installing pihole and openvpn on 1 raspberry pi
############################################
setting up pihole + pivpn on 1 raspberry pi
for fun and profit (and privacy)
############################################
#################
# what you need #
#################
# - 1 raspberry pi
# - 1 5v mini usb power supply
# - 1 ethernet cable
# - 1 micro SD card (any size)
# - 1 SD card reader
# - USB keyboard
# - HDMI monitor + cord
# optional but useful
# SD Card Formatter
https://www.sdcard.org/downloads/formatter_4/
# Etcher
brew cask install etcher
##############
1. prep the OS
##############
# Download Raspbian
https://downloads.raspberrypi.org/raspbian_lite_latest.torrent
# Wipe the SD card with SD Card Formatter
# Use Etcher to write Raspbian to the SD Card
########################
2. initial raspi configs
########################
# Run initial optimization
sudo raspi-config
# Set the following
2 Change User Password -> new password
5 Interfacing Options -> SSH
7 Advanced Options -> 16
# Run updates
sudo apt-get update && sudo apt -y upgrade
sudo apt install -y rpi-update
sudo rpi-update
# Reboot
sudo reboot
#########
3. set IP
#########
# connect the Pi to your router via ethernet
# get IP info
ifconfig
# take note of the following:
inet addr
bcast
mask
# get router info
sudo route -n
# take note of the following:
gateway
destination
# configure static IP
sudo nano /etc/network/interfaces
# set the `iface eth0 inet ...` line to `iface eth0 inet static` and underneath it
# fill in with info from above
address [current ip]
netmask [subnet mask]
network [destination]
broadcast [broadcast range]
gateway [gateway]
# reboot
sudo reboot
################
4. ssh + updates
################
# ssh into the pi
ssh pi@static-ip
# update & upgrade
sudo apt-get update && sudo apt-get upgrade
###########################
5. install + config openvpn
###########################
# install openvpn
sudo apt-get install openvpn
# execute in root
sudo -s
# get easy_rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
# edit easy-rsa conf
nano /etc/openvpn/easy-rsa/vars
# find the line `EASY_RSA=`
export EASY_RSA="/etc/openvpn/easy-rsa"
# find `KEY_SIZE=` (note: 1024-bit RSA is considered weak today; 2048 or larger is the usual minimum, and the dh file name used in step 8 follows this value)
export KEY_SIZE=1024
#####################
6. build certificates
#####################
# make sure we're in the right dir
cd /etc/openvpn/easy-rsa
# load vars
source ./vars
# clean previous keys
./clean-all
# build certificate authority
./build-ca
# complete the location steps as you want them
############################
7. build user keys and certs
############################
# name your server and build the key
./build-key-server x
####
IMPORTANT:
- make sure common name is your server name
- leave challenge password blank
####
# build user keys
./build-key-pass x
# choose a passphrase
# leave challenge password blank
# generate the certs
cd keys
openssl rsa -in [username].key -des3 -out [username].3des.key
# generate Diffie-Hellman parameters
cd ..
./build-dh
# generate HMAC key
openvpn --genkey --secret keys/ta.key
###################
8. configure server
###################
# create config file
nano /etc/openvpn/server.conf
# add in your values
local X.X.X.X # your raspi ip
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/SERVER.crt
key /etc/openvpn/easy-rsa/keys/SERVER.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route X.X.X.X 255.255.255.0" # your raspi ip
push "dhcp-option DNS 192.168.0.1" # should match your router
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
# edit sysctl
nano /etc/sysctl.conf
# enable IPv4 packet forwarding by uncommenting the `net.ipv4.ip_forward=1` line
# apply the change without rebooting
sysctl -p
##################
9. firewall config
##################
# set rules to allow traffic from openvpn
nano /etc/firewall-openvpn-rules.sh
# add the following
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source X.X.X.X # your raspi ip
# change file perms + ownership
chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh
# add to interfaces so it runs on boot
nano /etc/network/interfaces
# find `iface eth0 inet static` and underneath add the following
pre-up /etc/firewall-openvpn-rules.sh
# reboot
sudo reboot
##################
10. configure ddns
##################
# we're going to use DuckDNS as our ddns
# create your domain at duckdns.org
# create duck script
mkdir duckdns
cd duckdns
nano duck.sh
# add the following
# fill in your domain and token (the token is a credential: keep this file and duck.log private)
# note: `-k` disables TLS certificate verification for the duckdns.org request; drop it unless you have a specific reason to keep it
echo url="https://www.duckdns.org/update?domains=YOURDOMAIN&token=YOURTOKEN&ip=YOURIP" | curl -k -o ~/duckdns/duck.log -K -
# change perms
chmod 700 duck.sh
# create a crontab
crontab -e
# add the following
*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1
# start the script
./duck.sh
# verify it worked by checking for OK
cat duck.log
# configure with ddclient
sudo apt-get install ddclient
# start ddclient
sudo ddclient
######################
11. create client keys
######################
# we're going to make a script that
# automatically generates client keys
sudo nano /etc/openvpn/easy-rsa/keys/Default.txt
# add the following
client
dev tun
proto udp
remote YOURDOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
# create profile key script
nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh
# add the following
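#!/bin/bash
# MakeOVPN.sh - bundle one client's OpenVPN material into a single .ovpn file.
#
# Concatenates Default.txt with the CA certificate, the client's certificate
# (PEM block only), the client's 3DES-encrypted private key and the tls-auth
# key, wrapped in the inline <ca>/<cert>/<key>/<tls-auth> tags.
#
# Run it from the easy-rsa keys directory: every path below is relative to the
# current working directory, so it will not find the files from anywhere else.
# Inputs:  client name read from stdin; Default.txt, ca.crt, ta.key,
#          <name>.crt and <name>.3des.key in the current directory
# Outputs: <name>.ovpn in the current directory (owner-only mode when newly
#          created, because it embeds a private key)
# Returns: 0 on success, 1 if the name is invalid or any input file is missing

readonly DEFAULT="Default.txt"
readonly FILEEXT=".ovpn"
readonly CRT=".crt"
readonly KEY=".3des.key"
readonly CA="ca.crt"
readonly TA="ta.key"

echo "Please enter an existing Client Name:"
read -r NAME   # -r: keep backslashes in the name literal
# The name is only ever a file-name prefix; refuse anything empty or
# containing a path separator so the script never reads or writes outside
# the current directory.
if [[ -z "$NAME" || "$NAME" == */* ]]; then
  echo "[ERROR]: Client Name must be a non-empty name without '/': '$NAME'" >&2
  exit 1
fi

if [[ ! -f "$NAME$CRT" ]]; then
  echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" >&2
  exit 1
fi
echo "Client's cert found: $NAME$CRT"
if [[ ! -f "$NAME$KEY" ]]; then
  echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" >&2
  exit 1
fi
echo "Client's Private Key found: $NAME$KEY"
if [[ ! -f "$CA" ]]; then
  echo "[ERROR]: CA Public Key not found: $CA" >&2
  exit 1
fi
echo "CA public Key found: $CA"
if [[ ! -f "$TA" ]]; then
  echo "[ERROR]: tls-auth Key not found: $TA" >&2
  exit 1
fi
echo "tls-auth Private Key found: $TA"

# The profile embeds a private key, so a newly created file should be
# readable by its owner only instead of whatever the default umask allows.
umask 077
# One redirected group instead of a chain of >> appends: the file is written
# in a single pass rather than accumulating pieces one command at a time.
{
  cat "$DEFAULT"
  echo "<ca>"
  cat "$CA"
  echo "</ca>"
  echo "<cert>"
  # easy-rsa .crt files carry a text dump ahead of the PEM block; keep the PEM only
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT"
  echo "</cert>"
  echo "<key>"
  cat "$NAME$KEY"
  echo "</key>"
  echo "<tls-auth>"
  cat "$TA"
  echo "</tls-auth>"
} > "$NAME$FILEEXT"
echo "Done! $NAME$FILEEXT Successfully Created."
#Script written by Eric Jodoin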
# change perms
chmod 700 MakeOVPN.sh
# run the script
# you'll be prompted to add usernames
# of the client you generated before
# repeat this for every client you've created
./MakeOVPN.sh
######################
12. export client keys
######################
# temporarily loosen perms so the profile can be copied out (777 makes the embedded private key readable by every user on the Pi, so revert as soon as the copy is done)
chmod 777 /etc/openvpn
chmod 777 /etc/openvpn/easy-rsa/keys
chmod 777 /etc/openvpn/easy-rsa/keys/CLIENTNAME.ovpn
# copy the files to your computer
scp pi@PI.IP:/etc/openvpn/easy-rsa/keys/CLIENTNAME.ovpn CLIENTNAME.ovpn
# after copying files, change all the perms back to 600
###########################
13. install + config pihole
###########################
# install pihole (this pipes a remote script straight into bash; download and read it first if you want to review what it runs)
curl -sSL https://install.pi-hole.net | bash
# configure pihole to eth0
# allow dnsmasq to listen on all interfaces
pihole -a -i all
# add ddns
pihole -a hostrecord YOURDOMAIN RASPI.IP
# reboot
sudo reboot