rsa/pki/issued/client.crt`
* CA Certificate: `/etc/openvpn/easy-rsa/pki/ca.crt`
* Private Key: `/etc/openvpn/easy-rsa/pki/private/client.key`
* Private Key Password: Depending on your settings (might even be empty)
* TA Key: `/etc/openvpn/ta.key`
Further details can be found in the screenshots provided below:
![](http://www.dl6er.de/pi-hole/openVPN/conn_type.png)
![](http://www.dl6er.de/pi-hole/openVPN/keys.png)
![](http://www.dl6er.de/pi-hole/openVPN/general.png)
![](http://www.dl6er.de/pi-hole/openVPN/security.png)
![](http://www.dl6er.de/pi-hole/openVPN/tls.png)
Your whole network traffic will now securely be transferred to your Pi-hole.
![](http://www.dl6er.de/pi-hole/openVPN/VPNclients.png)
### Windows
You will have to install additional software. See https://openvpn.net/index.php/open-source/downloads.html
---
### Optional: Add more client certificates
You have to generate an individual certificate for each client. This can be done very conveniently like shown below:
<pre>
<b>sudo bash openvpn-install.sh</b>
Looks like OpenVPN is already installed
What do you want to do?
<b>1) Add a new user</b>
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]: <b>1</b>
Tell me a name for the client certificate
Please, use one word only, no special characters
Client name: thinkpad2
Generating a 2048 bit RSA private key
.......................+++
....+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/thinkpad2.key.kHwbBkvK9b'
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'thinkpad2'
Certificate is to be certified until Feb 28 10:24:26 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
<b>Client thinkpad2 added, configuration is available at /root/thinkpad2.ovpn</b>
</pre>
Copy the file `/root/thinkpad2.ovpn` to your new client.
**WARNING** Anyone who gets his hands on this configuration/certificate file can obtain full access to your VPN. Make sure that you use only trusted paths for transferring the file (e.g. *never* send it via an un-encrypted channel, e.g. email or FTP). Best strategy is to use an USB thumbdrive to avoid any network transport at all. Make sure to delete the certificate on the USB drive afterwards.
**NOTICE** If one of your certificates has been compromised, remove it using option `2` (see above) and generate a new certificate. This will effectively lock out anyone who might have gotten access to the certificate.
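Review bot: the five screenshots in the Linux section and the `VPNclients.png` image are loaded from an external personal host over plain http (`http://www.dl6er.de/pi-hole/openVPN/...`), so the rendered docs depend on a third-party server and the images can change without a commit; copy them into the docs tree next to this page and reference them relatively. Separately, the NOTICE at the end promises that option `2` "will effectively lock out anyone" holding a compromised certificate; that only holds if the OpenVPN server is actually verifying a certificate revocation list (`crl-verify` in `server.conf`), so state that explicitly rather than leaving it implied.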


@@ -0,0 +1,64 @@
### Optional: Only route DNS via VPN
With this setup you will force connected clients to use only the DNS provided by the VPN connection, i.e. the Pi-hole. Do this only if you **don't** want to tunnel all traffic from the client thru the VPN, but only its DNS queries.
Edit your `/etc/openvpn/server.conf` and remove (comment) the following line:
```
# push "redirect-gateway def1 bypass-dhcp"
```
### Using a client config file
This works pretty much out of the box with common `client.ovpn` files, like this provided one: [client.ovpn](http://www.dl6er.de/pi-hole/openVPN/client.ovpn)
Remember to replace the locations of your keys and the address/host name of your server.
### Using the Network Manager
When using the Network Manager, you will have to do some additional setting on the client side of things:
![](http://www.dl6er.de/pi-hole/openVPN/local.png)
#### Alternative 1: Disable Network Manager's internal DNS server
Edit `/etc/NetworkManager/NetworkManager.conf`:
```
# dns=dnsmasq
```
and restart the Network Manager:
```
sudo restart network-manager
```
When connecting your DNS server will now be properly picked up and used by your client.
#### Alternative 2: Set DNS server address of your Pi-hole manually on the main interface
You can also set the address of the DNS server manually (use the device which actually connects to the internet, e.g. `eth0`):
![](http://www.dl6er.de/pi-hole/openVPN/manualDNS.png)
After doing either alternative, you should see:
```
pi.hole has address W.X.Y.Z (outside address of your VPN server)
pi.hole has IPv6 address A:B:C:D:E:F (outside address of your VPN server)
```
The web interface of your Pi-hole will be visible at `http://pi.hole/admin/` (even with the recommended firewall configuration mentioned on another subpage)
![](http://www.dl6er.de/pi-hole/openVPN/VPNdashboard.png)
---
## Troubleshooting
If your new DNS server configuration has not been activated (try restarting the interface / system) you will see
```
host pi.hole
Host pi.hole not found: 3(NXDOMAIN)
```
If you are not connected to your VPN network you will see
```
host pi.hole
;; connection timed out; no servers could be reached
```
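Review bot: `sudo restart network-manager` under Alternative 1 is Upstart syntax and fails on systemd-based Ubuntu releases; the clients page added in this same commit uses `sudo service network-manager restart`, so use that form here (or `sudo systemctl restart NetworkManager`) for consistency. Also, both configuration snippets (`# push "redirect-gateway def1 bypass-dhcp"` in `server.conf` and `# dns=dnsmasq` in `NetworkManager.conf`) show the line already commented out while the prose says to "remove (comment)" it; show the line as it appears before the edit and say that the leading `#` is what gets added, otherwise readers searching their file for the commented form will not find it.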


@@ -0,0 +1,93 @@
### Optional: Firewall configuration (using iptables)
If your server is visible to the world, you will want prevent port 53/80 from being accessible from the global Internet. You will want be only able to connect to your Pi-hole from within the VPN.
Using `iptables`: First, verify that there is no rule that explicitly accepts `http` requests
```
sudo iptables -L --line-numbers
```
If you get something like
<pre>
Chain INPUT (policy ACCEPT)
num target prot opt source destination
<b>1 ACCEPT tcp -- anywhere anywhere tcp dpt:http</b>
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:domain
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
</pre>
you have to first explicitly delete the first INPUT rule using:
```
sudo iptables -D INPUT 1
```
We recommend that you empty out the firewall so you have full control over its setup.
For setting up your firewall in conjunction with your VPN you have **TWO** options:
Option 1: Allow everything within your VPN:
```
sudo iptables -I INPUT -i tun0 -j ACCEPT
```
or
Option 2: Explicitly allow what can be accessed from within the VPN:
```
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
```
Obviously, it is important to enable SSH and VPN access from anywhere
```
sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT
```
The next crucial setting is to explicitly allow TCP/IP to do "three way handshakes":
```
sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```
Also, we want to allow any loopback traffic, i.e. the Pi is allowed to talk to itself without any limitations using `127.0.0.0/8`:
```
sudo iptables -I INPUT -i lo -j ACCEPT
```
Finally, prevent access from anywhere else (i.e. if no rule has matched up to this point):
```
sudo iptables -P INPUT DROP
```
Optional: If you want to allow access to the Pi-hole from within the VPN *and* from the local network, you will have to explicitly allow your local network as well (assuming the local network is within the address space 192.168.**178**.1 - 192.168.**178**.254):
<pre>
sudo iptables -A INPUT -s 192.168.<b>178</b>.0/24 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.<b>178</b>.0/24 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.<b>178</b>.0/24 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -s 192.168.<b>178</b>.0/24 -p udp --destination-port 80 -j ACCEPT
</pre>
See also [this](https://discourse.pi-hole.net/t/pihole-vpn-with-iptables/2384) thread on Discourse.
---
### Optional: IPv6
Note that you will have to repeat the firewall setup using `ip6tables` if your server is also reachable via IPv6:
```
sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --destination-port 22 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
sudo ip6tables -A INPUT -p udp --destination-port 1194 -j ACCEPT
sudo ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -I INPUT -i lo -j ACCEPT
sudo ip6tables -P INPUT DROP
```
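Review bot: the IPv6 block at the end sets `sudo ip6tables -P INPUT DROP` without any ACCEPT for `icmpv6`, which drops Neighbor Discovery and Router Advertisements and breaks IPv6 connectivity for the host itself; add `sudo ip6tables -A INPUT -p icmpv6 -j ACCEPT` before switching the policy. Two smaller points: the `udp --destination-port 80` rules in Option 2, the LAN block and the `ip6tables` block do not correspond to any HTTP traffic (the web interface is TCP only) and can be removed, and the intro sentence has two dropped words ("you will want prevent", "You will want be only able") that should read "want to".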


@@ -0,0 +1,64 @@
### Optional: Only route DNS via VPN
With this setup you will force connected clients to use only the DNS provided by the VPN connection, i.e. the Pi-hole. Do this only if you **don't** want to tunnel all traffic from the client thru the VPN, but only its DNS queries.
Edit your `/etc/openvpn/server.conf` and remove (comment) the following line:
```
# push "redirect-gateway def1 bypass-dhcp"
```
### Using a client config file
This works pretty much out of the box with common `client.ovpn` files, like this provided one: [client.ovpn](http://www.dl6er.de/pi-hole/openVPN/client.ovpn)
Remember to replace the locations of your keys and the address/host name of your server.
### Using the Network Manager
When using the Network Manager, you will have to do some additional setting on the client side of things:
![](http://www.dl6er.de/pi-hole/openVPN/local.png)
#### Alternative 1: Disable Network Manager's internal DNS server
Edit `/etc/NetworkManager/NetworkManager.conf`:
```
# dns=dnsmasq
```
and restart the Network Manager:
```
sudo restart network-manager
```
When connecting your DNS server will now be properly picked up and used by your client.
#### Alternative 2: Set DNS server address of your Pi-hole manually on the main interface
You can also set the address of the DNS server manually (use the device which actually connects to the internet, e.g. `eth0`):
![](http://www.dl6er.de/pi-hole/openVPN/manualDNS.png)
After doing either alternative, you should see:
```
pi.hole has address W.X.Y.Z (outside address of your VPN server)
pi.hole has IPv6 address A:B:C:D:E:F (outside address of your VPN server)
```
The web interface of your Pi-hole will be visible at `http://pi.hole/admin/` (even with the recommended firewall configuration mentioned on another subpage)
![](http://www.dl6er.de/pi-hole/openVPN/VPNdashboard.png)
---
## Troubleshooting
If your new DNS server configuration has not been activated (try restarting the interface / system) you will see
```
host pi.hole
Host pi.hole not found: 3(NXDOMAIN)
```
If you are not connected to your VPN network you will see
```
host pi.hole
;; connection timed out; no servers could be reached
```
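Review bot: this 64-line file is word-for-word identical to the "Only route DNS via VPN" hunk above (same heading, same `server.conf` edit, same Network Manager alternatives, same troubleshooting section), yet the nav added in this commit lists two distinct pages, "Optional: Only route DNS via VPN" and "Optional: Dual operation: LAN & VPN at the same time"; the dual-operation page should describe serving LAN and VPN clients at the same time (the LAN `iptables` rules on the firewall page are the material that belongs here), or its nav entry should be held back until it has its own content.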


@@ -9,6 +9,15 @@ theme: material
pages:
- 'Information & Support': 'index.md'
- 'Prerequisites': 'prerequesites.md'
- 'Guides':
- 'Pi-hole and OpenVPN Server':
- 'Overview': 'guides/vpn/overview.md'
- 'Installation': 'guides/vpn/installation.md'
- 'Setup OpenVPN Server': 'guides/vpn/setup-openvpn-server.md'
- 'Firewall Configuration': 'guides/vpn/firewall.md'
- 'Connecting clients': 'guides/vpn/clients.md'
- 'Optional: Only route DNS via VPN': 'guides/vpn/only-dns-via-vpn.md'
- 'Optional: Dual operation: LAN & VPN at the same time': 'guides/vpn/dual-operation.md'
extra:
social:
- type: globe
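Review bot: the nav gains seven VPN pages but this commit adds only four markdown files (the header counts 5 changed files, including this `mkdocs.yml`), so `guides/vpn/overview.md`, `guides/vpn/installation.md` and `guides/vpn/setup-openvpn-server.md` must already exist in the repo or `mkdocs build` will fail on missing pages; worth confirming before merge. Also, the "Only route DNS via VPN" and "Dual operation" entries point at two files that this commit fills with identical content, so one of them currently documents nothing of its own.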