rajannpatel / pi-hole-pivpn-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-openvpn-configs

Run your own privacy-first ad blocking service in the cloud for free on Google Cloud Services.

License: MIT License

cloud debian free free-software google google-compute-engine google-compute-instance openvpn openvpn-client openvpn-installer openvpn-server pi-hole pihole pivpn vpn vpn-server

Contributors

armaanhammer, markiannucci, rajannpatel

pi-hole-pivpn-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-openvpn-configs's Issues

Can't get the DNS to resolve through pi-hole on Ubuntu 18.04

Hi, when I connect to the VPN using the full UDP tunnel on my Linux machine my public IP becomes the external IP of the GCP VM, but the tests from https://www.dnsleaktest.com still show my ISP's server as the DNS resolver, neither Google's upstream nor Pi-hole itself, and as a consequence no ads are blocked. Using the same profile on Android, though, works perfectly: the public IP is the VM's IP, the leak tests return Google's upstream as the resolver and the ads are blocked.

To run the VPN client I use the following command:
sudo openvpn --config ~/.vpn_profiles/mylaptop-udp-1194-full-tunnel.ovpn

Is there any additional configuration to the client in order to get it to connect properly to the VPN?

During PiVPN Installation, the answer to custom search domain should be no or am I missing something?

Hi.

During PiVPN installation, the guide says to click OK or answer positively to all the prompts until the upstream DNS provider is chosen, so it is not clear whether the custom search domain is required or not. If it is required, a step explaining how to set it correctly is missing. Otherwise, if it is not required, I believe that the following wording should be revised: "Choose OK or answer positively for all the prompts until you have to choose an upstream DNS provider."

Many thanks for this very detailed and well done guide.

DNS Server not getting pushed/used with "OpenVPN for Android" version 0.7.8 released on February 24, 2019

Version
Device Pixel 3 XL
OS Android 9 build # PQ1A.181205.006
OpenVPN for Android 0.7.8

Issue

The DNS Server 10.0.8.1 does not get pushed, so ads begin appearing when using the Split Tunnel VPN Profile on Android, with the "OpenVPN for Android" app.

Workarounds

  1. Open the "OpenVPN for Android" app, and click the Pencil Icon next to your Split Tunnel VPN Profile.
  2. Click the Routing Tab and enable the "Bypass VPN for local Networks", and "Block IPv6 (or IPv4) if not used by the VPN" checkboxes.
  3. Click the IP AND DNS Tab, and specify the 10.0.8.1 in the DNS Server field.

Permanent Solution?

I am still testing these fixes to ensure everything continues working smoothly before updating the documentation. I should have my testing completed in the next couple of days.

Create a DNS for just me minus VPN

Is there a way to do the pihole bit, expose DNS over the public internet via DNS+TLS or 443 (think cloudflared) and then let only my address range work with it?

DNS_PROBE_FINISHED_BAD_CONFIG

Phone: Pixel 3 on beta-enabled Android 9
App: OpenVPN 0.7.5

Does not work with Wi-Fi or Verizon LTE

Went through and checked all settings. However, during check, I forgot to add the firewall rule in VPC Networks. I've since rebooted the instance via SSH, checked the service to see if it's enabled, and I'm not receiving any errors in the log.

log:
2018-12-30 09:41:25 official build 0.7.5 running on google Pixel 3 (blueline), Android 9 (PQ1A.181205.006) API 28, ABI arm64-v8a, (REDACTED)
2018-12-30 09:41:25 Building configuration…
2018-12-30 09:41:25 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2018-12-30 09:41:25 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2018-12-30 09:41:25 Network Status: CONNECTED to WIFI
2018-12-30 09:41:25 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2018-12-30 09:41:25 OpenVPN core 3.git:master(983b0f28) android arm64 64-bit built on May 3 2018 08:32:37
2018-12-30 09:41:25 Copyright (C) 2012-2017 OpenVPN Inc. All rights reserved.
2018-12-30 09:41:25 Frame=512/2048/512 mssfix-ctrl=1250
2018-12-30 09:41:25 UNUSED OPTIONS
0 [machine-readable-output]
1 [allow-recursive-routing]
2 [ifconfig-nowarn]
4 [verb] [4]
5 [connect-retry] [2] [300]
6 [resolv-retry] [60]
16 [nobind]
17 [verify-x509-name] [server_[REDACTED]] [name]
21 [persist-tun]
22 [preresolve]
23 [resolv-retry] [infinite]
2018-12-30 09:41:25 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:25 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:25 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2018-12-30 09:41:25 Contacting [REDACTED]:1194 via UDP
2018-12-30 09:41:25 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:25 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:25 Connecting to [REDACTED]:1194 (REDACTED) via UDPv4
2018-12-30 09:41:25 New OpenVPN Status (CONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:25 New OpenVPN Status (CONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:25 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth SHA256,keysize 128,key-method 2,tls-client
2018-12-30 09:41:25 Creds: UsernameEmpty/PasswordEmpty
2018-12-30 09:41:25 Peer Info:
IV_GUI_VER=de.blinkt.openvpn 0.7.5
IV_VER=3.git:master
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
2018-12-30 09:41:25 VERIFY OK : depth=1
cert. version : 3
serial number : [REDACTED]
issuer name : CN=ChangeMe
subject name : CN=ChangeMe
issued on : 2018-12-30 13:44:02
expires on : 2028-12-27 13:44:02
signed using : ECDSA with SHA256
EC key size : 256 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2018-12-30 09:41:25 VERIFY OK : depth=0
cert. version : 3
serial number : [REDACTED]
issuer name : CN=ChangeMe
subject name : CN=server_[REDACTED]
issued on : 2018-12-30 13:44:02
expires on : 2028-12-27 13:44:02
signed using : ECDSA with SHA256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : server_[REDACTED]
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2018-12-30 09:41:26 SSL Handshake: TLSv1.2/TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
2018-12-30 09:41:26 Session is ACTIVE
2018-12-30 09:41:26 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:41:26 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:41:26 Sending PUSH_REQUEST to server...
2018-12-30 09:41:26 OPTIONS:
0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
1 [route] [172.16.0.0] [255.240.0.0] [net_gateway]
2 [route] [192.168.0.0] [255.255.0.0] [net_gateway]
3 [dhcp-option] [DNS] [10.8.0.1]
4 [block-outside-dns]
5 [compress] [lz4-v2]
6 [route-gateway] [10.8.0.1]
7 [topology] [subnet]
8 [ping] [10]
9 [ping-restart] [60]
10 [ifconfig] [10.8.0.2] [255.255.255.0]
11 [peer-id] [0]
12 [cipher] [AES-256-GCM]
2018-12-30 09:41:26 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA256
compress: LZ4v2
peer ID: 0
2018-12-30 09:41:26 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:41:26 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:41:26 exception parsing IPv4 route: [route] [10.0.0.8] [255.0.0.0] [net_gateway] : tun_prop_error: route is not canonical
2018-12-30 09:41:26 We should call this session[REDACTED]
2018-12-30 09:41:26 Opening tun interface:
2018-12-30 09:41:26 Local IPv4: 10.8.0.2/24 IPv6: null MTU: 1500
2018-12-30 09:41:26 DNS Server: 10.8.0.1, Domain: null
2018-12-30 09:41:26 Routes:
2018-12-30 09:41:26 Routes excluded: 172.16.0.0/12, 192.168.0.0/16
2018-12-30 09:41:26 VpnService routes installed:
2018-12-30 09:41:26 Disallowed VPN apps: com.android.providers.telephony, com.google.android.apps.docs, com.android.vending, com.google.android.apps.tachyon, com.google.android.dialer, com.android.phone
2018-12-30 09:41:26 TunPersist: saving tun context:
Session Name: [REDACTED]
Layer: OSI_LAYER_3
Remote Address: [REDACTED]
Tunnel Addresses:
10.8.0.2/24 -> 10.8.0.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
172.16.0.0/12
192.168.0.0/16
DNS Servers:
10.8.0.1
Search Domains:
2018-12-30 09:41:26 Connected via tun
2018-12-30 09:41:26 LZ4v2 init asym=0
2018-12-30 09:41:26 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): [REDACTED]:1194 ([REDACTED]) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]
2018-12-30 09:41:26 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): [REDACTED]:1194 ([REDACTED]) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]
2018-12-30 09:41:26 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2018-12-30 09:41:31 Network Status: not connected
2018-12-30 09:41:31 Debug state info: not connected, pause: userPause, shouldbeconnected: false, network: PENDINGDISCONNECT
2018-12-30 09:41:31 UDP send exception: send: Invalid argument
2018-12-30 09:41:31 UDP send exception: send: Invalid argument
2018-12-30 09:41:32 UDP send exception: send: Invalid argument
2018-12-30 09:41:32 UDP send exception: send: Invalid argument
2018-12-30 09:41:32 UDP send exception: send: Invalid argument
2018-12-30 09:41:34 Network Status: CONNECTED LTE to MOBILE VZWINTERNET
2018-12-30 09:41:34 Debug state info: CONNECTED LTE to MOBILE VZWINTERNET, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2018-12-30 09:41:34 Client terminated, reconnecting in 1...
2018-12-30 09:41:34 UDP send exception: send: Invalid argument
2018-12-30 09:41:34 UDP send exception: send: Invalid argument
2018-12-30 09:41:35 UDP send exception: send: Invalid argument
2018-12-30 09:41:35 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:35 New OpenVPN Status (RECONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:35 Contacting [REDACTED]:1194 via UDP
2018-12-30 09:41:35 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:35 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:35 Connecting to [[REDACTED]]:1194 ([REDACTED]) via UDPv4
2018-12-30 09:41:35 New OpenVPN Status (CONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:35 New OpenVPN Status (CONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:41:35 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth SHA256,keysize 128,key-method 2,tls-client
2018-12-30 09:41:35 Creds: UsernameEmpty/PasswordEmpty
2018-12-30 09:41:35 Peer Info:
IV_GUI_VER=de.blinkt.openvpn 0.7.5
IV_VER=3.git:master
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
2018-12-30 09:41:35 VERIFY OK : depth=1
cert. version : 3
serial number : B8:3D:BE:29:02:03:A9:E6
issuer name : CN=ChangeMe
subject name : CN=ChangeMe
issued on : 2018-12-30 13:44:02
expires on : 2028-12-27 13:44:02
signed using : ECDSA with SHA256
EC key size : 256 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2018-12-30 09:41:35 VERIFY OK : depth=0
cert. version : 3
serial number : 08:5B:8C:5A:77:E2:F7:B9:CD:38:88:6E:22:39:EA:4C
issuer name : CN=ChangeMe
subject name : CN=server_[REDACTED]
issued on : 2018-12-30 13:44:02
expires on : 2028-12-27 13:44:02
signed using : ECDSA with SHA256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : server_[REDACTED]
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2018-12-30 09:41:35 SSL Handshake: TLSv1.2/TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
2018-12-30 09:41:35 Session is ACTIVE
2018-12-30 09:41:35 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:41:35 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:41:35 Sending PUSH_REQUEST to server...
2018-12-30 09:41:35 OPTIONS:
0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
1 [route] [172.16.0.0] [255.240.0.0] [net_gateway]
2 [route] [192.168.0.0] [255.255.0.0] [net_gateway]
3 [dhcp-option] [DNS] [10.8.0.1]
4 [block-outside-dns]
5 [compress] [lz4-v2]
6 [route-gateway] [10.8.0.1]
7 [topology] [subnet]
8 [ping] [10]
9 [ping-restart] [60]
10 [ifconfig] [10.8.0.2] [255.255.255.0]
11 [peer-id] [1]
12 [cipher] [AES-256-GCM]
2018-12-30 09:41:35 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA256
compress: LZ4v2
peer ID: 1
2018-12-30 09:41:35 TunPersist: reused tun context
2018-12-30 09:41:35 Connected via tun
2018-12-30 09:41:35 LZ4v2 init asym=0
2018-12-30 09:41:35 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): [REDACTED]:1194 ([REDACTED]) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]
2018-12-30 09:41:35 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): [REDACTED]:1194 ([REDACTED]) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]
2018-12-30 09:43:38 New OpenVPN Status (DISCONNECTED->LEVEL_NOTCONNECTED):
2018-12-30 09:43:38 New OpenVPN Status (DISCONNECTED->LEVEL_NOTCONNECTED):
2018-12-30 09:43:38 OpenVPN3 thread finished
2018-12-30 09:46:10 official build 0.7.5 running on google Pixel 3 (blueline), Android 9 (PQ1A.181205.006) API 28, ABI arm64-v8a, ([REDACTED])
2018-12-30 09:46:10 Building configuration…
2018-12-30 09:46:10 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2018-12-30 09:46:10 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2018-12-30 09:46:10 Network Status: CONNECTED to WIFI
2018-12-30 09:46:10 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2018-12-30 09:46:10 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2018-12-30 09:46:10 OpenVPN core 3.git:master(983b0f28) android arm64 64-bit built on May 3 2018 08:32:37
2018-12-30 09:46:10 Copyright (C) 2012-2017 OpenVPN Inc. All rights reserved.
2018-12-30 09:46:10 Frame=512/2048/512 mssfix-ctrl=1250
2018-12-30 09:46:10 UNUSED OPTIONS
0 [machine-readable-output]
1 [allow-recursive-routing]
2 [ifconfig-nowarn]
4 [verb] [4]
5 [connect-retry] [2] [300]
6 [resolv-retry] [60]
16 [nobind]
17 [verify-x509-name] [server_[REDACTED]] [name]
21 [persist-tun]
22 [preresolve]
23 [resolv-retry] [infinite]
2018-12-30 09:46:10 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:46:10 New OpenVPN Status (RESOLVE->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:46:10 Contacting [REDACTED]:1194 via UDP
2018-12-30 09:46:10 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:46:10 New OpenVPN Status (WAIT->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:46:10 Connecting to [[REDACTED]]:1194 ([REDACTED]) via UDPv4
2018-12-30 09:46:10 New OpenVPN Status (CONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:46:10 New OpenVPN Status (CONNECTING->LEVEL_CONNECTING_NO_SERVER_REPLY_YET):
2018-12-30 09:46:10 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth SHA256,keysize 128,key-method 2,tls-client
2018-12-30 09:46:10 Creds: UsernameEmpty/PasswordEmpty
2018-12-30 09:46:10 Peer Info:
IV_GUI_VER=de.blinkt.openvpn 0.7.5
IV_VER=3.git:master
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
2018-12-30 09:46:10 VERIFY OK : depth=1
cert. version : 3
serial number : B8:3D:BE:29:02:03:A9:E6
issuer name : CN=ChangeMe
subject name : CN=ChangeMe
issued on : 2018-12-30 13:44:02
expires on : 2028-12-27 13:44:02
signed using : ECDSA with SHA256
EC key size : 256 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2018-12-30 09:46:10 VERIFY OK : depth=0
cert. version : 3
serial number : 08:5B:8C:5A:77:E2:F7:B9:CD:38:88:6E:22:39:EA:4C
issuer name : CN=ChangeMe
subject name : CN=server_[REDACTED]
issued on : 2018-12-30 13:44:02
expires on : 2028-12-27 13:44:02
signed using : ECDSA with SHA256
EC key size : 256 bits
basic constraints : CA=false
subject alt name : server_[REDACTED]
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2018-12-30 09:46:10 SSL Handshake: TLSv1.2/TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
2018-12-30 09:46:10 Session is ACTIVE
2018-12-30 09:46:10 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:46:10 New OpenVPN Status (GET_CONFIG->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:46:10 Sending PUSH_REQUEST to server...
2018-12-30 09:46:10 OPTIONS:
0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
1 [route] [172.16.0.0] [255.240.0.0] [net_gateway]
2 [route] [192.168.0.0] [255.255.0.0] [net_gateway]
3 [dhcp-option] [DNS] [10.8.0.1]
4 [block-outside-dns]
5 [compress] [lz4-v2]
6 [route-gateway] [10.8.0.1]
7 [topology] [subnet]
8 [ping] [10]
9 [ping-restart] [60]
10 [ifconfig] [10.8.0.2] [255.255.255.0]
11 [peer-id] [0]
12 [cipher] [AES-256-GCM]
2018-12-30 09:46:10 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA256
compress: LZ4v2
peer ID: 0
2018-12-30 09:46:10 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:46:10 New OpenVPN Status (ASSIGN_IP->LEVEL_CONNECTING_SERVER_REPLIED):
2018-12-30 09:46:10 exception parsing IPv4 route: [route] [10.0.0.8] [255.0.0.0] [net_gateway] : tun_prop_error: route is not canonical
2018-12-30 09:46:10 We should call this session[REDACTED]
2018-12-30 09:46:10 Opening tun interface:
2018-12-30 09:46:10 Local IPv4: 10.8.0.2/24 IPv6: null MTU: 1500
2018-12-30 09:46:10 DNS Server: 10.8.0.1, Domain: null
2018-12-30 09:46:10 Routes:
2018-12-30 09:46:10 Routes excluded: 172.16.0.0/12, 192.168.0.0/16
2018-12-30 09:46:10 VpnService routes installed:
2018-12-30 09:46:10 Disallowed VPN apps: com.android.providers.telephony, com.google.android.apps.docs, com.android.vending, com.google.android.apps.tachyon, com.google.android.dialer, com.android.phone
2018-12-30 09:46:10 TunPersist: saving tun context:
Session Name: [REDACTED]
Layer: OSI_LAYER_3
Remote Address: [REDACTED]
Tunnel Addresses:
10.8.0.2/24 -> 10.8.0.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
172.16.0.0/12
192.168.0.0/16
DNS Servers:
10.8.0.1
Search Domains:
2018-12-30 09:46:10 Connected via tun
2018-12-30 09:46:10 LZ4v2 init asym=0
2018-12-30 09:46:10 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): [REDACTED]:1194 ([REDACTED]) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]
2018-12-30 09:46:10 New OpenVPN Status (CONNECTED->LEVEL_CONNECTED): [REDACTED]:1194 ([REDACTED]) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]
2018-12-30 09:46:11 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
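The `tun_prop_error: route is not canonical` line in the log above (it appears again in the Android log further down this thread) is the client refusing a pushed route whose address has host bits set under its netmask: 10.0.0.8 with mask 255.0.0.0 is not a network address, 10.0.0.0 is. The following added example, which is not code from this repository or from OpenVPN, parses the `OPTIONS:` block of an OpenVPN-for-Android log and reports each route a client would reject together with the canonical network it should have been pushed as. The sample log embedded in it is constructed from the lines in this thread; the function and variable names are my own.

```python
"""Audit the routes an OpenVPN server pushes to a client.

Added example, not code from the repository or from OpenVPN. A pushed route
is canonical when no host bits are set under its netmask; OpenVPN for
Android logs "route is not canonical" and drops any route that fails this.
"""
import ipaddress
import re

# Matches pushed route lines as OpenVPN for Android prints them, e.g.
#   0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
ROUTE_LINE = re.compile(
    r"^\s*\d+\s+\[route\]\s+\[([^\]]*)\]\s+\[([^\]]*)\](?:\s+\[([^\]]*)\])?\s*$"
)

# Constructed sample, modelled on the OPTIONS block in the log above.
SAMPLE_LOG = """\
2018-12-30 09:41:26 Sending PUSH_REQUEST to server...
2018-12-30 09:41:26 OPTIONS:
0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
1 [route] [172.16.0.0] [255.240.0.0] [net_gateway]
2 [route] [192.168.0.0] [255.255.0.0] [net_gateway]
3 [dhcp-option] [DNS] [10.8.0.1]
4 [block-outside-dns]
6 [route-gateway] [10.8.0.1]
"""


def check_route(address, netmask=""):
    """Return (is_canonical, canonical_network) for one route.

    `netmask` may be empty when `address` already carries a /prefix, which
    is how the "[192.168.0.14/24] []" form in the later log appears. A
    string that is not an IP route at all yields (False, None).
    """
    spec = address if netmask == "" else f"{address}/{netmask}"
    try:
        # strict=True refuses any address with host bits set under the mask,
        # which is exactly the condition OpenVPN calls "not canonical".
        return True, str(ipaddress.ip_network(spec, strict=True))
    except ValueError:
        try:
            # strict=False clears the host bits, giving the canonical network.
            return False, str(ipaddress.ip_network(spec, strict=False))
        except ValueError:
            return False, None


def audit_pushed_routes(log_text):
    """Parse every pushed route in an OpenVPN-for-Android log.

    Returns one dict per route with its address, netmask, gateway keyword,
    whether it is canonical, and the canonical network.
    """
    findings = []
    for line in log_text.splitlines():
        match = ROUTE_LINE.match(line)
        if not match:
            continue
        address, netmask, gateway = match.groups()
        canonical, network = check_route(address, netmask)
        findings.append({
            "address": address,
            "netmask": netmask,
            "gateway": gateway or "",
            "canonical": canonical,
            "network": network,
        })
    return findings


def noncanonical_routes(log_text):
    """Return a 'pushed -> canonical' string for each route the client would reject."""
    return [
        f"{f['address']}/{f['netmask']} -> {f['network']}"
        for f in audit_pushed_routes(log_text)
        if not f["canonical"]
    ]


if __name__ == "__main__":
    for f in audit_pushed_routes(SAMPLE_LOG):
        status = "ok " if f["canonical"] else "BAD"
        print(f"{status} route {f['address']} {f['netmask']} {f['gateway']} -> {f['network']}")
    for fix in noncanonical_routes(SAMPLE_LOG):
        print("non-canonical:", fix)
```

Run it against a saved client log (or pipe the log into `SAMPLE_LOG`'s place) and every route marked BAD is one the Android client discards with nothing more than that log line; the server-side push for that range should carry the canonical address the script prints instead.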

Full tunnel not using network load?

Hi. First off thanks for the cool guide.
I was able to follow it 100% and get things running OK.
I believe the split tunnel is working as it should on my phone.

But whenever I use the full tunnel and do something with heavy traffic load, like watch youtube, I do not see that network load on the GCP monitoring. The load is still only a few kb, ie. DNS related.
I thought the full tunnel was supposed to run all the traffic through the VPN and even encrypt it?

Voicemails do not download on Pixel while VPN is connected

Describe the bug
Voicemail attachments in the Phone app do not play, it appears the phone is unable to download them while the VPN is connected.

To Reproduce
Steps to reproduce the behavior:

  1. Connect the VPN
  2. Open Google's Phone app
  3. Click the "Voicemail" tab at the bottom
  4. Click Play for an uncached voicemail, it is unable to be downloaded and played.

Expected behavior
Voicemail should play back, if the service is sensitive to DNS the appropriate application should be whitelisted.

Smartphone (please complete the following information):

  • Device: Google Pixel 3 XL
  • OS: Android 9 build# PQ3A.190605.003
  • OpenVPN for Android 0.7.8
  • stock Phone Application

Known Workarounds
Disabling the VPN works.

Instead of whitelisting apps that should not go through the VPN, flipping it around and explicitly declaring which applications should go over the VPN would be better.

Best way to use the static Anycast IP for multiple DNS Servers?

First of all, thank you very much for this guide! This was awesome, I wasn't familiar with setting up a Pi-hole and static IP before, but it was a blast! What an easy setup.

I do have a question, something wasn't really clear for me. The IPv4 address is Anycast, however how do I set up multiple servers?

Let's say I were to have 1 server in the US and 1 in Europe West, what's the best way to do this? I would like to have people in Europe connecting to the europe-west DNS Server and people from the US to the US server. Europe to my US Pi-hole server still gives me about 102 ms for a DNS query.

Edit: I'm not entirely sure what the documentation in REASONS.md says. It tells me that the DNS request would take 1 hop to my nearest ISP on average... However, pinging a website gives me about 100ms, and my surfing is noticeably slower. What is being explained in the REASONS file then? Am I doing something wrong? It would be really great to set this up with the closest PoP Server from Google.

Thanks in advance! Really appreciate you guys taking the time for this.

issue in windows 10

Hi,

I have been connected in Win10 using the TCP split tunnel file (the UDP file cannot connect: "read UDP: Unknown error (code=10054)").
Even though my public IP is not the Google Cloud public IP, the DNS is from Cloudflare (set in the Pi-hole web interface), and in the Pi-hole dashboard I see blocked queries.
Am I OK, or should my public IP be the Google Cloud IP?

Also in Android 8 (OnePlus 6), none of the .ovpn files could establish a connection.
For example, with the TCP full .ovpn file I get this error: "Server poll timeout, trying next remote entry...".

Figure out how bypass deep packet inspection on networks that attempt to block OpenVPN

The Southpark Shopping Mall in Charlotte, NC operated by Simon Properties provides WiFi in the mall. They block OpenVPN with deep packet inspection. Running OpenVPN over Port 443 is not sufficient. Approaches to bypass this include:

  1. OpenVPN over an HTTP or HTTPS proxy
  2. OpenVPN with tls-crypt

Further testing around this is required before updating the documentation.

Connected to VPN, but traffic not going through it

Edit: Actually what I meant is the traffic goes through the VPN, but pi-hole is not working as ads are still being served.

I have rebuilt the VM for the second time following the instructions step by step but I end up in the same place. The only different thing is that on Google I chose a Europe location because it's closer to me, but I don't think that is the issue.

After having everything setup and ready, I connect to the VPN using Tunnelblick but it gives me the error that my IP is the same as before. I can navigate just fine but my IP is the same as before.

I'm successfully connected to the VPN, and if I enter the 10.8.0.1 IP in the address bar I can log into the Pi-hole admin panel.

In the Tunnelblick log I find these notes and warnings:

2019-04-22 15:57:22 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2019-04-22 15:57:22 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1550'

2019-04-22 15:57:22 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

2019-04-22 15:57:23 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: block-outside-dns (2.4.6)

WARNING: Ignoring ServerAddresses '10.8.0.1' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified

What am I missing?

Thanks

Android OpenVPN connection issues

Having trouble getting this to work with Android after getting it to work with my desktop - Any help would be appreciated! Logs below

Device Logs

2019-06-21 19:37:54 official build 0.7.8 running on [REDACTED]
2019-06-21 19:37:54 Building configuration…
2019-06-21 19:37:54 OpenVPN core 3.2 (qa:d87f5bbc04)(icsopenvpn/v0.7.8-0-ga8d2d82c) android arm64 64-bit built on Feb 22 2019 13:59:24
2019-06-21 19:37:54 Copyright (C) 2012-2017 OpenVPN Inc. All rights reserved.
2019-06-21 19:37:54 Frame=512/2048/512 mssfix-ctrl=1250
2019-06-21 19:37:54 UNUSED OPTIONS
1 [verb] [4]
2 [connect-retry] [2] [300]
3 [resolv-retry] [60]
6 [connect-timeout] [60]
15 [nobind]
16 [verify-x509-name] [REDACTED][name]
20 [persist-tun]
21 [preresolve]
22 [resolv-retry] [infinite]
2019-06-21 19:37:54 Network Status: CONNECTED to WIFI [REDACTED]
2019-06-21 19:37:54 Debug state info: CONNECTED to WIFI [REDACTED] pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-06-21 19:37:54 Contacting [REDACTED] via UDP
2019-06-21 19:37:54 Debug state info: CONNECTED to WIFI [REDACTED] pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-06-21 19:37:54 Connecting to [REDACTED] ([REDACTED]) via UDPv4
2019-06-21 19:37:54 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth SHA256,keysize 128,key-method 2,tls-client
2019-06-21 19:37:54 Creds: UsernameEmpty/PasswordEmpty
2019-06-21 19:37:54 Peer Info:
IV_GUI_VER=de.blinkt.openvpn 0.7.8
IV_VER=3.2 (qa:d87f5bbc04)
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
2019-06-21 19:37:54 VERIFY OK: depth=1, /CN=ChangeMe
2019-06-21 19:37:54 VERIFY OK: depth=0, /CN=server_[REDACTED]
2019-06-21 19:37:55 SSL Handshake: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
2019-06-21 19:37:55 Session is ACTIVE
2019-06-21 19:37:55 Sending PUSH_REQUEST to server...
2019-06-21 19:37:55 OPTIONS:
0 [route] [10.0.0.8] [255.0.0.0] [net_gateway]
1 [route] [172.16.0.0] [255.240.0.0] [net_gateway]
2 [route] [192.168.0.0] [255.255.0.0] [net_gateway]
3 [dhcp-option] [DNS] [10.8.0.1]
4 [dhcp-option] [DNS] [10.8.0.1]
5 [block-outside-dns]
6 [compress] [lz4-v2]
7 [route-gateway] [10.8.0.1]
8 [topology] [subnet]
9 [ping] [10]
10 [ping-restart] [60]
11 [ifconfig] [10.8.0.3] [255.255.255.0]
12 [peer-id] [0]
13 [cipher] [AES-256-GCM]
2019-06-21 19:37:55 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA256
compress: LZ4v2
peer ID: 0
2019-06-21 19:37:55 exception parsing IPv4 route: [route] [10.0.0.8] [255.0.0.0] [net_gateway] : tun_prop_error: route is not canonical
2019-06-21 19:37:55 exception parsing IPv4 route: [route] [192.168.0.14/24] [] [vpn_gateway] : tun_prop_error: route is not canonical
2019-06-21 19:37:55 We should call this session [REDACTED]
2019-06-21 19:37:55 Opening tun interface:
2019-06-21 19:37:55 Local IPv4: 10.8.0.3/24 IPv6: (not set) MTU: 1500
2019-06-21 19:37:55 DNS Server: 10.8.0.1, 10.8.0.1, Domain: null
2019-06-21 19:37:55 Routes:
2019-06-21 19:37:55 Routes excluded: 172.16.0.0/12, 192.168.0.0/16
2019-06-21 19:37:55 VpnService routes installed:
2019-06-21 19:37:55 Disallowed VPN apps: com.google.android.gm, com.android.mms, com.android.providers.telephony, com.android.phone, com.google.android.apps.docs, com.google.android.gms, com.android.vending
2019-06-21 19:37:55 TunPersist: saving tun context:
Session Name: [REDACTED]
Layer: OSI_LAYER_3
Remote Address: [REDACTED]
Tunnel Addresses:
10.8.0.3/24 -> 10.8.0.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
172.16.0.0/12
192.168.0.0/16
DNS Servers:
10.8.0.1
10.8.0.1
Search Domains:
2019-06-21 19:37:55 Connected via tun
2019-06-21 19:37:55 LZ4v2 init asym=1
2019-06-21 19:37:55 Debug state info: CONNECTED to WIFI "[REDACTED]", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED

Open VPN profile for Android (tested it with Desktop briefly and it worked)

client
dev tun
proto tcp
remote [REDACTED] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_[REDACTED] name
cipher AES-128-GCM
auth SHA256
auth-nocache
verb 3

-----BEGIN CERTIFICATE----- ...

Leaked DNS, Slow speeds, AWS config Question

So I have been able to mostly get this to work using Google Compute Engine. I am doing the UDP split tunnel on my LG V40 but:

  1. My DNS is being leaked.
  2. The speeds are well under what I would consider acceptable.
  3. I also have AWS set up to do this as well, I think, and I am unsure how I would go about trying to run this through AWS instead of Google. Is it something I can quickly change in the config files (change the IP address to AWS) or does it have to do with the 10.8.0.1 and 10.9.0.1 addresses?

Sorry to roll a few issues into one post. I can split them up if it's more helpful.

RCS messages does not work within Messages app in split tunnel

I noticed that my phone reverts to using SMS messages for contacts who would normally have RCS messages after enabling pi-hole with split tunneling. I started a thread in the pi-hole userspace where one of their developers helped me realize it was the split tunnel that was causing the problem.

I've opened this issue to work through figuring out which apps I need to whitelist in order for RCS messaging to keep working. Unfortunately whitelisting the messages app wasn't sufficient enough :(

Adding automated reboot and pi-hole updates to the guide

Thank you for putting this guide together. I used it.

I noticed that while there is a step to enable auto updates on linux, there isn't a step which encourages us to automate the reboot.

Similarly, there isn't a step to configure auto updates of pi-hole itself.

I'm going to hack away at this and will submit a PR with my updates. I look forward to your thoughts.

Troubleshoot full VPN on port 443

Hi,

I've followed this guide and successfully setup a full tunnel VPN on port 1194.

I've also followed the guide to setup the full tunnel VPN on port 443 however, it appears I've done something wrong as I can't establish a connection to ANYTHING when it's enabled.

I'm a relative noob so can anyone suggest methods, on either my android device or the Google VM, to troubleshoot the problem?

Thanks

Question not an issue

Thanks for the VPN write up, it is working great.

I am very new to VPN's and have some questions.

  1. How can I tell/know what is going through the VPN (tunnel version) and what is not going through it? You state that full tunnel will use a lot of bandwidth on a pc, so what is and what is not going through the split tunnel?

  2. Can I choose what goes through the split tunnel (which programs etc) or not?

Thanks again.

New GCP Pricing for External IPs

First off thanks for the amazing guide!
I've been using this for my phone and laptop for the past few months and it has been working flawlessly.

This morning I've received an email from GCP saying that the pricing for External IPs is going to cost going forwards from January 2020 (however people with current External IPs will have a 3-month discounted rate, so really until April 2020):

How will this affect the VM?
With the costs they've mentioned it looks like it will begin to cost about $2.688p/m (not that it is a huge amount, I would happily pay considering the advantages of remote ad blocking!)

Help resolving hostnames

This guide was fantastic. Thank you. I have the instance running successfully and have four or five devices currently using the OpenVPN. My home network is using DHCP from a Google Wifi Mesh router, and is given addresses in the 192.X.X.X spread. When connected to the pi-hole, the devices are given new IPs (10.8.0.2, .3, .4, .5), I assume because of the POSTROUTING rules added in the guide. Because of that, I can't tell which devices are querying.

I edited the /etc/hosts file to assign these IPs names, and this worked briefly. But when one of them disconnects and another reconnects, the IP is reassigned, so my hosts file becomes misleading.

I have tried the check boxes with conditional forwarding (although I may have done it wrong) and also unchecked the "never forward" checkboxes.

Thanks in advance for any ideas and help.

What is the cleanest way to incorporate IPSec & Wireguard?

After some further research, it appears that a quick way to get a broad range of VPN types supported would require:

  1. following this guide to set up a google cloud account and create compute engine virtual machine instance
  2. install Algo: https://github.com/trailofbits/algo
  3. install Pi-Hole
  4. install PiVPN and complete the remainder of the OpenVPN configurations as per this guide

You will get OpenVPN, IPSec, and Wireguard VPN capability on your Pi-Hole after that.

If anyone succeeds with this end-goal of supporting a broader range of VPN types, please submit a PR.

Reddit app on Android cannot always open web links in-app with a Split Tunnel VPN running

Version

  • Device: Pixel 3 XL
  • OS: Android 9, build PQ1A.181205.006
  • Reddit app: 3.17.1

Issue

The in-app browser fails to open pages. It gets stuck on a screen similar to the one shown on the right:

Workarounds

  1. Go to the Reddit app's Settings, and set the Open web links in-app to Off. Leave the Settings and visit a random link from a Reddit post. It will open a web browser.
  2. Go to the Reddit app's Settings, and set the Open web links in-app to On. Leave the Settings and visit a random link from a Reddit post. It should open within the in-app browser.
  3. Repeat steps 1 and 2 if necessary one more time, this should be sufficient to resolve the problem.

Permanent Solution?

Still looking for a more permanent fix. This may be a Reddit app issue, because other in-app browsers work perfectly. Examples of in-app browsers that always work fine include:

  • Google app version 8.65.4.21.arm64
  • Google News app version 5.7.0

OpenVPN connects but no internet

I generated the .ovpn files and installed OpenVPN.

When I try to navigate there is no internet; on Google Cloud I have all the installations without trouble.

I should be able to navigate, but without ads.

Desktop

  • OS: Windows 10 Pro
  • Chrome

Do you have any tricks or proposed solutions to the problem?

IPv4 traffic not going through Full Tunnel on non-standard Port (443, because 1194 is picked during installation of PiVPN)

Steps to reproduce (these steps match the titles in the README.md)

  1. complete: Compute Engine Virtual Machine Setup
  2. complete: Debian Update & Upgrade
  3. complete: Pi-Hole Installation
  4. complete: PiVPN Installation
  5. complete: OpenVPN Configuration
  6. complete: Managing PiVPN

Importing the mypixel3xl-tcp-443-full-tunnel.ovpn or the mypixel3xl-udp-1194-full-tunnel.ovpn profiles to either Android or iOS results in no IPv4 or IPv6 traffic going through, when the VPN is enabled in "OpenVPN Connect" or in "OpenVPN for Android".

If we modify Step 5 (OpenVPN Configuration):

  • copy server.conf to server_udp1195.conf
  • edit line 3 of server_udp1195.conf to reflect port 1195
  • change server 10.8.0.0 255.255.255.0 to server 10.10.0.0 255.255.255.0
  • change push "dhcp-option DNS 10.8.0.1" to push "dhcp-option DNS 10.10.0.1"
  • edit the Google Cloud Firewall to allow traffic over Port 1195
  • and enable the service with systemctl enable openvpn@server_udp1195.service followed by service openvpn restart

I am noticing that I cannot send Full Tunnel traffic over UDP on Port 1195 either.

If other people set up PiVPN with the wrong protocol/port and attempt to bring OpenVPN to another port using the steps outlined in Step 5 above, they may wind up with a partially functioning VPN Tunnel (with no Full Tunnel capabilities).

Further testing around this is required to validate if this is a real bug, or just me being cross-eyed all day.

VPNserver: 'bash: systemct1: command not found'

Perhaps a video tutorial would be a better option.

There is no clarification on what 'second line' is supposed to mean. A screenshot would be helpful here. I skipped it since it matched three lines already in nano under postrouting.

Add the correct routing rule (the second line)

> -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE

I got to the end of the VPNserver setup and:
'systemctl enable openvpn@server_tcp443.service' returned
'bash: systemct1: command not found'
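The two issues above both touch the same two pieces of plumbing: a second OpenVPN server instance needs its own `server` subnet, its own pushed DNS address and its own firewall port, and every VPN subnet needs a matching POSTROUTING MASQUERADE rule, or clients connect but never get traffic out of the VM. The script below is an added example written for this page, not code from the repository or from either issue. It derives the second-instance config from the steps listed in the port-443 issue (port, subnet, pushed DNS) and then checks which `server` subnets are not covered by a MASQUERADE rule, using a constructed `server.conf` and constructed `iptables-save -t nat` output in place of the real files:

```python
"""Derive a second OpenVPN server instance config and check that the
POSTROUTING MASQUERADE rules cover every VPN subnet.

Added example (not part of the repository or the issue threads). The sample
server.conf and the sample `iptables-save -t nat` text are constructed.
"""
import ipaddress
import re

# Constructed: the relevant lines of a PiVPN-style server.conf
SERVER_CONF = """\
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# push "redirect-gateway def1"
keepalive 10 60
"""

# Constructed: what `iptables-save -t nat` might print on the VM after the
# guide's two POSTROUTING rules (10.8.0.0/24 and 10.9.0.0/24) are added
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""


def derive_instance(conf: str, port: int, subnet: str) -> str:
    """Return a copy of `conf` for a second server instance.

    The `port` line is replaced, the `server` directive is moved to `subnet`,
    and the pushed DNS address becomes the first host of the new subnet,
    which with `topology subnet` is the server's own tun address (where
    Pi-hole answers for that instance). Commented lines are left untouched.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    server_ip = str(net.network_address + 1)
    out = []
    for line in conf.splitlines():
        if re.match(r"^port\s+\d+$", line):
            line = f"port {port}"
        elif re.match(r"^server\s+", line):
            line = f"server {net.network_address} {net.netmask}"
        elif re.match(r'^push "dhcp-option DNS ', line):
            line = f'push "dhcp-option DNS {server_ip}"'
        out.append(line)
    return "\n".join(out) + "\n"


def vpn_subnets(*confs: str):
    """Collect the `server NETWORK NETMASK` subnet of each server config."""
    nets = []
    for conf in confs:
        m = re.search(r"^server\s+(\S+)\s+(\S+)$", conf, re.M)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets


def masqueraded_subnets(iptables_save: str):
    """Source subnets that have a POSTROUTING MASQUERADE rule."""
    pat = re.compile(r"^-A POSTROUTING -s (\S+) -o \S+ -j MASQUERADE$", re.M)
    return [ipaddress.ip_network(s) for s in pat.findall(iptables_save)]


def unmasqueraded(confs, iptables_save):
    """VPN subnets no MASQUERADE rule covers. Clients on them reach the VM,
    but their forwarded traffic cannot leave it ('connects, no internet')."""
    covered = masqueraded_subnets(iptables_save)
    return [str(n) for n in vpn_subnets(*confs)
            if not any(n.subnet_of(c) for c in covered)]


if __name__ == "__main__":
    second = derive_instance(SERVER_CONF, 1195, "10.10.0.0/24")
    print(second)
    print("subnets without NAT:",
          unmasqueraded([SERVER_CONF, second], IPTABLES_SAVE))
```

With the constructed inputs the derived instance lands on 10.10.0.0/24, which neither quoted rule covers, so `unmasqueraded` reports it; adding a third `-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE` line (and the firewall rule for the new port) is what makes the second instance forward traffic.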

After a fresh re-install on a Google Cloud VM Instance I get a tls-crypt error

After a fresh re-install on a Google Cloud VM Instance I get a tls-crypt error server side after I try to connect to it from my OpenVPN Client:

root@pi-hole:~# sudo systemctl status [email protected]
[email protected] - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled)
Active: active (running) since Sat 2019-10-05 20:24:07 UTC; 27min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 611 (openvpn)
CGroup: /system.slice/system-openvpn.slice/[email protected]
└─611 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid

Oct 05 20:50:41 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:41 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:50:43 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:43 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:50:47 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:47 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:50:55 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:50:55 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576
Oct 05 20:51:11 pi-hole ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 05 20:51:11 pi-hole ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]174.3.116.67:51576

Linux pi-hole 4.9.0-11-amd64 #1 SMP Debian 4.9.189-3+deb9u1 (2019-09-20) x86_64

pivpn -d is as follows:

::: Generating Debug Output
:::: PiVPN debug ::::

:::: Latest commit ::::
commit d0c10db6ec391961b7201fb564055c1176ca73e3
Author: 4s3ti [email protected]
Date: Tue Sep 3 10:09:48 2019 +0200

install.sh: apt-get with , uninstall.sh: added var PKG_MANAGER and replaced apt-get with

=============================================
:::: Installation settings ::::
/etc/pivpn/DET_PLATFORM -> Debian
/etc/pivpn/FORWARD_CHAIN_EDITED -> 0
/etc/pivpn/HELP_SHOWN ->
/etc/pivpn/INPUT_CHAIN_EDITED -> 0
/etc/pivpn/INSTALL_PORT -> 1194
/etc/pivpn/INSTALL_PROTO -> udp
/etc/pivpn/INSTALL_USER -> bgrey
/etc/pivpn/NO_UFW -> 1
/etc/pivpn/pivpnINTERFACE -> eth0
/etc/pivpn/TWO_POINT_FOUR ->

:::: setupVars file shown below ::::
INSTALL_USER=bgrey
UNATTUPG=unattended-upgrades
pivpnInterface=eth0
IPv4dns=
IPv4addr=10.138.0.4
IPv4gw=10.138.0.1
pivpnProto=udp
PORT=1194
ENCRYPT=256
APPLY_TWO_POINT_FOUR=true
DOWNLOAD_DH_PARAM=false
PUBLICDNS=
OVPNDNS1=10.8.0.1
OVPNDNS2=

:::: Server configuration shown below ::::
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.crt
key /etc/openvpn/easy-rsa/pki/private/pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0

# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-to-client
# keepalive 1800 3600
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
# cipher AES-256-CBC
cipher AES-128-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
# performance stuff

fast-io
compress lz4-v2
push "compress lz4-v2"

:::: Client template file shown below ::::
client
dev tun
proto udp
remote REMOTE 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name pi-hole_a912429c-0978-4b4f-8910-f3ac71673841 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3

:::: Recursive list of files in ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
extensions.temp
index.txt
index.txt.attr
index.txt.old
issued
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
prime256v1.pem

/etc/openvpn/easy-rsa/pki/issued:
pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
pi-hole_a912429c-0978-4b4f-8910-f3ac71673841.key

/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:

:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [OK] OpenVPN is listening on port 1194/udp

:::: Snippet of the server log ::::
Oct 5 20:24:07 localhost ovpn-server[611]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Oct 5 20:24:07 localhost ovpn-server[611]: Initialization Sequence Completed
Oct 5 20:44:55 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:44:55 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct 5 20:44:58 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:44:58 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct 5 20:45:03 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:45:03 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct 5 20:45:11 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:45:11 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51236
Oct 5 20:50:41 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:50:41 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct 5 20:50:43 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:50:43 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct 5 20:50:47 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:50:47 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct 5 20:50:55 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:50:55 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576
Oct 5 20:51:11 localhost ovpn-server[611]: tls-crypt unwrap error: packet authentication failed
Oct 5 20:51:11 localhost ovpn-server[611]: TLS Error: tls-crypt unwrapping failed from [AF_INET]REDACTED:51576

:::: Debug complete ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.txt
:::

Split tunnel not working on Ubuntu 18.04

Hi,

I have set up a Split Tunnel ovpn following your tutorial. When I choose this profile in Android it works but in Ubuntu (using gnome-manager) it redirects all traffic to the vpn not only the DNS requests. My public IP changes to the VM.

How can I fix it? Thanks in advance.

Autoupdate is not working

Describe the bug
The autoupdate described in the README.md file seems to not work for me.
Here is the cron log (from /var/log/syslog):

cat /var/log/syslog | grep CRON
Aug 31 06:25:02 pi-hole CRON[26368]: (CRON) info (No MTA installed, discarding output)
Aug 31 06:30:01 pi-hole CRON[26518]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 06:39:01 pi-hole CRON[26641]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 06:40:01 pi-hole CRON[26688]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 06:50:01 pi-hole CRON[26794]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 07:00:01 pi-hole CRON[26899]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 07:09:01 pi-hole CRON[27018]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 07:10:01 pi-hole CRON[27075]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 07:17:01 pi-hole CRON[27145]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 07:20:01 pi-hole CRON[27171]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 07:30:01 pi-hole CRON[27289]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 07:39:01 pi-hole CRON[27384]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 07:40:01 pi-hole CRON[27442]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 07:50:01 pi-hole CRON[27537]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 08:00:01 pi-hole CRON[27669]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 08:09:01 pi-hole CRON[27751]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 08:10:01 pi-hole CRON[27809]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 08:17:01 pi-hole CRON[27880]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 08:20:01 pi-hole CRON[27931]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 08:30:01 pi-hole CRON[28038]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 08:39:01 pi-hole CRON[28120]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 08:40:01 pi-hole CRON[28178]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 08:50:01 pi-hole CRON[28306]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 09:00:01 pi-hole CRON[28399]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 09:09:01 pi-hole CRON[28493]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 09:10:01 pi-hole CRON[28541]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 09:17:01 pi-hole CRON[28647]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 09:20:01 pi-hole CRON[28673]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 09:30:01 pi-hole CRON[28773]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 09:39:01 pi-hole CRON[29369]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 09:40:01 pi-hole CRON[29427]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 09:50:01 pi-hole CRON[29527]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 10:00:01 pi-hole CRON[29626]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 10:09:01 pi-hole CRON[29746]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 10:10:01 pi-hole CRON[29804]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 10:17:01 pi-hole CRON[29881]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 10:20:01 pi-hole CRON[29908]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 10:30:01 pi-hole CRON[30043]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 10:39:01 pi-hole CRON[30129]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 10:40:01 pi-hole CRON[30187]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 10:50:01 pi-hole CRON[30280]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 11:00:01 pi-hole CRON[30483]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 11:09:01 pi-hole CRON[30574]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 11:10:01 pi-hole CRON[30632]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 11:17:01 pi-hole CRON[30728]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 11:20:01 pi-hole CRON[30767]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 11:30:01 pi-hole CRON[30862]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 11:39:01 pi-hole CRON[30960]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 11:40:01 pi-hole CRON[31008]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 11:50:01 pi-hole CRON[31146]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 12:00:01 pi-hole CRON[31243]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 12:09:01 pi-hole CRON[31335]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 12:10:01 pi-hole CRON[31393]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 12:17:01 pi-hole CRON[31487]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 12:20:01 pi-hole CRON[31513]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 12:30:01 pi-hole CRON[31606]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 12:39:01 pi-hole CRON[31724]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 12:40:01 pi-hole CRON[31780]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 12:50:01 pi-hole CRON[31874]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 13:00:01 pi-hole CRON[31986]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 13:09:01 pi-hole CRON[32099]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 13:10:01 pi-hole CRON[32157]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 13:17:01 pi-hole CRON[32228]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 13:20:01 pi-hole CRON[32257]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 13:30:01 pi-hole CRON[32394]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 13:39:01 pi-hole CRON[32486]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 13:40:01 pi-hole CRON[32534]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 13:48:01 pi-hole CRON[32619]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker remote)
Aug 31 13:50:01 pi-hole CRON[32663]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 14:00:01 pi-hole CRON[315]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 14:09:01 pi-hole CRON[415]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 14:10:01 pi-hole CRON[466]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 14:17:01 pi-hole CRON[549]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 14:20:01 pi-hole CRON[575]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 14:30:01 pi-hole CRON[695]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 14:39:01 pi-hole CRON[790]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 14:40:01 pi-hole CRON[863]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 14:50:01 pi-hole CRON[956]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 15:00:01 pi-hole CRON[1219]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 15:09:01 pi-hole CRON[1707]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 15:10:01 pi-hole CRON[1828]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 15:17:01 pi-hole CRON[3456]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 15:20:01 pi-hole CRON[3641]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)

This is pihole.log:

Aug 31 06:00:00 dnsmasq[26865]: query[PTR] <...>
Aug 31 06:00:00 dnsmasq[26865]: config <...>
Aug 31 06:00:00 dnsmasq[26865]: query[PTR] <...>
Aug 31 06:00:00 dnsmasq[26865]: config <...>
Aug 31 06:00:00 dnsmasq[26865]: query[PTR] <...>
Aug 31 06:00:00 dnsmasq[26865]: config <...>
Aug 31 06:00:00 dnsmasq[26865]: query[PTR] <...>
Aug 31 06:00:00 dnsmasq[26865]: cached <...>
Aug 31 06:00:00 dnsmasq[26865]: query[PTR] <...>
Aug 31 06:00:00 dnsmasq[26865]: cached <...>
Aug 31 07:00:00 dnsmasq[26865]: query[PTR] <...>

Expected behavior
Pi-hole is updated daily. Web interface shouldn't show that there are updates available
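When a scheduled update "seems not to run", the CRON entries in syslog are the record of what cron actually executed, and the `(No MTA installed, discarding output)` line explains why a failing job would leave no trace of its own. The script below is an added example written for this page, not code from the repository or from the issue above. It parses lines in the format of the excerpt above (the sample lines are constructed), counts which commands ran as which user, and reports whether an expected job ever ran; the expected command is passed in as a placeholder argument, since the README's exact cron line is not reproduced here:

```python
"""Summarise what cron actually ran, from syslog CRON lines.

Added example, not from the repository or the issue above. The syslog lines
below are constructed in the same format as the issue's excerpt.
"""
import re
from collections import Counter

# One CRON line: timestamp, host, pid, "(user) CMD (command)" or "(CRON) info (...)"
CRON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) CRON\[(?P<pid>\d+)\]: "
    r"\((?P<user>[^)]+)\) (?P<kind>CMD|info) \((?P<text>.*)\)$")

# Constructed sample: Pi-hole's own 10-minute update checker runs, the
# hourly run-parts runs, but no update command appears anywhere.
SAMPLE_SYSLOG = """\
Aug 31 06:25:02 pi-hole CRON[26368]: (CRON) info (No MTA installed, discarding output)
Aug 31 06:30:01 pi-hole CRON[26518]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Aug 31 06:39:01 pi-hole CRON[26641]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Aug 31 07:17:01 pi-hole CRON[27145]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Aug 31 13:48:01 pi-hole CRON[32619]: (root) CMD (   PATH="$PATH:/usr/local/bin/" pihole updatechecker remote)
"""

# Placeholder for the update command the README schedules; adjust to the
# exact cron line you installed.
EXPECTED_UPDATE_CMD = "pihole -up"


def parse_cron_lines(text: str):
    """Return one dict per CRON line; non-CRON lines are ignored."""
    events = []
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if m:
            d = m.groupdict()
            d["text"] = d["text"].strip()
            events.append(d)
    return events


def command_counts(events):
    """How often each (user, command) pair was executed."""
    return Counter((e["user"], e["text"]) for e in events if e["kind"] == "CMD")


def job_ran(events, needle: str) -> bool:
    """True if any executed command contains `needle`."""
    return any(e["kind"] == "CMD" and needle in e["text"] for e in events)


def discarded_output(events):
    """Info lines saying cron threw job output away (no MTA to mail it)."""
    return [e for e in events if e["kind"] == "info" and "discarding output" in e["text"]]


def report(text: str, expected_cmd: str) -> dict:
    events = parse_cron_lines(text)
    return {
        "commands": dict(command_counts(events)),
        "expected_job_ran": job_ran(events, expected_cmd),
        "output_discarded": len(discarded_output(events)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SYSLOG, EXPECTED_UPDATE_CMD).items():
        print(f"{key}: {value}")
```

If `expected_job_ran` is False over a window longer than the job's schedule, cron never invoked the line (wrong crontab, wrong user, or syntax cron rejected); if it is True but Pi-hole still reports updates available, the job ran and failed, and because output was discarded the next step is redirecting the job's stdout/stderr to a file.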

UDP:1194 split tunnel didn't work in Tunnelblick until I routed all IPv4 traffic through the VPN

I just wanted to mention, by default, the configuration settings tab in Tunnelblick has Route all IPv4 traffic through the VPN unchecked. As a result, the following warning appears shortly after trying to connect:

This computer's apparent public IP address was not different after connecting to [.ovpn file]. It is still [redacted IP address].
This may mean that your VPN is not configured correctly.

Selecting the option and attempting to reconnect seems to have fixed the issue and is the only way I've been able to get it working using the following server/client config file setup:

server.conf

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_[redacted].crt
key /etc/openvpn/easy-rsa/pki/private/server_[redacted].key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-to-client
# keepalive 1800 3600
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
# cipher AES-256-CBC
cipher AES-128-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 4
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
# performance stuff
fast-io
compress lz4-v2
push "compress lz4-v2"

client.ovpn

client
dev tun
proto udp
remote [redacted] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_[redacted] name
cipher AES-128-GCM
auth SHA256
auth-nocache
verb 4
<ca>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[redacted]
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[redacted]
-----END OpenVPN Static key V1-----
</tls-crypt>

Can you confirm that I haven't done anything "wrong" by selecting that option?

Side Question:
The push "block-outside-dns" line in server.conf causes a warning/error, apparently because the line is for Windows computers. Outside of commenting out the line entirely (which I don't want to do), is there something I can add to my non-Windows client .ovpn files that would get rid of the warning altogether? I've tried both of the following options with no luck, and keep getting a "files or directories don't exist" error even though '/etc/openvpn/update-resolv-conf' is on my VM.

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

and

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre

If my side question is too far out of the scope of the original issue, I can submit a new one.

Thanks
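The tls-crypt issue earlier on this page and the Tunnelblick issue above are both cases where the client profile and the server disagree: `tls-crypt unwrap error: packet authentication failed` is what the server logs when a profile carries a `<tls-crypt>` key that is not the server's current ta.key (for example a profile generated before a reinstall), so packets are dropped before any TLS handshake; and whether a profile is a full or split tunnel depends on whether `redirect-gateway def1` is pushed by the server or set in the profile (Tunnelblick's "Route all IPv4 traffic through the VPN" option adds it on the client side). The script below is an added example written for this page, not code from the repository or from either issue. It parses the inline `<tag>...</tag>` blocks of an .ovpn profile and the directives of server.conf, fingerprints the static key, and reports the mismatches; the profile, the server.conf and both key bodies are constructed placeholders, not real key material:

```python
"""Consistency checks between a client .ovpn profile and the server.

Added example, not from the repository or the issues. All inputs below are
constructed; the key bodies are placeholder hex, not OpenVPN static keys.
"""
import hashlib
import re

KEY_BODY_CURRENT = "\n".join(["00" * 32] * 8)  # constructed: server's current ta.key body
KEY_BODY_STALE = "\n".join(["11" * 32] * 8)    # constructed: key from a previous install


def static_key(body: str) -> str:
    """Wrap a key body in the OpenVPN static-key file framing."""
    return ("#\n# 2048 bit OpenVPN static key\n#\n"
            "-----BEGIN OpenVPN Static key V1-----\n"
            f"{body}\n-----END OpenVPN Static key V1-----\n")


SERVER_TA_KEY = static_key(KEY_BODY_CURRENT)

# Constructed split-tunnel server.conf (redirect-gateway push commented out)
SERVER_CONF = """\
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
# push "redirect-gateway def1"
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-128-GCM
auth SHA256
"""


def client_profile(key_body: str, cipher: str, full_tunnel: bool) -> str:
    """Build a constructed inline profile; the remote host is a placeholder."""
    lines = ["client", "dev tun", "proto udp", "remote vpn.example.invalid 1194",
             "remote-cert-tls server", f"cipher {cipher}", "auth SHA256"]
    if full_tunnel:
        lines.append("redirect-gateway def1")
    return ("\n".join(lines) + "\n<ca>\n[placeholder]\n</ca>\n"
            f"<tls-crypt>\n{static_key(key_body)}</tls-crypt>\n")


INLINE_RE = re.compile(r"<(\w[\w-]*)>\n(.*?)\n</\1>", re.S)


def parse_ovpn(text: str):
    """Split a profile/config into {directive: [values]} and {tag: body}."""
    blocks = {name: body for name, body in INLINE_RE.findall(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())
    return directives, blocks


def key_fingerprint(static_key_text: str) -> str:
    """SHA-256 of the key body only, ignoring comment and BEGIN/END lines."""
    body = [ln.strip() for ln in static_key_text.splitlines()
            if ln.strip() and not ln.startswith(("#", "-----"))]
    return hashlib.sha256("".join(body).encode()).hexdigest()


def check_profile(profile: str, server_conf: str, server_ta_key: str):
    """Return (tunnel mode, list of findings) for a profile against a server."""
    findings = []
    client, blocks = parse_ovpn(profile)
    server, _ = parse_ovpn(server_conf)
    if "tls-crypt" in server:
        if "tls-crypt" not in blocks:
            findings.append("server requires tls-crypt but profile has no <tls-crypt> block")
        elif key_fingerprint(blocks["tls-crypt"]) != key_fingerprint(server_ta_key):
            findings.append("tls-crypt key differs from server ta.key (stale profile): "
                            "server will log 'tls-crypt unwrap error'")
    c_cipher = client.get("cipher", [None])[0]
    s_cipher = server.get("cipher", [None])[0]
    if c_cipher != s_cipher:
        findings.append(f"data-channel cipher differs: client {c_cipher}, server {s_cipher}")
    server_redirects = any("redirect-gateway" in p for p in server.get("push", []))
    mode = "full" if (server_redirects or "redirect-gateway" in client) else "split"
    return mode, findings


if __name__ == "__main__":
    good = client_profile(KEY_BODY_CURRENT, "AES-128-GCM", full_tunnel=False)
    stale = client_profile(KEY_BODY_STALE, "AES-256-CBC", full_tunnel=True)
    print(check_profile(good, SERVER_CONF, SERVER_TA_KEY))
    print(check_profile(stale, SERVER_CONF, SERVER_TA_KEY))
```

On a real system the profile text comes from the .ovpn file and the server key from `/etc/openvpn/easy-rsa/pki/ta.key`; a fingerprint mismatch means the profile must be regenerated, while a cipher difference is only fatal where cipher negotiation is unavailable.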

Questions on this setup

First of all, thanks for this guide. It's awesome!

I have successfully configured both my smartphone and laptop to use PiVPN. I have some technical questions though:

  1. It is suggested to use a split tunnel for PCs due to the amount of data they transfer. What's the problem in using the full tunnel? Is it just a matter of responsiveness?
  2. Why should I use a UDP tunnel over a TCP one? Is it just because UDP is theoretically faster than TCP (due to it being a connectionless protocol)?
  3. I don't quite get how everything is free here. I mean, I see from the billing that it's free, but how is that possible? What's the threshold for paying?

Split Tunnel VPN does not work with Viscosity on Windows

A connection is successfully established, but it is not a Split Tunnel connection. Modifying options in the Viscosity application does not bring about the desired behavior. OpenVPN's client for Windows works perfectly, and is the recommended application for Split Tunnel connections on Windows at this time.

Default gateway not pushed on OSX

Default gateway is not set once connected, DNS does work though.
OpenVPN complains of a pushed config error:

*Tunnelblick: macOS 10.13.6; Tunnelblick 3.7.8 (build 5180); prior version 3.7.7 (build 5150)
2019-03-06 21:39:08 *Tunnelblick: Attempting connection with dine-macbook using shadow copy; Set nameserver = 769; monitoring connection
2019-03-06 21:39:08 *Tunnelblick: openvpnstart start dine-macbook.tblk 57047 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2q
2019-03-06 21:39:08 *Tunnelblick: openvpnstart starting OpenVPN
2019-03-06 21:39:09 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 29 2018
2019-03-06 21:39:09 library versions: OpenSSL 1.0.2q 20 Nov 2018, LZO 2.10
2019-03-06 21:39:09 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:57047
2019-03-06 21:39:09 Need hold release from management interface, waiting...
2019-03-06 21:39:10 *Tunnelblick: openvpnstart log:
OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

      /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2q/openvpn
      --daemon
      --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sdine-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sdine--macbook.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.57047.openvpn.log
      --cd /Library/Application Support/Tunnelblick/Users/dine/dine-macbook.tblk/Contents/Resources
      --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5180 3.7.8 (build 5180)"
      --verb 3
      --config /Library/Application Support/Tunnelblick/Users/dine/dine-macbook.tblk/Contents/Resources/config.ovpn
      --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/dine/dine-macbook.tblk/Contents/Resources
      --verb 3
      --cd /Library/Application Support/Tunnelblick/Users/dine/dine-macbook.tblk/Contents/Resources
      --management 127.0.0.1 57047 /Library/Application Support/Tunnelblick/moigdfhoopbbkmaeognjjgjlpokbdockgjloojde.mip
      --management-query-passwords
      --management-hold
      --script-security 2
      --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
      --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

                                    Disabled IPv6 for 'In-Circuit Debug Interface'
                                    Disabled IPv6 for 'OpenSDA Hardware'
                                    Disabled IPv6 for 'USB ACM'
                                    Disabled IPv6 for 'MBED CMSIS-DAP 2'
                                    Disabled IPv6 for 'MBED CMSIS-DAP'
                                    Disabled IPv6 for 'USB 10/100/1000 LAN'
                                    Disabled IPv6 for 'AX88179 USB 3.0 to Gigabit Ethernet'
                                    Disabled IPv6 for 'BeagleBoneGreen'
                                    Disabled IPv6 for 'BeagleBoneGreen 2'
                                    Disabled IPv6 for 'Wi-Fi'
                                    Disabled IPv6 for 'Bluetooth PAN'
                                    Disabled IPv6 for 'Untitled VLAN'
                                    Retrieved from OpenVPN: name server(s) [ 10.8.0.1 ], search domain(s) [  ] and SMB server(s) [  ] and using default domain name [ openvpn ]
                                    Not aggregating ServerAddresses because running on macOS 10.6 or higher
                                    Setting search domains to 'openvpn' because the search domains were not set manually (or are allowed to be changed) and 'Prepend domain name to search domains' was not selected
                                    Saved the DNS and SMB configurations so they can be restored
                                    Changed DNS ServerAddresses setting from '192.168.1.18 192.168.1.19' to '10.8.0.1'
                                    Changed DNS SearchDomains setting from '' to 'openvpn'
                                    Changed DNS DomainName setting from '' to 'openvpn'
                                    Did not change SMB NetBIOSName setting of ''
                                    Did not change SMB Workgroup setting of ''
                                    Did not change SMB WINSAddresses setting of ''
                                    DNS servers '10.8.0.1' will be used for DNS queries when the VPN is active
                                    NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
                                    Flushed the DNS cache via dscacheutil
                                    /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                    Notified mDNSResponder that the DNS cache was flushed
                                    Notified mDNSResponderHelper that the DNS cache was flushed
                                    Setting up to monitor system configuration with process-network-changes
                                    End of output from client.up.tunnelblick.sh
                                    **********************************************

2019-03-06 21:39:11 *Tunnelblick: Established communication with OpenVPN
2019-03-06 21:39:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:57047
2019-03-06 21:39:11 MANAGEMENT: CMD 'pid'
2019-03-06 21:39:11 MANAGEMENT: CMD 'auth-retry interact'
2019-03-06 21:39:11 MANAGEMENT: CMD 'state on'
2019-03-06 21:39:11 MANAGEMENT: CMD 'state'
2019-03-06 21:39:11 MANAGEMENT: CMD 'bytecount 1'
2019-03-06 21:39:14 MANAGEMENT: CMD 'hold release'
2019-03-06 21:39:14 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-03-06 21:39:14 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-03-06 21:39:14 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-03-06 21:39:14 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-03-06 21:39:14 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-03-06 21:39:14 TCP/UDP: Preserving recently used remote address: [AF_INET]34.73.219.43:1194
2019-03-06 21:39:14 Socket Buffers: R=[196724->196724] S=[9216->9216]
2019-03-06 21:39:14 UDP link local: (not bound)
2019-03-06 21:39:14 UDP link remote: [AF_INET]34.73.219.43:1194
2019-03-06 21:39:14 MANAGEMENT: >STATE:1551908354,WAIT,,,,,,
2019-03-06 21:39:14 MANAGEMENT: >STATE:1551908354,AUTH,,,,,,
2019-03-06 21:39:14 TLS: Initial packet from [AF_INET]34.73.219.43:1194, sid=054429c4 9b65465d
2019-03-06 21:39:15 VERIFY OK: depth=1, CN=ChangeMe
2019-03-06 21:39:15 VERIFY KU OK
2019-03-06 21:39:15 Validating certificate extended key usage
2019-03-06 21:39:15 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-03-06 21:39:15 VERIFY EKU OK
2019-03-06 21:39:15 VERIFY X509NAME OK: CN=server_OmGZw6OMDSLxJWxz
2019-03-06 21:39:15 VERIFY OK: depth=0, CN=server_OmGZw6OMDSLxJWxz
2019-03-06 21:39:16 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1550'
2019-03-06 21:39:16 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-128-GCM'
2019-03-06 21:39:16 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth [null-digest]'
2019-03-06 21:39:16 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2019-03-06 21:39:16 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2019-03-06 21:39:16 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384, 256 bit EC, curve: prime256v1
2019-03-06 21:39:16 [server_OmGZw6OMDSLxJWxz] Peer Connection Initiated with [AF_INET]34.73.219.43:1194
2019-03-06 21:39:17 MANAGEMENT: >STATE:1551908357,GET_CONFIG,,,,,,
2019-03-06 21:39:17 SENT CONTROL [server_OmGZw6OMDSLxJWxz]: 'PUSH_REQUEST' (status=1)
2019-03-06 21:39:17 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,block-outside-dns,compress lz4-v2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
2019-03-06 21:39:17 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: block-outside-dns (2.4.6)
2019-03-06 21:39:17 OPTIONS IMPORT: timers and/or timeouts modified
2019-03-06 21:39:17 OPTIONS IMPORT: compression parms modified
2019-03-06 21:39:17 OPTIONS IMPORT: --ifconfig/up options modified
2019-03-06 21:39:17 OPTIONS IMPORT: route-related options modified
2019-03-06 21:39:17 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2019-03-06 21:39:17 OPTIONS IMPORT: peer-id set
2019-03-06 21:39:17 OPTIONS IMPORT: adjusting link_mtu to 1624
2019-03-06 21:39:17 OPTIONS IMPORT: data channel crypto options modified
2019-03-06 21:39:17 Data Channel: using negotiated cipher 'AES-256-GCM'
2019-03-06 21:39:17 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-03-06 21:39:17 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019-03-06 21:39:17 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2019-03-06 21:39:17 Opened utun device utun1
2019-03-06 21:39:17 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019-03-06 21:39:17 MANAGEMENT: >STATE:1551908357,ASSIGN_IP,,10.8.0.2,,,,
2019-03-06 21:39:17 /sbin/ifconfig utun1 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2019-03-06 21:39:18 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2019-03-06 21:39:18 /sbin/ifconfig utun1 10.8.0.2 10.8.0.2 netmask 255.255.255.0 mtu 1500 up
2019-03-06 21:39:18 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
2019-03-06 21:39:18 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1552 10.8.0.2 255.255.255.0 init
**********************************************
Start of output from client.up.tunnelblick.sh
2019-03-06 21:39:41 Initialization Sequence Completed
2019-03-06 21:39:41 MANAGEMENT: >STATE:1551908381,CONNECTED,SUCCESS,10.8.0.2,34.73.219.43,1194,,
2019-03-06 21:39:42 *Tunnelblick: No 'connected.sh' script to execute
2019-03-06 21:39:43 *Tunnelblick process-network-changes: A system configuration change was ignored
2019-03-06 21:44:10 *Tunnelblick process-network-changes: A system configuration change was ignored
2019-03-06 21:46:58 *Tunnelblick process-network-changes: A system configuration change was ignored
2019-03-06 21:55:24 *Tunnelblick: Disconnecting; 'Disconnect' (toggle) menu command invoked
2019-03-06 21:55:25 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2019-03-06 21:55:25 *Tunnelblick: Disconnecting using 'kill'
2019-03-06 21:55:25 event_wait : Interrupted system call (code=4)
2019-03-06 21:55:25 Closing TUN/TAP interface
2019-03-06 21:55:25 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun1 1500 1552 10.8.0.2 255.255.255.0 init
**********************************************
Start of output from client.down.tunnelblick.sh
Cancelled monitoring of system configuration changes
Ignoring change of Network Primary Service from D5F39148-C221-45F5-8F27-60DE88B796C3 to D1ADC770-729A-497F-AD8B-56271038EC46
Restored the DNS and SMB configurations
Re-enabled IPv6 (automatic) for 'In-Circuit Debug Interface'
Re-enabled IPv6 (automatic) for 'OpenSDA Hardware'
Re-enabled IPv6 (automatic) for 'USB ACM'
Re-enabled IPv6 (automatic) for 'MBED CMSIS-DAP 2'
Re-enabled IPv6 (automatic) for 'MBED CMSIS-DAP'
Re-enabled IPv6 (automatic) for 'USB 10/100/1000 LAN'
Re-enabled IPv6 (automatic) for 'AX88179 USB 3.0 to Gigabit Ethernet'
Re-enabled IPv6 (automatic) for 'BeagleBoneGreen'
Re-enabled IPv6 (automatic) for 'BeagleBoneGreen 2'
Re-enabled IPv6 (automatic) for 'Wi-Fi'
Re-enabled IPv6 (automatic) for 'Bluetooth PAN'
Re-enabled IPv6 (automatic) for 'Untitled VLAN'
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
/Library/Application Support/Tunnelblick/expect-disconnect/ALL does not exist
End of output from client.down.tunnelblick.sh
**********************************************
2019-03-06 21:55:37 SIGTERM[hard,] received, process exiting
2019-03-06 21:55:37 MANAGEMENT: >STATE:1551909337,EXITING,SIGTERM,,,,,
2019-03-06 21:55:37 *Tunnelblick: No 'post-disconnect.sh' script to execute
2019-03-06 21:55:38 *Tunnelblick: Expected disconnection occurred.

All tunnels not working in apps like YouTube, Instagram, etc.

All tunnels work fine, show no issue in leakdown, work fine on ad-block checkers and block most ads in the browser.
Apps like YouTube and Instagram, for example, are unaffected; YouTube pre-video ads still play, etc.

Running the latest app updates on iOS 12.4.

Is another ad-block list or something needed?

VPN connection established, but no pages load using URLs

Initial note

I missed this step ("Click Settings, and navigate to DNS. Set your Interface Listening Behavior to Listen on All Interfaces on this page.") when I ran through the initial setup, so if any of the subsequent scripts needed that option enabled, they would not have had it. Well into troubleshooting afterward, I discovered that I had missed it and enabled it. Then I restarted the system with it enabled. This may or may not be relevant.

Problem description

When connecting with a Pixel 2, I am able to establish a VPN. If I navigate to 10.8.0.1 or 10.8.0.1/admin from a browser, I see the relevant PiHole pages. No URL requests complete, though. I suspect that some kind of DNS configuration is wrong either on the VPN side or the PiHole side.

To attempt to isolate the problem, I installed lynx on the VM, and successfully navigated to several webpages. The requests showed up in the PiHole logs. No other requests exist in the PiHole logs however. All connections have originated from localhost. (Perhaps this will always be the case, even when the VPN is functioning properly?)

A few questions about this guide and Pi-Hole setup

Hi there,

After setting up Pi-Hole and PiVPN on Google Cloud Platform and testing everything, I have a few questions/doubts that I can't find answered anywhere. Would love it if you could clarify these for me:

  1. I understand that one of the reasons for 128-bit encryption is "128 bit encryption offers a 40% savings on CPU time over 256 bit encryption." and that's nice, but is 128-bit encryption really enough nowadays? Most VPN guides always seem to recommend 256-bit encryption.

  2. What's the recommended way to completely block the Pi-Hole DNS server installed on Google Cloud Platform so that it's only accessible through the VPN? I've added this rule to my firewall:

    [image of the firewall rule]
    Is this the best way to achieve that, or do you recommend something else?

  3. In the Pi-hole installation step, it's suggested to disable blocking ads over IPv6. Why? What's the reasoning for this? Does Pi-Hole not work with IPv6 ad blocking? What will happen if I enable it again?

  4. I have changed the cipher in both the server and client profiles to AES-128-GCM as the guide recommends, but for some reason OpenVPN Connect for Android seems to be forcing AES-256-GCM (here's a log file for my home VPN exhibiting the exact same issue). Do you have any idea why?

That's about it for now, thank you for this awesome guide :)

Use `tls-auth` if you get `TLS handshake failed`

Today I found out that my Asus DSL-AC52U was always failing to connect to the OpenVPN server because of `TLS handshake failed`. I tried changing the TLS configuration from `tls-crypt` to `tls-auth` on both the server and client side, and it worked!

What I did was:

  1. In the server configuration (`server.conf` and `server_tcp443.conf`), I replaced `tls-crypt /etc/openvpn/easy-rsa/pki/ta.key` with `tls-auth /etc/openvpn/easy-rsa/pki/ta.key`.
  2. In the `.ovpn` client file, I replaced `<tls-crypt> ... </tls-crypt>` with `<tls-auth> ... </tls-auth>`.

Hopefully this will help anyone who runs into the same problem as me.
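
As an added example (not code from the repository or from the issue author), the check below reads a `server.conf` and a client `.ovpn` and reports the control-channel wrap mismatches that surface as `TLS handshake failed`: different wrap modes on the two sides, or `tls-auth` key directions that do not complement each other. The sample configs inside it are constructed, `vpn.example.invalid` is a placeholder, and only the `ta.key` path is taken from the issue.

```python
import re

# Constructed sample configs (not from the repository). The ta.key path is the one
# the issue quotes; the pair below is the "before" state: a tls-crypt server and a
# router client that only speaks tls-auth.
SERVER_TLS_CRYPT = """port 1194
proto udp
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
"""
SERVER_TLS_AUTH = SERVER_TLS_CRYPT.replace("tls-crypt", "tls-auth")
CLIENT_TLS_AUTH = """client
remote vpn.example.invalid 1194 udp
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def control_channel_wrap(config: str) -> dict:
    """Extract how a config wraps the control channel:
    {'mode': 'tls-crypt' | 'tls-auth' | None, 'direction': '0' | '1' | None}.
    Handles the file-path form ("tls-auth ta.key 0") as well as inline
    <tls-auth>/<tls-crypt> blocks combined with a separate key-direction line."""
    mode = direction = None
    for m in re.finditer(r"^\s*(tls-crypt|tls-auth)\s+\S+(?:\s+([01]))?\s*$", config, re.M):
        mode, direction = m.group(1), m.group(2)
    for m in re.finditer(r"^\s*<(tls-crypt|tls-auth)>\s*$", config, re.M):
        mode = m.group(1)
    kd = re.search(r"^\s*key-direction\s+([01])\s*$", config, re.M)
    if kd:
        direction = kd.group(1)
    return {"mode": mode, "direction": direction}


def diagnose(server_conf: str, client_ovpn: str) -> list:
    """Return the control-channel mismatches that make OpenVPN report
    'TLS handshake failed'; an empty list means the two sides agree."""
    s, c = control_channel_wrap(server_conf), control_channel_wrap(client_ovpn)
    problems = []
    if s["mode"] != c["mode"]:
        problems.append(f"wrap mismatch: server uses {s['mode']}, client uses {c['mode']}")
    elif s["mode"] == "tls-auth":
        # tls-auth keys are directional: either both sides omit the direction
        # (bidirectional key) or one side uses 0 and the other 1.
        if (s["direction"] is None) != (c["direction"] is None):
            problems.append("tls-auth key-direction is set on only one side")
        elif s["direction"] is not None and s["direction"] == c["direction"]:
            problems.append(f"tls-auth key-direction is {s['direction']} on both sides; one must be 0 and the other 1")
    return problems


if __name__ == "__main__":
    print(diagnose(SERVER_TLS_CRYPT, CLIENT_TLS_AUTH))  # the failing pair from the issue
    print(diagnose(SERVER_TLS_AUTH, CLIENT_TLS_AUTH))   # after the swap: []
```

Keep in mind that `tls-auth` only HMAC-authenticates control-channel packets, whereas `tls-crypt` also encrypts them, so the swap keeps the handshake authenticated but exposes its metadata; tunnel data encryption is unaffected.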

"Phone", "Phone and Messaging Storage" and "Phone Services" applications do not work with Split Tunnel VPN on a Pixel Phone with OpenVPN Connect, must whitelist these apps under OpenVPN for Android

Voicemails cannot be played.

The "Phone", "Phone and Messaging Storage" and "Phone Services" applications had to be whitelisted inside OpenVPN for Android on Pixel phones to resolve this issue. Because OpenVPN Connect does not support whitelisting individual applications, we cannot use OpenVPN Connect.
