simonwep / openvpn-pihole
🕵️ A truly delicious combination of two wonderful pieces of software to set up a pi.hole-backed VPN as quickly as possible.

License: MIT License

Shell 84.05% Dockerfile 15.95%
openvpn openvpn-server pihole openvpn-installer docker-compose docker containerization docker-image


openvpn-pihole's Issues

amplification attack dnsmasq-pi-hole

The Docker setup works just out of the box. That is really nice.
But the current installation is vulnerable to an amplification attack through dnsmasq-pi-hole on port 53.

A partial fix could be to add a rate limit on port 53 through iptables:

    iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
    iptables -A INPUT -p udp --dport 53 -m string --from 40 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP
    iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
    iptables -A INPUT -p tcp --dport 53 -m string --from 52 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 3 -j DROP

Or just remove the open ports 53 & 67 in Docker? Because it already depends on openvpn.

    depends_on:
      - "openvpn"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"

The ads still won't show, and it keeps the DNS hidden through https://www.dnsleaktest.com

Greets
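One way to check a compose file's `ports:` entries for the exposure described in this report, as an added example that is not part of the openvpn-pihole project: the script parses Docker's short mapping syntax and flags any entry that publishes port 53 or 67 on every host interface. The mapping list is a constructed sample that includes the three lines quoted above; the 127.0.0.1 entry is an assumed interface-restricted alternative, not something the project ships.

```python
"""Flag docker-compose port mappings that publish Pi-hole's DNS/DHCP ports
on every host interface.

Added example for the issue above; not part of simonwep/openvpn-pihole.
It understands the short `ports:` syntax docker-compose uses,
[host_ip:][host_port:]container_port[/protocol], including port ranges
and bracketed IPv6 host addresses. The sample mappings below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Container ports Pi-hole serves (DNS and DHCP). Only VPN clients should reach them.
SENSITIVE_PORTS = {53, 67}


@dataclass
class PortMapping:
    host_ip: Optional[str]                 # None = published on every host interface
    host_ports: Optional[Tuple[int, int]]  # (lo, hi), or None when Docker picks a port
    container_ports: Tuple[int, int]       # (lo, hi)
    proto: str                             # "tcp" or "udp"


def _port_range(text: str) -> Tuple[int, int]:
    """Turn "53" or "50-60" into an inclusive (lo, hi) pair."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_port(spec: str) -> PortMapping:
    """Parse one short-form mapping such as "53:53/udp" or "127.0.0.1:53:53/udp"."""
    spec = spec.strip().strip("\"'")
    body, _, proto = spec.partition("/")
    proto = (proto or "tcp").lower()
    host_ip = None
    if body.startswith("["):  # bracketed IPv6 host address, e.g. "[::1]:53:53"
        host_ip, _, body = body[1:].partition("]:")
    parts = body.split(":")
    if len(parts) == 1:
        return PortMapping(host_ip, None, _port_range(parts[0]), proto)
    if len(parts) == 2:
        return PortMapping(host_ip, _port_range(parts[0]), _port_range(parts[1]), proto)
    if len(parts) == 3 and host_ip is None:
        return PortMapping(parts[0], _port_range(parts[1]), _port_range(parts[2]), proto)
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def publishes_to_all_interfaces(mapping: PortMapping) -> bool:
    """True when no host address, or the unspecified address, is given."""
    return mapping.host_ip in (None, "0.0.0.0", "::")


def find_exposed(specs: List[str]) -> List[str]:
    """Return the mappings that publish a sensitive container port to all host interfaces."""
    exposed = []
    for spec in specs:
        mapping = parse_port(spec)
        lo, hi = mapping.container_ports
        if publishes_to_all_interfaces(mapping) and any(lo <= p <= hi for p in SENSITIVE_PORTS):
            exposed.append(spec)
    return exposed


# Constructed sample: the three mappings from the issue, one interface-restricted
# alternative (assumed, not from the project), and an unrelated web port.
SAMPLE_PORTS = ["53:53/tcp", "53:53/udp", "67:67/udp", "127.0.0.1:53:53/udp", "80:80/tcp"]

if __name__ == "__main__":
    for spec in find_exposed(SAMPLE_PORTS):
        print(f"{spec}: reachable from every host interface; bind it to a specific address or drop it")
```

Run against the sample, only the three unrestricted mappings are reported; a mapping with an explicit host address, a port range that does not cover 53 or 67, or an unrelated port passes. The parser deliberately refuses mappings it does not understand rather than silently treating them as safe.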

Generating .ovpn with the same ip

Hi, first of all, I really appreciate the work you have done here.
I'm facing a problem with .ovpn files: every file I generate, despite having a different unique name, always connects with the same IP.

I did update the host in the client configuration. I only changed the remote IP before using this command:

    docker exec openvpn bash /opt/app/bin/genclient.sh <name> <password?>

This is what I get:

root@docker-ubuntu:~# sudo docker exec openvpn bash /opt/app/bin/genclient.sh raddadz-test
Generate client certificate...
Without password...
Using SSL: openssl OpenSSL 1.1.1  11 Sep 2018
Generating a RSA private key
........................................................................+++++
......+++++
writing new private key to '/opt/app/easy-rsa/pki/easy-rsa-26.Ie6cbd/tmp.KImTmr'
-----
./easyrsa: 341: set: Illegal option -o echo
Using SSL: openssl OpenSSL 1.1.1  11 Sep 2018
Using configuration from /opt/app/easy-rsa/pki/easy-rsa-49.6jqTTg/tmp.1yoe0I
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'ChangeMe'
Certificate is to be certified until Dec 22 06:21:36 2022 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
./easyrsa: 341: set: Illegal option -o echo
/opt/app/bin/genclient.sh: line 42: warning: command substitution: ignored null byte in input
Sync pki directory...
Generate .ovpn file...
OpenVPN Client configuration successfully generated!
Checkout <service-name>/clients/raddadz-test.ovpn

There are two lines I think are causing the problem:

    ./easyrsa: 341: set: Illegal option -o echo

and

    commonName :ASN.1 12:'ChangeMe'

I'm still new to OpenVPN and certificate generation, but I looked into this problem, and my results are as follows:

  • I've found the same-IP problem related to using the same client certificate to generate files, and the suggested solution was using ccd files for each client cert. I don't think this is the problem though, since I think this repo uses different client certificates.
  • There are old issues that may be related to this issue, here, which suggest changing #set_var EASYRSA_REQ_CN "ChangeMe" in vars.
  • There is also another issue talking about set: Illegal option -o echo here.
  • Also, changing ;duplicate-cn in server.conf might solve the problem, but I don't think it's the problem, because the generated .ovpn files have different <cert> and <key> values.

I'm not sure what to do as I've tried a couple of solutions and I wasn't able to get different IPs for different clients.
Your guidance will be appreciated.

My environment (if relevant):

  • OS: Ubuntu 20.04.1 LTS
  • Docker version 19.03.12
  • docker-compose version 1.22.0
  • Pi-hole v5.1.2
  • OpenVPN 2.4.4

CN=ChangeMe in the certificate

Hello Simon,
first of all, many thanks for your effort in building this really good app.
I installed it some days ago, and now I would like to set specific rules based on clients' names. I know that for this purpose I need to have the CN field configured.

What I observed is this:

  1. When I create a client profile, it looks like the CN is correctly set up. The following is the output for a test.ovpn:
Generate client certificate...
With password...
Using SSL: openssl OpenSSL 1.1.1  11 Sep 2018
Generating a RSA private key
.......................++++
......................................++++
writing new private key to '/opt/app/easy-rsa/pki/easy-rsa-354.tMEzz9/tmp.tOcYz7'
-----
./easyrsa: 341: set: Illegal option -o echo
Using SSL: openssl OpenSSL 1.1.1  11 Sep 2018
Using configuration from /opt/app/easy-rsa/pki/easy-rsa-377.hkgN63/tmp.5BTZuW
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test'
Certificate is to be certified until Jul 24 07:58:41 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
./easyrsa: 341: set: Illegal option -o echo
Sync pki directory...
Generate .ovpn file...
OpenVPN Client configuration successfully generated!
Checkout openvpn/clients/test.ovpn
  2. The problem: when I query the created certificate, I get this:

    [username@hostname  clients]$ openssl x509 -subject -noout -in test.ovpn 
    subject= /CN=ChangeMe

CN is the default "ChangeMe".

I don't have many skills on the matter, so I don't know how to fix this issue.

Could you help me please in finding a solution?
Thank you.
Bye.
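A check that covers both reports above (the same-IP issue and this one), added here and not part of the openvpn-pihole project: it reads the certificate embedded in each profile's <cert> block and reports profiles whose CN is the easy-rsa placeholder "ChangeMe" or is shared with another profile, since per-client ccd entries and per-client Pi-hole rules both depend on CNs being distinct. It assumes the profiles live in ./clients/*.ovpn (the path is an assumption), that the openssl CLI is installed, and that each <cert> block holds one PEM certificate. One detail worth knowing when running openssl x509 on a whole .ovpn file: it decodes the first PEM certificate it finds, which in a typical profile is the <ca> block, so the script cuts out the <cert> block before decoding.

```shell
#!/bin/sh
# Added example, not part of simonwep/openvpn-pihole: verify that each
# generated client profile embeds a certificate with its own CN.
# Assumes ./clients/*.ovpn (assumed path) with an inline <cert> block,
# and that the openssl CLI is available.

# Pull the CN out of an `openssl x509 -subject` line. Handles both the
# OpenSSL 1.0 form "subject= /CN=test" and the 1.1 form "subject=CN = test".
cn_from_subject() {
    sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Print the CN of the certificate inside the <cert> block of one profile.
# `openssl x509` reads only the first PEM object on its input, and the <ca>
# block usually precedes <cert> in an .ovpn, so the block is cut out first.
profile_cn() {
    sed -n '/<cert>/,/<\/cert>/p' "$1" | sed -e '/<cert>/d' -e '/<\/cert>/d' \
        | openssl x509 -noout -subject 2>/dev/null | cn_from_subject
}

# Read one CN per line on stdin and print those that occur more than once.
duplicate_cns() {
    sort | uniq -d
}

# Walk a clients directory: flag the easy-rsa default "ChangeMe" and any CN
# shared by more than one profile. Returns non-zero if anything was flagged.
check_profiles() {
    dir=${1:-./clients}
    status=0
    tmp=$(mktemp)
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue
        cn=$(profile_cn "$f")
        printf '%s\n' "$cn" >>"$tmp"
        if [ -z "$cn" ]; then
            echo "$f: no certificate CN found"; status=1
        elif [ "$cn" = "ChangeMe" ]; then
            echo "$f: CN is the easy-rsa placeholder 'ChangeMe'"; status=1
        fi
    done
    dups=$(duplicate_cns <"$tmp")
    if [ -n "$dups" ]; then
        printf 'CN shared by more than one profile: %s\n' "$dups"; status=1
    fi
    rm -f "$tmp"
    return $status
}

# Usage: sh check_client_cns.sh [clients-dir]
check_profiles "$@"
```

A profile that passes this check has a CN of its own, which is the precondition for a ccd/<cn> file or a Pi-hole per-client rule to apply to that client alone.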

DHCP not working

DHCP does not fully work when enabling it.
I'd already played with pibox and used it as DHCP (background: my livebox/router does not let me choose the DNS, so I simply turn off DHCP there and activate it in pibox).
I was using pibox separately before, until I found your great solution to combine it with openvpn. I'd like to keep your solution, but I need a working DHCP.

I had the same problem when running a single docker container, and it was fixed by using host mode instead of bridge. But as there are two containers, I don't know how to work around this. My knowledge of docker is limited though, maybe you spot the solution easily.

I was not using docker compose, but adding --net=host was the fix. I learnt how to edit the yml file for docker-compose, but after having found the right place for it, it ends up telling you that you can't combine the option network_mode together with networks.

Glad to help you debug if needed.

Ansible Playbook

Hi,
I'm creating a simple playbook to prepare a VPS configuration: create your own user, install Docker, configure SSH, and finally clone this repo and run docker compose. Let me know if you are interested in it; I can submit a PR soon.
