Documentation Improvements

[thexmanxyz]

Hey there,

first of all I have to thank you for your great documentation. Even thought I set up my PI in a similar setup before you created the Githup repo, there were still a lot of interesting and helpful things in your repo and docs which also were very useful for me. Especially the cron, ssmtp and maintance steps.

However I noticed a few things which do not work, are not up to date anymore or need some sort of rework.

2-Configuration:

• Pi-hole: https://www.malwaredomainlist.com/hostslist/hosts.txt I'm not sure why but the list is not available / accessible anymore. But however I would remove and skip this step because the Pi-hole team is really into managing the default block lists and I personally would leave the management of the lists to them. It might be just useful to state that lists can be changed and where.
• PiVPN (OpenVPN): interface=tun0 is not necessary anymore as config for dnsmasq so the whole step concerning this can be skipped. The interface=eth0 is also gone from the default configuration and it works flawlessly without I verified that on my PI ;).
• PiVPN (OpenVPN): There is a duplication in the documentation which is also confusing and misleading. Even before the Pi-hole changes it wasn't necessary to specify interface=tun0 in 02-addint.conf and 01-pihole.conf at one of the files would have been enough. Also 01-pihole.conf is overriden on updates so not the best place anyway.

3-Hardening:

• Screenlock protection with xscreensaver: On my setup xscreensaver caused a lot of trouble and I would at least state my findings here. As soon as I installed and configured it it caused a very high load on the PI can't really explain myself but I had to remove it because it was not worth the benefit.

• E-mail capabilities: I would here also do some modifications because the file /etc/default/cron is deprecated and should no be used anymore. I don't know whether this is even necessary because it should be enough to simply set MAILTO= only for root and the default user e.g. pi everything else sound to me a bit of an overload. Because all of the cron jobs within the docs are explicitly done for one of those users. Moreover it would also state here how to exclude the cron mail notification for certain cron tasks because this is necessary if you have some sort of very frequent job which would result in an high amount of emails send to the admin.

• E-mail capabilities: Secondly I would leave beside the crontab -e command a little note that it might be necessary to change the MAILTO= setting for the pi a/o root user with crontab -u pi -e or crontab -u root -e command. This is obvious but would be the right place to state.

• E-mail capabilities: Last but not least I would leave a note that the /etc/ssmtp/ssmtp.conf permissions have to be checked carefully because it contains the credentials for the mail login so it should be in group mail and owned by user root under permissions 0640.

PS.: This is just a draft I will change that one if I have read everything. I already forked the repo and will prepare a PR so you don't have to worry on modifications right now.

[teusink]

Wauw, very nice comment and suggestions! Really appreciated! I will dive in it asap. Staying up-to-date is key in guides like these, so thanks for pointing out already out-dated stuff :).

Edit: Oh, and I'll also wait for the PR before editing it. Again, thanks!

[teusink]

URL: https://www.malwaredomainlist.com/hostslist/hosts.txt --> Needs to be: http://www.malwaredomainlist.com/hostslist/hosts.txt

It's not https...

[teusink]

interface=tun0 --> gone from my setup too, by an update... 💃 So, can indeed by deleted from manual.

[teusink]

/etc/dnsmasq.d/02-addint.conf --> I should have documented the why, so that is a general improvement. Especially when I do not really remember anymore why... I'll look it up.

Could it be to make sure that Pihole is also used when connecting through VPN?

[thexmanxyz]

@teusink Strange I tried also the non-secure version but now it seems to work. Because I directly copied the link to the Pi-hole backend and it didn't resolve (like in browser).

[teusink]

@thexmanxyz Yeah, I had the same experience. If its keep acting strange, I'll remove it :). I really think it worked before through https

[thexmanxyz]

@teusink concerning the /etc/dnsmasq.d/02-addint.conf it was/is for the tun0 and the DNS resolve through the VPN tunnel. However this isn't necessary anymore I have no interface= line in my dnsmasq configs and it resolves and pi holes everything as without the interface line. It seems like pihole now detects multiple interfaces.

[teusink]

E-mail capabilities --> Didn't know about the deprecation. Then indeed it should be avoided. The suggested sudos crontabs are nice. Didn't know it could be that easy. Best indeed to do that.

'But', I do not seem to get emails from cron on the pi-user. Hence I implemented the email. Something I need to look over? I added a MAILTO to the cron of root. Let's wait and see what happens :).

[teusink]

@thexmanxyz Ok, then deletion can be done. Less is more!

[thexmanxyz]

@teusink Yes but please try it before you change it because we have two different configurations...it might still be necessary, maybe I have something else configured which fixes the tun0 for me. It's already months since I set up my DNS :D so I can't 100% say if there is something else involved but I'm pretty sure it isn't necessary.

[teusink]

@thexmanxyz I tried removing file /etc/dnsmasq.d/02-addint.conf, but it killed my dns-resolving through VPN. IP connections still work though!

[thexmanxyz]

@teusink Ok so there might be something else involved because if I add the 02-addint.conf it kills my whole DNS resolving even without the VPN. Will check my configuration again and see why.

