Openvpn and pi hole on raspberry pi..........help :(

Foghorn Leghorn · 5 Mar 2017 at 22:05

Evening all, I'm hoping one of you genius can help me out here, I've spent the last week trying to set up an openvpn server on a pi and I'm now stuck

Set up pi hole a couple of weeks ago and this works fine and blocks ads on my network.

Installed openvpn and easy-rsa using these guides
http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
https://sys.jonaharagon.com/2016/05/12/setting-up-an-openvpn-server-on-a-raspberry-pi-2-part-12/

had a few problems connecting to the server initially, bit of googling later and I can now connect to the server from a client so I'm happy the certificates are good, port forwarding is good and my ddns is setup in the router.

Now the problem, I can't connect to anything on my network except the pi running the server, I can see the pi hole page and I can connect via ssh but i cant see anything else.

Server.conf

Code:

local 192.168.0.113
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/MYSERVER.crt
key /etc/openvpn/easy-rsa/keys/MYSERVER.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.113 255.255.255.255"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

sysctl.conf

Code:

net.ipv4.ip_forward=1

firewall rules

Code:

#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

openvpn.log

Code:

Sun Mar  5 21:55:11 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] buil$

Sun Mar  5 21:55:11 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sun Mar  5 21:55:11 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be awa$
Sun Mar  5 21:55:11 2017 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key$
Sun Mar  5 21:55:11 2017 TUN/TAP device tun0 opened
Sun Mar  5 21:55:11 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Mar  5 21:55:11 2017 /sbin/ip link set dev tun0 up mtu 1500
Sun Mar  5 21:55:11 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Mar  5 21:55:11 2017 GID set to nogroup
Sun Mar  5 21:55:11 2017 UID set to nobody
Sun Mar  5 21:55:11 2017 UDPv4 link local (bound): [AF_INET]192.168.0.113:1194
Sun Mar  5 21:55:11 2017 UDPv4 link remote: [undef]
Sun Mar  5 21:55:11 2017 Initialization Sequence Completed
Sun Mar  5 21:55:26 2017 82.132.242.86:42826 [user1] Peer Connection Initiated with [AF_INET]82.132.242.86:42826
Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 send_push_reply(): safe_cap=940

openvpn status.log

Code:

OpenVPN CLIENT LIST
Updated,Sun Mar  5 22:42:32 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

I've not changed any settings in pi hole since I installed openvpn, is this the problem?

Foghorn Leghorn · 5 Mar 2017 at 23:40

Just in case it matters, I'm using openvpn connect on an android moto g4.

Once I'd got the pair connecting the client log file was showing the following error

:tun_prop_error:route is not canonical

I fixed this (with the help of google) by changing this line

push "route 192.168.0.113 255.255.255.0"

to this

push "route 192.168.0.113 255.255.255.255"

apparently this is a route to host not network so the mask is /32 not /24, hence the extra 255 at the end.

This cures the tun_prop_error

Code:

local 192.168.0.113
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/flicker.crt
key /etc/openvpn/easy-rsa/keys/flicker.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.113 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Steveocee · 6 Mar 2017 at 11:17

My only experience doing this is with MT hardware but in general, don't you need a NAT rule to handle all traffic coming in form your remote IP range so it can enter your LAN rather than just setting up routes from one LAN range to another?

My own personal setup is as follows;
VPN clients:10.254.254.0/24
VPN Host:10.254.254.1
Main LAN Range:10.10.10.0/24
Main GW: 10.10.10.1

I have a NAT rule set up natting any traffic from 10.254.254.2-10 through the router.

MikroTik speak:

Code:

add action=masquerade chain=srcnat comment=VPN-NAT src-address=10.254.254.0/24

I can reach all LAN IP's on my network and also have outbound internet access as handled by the "main" NAT rule out of my PPPoE interface.

***I also hand off 10.10.10.20 & 10.10.10.32 which are my DNS1 & DNS2 which are both Pi-Holes. (DNS1 updates gravity daily and DNS2 weekly)

Foghorn Leghorn · 6 Mar 2017 at 21:25

Cheers steveo

I think the rule I have setup in the firewall rules is similar?

Code:

#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I have to confess this is all a bit beyond me. I've very little experience other than tinkering with a few basic pi projects.

Steveocee · 8 Mar 2017 at 11:54

Foghorn Leghorn said:
Cheers steveo

I think the rule I have setup in the firewall rules is similar?

Code:

#!/bin/sh iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I have to confess this is all a bit beyond me. I've very little experience other than tinkering with a few basic pi projects.

Rough stab in the dark, what is the -o eth0 flag? If that is inbound interface then it should be the vpn interface, if it is outbound then it will only masquerade outbound traffic. May be worth trying to remove it completely and see how if that works.

Foghorn Leghorn · 8 Mar 2017 at 12:21

Cheers, I'll give that a try.

If no joy I'm going to do a fresh install without pi hole so I can rule that out.

Steveocee · 8 Mar 2017 at 17:11

It shouldn't be pi hole causing it. I use shouldn't carefully though.

Frozennova · 9 Mar 2017 at 19:46

How many simultaneous connections do you plan on using with OpenVPN?

I've always found life far easier by using the access server package

Feek · 10 Mar 2017 at 00:21

I'm having a go at this at the moment, just off to bed while it's generating the key as "it's going to take a long time".

