I have made a new setup with my Raspberry Pi with Pi-hole and OpenVPN.
Everything works fine but now I want to give the server a little bit more security with iptables.
I saw something about this in your wiki how-to and I set up iptables like that, but my problem is that I can’t access the Admin Dashboard of the Pi-hole from any computer at home with that configuration.
I’m not an expert with iptables and I didn’t really find a solution for this, so I hope someone here can help me.
I wrote the wiki articles. I think you referred to this one?
Please provide the output of
sudo iptables -L --line-numbers
so we can see how your firewall is configured. The shown configuration is constructed such that only access within the VPN is possible. That means that also the local network is excluded.
- Your question is how to allow your local network in addition?
- If so, what is the IP address of your Pi-hole? It is needed to decide what addresses belong to your internal network.
When I put in all the rules you wrote down in the wiki article my iptables -L output looks exactly the same as you showed in the article. I can’t post it right now because I deleted the rules for now.
And yes, I want to allow my local network in addition.
The local IP address of my Pi-hole is 192.168.178.35.
Okay, what follows is untested and only constructed off the top of my head, but it should just work for you (or you will get an error message in case I had a typo).
As you already deleted all rules, we can start afresh. First, insert all explicit accept rules for the VPN as written in the wiki:
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT
Then add explicit accept rules for your local network (i.e. 192.168.178.1 - 192.168.178.254):
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p udp --destination-port 80 -j ACCEPT
And finally install the
sudo iptables -A INPUT -p tcp --destination-port 53 -j DROP
sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP
sudo iptables -A INPUT -p udp --destination-port 53 -j DROP
sudo iptables -A INPUT -p udp --destination-port 80 -j DROP
Please share your experience with us, so I can extend our wiki accordingly.
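The order in the answer above matters because iptables walks the INPUT chain top to bottom and the first matching rule decides, so the LAN ACCEPT rules must sit before the port 53/80 DROP rules (which is why starting afresh rather than appending to the existing chain is the safe route). The script below is an added example, not code from the Pi-hole wiki or from anyone in this thread: it parses the rule-spec output of `iptables -S INPUT` (constructed sample chains, so it runs offline without root) and replays that first-match evaluation to report which services a LAN host would be locked out of. The interface name eth0, the probe addresses and the three sample chains are assumptions made for the example.

```python
"""Offline audit of an INPUT chain for the LAN-lockout problem in this thread.

Added example: parses `iptables -S INPUT` rule specs (constructed below) and
replays first-match semantics instead of touching the kernel.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    in_iface: Optional[str]                   # -i tun0
    source: Optional[ipaddress.IPv4Network]   # -s 192.168.178.0/24
    proto: Optional[str]                      # -p tcp | udp
    dport: Optional[int]                      # --dport 53
    target: str                               # -j ACCEPT | DROP


def parse_rule(tokens: List[str]) -> Rule:
    """Turn one '-A INPUT ...' token list into a Rule.

    Assumes every option takes exactly one argument, which holds for the
    rules in this thread ('-m tcp' is skipped; it carries no match we need).
    """
    rule = Rule(None, None, None, None, "")
    i = 2                                     # skip '-A INPUT'
    while i + 1 < len(tokens):
        opt, arg = tokens[i], tokens[i + 1]
        if opt == "-i":
            rule.in_iface = arg
        elif opt == "-s":
            rule.source = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule.proto = arg
        elif opt in ("--dport", "--destination-port"):
            rule.dport = int(arg)
        elif opt == "-j":
            rule.target = arg
        i += 2
    return rule


def load_chain(text: str) -> Tuple[str, List[Rule]]:
    """Parse `iptables -S INPUT` output into (default policy, ordered rules)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["-P", "INPUT"]:
            policy = tokens[2]
        elif tokens[:2] == ["-A", "INPUT"]:
            rules.append(parse_rule(tokens))
    return policy, rules


def matches(rule: Rule, ip: ipaddress.IPv4Address, iface: str, proto: str, port: int) -> bool:
    """A rule matches only when every criterion it specifies matches the packet."""
    return ((rule.in_iface is None or rule.in_iface == iface)
            and (rule.source is None or ip in rule.source)
            and (rule.proto is None or rule.proto == proto)
            and (rule.dport is None or rule.dport == port))


def verdict(text: str, src_ip: str, iface: str, proto: str, port: int) -> str:
    """First matching rule wins, as in the kernel; otherwise the chain policy applies."""
    policy, rules = load_chain(text)
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if matches(rule, ip, iface, proto, port):
            return rule.target
    return policy


SERVICES = (("tcp", 53), ("udp", 53), ("tcp", 80))   # DNS and the admin dashboard


def lan_lockouts(text: str, lan_net: str, iface: str = "eth0") -> List[Tuple[str, int]]:
    """Services that a host on lan_net (probed with its first address) cannot reach."""
    probe = str(next(ipaddress.ip_network(lan_net).hosts()))
    return [(p, n) for p, n in SERVICES if verdict(text, probe, iface, p, n) == "DROP"]


# Constructed sample chains, written the way `iptables -S INPUT` prints them.
PORTS = (("tcp", 53), ("tcp", 80), ("udp", 53), ("udp", 80))
VPN_ACCEPT = [f"-A INPUT -i tun0 -p {p} -m {p} --dport {n} -j ACCEPT" for p, n in PORTS]
LAN_ACCEPT = [f"-A INPUT -s 192.168.178.0/24 -p {p} -m {p} --dport {n} -j ACCEPT" for p, n in PORTS]
DROP_ALL = [f"-A INPUT -p {p} -m {p} --dport {n} -j DROP" for p, n in PORTS]


def chain(*groups: List[str]) -> str:
    return "\n".join(["-P INPUT ACCEPT", *sum(groups, [])]) + "\n"


WIKI_ONLY = chain(VPN_ACCEPT, DROP_ALL)                  # what the original poster had
FIXED = chain(VPN_ACCEPT, LAN_ACCEPT, DROP_ALL)          # the order given in the answer
APPENDED_LATE = chain(VPN_ACCEPT, DROP_ALL, LAN_ACCEPT)  # LAN rules appended after the drops

if __name__ == "__main__":
    for name, text in (("wiki only", WIKI_ONLY), ("fixed", FIXED), ("appended late", APPENDED_LATE)):
        print(f"{name:14s} LAN blocked: {lan_lockouts(text, '192.168.178.0/24')}")
```

Running it shows the wiki-only chain and the "appended late" chain both lock the LAN out of DNS and the dashboard, while the fixed order lets the LAN through and still drops the same ports from any other source. Note that these rules say nothing about other services such as SSH; with the default ACCEPT policy those stay reachable exactly as before.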
I put in all your rules and what should I say?
It works perfectly.
Big thanks for your very quick help.
Just in case some users were still, like me, unable to reach their Pi-hole DNS when connected under OpenVPN (DNS not resolving issue), here’s a quick fix:
/etc/dnsmasq.conf in order to replace:
listen-address=127.0.0.1, 192.168.xxx.xxx, 10.8.0.1
where the second IP is the Pi-hole local network IP and the third IP is the tun0 interface.
Then, simply restart DNSMasq with:
sudo systemctl restart dnsmasq
This fix was found on the PiVPN wiki and I thought that it could help other Pi-hole users under a similar configuration.
Hopefully it’ll be useful for anyone
The easy way of fixing this (at least if you are located behind a router, e.g. at home) is to change the listening behavior on the settings page of Pi-hole:
Thanks @DL6ER. This is the easiest way to do it. Worked for me.