Openvpn and pi hole on raspberry pi..........help :(

Soldato
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Evening all, I'm hoping one of you genius can help me out here, I've spent the last week trying to set up an openvpn server on a pi and I'm now stuck :(

Set up pi hole a couple of weeks ago and this works fine and blocks ads on my network.

Installed openvpn and easy-rsa using these guides
http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
https://sys.jonaharagon.com/2016/05/12/setting-up-an-openvpn-server-on-a-raspberry-pi-2-part-12/

had a few problems connecting to the server initially, bit of googling later and I can now connect to the server from a client so I'm happy the certificates are good, port forwarding is good and my ddns is setup in the router.

Now the problem, I can't connect to anything on my network except the pi running the server, I can see the pi hole page and I can connect via ssh but i cant see anything else.

Server.conf
Code:
local 192.168.0.113
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/MYSERVER.crt
key /etc/openvpn/easy-rsa/keys/MYSERVER.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.113 255.255.255.255"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

sysctl.conf
Code:
net.ipv4.ip_forward=1

firewall rules
Code:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

openvpn.log
Code:
Sun Mar  5 21:55:11 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] buil$

Sun Mar  5 21:55:11 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sun Mar  5 21:55:11 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be awa$
Sun Mar  5 21:55:11 2017 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key$
Sun Mar  5 21:55:11 2017 TUN/TAP device tun0 opened
Sun Mar  5 21:55:11 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Mar  5 21:55:11 2017 /sbin/ip link set dev tun0 up mtu 1500
Sun Mar  5 21:55:11 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Mar  5 21:55:11 2017 GID set to nogroup
Sun Mar  5 21:55:11 2017 UID set to nobody
Sun Mar  5 21:55:11 2017 UDPv4 link local (bound): [AF_INET]192.168.0.113:1194
Sun Mar  5 21:55:11 2017 UDPv4 link remote: [undef]
Sun Mar  5 21:55:11 2017 Initialization Sequence Completed
Sun Mar  5 21:55:26 2017 82.132.242.86:42826 [user1] Peer Connection Initiated with [AF_INET]82.132.242.86:42826
Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 send_push_reply(): safe_cap=940

openvpn status.log
Code:
OpenVPN CLIENT LIST
Updated,Sun Mar  5 22:42:32 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

I've not changed any settings in pi hole since I installed openvpn, is this the problem?
 
Last edited:
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Just in case it matters, I'm using openvpn connect on an android moto g4.

Once I'd got the pair connecting the client log file was showing the following error

:tun_prop_error:route is not canonical

I fixed this (with the help of google) by changing this line

push "route 192.168.0.113 255.255.255.0"

to this

push "route 192.168.0.113 255.255.255.255"

apparently this is a route to host not network so the mask is /32 not /24, hence the extra 255 at the end.

This cures the tun_prop_error


Code:
local 192.168.0.113
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/flicker.crt
key /etc/openvpn/easy-rsa/keys/flicker.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.113 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
 
Soldato
Joined
5 Nov 2011
Posts
5,356
Location
Derbyshire
My only experience doing this is with MT hardware but in general, don't you need a NAT rule to handle all traffic coming in form your remote IP range so it can enter your LAN rather than just setting up routes from one LAN range to another?

My own personal setup is as follows;
VPN clients:10.254.254.0/24
VPN Host:10.254.254.1
Main LAN Range:10.10.10.0/24
Main GW: 10.10.10.1

I have a NAT rule set up natting any traffic from 10.254.254.2-10 through the router.

MikroTik speak:
Code:
add action=masquerade chain=srcnat comment=VPN-NAT src-address=10.254.254.0/24

I can reach all LAN IP's on my network and also have outbound internet access as handled by the "main" NAT rule out of my PPPoE interface.


***I also hand off 10.10.10.20 & 10.10.10.32 which are my DNS1 & DNS2 which are both Pi-Holes. (DNS1 updates gravity daily and DNS2 weekly)
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Cheers steveo

I think the rule I have setup in the firewall rules is similar?

Code:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I have to confess this is all a bit beyond me. I've very little experience other than tinkering with a few basic pi projects.
 
Soldato
Joined
5 Nov 2011
Posts
5,356
Location
Derbyshire
Cheers steveo

I think the rule I have setup in the firewall rules is similar?

Code:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I have to confess this is all a bit beyond me. I've very little experience other than tinkering with a few basic pi projects.

Rough stab in the dark, what is the -o eth0 flag? If that is inbound interface then it should be the vpn interface, if it is outbound then it will only masquerade outbound traffic. May be worth trying to remove it completely and see how if that works.
 
Commissario
Joined
16 Oct 2002
Posts
2,648
Location
In the radio shack
I'm doing fine until I get the very end.

