MichaIng / DietPi

Lightweight justice for your single-board computer!
https://dietpi.com/
GNU General Public License v2.0

DietPi-Software | Bundle Pi-hole & PiVPN #1245

Open vmavromatis opened 6 years ago

vmavromatis commented 6 years ago

This is a feature request :)

With these two becoming a very popular option for RPis (and the like) make it so that these two play nicely together. There is a nice guide to make them work together https://itchy.nl/raspberry-pi-3-with-openvpn-pihole-dnscrypt and dnscrypt is surely nice, but if it's too much work it can be skipped. The other two however seem to work very well together (remote network ad-free VPN is awesome - with your phone too!)

Just an idea, let me know what you think.

Fourdee commented 6 years ago

@vmavromatis

Thanks for the request 👍

We've had a few users attempt this installation manually, would be great if we could automate this for them.

If no one else is able to take this on, I'll pick this up when I can (unsure at the moment, lack of time)

vmavromatis commented 6 years ago

@Fourdee many thanks for the response. If this ever does get implemented, it would make sense to tweak the iptables as well accordingly. (I'm still struggling with them, that's why I note this :P)

MichaIng commented 5 years ago

Additional vote for this: https://dietpi.com/phpbb/viewtopic.php?p=15828#p15828

miguipda commented 5 years ago

Hi,

Great to read this should be considered to be implemented in DietPi. I will wait it soon ;-)

LexiconCode commented 5 years ago

Additional vote for this: dietpi.com/phpbb/viewtopic.php?p=15828#p15828

I think you meant for a different Hyperlink.

MichaIng commented 5 years ago

@LexiconCode It's more or less the same: Auto configure Pi-hole and a VPN server (optionally with dnscrypt) to allow e.g. your mobile phone or notebook externally being ad-blocked? But I did not yet add it to our FeatHub page, if you were thinking about this.

Joulinar commented 3 years ago

Is this still a valid request? Because during installation of PiVPN you could specify to use local DNS server

[picture]

MichaIng commented 3 years ago

I think it's not entirely the same aim, while the result could be the same: The PiVPN selection AFAIU is more about defining the upstream DNS that you trust, when using your VPN for other purposes, while the aim of this PR is to set up the VPN only to use Pi-hole remotely. But of course both might be wanted or overlap at least.

Also what I am not 100% sure about is:

Does the PiVPN client setup script as well allow to define which requests to tunnel, or is everything tunnelled by default?


Actually, since we recently implemented the Pi-hole + Unbound co-configuration and I just added OctoPrint + mjpg-streamer, and it is quite some doubled code and guessing involved to configure those to work together automatically, I think it would make sense to instead add dedicated bundled install options, so that when those are selected it is 100% clear that both shall be configured to work together, otherwise it's standalone installs. The same could be done then for:

While PiVPN is great and now again fixed in regards to WireGuard on ARM installs, its WireGuard support is limited compared to ours, and some might not need or want the additional scripts and features it provides.

Joulinar commented 3 years ago

PiVPN is quite simple on this. There is exactly a single place where you can specify the upstream DNS. This is done during installation as shown above. Looks like PiVPN is storing this information somewhere and it's used during client configuration creation. During client creation, nothing is asked, except the client name. Nothing you can specify.

root@DietPi3:~# pivpn add
Enter a Name for the Client: demo
::: Client Keys generated
::: Client config generated
::: Updated server config
::: WireGuard reloaded
======================================================================
::: Done! demo.conf successfully created!
::: demo.conf was copied to /home/dietpi/configs for easy transfer.
::: Please use this profile only on one device and create additional
::: profiles for other devices. You can also use pivpn -qr
::: to generate a QR Code you can scan with the mobile app.
======================================================================
root@DietPi3:~#

By default the entire traffic is routed to the VPN tunnel as AllowedIPs = 0.0.0.0/0, ::0/0 will be set. If you really like to use your own config, better to use DietPi WireGuard 😃

BTW: PiVPN did not detect the new kernel module for WireGuard since we are on kernel 5.10 with RPi OS. 😉

:::    Checking for raspberrypi-kernel-headers... not installed!
:::    Checking for wireguard-tools... not installed!
:::    Checking for wireguard-dkms... not installed!
:::    Checking for qrencode... not installed!

MichaIng commented 3 years ago

Okay, indeed then such a bundle still makes sense, where the VPN is used only for DNS purposes. Then PiVPN actually never was a great choice to achieve this.

BTW: PiVPN did not detect the new kernel module for WireGuard since we are on kernel 5.10 with RPi OS.

Hmm, what's wrong there again? I'll have a look.
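
Added example, not part of any comment in this thread and not PiVPN or DietPi code: a check that tells the full-tunnel profile described above (AllowedIPs = 0.0.0.0/0, ::0/0) apart from a DNS-only profile, and flags a resolver that the tunnel does not carry. The profiles, placeholder keys, endpoint and the 10.6.0.1 Pi-hole address are constructed assumptions.

```python
import configparser
import ipaddress

# Constructed sample profile in wg-quick format; keys are placeholders and
# 10.6.0.1 is an assumed Pi-hole address inside the VPN subnet.
FULL_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""
# Variants: tunnel only the resolver, and a split tunnel that forgets it.
DNS_ONLY = FULL_TUNNEL.replace("0.0.0.0/0, ::0/0", "10.6.0.1/32")
DNS_UNCOVERED = FULL_TUNNEL.replace("0.0.0.0/0, ::0/0", "192.168.1.0/24")


def _items(value):
    """Split a comma-separated wg-quick value into stripped entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def classify(conf_text):
    """Return (mode, uncovered_dns) for a single-peer client profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    nets = [ipaddress.ip_network(n, strict=False)
            for n in _items(cp.get("Peer", "AllowedIPs"))]
    resolvers = []
    for entry in _items(cp.get("Interface", "DNS", fallback="")):
        try:
            resolvers.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # wg-quick also accepts search domains in DNS=; skip them
    # A /0 network means every packet of that address family is tunnelled.
    mode = "full" if any(n.prefixlen == 0 for n in nets) else "split"
    # WireGuard only sends a peer packets whose destination is in its
    # AllowedIPs, so a resolver outside them is not carried by the tunnel.
    uncovered = [str(r) for r in resolvers
                 if not any(r.version == n.version and r in n for n in nets)]
    return mode, uncovered


if __name__ == "__main__":
    for name in ("FULL_TUNNEL", "DNS_ONLY", "DNS_UNCOVERED"):
        print(name, classify(globals()[name]))
```
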

Joulinar commented 3 years ago

Probably 5.10 is still too new and they are lagging behind to adopt?

MichaIng commented 3 years ago

Indeed, although they could have adapted already without breaking anything with older kernel versions.

On all systems it is checked whether WireGuard is builtin or not. But on Raspbian the result of this check is not used to decide whether to install kernel headers and DKMS or not: https://github.com/pivpn/pivpn/blob/master/auto_install/install.sh#L1269 See a few lines below where the WIREGUARD_BUILTIN variable is used intentionally.

I'm gonna fix that: https://github.com/pivpn/pivpn/pull/1243

MichaIng commented 2 years ago

PiVPN (in the meantime?) detects Pi-hole already and allows to configure it as VPN DNS 👍. So nothing to do on that end, but plain OpenVPN and WireGuard install options only.