This is more of a note-to self, but please feel more than free to replicate it.
-
Follow this PiHole guide:
- But in the first command replace
wget https://git.io/vpn -O openvpn-install.shwget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh -O openvpn-install.sh- This is Angristan's more secure fork of Nyr's installer.
- Stick with the default options unless you know better (or the guide does in the case of
tun0vseth0)- Depending on your privacy concerns and the development status of FTLDNS you may want to opt out of the DNS logging options.
- Make sure to configure iptables to reload on restart by doing
sudo bash -c "iptables-save > /etc/iptables.conf"and then addingiptables-restore < /etc/iptables.confto /etc/rc.local - If doing hosted, consider opting out of the static IP option, it may help when restoring the server to a different IP in future (untested)
- If setting up on an internal network, rather than hosted do:
- Optional: Dual operation: LAN & VPN at the same time and Optional: Dynamic DNS (do not include the
<b> </b>tags in the dual operation section). - You must configure a static/reserved IP for the Pi and forward port 1194 to it in the router settings.
- Optional: Dual operation: LAN & VPN at the same time and Optional: Dynamic DNS (do not include the
- I have recently found that sometimes on connecting to the VPN I get unusably slow speeds and pages fail to load. adding
tun-mtu 1400andmssfix 1360to the bottom of/etc/openvpn/server.confseems to fix this.
- But in the first command replace
-
Until the functionallity is added natively in FTLDNS lets use cloudfare's encrypted DNS protocol DNS over HTTPS .
- Use this tutorial or this official one.
- Since all my domain names are managed on DigitalOcean I created a subdomain for my VPN that points to a random IP, then I use the following script to update the DNS records from my Pi(Hole) dynamically:
#!/bin/bash PUBLIC_IPV4=$(curl ifconfig.co) MY_API_ACCESS_TOKEN="my-api-key-from-https://cloud.digitalocean.com/settings/api/tokens" curl -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer "${MY_API_ACCESS_TOKEN}"" -d '{"data":"'"${PUBLIC_IPV4}"'"}' "https://api.digitalocean.com/v2/domains/examlple.com/records/MY_DOMAIN_ID"Where
example.comis your domain andMY_DOMAIN_IDcan be found by doingcurl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer MY_API_ACCESS_TOKEN_HERE" "https://api.digitalocean.com/v2/domains/example.com/records"Then make the script executable and add it tocrontab -e
-
Update the remote (aka server) ip in all existing client
.opnvpnfiles/configurations and in/etc/openvpn/client-template.txt- This is unessasary if using a DynamicDNS that is configured in these files (which I have).
- If using a Domain name then update the DNS record on your Domain Name Registrar/Nameserver.
-
If you set up Dual operation: LAN & VPN then in
/etc/openvpn/server.confupdatepush "route 192.168.0.0 255.255.255.0"andpush "dhcp-option DNS 192.168.0.35"to the new IP and subnet if applicable. Otherwise, skip this step. -
Update
/etc/dhcpcd.confwith the new static IP and gateway (in DigitalOcean you can find this in settings>networking). At this point reboot and test, you may not need to go any further. -
Update the IPV4 (local) address in
/etc/pihole/setupVars.confor consider runningpihole -r, but you will have to reconfigure your DNS server afterwards for the cloudflared service you set up in 2- If you do run
pihole -rand reconfigure, you will be forced to choose a DNS server, you may then then have to re-configure PiHole to use the locally running cloudflared service by doing this.
- If you do run
-
Update any static IP configuration and OpenVPN portforwarding (usually
1194) in the new router -
Again, if you set up Dual operation: LAN & VPN then update
/etc/iptables.confto the new local subnet if applicable. E.g192.168.0.0/24to192.168.1.0/24 -
Restart the Pi in-order to apply the firewall changes