Security questions and other issues with Pi-Hole + VPN


#1

Initial problem: VPN only works from home network. Cannot connect from outside. Pportfowarding is set up, OpnVPN is configured based on this detailed guide https://docs.pi-hole.net/guides/vpn/overview but still no success.

Goal: DNS serve& VPN that can be utilized securely from outside of the network

Current software idea: Raspian Stretch Lite, Pi-Hole, OpenVPN

Hardware: Pi Zero W, Netgear N7000

Home network devices, Win10, Linux, Android

Router settings: static IP for Pi, port forwarding set up to the Pi’s IP address, DNS server is the Pi’s internal IP address, utilizing No-Ip.com

My expertise level: intermediate with networking, advanced with Win10, Linux: on and off have been dabbling with it for 20 years but rather a beginner

Should I even bother trying to install OpenVPN on the Pi or just set it up on the router? Pros/Cons?

Security Questions:

  • what is the weakest link here?

  • should I run Pi-Hole on and OpenVPN on two separate devices?

  • how to encrypt the files on linux?

  • How should I make it secure from any outside attacks? Does it make sense of installing a firewall on the Pi?


#2

The forwarded ports on your router. If your Pi-Hole is within your network, you should not have to forward ports. The VPN provides the secure tunnel for external clients to get to the Pi-Hole.

They will run nicely together on the same device, per the guide you referenced.

This should not be required if your Pi is behind your router and the only external access is through VPN.

Use only the VPN to allow extenal clients to access it securely. Don’t forward ports to the Pi.

The Pi already has a firewall available and this is configured for Pi-Hole during the installation process.


#3

Thank you very much for the reponses.

I still have no solution to this point:

Initial problem: VPN only works from home network. Cannot connect from outside. Pportfowarding is set up, OpnVPN is configured based on this detailed guide https://docs.pi-hole.net/guides/vpn/overview but still no success.


#4

How’s that possible? How will I access anything from outside without portforwarding? Could you please explain?


#5

When you have the VPN working between the Pi and the outside client, all traffic goes within the encrypted tunnel. The router doesn’t see anything other than an encrypted stream, with no knowledge of port activity.

With the Pi behind your router, if the VPN is not used, the Pi is inviisible to the internet. With the VPN, you create a direct tunnel to the Pi.


#6

So how to I connect to the VPN? This is my main issue from the original post. I have a working VPN and pi-hole on the home network but I cannot connect to it from outside


#8

A normal setup would look like this:

OpenVPN set-up on your Pi zero W alongside Pi-hole, (i’m asuming you din’t change the default openVPN port) the port forwarded in your Netgear to point at your Pi Zero IP.

If your port is 1194 then that’s the port you will POINT to. To keep it easy, use the same port on INCOMING (on the router in the port forwarding settings).

Do you have a ddns host set-up or do you have a static IP assigned from your ISP ?

I’m asking because when the ovpn file is generated with that IP information as the connecting parameter.

Take a look at your *.ovpn file and make sure under the remote parameter you have the correct (your public facing) IP or your ddns hostname and the correct port.

(I have a feeling that during Road Warrior setup - when told you are behind a NAT - you entered the local IP and all your ovpn files are generated with the internal IP as the connecting IP - that’s why it works only when @ home - )

As for your initial question, I personally chose to go via OpenVPN and Pi-hole, self managed.

It makes troubleshooting a lot easier from a device I have full control over (the Pi) versus the Netgear (it have an R8000) that I have to log in via the web interface.

I like to have full control over my devices and if even needed, the whole thing is a ssh away.

Those are the pros in my book. The cons? Can’t think of any …

With the VPN running on the router, your hands are tied when it comes to settings … those would be the cons :slight_smile:


#9

Thank you.

I did change the port so it’s not the default. I forward that port to the Pi’s IP in the router. I use noip because I have dynamic IP. I set the host url up in openvpn and double checked the .ovpn file and it shows it in there. It has the “remote” line showing the right url and the right port. When I ping the url it shows my IP so it’s working.

When it told me I am behind a NAT I gave the Pi’s IP address.

Still can’t access it from outside :frowning:


#10

Something is blocking your inbound connection then.

I have the exact same setup and it works on my side.

Anything that might provide a clue in the openvpn connection log on the device?


#11

yeah, that’s what I am trying to figure out what could be blocking it…

I’m not home now but I’ll look into the log. Where do I find that? What should I be looking for?

How did you set up yours? This is the order I installed things

  1. Raspian Lite
  2. Pi-Hole
  3. OpenVPN (using these exact steps https://docs.pi-hole.net/guides/vpn/overview)
  4. Set up port forwarding

#12

Any information, why it fails to connect.
That’s on the device that uses the ovpn file (phone, tablet laptop ?).

I did set it up just like you described :slight_smile:


#13

it’s driving me nuts!!! I reinstalled the whole thing like 4 times…

This is the log when i try to connect to it:
Wed Dec 26 13:15:49 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Dec 26 13:15:49 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Dec 26 13:15:49 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Wed Dec 26 13:15:49 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Dec 26 13:15:49 2018 Need hold release from management interface, waiting…
Wed Dec 26 13:15:50 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD ‘state on’
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD ‘log all on’
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD ‘echo all on’
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD ‘bytecount 5’
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD ‘hold off’
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD ‘hold release’
Wed Dec 26 13:15:50 2018 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Wed Dec 26 13:15:50 2018 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Wed Dec 26 13:15:50 2018 MANAGEMENT: >STATE:1545848150,RESOLVE,
Wed Dec 26 13:15:50 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XXX.XXX.XX:[port number]
Wed Dec 26 13:15:50 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 26 13:15:50 2018 UDP link local: (not bound)
Wed Dec 26 13:15:50 2018 UDP link remote: [AF_INET]XX.XXX.XXX.XX:[port number]
Wed Dec 26 13:15:50 2018 MANAGEMENT: >STATE:1545848150,WAIT,


#14

then after a while drops this error:

Wed Dec 26 13:21:10 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Dec 26 13:21:10 2018 TLS Error: TLS handshake failed


#15

Try using a different port, see if that works.


#16

tried a different port
same results
this is really driving me nuts


#17

Something is definitely set-up wrong there …

The problem is not with Pi-hole as you can’t even get to the host from outside the network …

I used this OpenVPN script:

https://pastebin.com/tqY2pvpV

Installed Pi-hole (on eth0 and allowed all origins), installed openvpn via the script above on a raspberry.
Forwarded the custom port in my netgear. The end :slight_smile:

It works …


closed #18

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.