See my PiHole enabled OpenVPN Server

Would I need to change the openvpn server config file?

I guess I should explain the problem rather than jumping to my own solution.

When looking at the Query Log, all entries that originate from my local network have an IP address of 192.168.1.1 rather than their actual IP.

I'd really like to fix that. Is it correct that I would have to use the pihole as my DHCP server rather than my router?

If so, how would I go about making the change? I have checked around and haven't found a solution.

My guess is to make a change to the OpenVPN server configuration file but I don't know what to change.

I appreciate your continued help.

Everything you will have to do is described in

Please provide further details if you need specific help with any of the changes.

@twotonefox - I followed your steps including the "long overdue" section but am unable to get pihole to see my openvpn traffic. In summary:

  1. Added /etc/dnsmasq.d/02-openvpn.conf to define the tun0 interface.
  2. Modified /etc/openvpn/server/server.conf as you directed
  3. Modified my client.conf as you directed

I can connect to my openvpn server and all traffic flows, but pihole doesn't seem to see my tunneling traffic.

Server config:
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
port 443
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.251"
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
comp-lzo
max-clients 4
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
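A check for the two pieces the steps above touch, as an added example that is not from the thread or from Pi-hole: it parses the relevant lines of the posted server.conf together with a constructed stand-in for /etc/dnsmasq.d/02-openvpn.conf, and reports whether dnsmasq has been told to listen on the tunnel interface and whether any DNS server is pushed to clients at all. It assumes that `dev tun` produces a single interface named tun0.

```python
import ipaddress
import re

# The server.conf lines that matter here are copied from the post above; the
# drop-in is a constructed stand-in for /etc/dnsmasq.d/02-openvpn.conf (assumption).
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.251"
"""
DNSMASQ_DROPIN = "interface=tun0\n"

def parse_openvpn(text):
    """Return (tunnel device, VPN subnet, pushed DNS servers) from server.conf text."""
    dev, subnet, dns = None, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if m := re.fullmatch(r"dev\s+(\S+)", line):
            dev = m[1]
        elif m := re.fullmatch(r"server\s+(\S+)\s+(\S+)", line):
            subnet = ipaddress.ip_network(f"{m[1]}/{m[2]}")   # address/netmask form
        elif m := re.fullmatch(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', line):
            dns.append(ipaddress.ip_address(m[1]))
    return dev, subnet, dns

def dnsmasq_interfaces(text):
    """Interface names given by interface= lines (dnsmasq answers only on these)."""
    return {l.split("=", 1)[1].strip() for l in text.splitlines()
            if l.strip().startswith("interface=")}

def diagnose(server_conf, dropin):
    """List reasons why Pi-hole would not see DNS queries from tunnel clients."""
    dev, subnet, dns = parse_openvpn(server_conf)
    # Assumption: 'dev tun' makes the kernel name the first tunnel tun0.
    tun_if = f"{dev}0" if dev in ("tun", "tap") else dev
    findings = []
    if not dns:
        findings.append("server.conf pushes no DNS: clients keep using their own resolver")
    if tun_if not in dnsmasq_interfaces(dropin):
        findings.append(f"dnsmasq is not told to listen on {tun_if}: queries arriving "
                        "through the tunnel are ignored")
    return findings
```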

Is this still an issue for you?

No, working as expected. I updated the Arch Wiki with the details.

@twotonefox, @graysky2
So my two issues are that:
1. Without adding interface=eth1 to a conf file, my internet will not work.
My Pi-hole is running on eth1.
2. I cannot seem to get the routing correct.
The VPN connects without a problem, and the Pi is assigned the VPN's public address.
My devices are being filtered through the Pi-hole; however, it is not going through the VPN tunnel. Hence all my devices have my old public IP address and not the VPN's. At least these are my thoughts thus far.

Update:
I've reinstalled the server along with not transferring the .ovpn files over dropbox as this seems to create some problem.

So I've managed to get some clients connected. Though I'm still very puzzled:

  1. So the server works correctly and I can connect through my original public IP address; however, when I get OpenVPN to connect to the NordVPN servers, my clients can't connect. I have a DynDNS setup, and the changed IP address is correct. The clients just refuse to connect. In essence, I think I'm trying to set up OpenVPN as a gateway and as a server.

  2. I was wondering if there's a way to force all local traffic through to the NordVPN servers without having to set up clients to connect to OpenVPN first.

Update #2

I've managed to set everything up correctly (many incorrect tutorials on the internet).
I'm left with only 1 issue. I can see and connect to my entire LAN network; however, I'm unable to connect to my MQTT broker through the VPN when I am not connected to my home wifi. When connected to the wifi network, it passes through.

Not trying to bomb the thread, but a little information that some may find useful is doing the same thing with Wireguard.

I use Wireguard to bridge my home network with my cloud-hosted VPN/Pi-hole server; however, I don't tunnel through it. I can tunnel everything through it if I want, but instead I simply access my LAN if I wish, and the usual traffic goes out my existing gateway on whatever network I am using (usually my home or cellular). The only traffic that is tunneled is DNS queries, and Wireguard provides lower latency, lower CPU usage, lower memory usage, and higher potential bandwidth than OpenVPN.

I've set up your Wireguard (wg) suggestion; I'm really impressed with the simplicity. However, MQTT is still not going through. This, I suppose, might be a result of MQTT relying on TCP, while Wireguard is purely UDP.

What about TunSafe (WireGuard over TCP)?

Personally, I am unfamiliar with MQTT, however Wireguard can encapsulate both TCP and UDP traffic. Otherwise, other TCP services will not work through it. My DNS redirection through it is UDP, however, my web server behind it, mail server, spam filtering, etc.. are all TCP.

However, if you are trying to do something like establish a TCP connection through something like a firewall, then I can see your issue.

If you are trying to forward traffic through it beyond the endpoints of the VPN itself, you may have to enable net.ipv4.ip_forward = 1. I am unsure why, but I also enabled net.ipv4.conf.all.proxy_arp = 1 in /etc/sysctl.conf, then ran sysctl -p.

You also have to include any additional IPs you want to have access to the other side in the target's Wireguard IP allow list; otherwise only the traffic from the other VPN endpoint will be allowed. (i.e. I had to add the CIDR entry for my LAN xxx.xxx.xxx.xxx/xx.)

I'm having a heck of a time getting any VPN to work at this point (I've tried OpenVPN/PiVPN, and Wireguard about 100 times each). I'm really hoping to get a helping hand with my Wireguard setup.

My setup looks like this:

Router: xxx.xxx.xxx.1
Primary Pihole and Wireguard Server (ethernet): xxx.xxx.xxx.66
Secondary/Backup Pihole (wireless): xxx.xxx.xxx.99

-= wg0.conf =-

[Interface]
Address = xxx.xxx.xxx.1/24 (Router)
DNS = xxx.xxx.xxx.66,xxx.xxx.xxx.99 (Primary and Secondary Piholes)
ListenPort = default port, already forwarded

PrivateKey = XXXXXXXXXX
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCE$
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j AC$

[Peer]
#Client1
PublicKey = XXXXXXXXXX
AllowedIPs = 0.0.0.0/0, ::/0
PersistentkeepAlive = 60

-= client1.conf =-

[Interface]
Address = xxx.xxx.xxx.66/24 (Primary Pihole and Wireguard Server)
DNS = xxx.xxx.xxx.66,xxx.xxx.xxx.99 (Primary and Secondary Piholes)
PrivateKey = XXXXXXXXXX

[Peer]
PublicKey = XXXXXXXXXX
Endpoint = mydynamic.ddns.com:default
AllowedIPs = 0.0.0.0/0, ::/0
#AllowedIPs = ??????
#PersistentkeepAlive = 60

Ideally, I am aiming for Dual Operation (as described here).

Previous attempts resulted in timeouts during the handshaking process.

With this current setup, everything seems to kick off correctly when I run the WG Server (as far as I can tell). However, I get an immediate DNS/Endpoint error when trying to connect with my client.

Given I've spent so much time on this, I'm pretty committed to Wireguard at this point as I too have read and seen a bit of research promoting Wireguard over OpenVPN. I'm also willing to take this to PMs if need be.

Thanks in advance!
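The AllowedIPs question raised in the two posts above (the LAN CIDR that had to be added to the allow list, and the `#AllowedIPs = ??????` placeholder for dual operation), as an added example that is not from the thread or from WireGuard: a small Python script that renders a client config in either full-tunnel or DNS-plus-LAN mode and then checks that the Pi-hole DNS addresses fall inside AllowedIPs (otherwise queries never enter the tunnel) and that the tunnel Address is not a LAN address. The addresses, keys, the tunnel subnet 10.6.0.0/24 and the endpoint name are constructed placeholders; the tunnel subnet being separate from the LAN is an assumption of this example.

```python
import ipaddress

# Constructed placeholders for the xxx.xxx.xxx.* addresses in the thread.
LAN = "192.168.1.0/24"
PIHOLE_PRIMARY = "192.168.1.66"   # Pi-hole + WireGuard server, on the LAN
PIHOLE_BACKUP = "192.168.1.99"
SERVER_WG_IP = "10.6.0.1"         # server's Address inside the tunnel (assumed subnet)
CLIENT_WG_IP = "10.6.0.2"         # client's Address inside the tunnel
SERVER_PORT = 51820

def allowed_ips(mode):
    """'full': route everything through the tunnel; 'dns-lan': only the server's
    tunnel address plus the home LAN, so DNS and LAN access use the tunnel and
    the rest goes out the local gateway."""
    if mode == "full":
        return ["0.0.0.0/0", "::/0"]
    if mode == "dns-lan":
        return [f"{SERVER_WG_IP}/32", LAN]
    raise ValueError(f"unknown mode {mode!r}")

def client_config(mode, client_priv="<client-private-key>", server_pub="<server-public-key>"):
    """Render a client-side wg-quick config for the chosen mode."""
    return (
        "[Interface]\n"
        f"Address = {CLIENT_WG_IP}/32\n"
        f"DNS = {PIHOLE_PRIMARY}, {PIHOLE_BACKUP}\n"
        f"PrivateKey = {client_priv}\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pub}\n"
        f"Endpoint = vpn.example.invalid:{SERVER_PORT}\n"
        f"AllowedIPs = {', '.join(allowed_ips(mode))}\n"
        "PersistentKeepalive = 25\n"
    )

def covered(ip, cidrs):
    """True if ip falls inside any CIDR of the same address family."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs)
    return any(addr in n for n in nets if n.version == addr.version)

def check_client(address, dns_servers, allowed, lan=LAN):
    """Return a list of problems with a client config; empty means consistent."""
    problems = []
    for d in dns_servers:
        if not covered(d, allowed):
            problems.append(f"DNS {d} not in AllowedIPs: queries will not use the tunnel")
    if ipaddress.ip_address(address.split("/")[0]) in ipaddress.ip_network(lan):
        problems.append(f"client Address {address} collides with the LAN {lan}")
    return problems
```

Run `check_client` against the Address, DNS and AllowedIPs values of an existing client.conf to see which of the two mistakes it makes.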

@badnewsblair

One thing that I notice is that you refer to a "default" port.

I may be wrong, but in my experience with Wireguard, it chooses a port above the average service port range of like 32000 at random when the config is setup.

After your config file is set up, try using wg-quick up /path/to/config/file (normally /etc/wireguard/interfacename.config, i.e. /etc/wireguard/wg0.config).

wg-quick will also add new rules to iptables for accepting new connections and append the routing table.

I was referring to the default port Wireguard uses, which I believe is 51820 (I just left it out of my .conf file).

A few quick questions if you (or others) don't mind...

Under my server configuration, I am using my Gateway/Router xxx.xxx.xxx.1 for the Address value. Should I be using the Raspberry Pi that I have Wireguard and Pihole installed on xxx.xxx.xxx.66? (I'm not sure why I used the Gateway/Router).

And if I use my Raspberry Pi for Address, do I keep the DNS field as that device serves both purposes (VPN and DNS server through Pihole)?

Should Address for Server and Client be the same IP?

I seem to have a pretty good grasp on everything but Address (and the use of the CIDR notation). Any clarification around those areas would be great!

Thanks for your response!

If 51820 is specified, then okay. I normally see a port selected at random during the creation of the endpoint config if no port is specified.

If you are saying that is in your PiHole config, then it is utilizing the IP that is assigned to it on the default network connection for requests. If you want to allow requests from Wireguard, then you must specify the Wireguard interface IP.

Depending on where your server is located, you may need to specify allowed ip address ranges in your Wireguard config to allow the requesting client ip or ip ranges. I learned this the hard way initially when I couldn't figure out why the server wasn't responding. (However I don't run it on a Pi myself, I have a Ubuntu 19.04 instance in the cloud and I run 3 LANs off of it with a total of 52 clients.)

Thanks for the info! I appreciate it. I'll keep digging.