
Openvpn and pi hole on raspberry pi..........help :(

Discussion in 'Linux & Open Source' started by Foghorn Leghorn, Mar 5, 2017.

  1. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    Evening all, I'm hoping one of you geniuses can help me out here. I've spent the last week trying to set up an openvpn server on a pi and I'm now stuck :(

    Set up pi hole a couple of weeks ago and this works fine and blocks ads on my network.

    Installed openvpn and easy-rsa using these guides
    http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
    https://sys.jonaharagon.com/2016/05/12/setting-up-an-openvpn-server-on-a-raspberry-pi-2-part-12/

    Had a few problems connecting to the server initially; a bit of googling later and I can now connect to the server from a client, so I'm happy the certificates are good, port forwarding is good and my ddns is set up in the router.

    Now the problem: I can't connect to anything on my network except the pi running the server. I can see the pi hole page and I can connect via ssh, but I can't see anything else.

    Server.conf
    Code:
    local 192.168.0.113
    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/MYSERVER.crt
    key /etc/openvpn/easy-rsa/keys/MYSERVER.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig 10.8.0.1 10.8.0.2
    push "route 10.8.0.1 255.255.255.255"
    push "route 10.8.0.0 255.255.255.0"
    push "route 192.168.0.113 255.255.255.255"
    push "dhcp-option DNS 192.168.0.1"
    push "redirect-gateway def1"
    client-to-client
    duplicate-cn
    keepalive 10 120
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    cipher AES-128-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn-status.log 20
    log /var/log/openvpn.log
    verb 1
    
    sysctl.conf
    Code:
    net.ipv4.ip_forward=1
    firewall rules
    Code:
    #!/bin/sh
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    
    openvpn.log
    Code:
    Sun Mar  5 21:55:11 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] buil$
    
    Sun Mar  5 21:55:11 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
    Sun Mar  5 21:55:11 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be awa$
    Sun Mar  5 21:55:11 2017 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key$
    Sun Mar  5 21:55:11 2017 TUN/TAP device tun0 opened
    Sun Mar  5 21:55:11 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sun Mar  5 21:55:11 2017 /sbin/ip link set dev tun0 up mtu 1500
    Sun Mar  5 21:55:11 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
    Sun Mar  5 21:55:11 2017 GID set to nogroup
    Sun Mar  5 21:55:11 2017 UID set to nobody
    Sun Mar  5 21:55:11 2017 UDPv4 link local (bound): [AF_INET]192.168.0.113:1194
    Sun Mar  5 21:55:11 2017 UDPv4 link remote: [undef]
    Sun Mar  5 21:55:11 2017 Initialization Sequence Completed
    Sun Mar  5 21:55:26 2017 82.132.242.86:42826 [user1] Peer Connection Initiated with [AF_INET]82.132.242.86:42826
    Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
    Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 send_push_reply(): safe_cap=940
    
    openvpn status.log
    Code:
    OpenVPN CLIENT LIST
    Updated,Sun Mar  5 22:42:32 2017
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    GLOBAL STATS
    Max bcast/mcast queue length,0
    END
    I've not changed any settings in pi hole since I installed openvpn. Is this the problem?
     
    Last edited: Mar 5, 2017
  2. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    Just in case it matters, I'm using openvpn connect on an android moto g4.

    Once I'd got the pair connecting, the client log file was showing the following error:

    :tun_prop_error:route is not canonical

    I fixed this (with the help of google) by changing this line

    push "route 192.168.0.113 255.255.255.0"

    to this

    push "route 192.168.0.113 255.255.255.255"

    Apparently this is a route to a host, not a network, so the mask is /32 not /24, hence the extra 255 at the end.

    This cures the tun_prop_error.


    Code:
    local 192.168.0.113
    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/flicker.crt
    key /etc/openvpn/easy-rsa/keys/flicker.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig 10.8.0.1 10.8.0.2
    push "route 10.8.0.1 255.255.255.255"
    push "route 10.8.0.0 255.255.255.0"
    push "route 192.168.0.113 255.255.255.0"
    push "dhcp-option DNS 192.168.0.1"
    push "redirect-gateway def1"
    client-to-client
    duplicate-cn
    keepalive 10 120
    tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
    cipher AES-128-CBC
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn-status.log 20
    log /var/log/openvpn.log
    verb 1
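As an added example (not code from the thread), a small Python linter that reproduces the canonical-route check behind the "route is not canonical" error described above and runs it over the route lines of a server.conf; the sample config below is constructed from the lines posted in this thread, including the pre-fix /24 LAN route.

```python
import ipaddress
import re

# Constructed sample: route-related lines from the thread's server.conf,
# including the pre-fix LAN route that produced "route is not canonical".
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.113 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
"""

# Matches both a bare `route A M` line and a pushed `push "route A M"` line.
ROUTE_RE = re.compile(r'^(?:push\s+")?route\s+([\d.]+)\s+([\d.]+)"?$')


def is_canonical(addr: str, mask: str) -> bool:
    """A route is canonical when no host bits are set under the netmask,
    i.e. the address is the network address for that mask."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return net.network_address == ipaddress.IPv4Address(addr)


def lint_routes(conf: str) -> list:
    """Return (line_no, route, suggestion) for every non-canonical route.

    Two valid repairs exist: keep the address and use a /32 host mask
    (what the thread did, reaching only the server), or keep the mask and
    use the network address (what a route to the whole LAN would need)."""
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        addr, mask = m.groups()
        if is_canonical(addr, mask):
            continue
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        findings.append((
            no,
            f"{addr} {mask}",
            f"host route: {addr} 255.255.255.255; "
            f"network route: {net.network_address} {mask}",
        ))
    return findings


if __name__ == "__main__":
    for no, route, fix in lint_routes(SERVER_CONF):
        print(f"line {no}: route {route} is not canonical -> {fix}")
```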
    
     
  3. Steveocee

    Soldato

    Joined: Nov 5, 2011

    Posts: 5,152

    Location: Derbyshire

    My only experience doing this is with MT hardware but in general, don't you need a NAT rule to handle all traffic coming in from your remote IP range so it can enter your LAN, rather than just setting up routes from one LAN range to another?

    My own personal setup is as follows:
    VPN clients: 10.254.254.0/24
    VPN Host: 10.254.254.1
    Main LAN Range: 10.10.10.0/24
    Main GW: 10.10.10.1

    I have a NAT rule set up natting any traffic from 10.254.254.2-10 through the router.

    MikroTik speak:
    Code:
    add action=masquerade chain=srcnat comment=VPN-NAT src-address=10.254.254.0/24
    
    I can reach all LAN IPs on my network and also have outbound internet access, as handled by the "main" NAT rule out of my PPPoE interface.


    ***I also hand off 10.10.10.20 & 10.10.10.32 which are my DNS1 & DNS2 which are both Pi-Holes. (DNS1 updates gravity daily and DNS2 weekly)
     
  4. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    Cheers steveo

    I think the rule I have setup in the firewall rules is similar?

    Code:
    #!/bin/sh
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    I have to confess this is all a bit beyond me. I've very little experience other than tinkering with a few basic pi projects.
     
  5. Steveocee

    Soldato

    Joined: Nov 5, 2011

    Posts: 5,152

    Location: Derbyshire

    Rough stab in the dark, what is the -o eth0 flag? If that is the inbound interface then it should be the vpn interface; if it is outbound then it will only masquerade outbound traffic. May be worth trying to remove it completely and see if that works.
     
  6. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    Cheers, I'll give that a try.

    If no joy I'm going to do a fresh install without pi hole so I can rule that out.
     
  7. Steveocee

    Soldato

    Joined: Nov 5, 2011

    Posts: 5,152

    Location: Derbyshire

    It shouldn't be pi hole causing it. I use "shouldn't" carefully though.
     
  8. Frozennova

    Man of Honour

    Joined: Nov 13, 2009

    Posts: 11,196

    Location: Northampton

    How many simultaneous connections do you plan on using with OpenVPN?

    I've always found life far easier by using the access server package.
     
  9. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,241

    Location: In the radio shack

    I'm having a go at this at the moment, just off to bed while it's generating the key as "it's going to take a long time".
     
  10. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,241

    Location: In the radio shack

    I'm doing fine until I get to the very end.

    My /etc/network/interfaces file is this

    Code:
    # interfaces(5) file used by ifup(8) and ifdown(8)
    # Please note that this file is written to be used with dhcpcd
    # For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'
    # Include files from /etc/network/interfaces.d:
    
    source-directory /etc/network/interfaces.d
    auto lo
    iface lo inet loopback
    
    iface eth0 inet manual
    
    allow-hotplug wlan0
    iface wlan0 inet manual
        wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
    
    allow-hotplug wlan1
    iface wlan1 inet manual
        wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
    No mention there of "iface eth0 inet dhcp" as suggested in the instructions. Also, I'm doing this on a Zero W so my network port is wlan0 anyway.


    /edit - right, I've discovered that it's also the "iface eth0 inet manual" line, so I've added one for wlan0 and then made the appropriate edit. Continuing.
     
  11. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    One maybe two.

    [Insert confused smiley here] will have to Google that, sadly I've no idea how any of this works, I've generally got away with having a basic understanding and following guides. I've come a little unstuck this time :D

    It wasn't kidding either, took a few hours to generate the keys on a pi1

    Mine was also set to manual rather than dhcp, sounds like we googled and found the same answer.

    I'd also like to point out that I'm holding you personally responsible for the pi zero w that is on its way to me, solely due to your contributions in the pi thread. Clearly owning 4 pi2 and 2 pi1 wasn't enough :D
    This one's going to be for motion eye and time lapse duties.
     
  12. Frozennova

    Man of Honour

    Joined: Nov 13, 2009

    Posts: 11,196

    Location: Northampton

    The access server package takes care of all the configuration for you basically, but it's limited to 2 simultaneous connections.

    Takes about 3 minutes to install and have working.
     
  13. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,241

    Location: In the radio shack

    @Frozennova Do you have a link please?
    @Foghorn Leghorn I always get the blame for everything! I completed the setup in the early hours of the morning (I've got some bad insect bites on my leg and couldn't sleep so it took my mind off them) but was then getting errors when I tried to connect from the laptop. I ended up trashing the SD card in frustration and am now running this method instead. It's generating the key now.
     
  14. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    Route is not canonical once it's connected?

    I managed to sort that one.

    I also had problems with openvpn shutting down immediately after starting on boot. Unsurprisingly I couldn't connect; I had to start openvpn from the cli and then it would connect fine.

    Edit: not seen pivpn, might have to have a try this weekend if I don't get any further with openvpn or access server.
     
  15. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,241

    Location: In the radio shack

    Working perfectly with PiVPN. I'm connected to the internet via tethering on my phone and can access the outside world along with my internal network. Nice.

    /edit - Because I told the setup to use my Pi-Hole as DNS, ads are blocked as well. That's a nice bonus.
     
  16. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    Superb, that's exactly what I was hoping for with openvpn and Pi-Hole: ad blocking on the internal network and external connections.

    I take it you had Pi-Hole installed and set up first then installed pivpn?

    Edit: I've just had a 'your order has been shipped' for my pi zero order :D
     
  17. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,241

    Location: In the radio shack

    Pi-Hole is on a separate Pi which is also running my UniFi controller but looking at those instructions, he already has a Pi-Hole user so I suggest it'll work perfectly with Pi-Hole already installed.
     
  18. Frozennova

    Man of Honour

    Joined: Nov 13, 2009

    Posts: 11,196

    Location: Northampton

    https://docs.openvpn.net/how-to-tut...tall-openvpn-access-server-on-linux-debian-6/

    I used the access server method on my Hetzner dedicated server and then have iptables set up to drop connections from anywhere that isn't either my home IP address or its own address for services such as SSH (can't try and attack a port that you can't connect to).
     
  19. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,345

    Location: Cheshire

    Cheers, I'll give it a whirl on the same pi 1st anyway.
     
  20. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,241

    Location: In the radio shack

    I'm all done.
    .ovpn files installed on MacBook, iPhone and iPad and working perfectly.
    Be interested to see how it works on your Pi-Hole box, I may reinstall on there as it would make sense for everything to be on one Pi rather than splitting it between two of them.