installing pihole and openvpn on 1 raspberry pi
############################################ | |
setting up pihole + pivpn on 1 raspberry pi | |
for fun and profit (and privacy) | |
############################################ | |
################# | |
# what you need # | |
################# | |
# - 1 raspberry pi | |
# - 1 5v mini usb power supply | |
# - 1 ethernet cable | |
# - 1 micro SD card (any size) | |
# - 1 SD card reader | |
# - USB keyboard | |
# - HDMI monitor + cord | |
# optional but useful | |
# SD Card Formatter | |
https://www.sdcard.org/downloads/formatter_4/ | |
# Etcher | |
brew cask install etcher | |
############## | |
1. prep the OS | |
############## | |
# Download Raspbian | |
https://downloads.raspberrypi.org/raspbian_lite_latest.torrent | |
# Wipe the SD card with SD Card Formatter | |
# Use Etcher to write Raspbian to the SD Card | |
######################## | |
2. initial raspi configs | |
######################## | |
# Run initial optimization | |
sudo raspi-config | |
# Set the following | |
2 Change User Password -> new password | |
5 Interfacing Options -> SSH | |
7 Advanced Options -> 16 | |
# Run updates | |
sudo apt-get update && sudo apt-get -y upgrade | |
# rpi-update installs pre-release kernel/firmware; the apt upgrade above already ships the stable ones. Skip this unless you specifically need a bleeding-edge kernel. | |
sudo apt install -y rpi-update | |
sudo rpi-update | |
# Reboot | |
sudo reboot | |
######### | |
3. set IP | |
######### | |
# connect the Pi to your router via ethernet | |
# get IP info | |
ifconfig | |
# take note of the following: | |
inet addr | |
bcast | |
mask | |
# get router info | |
sudo route -n | |
# take note of the following: | |
gateway | |
destination | |
# configure static IP | |
sudo nano /etc/network/interfaces | |
# underneath the line `iface eth0 inet x` | |
# fill in with info from above | |
address [current ip] | |
netmask [subnet mask] | |
network [destination] | |
broadcast [broadcast range] | |
gateway [gateway] | |
# reboot | |
sudo reboot | |
################ | |
4. ssh + updates | |
################ | |
# ssh into the pi | |
ssh pi@static-ip | |
# update & upgrade | |
sudo apt-get update && sudo apt-get upgrade | |
########################### | |
5. install + config openvpn | |
########################### | |
# install openvpn | |
sudo apt-get install -y openvpn | |
# execute in root | |
sudo -s | |
# get easy_rsa | |
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa | |
cd /etc/openvpn/easy-rsa | |
# edit easy-rsa conf | |
nano /etc/openvpn/easy-rsa/vars | |
# find the line `EASY_RSA=` | |
export EASY_RSA="/etc/openvpn/easy-rsa" | |
# find `KEY_SIZE=` | |
# 1024-bit RSA is below the current minimum (2048+); note build-dh names its output dh<KEY_SIZE>.pem, so reference dh2048.pem in server.conf | |
export KEY_SIZE=2048 | |
##################### | |
6. build certificates | |
##################### | |
# make sure we're in the right dir | |
cd /etc/openvpn/easy-rsa | |
# load vars | |
source ./vars | |
# clean previous keys | |
./clean-all | |
# build certificate authority | |
./build-ca | |
# complete the location steps as you want them | |
############################ | |
7. build user keys and certs | |
############################ | |
# name your server and build the key | |
./build-key-server x | |
#### | |
IMPORTANT: | |
- make sure common name is your server name | |
- leave challenge password blank | |
#### | |
# build user keys | |
./build-key-pass x | |
# choose a passphrase | |
# leave challenge password blank | |
# generate the certs | |
cd keys | |
# re-encrypts the client's private key under a passphrase (OpenVPN prompts for it on connect). -des3 is the legacy cipher; -aes256 is stronger, but MakeOVPN.sh (step 11) looks for the .3des.key suffix, so keep the filename or update KEY= in that script if you change the cipher | |
openssl rsa -in [username].key -des3 -out [username].3des.key | |
# generate diffie-hellmen exchange | |
cd .. | |
./build-dh | |
# generate HMAC key | |
openvpn --genkey --secret keys/ta.key | |
################### | |
8. configure server | |
################### | |
# create config file | |
nano /etc/openvpn/server.conf | |
# add in your values | |
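# /etc/openvpn/server.conf
local X.X.X.X                                  # your raspi ip (the static LAN address from step 3)
dev tun
proto udp
port 1194                                      # forward UDP 1194 on the router to X.X.X.X
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/SERVER.crt     # SERVER = the name passed to ./build-key-server
key  /etc/openvpn/easy-rsa/keys/SERVER.key     # the server's private key (NOT the dh file)
dh   /etc/openvpn/easy-rsa/keys/dh1024.pem     # ./build-dh writes dh<KEY_SIZE>.pem; use dh2048.pem if you set KEY_SIZE=2048
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route X.X.X.X 255.255.255.0"             # your raspi ip: gives clients a route to the LAN
# Hand VPN clients the Pi itself as resolver so their DNS goes through Pi-hole (step 13).
# Pushing the router's address (e.g. 192.168.0.1) instead would send client DNS around Pi-hole.
push "dhcp-option DNS X.X.X.X"                 # your raspi ip
push "redirect-gateway def1"
# client-to-client lets every VPN client reach every other VPN client; drop it if clients
# only need the LAN. duplicate-cn lets one profile be used by several devices at once,
# which means a lost device cannot be revoked on its own — prefer one cert per device.
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0   # direction 0 here, key-direction 1 in the client profile
cipher AES-128-CBC
# comp-lzo: compressing traffic an attacker can partly control enables VORACLE-style
# plaintext recovery; consider removing it here AND from the client template (Default.txt).
comp-lzo
user nobody                                    # drop root once the tunnel is up
group nogroup
persist-key                                    # required with user/group: keys cannot be re-read after privileges are dropped
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1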
# edit sysctl | |
nano /etc/sysctl.conf | |
# enable packet forwarding by uncommenting `enable packet forwarding` | |
# configure the change if you made it | |
sysctl -p | |
################## | |
9. firewall config | |
################## | |
# set rules to allow traffic from openvpn | |
nano /etc/firewall-openvpn-rules.sh | |
# add the following | |
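#!/bin/sh
# NAT traffic from VPN clients (10.8.0.0/24) out through eth0 using the Pi's static address.
# This is run from `pre-up` in /etc/network/interfaces, which can fire more than once per
# boot; -C checks whether the rule already exists so it is only appended once.
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source X.X.X.X 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source X.X.X.X   # X.X.X.X = your raspi ip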
# change file perms + ownership | |
chmod 700 /etc/firewall-openvpn-rules.sh | |
chown root /etc/firewall-openvpn-rules.sh | |
# add to interfaces so it runs on boot | |
nano /etc/network/interfaces | |
# find `iface eth0 inet static` and underneath add the following | |
pre-up /etc/firewall-openvpn-rules.sh | |
# reboot | |
sudo reboot | |
################## | |
10. configure ddns | |
################## | |
# we're going to use DuckDNS as our ddns | |
# create your domain at duckdns.org | |
# create duck script | |
mkdir duckdns | |
cd duckdns | |
nano duck.sh | |
# add the following | |
# add your domain and token | |
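#!/bin/sh
# DuckDNS updater. The URL carries your account token, so it is handed to curl over
# stdin (-K -) rather than on the command line where `ps` would expose it.
# TLS verification stays ON: the commonly copied `-k` flag would let anyone on the
# path (or a spoofed duckdns.org) read the token.
# `ip=` — set it explicitly, or (per the DuckDNS docs) leave it empty so the service
# uses the address the request came from.
echo url="https://www.duckdns.org/update?domains=YOURDOMAIN&token=YOURTOKEN&ip=YOURIP" | curl -o ~/duckdns/duck.log -K -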
# change perms | |
chmod 700 duck.sh | |
# create a crontab | |
crontab -e | |
# add the following | |
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1 | |
# start the script | |
./duck.sh | |
# verify it worked by checking for OK | |
cat duck.log | |
# configure with ddclient | |
sudo apt-get install ddclient | |
# start ddclient | |
sudo ddclient | |
###################### | |
11. create client keys | |
###################### | |
# we're going to make a script that | |
# automatically generates client keys | |
sudo nano /etc/openvpn/easy-rsa/keys/Default.txt | |
# add the following | |
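# Default.txt — client-side template that MakeOVPN.sh prepends to each profile
client
dev tun
proto udp
remote YOURDOMAIN 1194                 # the DuckDNS name from step 10
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# Check that the server's certificate was issued for a *server* (extendedKeyUsage
# serverAuth, which ./build-key-server sets), so a leaked client cert cannot be used
# to impersonate the server. ns-cert-type was the deprecated form of this check and
# is gone from newer OpenVPN releases.
remote-cert-tls server
key-direction 1                        # pairs with `tls-auth ta.key 0` on the server
cipher AES-128-CBC                     # must match the server's cipher
# comp-lzo must match the server; remove it on both sides (VORACLE) if you drop it there.
comp-lzo
verb 1
mute 20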
# create profile key script | |
nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh | |
# add the following | |
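#!/bin/bash
# MakeOVPN.sh — bundle a client's certificate, its passphrase-protected key, the CA
# certificate and the tls-auth key into a single <client>.ovpn profile.
# Run from /etc/openvpn/easy-rsa/keys, where build-ca / build-key-pass / build-dh
# and `openvpn --genkey` left their output.
set -eu

# The profile embeds a private key: create it 0600 instead of with the default umask.
umask 077

DEFAULT="Default.txt"   # client-side template (step 11)
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"         # key re-encrypted with `openssl rsa -des3` in step 7
CA="ca.crt"
TA="ta.key"

echo "Please enter an existing Client Name:"
read -r NAME            # -r: backslashes in the name are not treated as escapes

# Refuse to build a profile with any input missing, so a half-built .ovpn never ships.
if [ ! -f "$NAME$CRT" ]; then
  echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" >&2
  exit 1
fi
echo "Client's cert found: $NAME$CRT"
if [ ! -f "$NAME$KEY" ]; then
  echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" >&2
  exit 1
fi
echo "Client's Private Key found: $NAME$KEY"
if [ ! -f "$CA" ]; then
  echo "[ERROR]: CA Public Key not found: $CA" >&2
  exit 1
fi
echo "CA public Key found: $CA"
if [ ! -f "$TA" ]; then
  echo "[ERROR]: tls-auth Key not found: $TA" >&2
  exit 1
fi
echo "tls-auth Private Key found: $TA"

OUT="$NAME$FILEEXT"
{
  cat "$DEFAULT"
  echo "<ca>"
  cat "$CA"
  echo "</ca>"
  echo "<cert>"
  # the .crt may carry a text dump ahead of the PEM block; keep only the PEM
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT"
  echo "</cert>"
  echo "<key>"
  cat "$NAME$KEY"
  echo "</key>"
  echo "<tls-auth>"
  cat "$TA"
  echo "</tls-auth>"
} > "$OUT"
echo "Done! $OUT Successfully Created."
#Script written by Eric Jodoin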
# change perms | |
chmod 700 MakeOVPN.sh | |
# run the script | |
# you'll be prompted to add usernames | |
# of the client you generated before | |
# repeat this for every client you've created | |
./MakeOVPN.sh | |
###################### | |
12. export client keys | |
###################### | |
# do NOT chmod 777 /etc/openvpn or the keys directory: that makes the CA and server private keys readable AND writable by every local account | |
# instead, stage a copy in pi's home on the Pi (as root: sudo -s), fetch it over scp, then remove the staging copy | |
cp /etc/openvpn/easy-rsa/keys/CLIENTNAME.ovpn /home/pi/ | |
chown pi:pi /home/pi/CLIENTNAME.ovpn | |
chmod 600 /home/pi/CLIENTNAME.ovpn | |
# from your computer | |
scp pi@PI.IP:CLIENTNAME.ovpn CLIENTNAME.ovpn | |
# back on the Pi: the .ovpn embeds the client's private key and the tls-auth key, so delete the staging copy | |
rm /home/pi/CLIENTNAME.ovpn | |
# the originals under /etc/openvpn/easy-rsa/keys stay root-only (0600); never loosen them | |
########################### | |
13. install + config pihole | |
########################### | |
# install pihole | |
# piping a remote script straight into bash runs whatever the server (or anyone able to tamper with the download) sends, with no chance to inspect it; fetch it, read it, then run it | |
curl -sSL https://install.pi-hole.net -o basic-install.sh | |
less basic-install.sh | |
sudo bash basic-install.sh | |
# configure pihole to eth0 | |
# let dnsmasq listen on all interfaces (not "ports") so VPN clients on tun0 can resolve through Pi-hole too | |
# this also answers anything that can reach port 53 on the Pi: make sure the router does NOT forward 53/tcp or 53/udp to it, or you have built an open resolver | |
pihole -a -i all | |
# add ddns | |
pihole -a hostrecord YOURDOMAIN RASPI.IP | |
# reboot | |
sudo reboot |