Qpasa 0 Posted ...

Hiya, I was advised by airvpn team to put my question on the forum so here I am. I'm using w10. Running airvpn only at the moment. Pihole is only used to check against adlists/trackerlist. About pihole and airvpn, both work flawlessly, pihole without vpn and vpn without pihole, but together it's not (yet) working. Mainly because I have basic networking skills, am new to linux & I could use some help.

Must have been too fast... well, I've given up for now. Maybe I'll try later again.
phlogiston 1 Posted ...

I am working on this issue as well. I use pi-hole on a raspberry pi to block ads to my network. I also use AirVPN and want my DNS to be handled by airvpn, not by direct connection to google DNS server. At the moment, my pi-hole server is down so that I can reconfigure it to operate with VPN. There are multiple possible solutions, and I'm going to try some things out today and report back.

This already would sound complex if you are new to networking but here's the issue:

On my computer connection right now, a web connection would look like this: In order to go to www.google.ca, I would need to first get the IP address of google.ca through DNS. I want this to go through the VPN ( tun0 ), not through my local ISP. Here is a simplified diagram, in which connections that are encrypted by openVPN format are enclosed in brackets "[[ ]]".

    Browser <-----------------------
    |
    |[Eddie application]
    |
    |
    |[[ AirVPN DNS (this address is shown on stats in eddie -- it is 10.4.0.1 in my case) ]]
    |[[ tun0 ]]
    |[[Router / DSL]]
    | [[ my ISP ]]
    |[[OpenVPN Server]]
    |internet

Above, my traffic is encrypted before it leaves my computer, and, thus, is private until it leaves openVPN server. Also, DNS is being provided through VPN, so that loop back to my OS and browser where the physical IP is served is private.

BUT, my default pihole configuration looks like this:

    Pihole ---> ISP ----> Public DNS (usually google 8.8.8.8)

This is not private, and does not go through the VPN. The problem is, if I want pihole DNS ad blocking, I need to use pihole as my DNS server. The path to get DNS would look like this:

    Browser <--
    |
    |[Eddie]
    |
    |
    |Pihole DNS <------> ISP <-----> Public DNS server

My internet traffic is still encrypted until it reaches the OpenVPN server, but my request to get the IP address of google.ca is not. Not only that, but the eddie application wants to keep things private by preventing a DNS leak like this.
The results can vary, but the best case scenario is that browsing is encrypted, but all the DNS requests are not. This is a DNS leak. My ISP and the internet know every IP address I access and can connect this to me and my location.

I am going to try a couple setups, but the most common sense idea would be to run airVPN on the router that connects my network to the ISP. I can do this with DD-WRT, Tomato, etc. If my pihole is behind this router, it can get DNS through VPN and my computer can then get DNS from the pihole. There are other options, like running openVPN on the pi, SSH tunnel for pihole application, and more.

I'll admit that I am confused too, but maybe by writing my ideas out either I can help, or someone more knowledgeable can jump in and help us out.

Regards
phlogiston 1 Posted ...

Okay, got pihole working on my whole network with airVPN. I tried out a few options. I did not have success with my dd-wrt router (whoops, I bricked it). BUT, I found a good solution by setting up airvpn in the pi:

I will assume you already have pihole installed and working.

Now to use pihole with airVPN:

First, you need to update repos and upgrade packages:

    sudo apt-get update && sudo apt-get upgrade

Then install openvpn and stunnel:

    sudo apt-get install openvpn stunnel

Reboot the Raspberry PI -- this is important, as the openvpn will not work until the Pi is rebooted (error states it can't find /dev/tun):

    sudo reboot

Now that you have openvpn and stunnel ready to go, we need an AirVPN config.

Use the airVPN config generator (in client area) to make a .ovpn file.
Choose RPI as your system, your server preference, and UDP (no proxy in my case).
I placed this file in my home directory on the PI.

We still need to do 2 things: make openvpn use DNS through airVPN, and make pihole use this private DNS server too.

1. Resolve DNS through openVPN:

I am using the script which is used by the eddie-cli portable program for Pi. Download eddie from airVPN. Choose linux, ARM, portable, command line.

    tar -zxf ./eddie-cli_2.11.15_linux_arm7l_portable.tar.gz

From the directory that is unpacked, we need to make the script executable and copy the update-resolv-conf script to a place where openVPN can use it:

    sudo chmod +x ./update-resolv-conf
    sudo cp ./update-resolv-conf /etc/openvpn/

This script will change the DNS server the Pi and pihole use to the airVPN private DNS (hooray, no DNS leaks).

2. Reconfigure pihole to use the VPN

Pihole is set up to use google DNS by default. We need to change this, so it uses airVPN DNS.
Edit pihole's upstream DNS configuration:

    cp /etc/dnsmasq.d/01-pihole.conf ~/01-pihole.conf.old   # save a backup just in case
    sudo nano /etc/dnsmasq.d/01-pihole.conf

In this file, we change the line that reads "no-resolv" to "resolv-file=/etc/ppp/resolv.conf".

Then, comment out the "server=8.8.8.8" and similar lines to disable usage of upstream google DNS via eth0.

My file looks like this:

    address=/pi.hole/192.168.0.101
    address=/pi.hole/fe80::4c9c:a4fc:d7b8:7d62
    address=/officehole/192.168.0.101
    address=/officehole/fe80::4c9c:a4fc:d7b8:7d62
    addn-hosts=/etc/pihole/gravity.list
    domain-needed
    bogus-priv
    resolv-file=/etc/ppp/resolv.conf
    #server=8.8.8.8
    #server=8.8.4.4
    interface=eth0
    cache-size=10000
    log-queries
    log-facility=/var/log/pihole.log
    local-ttl=300
    log-async
    address=/pi.hole/192.168.0.101

Restart dnsmasq.d:

    sudo pihole restartdns

FINALLY, we can start openVPN with proper DNS and pihole all working together:

    sudo openvpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --config ~/< your airVPN .ovpn config file >

This starts openVPN for the Pi, resolves the VPN DNS, and uses the ovpn file to connect to the server and go!

Lastly, test this by visiting ipleak.net -- your DNS IP shown should match the airVPN server IP and location. Do this on another computer which is also connected to airVPN.

I did this on a Raspberry Pi B+. I have also gotten eddie-cli to work on a Pi 3, but not a B+. openvpn is simple and works well here, with little overhead. I might make some scripts of the command above to restart if VPN disconnects, etc. On my PI, DNS does not revert to a public DNS server if openvpn stops. This way, pihole won't use anything except private DNS.

FYI now any traffic coming from your PI should go through the VPN, not just pihole. I think I will add a wireless access point to this pi so my wife can occasionally connect via VPN through this PI if she needs to.
It could also be used as a sort of ad-blocker and VPN router "to-go". Lots of possibilities.

Finally, you can put a script that invokes the command above in /etc/init.d if you want to launch the VPN at startup. Make sure it launches before pihole starts, though, so that the DNS is right.

Have fun.
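A check for the configuration step in the post above, as an added example that is not part of the thread: it lists every resolver a dnsmasq/Pi-hole config would use besides the VPN one. The function names are hypothetical, 10.4.0.1 is the AirVPN DNS address quoted in the post, and the sample files are constructed on the model of the 01-pihole.conf shown there.

```sh
#!/bin/sh
# Added example, not from the thread: flag dnsmasq upstreams other than the VPN resolver.

# Print the value of every active (uncommented) server= line in CONF ($1).
# A per-domain form such as server=/lan/192.168.0.1 is printed whole, so it is flagged.
active_upstreams() {
    sed -n 's/^[[:space:]]*server=\([^#[:space:]]*\).*/\1/p' "$1"
}

# Print the path from the last active resolv-file= line in CONF ($1), if any.
resolv_file_of() {
    sed -n 's/^[[:space:]]*resolv-file=\([^#[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# audit_upstreams CONF VPN_DNS
# Prints one line per resolver that is not VPN_DNS; returns 1 if any was found.
audit_upstreams() {
    conf=$1; vpn_dns=$2; bad=0
    for s in $(active_upstreams "$conf"); do
        [ "$s" = "$vpn_dns" ] || { echo "non-VPN upstream: server=$s"; bad=1; }
    done
    rf=$(resolv_file_of "$conf")
    if [ -n "$rf" ] && [ -r "$rf" ]; then
        for ns in $(awk '$1 == "nameserver" { print $2 }' "$rf"); do
            [ "$ns" = "$vpn_dns" ] || { echo "non-VPN nameserver in resolv-file: $ns"; bad=1; }
        done
    fi
    return $bad
}

# Constructed sample modelled on the 01-pihole.conf in the post, with one
# Google upstream left active and a stale public nameserver in the resolv-file.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'nameserver 10.4.0.1\nnameserver 8.8.8.8\n' > "$tmp/resolv.conf"
    printf '%s\n' 'domain-needed' 'bogus-priv' "resolv-file=$tmp/resolv.conf" \
        '#server=8.8.8.8' 'server=8.8.4.4' 'interface=eth0' > "$tmp/01-pihole.conf"
    audit_upstreams "$tmp/01-pihole.conf" 10.4.0.1 && rc=0 || rc=1
    rm -rf "$tmp"
    return $rc
}

demo || echo "audit failed: Pi-hole would query resolvers outside the VPN"
```

On the Pi itself the call would be audit_upstreams /etc/dnsmasq.d/01-pihole.conf 10.4.0.1, run after the tunnel is up so the resolv-file has been rewritten.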
phlogiston 1 Posted ...

If you want to use pihole with your other computers running VPN, don't forget to change your DNS settings in airVPN client to use the pihole DNS server. Otherwise, you will get ads.
phlogiston 1 Posted ...

Slight modification needed:

With the above openvpn setup on PI, it will not start vpn on boot properly, and openresolv is likely to change nameserver in resolv.conf and leave you without DNS. openresolv is used by pihole software, and I don't quite understand how their optimal setup is.

Here is the workaround:

We make a script that starts openvpn in the background and connects to AirVPN.

dependencies: openvpn stunnel screen (apt-get these if needed)

    sudo nano start_vpn.sh

Then make a script like the following:

    #!/bin/bash
    # this script connects openvpn to airVPN if you also run pihole on this raspberry pi

    # replace resolv.conf with a temporary resolv.conf which uses a public DNS
    # this is necessary to bypass the local DNS server, which will not serve DNS unless VPN is connected
    cp /home/pi/resolv.conf.temp /etc/resolv.conf

    # start openvpn and push DNS using --up and --down script update-resolv-conf
    screen -dm openvpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --config /home/pi/AirVPN_America_UDP-443.ovpn

    # uncomment this line if there are problems with dnsmasq after boot. not needed unless there's a problem
    #pihole restartdns

    # display the name of the screen session
    # can attach the screen session to see the openvpn console for troubleshooting by running screen -r
    screen -ls

Create a temporary resolv.conf that lets openvpn have DNS via google to connect to airVPN. This will only be used to connect initially, and will then be replaced by airVPN DNS so there is not a DNS leak. That's what the --up script does.
In addition pihole software should be configured to use upstream DNS 10.4.0.1 (the airVPN DNS server).

    nano resolv.conf.temp

This file should contain the nameserver, and is a simple one line file:

    nameserver 8.8.8.8

Make the start_vpn.sh script executable and give it root privileges:

    sudo chmod 755 /etc/init.d/start_vpn.sh

Copy to /etc/init.d:

    sudo cp start_vpn.sh /etc/init.d/

Register the script with rc.d so it gets run at boot:

    sudo update-rc.d start_vpn.sh defaults

You can test the script by running it with sudo. Check ipleak.net to see you don't have DNS leaks. Also, this script will run on boot.

If you have DNS leaks make sure your VPN DNS server is configured in pihole. For Airvpn, /etc/dnsmasq.d/01-pihole.conf should have nameserver=10.4.0.1 (do not have any other nameservers, like 8.8.8.8 if you don't want a DNS leak). Also change /etc/pihole/setupVars.conf to have nameserver=10.4.0.1 as well. This will prevent pihole from changing the DNS when it is upgraded.

On another computer using pihole as its DNS server, you can check the ad block and also try ipleak.net with and without VPN connected on this computer.

This works excellently for me and is my best solution for Pi B+. I love using pihole. The DNS caching and ad blocker makes my internet a lot faster. It also blocks ads for all clients on my LAN, regardless of whether someone is running airVPN or not.
MonkeyBanannaPoopFace 0 Posted ...

If I do only this portion will I get network wide Pi-hole blocking while using AirVPN? I have no need for openvpn to be running on my pihole as it is only used by me to VPN into my own house.
phlogiston 1 Posted ...

The issue with Pi-Hole is that it must be behind your VPN, otherwise it will leak your DNS like crazy. So, if your router runs airVPN and the pihole is behind the router you are okay.

If you run eddie on your computer, but use pihole on your network, you have two choices:

a). Do not use pi-hole when connected to VPN (use default setting in eddie) -- you will get ads.
b). Keep the Pi running pi-hole running through VPN continuously so you can use pi-hole and not leak DNS.

Update: I have found that eddie for mono and linux will now work on Raspberry Pi 3. This would be an easier solution if you have a pi3 than setting up openvpn. You could also use the pi itself as an access point - many tutorials for Tor access points (substitute AirVPN for the Tor client and it'll be a VPN access point). I have not done this yet, but may try it as my next solution.

There are many many ways to set up a local network and VPN, this is just my "hacked together solution" for the moment, but it does work, and does not leak DNS. There is probably an easier way, though...
mannticleer 1 Posted ...

phlogiston,

Sorry to necro this thread. I just installed pihole, and have what I hope is a basic question.

I'm in the situation you describe in your last post as, "you are okay": I have airvpn setup in my router, so every device on my network uses the vpn. I'm using the airvpn's server IP for DNS (per these instructions).

So, now that I have a pihole on my network that's behind the router/airvpn, what's the best way to get this working on my network? I'm hoping to retain this airvpn-in-my-router setup, so I'm guessing I wouldn't be touching the DNS in the router... But I dunno. I'm confused.

All I've done so far is install pihole. I haven't even looked at the settings/admin. Perhaps I should start there...
wbynum 3 Posted ...

In Pi-hole you want to point the DNS it uses to your router (i.e. 192.168.1.1). Then both the Pi-hole connectivity and Pi-hole DNS queries will route through the VPN connection on your router. If you are only connecting to the VPN through the router, then all you have to do is point your client ipv4 DNS server entry to the Pi-Hole IP. If you end up using Eddie and are in Windows, you point the DNS entry in Eddie to the Pi-Hole.

The following worked for me:

BIG NOTE: If you are using an off the shelf router, it will severely limit your VPN connection speeds. The CPUs in off the shelf routers are not powerful enough to do the OpenVPN encoding/decoding. What I end up doing is setting up the VPN on my router, but then whitelisting the PCs behind my router that I want to run the VPN connectivity separately. That way I am not hit with the speed issue on my normal PCs, while still having VPN connectivity for those clients that don't run Eddie/OpenVPN software.
mannticleer 1 Posted ...

Oh awesome. Thank you. I changed the DNS on my router from 10.6.0.1 to my pi. Very easy. I had forgotten that I was pointing to the airvpn server IP in the VPN section of the router settings, and not in that DNS section... I was overthinking it.

My router is a BUFFALO AirStation HighPower N600 Gigabit Dual Band Wireless Router WZR-600DHP. I haven't noticed limited connection speeds, but I haven't done a proper test.
wbynum 3 Posted ...

If you are pointing your router DNS entry to Pi-hole then it would seem like you would be leaking DNS. Basically PC -> Router -> Pi-Hole -> Google DNS.

Admittedly, I have never understood why it is a DNS leak to use a non-VPN DNS server if the DNS requests are going through the VPN connection.
Staff 10014 Posted ...

"Admittedly, I have never understood why it is a DNS leak to use a non-VPN DNS server if the DNS requests are going through the VPN connection."

Hello!

Actually it's not a leak, as long as DNS queries are tunneled.

The whole concept of "DNS leaks", i.e. queries sent out in clear text through the gateway of some interface that's not the tun interface, was born because of systems which did not have a proper DNS implementation, typically the whole Windows line which lacked and lacks a global DNS.

Kind regards
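The distinction in the reply above, as an added example that is not part of the thread: what decides a leak is the interface a resolver's traffic leaves by, not who operates the resolver. The function names are hypothetical, tun0 and the 10.4.0.1 and 8.8.8.8 addresses come from earlier posts, and the route table is constructed in the format printed by ip route get.

```sh
#!/bin/sh
# Added example, not from the thread: which interface does each DNS upstream leave by?

# Route lookup command. The constructed table below stands in for `ip route get`
# so the example runs offline; set ROUTE_CMD="ip route get" on the machine with the tunnel.
ROUTE_CMD=${ROUTE_CMD:-sample_route}

# Constructed `ip route get` output for a host with eth0 and an OpenVPN tun0.
sample_route() {
    case $1 in
        10.4.0.1)    echo "10.4.0.1 dev tun0 src 10.4.0.5 uid 0" ;;
        8.8.8.8)     echo "8.8.8.8 via 10.4.0.1 dev tun0 src 10.4.0.5 uid 0" ;;
        192.168.0.1) echo "192.168.0.1 dev eth0 src 192.168.0.101 uid 0" ;;
    esac
}

# Print the device named after "dev" in the route lookup for address $1.
egress_dev() {
    $ROUTE_CMD "$1" 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_dns_egress TUN_IF ADDR...
# Prints TUNNELED or CLEAR for each resolver address; returns 1 if any is CLEAR.
check_dns_egress() {
    tun=$1; shift; rc=0
    for ns in "$@"; do
        dev=$(egress_dev "$ns")
        if [ "$dev" = "$tun" ]; then
            echo "TUNNELED $ns dev $dev"
        else
            echo "CLEAR    $ns dev ${dev:-none}"
            rc=1
        fi
    done
    return $rc
}

# A public resolver routed into tun0 passes; the on-link LAN router does not.
check_dns_egress tun0 10.4.0.1 8.8.8.8 192.168.0.1 || echo "at least one resolver bypasses tun0"
```

A resolver reported as CLEAR is only a leak if that next hop is not itself behind the VPN, which is the router-runs-the-VPN case discussed earlier in the thread.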