and replace with all files in this format (starts with openvpn and ends with .service) in the directory. The one that truly stops and starts the openvpn service is the file you need, and the others could be removed (you shouldn't have made them in the first place by enabling them):
Another thing you can do if you don't know the exact service name or are lazy like I am: run systemctl status openvpn* . The * matches the service closest to that string. Works for the other functions like stop & start.
I installed pihole a few months ago, and loved it.....
then I saw openvpn integration and jumped on the bandwagon immediately...... however..... my network is no longer piholed... I'll try and explain:
Issue:
I still have the DNS mapped to my current piholed/raspberry device
when I connect through the OpenVPN on my cell, everything seems to be piholed and blocked as it should be (btw: I'm able to see all my lan/wlan devices if I'm, let's say, my cell connection away from home)
When I connect through any of the lan/wlan computers around the home, it seems like I'm not getting protected by the pihole. I figure if I connect through the openvpn connection I get protected by testing.... but then..... not sure I want to do that every time.... is that the way it's supposed to work? am I missing something?
What I would like:
-connect from my cell while away, let's say airport wi-fi, and be protected by my pihole-openvpn (not important if I connect to the other devices or not, which I read under the wiki can be easily changed)
-connect from lan/wlan devices around the home without having to connect to the openvpn, and be protected by the pihole
I think you might have followed our tutorial and changed the interface from eth0 (or similar) to tun0 in /etc/dnsmasq.d/01-pihole.conf? If so, you disabled it for your local network - I see that I should add a note in the tutorial.
When I connect through any of the lan/wlan computers around the home, it seems like I'm not getting protected by the pihole. I figure if I connect through the openvpn connection I get protected by testing.... but then..... not sure I want to do that every time.... is that the way it's supposed to work? am I missing something?
Since it's working properly via the VPN, you'd need to make pihole listen on your local LAN IP, in addition to just the tun/vpn IP...
Make a new file (to ensure it stays after upgrades) /etc/dnsmasq.d/02-ANYNAME.conf
Add the LAN IP of your Pi (the IP of eth0) in it (which you edited in the modem/router)
issue: after installing Pi-hole and running it for a while, I installed OpenVPN by following the instructions from here.
I had to tweak a few things, however, in order to have both the VPN and the internal network run through my pihole:
I'm running one debian/pihole in the home network behind a router. Another on a VPS with openvpn as described here -hole/pi-hole/wiki/OpenVPN-server:-Installation
The second instance is the one I'm concerned about, which will listen on WAN by default. I guess if I add an IP or interface in /etc/dnsmasq.d/02-xxx.conf it will fix that. I suppose Pi-hole being for Pi's and having only one ethernet port can be assumed to always be a LAN device, and so it won't be a problem for many.
Have you followed my advice [here]( -hole/pi-hole/wiki/OpenVPN-server:-Firewall-configuration-(using-iptables)? A properly set up firewall sounds IMHO much better than just having dnsmasq not listening on the device.
I understand that. But most users who use the CLI to install pi-hole put some level of trust into its makers. If the above change makes it into pi-hole, it will potentially leave some pi-hole installations, by default, as public DNS servers. I would expect the default pi-hole dnsmasq config to at least include local-service, to make future installations secure by default.
PS: following wiki to create an additional config file is less daunting than the wiki to create a firewall rule(s).
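The reply above (a 02-ANYNAME.conf fragment carrying the Pi's LAN IP) and the later concern about a VPS instance listening on the WAN, plus the local-service suggestion, worked through as an added shell example. This is not code from the thread or from the Pi-hole project; the directory argument, the file names and the sample addresses are assumptions, and the real Pi-hole fragment is the /etc/dnsmasq.d/01-pihole.conf named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole project. Two helpers for
# the situation discussed above: 01-pihole.conf was switched from eth0 to tun0,
# so dnsmasq no longer answers LAN clients, and a fragment in /etc/dnsmasq.d/
# is needed to add the LAN address back. Directory and file names are
# assumptions; adjust them to the real install.

# write_lan_listener LAN_IP OUTFILE
# Writes the extra fragment (the reply's "02-ANYNAME.conf") so dnsmasq also
# binds the Pi's LAN address next to whatever interface= is already set.
write_lan_listener() {
    ip="$1"
    out="$2"
    # reject anything that is not a dotted quad so a typo cannot produce a
    # fragment that dnsmasq refuses to start on
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf 'listen-address=%s\n' "$ip" > "$out"
}

# dnsmasq_bind_summary DIR
# Reads every *.conf in DIR (comments stripped) and prints what dnsmasq will
# bind to: "interface:NAME" / "address:IP" lines, or "ALL" when no fragment
# restricts binding, which on a VPS means the WAN address as well.
# local-service is reported as "effective" only when no interface= /
# except-interface= / listen-address= is present, because dnsmasq ignores it
# otherwise (that is why it helps a fresh install but not a tuned one).
dnsmasq_bind_summary() {
    dir="$1"
    directives=$(cat "$dir"/*.conf 2>/dev/null \
        | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' \
        | grep -E '^(interface|except-interface|listen-address)=|^local-service' || true)
    binds=$(printf '%s\n' "$directives" \
        | grep -E '^(interface|listen-address)=' \
        | sed -e 's/^interface=/interface:/' -e 's/^listen-address=/address:/')
    if [ -z "$binds" ]; then
        echo "ALL"
    else
        printf '%s\n' "$binds"
    fi
    if printf '%s\n' "$directives" | grep -q '^local-service'; then
        if printf '%s\n' "$directives" | grep -Eq '^(interface|except-interface|listen-address)='; then
            echo "local-service:ignored"
        else
            echo "local-service:effective"
        fi
    fi
}

# Command-line use: dnsmasq_bind_summary /etc/dnsmasq.d
if [ "$#" -gt 0 ]; then
    dnsmasq_bind_summary "$1"
fi
```

Running the summary before and after adding the fragment shows whether the LAN address is actually covered, and an "ALL" result on a VPS is the "public DNS server" situation the thread warns about; note that once any interface= or listen-address= exists, local-service no longer does anything, so the firewall advice in the next replies is the only thing that limits who can query the VPS instance.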
If you install a server package to a device that has public internet facing interfaces, then it is your responsibility to firewall the device. The only situation I can see that happening is if you put a device in a DMZ, or on a VPS. Both situations require a firewall. Would you place a Raspberry Pi on a network with a public interface and leave the default user/pass pi/raspberry?
Not having a firewall set up can never be secure by default. I didn't mark it as optional in the Wiki because it is actually optional, but rather because most installations are sitting behind a NAT/router which takes care of doing that properly for you. If your server is out in the wild (AKA VPS etc) you should never consider it secure, especially not with any default configuration that might be there.
Same problem here. I have updated my RV325, and basically created new openvpn users, exported the config into Tunnelblick (I am on OS X but I have the same problem with Android) and no matter what I do I cannot get any connection.
I struggled to start the OpenVPN server too, but in the end I managed to run it. Also I needed to reset my configuration anyway because I was upgrading from 1.1.1.xx firmware. Here I have a couple of points for attention:
This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see openvpn(8) and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.
OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.
OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of a custom kernel should make sure to enable the tun module (CONFIG_TUN) in Device Drivers > Network device support > Network core driver support > Universal TUN/TAP device driver support.
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with #The client configuration profile and skip ahead to #Starting OpenVPN after that. One should use the provider certificates and instructions, see Category:VPN providers for examples that can be adapted to other providers. OpenVPN client in Linux Containers also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.
When setting up an OpenVPN server, users need to create a Public Key Infrastructure (PKI), which is detailed in the Easy-RSA article. Once the needed certificates, private keys, and associated files are created by following the steps in that separate article, one should have 5 files in /etc/openvpn/server at this point:
With the release of v2.4, server configurations are stored in /etc/openvpn/server and client configurations are stored in /etc/openvpn/client and each mode has its own respective systemd unit, namely, openvpn-client@.service and openvpn-server@.service.
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:
If TLS with elliptic curves is used, specify dh none and ecdh-curve secp521r1 (or ecdh-curve ed25519). The DH parameters file is not used when using elliptic curves. Starting from OpenVPN 2.4.8, it is required to specify the type of elliptic curve in the server configuration. Otherwise the server would fail to recognize the curve type and possibly use an incompatible one, resulting in authentication errors.
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers. Starting from OpenVPN 2.4, the server and the client will automatically negotiate AES-256-GCM in TLS mode.
One can have multiple, concurrent instances of OpenVPN running on the same box. Each server needs to be defined in /etc/openvpn/server/ as a separate .conf file. At a minimum, the parallel servers need to be running on different ports. A simple setup directs traffic connecting in to a separate IP pool. More advanced setups are beyond the scope of this guide.
Using the options user nobody and group nobody in the configuration file makes OpenVPN drop its root privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete the network routes it set. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and will exit with an error.
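As an added example (not from the Arch Wiki or the OpenVPN project), a small POSIX shell audit that reads a server .conf and reports the points made in the preceding paragraphs: dh none paired with an explicit ecdh-curve, an explicit strong cipher and auth, and user/group nobody to drop root. The config path and the lists of values it treats as weak are this example's own assumptions, not an official OpenVPN list.

```shell
#!/bin/sh
# Added example, not from the Arch Wiki or the OpenVPN project: a read-only
# audit of a server .conf against the points made above (dh none needs an
# explicit ecdh-curve since 2.4.8, pin a strong cipher and auth, drop root
# with user/group nobody). Prints one finding per line and returns the number
# of findings, so exit status 0 means nothing was flagged. The "weak" lists are
# this example's own choice, not an official OpenVPN list.
# Usage: audit_openvpn_conf /etc/openvpn/server/server.conf

audit_openvpn_conf() {
    conf="$1"
    findings=0
    # drop comments (# or ;) and leading whitespace once, then grep the rest
    body=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$conf")

    # has REGEX: true if some directive line matches
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    # flag MESSAGE: print a finding and count it
    flag() { echo "$1"; findings=$((findings + 1)); }

    # Elliptic-curve TLS: "dh none" without ecdh-curve leaves the curve
    # unspecified, which the text above says leads to authentication errors.
    if has '^dh[[:space:]]+none' && ! has '^ecdh-curve[[:space:]]+'; then
        flag "dh none without ecdh-curve (required since OpenVPN 2.4.8)"
    fi

    # Data-channel cipher: absent, or one of the legacy/none choices.
    if ! has '^(cipher|data-ciphers)[[:space:]]+'; then
        flag "no cipher/data-ciphers directive (relies on defaults)"
    elif has '^cipher[[:space:]]+(none|BF-CBC|DES)'; then
        flag "weak data-channel cipher selected"
    fi

    # HMAC for packet authentication: "auth" followed by whitespace, so that
    # auth-user-pass and similar directives are not mistaken for it.
    if ! has '^auth[[:space:]]+'; then
        flag "no auth directive (relies on defaults)"
    elif has '^auth[[:space:]]+(none|MD5)'; then
        flag "weak or disabled packet authentication"
    fi

    # Privilege drop: both user and group are needed. Keep in mind the caveat
    # above that a de-privileged process cannot apply routes pushed later.
    if ! has '^user[[:space:]]+' || ! has '^group[[:space:]]+'; then
        flag "no user/group directive: daemon keeps root after connect"
    fi

    return "$findings"
}

if [ "$#" -gt 0 ]; then
    audit_openvpn_conf "$1"
fi
```

Because the exit status is the finding count, the script slots into a pre-deployment check (for example, refuse to enable openvpn-server@NAME.service while it is non-zero); it deliberately does not rewrite anything, since whether to keep user/group nobody depends on whether the server pushes route updates, as the paragraph above explains.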