[teusink]

@thexmanxyz Agree with /etc/ssmtp/ssmtp.conf Should it suffice to mention: "hey, there is a plaintext pw here, make sure you do not use it elsewhere and chmod it to 0640"?

sudo chmod 0640 ssmtp.conf Doesn't change it. It remains at 683 When opening file with pi (nano) then I see nothing, with root (sudo nano) then I do see the content.

[thexmanxyz]

@teusink Yes concerning ssmtp.conf something like that. But give a bit time and I will carefully update the chapters and create the PR. I will also take a look on the chmod. But I have used something like this dpkg-statoverride --update --add root mail 0640 /etc/ssmtp/ssmtp.conf taken from this debian docs

Ad: that's german sorry...this keeps the permission also after update.

[thexmanxyz]

@teusink 683 is not a valid permission if I'm not totally wrong. If you can't open without sudo it's ok but you can easily check the permissions of the SSMTP config files within the folder with stat -c "%a %n" * to quickly verify what there octal permissions are.

[teusink]

Please keep me posted on further findings! And please say when ready, I'll merge the suggestions. Thanks!

[teusink]

@thexmanxyz With stat -c "%a %n" * it says 640, so I think it defaults already. Nonetheless, this should be included as a note/step in te guide for security purpose due to the plaintext password.

[thexmanxyz]

@teusink Again on the 02-addint.conf I think I know now why I do not need interface=eth0 to define and why this would cause issues if I do so. Maybe you can verify that in your PiVPN configuration. This is something we can also state in the docs.

sudo nano /etc/openvpn/server.conf and check for the following lines

# Set your primary domain name server address for clients
push "dhcp-option DNS xxx.xxx.xxx.xxx" #IP_OF_PIHOLE
push "dhcp-option DNS 8.8.8.8"

I'm pretty sure you do not have the Pi-hole IP defined in the PiVPN configuration file or did not during installation. I did and therefore my requests are automatically pi-holed and yours require an additional dnsmasq config entry. I will verify that and change my settings later to proof that this is the reason for the difference. If you want you can also try to remove 02-addint.conf and add a second DNS config entry to the VPN config and try if it now works without the 02-addint.conf .

[thexmanxyz]

@teusink I keep posting here with more Information I hope this is okay. I know it's already a lot of text. But seems to me to be right to continue because I found out more things which would be really great within the documentation. But more on that later. I already tested a lot of things with all the involved files for DNS, VPN and their settings (which are quite a few) but I'm not completely done. The involved files and option are:

• /etc/openvpn/server.conf
  • push "dhcp-option DNS xxx.xxx.xxx.xxx"
• /etc/dnsmasq.conf and /etc/dnsmasq.d/02-addint.conf [overrides?]
  • interface=tun0 and listen-address=LOOP_IP, TUN_IP, LOCALIP
• /etc/resolv.conf
  • nameserver xxx.xxx.xxx.xxx, domain my.domain, search my.domain

We have to clearly include this information and state what combination should be used because multiple of them work and each tutorial I read included other settings. And I read already four of them :D. I have to better investigate about the exact behaviour of the attributes because I want to know myself.

Additionally I found out that the /etc/resolv.conf MUST be set correctly do empower Pi-hole with the functionality to resolve FQDN of local hosts within the backend (instead of the ip) and on the PI itself. Especially in case of a mixed network consisting of Windows and Linux machines. I will also include information on this topic.

But there is another thing concerning FQDN resolving which I have not found a solution yet and which may also be handled if possible. If a client connects via VPN the resolving should still be possible over the hostname. IDK if this is even achievable but I will find out.

Also I have noticed an issue on my backend, requests are counted twice by Pi-hole if my client is tunneled. Once for the VPN IP and once for the internal IP. But only if the client connects internally to the VPN. IDK if this is just a logging issue or if the DNS request is sent twice. This might be performance relevant.

I wanted to lay my findings down because I have a couple of days no time to finish testing and refine eveything. But now you also have the possibility to test and check yourself if you want. Otherwise I will come back as soon as I have time to finish :). But I think this is already helpful.

[teusink]

Thanks! I will look into it as soon as I can. Let's use this issue indeed to keep all info together.

[teusink]

@thexmanxyz In regard to:

• ssmtp.conf: let's add your suggestion for chmod and its persistence through updates.
• server.conf: I have this: push "dhcp-option DNS 192.x.x.x" and it points to the IP of my Pi.
• 02-addint.conf: With the line above intact, I did remove the file and rebooted the Pi 2 nights ago. Resolving stopped. IP-traffic still worked.
• /etc/dnsmasq.d/02-addint.conf: Has the line: interface=tun0. No listen-address set.
• /etc/dnsmasq.conf: No interface set. No listen-address set.
• /etc/resolv.conf: Has the line: nameserver 127.0.0.1, and a record of the home domain.
• Seeing 2 log entries for resolving in Pihole: might this be a DNS-leak? That your system internally sends the request 2 times, on over VPN, and over the 'other' configured DNS which happens to be the same device?

Let's aim for consistency here indeed. Mentioning multiple ways is also really good, it helps prevent over-configuration which might send you in the dark with future issues.

