Hi!
I successfully installed and configured pi-hole and I am able to use it in my local network.
Now I'd like to use it with my mobile devices when I'm away. So I tried to install openvpn. Unluckily I'm not able to use it with my android clients.
My openvpn server is on the same machine where pi-hole is running; its address in my local network is 192.168.1.110
server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/homeserver.crt
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.110"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 6
client.conf
client
dev tun
remote *******.** 1194 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
remote-cert-tls server
key-direction 1
Here's the result when I try to connect with my mobile device. The client connects to the server, but the internet is unreachable.
In the server log I found an error like this
Sun Jun 18 14:11:44 2017 us=888154 client1/X.X.X.X:59350 MULTI: bad source address from client [X.X.X.X], packet dropped
Can anybody help me find what my problem is?
If you need more just ask!
***EDIT***
After some investigation and a good howto linked here by graysky, I finally found a working configuration.
I added the following to /etc/dnsmasq.d/01-pihole-init.conf
interface=tun0
then I changed server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/homeserver.crt
dh /etc/openvpn/server/dh.pem
key /etc/easy-rsa/pki/private/homeserver.key
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
tls-auth /etc/openvpn/server/ta.key 0
user nobody
group nobody
persist-key
persist-tun
verb 6
Finally the client.conf
client
dev tun
proto tcp
remote *******.** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server name
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
#comp-lzo
verb 6
Thanks!
Last edited by thepasto (2017-06-23 07:42:05)
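A small check script, added here as an example and not code from the thread, Pi-hole or OpenVPN, that captures the two diagnostics this thread arrives at: the pushed DNS server must be reachable through a pushed route (or be the server's tunnel address), dnsmasq must be told to listen on the tunnel interface, and a "MULTI: bad source address" line means the client sent traffic from an address outside the tunnel subnet. It assumes the tunnel interface is tun0 (what `dev tun` normally produces) and uses constructed server.conf, dnsmasq and log samples, with a documentation address standing in for the censored one.

```python
import ipaddress
import re

# Constructed samples modelled on the post: the relevant lines of the "before"
# and "after" server.conf, the dnsmasq config (LAN only, then with tun0 added)
# and the dropped-packet log line with a documentation address (203.0.113.5).
SERVER_BEFORE = ('server 10.8.0.0 255.255.255.0\npush "route 192.168.1.0 255.255.255.0"\n'
                 'push "dhcp-option DNS 192.168.1.110"\n')
SERVER_AFTER = 'server 10.8.0.0 255.255.255.0\npush "dhcp-option DNS 10.8.0.1"\n'
DNSMASQ_BEFORE = "interface=eth0\n"
DNSMASQ_AFTER = "interface=eth0\ninterface=tun0\n"
LOG_LINE = ("Sun Jun 18 14:11:44 2017 us=888154 client1/203.0.113.5:59350 "
            "MULTI: bad source address from client [203.0.113.5], packet dropped")

def vpn_subnet(conf):
    """Tunnel subnet from the 'server <net> <mask>' directive."""
    net, mask = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M).groups()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

def pushed_routes(conf):
    """Networks the server pushes to clients, plus the tunnel subnet itself."""
    nets = [vpn_subnet(conf)]
    for net, mask in re.findall(r'^push\s+"route\s+(\S+)\s+(\S+)"', conf, re.M):
        nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets

def pushed_dns(conf):
    m = re.search(r'^push\s+"dhcp-option DNS (\S+)"', conf, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None

def dnsmasq_listens_on(dnsmasq_conf, ifname):
    """With interface= lines present, dnsmasq only answers queries that arrive
    on the named interfaces; with none, it answers on all of them."""
    ifaces = re.findall(r"^interface=(\S+)", dnsmasq_conf, re.M)
    return not ifaces or ifname in ifaces

def pihole_over_vpn_problems(conf, dnsmasq_conf, tun_if="tun0"):
    """Misconfigurations that keep VPN clients from resolving names.
    tun_if is an assumption: 'dev tun' normally yields tun0 on the server."""
    problems = []
    dns = pushed_dns(conf)
    if dns is None:
        problems.append("no 'dhcp-option DNS' pushed to clients")
    elif not any(dns in net for net in pushed_routes(conf)):
        problems.append(f"pushed DNS {dns} is not reachable via any pushed route")
    if not dnsmasq_listens_on(dnsmasq_conf, tun_if):
        problems.append(f"dnsmasq ignores queries on {tun_if}; add interface={tun_if}")
    return problems

def bad_source_outside_tunnel(log_line, conf):
    """For a 'MULTI: bad source address' line, True when the client used an
    address outside the tunnel subnet; None if the line is not that error."""
    m = re.search(r"bad source address from client \[([0-9a-f.:]+)\]", log_line, re.I)
    return None if not m else ipaddress.ip_address(m.group(1)) not in vpn_subnet(conf)
```

Run against the "before" pair it reports only the missing `interface=tun0`, which is exactly the change that made the poster's setup work.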
Arch ARM is a separate distribution, please ask on their boards: https://bbs.archlinux.org/viewtopic.php?id=153431
Closing -- for deletion
Reopened on appeal; apparently runs on other architectures.
I wouldn't touch that with a 10-foot pole. From a quick look, alarm bells start ringing with the install method and keep ringing with what seems to be auto update with a cron job.
That said, you point your vpn clients to the correct dns server and it should work. You'll have to look at how the dns server is configured and make sure it accepts dns requests from the vpn.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
In the server log i found some error like this
Sun Jun 18 14:11:44 2017 us=888154 client1/X.X.X.X:59350 MULTI: bad source address from client [X.X.X.X], packet dropped
I'm guessing the censored address is not a 10.8.x.x address? If I'm right in saying that, then I'd hazard to say that the problem is with your client and its source address selection which isn't something we can help with here most likely.
I wouldn't touch that with a 10-foot pole. From a quick look, alarm bells start ringing with the install method and keep ringing with what seems to be auto update with a cron job.
I use Pi-Hole on my home network (running in a Debian VM) and it's actually quite good, despite the unorthodox install/update methods.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
R00KIE wrote:I wouldn't touch that with a 10-foot pole. From a quick look, alarm bells start ringing with the install method and keep ringing with what seems to be auto update with a cron job.
I use Pi-Hole on my home network (running in a Debian VM) and it's actually quite good, despite the unorthodox install/update methods.
Fair enough. Did you ever investigate where they download the extra/blocked hosts list from?
I do have something similar set up (more basic, only using unbound) but I'm using everything from the repos. I do have some helper scripts I've done myself but those are only for downloading and massaging the hosts list into the proper format.
R00KIE
Fair enough. Did you ever investigate where they download the extra/blocked hosts list from?
EDIT: Here's the full URLs: https://github.com/pi-hole/pi-hole/blob … ts.default
Great! Thanks
I might look at integrating some of those lists with the ones I already use. I do spot one I knew about but don't use, hosts-file.net. If trying to make use of the full list (not just the ad server list) it makes unbound eat more than 1GiB of memory, so let that be a tip for anyone reading this, if your list is big it can use lots of resources.
R00KIE
I'm guessing the censored address is not a 10.8.x.x address? If I'm right in saying that, then I'd hazard to say that the problem is with your client and its source address selection which isn't something we can help with here most likely.
Thanks! Yes it seems so, it's not a 10.8.X.X address.
I wouldn't touch that with a 10-foot pole. From a quick look, alarm bells start ringing with the install method and keep ringing with what seems to be auto update with a cron job.
That said, you point your vpn clients to the correct dns server and it should work. You'll have to look at how the dns server is configured and make sure it accepts dns requests from the vpn.
Thanks! There's an AUR package to install and update.
Anyway I think I set the right configuration on the server side; I am missing something for sure! I will investigate further in the coming days. Thanks again
Thanks for this thread. Pi-hole seems like an interesting project to investigate further.
@op - if you solve your issue, please update the thread with the solution or perhaps start a wiki page.
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Thanks! There's an AUR package to install and update.
That looks good and you really should use it instead of the install script, having scripts messing directly with the system is not a good idea.
R00KIE
@op - does this help: https://discourse.pi-hole.net/t/see-my- … rver/111/3
@graysky Thank you! I finally found a working configuration! I marked this as solved with updated information in the first post!
Thanks again
@op - you probably don't want to edit the original content ... placing new content at the bottom of it showing what you did to fix it is probably more helpful to a reader finding your post in a search. That way, he/she can see your original setup AND the needed fixes.