Pi-hole with OpenVPN VPS Debian

How would I go about limiting lighttpd to listen only on the VPN device, so it wouldn't be accessible from the www?

@Pihole1234 I did some investigations on how you would do that with the firewall iptables and added that to the end of the HowTo here. Please tell us if you succeed.

That worked perfectly. There were no rules set up, so it was just a matter of running the 2 commands. Thanks again.

Did you actually get this working on your VPS?

As those two rules do not appear to work on my OpenVZ Debian Jessie install :(

I wrote this tutorial while working on an ordinary Ubuntu 16.04 VM and everything worked perfectly, so I suspect that you have some strange configuration.

We can try to debug this together. However, note that answers may be delayed during holiday time. Please provide more details concerning your problem.

Think I've misunderstood how the rules work.

I was trying to access the GUI via http://pi.hole which is mapped to my VPS's external IP via local.list. When I applied the rules external access stopped working as well as myself accessing the external IP from my VPN connection.

If I try accessing the GUI via http://10.8.0.1/admin it works. I thought that the rules were allowing port 80 access to my tun0 interface regardless of if the traffic was internal or external. Clearly that is not the case.

Well, I think you misunderstand a minor thing. Yes, it will allow access to your tun0 interface. But, if you try to access the Pi through its external IP, this request will go through the tun0 device and then connect to eth0 on your server since this interface is connected with the external IP. However, from this device you will then not be able to access the web UI.

Set the IPv4 IP of the Pi-hole to your VPN IP, then there is no need for mapping any hostname since the Pi-hole will take care of it itself.

Hey, my friend is trying to get this installed on his VPS with Debian 8 installed and it's not working. Any ideas why?
It's saying the curl -L isn't a command.

It seems like curl is not available on his system.
What does

command -v curl

say? Does it say something at all?

by say do you mean what comes up when he tried to set it up?

I mean what comes if he enters:

command -v curl

A post was split to a new topic: Problem with OpenVPN

Yeah, curl isn't shipped by default with Debian. Just run

apt install curl

and then you can run the command.

Alternatively, you can use wget or git to download the script and run it locally.

Using OpenVPN on a VPS may be for the privacy (whatever that means) conscious. After reading this thread, I went ahead and disabled lighttpd's accesslog by commenting out the following in /etc/lighttpd/lighttpd.conf.

#"mod_accesslog"
#accesslog.filename = "/var/log/lighttpd/access_log"

It would likely be overwritten after an upgrade, and I'm not sure of any other way to disable it.

You might be able to override it in /etc/lighttpd/external.conf


@Mcat12 Thanks for the pointer. Disabling lighttpd's accesslog by commenting out the lines in /etc/lighttpd/lighttpd.conf won't survive Pi-hole updates.
The safe way is to create /etc/lighttpd/external.conf and add the following:

include_shell "sed -i -r 's/^(\s*accesslog\.filename)/#\1/' /etc/lighttpd/lighttpd.conf"
include_shell "sed -i -r 's/^(\s*\"mod_accesslog\",)/#\1/' /etc/lighttpd/lighttpd.conf"
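
A dry run of the two sed expressions from the post above, as an added example that is not part of the original thread: it applies them without -i to a constructed sample config (not a real Pi-hole lighttpd.conf) and checks that a second pass changes nothing, which matters because include_shell runs the commands again on every config parse. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: preview what the two sed expressions would change.

# Same expressions as in the post, without -i, so the input file is never modified.
comment_accesslog() {
    sed -r \
        -e 's/^(\s*accesslog\.filename)/#\1/' \
        -e 's/^(\s*"mod_accesslog",)/#\1/' \
        "$1"
}

# Constructed sample config, not a real Pi-hole lighttpd.conf.
make_sample() {
    cat > "$1" <<'EOF'
server.modules = (
    "mod_access",
    "mod_accesslog",
    "mod_auth",
)
server.document-root = "/var/www/html"
accesslog.filename   = "/var/log/lighttpd/access.log"
accesslog.format     = "%{%s}t|%V|%r|%s|%b"
EOF
}

# Prints the lines the edit would produce ("> ..." from diff) and
# returns 0 only if applying the edit a second time changes nothing.
check_edit() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/orig.conf"
    comment_accesslog "$tmp/orig.conf" > "$tmp/once.conf"
    comment_accesslog "$tmp/once.conf" > "$tmp/twice.conf"
    diff "$tmp/orig.conf" "$tmp/once.conf" | grep '^>'
    cmp -s "$tmp/once.conf" "$tmp/twice.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

check_edit
```

In the sample, the accesslog.format line stays active, since neither expression matches it.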

How about just having this in the extra config?

accesslog.filename = ""

accesslog.filename = "" in external.conf prevents lighttpd from starting

Error:
debian:~# systemctl status lighttpd.service
? lighttpd.service - Lighttpd Daemon
Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled)
Active: failed (Result: exit-code) since Tue 2017-02-14 17:10:38; 17s ago
Process: 6880 ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
Process: 8204 ExecStartPre=/usr/sbin/lighttpd -t -f /etc/lighttpd/lighttpd.conf (code=exited, status=255)
Main PID: 6880 (code=exited, status=0/SUCCESS)
Feb 14 17:10:38 debian systemd[1]: Starting Lighttpd Daemon...
Feb 14 17:10:38 debian lighttpd[8204]: Duplicate config variable in conditional 0 global: accesslog.filename
Feb 14 17:10:38 debian lighttpd[8204]: 2017-02-14 17:10:38: (configfile.c.957) source: cat external.conf 2>/dev/null line: 12 pos: 1 parser failed somehow near here: (EOL)
Feb 14 17:10:38 debian lighttpd[8204]: 2017-02-14 17:10:38: (configfile.c.957) source: /etc/lighttpd/lighttpd.conf line: 67 pos: 1 parser failed somehow near here: (EOL)
Feb 14 17:10:38 debian systemd[1]: lighttpd.service: control process exited, code=exited status=255
Feb 14 17:10:38 debian systemd[1]: Failed to start Lighttpd Daemon.
Feb 14 17:10:38 debian systemd[1]: Unit lighttpd.service entered failed state.

However, it works if accesslog.filename is commented out or didn't exist in lighttpd.conf to begin with.

This dumps the ovpn file to the /root folder and I've disabled root. How can I change where that file is sent?

As noted on your issue on GitHub, I think you're getting us confused with piVPN. We don't do anything with VPN configs. Cheers!