Openvpn and pi hole on raspberry pi..........help :(

Commissario
Joined
16 Oct 2002
Posts
2,765
Location
In the radio shack
As a further update, I took a quick spin out to see what the performance was like. I drove around the block and ran a speedtest. I got 36.9Mbps down and 12.3Mbps up when tethering from my MacBook to my iPhone.

Connected the VPN and ran another speedtest which reported 5.8Mbps down and 4.7Mbps up so quite a drop. I get 75Mbps down and 18Mbps upload on my home broadband connection but the VPN is running on a Pi Zero W connected via WiFi at 72Mbps each way. The speed will be a combination of broadband and WiFi limitations but it's certainly useable.

It was quite satisfying to watch the ping I had running as it started and stopped as I kicked the VPN in and out.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Had a little bit of time to play last night and this afternoon. Fresh Raspbian Jessie install and then followed by pivpn. It works, woo hoo!

I'm running it on a pi1 and it is a little sluggish :(, shame really, I'll stick it on a pi2 and see how that manages. I was hoping to find a role for my pi1 rather than stuff it back in a drawer though.

Time to install pi-hole, wish me luck :D
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Update. I now have openvpn and pi hole running on the same pi install. Pi Hole is blocking all ads network wide but not over the vpn connection. Not surprising really as I haven't told it to yet :D

Back in we go, it'll either work or I'll break it completely.....
 
Commissario
Joined
16 Oct 2002
Posts
2,765
Location
In the radio shack
When I installed PiVPN, I just gave it the address of my Pi-Hole as DNS server so it means ads are blocked when using the VPN.

When you said it's sluggish, I'm not sure what there is to be sluggish? It just works in the background and does what it's supposed to do. Running htop on mine, the CPU is sitting at just a few percent usage so I'm a little confused as to when it's slow.

Also, going back to something you said before. I've set up a Pi Zero W with motionEye today using a base Jessie install and then motionEye on top rather than using the motionEye OS image and that is certainly thrashing the Zero. We're talking about 50% CPU all the time and 100% solid when it's doing anything other than sitting at idle.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Ignore the sluggish bit, it seems my mobile signal dropped through the floor at the same time I connected to the vpn server so I assumed it was the pi1 causing a bottleneck, restarted my phone and all looks good.

Good news! It seems I've managed to block ads over the vpn as well as my local network. I'll continue testing then post up the changes required. I'm not 100% sure the pi hole admin page is updating the dns queries/blocked queries from the vpn connection but the ads are blocked so if I can't figure it out I can certainly live with that :)
 
Commissario
Joined
16 Oct 2002
Posts
2,765
Location
In the radio shack
The way I tested to make sure ads were being blocked through the VPN was to connect, go to the daily mail full website and cnn.com as well - Totally ad free. Then I checked the Pi-Hole dashboard and it showed 370 blocks from my OpenVPN Pi. Sorted :)

If you want to be doubly sure, check /etc/openvpn/server.conf for

Code:
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.1.2"
push "dhcp-option DNS 8.8.8.8"

The first is my Pi-Hole box and the second is obviously the google primary public DNS server, just in case the Pi-Hole goes down.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Changes I've made from the standard set up. Remove one of the dns servers from server config and replace with Pi-Hole ip address.

/etc/openvpn/server.conf

Code:
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.113"
push "dhcp-option DNS 8.8.8.8"

Add the two lines below to dnsmasq config (replace 192.168.0.113 with the static ip address of your Pi-Hole server). Reboot and all should work.

/etc/dnsmasq.conf

Code:
interface=tun0
listen-address=127.0.0.1, 192.168.0.113, 10.8.0.1
 
Commissario
Joined
16 Oct 2002
Posts
2,765
Location
In the radio shack
I didn't make any changes to the dnsmasq.conf file on my Zero, it wasn't needed.

I've actually just completed an install on my Pi2 which is running Pi-Hole, Transmission and my UniFi controller and it's not working.

The VPN connects from my iPhone but I don't appear to be getting any traffic through. I've tried adding the lines into dnsmasq.conf as you suggested but that's not made any difference.

Now I'm grumpy.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
It wouldn't work without the two lines in dnsmasq, I'm assuming because it's installed on the same pi using the same static ip address.

Try removing the extra dns addresses from your server config. I ended up with a problem where I couldn't resolve addresses and it was because I'd set the primary dns in the pi hole set up and the secondary dns address in server.conf to the same address. Well, at least I think that's what caused it because it worked when I changed the secondary dns address in server.conf to another address, either that or I fixed it by accident and I don't know what I did :D

Edit: this is where I found the info for the above changes to server.conf and dnsmasq if you're running both on the same pi

https://github.com/pivpn/pivpn/wiki/FAQ#installing-with-pi-hole
 
Commissario
Joined
16 Oct 2002
Posts
2,765
Location
In the radio shack
I only had two lines in my server.conf file, exactly as posted in post #29 in this thread. During setup, one of the questions was what do you want your DNS setup to be so I chose 192.168.1.2 (itself) and google. Mine looks like yours except the first IP is different.

So my pi-hole uses 8.8.8.8 as primary, my VPN uses the pi-hole as primary.

I've connected my laptop to the new VPN, it's resolving addresses (I can ping by name) but no data is going through.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
That's exactly the problem I had when I started the thread :(

I could connect to the server and I could see the Pi-Hole admin page and also connect via ssh through the vpn but couldn't see any other part of my network or t'internet.

I can post up my full server.conf and pihole.conf if it'll help.
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Full server.conf file

Code:
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.0.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.113"
push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 212.159.6.10"
# push "dhcp-option DNS 212.159.6.9"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io
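
A check for the two configs discussed above, as an added example that is not part of any post in this thread: it lists the DNS servers `server.conf` pushes to VPN clients and confirms that dnsmasq's `listen-address` covers both the Pi-hole address and the VPN gateway address. The sample configs are constructed from values posted here, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed samples built from the values posted in this thread.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.0.113"
push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 212.159.6.10"
"""
DNSMASQ_CONF = """\
interface=tun0
listen-address=127.0.0.1, 192.168.0.113, 10.8.0.1
"""

def pushed_dns(server_conf):
    """DNS servers pushed to clients; commented-out lines are ignored."""
    pat = r'^[ \t]*push[ \t]+"dhcp-option[ \t]+DNS[ \t]+([^"\s]+)"'
    return re.findall(pat, server_conf, re.M)

def vpn_gateway(server_conf):
    """Address the OpenVPN server takes: first host of the 'server' subnet."""
    m = re.search(r"^[ \t]*server[ \t]+(\S+)[ \t]+(\S+)", server_conf, re.M)
    if not m:
        return None
    return str(ipaddress.ip_network(f"{m[1]}/{m[2]}").network_address + 1)

def listen_addresses(dnsmasq_conf):
    """All addresses named on listen-address lines (spaces tolerated)."""
    rows = re.findall(r"^[ \t]*listen-address[ \t]*=(.*)$", dnsmasq_conf, re.M)
    return [a.strip() for row in rows for a in row.split(",") if a.strip()]

def audit(server_conf, dnsmasq_conf, pihole_ip):
    """Return findings; an empty list means every check passed."""
    dns, findings = pushed_dns(server_conf), []
    if pihole_ip not in dns:
        findings.append(f"Pi-hole {pihole_ip} is not pushed as a DNS server")
    for other in (d for d in dns if d != pihole_ip):
        findings.append(f"{other} is also pushed: clients may query it and bypass Pi-hole")
    # Simplification: interface= lines are not resolved to addresses here.
    listening = listen_addresses(dnsmasq_conf)
    for need in (pihole_ip, vpn_gateway(server_conf)):
        if listening and need and need not in listening:
            findings.append(f"dnsmasq listen-address omits {need}")
    return findings

print("\n".join(audit(SERVER_CONF, DNSMASQ_CONF, "192.168.0.113")))
```

Queries a client sends to the second pushed server are neither filtered nor counted on the Pi-hole dashboard, which is the trade-off for keeping a fallback resolver.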
 
Soldato
OP
Joined
5 Jul 2003
Posts
2,769
Location
Cheshire
Full setupVars.conf (Pi-Hole)

Code:
PIHOLE_INTERFACE=eth0
PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=192.168.0.113/24
IPV6_ADDRESS=
PIHOLE_DNS_1=212.159.6.10
PIHOLE_DNS_2=212.159.6.9
QUERY_LOGGING=true
INSTALL_WEB=true
WEBPASSWORD=<random numbers and letters ;) >
 
Commissario
Joined
16 Oct 2002
Posts
2,765
Location
In the radio shack
Identical except I didn't have PIHOLE_INTERFACE=tun0 in my Pi-Hole config. I've added it, rebooted but still nothing.

What order did you install them? PiVPN first and then Pi-Hole?
 
Commissario
Joined
16 Oct 2002
Posts
2,765
Location
In the radio shack
OK, I've got a spare, fresh SD card with Jessie, I'll start again. It's frustrating but I would rather have it all working on a single Pi, connected via Ethernet rather than WiFi.
 