See my PiHole enabled OpenVPN Server

You can see my PiHole enabled OpenVPN Server... this just made my love for PiHole reach new heights :slight_smile:

More details may be added later, but the current version should be enough to help PiHole admins get OpenVPN up and running on the same RPi :wink:

4 Likes

OpenVPN is not directing traffic through Pi-hole; your guide, which adds only one line to the .conf file, did not fix this. Am I missing the other changes that need to be made?

2 Likes

Hopefully this is still relevant or will be found useful to others, but here's what I had to do to get Pi-hole to work for my OpenVPN clients:

(I highly recommend quickly reviewing the 'Long overdue update' at the bottom of this post before continuing, and using it alongside the guide where necessary.)

1. Needed to set up my /etc/pihole/setupVars.conf file like so, by adding an additional listening interface (DNS may be different for some):

piholeInterface=eth0
piholeInterface=tun0
IPv4_address=[raspberryPi IP address]/24
IPv6_address=
piholeDNS1=8.8.8.8
piholeDNS2=8.8.4.4

2. Then make sure that /etc/dnsmasq.d/01-pihole.conf looks like the following (note that there are two 'interface=' entries: one for the Ethernet port, one for the tun0 VPN interface):

address=/pi.hole/[raspberryPi ip address]
addn-hosts=/etc/pihole/gravity.list
domain-needed
bogus-priv
no-resolv
server=8.8.8.8
server=8.8.4.4

interface=eth0
interface=tun0

cache-size=10000
log-queries
log-facility=/var/log/pihole.log
local-ttl=300
log-async

3. Example dump of the whole OpenVPN server config (located in /etc/openvpn/server.conf). I bolded the relevant lines.
Most of this should already be setup when you installed openvpn. This config assumes that your local subnet is a standard 192.168.1.0/24 network, and that the subnet OpenVPN server is assigning/using for connected clients is 10.8.0.0/24:

dev tun
proto tcp
port 1149
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS [raspberryPi ip address no subnet listed]"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

4. Example client config (minus the secret private stuff like cert fields, etc.) :wink:

client
dev tun
proto tcp
remote [external IP or your resolvable domain] 1149
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 1

5. Reboot the Pi, and forward your OpenVPN listening port through your router to the Raspberry Pi's IP address.

TL;DR

OpenVPN creates a new virtual interface on the raspberry pi (default 'tun0' in my case), and pi-hole doesn't know about it until you put it into the /etc/dnsmasq.d/01-pihole.conf config file ~step 2. (Step 1 holds configs in case you update your pi-hole instance so you don't have to fiddle with config files again.)

Then you also need to tell your OpenVPN server to point all DNS queries by your clients (and other traffic requests) through your Raspberry Pi instead of defaulting to your gateway or any other DNS server, as the Pi will handle it ~ step 3.

If done correctly, you should start seeing IP addresses from both subnets in the admin web interface.


Deprecated as of a while ago, my bad :frowning:

It appears that when you update pihole, it does not add more than one 'interface' back into the 01-pihole.conf file (even if you have it listed in the setupVars.conf file). You will need to manually check and make sure that both of your interfaces are in place in the 01-pihole.conf file before it will work after updating.

Updating also results in only two DNS server addresses being listed, and any additional servers will need to be manually added as well.

Also, the new web interface appears to currently only show one listening interface in the "Pi-Hole Ethernet Interface" section, but it still is listening on both.

Long overdue :scream_cat: - Update - 3/15/2017
(Left original update section for a running history of changes)

Minor update and documenting an alternative way to maintain the additional interface when updating pi-hole so the interface does not have to be added in every time.

  • Pi-hole currently allows for adding more than two DNS servers and extra ones no longer need to be manually added outside the admin interface through configuration files.
  • The /etc/pihole/setupVars.conf file also no longer needs or really cares about additional 'PIHOLE_INTERFACE=' entries either (I think anyway), so Step 1 can be skipped entirely.

The system uses the dnsmasq service and parses the /etc/dnsmasq.d/ directory for configuration files. We can separate out our additional interface line (the "interface=tun0" line from Step 2 in my example above) into a new, separate file in the same directory as 01-pihole.conf (which should be that /etc/dnsmasq.d/ directory).

  1. Create a new file and call it whatever you'd like; for example, I called my additional new file 02-addint.conf for the sake of clarity.
  2. Remove the extra interface line from 01-pihole.conf and place that line by itself into the new 02-addint.conf file.
  3. Save the new file, and either restart the pihole and dnsmasq services, or (probably easier) just reboot your device entirely.

You should now be able to update Pi-hole worry-free (for now ~ lol) without having to manually put the additional listening interfaces back in. What's cool is that the "teleporter" export utility from the admin interface also exports this extra config file along with the other standard files, so this change can get backed up worry-free as well.

edit: words | edit2: more words | edit3: update | edit4: DNS note | edit5: 3/15/2017 update | edit6: rephrasing

7 Likes
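The drop-in approach from the update above, scripted as an added example (this is my code, not the poster's, Pi-hole's or OpenVPN's). It moves the extra `interface=` line out of the file Pi-hole regenerates into a separate drop-in, counts how many files now declare it, and checks that server.conf carries the two `push` lines that actually send client queries to the Pi. The drop-in name 02-addint.conf follows the post; the directory, interface name and Pi address are passed in by the caller, and the demo at the bottom runs against constructed copies of the files rather than the live ones.

```shell
#!/bin/sh
# Added example, not code from the original post or from Pi-hole/OpenVPN.
# Keeps the extra dnsmasq listening interface in its own drop-in so that a
# Pi-hole update, which rewrites 01-pihole.conf, cannot drop it, and checks
# that server.conf pushes Pi-hole as the clients' resolver.
# Assumption (not from the post): the drop-in is named 02-addint.conf.

# Move "interface=<iface>" out of 01-pihole.conf into 02-addint.conf.
# $1 = dnsmasq.d directory, $2 = interface name (e.g. tun0).
# Safe to run repeatedly: the drop-in ends up with exactly one such line.
move_interface_to_dropin() {
    dir=$1; iface=$2
    main="$dir/01-pihole.conf"; dropin="$dir/02-addint.conf"

    # Strip the line from the file Pi-hole regenerates, if it is there
    # (grep -v returns 1 when nothing is left, which is not an error here).
    if [ -f "$main" ]; then
        grep -vFx "interface=$iface" "$main" > "$main.tmp" || :
        mv "$main.tmp" "$main"
    fi
    # Append to the drop-in only if it is not already present.
    grep -qsFx "interface=$iface" "$dropin" ||
        printf 'interface=%s\n' "$iface" >> "$dropin"
}

# Number of *.conf files under $1 that declare interface=$2.
# After the move there should be exactly one (the drop-in): zero means
# dnsmasq will ignore VPN clients, two means an update will clobber one.
count_interface_decls() {
    dir=$1; iface=$2
    grep -lsFx "interface=$iface" "$dir"/*.conf | wc -l | tr -d ' '
}

# Verify the two pushes in server.conf ($1) that send client DNS to the
# Pi ($2 = the address the guide pushes as DNS): the resolver address and
# the default-route redirect. Prints what is missing, returns 1 if any.
check_openvpn_dns_push() {
    conf=$1; dns=$2; missing=0
    grep -qsFx "push \"dhcp-option DNS $dns\"" "$conf" || {
        echo "missing: push \"dhcp-option DNS $dns\""; missing=1; }
    grep -qsFx 'push "redirect-gateway def1"' "$conf" || {
        echo 'missing: push "redirect-gateway def1"'; missing=1; }
    return $missing
}

# Demonstration on constructed copies of the two files (not the live ones).
# On the Pi, point the functions at /etc/dnsmasq.d and /etc/openvpn/server.conf.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/dnsmasq.d"
printf 'interface=eth0\ninterface=tun0\n' > "$demo_dir/dnsmasq.d/01-pihole.conf"
printf 'server 10.8.0.0 255.255.255.0\npush "dhcp-option DNS 192.168.1.2"\n' \
    > "$demo_dir/server.conf"        # constructed; deliberately lacks redirect-gateway

move_interface_to_dropin "$demo_dir/dnsmasq.d" tun0
echo "files declaring interface=tun0: $(count_interface_decls "$demo_dir/dnsmasq.d" tun0)"
check_openvpn_dns_push "$demo_dir/server.conf" 192.168.1.2 ||
    echo "server.conf needs fixing before VPN clients will use Pi-hole"
rm -rf "$demo_dir"
```

After running the move on the real /etc/dnsmasq.d, restart the resolver (`pihole restartdns`, or reboot as the post suggests) and confirm with `count_interface_decls /etc/dnsmasq.d tun0` that exactly one file declares the interface. One caveat the thread does not spell out: Pi-hole's dnsmasq binds the wildcard address and filters by interface, so `interface=tun0` works even though tun0 only exists while OpenVPN is up; if you ever add `bind-interfaces`, dnsmasq will refuse to start while tun0 is absent.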

Well holy moly, me oh my. Thank you so much for posting such a well stated tutorial. It's golden, and it worked. I wish you weren't a stranger and I'd give you something of genuine gratitude, like chocolate chip cookies.

1 Like

Haha, no problemo :smiley: Glad it worked for you.

Thanks twotonefox for updating. I'm having issues after updating Pi-hole, so hopefully your update advice solves it... have to wait till I get home to test it.

edit: got home and tried this; so it wasn't anything new like you said, just re-doing the same initial settings since the update wiped it out.

I've added a note about needing to add DNS entries back into the 01 conf file as it only results in the first two in a list if you had more than that before doing an update.

So I just followed these changes, and when I am connected to the VPN any DNS request times out; disconnected from the VPN it works fine.

I'm not sure if it's a Pi-hole config issue or a VPN issue now.

I updated /etc/dnsmasq.conf with
listen-address=127.0.0.1, 192.168.0.13, 10.8.0.1

(2nd ip is the local ip of the pi, 3rd is the tun ip)

and restarted the whole machine with no luck. Is there something I'm missing outside of the above steps?

I'm a little confused; I don't see that the instructions above involve changing the listening address. From your default PiVPN and Pi-hole installs you should only change the files listed.

Sorry just realized I had added that earlier, reverted that change and still no dns after restarting dnsmasq as well as openvpn.

So have you opened each of the files twotonefox listed, and confirmed the bold lines / the whole files match?
/etc/pihole/setupVars.conf
/etc/dnsmasq.d/01-pihole.conf
/etc/openvpn/server.conf

What device is the client? PC, phone?
Does pi-hole work on the LAN vs remote VPN?

Maybe post your files minus secret info so the community can have a look and see if something stands out, and start ruling things out.

Double checked my changes, so here are the files that I'm working with:

/etc/pihole/setupVars.conf

WEBPASSWORD=*edited*
PIHOLE_INTERFACE=eth0
PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=192.168.0.13/24
IPV6_ADDRESS=*edited*
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
QUERY_LOGGING=true

/etc/dnsmasq.d/01-pihole.conf

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/local.list

domain-needed

bogus-priv

no-resolv

server=8.8.8.8
server=8.8.4.4

interface=eth0
interface=tun0

cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=300

log-async

/etc/openvpn/server.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.0.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.13"
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 1
# Generated for use by PiVPN.io

Thank you for the brilliant guide!

What kind of speeds can you expect when connecting from remote locations and internetting through the Pi? Also, what Pi are you using this for?

My PiHole runs on the first Pi model... Don't think that thing likes to run OpenVPN.

It depends on how fast your internet is at the Pi-hole location and on your OpenVPN configuration.

It is better to use an RPi 2 or RPi 3, because running a VPN with 2048-bit encryption on an RPi 1 is not a good idea.

Do you think the Pi CPU/USB bus will not be the bottleneck in this situation? I have an RPi 3 somewhere still, and my internet is a shared 1 Gbit/s down and up, so that shouldn't be an issue.

You could also lower the encryption but that kind of bites into the whole purpose of using a VPN on public connections.

Anyway, I was hoping someone could tell me what to expect. I have an OpenVPN connection to my Netgear Nighthawk, but the speeds are pretty slow when connected.

Since USB and Ethernet share a single bus, it will definitely be a bottleneck (100 Mbit is OK, but you can't get higher than that). Also, the CPU struggles to encrypt data. There are other SBCs out there which have a gigabit port and a more powerful processor.

All of the Raspberry Pi devices perform similarly with respect to Ethernet. They all have a dedicated Ethernet chip which is hooked up to the SoC via an external bus. Performance tests usually show that with the recent version you can actually get to 100 MBit/s on wired Ethernet, and up to 40 MBit/s via wireless. There are users who found that you can go up to 200 MBit/s if you buy a good (= expensive) USB-to-Ethernet adapter, but I doubt that it is really worth the effort.

Expect the Ethernet chip (marked with M1) to go even hotter than the SoC (M2) at full speed.

Encryption performance is an interesting question: modern "normal" CPUs (like x86_64) have no problem at all, because they integrate circuits that are specifically designed to compute crypto stuff. Well, in the world of ARM everything is different, and I wasn't really able to draw conclusive information from the datasheet of the SoC used on the Raspberry Pi. It seems like CRC32 is implemented natively, but the rest is left open (it could even be in there, but not work with Raspbian).

I tested the VPN performance using OpenVPN + Raspberry Pi Model B (700 MHz single core) and ended up with about 9 MBit/s. Repeated the same test with a Raspberry Pi 3 Model B (1.2 GHz quad) and got about 13 MBit/s. So not really high performance, but in good agreement with what you would expect from these devices. 2048-bit keys.

1 Like

Thanks for the effort guys. I know about the HW limitations that the Pi's ethernet connection has but was wondering what limitation the CPU has, since encryption is very CPU intensive.

My router has gigabit ports and still performs pretty badly at hosting OpenVPN, more than likely because it has a bad SoC.

Just wanted to know whether it would be worth it before I start flashing and installing stuff on my Pi2. Cheers guys!

It strongly depends on your use case. I use the VPN to tunnel the Pi-hole DNS server only and can still take advantage of the full power of my multihomed upstream connection (2GBit/s). The trick is that only the DNS server of my Pi-hole is routed over the VPN and effectively, I can use all of its functionality. At the same time, all other traffic enters the Internet directly, so no bandwidth limitation introduced by the performance of the Pi Ethernet.

Does that sound like what you want?

1 Like
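The "DNS only over the VPN" setup described in the last post, side by side with the full-tunnel pushes used in the guide earlier in the thread, as an added example (my code, not the poster's or OpenVPN's). The first function renders the `push` lines for either mode; the second classifies an existing server.conf; the third catches the mistake that breaks the DNS-only variant, pushing a resolver address that the client has no route to. Assumptions of mine, not stated in the thread: the Pi's tun0 address is 10.8.0.1, the `server 10.8.0.0 255.255.255.0` line is already present (so the client already gets a route to the tunnel subnet), and Pi-hole is listening on tun0 as the guide sets up.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenVPN.
# Contrasts the full-tunnel pushes from the guide with a DNS-only variant in
# which only queries to Pi-hole cross the VPN and all other traffic leaves
# the client directly.
# Assumptions: tunnel subnet 10.8.0.0/24 with the Pi at 10.8.0.1, and the
# "server 10.8.0.0 255.255.255.0" line already in server.conf.

# Print the push block for $1 = full | dns-only, $2 = resolver address,
# $3 = LAN network (full mode only; default matches the guide's example).
render_push_block() {
    mode=$1; dns=$2; lan=${3:-"192.168.1.0 255.255.255.0"}
    case $mode in
    full)
        # Everything goes through the tunnel; the resolver may be the Pi's
        # LAN address because the LAN route is pushed as well.
        printf 'push "route %s"\n' "$lan"
        printf 'push "dhcp-option DNS %s"\n' "$dns"
        printf 'push "redirect-gateway def1"\n'
        ;;
    dns-only)
        # No default route and no LAN route: only the tunnel subnet is
        # routed over the VPN, so the resolver must be the tun0 address and
        # Pi-hole must listen on tun0. block-outside-dns stops Windows
        # clients from also asking the physical adapter's DNS servers
        # (other clients log a warning and ignore it).
        printf 'push "dhcp-option DNS %s"\n' "$dns"
        printf 'push "block-outside-dns"\n'
        ;;
    *)
        echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Classify an existing server.conf ($1): full, dns-only, or none.
classify_tunnel() {
    conf=$1
    if grep -qsFx 'push "redirect-gateway def1"' "$conf"; then
        echo full
    elif grep -qs '^push "dhcp-option DNS ' "$conf"; then
        echo dns-only
    else
        echo none
    fi
}

# Return 0 if clients in mode $1 can reach resolver $2. In full mode the
# default route covers anything; in dns-only mode only the tunnel subnet
# is routed, so a LAN address such as 192.168.0.13 would silently time out.
check_resolver_reachable() {
    mode=$1; dns=$2
    case $mode in
    full) return 0 ;;
    dns-only)
        case $dns in
        10.8.0.*) return 0 ;;   # assumption: tunnel subnet is 10.8.0.0/24
        *) return 1 ;;
        esac ;;
    *) return 2 ;;
    esac
}

# Demonstration: the two push blocks, then the reachability check that
# flags the guide's LAN-address resolver as unusable in dns-only mode.
echo "# full tunnel";  render_push_block full 192.168.1.2
echo "# dns only";     render_push_block dns-only 10.8.0.1
check_resolver_reachable dns-only 192.168.1.2 ||
    echo "dns-only with a LAN resolver address: clients will not reach it"
```

To switch the guide's server.conf to the DNS-only variant, replace its three `push "route 192.168.x.0 ..."`, `push "dhcp-option DNS ..."` and `push "redirect-gateway def1"` lines with the `dns-only` block, keep the `interface=tun0` drop-in on the Pi, and verify from a connected client that queries go to 10.8.0.1 (they will show up in the Pi-hole query log with a 10.8.0.x client address) while a traceroute to any public host still leaves via the local gateway.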