What are your thoughts on this?

[teusink]

Added label help wanted, because you are helping :) 👍

[thexmanxyz]

@teusink Thanks for your efforts in listing all your settings this is great so I can better verify your it on my PI.

• What is the second line in your /etc/resolv.conf?
• Does DNS resolving via hostnames work over VPN in your tunnel? Does the PI dashboard list the hostnames or 10.8.0.X?
• What have you set here in the backend DNS Setting Pi-Hole?
• So you don't have any doubled requests listed in the dashboard when connected through your private network to the VPN? Because if you don't have it, it is some sort of configuration issue in any of my settings.

I will revert all my setting to yours as soon as I have the missing ones and a bit more time. Then I will check what the results are and what is truely missing / still not working. Because as you see there are a lot of settings and I'm still figuring out what are the side effects of the different settings because not all work together and it can be easily messed up. But we will get a clear view as soon as I go on with my testings. Thanks again for your efforts. I already made another list of things which I noticed through improving my install but not too much at once.

[teusink]

@thexmanxyz No problemo :).

• /etc/resolv.conf shows (only) this:

  # Generated by resolvconf
  domain my.domain
  nameserver 127.0.0.1

• What you mean with resolving hostnames? Something like router.my.domain?

• Interface listening behavior: Listen only on interface eth0. This might be the cause of the interupted resolving right? With deleting 02-addint.conf that is. :)

• In regard to dual recording in log of Pihole query log: -- I do not have resolving while connecting through VPN on internal IP from within the LAN. -- I do have resolving while connecting through VPN on external IP (via ISP, router, Pihole) from within the LAN. -- In the lather case, I see only one resolvement: 2018-03-02 20:28:55 | IPv4 | www.nu.nl | 10.8.x.x | OK (forwarded). Resolving of a internal made up dns-record (for instance: router.my.domain) also works.

Please keep me posted. I'll keep doing my best to check everything you need me to check! 👍

And thank you too!

[teusink]

@thexmanxyz In addition, since changing the permissions (so it seems) of ssmtp.conf, I get this error: Mar 3 02:12:08 hostname cron[297]: sendmail: Cannot open mailhub:25.

I have added a MAILTO=email@address.com using sudo crontab -u root -e to the crontab of root.

I still receive all my own configured mailing, but this error is new in my Logwatch :)

[teusink]

@thexmanxyz If there is anything I can do, please let me know! In the meantime, happy Pi-ing!

[thexmanxyz]

@teusink I think I have everything I need. With hostnames I mean the DN or FQDN of the hosts located in the internal network. So yes exactly e.g. my.computer.domain.

I will also check the interface listening behavior that might also be a factor concerning the issue of the DNS resolving without 02-addint.conf. I'm pretty sure it has an impact.

Concerning the hostname resolving through VPN e.g. router.my.domain. Can you please recheck what you wrote because under that bullet you describe two times two differnt resolving behaviour for internal and external. Just that I can be sure what is the behaviour you see you probably just confused the word not. When you reread you will see what I mean :). You can just correct the post so that I can reconstruct when I compare with my behaviour.

I will rerun the dpkg-statoverride on my pi and see if i get the same error message afterwards. But you should be able to reproduce the error Cannot open mailhub when directly calling mail or ssmpt via terminal. I have also set the cron this way and also for root and do not get this error in Logwatch. However it can be the dpkg-statoverride you can try it again with -remove parameter and then check/correct the permissions, group and ownership afterwards.

I haven't had the time to test further but I will. A bit of patience please, because I take my time to finally finish it :). But still need a few days.

[teusink]

Thanks! Let me retry the resolving part XD

• I do not have resolving: -- while connecting through VPN -- using a local IP (192.168.x.x)
• I do have resolving: -- while connecting through VPN -- using my own public IP (the one from my ISP)

So:

• Computer -> VPN -> PiHole | does not work
• Computer -> Internet -> VPN -> PiHole | does work

[teusink]

In regard to email.

• sudo ssmtp .... works
• ssmtp .... gives access denied error

Seems indeed issues now with sending as the Pi user, due to chmod settings of ssmtp.conf

[teusink]

I made some small changes in the guide in regard to ssmtp and crontab. Nothing fancy, but just so you know!

[thexmanxyz]

@teusink Thanks for info :)

[teusink]

More than 6 months have passed since first report, and more than 5 months have passed since latest comment. For now issue is closed. Of course most suggestion already given are taken in to this guide.

[thexmanxyz]

@teusink Sorry for the late feedback but I didn't even find the time to update my pi-hole in the last months and also didn't get onto it to do a full reconfiguration which I had planed and haven't done until now. The close is just fine, I keep the issue saved and will come back on this. At least to compare the actual state. If there is still something I consider useful I will simply open another issue or just prepare a PR. Sorry for the inconveniences.

[teusink]

@thexmanxyz Really no problem sir, cause your info helped already move this repo forward. Allot have changed since then, so you might want to merge my branch with yours.

Apart from that, feel free to initiate new tickets and thanks again for your time and effort!