PiVPN + Pi-Hole installation let crashes the Raspberry

DanSchaper · July 9, 2017, 6:12am

The 10 digit code is the token that we use to access your uploads on the Tricorder server. So every upload will generate a new token.

If you'd like us to take a look at a log or an upload to see what we can find, you'll have to post the token here for us. It's a secured system, even if everyone knows your token there are only 5 people that can currently see anything on Tricorder.pi-hole.net. (You can check that by going to that server and you'll see that you are unable to log in as you don't have the proper credentials.)

PatBuf · July 11, 2017, 5:50pm

Yes, That was a bit stupid of me.

A new try. I hope everything went well now.
The token is: 9y09g8nixe

Thanks.

jacob.salmela · July 12, 2017, 3:26am

The information uploaded was just the path to a file about your firewall...it wasn't a full log file. Will you try again?

PatBuf · July 12, 2017, 6:11pm

I used this command: echo /home/pi/Documents/Firewallrules.txt | nc tricorder.pi-hole.net 9999

Then I got that token en post it.

jacob.salmela · July 12, 2017, 6:26pm

You need to cat the file's content to be uploaded; when you used echo it just uploaded the file path to the server. Try again with

cat /home/pi/Documents/Firewallrules.txt | nc tricorder.pi-hole.net 9999

and post the debug token.

PatBuf · July 12, 2017, 7:22pm

I tried that too. But then I get back:
cat: /home/pi/Documents/Firewallrules.txt: No such file or directory Use netcat.

DanSchaper · July 12, 2017, 7:31pm

Does

cat /home/pi/Documents/Firewallrules.txt

actually output the contents of the file? It looks like that file doesn't exist.

PatBuf · July 13, 2017, 5:42pm

Apparently I have to put the extension .txt at the end of the file.
So I did that, and now got a token:

cxm2mojf87

Thanks.

DL6ER · July 17, 2017, 4:54pm

I've been traveling a lot lately and haven't had a chance to check what was going on here. You you please re-upload your file?

Background: Our backend deletes any uploaded data after 48 hours, so I cannot access the data using your token, anymore. However, I should have time to look at your file on Wednesday.

PatBuf · July 18, 2017, 6:02pm

No probs. I uploaded it again:

1tlfqlukqk

Thanks.

DL6ER · July 20, 2017, 5:50pm

Okay, I finally came around to look at your file before it expires (in 20 minutes ).

These rules do only protect your Pi-hole if it is connected over wlan0, but not over wired connection. Are you using wireless upstream connection only?
These rules will not allow you any SSH access, except from an address in the range 10.10.10.*
HTTP and HTTPS (ports 80 and 443) won't be protected (accessible both over wlan0 and tun0). The protection has to be on the router level.
DNS won't be available on wlan0, only though the VPN. Is that intended?

PatBuf · July 23, 2017, 10:11am

DL6ER:

Okay, I finally came around to look at your file before it expires (in 20 minutes ).

These rules do only protect your Pi-hole if it is connected over wlan0, but not over wired connection. Are you using wireless upstream connection only?
I use a Pi zero W, so it is over Wifi only.

These rules will not allow you any SSH access, except from an address in the range 10.10.10.*
For security reasons I disabled SSH in the Raspberry. I don't use it, only when I need to transfer some files to my computer. I use XRDP to connect remotley to the Pi.

HTTP and HTTPS (ports 80 and 443) won't be protected (accessible both over wlan0 and tun0). The protection has to be on the router level.
My router is a Fritzbox, and the documentation says: 'The FRITZ!Box offers a completely closed firewall to protect against unwanted data from the Internet. In the factory settings, all of the computers, smartphones, and other devices connected to the FRITZ!Box are already completely protected against attacks from the Internet.'
I created some port forwarding rules in the router, but not for the Raspberry. I think it's okay how it's set up now?

DNS won't be available on wlan0, only though the VPN. Is that intended?
This one I don't understand. Will this mean that when I typ a web address in my home network that it will not work?

Thanks for looking to the file.
See my answers under yours.

The rest of the rules looking good? Nothing is missing?

deviation56 · July 27, 2017, 12:39am

The reason I use PiVPN is that PiVPN gives the possibility to use a password in the OVPN config files. For so far I know OpenVPN does not.

FWIW- here is an openvpn server implementation with password authentication:

I'm currently running it on a regular Ubuntu 14.04 server but I don't see any reason why it should not install on a Raspberry Pi.

The installer is not quite as nice as Pihole's/PiVPN's but It comes with a nifty web UI for managing openvpn users and downloading openvpn client config files. I'm going to attempt to get this running in harmony with Pihole tonight and will report back.

DL6ER · August 1, 2017, 5:59pm

From what I've seen everything should be fine anyhow as your router is hiding the Raspberry as long as there are no rules (as you said). What you add is only adding some security in a place where you will (most likely) never need it.

Yes, that is what I meant.

SanFokion · August 22, 2017, 3:02pm

Could someone please explain the basic steps in order to install both pihole and pivpn. For the pihole, what dns server should I use and what for the pivpn. After installing both of them should I continue with the extra step of the recommended tutorial?

Mcat12 · August 24, 2017, 3:18am

This should help:

I think you just setup Pi-hole normally and then install PiVPN afterwards (I haven't done this before though).

Dubh · August 25, 2017, 2:49pm

That's exactly what I did, and it "just worked". I simply configured the LAN IP of the Pi-Hole system as the DNS server, I didn't do anything else special.