OpenVPN for Your PiHole

Goal

Make the PiHole reachable only through the OpenVPN tunnel, never directly from the internet.

Steps to Achieve

Install OpenVPN on the PiHole server following https://ubuntu.com/server/docs/service-openvpn

The DigitalOcean tutorial at https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 shows how to build a script that generates per-client configs.

Create the file /etc/openvpn/client/make_config.sh on the server with the content below, adjusted to the current Ubuntu easy-rsa layout (CA, issued certificates and private keys live under easy-rsa/pki). The base.conf it reads must contain the line key-direction 1: the tls-auth directive takes the direction as its second argument, but an inline <tls-auth> block carries no direction at all.

#!/bin/bash
# Build a self-contained client profile: base.conf followed by the CA cert,
# the client's cert and key, and the tls-auth key, all inlined.
# First argument: client identifier (the name used when easy-rsa issued the cert)
set -euo pipefail

OPENVPNDIR=/etc/openvpn

KEY_DIR=$OPENVPNDIR/easy-rsa/pki
OUTPUT_DIR=$OPENVPNDIR/client/files
BASE_CONFIG=$OPENVPNDIR/client/base.conf

if [ $# -ne 1 ]; then
    echo "usage: $0 CLIENTNAME" >&2
    exit 1
fi
CLIENT=$1

# Refuse to run if any input is missing, instead of writing a half-filled profile.
for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/issued/$CLIENT.crt" \
         "$KEY_DIR/private/$CLIENT.key" "$OPENVPNDIR/ta.key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; exit 1; }
done

# The profile embeds the client's private key: create it readable by root only.
umask 077
mkdir -p "$OUTPUT_DIR"

cat "$BASE_CONFIG" \
    <(echo -e '<ca>') \
    "$KEY_DIR/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "$KEY_DIR/issued/$CLIENT.crt" \
    <(echo -e '</cert>\n<key>') \
    "$KEY_DIR/private/$CLIENT.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "$OPENVPNDIR/ta.key" \
    <(echo -e '</tls-auth>') \
    > "$OUTPUT_DIR/$CLIENT.ovpn"

Then run /etc/openvpn/client/make_config.sh CLIENTNAME on the server and you get CLIENTNAME.ovpn in /etc/openvpn/client/files/. The file embeds the client's private key, so copy it to the client over a secure channel (scp, not mail) and keep it readable only by its owner.
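Before handing a profile to a client it is worth checking that its pieces fit together: the inlined certificate must chain to the inlined CA and must belong to the inlined private key. A script that silently picked up the wrong file produces a profile that only fails later, at the TLS handshake, with little to go on. The checker below is an added example, not part of the original post; it assumes the inline <ca>/<cert>/<key> layout that make_config.sh produces and an openssl binary on PATH, and the script and function names are my own.

```bash
#!/bin/sh
# check_ovpn.sh: sanity-check a generated client profile before handing it out.
# Added example, not part of the original post. Assumes the inline <ca>/<cert>/
# <key> blocks that make_config.sh produces and an openssl binary on PATH.
set -eu

# ovpn_block <file> <tag>: print the PEM body between <tag> and </tag>.
ovpn_block() {
    awk -v tag="$2" '
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
    ' "$1"
}

# ovpn_check <file>: exit 0 if the bundled client certificate chains to the
# bundled CA and belongs to the bundled private key, 1 otherwise.
# Runs in a subshell so its temp files are cleaned up on every exit path.
ovpn_check() (
    f=$1
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    for tag in ca cert key; do
        ovpn_block "$f" "$tag" > "$tmp/$tag.pem"
        if [ ! -s "$tmp/$tag.pem" ]; then
            echo "$f: missing <$tag> block" >&2
            exit 1
        fi
    done
    # 1. The client certificate must verify against the CA the server trusts.
    if ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/cert.pem" >/dev/null 2>&1; then
        echo "$f: client certificate does not chain to the bundled CA" >&2
        exit 1
    fi
    # 2. The private key must belong to that certificate. Comparing the public
    #    keys works for RSA and EC alike (comparing moduli would not).
    openssl x509 -in "$tmp/cert.pem" -noout -pubkey > "$tmp/pub.cert"
    openssl pkey -in "$tmp/key.pem" -pubout > "$tmp/pub.key" 2>/dev/null
    if ! cmp -s "$tmp/pub.cert" "$tmp/pub.key"; then
        echo "$f: private key does not match the client certificate" >&2
        exit 1
    fi
    # 3. The tls-auth block is expected when the server uses tls-auth.
    if [ -z "$(ovpn_block "$f" tls-auth)" ]; then
        echo "$f: warning: no <tls-auth> block" >&2
    fi
    echo "$f: OK"
)

# Usage: ./check_ovpn.sh /etc/openvpn/client/files/CLIENTNAME.ovpn
if [ $# -eq 1 ]; then
    ovpn_check "$1"
fi
```

Run it as root on the server against the freshly generated profile; a non-zero exit names the mismatched part on stderr.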

You can now import that file into NetworkManager. Hand-editing resolv.conf does not stick on a NetworkManager-managed client, so instead enter 10.8.0.1, the VPN server's tunnel address where the PiHole is running, as the DNS server in the imported connection's configuration. After connecting, verify that lookups actually go to 10.8.0.1 (resolvectl status, or the SERVER line of a dig answer); otherwise name resolution still uses the local network's DNS and bypasses the PiHole.

Add iptables rules

Docker's own FORWARD rules are evaluated before anything you add to FORWARD yourself, so filtering of traffic destined for containers has to go into the DOCKER-USER chain, see https://docs.docker.com/network/iptables/. DOCKER-USER only sees traffic forwarded to containers; services listening on the host itself (sshd, the OpenVPN daemon) are governed by the INPUT chain and are not touched by these rules.

The two rules below drop everything that arrives on the external interface ens3 for a container, except TCP port 80 from outside (needed for the Let's Encrypt HTTP-01 challenge). VPN clients (10.8.0.0/24) need no exception: their packets enter on the tun interface, so they never match -i ens3. Do not exempt the VPN network by source address on ens3 with ! -s 10.8.0.0/24: on that interface such a rule only admits packets from the internet carrying a forged 10.8.0.x source. (Note also that iptables silently accepts a mask like 10.8.0.1/24, but it means 10.8.0.0/24.) Since -I inserts at the top of the chain, enter the DROP first so that the ACCEPT ends up above it:

sudo iptables -I DOCKER-USER -i ens3 -m comment --comment "Drop everything else from outside to containers; VPN clients come in via tun" -j DROP
sudo iptables -I DOCKER-USER -i ens3 -p tcp --dport 80 -m comment --comment "Accept HTTP for letsencrypt" -j ACCEPT

# block all IPv6 traffic to the host except 80 for letsencrypt and 22 for ssh; keep
# loopback, established connections and ICMPv6 (neighbour discovery, or IPv6 stops working)
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo ip6tables -A INPUT -j DROP

Save them so they are restored at boot (iptables-persistent must be installed). A plain iptables-save > /etc/iptables/rules.v4 fails from an unprivileged shell even with sudo in front of iptables-save, because the redirect is performed by your own shell, so run the whole command as root:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
sudo sh -c 'ip6tables-save > /etc/iptables/rules.v6'
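Typed one by one, these rules are not idempotent: every re-run of an iptables -I adds another copy, and the final order inside DOCKER-USER depends on the sequence in which the inserts were typed. The script below is an added example, not part of the original post, that applies the same policy in a re-runnable way: each rule is added only if iptables -C reports it absent, the IPv6 host rules keep loopback, established traffic and ICMPv6 alive, and a render mode prints the commands without touching the kernel. The interface name ens3, the VPN network 10.8.0.0/24 and the use of netfilter-persistent save (from the iptables-persistent package) are assumptions; adjust them to your host.

```bash
#!/bin/sh
# vpn-only-firewall.sh: re-runnable version of the firewall rules above.
# Added example, not part of the original post. Assumed names: external
# interface ens3, VPN network 10.8.0.0/24, iptables-persistent installed.
set -eu

EXT_IF="${EXT_IF:-ens3}"           # interface facing the internet
VPN_NET="${VPN_NET:-10.8.0.0/24}"  # OpenVPN client network (documented in a rule comment)
DRY_RUN="${DRY_RUN:-0}"            # 1: print the commands instead of running them

# add_rule <iptables|ip6tables> <-I|-A> <chain> <rule-spec...>
# Adds the rule only if -C says it is not there yet, so repeated runs do not
# pile up duplicates. In dry-run mode the command is printed instead (arguments
# containing spaces are quoted so the output can be pasted back into a shell).
add_rule() {
    bin=$1; op=$2; chain=$3; shift 3
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s %s' "$bin" "$op" "$chain"
        for a in "$@"; do
            case $a in *' '*) printf " '%s'" "$a" ;; *) printf ' %s' "$a" ;; esac
        done
        printf '\n'
        return 0
    fi
    "$bin" -C "$chain" "$@" 2>/dev/null || "$bin" "$op" "$chain" "$@"
}

# Container traffic: DOCKER-USER is consulted before Docker's own FORWARD rules
# and ends with a RETURN that Docker manages, so rules must be inserted (-I).
# The catch-all DROP goes in first so the ACCEPT inserted afterwards sits above
# it. VPN clients arrive on the tun interface and never match -i $EXT_IF.
docker_rules() {
    add_rule iptables -I DOCKER-USER -i "$EXT_IF" \
        -m comment --comment "Drop everything else from outside to containers ($VPN_NET comes in via tun)" -j DROP
    add_rule iptables -I DOCKER-USER -i "$EXT_IF" -p tcp --dport 80 \
        -m comment --comment "Accept HTTP for letsencrypt" -j ACCEPT
}

# Host IPv6 traffic: same policy as above (80 and 22 only), but keeping
# loopback, replies to the host's own connections and ICMPv6 alive. Dropping
# ICMPv6 breaks neighbour discovery and with it all IPv6 on the host.
host6_rules() {
    add_rule ip6tables -A INPUT -i lo -j ACCEPT
    add_rule ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    add_rule ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
    add_rule ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
    add_rule ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
    add_rule ip6tables -A INPUT -j DROP
}

# Persist to /etc/iptables/rules.v4 and rules.v6 (iptables-persistent package).
save_rules() {
    if [ "$DRY_RUN" = 1 ]; then echo "netfilter-persistent save"; return 0; fi
    netfilter-persistent save
}

apply_rules() { docker_rules; host6_rules; save_rules; }

# Print every command apply_rules would run, without touching the kernel.
render_rules() ( DRY_RUN=1; apply_rules )

case "${1:-}" in
    apply)  apply_rules ;;
    render) render_rules ;;
    *)      echo "usage: $0 apply|render   (apply needs root)" >&2 ;;
esac
```

Run ./vpn-only-firewall.sh render first and read the output; then sudo ./vpn-only-firewall.sh apply. Running apply a second time changes nothing, which is the property the hand-typed sequence lacks.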