Feek · 10 Mar 2017 at 04:51

I'm doing fine until I get the very end.

My /etc/network/interfaces file is this

Code:

# interfaces(5) file used by ifup(8) and ifdown(8)
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'
# Include files from /etc/network/interfaces.d:

source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

No mention there of "iface eth0 inet dhcp" as suggested in the instructions. Also, I'm doing this on a Zero W so my network port is wlan0 anyway.

/edit - right, I've discovered that it's also the face eth0 net manual line so I've added one for wlan0 and the made the appropriate edit. Continuing.

Foghorn Leghorn · 10 Mar 2017 at 08:33

Frozennova said:
How many simultaneous connections do you plan on using with OpenVPN?

I've always found life far easier by using the access server package

One maybe two.

[Insert confused smiley here] will have to Google that, sadly I've no idea how any of this works , I've generally got away with having a basic understanding and following guides. I've come a little unstuck this time

Feek said:
I'm having a go at this at the moment, just off to bed while it's generating the key as "it's going to take a long time".

It wasn't kidding either, took a few hours to generate the keys on a pi1

Feek said:
I'm doing fine until I get the very end.

My /etc/network/interfaces file is this

Code:

# interfaces(5) file used by ifup(8) and ifdown(8) # Please note that this file is written to be used with dhcpcd # For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf' # Include files from /etc/network/interfaces.d: source-directory /etc/network/interfaces.d auto lo iface lo inet loopback iface eth0 inet manual allow-hotplug wlan0 iface wlan0 inet manual wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf allow-hotplug wlan1 iface wlan1 inet manual wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

No mention there of "iface eth0 inet dhcp" as suggested in the instructions. Also, I'm doing this on a Zero W so my network port is wlan0 anyway.

/edit - right, I've discovered that it's also the face eth0 net manual line so I've added one for wlan0 and the made the appropriate edit. Continuing.

Mine was also set to manual rather than dhcp, sounds like we googled and found the same answer.

I'd also like to point out that I'm holding you personally responsible for the pi zero w that is on its way to me, solely due to your contributions in the pi thread. Clearly owning 4 pi2 and 2 pi1 wasn't enough

This one's going to be for motion eye and time lapse duties.

Frozennova · 10 Mar 2017 at 09:16

The access server package takes care of all the configuration for you basically, but it's limited to 2 simultaneous connections.

Takes about 3 minutes to install and have working

Feek · 10 Mar 2017 at 10:44

@Frozennova Do you have a link please?
@Foghorn Leghorn I always get the blame for everything! I completed the setup in the early hours of the morning (I've got some bad insect bites on my leg and couldn't sleep so it took my mind off them) but was then getting errors when I tried to connect from the laptop. I ended up trashing the SD card in frustration and am now running this method instead. It's generating the key now.

Foghorn Leghorn · 10 Mar 2017 at 10:57

Route is not canonical Once it's connected?

I managed to sort that one.

I also had problems with openvpn shutting down immediately after starting on boot. Unsurprisingly i couldn't connect, had to start openvpn from cli and then it would connect fine.

Edit: not seen pivpn, might have to have a try this weekend if i don't get any further with openvpn or access server.

Feek · 10 Mar 2017 at 11:03

Working perfectly with PiVPN. I'm connected to the internet via tethering on my phone and can access the outside world along with my internal network. Nice.

/edit - Because I told the setup to use my Pi-Hole as DNS, ads are blocked as well. That's a nice bonus.

Foghorn Leghorn · 10 Mar 2017 at 11:12

Feek said:
Working perfectly with PiVPN. I'm connected to the internet via tethering on my phone and can access the outside world along with my internal network. Nice.

/edit - Because I told the setup to use my Pi-hole as DNS, ads are blocked as well. That's a nice bonus.

Superb, that's exactly what i was hoping for with openvpn and Pi-Hole, ad blocking on the internal network and external connections.

I take it you had Pi-Hole installed and set up first then installed pivpn?

Edit: I've just had a 'your order has been shipped' for my pi zero order

Feek · 10 Mar 2017 at 11:13

Pi-Hole is on a separate Pi which is also running my UniFi controller but looking at those instructions, he already has a Pi-Hole user so I suggest it'll work perfectly with Pi-Hole already installed.

Frozennova · 10 Mar 2017 at 11:14

Feek said:
@Frozennova Do you have a link please?
@Foghorn Leghorn I always get the blame for everything! I completed the setup in the early hours of the morning (I've got some bad insect bites on my leg and couldn't sleep so it took my mind off them) but was then getting errors when I tried to connect from the laptop. I ended up trashing the SD card in frustration and am now running this method instead. It's generating the key now.

https://docs.openvpn.net/how-to-tut...tall-openvpn-access-server-on-linux-debian-6/

I used the access server method on my Hetzner dedicated server and then have iptables setup to drop connections from anywhere that isn't either my home IP address or it's own address for services such as SSH (Can't try and attack a port that you can't connect to)

Foghorn Leghorn · 10 Mar 2017 at 11:14

Cheers, I'll give it a whirl on the same pi 1st anyway.

Feek · 10 Mar 2017 at 11:33

I'm all done.
.ovpn files installed on MacBook, iPhone and iPad and working perfectly.
Be interested to see how it works on your Pi-Hole box, I may reinstall on there as it would make sense for everything to be on one Pi rather than splitting it between two of them.