simonwep / openvpn-pihole
🕵️ A truly delicious combination of two wonderful pieces of software to setup a pi.hole-backed VPN as quick as possible.
License: MIT License
Hi,
I'm creating a simple playbook to prepare a VPS configuration: create your own user, install Docker, configure SSH and finally clone this repo and run docker compose. Let me know if you are interested in it, I can submit a PR soon.
The Docker setup works just out of the box. That is really nice.
But the current installation is vulnerable to amplification attacks through dnsmasq/pi-hole on port 53.
A partial fix could be to add a rate limit on port 53 through iptables:
iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP
Or just remove the open ports 53 & 67 in Docker? Because it already depends on openvpn.
depends_on:
  - "openvpn"
ports:
  - "53:53/tcp"
  - "53:53/udp"
  - "67:67/udp"
The ads still won't show and it keeps the DNS hidden according to https://www.dnsleaktest.com
Greets
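As an added illustration (not code from this issue or from the openvpn-pihole project), the following Python models what the two UDP iptables rules above actually match and rate-limit, so the behaviour can be checked before deploying them. The 40-byte offset (IPv4 header without options + UDP header + DNS header), the '|0000FF0001|' pattern (QTYPE ANY, QCLASS IN) and the 60 s / 3-hit window are taken from the rules; the packets and source addresses are constructed.

```python
import struct
from collections import defaultdict, deque

# Offset used by the UDP rules: 20-byte IPv4 header (no options) + 8-byte UDP
# header + 12-byte DNS header = 40, i.e. the start of the question section.
IPV4_UDP_OFFSET = 20 + 8 + 12
# The '|0000FF0001|' pattern: QTYPE 255 (ANY) followed by QCLASS 1 (IN).
ANY_IN = b"\x00\xff\x00\x01"
FAKE_L3L4 = bytes(28)  # constructed stand-in for the IPv4 + UDP headers


def build_dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal single-question DNS query message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT 1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def is_any_query(datagram: bytes, offset: int = IPV4_UDP_OFFSET) -> bool:
    """What `-m string --from <offset> --algo bm --hex-string '|0000FF0001|'` does:
    a plain substring search from the offset, not a DNS parse. IPv4 options or a
    non-IN class therefore shift or miss the match exactly as they would in iptables."""
    return ANY_IN in datagram[offset:]


class RecentLimiter:
    """Models `-m recent --set` followed by `--rcheck --seconds 60 --hitcount 3`."""

    def __init__(self, seconds: int = 60, hitcount: int = 3):
        self.seconds, self.hitcount = seconds, hitcount
        self.seen = defaultdict(deque)  # source IP -> timestamps of matching packets

    def should_drop(self, src: str, now: float) -> bool:
        hits = self.seen[src]
        while hits and now - hits[0] > self.seconds:  # forget hits outside the window
            hits.popleft()
        hits.append(now)  # --set: the current packet is recorded before the check
        return len(hits) >= self.hitcount  # --rcheck: 3rd ANY query in 60 s is dropped


def filter_packets(packets, limiter=None):
    """packets: iterable of (src_ip, timestamp, raw IPv4 datagram). Returns one
    verdict per packet, 'DROP' or 'ACCEPT', as the two rules would decide."""
    limiter = limiter or RecentLimiter()
    verdicts = []
    for src, ts, pkt in packets:
        dropped = is_any_query(pkt) and limiter.should_drop(src, ts)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts
```

Note that ordinary A queries never enter the recent list, so a legitimate resolver behind the VPN is unaffected unless it really sends repeated ANY queries.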
DHCP does not fully work when enabling it.
I'd already played with pibox, using it as DHCP (background: my livebox/router does not let me choose the DNS, so I simply turn off DHCP there and activate it in pibox).
I was using pibox separately before, until I found your great solution to combine it with openvpn. I'd like to keep your solution, but I need a working DHCP.
I had the same problem when running a single docker container, and it was fixed by using host mode instead of bridge. But as there are two containers, I don't know how to work around this. My knowledge of docker is limited though, maybe you spot the solution easily.
I was not using docker compose, but adding --net=host was the fix. I learnt how to edit the yml file for docker-compose, but after having found the right place for it, it'll end up telling you that you can't combine the options network_mode together with networks.
Glad to help you debug if needed.
Hi, first of all, I really appreciate the work you have done here.
I'm facing a problem with .ovpn files, as every file I generate, despite having a different unique name, always connects with the same IP.
I did update the host in client configuration. I only changed the remote IP before using this command:
docker exec openvpn bash /opt/app/bin/genclient.sh <name> <password?>
This is what I get:
root@docker-ubuntu:~# sudo docker exec openvpn bash /opt/app/bin/genclient.sh raddadz-test
Generate client certificate...
Without password...
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Generating a RSA private key
........................................................................+++++
......+++++
writing new private key to '/opt/app/easy-rsa/pki/easy-rsa-26.Ie6cbd/tmp.KImTmr'
-----
./easyrsa: 341: set: Illegal option -o echo
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Using configuration from /opt/app/easy-rsa/pki/easy-rsa-49.6jqTTg/tmp.1yoe0I
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'ChangeMe'
Certificate is to be certified until Dec 22 06:21:36 2022 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
./easyrsa: 341: set: Illegal option -o echo
/opt/app/bin/genclient.sh: line 42: warning: command substitution: ignored null byte in input
Sync pki directory...
Generate .ovpn file...
OpenVPN Client configuration successfully generated!
Checkout <service-name>/clients/raddadz-test.ovpn
There are two lines I think are causing the problem:
./easyrsa: 341: set: Illegal option -o echo
and
commonName :ASN.1 12:'ChangeMe'
I'm still new to OpenVPN and certificate generation, but I looked into this problem and my results are as follows:
#set_var EASYRSA_REQ_CN "ChangeMe" in vars; set: Illegal option -o echo here; duplicate-cn in server.conf might solve the problem, but I don't think it's the problem, because the generated .ovpn files have different <cert> and <key> values.
I'm not sure what to do as I've tried a couple of solutions and I wasn't able to get different IPs for different clients.
Your guidance will be appreciated.
Hello Simon,
first of all, many thanks for your effort in building this really good app.
I installed some days ago and now I would like to set specific rules based on clients' names. I know that for this purpose I need to have configured the CN field.
What I observed is this:
Generate client certificate...
With password...
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Generating a RSA private key
.......................++++
......................................++++
writing new private key to '/opt/app/easy-rsa/pki/easy-rsa-354.tMEzz9/tmp.tOcYz7'
-----
./easyrsa: 341: set: Illegal option -o echo
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Using configuration from /opt/app/easy-rsa/pki/easy-rsa-377.hkgN63/tmp.5BTZuW
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'test'
Certificate is to be certified until Jul 24 07:58:41 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
./easyrsa: 341: set: Illegal option -o echo
Sync pki directory...
Generate .ovpn file...
OpenVPN Client configuration successfully generated!
Checkout openvpn/clients/test.ovpn
[username@hostname clients]$ openssl x509 -subject -noout -in test.ovpn
subject= /CN=ChangeMe
CN is the default "ChangeMe".
I don't have many skills on the matter, so I don't know how to fix this issue.
Could you help me please in finding a solution?
Thank you.
Bye.
docker-compose is legacy and docker compose should be used instead. Also, after a year the certificate expires; docs should be added about how to refresh it.