Openvpn and pi hole on raspberry pi..........help :(

Foghorn Leghorn · 5 Mar 2017 at 22:05

Evening all, I'm hoping one of you genius can help me out here, I've spent the last week trying to set up an openvpn server on a pi and I'm now stuck

Set up pi hole a couple of weeks ago and this works fine and blocks ads on my network.

Installed openvpn and easy-rsa using these guides
http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing/
https://sys.jonaharagon.com/2016/05/12/setting-up-an-openvpn-server-on-a-raspberry-pi-2-part-12/

had a few problems connecting to the server initially, bit of googling later and I can now connect to the server from a client so I'm happy the certificates are good, port forwarding is good and my ddns is setup in the router.

Now the problem, I can't connect to anything on my network except the pi running the server, I can see the pi hole page and I can connect via ssh but i cant see anything else.

Server.conf

Code:

local 192.168.0.113
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/MYSERVER.crt
key /etc/openvpn/easy-rsa/keys/MYSERVER.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.113 255.255.255.255"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

sysctl.conf

Code:

net.ipv4.ip_forward=1

firewall rules

Code:

#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

openvpn.log

Code:

Sun Mar  5 21:55:11 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] buil$

Sun Mar  5 21:55:11 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sun Mar  5 21:55:11 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be awa$
Sun Mar  5 21:55:11 2017 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key$
Sun Mar  5 21:55:11 2017 TUN/TAP device tun0 opened
Sun Mar  5 21:55:11 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Mar  5 21:55:11 2017 /sbin/ip link set dev tun0 up mtu 1500
Sun Mar  5 21:55:11 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Mar  5 21:55:11 2017 GID set to nogroup
Sun Mar  5 21:55:11 2017 UID set to nobody
Sun Mar  5 21:55:11 2017 UDPv4 link local (bound): [AF_INET]192.168.0.113:1194
Sun Mar  5 21:55:11 2017 UDPv4 link remote: [undef]
Sun Mar  5 21:55:11 2017 Initialization Sequence Completed
Sun Mar  5 21:55:26 2017 82.132.242.86:42826 [user1] Peer Connection Initiated with [AF_INET]82.132.242.86:42826
Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Mar  5 21:55:26 2017 user1/82.132.242.86:42826 send_push_reply(): safe_cap=940

openvpn status.log

Code:

OpenVPN CLIENT LIST
Updated,Sun Mar  5 22:42:32 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

I've not changed any settings in pi hole since I installed openvpn, is this the problem?

Foghorn Leghorn · 5 Mar 2017 at 23:40

Just in case it matters, I'm using openvpn connect on an android moto g4.

Once I'd got the pair connecting the client log file was showing the following error

:tun_prop_error:route is not canonical

I fixed this (with the help of google) by changing this line

push "route 192.168.0.113 255.255.255.0"

to this

push "route 192.168.0.113 255.255.255.255"

apparently this is a route to host not network so the mask is /32 not /24, hence the extra 255 at the end.

This cures the tun_prop_error

Code:

local 192.168.0.113
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/flicker.crt
key /etc/openvpn/easy-rsa/keys/flicker.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.113 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

Foghorn Leghorn · 6 Mar 2017 at 21:25

Cheers steveo

I think the rule I have setup in the firewall rules is similar?

Code:

#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I have to confess this is all a bit beyond me. I've very little experience other than tinkering with a few basic pi projects.

Foghorn Leghorn · 8 Mar 2017 at 12:21

Cheers, I'll give that a try.

If no joy I'm going to do a fresh install without pi hole so I can rule that out.

Foghorn Leghorn · 10 Mar 2017 at 08:33

Frozennova said:
How many simultaneous connections do you plan on using with OpenVPN?

I've always found life far easier by using the access server package

One maybe two.

[Insert confused smiley here] will have to Google that, sadly I've no idea how any of this works , I've generally got away with having a basic understanding and following guides. I've come a little unstuck this time

Feek said:
I'm having a go at this at the moment, just off to bed while it's generating the key as "it's going to take a long time".

It wasn't kidding either, took a few hours to generate the keys on a pi1

Feek said:
I'm doing fine until I get the very end.

My /etc/network/interfaces file is this

Code:

# interfaces(5) file used by ifup(8) and ifdown(8) # Please note that this file is written to be used with dhcpcd # For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf' # Include files from /etc/network/interfaces.d: source-directory /etc/network/interfaces.d auto lo iface lo inet loopback iface eth0 inet manual allow-hotplug wlan0 iface wlan0 inet manual wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf allow-hotplug wlan1 iface wlan1 inet manual wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

No mention there of "iface eth0 inet dhcp" as suggested in the instructions. Also, I'm doing this on a Zero W so my network port is wlan0 anyway.

/edit - right, I've discovered that it's also the face eth0 net manual line so I've added one for wlan0 and the made the appropriate edit. Continuing.

Mine was also set to manual rather than dhcp, sounds like we googled and found the same answer.

I'd also like to point out that I'm holding you personally responsible for the pi zero w that is on its way to me, solely due to your contributions in the pi thread. Clearly owning 4 pi2 and 2 pi1 wasn't enough

This one's going to be for motion eye and time lapse duties.

