PiHole - VPN with iptables

Hey
I have made a new setup with my Raspberry Pi with Pi-hole and OpenVPN.
Everything works fine, but now I want to give the server a little bit more security with iptables.
I saw something about this in your wiki how-to and I set up iptables like that, but my problem is that I can't access the admin dashboard of the Pi-hole from any computer at home with that configuration.
I'm not an expert with iptables and I didn't really find a solution for this, so I hope someone here can help me.

I wrote the wiki articles. I think you referred to this one?

Please provide the output of

sudo iptables -L --line-numbers

so we can see how your firewall is configured. The configuration shown there is constructed such that only access from within the VPN is possible. That means the local network is excluded as well.

  • Your question is how to allow your local network in addition?
  • If so, what is the IP address of your Pi-hole? It is needed to decide what addresses belong to your internal network.

When I put in all the rules you wrote down in the wiki article, my iptables -L output looks exactly the same as you showed in the article. I can't post it right now because I deleted the rules for now.
And yes, I want to allow my local network in addition.
The local IP address of my Pi-hole is 192.168.178.35.

Okay, what follows is untested and only constructed off the top of my head, but it should just work for you (or you will get an error message in case I made a typo).

As you already deleted all rules, we can start afresh. First, insert all explicit accept rules for the VPN as written in the wiki:

sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 80 -j ACCEPT

Then add explicit accept rules for your local network (i.e. 192.168.178.1 - 192.168.178.254):

sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -s 192.168.178.0/24 -p udp --destination-port 80 -j ACCEPT

And finally install the drop rules:

sudo iptables -A INPUT -p tcp --destination-port 53 -j DROP
sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP
sudo iptables -A INPUT -p udp --destination-port 53 -j DROP
sudo iptables -A INPUT -p udp --destination-port 80 -j DROP

Please share your experience with us, so I can extend our wiki accordingly.

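An added example, not part of the thread or of the Pi-hole wiki: a script that generates the twelve INPUT rules from the reply above in the order they have to be appended (VPN accept, LAN accept, then DROP), together with a small first-match simulator so the ordering can be checked before anything is applied to a live firewall. The interface name, subnet and ports are the ones from the thread; the sample packets and the assumption that the INPUT chain policy is ACCEPT are constructed for the example.

```shell
#!/usr/bin/env bash
# Example script (not from the thread): generate the INPUT rules in the order
# they must be appended, simulate first-match evaluation, optionally apply.
set -u

VPN_IF="tun0"                 # OpenVPN interface from the thread
LAN_CIDR="192.168.178.0/24"   # local network from the thread (Pi-hole is .35)
PORTS="53 80"                 # DNS and the admin dashboard (HTTP)

# Print one rule per line in the order it must be applied. -A appends, so the
# ACCEPT rules have to come before the catch-all DROP rules or nothing gets in.
build_rules() {
  local p proto
  for proto in tcp udp; do
    for p in $PORTS; do echo "-A INPUT -i $VPN_IF -p $proto --dport $p -j ACCEPT"; done
  done
  for proto in tcp udp; do
    for p in $PORTS; do echo "-A INPUT -s $LAN_CIDR -p $proto --dport $p -j ACCEPT"; done
  done
  for proto in tcp udp; do
    for p in $PORTS; do echo "-A INPUT -p $proto --dport $p -j DROP"; done
  done
}

# Dotted-quad IPv4 address -> integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR.
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict IFACE SRC PROTO DPORT -> prints ACCEPT or DROP. The first matching
# rule wins; a packet no rule matches falls through to the chain policy, which
# this example assumes is ACCEPT (check with: sudo iptables -L INPUT).
verdict() {
  local iface=$1 src=$2 proto=$3 dport=$4 result
  result=$(build_rules | while read -r line; do
    set -- $line
    r_if=""; r_src=""; r_proto=""; r_port=""; r_target=""
    while [ $# -gt 0 ]; do
      case $1 in
        -i) r_if=$2; shift ;;
        -s) r_src=$2; shift ;;
        -p) r_proto=$2; shift ;;
        --dport) r_port=$2; shift ;;
        -j) r_target=$2; shift ;;
      esac
      shift
    done
    if [ -n "$r_if" ] && [ "$r_if" != "$iface" ]; then continue; fi
    if [ -n "$r_src" ] && ! in_cidr "$src" "$r_src"; then continue; fi
    if [ "$r_proto" != "$proto" ] || [ "$r_port" != "$dport" ]; then continue; fi
    echo "$r_target"; exit 0   # first match: leave the pipeline subshell
  done)
  echo "${result:-ACCEPT}"     # no match: chain policy (assumed ACCEPT)
}

# Install the rules on the live firewall (needs root; run this only on the Pi).
apply_rules() {
  build_rules | while read -r rule; do
    sudo iptables $rule
  done
}

if [ "${1:-}" = "--apply" ]; then apply_rules; else build_rules; fi
```

Run it without arguments to see the rule list, with `--apply` to install it, and then `sudo iptables -L --line-numbers` to confirm the order on the Pi. Two things the simulator makes visible: a LAN client reaching port 80 is accepted only because its ACCEPT rule sits above the DROP rule, and these rules say nothing about any other port (SSH, for instance), which stays governed by whatever the INPUT chain policy is.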

I put in all your rules and what should I say?
It works perfect :heart_eyes:
Big thanks to your very quick help :slight_smile:

Hi there! :wink:

Just in case some users are still, like me, unable to reach their Pi-hole DNS when connected over OpenVPN (DNS not resolving), here's a quick fix:

  • First, modify /etc/dnsmasq.conf in order to replace:
    #listen-address= with listen-address=127.0.0.1, 192.168.xxx.xxx, 10.8.0.1
    where the second IP is the Pi-hole local network IP and the third IP is the tun0 interface.

  • Then, simply restart DNSMasq with:
    sudo systemctl restart dnsmasq

This fix was found on the PiVPN wiki and I thought that it could help other Pi-hole users with a similar configuration.

Hopefully it’ll be useful for anyone :slight_smile:

The easy way of fixing this (at least if you are located behind a router, e.g. at home) is to change the listening behavior on the settings page of Pi-hole:


Thanks @DL6ER. This is the easiest way to do it. Worked for me.