Problem with OpenVPN


#1

Need some help/advise from the pros…

I installed pihole a few months ago, and loved it…
then I saw openvpn integration and jumped into the bandwagon immediately… however… my network is not longer piholed…I’ll try and explain:

My setup:

  • cable modem/router with DNS that can be edited (since it work before) and routed to pihole raspberry pi IP, and OpenDNS… since it allows for up to 3 (maybe this is part of the issue?)
  • small network of a couple of windows and mac machines, as well as a few other devices: cell, tablets, etc…connected by wired and wifi
  • raspberry pi B running pihole (I should upgrade soon, dont freak out :slight_smile: ) I installed pihole a few months/weeks ago and then installed openvpn as per the instructions on the wiki: here

Issue:
I still have the DNS mapped to my current piholed/raspberry device
when I connect through the OpenVPN on my cell, everything seems to be piholed and blocked as it should be (btw: Im able to see all my lan/wlan devices if I’m, lets say, my cell connection away from home)
When I connect through any of the lan/wlan computers around the home, it seems like Im not getting protected by the pihole, I figure if I connect through the openvpn connection I get protected by testing… but then… not sure I want to do that every time… is that the way its supposed to work? am I missing something?

What I would like:
-connect from my cell while away, lets say airport wi-fi and be protected by my pihole-openvpn (not important if i connect to the other devices or not, which I read under the wiki that can be easily changed)
-connect from lan/wlan devices around the home without having to connect to the openvpn and be protected by the pihole


Pi-hole with OpenVPN VPS Debian
#2

I moved your message to a new topic since it is not related to the issue we are discussing in the other topic but a separate problem on a separate system.

I use myself a Pi B for development and use it in the office with about 10 active clients.

I think you might have followed our tutorial and changed the interface from eth0 (or similar) to tun0 in /etc/dnsmasq.d/01-pihole.conf? If so, you disabled it for your local network - I see that I should add a note in the tutorial.

For new, try to disable the interface line in /etc/dnsmasq.d/01-pihole.conf, like

# interface=tun0

and restart dnsmasq:

sudo service dnsmasq restart

#3

Since it’s working properly via the VPN, you’d need to make pihole listen on your local LAN IP, in addition to just the tun/vpn IP…
Make a new file (to ensure it stays after upgrades) /etc/dnsmasq.d/02-ANYNAME.conf
Add the LAN IP of your Pi (the IP of eth0) in it (which you edited in the modem/router)

listen-address=192.168.1.200

Do pihole restartdns

interface=eth0 can be used instead of listen-address - Man page of DNSMASQ


#4

Thanks to @DL6ER & @spacemonkey

issue: after installing PiHole and run it for a while, I installed OpenVPN by following the instructions from here .
I had to to tweak a few things, however, in order to have the VPN and internal network, both run through my pihole:

edited:
sudo nano /etc/dnsmasq.d/01-pihole.conf
should removed “eth0” if any and replaced with:
interface=tun0

added:
sudo nano /etc/dnsmasq.d/02-pihole.conf
add:
interface=eth0

I did a whole reboot of the raspberry pi
sudo reboot

hope this helps…


#5

We are actually going to remove the limitation that the Pi-hole will listen only on one interface, so that this shouldn’t be an issue in the future, anymore.


#6

Awesome news! I was hoping this would happen since I tried to ask about that (being able to select more than one option in which pihole listens)a little bit ago.
Thanks for coming around!


#7

Does this mean that Pi-hole will by default listen on the WAN interface as well? :astonished:


Warning About Open Public Resolvers?
#8

It depends which kind of device you have. Can you tell me more? If Pi-hole is running directly on the router that the answer might be Yes.


#9

I’m running one debian/pihole in the home network behind a router. Another on a VPS with openvpn as described here https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Installation
The second instance is the one I’m concerned about, which will listen on WAN by default. I guess if I add an IP or interface in /etc/dnsmasq.d/02-xxx.conf it will fix that. I suppose Pi-hole being for Pi’s and having only one ethernet port can be assumed to always be be a LAN device and so it won’t be a problem for many.


#10

Have you followed my advises [here](https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Firewall-configuration-(using-iptables)? A properly setup firewall sound IMHO much better than just having dnsmasq not listening on the device.


#11

I understand that. But most users who use the CLI to install pi-hole put some level of trust into it’s makers. If the above change makes into pi-hole, it will potentially leave some pi-hole installations, by default, as public DNS servers. I would expect the default pi-hole dnsmasq config to at least include local-service, to make future installations secure by default.
PS: following wiki to create an additional config file is less daunting than the wiki to create a firewall rule(s).


#12

If you install a server package to a device that has public internet facing interfaces, then it is your responsibility to firewall the device. The only situation I can see that happening is if you put a device in a DMZ, or on a VPS. Both situations require a firewall. Would you place a Raspberry Pi on a network with a public interface and leave the default user/pass pi/raspberry?


#13

I’m assuming to be at the same knowledge level as most of those who seek help for the pi-hole here. Besides, there’s no harm in including local-service to make pi-hole bulletproof.


#14

Not having a firewall set up can never be secure by default. I didn’t mark it as optional in the Wiki because it is actually optional, but rather because most installations are sitting behind a NAT/router which takes care for you about doing that properly. If your server is out in the wild (AKA VPS etc) you should never consider it as secure, especially not with any default configuration that might be there.

We are currently investigating if this option works in all cases. See


#15

The user will be able to chose in the next release, while the default will be using local-service


Option to install VPN