
Openvpn and pi hole on raspberry pi..........help :(

Discussion in 'Linux & Open Source' started by Foghorn Leghorn, Mar 5, 2017.

  1. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,896

    Location: In the radio shack

    As a further update, I took a quick spin out to see what the performance was like. I drove around the block and ran a speedtest. I got 36.9Mbps down and 12.3Mbps up when tethering from my MacBook to my iPhone.

    Connected the VPN and ran another speedtest which reported 5.8Mbps down and 4.7Mbps up so quite a drop. I get 75Mbps down and 18Mbps upload on my home broadband connection but the VPN is running on a Pi Zero W connected via WiFi at 72Mbps each way. The speed will be a combination of broadband and WiFi limitations but it's certainly useable.

    It was quite satisfying to watch the ping I had running as it started and stopped as I kicked the VPN in and out.
     
  2. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Had a little bit of time to play last night and this afternoon. Fresh Raspbian Jessie install and then followed by pivpn. It works, woo hoo!

    I'm running it on a pi1 and it is a little sluggish :(, shame really, I'll stick it on a pi2 and see how that manages. I was hoping to find a role for my pi1 rather than stuff it back in a drawer though.

    Time to install pi-hole, wish me luck :D
     
  3. Steveocee

    Soldato

    Joined: Nov 5, 2011

    Posts: 5,170

    Location: Derbyshire

    Pi 1 as pihole and Pi2 as vpn?
     
  4. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Update. I now have openvpn and pi hole running on the same pi install. Pi Hole is blocking all ads network wide but not over the vpn connection. Not surprising really as I haven't told it to yet :D

    Back in we go, it'll either work or I'll break it completely.....
     
  5. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    No, both on pi1 at the moment, I'll try a pi2 (purely to test the performance difference) once I've managed to get it all working on the pi1.
     
  6. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,896

    Location: In the radio shack

    When I installed PiVPN, I just gave it the address of my Pi-Hole as DNS server so it means ads are blocked when using the VPN.

    When you said it's sluggish, I'm not sure what there is to be sluggish? It just works in the background and does what it's supposed to do. Running htop on mine, the CPU is sitting at just a few percent usage so I'm a little confused as to when it's slow.

    Also, going back to something you said before. I've set up a Pi Zero W with motionEye today using a base Jessie install and then motionEye on top rather than using the motionEye OS image and that is certainly thrashing the Zero. We're talking about 50% CPU all the time and 100% solid when it's doing anything other than sitting at idle.
     
  7. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Ignore the sluggish bit, it seems my mobile signal dropped through the floor at the same time I connected to the vpn server so I assumed it was the pi1 causing a bottleneck, restarted my phone and all looks good.

    Good news! It seems I've managed to block ads over the vpn as well as my local network. I'll continue testing then post up the changes required. I'm not 100% sure the pi hole admin page is updating the dns queries/blocked queries from the vpn connection but the ads are blocked so if I can't figure it out I can certainly live with that :)
     
  8. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Cheers for the heads up re motion eye, I've used the motion eye os before and that worked well on a pi1 so I'll do the same with the zero.
     
  9. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,896

    Location: In the radio shack

    The way I tested to make sure ads were being blocked through the VPN was to connect, go to the daily mail full website and cnn.com as well - Totally ad free. Then I checked the Pi-Hole dashboard and it showed 370 blocks from my OpenVPN Pi. Sorted :)

    If you want to be doubly sure, check /etc/openvpn/server.conf for

    Code:
    # Set your primary domain name server address for clients
    push "dhcp-option DNS 192.168.1.2"
    push "dhcp-option DNS 8.8.8.8"

    The first is my Pi-Hole box and the second is obviously the google primary public DNS server, just in case the Pi-Hole goes down.
     
  10. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Daily mail! I was just sick a little bit into my mouth then :D

    Ads blocked :cool:
     
  11. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Changes I've made from the standard set up. Remove one of the dns servers from server config and replace with Pi-Hole ip address.

    /etc/openvpn/server.conf

    Code:
    # Set your primary domain name server address for clients
    push "dhcp-option DNS 192.168.0.113"
    push "dhcp-option DNS 8.8.8.8"
    
    Add the two lines below to dnsmasq config (replace 192.168.0.113 with the static ip address of your Pi-Hole server). Reboot and all should work.

    /etc/dnsmasq.conf

    Code:
    interface=tun0
    listen-address=127.0.0.1, 192.168.0.113, 10.8.0.1
    
     
    Last edited: Mar 11, 2017
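
An added example, not part of the original post: a small Python check over the two files above that lists which resolvers pushed to VPN clients are answered by the Pi-hole's dnsmasq and which are not. It assumes Pi-hole and OpenVPN share one host, as in this post, so the Pi-hole addresses are the ones on the `listen-address` line; the function names and sample strings are made up for the example.

```python
import re

# Constructed sample inputs, trimmed from the two files quoted in the post above.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.113"
push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 212.159.6.10"
push "redirect-gateway def1"
"""
DNSMASQ_CONF = """\
interface=tun0
listen-address=127.0.0.1, 192.168.0.113, 10.8.0.1
"""

PUSH_DNS = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+([0-9A-Fa-f.:]+)"')


def pushed_dns(server_conf):
    """Resolvers pushed to VPN clients, in file order; commented lines are skipped."""
    matches = (PUSH_DNS.match(line) for line in server_conf.splitlines())
    return [m.group(1) for m in matches if m]


def listen_addresses(dnsmasq_conf):
    """Addresses named on dnsmasq listen-address lines (comma-separated values)."""
    found = set()
    for line in dnsmasq_conf.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")
        if key.strip() == "listen-address":
            found.update(v.strip() for v in value.split(",") if v.strip())
    return found


def audit(server_conf, dnsmasq_conf):
    """Split pushed resolvers into those served by the local dnsmasq and the rest."""
    local = listen_addresses(dnsmasq_conf)
    servers = pushed_dns(server_conf)
    return {
        "filtered": [s for s in servers if s in local],
        "unfiltered": [s for s in servers if s not in local],
    }


if __name__ == "__main__":
    for kind, servers in audit(SERVER_CONF, DNSMASQ_CONF).items():
        print(f"{kind}: {', '.join(servers) or 'none'}")
```

Any address listed under `unfiltered` is a resolver a VPN client can use without its queries passing through Pi-hole's blocklists.
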
  12. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,896

    Location: In the radio shack

    I didn't make any changes to the dnsmasq.conf file on my Zero, it wasn't needed.

    I've actually just completed an install on my Pi2 which is running Pi-Hole, Transmission and my UniFi controller and it's not working.

    The VPN connects from my iPhone but I don't appear to be getting any traffic through. I've tried adding the lines into dnsmasq.conf as you suggested but that's not made any difference.

    Now I'm grumpy.
     
  13. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    It wouldn't work without the two lines in dnsmasq, I'm assuming because it's installed on the same pi using the same static ip address.

    Try removing the extra dns addresses from your server config. I ended up with a problem where I couldn't resolve addresses and it was because I'd set the primary dns in the pi hole set up and the secondary dns address in server.conf to the same address. Well, at least I think that's what caused it because it worked when I changed the secondary dns address in server.conf to another address, either that or I fixed it by accident and I don't know what I did :D

    Edit: this is where I found the info for the above changes to server.conf and dnsmasq if you're running both on the same pi

    https://github.com/pivpn/pivpn/wiki/FAQ#installing-with-pi-hole
     
  14. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,896

    Location: In the radio shack

    I only had two lines in my server.conf file, exactly as posted in post #29 in this thread. During setup, one of the questions was what do you want your DNS setup to be so I chose 192.168.1.2 (itself) and google. Mine looks like yours except the first IP is different.

    So my pi-hole uses 8.8.8.8 as primary, my VPN uses the pi-hole as primary.

    I've connected my laptop to the new VPN, it's resolving addresses (I can ping by name) but no data is going through.
     
  15. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    That's exactly the problem I had when I started the thread :(

    I could connect to the server and I could see the Pi-Hole admin page and also connect via ssh through the vpn but couldn't see any other part of my network or t'internet.

    I can post up my full server.conf and pihole.conf if it'll help.
     
  16. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Full server.conf file

    Code:
    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/server.crt
    key /etc/openvpn/easy-rsa/pki/private/server.key
    dh /etc/openvpn/easy-rsa/pki/dh2048.pem
    topology subnet
    server 10.8.0.0 255.255.255.0
    # server and remote endpoints
    ifconfig 10.8.0.1 10.8.0.2
    # Add route to Client routing table for the OpenVPN Server
    push "route 10.8.0.1 255.255.255.255"
    # Add route to Client routing table for the OPenVPN Subnet
    push "route 10.8.0.0 255.255.255.0"
    # your local subnet
    push "route 192.168.0.0 255.255.255.0"
    # Set your primary domain name server address for clients
    push "dhcp-option DNS 192.168.0.113"
    push "dhcp-option DNS 8.8.8.8"
    # push "dhcp-option DNS 212.159.6.10"
    # push "dhcp-option DNS 212.159.6.9"
    # Override the Client default gateway by using 0.0.0.0/1 and
    # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
    # overriding but not wiping out the original default gateway.
    push "redirect-gateway def1"
    client-to-client
    duplicate-cn
    keepalive 10 120
    tls-version-min 1.2
    tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
    cipher AES-256-CBC
    auth SHA256
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    #crl-verify /etc/openvpn/crl.pem
    status /var/log/openvpn-status.log 20
    status-version 3
    log /var/log/openvpn.log
    verb 1
    # Generated for use by PiVPN.io
    
     
  17. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Full setupVars.conf (Pi-Hole)

    Code:
    PIHOLE_INTERFACE=eth0
    PIHOLE_INTERFACE=tun0
    IPV4_ADDRESS=192.168.0.113/24
    IPV6_ADDRESS=
    PIHOLE_DNS_1=212.159.6.10
    PIHOLE_DNS_2=212.159.6.9
    QUERY_LOGGING=true
    INSTALL_WEB=true
    WEBPASSWORD=<random numbers and letters ;) >
    
     
  18. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,896

    Location: In the radio shack

    Identical except I didn't have PIHOLE_INTERFACE=tun0 in my Pi-Hole config. I've added it, rebooted but still nothing.

    What order did you install them? PiVPN first and then Pi-Hole?
     
  19. Foghorn Leghorn

    Wise Guy

    Joined: Jul 5, 2003

    Posts: 2,380

    Location: Cheshire

    Yes, pivpn first on a fresh Jessie install.
     
  20. Feek

    Commissario

    Joined: Oct 16, 2002

    Posts: 27,896

    Location: In the radio shack

    OK, I've got a spare, fresh SD card with Jessie, I'll start again. It's frustrating but I would rather have it all working on a single Pi, connected via Ethernet rather than WiFi.