installing pihole and openvpn on 1 raspberry pi

pihole + openvpn

############################################
setting up pihole + pivpn on 1 raspberry pi
for fun and profit (and privacy)
############################################

#################
# what you need #
#################

# - 1 raspberry pi
# - 1 5v mini usb power supply
# - 1 ethernet cable
# - 1 micro SD card (any size)
# - 1 SD card reader
# - USB keyboard
# - HDMI monitor + cord

# optional but useful

# SD Card Formatter
https://www.sdcard.org/downloads/formatter_4/

# Etcher
brew cask install etcher

##############
1. prep the OS
##############

# Download Raspbian
https://downloads.raspberrypi.org/raspbian_lite_latest.torrent

# Wipe the SD card with SD Card Formatter

# Use Etcher to write Raspbian to the SD Card

########################
2. initial raspi configs
########################

# Run initial optimization
sudo raspi-config

# Set the following
2 Change User Password -> new password
5 Interfacing Options -> SSH
7 Advanced Options -> 16

# Run updates
sudo apt get update && sudo apt -y upgrade
sudo apt install -y rpi-update
sudo rpi-update

# Reboot
sudo reboot

#########
3. set IP
#########

# connect the Pi to your router via ethernet

# get IP info
ifconfig

# take note of the following:
inet addr
bcast
mask

# get router info
sudo route -n

# take note of the following:
gateway
destination

# configure static IP
sudo nano /etc/network/interfaces

# underneath the line `iface eth0 inet x`
# fill in with info from above
address [current ip]
netmask [subnet mask]
network [destination]
broadcast [broadcast range]
gateway [gateway]

# reboot
sudo reboot

################
4. ssh + updates
################

# ssh into the pi
ssh pi@static-ip

# update & upgrade
sudo apt-get update && sudo apt-get upgrade

###########################
5. install + config openvpn
###########################

# install openvpn
sudo apt-get openvpn

# execute in root
sudo -s

# get easy_rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

# edit easy-rsa conf
nano /etc/openvpn/easy-rsa/vars

# find the line `EASY_RSA=`
export EASY_RSA="/etc/openvpn/easy-rsa"

# find `KEY_SIZE=`
export KEY_SIZE=1024

#####################
6. build certificates
#####################

# make sure we're in the right dir
cd /etc/openvpn/easy-rsa

# load vars
source ./vars

# clean previous keys
./clean-all

# build certificate authority
./build-ca

# complete the location steps as you want them

############################
7. build user keys and certs
############################

# name your server and build the key
./build-key-server x

####
IMPORTANT: 
- make sure common name is your server name
- leave challenge password blank
####

# build user keys
./build-key-pass x

# choose a passphrase
# leave challenge password blank

# generate the certs
cd keys
openssl rsa -in [username].key -des3 -out [username].3des.key

# generate diffie-hellmen exchange
cd ..
./build-dh

# generate HMAC key
openvpn --genkey --secret keys/ta.key

###################
8. configure server
###################

# create config file
nano /etc/openvpn/server.conf

# add in your values
local X.X.X.X # your raspi ip
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/SERVER.crt
key /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route X.X.X.X 255.255.255.0" # your raspi ip
push "dhcp-option DNS 192.168.0.1 # should match your router
push "redirect-gateway def1"
client-to-clien
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

# edit sysctl
nano /etc/sysctl.conf

# enable packet forwarding by uncommenting `enable packet forwarding`

# configure the change if you made it
sysctl -p

##################
9. firewall config
##################

# set rules to allow traffic from openvpn
nano /etc/firewall-openvpn-rules.sh

# add the following
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source X.X.X.X # your raspi ip

# change file perms + ownership
chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh

# add to interfaces so it runs on boot
nano /etc/network/interfaces

# find `iface eth0 inet static` and underneath add the following
pre-up /etc/firewall-openvpn-rules.sh

# reboot
sudo reboot

##################
10. configure ddns
##################

# we're going to use DuckDNS as our ddns

# create your domain at duckdns.org

# create duck script
mkdir duckdns
cd duckdns
nano duck.sh

# add the following
# add your domain and token
echo url="https://www.duckdns.org/update?domains=YOURDOMAIN&token=YOURTOKENip=YOURIP" | curl -k -o ~/duckdns/duck.log -K -

# change perms
chmod 700 duck.sh

# create a crontab
crontab -e

# add the following
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1

# start the script
./duck.sh

# verify it worked by checking for OK
cat duck.log

# configure with ddclient
sudo apt-get install ddclient

# start ddclient
sudo ddclient

######################
11. create client keys
######################

# we're going to make a script that
# automatically generates client keys
sudo nano /etc/openvpn/easy-rsa/keys/Default.txt

# add the following
client
dev tun
proto udp
remote YOURDOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

# create profile key script
nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

# add the following
#!/bin/bash
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"
echo "Please enter an existing Client Name:"
read NAME
if [ ! -f $NAME$CRT ]; then
    echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
    exit
fi
echo "Client's cert found: $NAME$CR"
if [ ! -f $NAME$KEY ]; then
    echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
    exit
fi
echo "Client's Private Key found: $NAME$KEY"
if [ ! -f $CA ]; then
    echo "[ERROR]: CA Public Key not found: $CA"
    exit
fi
echo "CA public Key found: $CA"
if [ ! -f $TA ]; then
    echo "[ERROR]: tls-auth Key not found: $TA"
    exit
fi
echo "tls-auth Private Key found: $TA"
cat $DEFAULT > $NAME$FILEEXT
echo "<ca>" >> $NAME$FILEEXT
cat $CA >> $NAME$FILEEXT
echo "</ca>" >> $NAME$FILEEXT
echo "<cert>" >> $NAME$FILEEXT
cat $NAME$CRT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $NAME$FILEEXT
echo "</cert>" >> $NAME$FILEEXT
echo "<key>" >> $NAME$FILEEXT
cat $NAME$KEY >> $NAME$FILEEXT
echo "</key>" >> $NAME$FILEEXT
echo "<tls-auth>" >> $NAME$FILEEXT
cat $TA >> $NAME$FILEEXT
echo "</tls-auth>" >> $NAME$FILEEXT
echo "Done! $NAME$FILEEXT Successfully Created."
#Script written by Eric Jodoin

# change perms
chmod 700 MakeOVPN.sh

# run the script
# you'll be prompted to add usernames
# of the client you generated before
# repeat this for every client you've created
./MakeOVPN.sh

######################
12. export client keys
######################

# change perms
chmod 777 /etc/openvpn
chmod 777 /etc/openvpn/easy-rsa/keys
chmod 777 /etc/openvpn/easy-rsa/keys/CLIENTNAME.ovpn

# copy the files to your computer
scp pi@PI.IP:/etc/openvpn/easy-rsa/keys/CLIENTNAME.ovpn CLIENTNAME.ovpn

# after copying files, change all the perms back to 600

###########################
13. install + config pihole
###########################

# install pihole
curl -sSL https://install.pi-hole.net | bash

# configure pihole to eth0

# open dnsmasq to listen on all ports
pihole -a -i all

# add ddns
pihole -a hostrecord YOURDOMAIN RASPI.IP

# reboot
sudo reboot