Open Beverdam opened 5 years ago
Great idea :) ! This was actually suggested to me by the Pi-hole devs themselves as well, as setting up a public DNS resolver is a really bad idea if you don't know what you're getting into (as stated in the README). Hence they kindly asked me to either remove the public part, or rewrite it in such a way that it can be used only over a VPN connection. Therefore I'll be writing (most of) this playbook asap. Is OpenVPN a hard requirement or are you also open to other VPN protocols, such as WireGuard?
Anyway, I'm short on time this week but I'll try and see what I can come up with within the next 14 days.
Great to read! Most guides use OpenVPN, but other solutions are also possible. Actually, WireGuard might be an even better option since:
The downside of WireGuard is that it's harder to implement and that the documentation is somewhat lacking, although someone did attempt to fix this: https://github.com/pirate/wireguard-docs / https://docs.sweeting.me/s/wireguard#
Some examples on implementation: https://gist.github.com/i4ApvDqgDV/e2e566385cae3081cc9850bdd3ab166f https://medium.com/@aveek/setting-up-pihole-wireguard-vpn-server-and-client-ubuntu-server-fc88f3f38a0a https://www.reddit.com/r/pihole/comments/bnihyz/guide_how_to_install_wireguard_on_a_raspberry_pi/
I already wrote an Ansible Playbook for personal use that sets up WireGuard with Subspace in combination with nginx-proxy and the letsencrypt-proxy-companion, so that part is already covered. The challenge here is to correctly set up routing so it only routes DNS requests instead of all traffic. That I'll have to look into :)
This might be what you are looking for: https://www.reddit.com/r/WireGuard/comments/ak4aiz/dnsonly_tunnel/
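The DNS-only routing discussed in the two comments above comes down to the `AllowedIPs` setting on the client: WireGuard only sends packets into the tunnel when their destination falls inside `AllowedIPs`, so listing just the Pi-hole's tunnel address (rather than `0.0.0.0/0`) makes the tunnel carry DNS and nothing else. The config below is an added example, not part of this project or of the linked thread. The `10.8.0.0/24` subnet, the key strings, the hostname and the interface name `wg0` are all placeholders I made up; the Pi-hole side assumes Pi-hole is told to listen on `wg0` only (its "interface" setting) and that the VPS firewall does not expose port 53 on the public interface.

```ini
# ---- Pi-hole VPS: /etc/wireguard/wg0.conf (server side, example) ----
[Interface]
Address = 10.8.0.1/24            # Pi-hole's tunnel address; also the DNS address handed to clients
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>
# No forwarding or NAT rules: the server never routes client traffic to the internet,
# it only answers DNS (and serves the admin UI) on 10.8.0.1. Pi-hole itself should be
# configured to listen on wg0 only, so UDP/TCP 53 is never reachable from the public side.

[Peer]
# One [Peer] block per client
PublicKey = <CLIENT_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32         # only accept packets sourced from this client's tunnel IP

# ---- Laptop / phone: wg0.conf (client side, example) ----
[Interface]
Address = 10.8.0.2/32
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
DNS = 10.8.0.1                   # resolver = the Pi-hole's tunnel address (wg-quick installs it via resolvconf)

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.invalid:51820   # placeholder hostname for the VPS
AllowedIPs = 10.8.0.1/32         # DNS-only: route ONLY the Pi-hole's address through the tunnel.
                                 # A full tunnel would use 0.0.0.0/0, ::/0 instead.
PersistentKeepalive = 25         # keeps NAT mappings alive so the server can answer queries
```

Two things worth checking after `wg-quick up wg0` on the client: `wg show` should report a recent handshake, and `dig @10.8.0.1 pi.hole` should answer while `dig @10.8.0.1` against the VPS's public IP should time out (if it answers, port 53 is still open publicly, which is exactly what the README warns against). Note that only IPv4 is routed here; if the client has IPv6 resolvers configured by the local network, queries can still leak around the tunnel, so either add the Pi-hole's IPv6 tunnel address to `AllowedIPs` and `DNS` or disable IPv6 DNS on the client.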
Love this project, but would like to use it as a "private" pihole instance, with DNS queries going over OpenVPN (split tunnel) with pihole hosted on a VPS. See this example: https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs
For some reason, I cannot get this to work. I can connect via OpenVPN to the VPS, but no queries can be made or the ad-blocking doesn't work. I am probably fucking up some setting in making the routing work, so to prevent other people from making this mistake: would it be possible to include an OpenVPN container to ensure that everything will work 'out of the box'?
Let me know what you think.