
How to use this icm with OpenVPN Split tunnel

Open Beverdam opened this issue 5 years ago • 4 comments

Love this project, but would like to use it as a "private" pihole instance, with DNS queries going over OpenVPN (split tunnel) with pihole hosted on a VPS. See this example: https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs

For some reason, I cannot get this to work. I can connect via OpenVPN to the VPS, but no queries can be made or the ad-blocking doesn't work. I am probably fucking up some setting in making the routing work, so to prevent other people from making this mistake: would it be possible to include an OpenVPN container to ensure that everything will work 'out of the box'?

Let me know what you think.

Beverdam, Jun 11 '19 14:06

Great idea :) ! This was actually suggested to me by the Pi-hole devs themselves as well, as setting up a public DNS resolver is a really bad idea if you don't know what you're getting into (as stated in the README). Hence they kindly asked me to either remove the public part, or rewrite it in such a way that it can be used only over a VPN connection. Therefore I'll be writing (most of) this playbook asap. Is OpenVPN a hard requirement, or are you also open to other VPN protocols, such as WireGuard?

Anyway, I'm short on time this week but I'll try and see what I can come up with within the next 14 days.

Freekers, Jun 12 '19 11:06

Great to read! Most guides use OpenVPN, but other solutions are also possible. Actually, Wireguard might be an even better option since:

  1. It's supposed to be much lighter in terms of processing and therefore battery life (https://news.ycombinator.com/item?id=17661510)
  2. Wireguard allows you to connect when you are/aren't on a specific network. So for example, I would like Wireguard to connect to my pi-hole on the VPS when I am NOT connected to my corporate or home wifi network (https://techcrunch.com/2018/12/21/you-can-now-connect-to-wireguard-vpn-servers-on-your-iphone/).

The downside of Wireguard is that it's harder to implement and that the documentation is somewhat lacking, although someone did attempt to fix this: https://github.com/pirate/wireguard-docs / https://docs.sweeting.me/s/wireguard#

Some examples on implementation: https://gist.github.com/i4ApvDqgDV/e2e566385cae3081cc9850bdd3ab166f https://medium.com/@aveek/setting-up-pihole-wireguard-vpn-server-and-client-ubuntu-server-fc88f3f38a0a https://www.reddit.com/r/pihole/comments/bnihyz/guide_how_to_install_wireguard_on_a_raspberry_pi/

Beverdam, Jun 12 '19 11:06

I already wrote an Ansible Playbook for personal use that sets up WireGuard with Subspace in combination with nginx-proxy and the letsencrypt-proxy-companion, so that part is already covered. The challenge here is to correctly set up routing so it only routes DNS requests instead of all traffic. That I'll have to look into :)

Freekers, Jun 12 '19 12:06

This might be what you are looking for: https://www.reddit.com/r/WireGuard/comments/ak4aiz/dnsonly_tunnel/

Beverdam, Jun 12 '19 13:06
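As an added example (not part of this thread and not the automated-pihole project's own code), the following pair of WireGuard configs shows the DNS-only split tunnel the two previous comments are talking about: only traffic destined for the Pi-hole's tunnel address crosses the VPN, and the Pi-hole is the client's resolver. The 10.8.0.0/24 subnet, the hostname vps.example.com, the UDP port and the key placeholders are assumptions chosen for illustration.

```ini
; --- Server side (the VPS running Pi-hole), e.g. /etc/wireguard/wg0.conf ---
; Assumed layout: Pi-hole listens on the wg0 address 10.8.0.1.
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key>   ; placeholder: wg genkey

[Peer]
; One [Peer] block per client. AllowedIPs here is also WireGuard's
; cryptokey routing table: the server only accepts packets from this
; key whose source address is 10.8.0.2, and only routes 10.8.0.2 back to it.
PublicKey  = <client-public-key>    ; placeholder: wg pubkey < client-private-key
AllowedIPs = 10.8.0.2/32

; --- Client side (laptop / phone), e.g. /etc/wireguard/pihole-dns.conf ---
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <client-private-key>   ; placeholder: wg genkey
; wg-quick and the mobile apps install this as the system resolver while
; the tunnel is up, so every lookup goes to the Pi-hole over the tunnel.
DNS        = 10.8.0.1

[Peer]
PublicKey  = <server-public-key>    ; placeholder: wg pubkey < server-private-key
Endpoint   = vps.example.com:51820  ; assumed hostname
; The split-tunnel line: only the Pi-hole's own address is routed through
; WireGuard. A full tunnel would use 0.0.0.0/0 (and ::/0) here instead.
AllowedIPs = 10.8.0.1/32
; Keeps the NAT/firewall mapping open so the server can answer queries.
PersistentKeepalive = 25
```

Two points worth checking when this does not work. First, because the DNS traffic terminates on the VPS itself, the server needs neither `net.ipv4.ip_forward=1` nor a MASQUERADE rule; those are only required for a full tunnel, and adding them is a common source of confusion. Second, Pi-hole (and the DNS traffic on the VPS) must be reachable on the wg0 address: set the Pi-hole interface listening behaviour to accept queries from the wg0 interface or from all interfaces, and let the VPS firewall admit UDP 51820 from the Internet while keeping port 53 closed to anything but the 10.8.0.0/24 tunnel, so the resolver is not exposed publicly. On the client, `dig @10.8.0.1 example.com` (or `nslookup`) while the tunnel is up is the quickest way to tell a routing problem from a Pi-hole configuration problem.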