Initial problem: VPN only works from home network. Cannot connect from outside. Port forwarding is set up, OpenVPN is configured based on this detailed guide https://docs.pi-hole.net/guides/vpn/overview but still no success.
Goal: DNS server & VPN that can be utilized securely from outside of the network
Current software idea: Raspbian Stretch Lite, Pi-Hole, OpenVPN
Hardware: Pi Zero W, Netgear N7000
Home network devices, Win10, Linux, Android
Router settings: static IP for Pi, port forwarding set up to the Pi's IP address, DNS server is the Pi's internal IP address, utilizing No-Ip.com
My expertise level: intermediate with networking, advanced with Win10, Linux: on and off have been dabbling with it for 20 years but rather a beginner
Should I even bother trying to install OpenVPN on the Pi or just set it up on the router? Pros/Cons?
Security Questions:
what is the weakest link here?
should I run Pi-Hole and OpenVPN on two separate devices?
how to encrypt the files on Linux?
How should I make it secure from any outside attacks? Does it make sense to install a firewall on the Pi?
The forwarded ports on your router. If your Pi-Hole is within your network, you should not have to forward ports. The VPN provides the secure tunnel for external clients to get to the Pi-Hole.
They will run nicely together on the same device, per the guide you referenced.
This should not be required if your Pi is behind your router and the only external access is through VPN.
Use only the VPN to allow external clients to access it securely. Don't forward ports to the Pi.
The Pi already has a firewall available and this is configured for Pi-Hole during the installation process.
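A ruleset for the Pi's own firewall that matches the advice in this reply, as an added example (not the thread's or the Pi-hole guide's code): only the OpenVPN port is accepted from any source, while DNS, SSH and the Pi-hole admin page are limited to the home LAN and the VPN tunnel subnet, so the Pi never becomes an open resolver. The LAN and tunnel CIDRs, the port and the interface names are assumptions; substitute your own before loading it.

```shell
#!/bin/sh
# Added example: minimal iptables-restore ruleset for a Pi running Pi-hole
# and OpenVPN behind a home router. Everything below is an assumption for
# the example; adjust the CIDRs, port and interface names to your network.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # assumed home LAN
VPN_CIDR="${VPN_CIDR:-10.8.0.0/24}"      # assumed OpenVPN tunnel subnet
VPN_PORT="${VPN_PORT:-1194}"             # the UDP port your router forwards
VPN_IF="${VPN_IF:-tun0}"                 # OpenVPN tunnel interface
LAN_IF="${LAN_IF:-eth0}"                 # Pi's LAN-facing interface

# gen_rules LAN_CIDR VPN_CIDR VPN_PORT -> iptables-restore text on stdout
gen_rules() {
    lan="$1"; vpn="$2"; port="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# VPN clients leave the Pi with its LAN address (needs net.ipv4.ip_forward=1)
-A POSTROUTING -s $vpn -o $LAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep established flows and loopback traffic working
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# the only service reachable through the router's port forward: OpenVPN
-A INPUT -p udp --dport $port -j ACCEPT
# DNS for the LAN and for VPN clients only, never for the whole internet
-A INPUT -s $lan -p udp --dport 53 -j ACCEPT
-A INPUT -s $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -s $vpn -p udp --dport 53 -j ACCEPT
-A INPUT -s $vpn -p tcp --dport 53 -j ACCEPT
# SSH and the Pi-hole admin page: LAN and VPN clients only
-A INPUT -s $lan -p tcp -m multiport --dports 22,80 -j ACCEPT
-A INPUT -s $vpn -p tcp -m multiport --dports 22,80 -j ACCEPT
# ping from inside is handy when troubleshooting
-A INPUT -s $lan -p icmp -j ACCEPT
-A INPUT -s $vpn -p icmp -j ACCEPT
# let tunnel traffic out to the LAN/internet and replies back in
-A FORWARD -i $VPN_IF -j ACCEPT
-A FORWARD -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# exposed_ports RULES -> "proto/port" for every INPUT rule that accepts from
# any source; for this design the list should contain only the VPN port.
exposed_ports() {
    printf '%s\n' "$1" | awk '/^-A INPUT/ && !/-s / && /--dport/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
        }
        print proto "/" port
    }'
}

# Stand-alone use: review the ruleset, then load it as root with
#   gen_rules "$LAN_CIDR" "$VPN_CIDR" "$VPN_PORT" | sudo iptables-restore
gen_rules "$LAN_CIDR" "$VPN_CIDR" "$VPN_PORT"
```

Run `exposed_ports "$(gen_rules ...)"` after any edit to the ruleset; if it prints anything besides the VPN port, a service has been opened to the internet by mistake. The MASQUERADE and FORWARD rules only matter if you want VPN clients to reach the LAN or the internet through the tunnel; for DNS alone the INPUT rules are enough.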
Initial problem: VPN only works from home network. Cannot connect from outside. Port forwarding is set up, OpenVPN is configured based on this detailed guide https://docs.pi-hole.net/guides/vpn/overview but still no success.
When you have the VPN working between the Pi and the outside client, all traffic goes within the encrypted tunnel. The router doesn't see anything other than an encrypted stream, with no knowledge of port activity.
With the Pi behind your router, if the VPN is not used, the Pi is invisible to the internet. With the VPN, you create a direct tunnel to the Pi.
So how do I connect to the VPN? This is my main issue from the original post. I have a working VPN and Pi-hole on the home network but I cannot connect to it from outside.
With OpenVPN set up on your Pi Zero W alongside Pi-hole (I'm assuming you didn't change the default OpenVPN port), the port forwarded in your Netgear should point at your Pi Zero's IP.
If your port is 1194 then that's the port you will POINT to. To keep it easy, use the same port on INCOMING (on the router in the port forwarding settings).
Do you have a ddns host set-up or do you have a static IP assigned from your ISP ?
I'm asking because the ovpn file is generated with that IP information as the connecting parameter.
Take a look at your *.ovpn file and make sure under the remote parameter you have the correct (your public facing) IP or your ddns hostname and the correct port.
(I have a feeling that during the Road Warrior setup, when told you are behind a NAT, you entered the local IP, and all your ovpn files were generated with the internal IP as the connecting IP; that's why it only works at home.)
As for your initial question, I personally chose to go via OpenVPN and Pi-hole, self managed.
It makes troubleshooting a lot easier from a device I have full control over (the Pi) versus the Netgear (I have an R8000) that I have to log in to via the web interface.
I like to have full control over my devices and, if ever needed, the whole thing is an ssh away.
Those are the pros in my book. The cons? Can't think of any ...
With the VPN running on the router, your hands are tied when it comes to settings ... those would be the cons
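A check for the remote line this reply describes, as an added example (not the Pi-hole guide's or the road-warrior script's own code): it reads every remote line of a client .ovpn file and flags an address that is private (RFC 1918), loopback or link-local, which is exactly the profile that connects at home and nowhere else. The sample profile, its address and its port are constructed for the example.

```shell
#!/bin/sh
# Added example: find client profiles whose "remote" points at an internal
# address. OpenVPN's remote line is "remote host [port] [proto]"; the port
# defaults to 1194 when omitted.

# is_private_ipv4 ADDR -> 0 if ADDR is RFC 1918, loopback or link-local, else 1
is_private_ipv4() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_remotes FILE -> one line per remote: "host port verdict"
#   PRIVATE    internal address, works only from inside the LAN
#   PUBLIC-IP  routable literal address (fine for a static ISP address)
#   HOSTNAME   a name such as a No-IP/DDNS host; verify it resolves to
#              your current public address
check_remotes() {
    awk '$1 == "remote" { print $2, ($3 == "" ? "1194" : $3) }' "$1" |
    while read -r host port; do
        if printf '%s' "$host" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
            if is_private_ipv4 "$host"; then verdict=PRIVATE; else verdict=PUBLIC-IP; fi
        else
            verdict=HOSTNAME
        fi
        printf '%s %s %s\n' "$host" "$port" "$verdict"
    done
}

# demo_profile -> path of a constructed profile that shows the mistake:
# the LAN address entered at the "behind a NAT" prompt ends up in "remote".
demo_profile() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
client
dev tun
proto udp
# constructed sample; 192.168.1.50 and 11940 are made up for the example
remote 192.168.1.50 11940
resolv-retry infinite
nobind
EOF
    printf '%s' "$f"
}

# Stand-alone use: check_remotes /path/to/client.ovpn
f=$(demo_profile)
check_remotes "$f"      # prints: 192.168.1.50 11940 PRIVATE
rm -f "$f"
```

A HOSTNAME verdict only says the profile carries no internal address. You still have to confirm that the name resolves to the address your ISP currently gives you (as the original poster did with ping) and that the port on the remote line is the one the router forwards to the Pi; a PUBLIC-IP literal stops working the day a dynamic ISP address changes.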
I did change the port so it's not the default. I forward that port to the Pi's IP in the router. I use noip because I have dynamic IP. I set the host url up in openvpn and double checked the .ovpn file and it shows it in there. It has the "remote" line showing the right url and the right port. When I ping the url it shows my IP so it's working.
When it told me I am behind a NAT I gave the Pi's IP address.
It's driving me nuts!!!! I reinstalled the whole thing like 4 times...
This is the log when i try to connect to it:
Wed Dec 26 13:15:49 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Dec 26 13:15:49 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Dec 26 13:15:49 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Wed Dec 26 13:15:49 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Dec 26 13:15:49 2018 Need hold release from management interface, waiting...
Wed Dec 26 13:15:50 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD 'state on'
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD 'log all on'
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD 'echo all on'
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD 'bytecount 5'
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD 'hold off'
Wed Dec 26 13:15:50 2018 MANAGEMENT: CMD 'hold release'
Wed Dec 26 13:15:50 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 26 13:15:50 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Dec 26 13:15:50 2018 MANAGEMENT: >STATE:1545848150,RESOLVE,,,,,,
Wed Dec 26 13:15:50 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XXX.XXX.XX:[port number]
Wed Dec 26 13:15:50 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Dec 26 13:15:50 2018 UDP link local: (not bound)
Wed Dec 26 13:15:50 2018 UDP link remote: [AF_INET]XX.XXX.XXX.XX:[port number]
Wed Dec 26 13:15:50 2018 MANAGEMENT: >STATE:1545848150,WAIT,,,,,,
The problem is not with Pi-hole as you can’t even get to the host from outside the network ...
I used this OpenVPN script:
Installed Pi-hole (on eth0 and allowed all origins), installed OpenVPN via the script above on a Raspberry.
Forwarded the custom port in my netgear. The end