Hey
I have made a new setup with my Raspberry Pi with Pi-hole and OpenVPN.
Everything works fine but now I want to give the server a little bit more security with iptables.
I saw something about this in your wiki how-to and I set up iptables like that, but my problem is that I can't access the admin dashboard of the Pi-hole from any computer at home with that configuration.
I'm not an expert with iptables and I didn't really find a solution for this, so I hope someone here can help me.
I wrote the wiki articles. I think you referred to this one?
Please provide the output of
sudo iptables -L --line-numbers
so we can see how your firewall is configured. The shown configuration is constructed such that only access within the VPN is possible. That means that also the local network is excluded.
- Your question is how to allow your local network in addition?
- If so, what is the IP address of your Pi-hole? It is needed to decide what addresses belong to your internal network.
When I put in all the rules you wrote down in the wiki article my iptables -L output looks exactly the same as you showed in the article. I can't post it right now because I deleted the rules for now.
And yes, I want to allow my local network in addition.
The local IP address of my Pi-hole is 192.168.178.35.
Okay, what follows is untested and only constructed off the top of my head, but it should just work for you (or you will get an error message in case I had a typo).
As you already deleted all rules, we can start afresh. First, insert all explicit accept rules for the VPN as written in the wiki:
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
Then add explicit accept rules for your local network (i.e. 192.168.178.1 - 192.168.178.254):
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p udp --destination-port 80 -j ACCEPT
And finally install the drop rules:
sudo iptables -A INPUT -p tcp --destination-port 53 -j DROP
sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP
sudo iptables -A INPUT -p udp --destination-port 53 -j DROP
sudo iptables -A INPUT -p udp --destination-port 80 -j DROP
Please share your experience with us, so I can extend our wiki accordingly.
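The twelve rules above, as an added example that is not the wiki author's code: a script that generates them in the same order (VPN accepts, LAN accepts, then the catch-all drops, because the INPUT chain is evaluated top to bottom and -A appends at the end) and applies each one only if it is not already present. The LAN 192.168.178.0/24 and the interface tun0 are the values from this thread; adjust LAN and VPN_IF for another setup.

```shell
#!/bin/sh
# Added example (not from the wiki or this thread): apply the Pi-hole
# DNS (53) / dashboard (80) rules for VPN and LAN, drop everything else.
# Assumptions: LAN is 192.168.178.0/24 as stated in the thread, the
# OpenVPN interface is tun0.
set -e

LAN="192.168.178.0/24"
VPN_IF="tun0"

# Print the INPUT rule bodies in the order they must be appended:
# ACCEPT rules first, the unconditional DROP rules last.
build_rules() {
    for proto in tcp udp; do
        for port in 53 80; do
            echo "-i $VPN_IF -p $proto --dport $port -j ACCEPT"
        done
    done
    for proto in tcp udp; do
        for port in 53 80; do
            echo "-s $LAN -p $proto --dport $port -j ACCEPT"
        done
    done
    for proto in tcp udp; do
        for port in 53 80; do
            echo "-p $proto --dport $port -j DROP"
        done
    done
}

# Append each rule only when "iptables -C" reports it missing, so that
# re-running the script never produces duplicate rules in the chain.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        # word-splitting of $rule into iptables arguments is intended
        if sudo iptables -C INPUT $rule 2>/dev/null; then
            echo "present: $rule"
        else
            sudo iptables -A INPUT $rule
            echo "added:   $rule"
        fi
    done
}

# Self-check: number of ACCEPT rules the generator emits (expected 8).
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  build_rules ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Run `sh pihole-rules.sh show` to review the rules, `sh pihole-rules.sh apply` to install them; `sudo iptables -L INPUT --line-numbers` afterwards should list the eight ACCEPT rules above the four DROP rules. Rules added this way are not kept across a reboot unless they are saved with a tool such as iptables-persistent.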
I put in all your rules and what should I say?
It works perfectly.
Big thanks for your very quick help.
Hi there!
Just in case some users were still, like me, unable to reach their Pi-hole DNS when connected under OpenVPN (DNS not resolving issue), here's a quick fix:
- First, modify /etc/dnsmasq.conf in order to replace:
#listen-address=
with
listen-address=127.0.0.1, 192.168.xxx.xxx, 10.8.0.1
where the second IP is the Pi-hole local network IP and the third IP is the tun0 interface.
- Then, simply restart DNSMasq with:
sudo systemctl restart dnsmasq
This fix was found on the PiVPN wiki and I thought that it could help other Pi-hole users under a similar configuration.
Hopefully it'll be useful for anyone
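The edit described in the post above, as an added example that is not the poster's or the PiVPN wiki's code: a function that sets the listen-address line idempotently (it rewrites a commented `#listen-address=` line or an existing `listen-address=` line, and appends one if neither exists) and keeps a backup, plus a reader to verify the result. The file path and address list are arguments; the demo uses 192.168.178.35, the Pi-hole IP named earlier in this thread, in place of the post's 192.168.xxx.xxx placeholder.

```shell
#!/bin/sh
# Added example, not from the post above: idempotent listen-address edit.
# Assumptions: FILE is a dnsmasq config file, ADDRS a comma-separated
# address list; GNU/busybox sed (-i without a suffix).
set -e

# set_listen_address FILE ADDRS
# Replaces "#listen-address=..." or "listen-address=..." in place, so a
# second run (edge case: re-applying the fix) changes nothing and adds
# no duplicate line; appends the line when the file has none.
set_listen_address() {
    file="$1"
    addrs="$2"
    cp "$file" "$file.bak"
    if grep -q '^#\{0,1\}listen-address=' "$file"; then
        sed -i "s|^#\{0,1\}listen-address=.*|listen-address=$addrs|" "$file"
    else
        printf 'listen-address=%s\n' "$addrs" >> "$file"
    fi
}

# get_listen_address FILE: prints the active (uncommented) value, if any.
get_listen_address() {
    sed -n 's/^listen-address=//p' "$1"
}

# Demo on a constructed config, not a real /etc/dnsmasq.conf.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'domain-needed' '#listen-address=' 'bogus-priv' > "$tmp"
    set_listen_address "$tmp" "127.0.0.1,192.168.178.35,10.8.0.1"
    set_listen_address "$tmp" "127.0.0.1,192.168.178.35,10.8.0.1"  # no-op
    get_listen_address "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

[ "${1:-}" = "demo" ] && demo
```

Usage: `sh set-listen.sh demo` prints `127.0.0.1,192.168.178.35,10.8.0.1`; for the real file, call `set_listen_address /etc/dnsmasq.conf "127.0.0.1,<pihole-lan-ip>,10.8.0.1"` and then restart dnsmasq as the post says. Note that Pi-hole regenerates its own file /etc/dnsmasq.d/01-pihole.conf, so a custom listen-address line is better kept in a separate file under /etc/dnsmasq.d than in that one.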
The easy way of fixing this (at least as you are located behind a router e.g. at home) is to change the listening behavior on the settings page of Pi-hole:
Can anyone explain how to fix this issue? If I set listen on all interfaces OpenVPN works, if I set listen only on interface eth0 I can connect with OpenVPN but routing is not working with Pi-hole. I think my iptables are OK but it has something to do with the eth0 and tun0 interfaces that need to be configured somewhere. Hope that anyone can help to provide a solution. Thx!
Edit: Is it OK to just add pihole_Interface=tun0 to the setupVars.conf file?
What's the issue with listen on all interfaces?
I have my setup with that option.
If I'm not mistaken tun0 will only filter if you are connected to the VPN. For local+remote resolution you must have listen on all interfaces. Your Pi should be behind a gateway firewall which makes the Pi's iptables unimportant.
Hope this helps.
I'll post my iptables if you really need them. I use them for unnecessary redundancy.
I run two instances of openvpn. One on port 1194 udp and another on port 443 tcp.
# Generated by iptables-save v1.6.1 on Mon Apr 8 21:21:18 2019
*nat
:PREROUTING ACCEPT [131:9208]
:INPUT ACCEPT [80:5581]
:OUTPUT ACCEPT [195:12859]
:POSTROUTING ACCEPT [195:12859]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source ip-of-pie
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source ip-of-pie
-A POSTROUTING -s 10.8.1.0/24 ! -d 10.8.1.0/24 -j SNAT --to-source ip-of-pie
-A POSTROUTING -s 10.8.1.0/24 ! -d 10.8.1.0/24 -j SNAT --to-source ip-of-pie
COMMIT
# Completed on Mon Apr 8 21:21:18 2019
# Generated by iptables-save v1.6.1 on Mon Apr 8 21:21:18 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [170:20287]
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p udp --dport 68 -j ACCEPT
-A INPUT -p udp --dport 67 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 68 -j ACCEPT
-A OUTPUT -p udp --dport 67 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 853 -j ACCEPT
-A OUTPUT -p tcp --dport 8245 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Mon Apr 8 21:21:18 2019
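An added example, not part of the post above: a small audit run over an iptables-save dump. It reports exact duplicate rules (the nat table above carries each SNAT rule twice, which is what happens when rules are re-applied with -A without checking with -C first), the INPUT ACCEPT rules that match a port on every interface and source, and whether the INPUT chain ends in an unconditional DROP. The embedded dump is a constructed, shortened copy of the one in the post; "ip-of-pie" is the poster's own placeholder. Pipe a live dump in with `sudo iptables-save | sh audit.sh live`.

```shell
#!/bin/sh
# Added example, not from the post above: audit an iptables-save dump for
# duplicate rules, unscoped INPUT accepts, and a terminating DROP.
set -e

# Constructed sample, shortened from the dump in the thread.
SAMPLE_DUMP='*nat
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source ip-of-pie
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source ip-of-pie
-A POSTROUTING -s 10.8.1.0/24 ! -d 10.8.1.0/24 -j SNAT --to-source ip-of-pie
-A POSTROUTING -s 10.8.1.0/24 ! -d 10.8.1.0/24 -j SNAT --to-source ip-of-pie
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# duplicate_rules: each rule line that occurs more than once, with its count.
duplicate_rules() {
    grep '^-A ' | sort | uniq -d -c | sed 's/^ *//'
}

# unscoped_input_accepts: destination ports of INPUT ACCEPT rules that carry
# neither "-i <iface>" nor "-s <source>", i.e. are open on every interface.
unscoped_input_accepts() {
    awk '/^-A INPUT / && /-j ACCEPT/ && /--dport/ && !/ -i / && !/ -s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }'
}

# has_final_drop: succeeds if the last INPUT rule is an unconditional DROP
# (policy lines such as ":INPUT ACCEPT" are ignored; the last -A INPUT decides).
has_final_drop() {
    grep '^-A INPUT ' | tail -n 1 | grep -q '^-A INPUT -j DROP$'
}

# audit DUMP_TEXT: print the three findings for one dump.
audit() {
    dump="$1"
    echo "duplicate rules (count, rule):"
    printf '%s\n' "$dump" | duplicate_rules
    echo "INPUT accepts open on every interface (ports):"
    printf '%s\n' "$dump" | unscoped_input_accepts | tr '\n' ' '
    echo
    if printf '%s\n' "$dump" | has_final_drop; then
        echo "INPUT ends in DROP: yes"
    else
        echo "INPUT ends in DROP: NO"
    fi
}

case "${1:-}" in
    sample) audit "$SAMPLE_DUMP" ;;
    live)   audit "$(cat)" ;;
    *)      : ;;   # no argument: only define the functions
esac
```

On the poster's full dump the second finding lists 22, 80, 53, 443, 1194, 68 and 67: those are the ports that "listen on all interfaces" exposes to the whole LAN, and, as the poster notes, it is the gateway firewall in front of the Pi that keeps them from being reachable beyond it.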
Thanks for the input. I thought that listen on all interfaces is less secure than listening on eth0 only. Anyway, it works like this so I'm just going to leave it like that.