mr-bolle / docker-openvpn-pihole

Create a single docker-compose and benefit from Pi-hole when you use a mobile device outside your home network

License: MIT License

Shell 100.00%
dnssec docker-openvpn docker-pi-hole pi-hole

Contributors: darth-veitcher, mr-bolle

docker-openvpn-pihole's Issues

[WIP] Improvement Script

cannot get openvpn and pihole containers working on Raspberry Pi 4 B+ . "Waiting for server response..." in Tunnelblick app

Hello mr-bolle, I cannot get my openvpn and pihole containers working on Raspberry Pi 4 B+ using your script. When I'm adding a newly created ovpn client to my Tunnelblick app on macOS it only displays a message "Waiting for server response..." without any further changes.

I did not modify any of the files and used exactly the same files from your repository except only one thing - I've changed the default openvpn udp port (in your docker-compose.yml it was - "1194:1194/udp"). I've double checked that the same port that I chose I'm using for port forwarding correctly.
Please point me in the right direction.

I have also a few questions:

  1. For openvpn service and pihole service in docker-compose.yml you specified ipv4_address: 172.110.1.3 and ipv4_address: 172.110.1.4 respectively. Should I adjust those IP addresses to fit my local network IP addresses (for example 192.168.1.3, 192.168.1.4)?
  2. In what places do I need to specify my Raspberry Pi IP address?
  3. Should a dynDNS subdomain look only like vpn.<my_domain>.com, or instead of a vpn subdomain name can I use my own subdomain name that I came up with? Should I specify a port in it as well?

Easy-RSA error during installation

Hello, big thank you for your work first!
I've installed Docker and Docker-Compose on my Raspberry Pi 4 with Raspbian as OS following the instructions on https://withblue.ink/2019/07/13/yes-you-can-run-docker-on-raspbian.html
Then I followed your instructions to get docker-openvpn-pihole installed. Everything worked fine until step 3. The following error message occurred and the script was aborted:

We are now at Step 3
Easy-RSA error:
The file '/etc/openvpn/vars' was not found.

Can you please support?

My software versions:
docker-compose version 1.25.5, build unknown
docker-py version: 4.2.0
CPython version: 3.7.3
OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019

Error: "Device "tun0" does not exist."

Context

I have pihole set up already and running in a Docker container on an Apple silicon Mac.
Everything is working well.
But I want to make it work with OpenVPN (to allow iPhone to access even outdoors to block ads),
but I didn't use "tun0" (but eth0) at the very beginning and I don't know where to configure it.
Is there a way to change eth0 to tun0 or add tun0 to make it work with OpenVPN?
Thank you very much 😃

more details:

Pihole running in a container. Config command to pihole I used:
docker run --name=pihole1 -e TZ=Taiwan -e jq-UbajZ=password -e SERVERIP=192.168.0.69 -v pihole_app:/etc/pihole -v dns_config:/etc/dnsmasq.d -p 81:80 -p 53:53/tcp -p 53:53/udp --restart=unless-stopped pihole/pihole

pihole version
Pi-hole version is v5.11.4 (Latest: v5.11.4)
AdminLTE version is v5.13 (Latest: v5.13)
FTL version is v5.16.3 (Latest: v5.16.3)

multiple clients

Hello,

I am having trouble generating a second client.ovpn file. Is it possible to have multiple clients with this setup?

PiHole dual operation (for remote devices & local network)

Question, not an issue:
Is this possible with your image?
It is also described here: https://docs.pi-hole.net/guides/vpn/dual-operation/

Your diagram visualises almost exactly what I would like. I have an Intel/Ubuntu system running docker images already, adding your image would be easy for the road warrior setup.

However I would like to set the PiHole DNS as the DNS server in my home router as well. Is that possible?

I noticed in a closed issue, you recommended someone to install a secondary instance of PiHole. That's really not what I want since I will whitelist some IPs/addresses over time and don't want to manage that on 2 different PiHoles.

Would the documentation mentioned above be applicable to your image?

OpenVPN throwing error on installation

Hello. I'm using RPI 2B DietPI with Docker 19.03.8, and your installation script is throwing an error on Step 2.

Performing Step 1, we are going to make a directory at /openvpn_data

** OpenVPN Data Path is set to: /root/lmao/docker-openvpn-pihole/openvpn_data * *

Please enter your dynDNS Address:
Please choose your Protocol (tcp / [udp]): udp
Please enter the Pi-Hole Admin Password (default [fcvFjLIO2hWhkFCi]): asd

Step 2

Common name not specified, see '-u'
usage: /usr/local/bin/ovpn_genconfig [-d]
-u SERVER_PUBLIC_URL
[-e EXTRA_SERVER_CONFIG ]
[-E EXTRA_CLIENT_CONFIG ]
[-f FRAGMENT ]
[-n DNS_SERVER ...]
[-p PUSH ...]
[-r ROUTE ...]
[-s SERVER_SUBNET]

optional arguments:
-2 Enable two factor authentication using Google Authenticator.
-a Authenticate packets with HMAC using the given message digest algorithm (auth).
-b Disable 'push block-outside-dns'
-c Enable client-to-client option
-C A list of allowable TLS ciphers delimited by a colon (cipher).
-d Disable default route
-D Do not push dns servers
-k Set keepalive. Default: '10 60'
-m Set client MTU
-N Configure NAT to access external server network
-t Use TAP device (instead of TUN device)
-T Encrypt packets with the given cipher algorithm instead of the default on e (tls-cipher).
-z Enable comp-lzo compression.
Cleaning up before Exit ...

