Dual operation (Local and OpenVPN) and Firewall

The issue I am facing:

The Guide Redirecting... is apparently outdated as per Can't make "LAN & VPN dual operation" work - #6 by RamSet, and the same forum thread provides a bash script. I ran this bash script but I am wondering whether my pihole is safe because apparently the iptables are empty:

pi@raspberrypi:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
pi@raspberrypi:~ $

When I tried the Guides Redirecting... and Redirecting..., I also had no problem (i.e. VPN and local pihole filtering was apparently working) until I carried out step sudo iptables -P INPUT DROP (I carried out the step after I specified ACCESS as specified in the guide).

How come that in the Guide it is recommended to specify the iptables, but the bash script does not take care of the firewall?

Details about my system:

https://tricorder.pi-hole.net/eloh6mcqmc

What I have changed since installing Pi-hole:
See above.

The latest RoadWarrior install script handles all needed IPTABLES rules.

Latest version is available here:

The additional steps in the guide are deprecated and no longer needed.

I followed your link and discovered that there is also a wireguard script.
I did the following:

  1. fresh install of raspi os buster
  2. fresh install of pihole
  3. fresh install of your wireguard script

You wrote that all IPTABLES rules are handled by the script. I am concerned that the firewall is still not protective enough:

pi@raspberrypi:~/noip/noip-2.1.9-1 $ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:51820

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  10.7.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
pi@raspberrypi:~/noip/noip-2.1.9-1 $

The guide Redirecting... looks much more restrictive, hence, more protective.

New debug log: https://tricorder.pi-hole.net/qt23ouwy0n

The script itself and the VPN server require a relatively small set of instructions to work.
At its core, the server opens a port, you tunnel and authenticate to that.
Now, unless you have exposed the whole device to the internet with free and unrestricted access to all the ports, you don’t need to worry about any additional IPTABLES restrictions or settings.

The tunnel handles all traffic mapping back and forth between the connected client and the server.

Firewall and other restrictions happen at router level, unless again you have the Pi-hole/VPN device either in a DMZ or simply directly connected to the internet with nothing in between OR you have this running on a VPS.

Even then, your concern should be to actually restrict port 53 for outside access.

Nevertheless, that is a discussion for another post.

What the above script does is simply map the tunnel to the port and handle packet routing between the two subnets.

Nothing more nothing less. And that’s all that’s needed. No additional settings are required for it to work.
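Added example, not from the thread or from the script's author: a POSIX sh audit of a saved `iptables -L --line-numbers` listing that checks for the three rules the thread says the script adds (udp/51820 in, RELATED,ESTABLISHED forward, forward from 10.7.0.0/24) and notes when port 53 is left to the INPUT policy. The listing is constructed from the output quoted above; the function names and rule patterns are my assumptions.

```shell
# Added example (not from the thread): audit a saved `iptables -L --line-numbers`
# listing for the rules the thread says the VPN script adds, and note whether
# DNS (port 53) is left to the INPUT policy. Listing is constructed from the thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:51820

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  10.7.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# chain_policy LISTING CHAIN -> default policy (ACCEPT/DROP) of CHAIN
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^Chain $2 (policy \([A-Z]*\)).*/\1/p"
}
# chain_rules LISTING CHAIN -> only the numbered rule lines of CHAIN
chain_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && /^[0-9]+ / { print }'
}

# has_rule LISTING CHAIN ERE -> succeeds if a rule line in CHAIN matches ERE
has_rule() {
    chain_rules "$1" "$2" | grep -Eq "$3"
}

# audit LISTING -> prints findings; returns 0 when the rules the script is said
# to add are present, 1 when any is missing
audit() {
    listing=$1; ok=0
    has_rule "$listing" INPUT 'ACCEPT +udp .*udp dpt:51820' ||
        { echo "missing: INPUT accept for WireGuard udp/51820"; ok=1; }
    has_rule "$listing" FORWARD 'state RELATED,ESTABLISHED' ||
        { echo "missing: FORWARD accept RELATED,ESTABLISHED"; ok=1; }
    has_rule "$listing" FORWARD 'ACCEPT +all +-- +10\.7\.0\.0/24 ' ||
        { echo "missing: FORWARD accept from VPN subnet 10.7.0.0/24"; ok=1; }
    # With policy ACCEPT and no port-53 rule, DNS exposure depends entirely on
    # what sits in front of the device (router/NAT), as the thread points out.
    if [ "$(chain_policy "$listing" INPUT)" = ACCEPT ] &&
        ! has_rule "$listing" INPUT 'dpt:(53|domain)'; then
        echo "note: INPUT policy ACCEPT and no rule for port 53; relying on the router"
    fi
    return $ok
}
```

Run it against a live box with `audit "$(sudo iptables -L --line-numbers)"`; a non-zero exit means one of the rules the script is expected to add is absent.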