Foghorn Leghorn · 10 Mar 2017 at 10:57

Route is not canonical Once it's connected?

I managed to sort that one.

I also had problems with openvpn shutting down immediately after starting on boot. Unsurprisingly i couldn't connect, had to start openvpn from cli and then it would connect fine.

Edit: not seen pivpn, might have to have a try this weekend if i don't get any further with openvpn or access server.

Foghorn Leghorn · 10 Mar 2017 at 11:12

Feek said:
Working perfectly with PiVPN. I'm connected to the internet via tethering on my phone and can access the outside world along with my internal network. Nice.

/edit - Because I told the setup to use my Pi-hole as DNS, ads are blocked as well. That's a nice bonus.

Superb, that's exactly what i was hoping for with openvpn and Pi-Hole, ad blocking on the internal network and external connections.

I take it you had Pi-Hole installed and set up first then installed pivpn?

Edit: I've just had a 'your order has been shipped' for my pi zero order

Foghorn Leghorn · 10 Mar 2017 at 11:14

Cheers, I'll give it a whirl on the same pi 1st anyway.

Foghorn Leghorn · 11 Mar 2017 at 17:16

Had a little bit of time to play last night and this afternoon. Fresh Raspbian Jessie install and then followed by pivpn. It works, woo hoo!

I'm running it on a pi1 and it is a little sluggish

, shame really, I'll stick it on a pi2 and see how that manages. I was hoping to find a role for my pi1 rather than stuff it back in a drawer though.

Time to install pi-hole, wish me luck

Foghorn Leghorn · 11 Mar 2017 at 18:04

Update. I now have openvpn and pi hole running on the same pi install. Pi Hole is blocking all ads network wide but not over the vpn connection. Not surprising really as I haven't told it to yet

Back in we go, it'll either work or I'll break it completely.....

Foghorn Leghorn · 11 Mar 2017 at 18:06

Steveocee said:
Pi 1 as pihole and Pi2 as vpn?

No both on pi1 at the moment, I'll try a pi2 (purely to test the performance difference) once I've managed to get it all working on the pi1.

Foghorn Leghorn · 11 Mar 2017 at 19:23

Ignore the sluggish bit, it seems my mobile signal dropped through the floor at the same time i connected to the vpn server so i assumed it was the pi1 causing a bottleneck, restarted my phone and all looks good.

Good news! It seems I've managed to block ads over the vpn as well as my local network. I'll continue testing then post up the changes required. I'm not 100% sure the pi hole admin page is updating the dns queries/blocked queries from the vpn connection but the ads are blocked so if I can't figure it out I can certainly live with that

Foghorn Leghorn · 11 Mar 2017 at 19:25

Cheers for the heads up re motion eye, I've used the motion eye os before and that worked well on a pi1 so I'll do the same with the zero.

Foghorn Leghorn · 11 Mar 2017 at 19:56

Daily mail! I was just sick a little bit into my mouth then

Ads blocked :cool:

Foghorn Leghorn · 11 Mar 2017 at 21:05

Changes I've made from the standard set up. Remove one of the dns servers from server config and replace with Pi-Hole ip address.

/etc/openvpn/server.conf

Code:

# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.113"
push "dhcp-option DNS 8.8.8.8"

Add the two lines below to dnsmasq config (replace 192.168.0.113 with the static ip address of your Pi-Hole server). Reboot and all should work.

/etc/dnsmasq.conf

Code:

interface=tun0
listen-address=127.0.0.1, 192.168.0.113, 10.8.0.1

Foghorn Leghorn · 11 Mar 2017 at 21:30

It wouldn't work without the two line in dnsmasq, I'm assuming because it's installed on the same pi using the same static ip address.

Try removing the extra dns adresses from your server config. I ended up with a problem where I couldn't resolve addresses and it was because I'd set the primary dns in the pi hole set up and the secondary dns address in server.conf to the same address. Well, at least I think that's what caused it because it worked when I changed the secondary dns address in server.conf to another address, either that or I fixed it by accident and I don't know what I did

Edit: this is where I found the info for the above changes to server.conf and dnsmasq if you're running both on the same pi

https://github.com/pivpn/pivpn/wiki/FAQ#installing-with-pi-hole

Foghorn Leghorn · 11 Mar 2017 at 21:49

That's exactly the problem I had when I started the thread

I could connect to the server and I could see the Pi-Hole admin page and also connect via ssh through the vpn but couldn't see any other part of my network or t'internet.

I can post up my full server.conf and pihole.conf if it'll help.

Foghorn Leghorn · 11 Mar 2017 at 22:05

Full server.conf file

Code:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.0.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.113"
push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 212.159.6.10"
# push "dhcp-option DNS 212.159.6.9"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

Foghorn Leghorn · 11 Mar 2017 at 22:07

Full setupVars.conf (Pi-Hole)

Code:

PIHOLE_INTERFACE=eth0
PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=192.168.0.113/24
IPV6_ADDRESS=
PIHOLE_DNS_1=212.159.6.10
PIHOLE_DNS_2=212.159.6.9
QUERY_LOGGING=true
INSTALL_WEB=true
WEBPASSWORD=<random numbers and letters ;) >

Foghorn Leghorn · 11 Mar 2017 at 22:13

Yes pivpn first on a fresh Jessie install.