My /etc/network/interfaces file is this

Code:
# interfaces(5) file used by ifup(8) and ifdown(8)
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'
# Include files from /etc/network/interfaces.d:

source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

No mention there of "iface eth0 inet dhcp" as suggested in the instructions. Also, I'm doing this on a Zero W so my network port is wlan0 anyway.


/edit - right, I've discovered that it's also the face eth0 net manual line so I've added one for wlan0 and the made the appropriate edit. Continuing.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
How many simultaneous connections do you plan on using with OpenVPN?

I've always found life far easier by using the access server package

One maybe two.

[Insert confused smiley here] will have to Google that, sadly I've no idea how any of this works , I've generally got away with having a basic understanding and following guides. I've come a little unstuck this time :D

I'm having a go at this at the moment, just off to bed while it's generating the key as "it's going to take a long time".

It wasn't kidding either, took a few hours to generate the keys on a pi1

I'm doing fine until I get the very end.

My /etc/network/interfaces file is this

Code:
# interfaces(5) file used by ifup(8) and ifdown(8)
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'
# Include files from /etc/network/interfaces.d:

source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

No mention there of "iface eth0 inet dhcp" as suggested in the instructions. Also, I'm doing this on a Zero W so my network port is wlan0 anyway.


/edit - right, I've discovered that it's also the face eth0 net manual line so I've added one for wlan0 and the made the appropriate edit. Continuing.

Mine was also set to manual rather than dhcp, sounds like we googled and found the same answer.

I'd also like to point out that I'm holding you personally responsible for the pi zero w that is on its way to me, solely due to your contributions in the pi thread. Clearly owning 4 pi2 and 2 pi1 wasn't enough :D
This one's going to be for motion eye and time lapse duties.
 
Commissario
Joined
16 Oct 2002
Posts
2,648
Location
In the radio shack
@Frozennova Do you have a link please?
@Foghorn Leghorn I always get the blame for everything! I completed the setup in the early hours of the morning (I've got some bad insect bites on my leg and couldn't sleep so it took my mind off them) but was then getting errors when I tried to connect from the laptop. I ended up trashing the SD card in frustration and am now running this method instead. It's generating the key now.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Route is not canonical Once it's connected?

I managed to sort that one.

I also had problems with openvpn shutting down immediately after starting on boot. Unsurprisingly i couldn't connect, had to start openvpn from cli and then it would connect fine.

Edit: not seen pivpn, might have to have a try this weekend if i don't get any further with openvpn or access server.
 
Commissario
Joined
16 Oct 2002
Posts
2,648
Location
In the radio shack
Working perfectly with PiVPN. I'm connected to the internet via tethering on my phone and can access the outside world along with my internal network. Nice.

/edit - Because I told the setup to use my Pi-Hole as DNS, ads are blocked as well. That's a nice bonus.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Working perfectly with PiVPN. I'm connected to the internet via tethering on my phone and can access the outside world along with my internal network. Nice.

/edit - Because I told the setup to use my Pi-hole as DNS, ads are blocked as well. That's a nice bonus.

Superb, that's exactly what i was hoping for with openvpn and Pi-Hole, ad blocking on the internal network and external connections.

I take it you had Pi-Hole installed and set up first then installed pivpn?

Edit: I've just had a 'your order has been shipped' for my pi zero order :D
 
Commissario
Joined
16 Oct 2002
Posts
2,648
Location
In the radio shack
Pi-Hole is on a separate Pi which is also running my UniFi controller but looking at those instructions, he already has a Pi-Hole user so I suggest it'll work perfectly with Pi-Hole already installed.
 
Man of Honour
Joined
13 Nov 2009
Posts
11,595
Location
Northampton
@Frozennova Do you have a link please?
@Foghorn Leghorn I always get the blame for everything! I completed the setup in the early hours of the morning (I've got some bad insect bites on my leg and couldn't sleep so it took my mind off them) but was then getting errors when I tried to connect from the laptop. I ended up trashing the SD card in frustration and am now running this method instead. It's generating the key now.

https://docs.openvpn.net/how-to-tut...tall-openvpn-access-server-on-linux-debian-6/

I used the access server method on my Hetzner dedicated server and then have iptables setup to drop connections from anywhere that isn't either my home IP address or it's own address for services such as SSH (Can't try and attack a port that you can't connect to)
 
Commissario
Joined
16 Oct 2002
Posts
2,648
Location
In the radio shack
I'm all done.
.ovpn files installed on MacBook, iPhone and iPad and working perfectly.
Be interested to see how it works on your Pi-Hole box, I may reinstall on there as it would make sense for everything to be on one Pi rather than splitting it between two of them.
 
Back
Top Bottom