If you are still maintaining this repo, fix it please. Thanks!

Creating vpn_pihole error

When I try your script everything runs fine until vpn_pihole needs to be created

I'm getting
ERROR: for vpn_pihole Cannot start service pihole: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:58: mounting \\\"/etc/timezone\\\" to rootfs \\\"/var/lib/docker/overlay2/db5bcd01a6f78bfe2da8c1cd32a47d4f4ace333f0432e0f6ced9349d888edfd9/merged\\\" at \\\"/var/lib/docker/overlay2/db5bcd01a6f78bfe2da8c1cd32a47d4f4ace333f0432e0f6ced9349d888edfd9/merged/etc/timezone\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

Second thing. I cannot find the created key. I looked in /etc/openvpn but there's nothing. It would seem openvpn is up and running.
That was a major stupid moment from me

Pihole to be used from LAN (home)

Hello @mr-bolle,

First of all thank you for your job, I tested connecting to OpenVPN through cell and it's blocking ads.

I'm trying to use Docker Pi-hole as DNS to also block all ads when I navigate from home by LAN without connecting to OpenVPN.

I tried changing DNS on router by setting Pi IP, and also tried to set Docker network gateway IP and Pihole docker network IP.

I'm not a network expert, last time I used Pihole (without Docker), I added Pi IP as DNS in router. With Docker, not sure which IP I need to set up.

It would be great to complete this functionality, blocking all ads also in my home network!

Thank you again.

Use Pi-hole for LAN devices at home

Hello @mr-bolle,

First of all thank you for your job, I tested connecting to OpenVPN through cell and it's blocking ads.

I'm trying to use Docker Pi-hole as DNS to also block all ads when I navigate from home by LAN without connecting to OpenVPN.

I tried changing DNS on router by setting Pi IP, and also tried to set Docker network gateway IP and Pihole docker network IP.

I'm not a network expert, last time I used Pihole (without Docker), I added Pi IP as DNS in router. With Docker, not sure which IP I need to set up.

It would be great to complete this functionality, blocking all ads also in my home network!

Thank you again.

What should be edited to work with my use case?

Hi @mr-bolle,

I want to use OpenVpn and PiHole together but I'm nooby with all of this stuff, it's new for me :)
Hoping you can help me a little bit ;)

I currently have an OpenVpn docker with port-share enabled with the IP (172.24.X.X) of the OpenVPN docker (my configuration):

version: '3'
services:
  openvpn:
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn:latest
    container_name: openvpn
    ports:
      - "443:1194/tcp"
    restart: unless-stopped
    environment:
      - PORT-SHARE=172.24.X.X 444
    volumes:
      - ./openvpn-data/conf:/etc/openvpn

After that, I have in my nginx (virtual-hosts) a listen on 444 to redirect to my azerty.mydomain.com, azerty2.mydomain.com, etc.

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name azerty.mydomain.com;
        return 301 https://$server_name$request_uri;
}

server {
    listen 444 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    root /media/toto/storage;
    autoindex on;
    server_name azerty.mydomain.com;
    location / {
      try_files $uri $uri/ =404;
      auth_basic "Restricted Content";
      auth_basic_user_file /etc/nginx/.htpasswd1;
    }

}

My clients (phone / computer) are directly connected on 443, which is the behavior that I want.

What is the simplest thing I can do to keep this behavior like that?
Do you see something easier? I want to keep the 443 port because 1194 is sometimes blocked in airports, for example ;)

If you can explain to me in a few words what I have to change / what is the best idea, or simply with an updated docker-compose.yml if it's simpler and quicker for you ;)

Thanks

Regards

Can not access pihole admin page

Hi mr-bolle,

First of all, great SW. Working fine out of the box.
But I cannot call the pihole web page.
What I tried:
Choose the browser of my choice.
Type in: http(s)://ipOfServer:portFromComposeFile
Try different IPs:
IP of external server with and without VPN connected
IP of internal pihole 172.110.1.4
Maybe you have a small hint how to connect.

Thanks and Regards

EDIT: If I disconnect the VPN I'm able to connect. Seems something with the routing won't work.
By the way, to protect the pihole web admin, it would be great to only allow connections over VPN.

Dockerfile.aarch64 same file error

Evening,

I have attempted to run the script as stated within this GitHub, but I repeatedly get this error:

cp: 'Dockerfile.aarch64' and 'Dockerfile.aarch64' are the same file

I am unsure what the cause of this is, and would like some advice. Any help would be appreciated.

unbound

Hello,

This is not an issue.
I would like to know if it is possible to implement unbound in order to have my personal recursive DNS?

Thanks for your great job
