OpenVPN for Your PiHole
Goal
PiHole only available via OpenVPN
Steps to Achieve
Install OpenVPN on PiHole server according to https://ubuntu.com/server/docs/service-openvpn
At https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 you find a hint on how to set up a client config script.
Create the file /etc/openvpn/client/make_config.sh on the server with the content below, adjusted to the current Ubuntu easy-rsa layout:
#!/bin/bash
# Builds a self-contained .ovpn for one client by inlining the CA certificate,
# the client certificate, the client key and the tls-auth key into the base config.
# First argument: client identifier (the name used when the cert was issued with easy-rsa)
set -euo pipefail
if [ $# -ne 1 ]; then
    echo "Usage: $0 CLIENTNAME" >&2
    exit 1
fi
OPENVPNDIR=/etc/openvpn
KEY_DIR=$OPENVPNDIR/easy-rsa/pki
OUTPUT_DIR=$OPENVPNDIR/client/files
BASE_CONFIG=$OPENVPNDIR/client/base.conf
mkdir -p "${OUTPUT_DIR}"
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/issued/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/private/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${OPENVPNDIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
# The generated file contains the client's private key: keep it readable by root only.
chmod 600 "${OUTPUT_DIR}/${1}.ovpn"
Then you can run /etc/openvpn/client/make_config.sh CLIENTNAME on the server
and you get a CLIENTNAME.ovpn file in /etc/openvpn/client/files/.
You can now import that file into your NetworkManager. The good old resolv.conf does not work here, so add the VPN server's IP address 10.8.0.1 (the host where the PiHole is running) as the DNS server in the connection configuration.
Add iptables rules
We have to block the external interface in the DOCKER-USER chain, see https://docs.docker.com/network/iptables/.
With these commands you successfully block everything on the external interface except port 80 from outside (for Let's Encrypt) and everything from the network 10.8.0.1/24 (OpenVPN).
# Each -I inserts at the head of DOCKER-USER, so run the ACCEPT last: it then sits
# above the DROP and is evaluated first. (iptables stores 10.8.0.1/24 as 10.8.0.0/24.)
sudo iptables -I DOCKER-USER -i ens3 -m comment --comment "Accept all connections from VPN to Docker - Drop all other" ! -s 10.8.0.1/24 -j DROP
sudo iptables -I DOCKER-USER -i ens3 -p tcp --dport 80 -m comment --comment "Accept HTTP for letsencrypt" -j ACCEPT
# block all IPv6 traffic except 80 for letsencrypt and 22 for ssh
# (loopback, replies to the host's own connections and ICMPv6 must stay open,
#  otherwise neighbour discovery and the allowed services themselves break)
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo ip6tables -A INPUT -j DROP
Save them (iptables-persistent must be installed). The redirection has to run as root as well, so wrap it in sudo sh -c:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
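As an added example that is not part of the original page, a small POSIX sh check that reads iptables-save output and verifies the DOCKER-USER chain has the intended order: the tcp/80 ACCEPT must be listed before the DROP for non-VPN sources, which is easy to get wrong because each -I pushes the newest rule to the top. The sample rules are constructed; iptables-save prints the VPN network in its normalized form 10.8.0.0/24, and the function name and argument order are my own choice.

```shell
#!/bin/sh
# Verify the DOCKER-USER chain order from iptables-save output (read on stdin):
#   - an ACCEPT for tcp/80 on the external interface must exist,
#   - a DROP for traffic on that interface not from the VPN network must exist,
#   - the ACCEPT must be listed (i.e. evaluated) before the DROP.
# Returns 0 when all three hold, 1 otherwise.
# Usage: check_docker_user_order EXT_IF VPN_NET < rules
check_docker_user_order() {
  awk -v ifc="$1" -v net="$2" '
    /^-A DOCKER-USER / {
      n++
      if (!accept && $0 ~ ("-i " ifc) && /--dport 80/ && /-j ACCEPT$/) accept = n
      if (!drop && $0 ~ ("! -s " net) && $0 ~ ("-i " ifc) && /-j DROP$/) drop = n
    }
    END {
      if (!accept) { print "missing: ACCEPT tcp/80 on " ifc; exit 1 }
      if (!drop)   { print "missing: DROP for non-" net " on " ifc; exit 1 }
      if (accept > drop) { print "wrong order: DROP #" drop " before ACCEPT #" accept; exit 1 }
      print "ok: ACCEPT #" accept " is evaluated before DROP #" drop
    }'
}

# Constructed sample in iptables-save format (not captured from a real host).
# This is what the commands above produce: the ACCEPT was inserted last, so it is on top.
GOOD_RULES='-A DOCKER-USER -i ens3 -p tcp -m tcp --dport 80 -m comment --comment "Accept HTTP for letsencrypt" -j ACCEPT
-A DOCKER-USER ! -s 10.8.0.0/24 -i ens3 -m comment --comment "Accept all connections from VPN to Docker - Drop all other" -j DROP
-A DOCKER-USER -j RETURN'

# Same rules entered in the opposite order: the DROP now shadows the ACCEPT,
# so port 80 is unreachable from outside and the Let's Encrypt validation fails.
BAD_RULES='-A DOCKER-USER ! -s 10.8.0.0/24 -i ens3 -j DROP
-A DOCKER-USER -i ens3 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN'

printf '%s\n' "$GOOD_RULES" | check_docker_user_order ens3 10.8.0.0/24
```

On the live host, run `sudo iptables-save | check_docker_user_order ens3 10.8.0.0/24` after applying the rules and again after a reboot to confirm iptables-persistent restored them in the right order.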