Ideally, I like to run one vpn. I have OpenVPN/PiVPN working just fine.
On the PiVPN server, I'd like to run a VPN client to my work office.
It's difficult to get Cisco VPN client and Tunnelblick clients running side-by-side on the same machine, ie my local dev machine, without a seeming hack(see below).
I have it working locally.
- Cisco AnyConnect Client connect to work VPN. Only specific resources are made available. All other traffic is routed as normal.
- Tunnelblick will connect my personal vpn (PiVPN) routing all other traffic.
- With an entry in
/etc/hosts, ie an entry like
18.104.22.168 work-resource.my-company.comI'm able to access URL's that are for work only.
- Without the
/etc/hostsentry, the work resource URL's do not resolve. this seems like a hack. :(
- Maybe this is a DNS or IP mask issue that can be handled through a local OpenVPN config? TBD.
A few notes about what is working for PiVPN:
- OpenConnect connects to my work VPN when logged into the VPN server via ssh. Successfully able to route traffic to my work VPN if I am logged into the server as a user.
- When connected through the VPN, this will NOT route work specific URL's though PiVPN and then through the OpenConnect Client
- WIP/TODO need to figure out how to route select PiVPN traffic throught a local PiVPN server OpenConnect client connection.
- after openconnect install, this works for connection. I did not have any issues getting this to work.
sudo openconnect https://vpn.my-company.com
- I installed the OpenVPN app, Version 3.1.0 (890), on my OS X dev machine as a replacement for Tunnelblick. The OpenVPN app works MUCH better.
- Regardless of app I use to connect to my PiVPN, I first need to connect to my work VPN using the Cisco AnyConnect app and then launch the OpenVPN PiVPN client.
- I still need the dns entry in
/etc/hostsfor my work resource as mentioned above.
- I'm now using
openconnectinstead of Cisco AnyConnect to connect to my work vpn. Install with
brew install openconnect. Run with
sudo openconnect https://vpn.my-office.com. Enter username and password. ez pz.
Another Update, Pi-Hole DNS when on the local network
When on my local network, without running a OpenVPN client on my local machine, I still want to have Pi-Hole handle the the DNS resolution. I followed a few of the instructions online, but mostly this one from Marc Stan. The key to getting DNS resolution to work localally with DHCP, was adding the
eth0 entry to the the config file. The
/etc/dnsmasq.d/02-ovpn.conf file looks like this:
This change allows Pi-hole to listen to both the tunnel connection and the traffic coming into the Pi-Hole DNS from the local network.
dd-wrt on my router.
Running PiVPN(OpenVPN) on UDP and TCP protocols
Sometimes networks block 1194/UDP. Running on 443/TCP might be a way around this.
Install PiVPN and Pihole
Please note, I initially used the recommened
udp protocol and port
1194 when setting up PiVPN. I also made modifiations to my conf files to get PiVPN and PiHole to play nice together for both the VPN connections and local network traffic.
My router handles all port forwarding. (another topic and documented elsewhere.)
cp /etc/openvpn/server.conf /etc/openvpn/server_tcp.conf
Duplicate the current
server.conf file. We'll edit the new version below.
The only lines I need to update were the following:
dev tun_tcp proto tcp port 1194 server 10.9.0.0 255.255.255.0
Keep the rest of the conf file the same.
I'm running pi-hole to resolve dns queries for both vpn and internal network traffic. The
dnsmasq file looks like this:
interface=eth0 interface=tun0 interface=tun_tcp
I needed to add one line,
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
Generated by iptables-save v1.4.21 on Thu Dec 29 19:17:57 2016 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [1:184] :POSTROUTING ACCEPT [1:184] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE COMMIT
This is the easiest way to restart the services, but there are quicker ways to restart services for
openvpn. The Raspberry Pi restarts so fast, whatev's. :)