
Hiya

 

I was advised by airvpn team to put my question on the forum so here I am. I'm using w10. Running airvpn only at the moment. Pihole is only used to check against adlists/trackerlist. About pihole and airvpn, both work flawlessly, pihole without vpn and vpn without pihole but together it's not (yet) working. Mainly because I have basic networking skills, am new to linux & I could use some help.

 

Must have been too fast... well, I've given up for now. Maybe I'll try later again.



Link to post

I am working on this issue as well. I use pi-hole on a raspberry pi to block ads to my network. I also use AirVPN and want my DNS to be handled by airvpn, not by direct connection to google DNS server. At the moment, my pi-hole server is down so that I can reconfigure it to operate with VPN. 

 

There are multiple possible solutions, and I'm going to try some things out today and report back.

 

This already would sound complex if you are new to networking but here's the issue:

 

On my computer connection right now, a web connection would look like this:

 

In order to go to www.google.ca, I would need to first get the IP address of google.ca through DNS. I want this to go through the VPN ( tun0 ), not through my local ISP. Here is a simplified diagram, in which connections that are encrypted by openVPN format are enclosed in brackets "[[   ]]".

 

Browser      <-----------------------
   |                                |
[Eddie application]                 |
   |                                |
[[ AirVPN DNS (this address is shown on stats in eddie -- it is 10.4.0.1 in my case) ]]
   |
[[ tun0 ]]
   |
[[Router / DSL]]
   |
[[ my ISP ]]
   |
[[OpenVPN Server]]
   |
internet

 

Above, my traffic is encrypted before it leaves my computer, and, thus, is private until it leaves openVPN server. Also, DNS is being provided through VPN, so that loop back to my OS and browser where the physical IP is served is private.

 

BUT, my default pihole configuration looks like this:

 

Pihole ---> ISP ----> Public DNS (usually google 8.8.8.8) 

 

This is not private, and does not go through the VPN. 

 

The problem is, if I want pihole DNS ad blocking, I need to use pihole as my DNS server. The path to get DNS would look like this:

 

Browser   <--
   |        |
[Eddie]     |
   |        |
Pihole DNS   <------> ISP <-----> Public DNS server

 

My internet traffic is still encrypted until it reaches the OpenVPN server, but my request to get the IP address of google.ca is not. Not only that, but the eddie application wants to keep things private by preventing a DNS leak like this. The results can vary, but the best case scenario is that browsing is encrypted, but all the DNS requests are not. This is a DNS leak. My ISP and the internet know every IP address I access and can connect this to me and my location. 

 

I am going to try a couple setups, but the most common sense idea would be to run airVPN on the router that connects my network to the ISP. I can do this with DD-WRT, Tomato, etc. If my pihole is behind this router, it can get DNS through VPN and my computer can then get DNS from the pihole. 

 

There are other options, like running openVPN on the pi, SSH tunnel for pihole application, and more. I'll admit that I am confused too, but maybe by writing my ideas out either I can help, or someone more knowledgeable can jump in and help us out. 

 

Regards

 

 

 



Link to post

Okay, got pihole working on my whole network with airVPN. 

 

I tried out a few options. I did not have success with my dd-wrt router (whoops, I bricked it). BUT, I found a good solution by setting up airvpn in the pi:

 

I will assume you already have pihole installed and working

 

Now to use pihole with airVPN:

 

First, you need to update repos and upgrade packages:

 

sudo apt-get update && sudo apt-get upgrade 

Then install openvpn and stunnel 

sudo apt-get install openvpn stunnel 

Reboot the Raspberry PI -- this is important, as the openvpn will not work until the Pi is rebooted (error states it can't find /dev/tun)

sudo reboot

Now that you have openvpn and stunnel ready to go, we need an AirVPN config

 

Use the airVPN config generator (in client area) to make a .ovpn file 

 

Choose RPI as your system, your server preference, and UDP (no proxy in my case)

 

I placed this file in my home directory on the PI

 

We still need to do 2 things: make openvpn use DNS through airVPN, and make pihole use this private DNS server too

 

1. Resolve DNS through openVPN:

 

I am using the script which is used by the eddie-cli portable program for Pi. Download eddie from airVPN. Choose linux, ARM, portable, command line. 

 

tar -zxvf ./eddie-cli_2.11.15_linux_arm7l_portable.tar.gz

From the directory that is unpacked, we need to make the script executable and copy the update-resolv-conf script to a place where openVPN can use it

sudo chmod +x ./update-resolv-conf
sudo cp ./update-resolv-conf /etc/openvpn/

This script will change the DNS server the Pi and pihole use to the airVPN private DNS (hooray, no DNS leaks).

 

2. Reconfigure pihole to use the VPN

 

Pihole is set up to use google DNS by default. We need to change this, so it uses airVPN DNS. 

 

Edit pihole's upstream DNS configuration

 

cp /etc/dnsmasq.d/01-pihole.conf ~/01-pihole.conf.old #save a backup just in case
sudo nano /etc/dnsmasq.d/01-pihole.conf

In this file, we change the line that reads "no-resolv" to "resolv-file=/etc/ppp/resolv.conf"

Then, comment out the "server=8.8.8.8" and similar lines to disable usage of upstream google DNS via eth0

My file looks like this:

address=/pi.hole/192.168.0.101
address=/pi.hole/fe80::4c9c:a4fc:d7b8:7d62

address=/officehole/192.168.0.101
address=/officehole/fe80::4c9c:a4fc:d7b8:7d62

addn-hosts=/etc/pihole/gravity.list

domain-needed

bogus-priv

resolv-file=/etc/ppp/resolv.conf

#server=8.8.8.8
#server=8.8.4.4

interface=eth0

cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=300

log-async

restart dnsmasq.d :

sudo pihole restartdns 

 

FINALLY, we can start openVPN with proper DNS and pihole all working together:

 

sudo openvpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --config ~/< your airVPN .ovpn config file > 

This starts openVPN for the Pi, resolves the VPN DNS, and uses the ovpn file to connect to the server and go!

 

Lastly, test this by visiting ipleak.net -- your DNS IP shown should match the airVPN server IP and location. Do this on another computer which is also connected to airVPN.

 

I did this on a Raspberry Pi B+. I have also gotten eddie-cli to work on a Pi 3, but not a B+. openvpn is simple and works well here, with little overhead. I might make some scripts of the command above to restart if VPN disconnects, etc. On my PI, DNS does not revert to a public DNS server if openvpn stops. This way, pihole won't use anything except private DNS. 

 

FYI now any traffic coming from your PI should go through the VPN, not just pihole. I think I will add a wireless access point to this pi so my wife can occasionally connect via VPN through this PI if she needs to. It could also be used as a sort of ad-blocker and VPN router "to-go". Lots of possibilities.

 

Finally, you can put a script that invokes the command above in /etc/init.d if you want to launch the VPN at startup. Make sure it launches before pihole starts, though, so that the DNS is right.

 

Have fun. 



Link to post

If you want to use pihole with your other computers running VPN, don't forget to change your DNS settings in airVPN client to use the pihole DNS server. Otherwise, you will get ads.



Link to post

Slight modification needed:

 

With the above openvpn setup on PI, it will not start vpn on boot properly, and openresolv is likely to change nameserver in resolv.conf and leave you without DNS. openresolv is used by pihole software, and I don't quite understand how their optimal setup is. 

 

Here is the workaround:

 

We make a script that starts openvpn in the background and connects to AirVPN

 

dependencies: openvpn stunnel screen (apt-get these if needed)

sudo nano start_vpn.sh

Then make a script like the following:

#!/bin/bash
# this script connects openvpn to airVPN if you also run pihole on this raspberry pi 

#replace resolv.conf with a temporary resolv.conf which uses a public DNS
#this is necessary to bypass the local DNS server, which will not serve DNS unless VPN is connected
cp /home/pi/resolv.conf.temp /etc/resolv.conf

#start openvpn and push DNS using --up and --down script update-resolv-conf
screen -dm openvpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --config /home/pi/AirVPN_America_UDP-443.ovpn

#uncomment this line if there are problems with dnsmasq after boot. not needed unless there's a problem
#pihole restartdns

#display the name of the screen session
#can attach the screen session to see the openvpn console for troubleshooting by running screen -r
screen -ls

Create a temporary resolv.conf that lets openvpn have DNS via google to connect to airVPN. This will only be used to connect initially, and will then be replaced by airVPN DNS so there is not a DNS leak. That's what the --up script does. In addition pihole software should be configured to use upstream DNS 10.4.0.1 (the airVPN DNS server)

nano resolv.conf.temp

 

This file should contain the nameserver, and is a simple one line file:

nameserver 8.8.8.8

Make the start_vpn.sh script executable and give it root privileges

sudo chmod 755 start_vpn.sh

Copy to /etc/init.d

sudo cp start_vpn.sh /etc/init.d/

Register the script with rc.d so it gets run at boot

sudo update-rc.d start_vpn.sh defaults

 

You can test the script by running it with sudo. Check ipleak.net to see you don't have DNS leaks.

 

Also, this script will run on boot

 

If you have DNS leaks make sure your VPN DNS server is configured in pihole. For Airvpn, /etc/dnsmasq.d/01-pihole.conf should have nameserver=10.4.0.1 (do not have any other nameservers, like 8.8.8.8 if you don't want a DNS leak). 

 

Also change /etc/pihole/setupVars.conf to have nameserver=10.4.0.1 as well. This will prevent pihole from changing the DNS when it is upgraded.

 

On another computer using pihole as its DNS server, you can check the ad block and also try ipleak.net with and without VPN connected on this computer. 

 

This works excellently for me and is my best solution for Pi B+. 

 

I love using pihole. The DNS caching and ad blocker makes my internet a lot faster. It also blocks ads for all clients on my LAN, regardless of whether someone is running airVPN or not.

 




Link to post
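The two posts above depend on dnsmasq only ever seeing the VPN DNS address, through the resolv-file=/server= lines in 01-pihole.conf and through the resolv file that the --up script rewrites. The following is an added example, not part of the thread, that lists every upstream resolver such a config can use and flags any that is not the VPN DNS; the function names and sample file contents are constructed, and 10.4.0.1 is the AirVPN DNS address quoted in the posts.

```shell
#!/bin/bash
# Added example, not from the thread. Sample file contents are constructed.

# list_upstreams CONF [DEFAULT_RESOLV]
# Prints every upstream resolver dnsmasq would use with this config:
#   - active "server=" lines (commented-out ones are ignored)
#   - "nameserver" lines from each resolv-file= target, or from DEFAULT_RESOLV
#     when the config has neither resolv-file= nor no-resolv
list_upstreams() {
    conf=$1
    resolv=${2:-/etc/resolv.conf}
    awk -F= '$1 ~ /^[ \t]*server$/ {
        v = $2; sub(/.*\//, "", v); sub(/[#@ \t].*/, "", v)
        if (v != "") print v
    }' "$conf"
    if grep -Eq '^[[:space:]]*no-resolv' "$conf"; then
        return 0    # dnsmasq reads no resolv file at all
    fi
    rfs=$(sed -n 's/^[[:space:]]*resolv-file=//p' "$conf")
    [ -n "$rfs" ] || rfs=$resolv
    for f in $rfs; do
        [ -r "$f" ] && awk '$1 == "nameserver" { print $2 }' "$f"
    done
    return 0
}

# leaky_upstreams CONF VPN_DNS [DEFAULT_RESOLV]
# Prints each upstream that is not VPN_DNS and returns 1 if any exist.
leaky_upstreams() {
    bad=$(list_upstreams "$1" "${3:-/etc/resolv.conf}" | grep -vxF "$2" | sort -u)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

demo() {
    d=$(mktemp -d)
    printf 'nameserver 10.4.0.1\n' > "$d/resolv.vpn"    # after the --up script ran
    printf 'nameserver 8.8.8.8\n'  > "$d/resolv.boot"   # boot-time temporary file
    cat > "$d/01-pihole.conf" <<EOF
domain-needed
bogus-priv
resolv-file=$d/resolv.vpn
#server=8.8.8.8
#server=8.8.4.4
interface=eth0
EOF
    if leaky_upstreams "$d/01-pihole.conf" 10.4.0.1; then
        echo "OK: only the VPN DNS is configured"
    fi
    # Same config, but the resolv file still holds the boot-time public DNS
    sed 's|resolv.vpn|resolv.boot|' "$d/01-pihole.conf" > "$d/boot.conf"
    leaky_upstreams "$d/boot.conf" 10.4.0.1 || echo "^ non-VPN upstream found"
    rm -rf "$d"
}
demo
```

On the Pi itself the call would be `leaky_upstreams /etc/dnsmasq.d/01-pihole.conf 10.4.0.1`, run once the tunnel is up.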

If I do only this portion will I get network wide Pi-hole blocking while using AirVPN?  I have no need for openvpn to be running on my pihole as it is only used by me to VPN into my own house.

 

 



Link to post

The issue with Pi-Hole is that it must be behind your VPN, otherwise it will leak your DNS like crazy. 

 

So, if your router runs airVPN and the pihole is behind the router you are okay. If you run eddie on your computer, but use pihole on your network, you have two choices:

 

a). Do not use pi-hole when connected to VPN (use default setting in eddie) -- you will get ads

b). Keep the Pi running pi-hole running through VPN continuously so you can use pi-hole and not leak DNS.

 

Update: I have found that eddie for mono and linux will now work on Raspberry Pi 3. This would be an easier solution if you have a pi3 than setting up openvpn. You could also use the pi itself as an access point - many tutorials for Tor access points (substitute AirVPN for the Tor client and it'll be a VPN access point). I have not done this yet, but may try it as my next solution.

 

There are many many ways to set up a local network and VPN, this is just my "hacked together solution" for the moment, but it does work, and does not leak DNS. There is probably an easier way, though... 



Link to post

phlogiston, Sorry to necro this thread. I just installed pihole, and have what I hope is a basic question. I'm in the situation you describe in your last post as, "you are okay": I have airvpn setup in my router, so every device on my network uses the vpn. I'm using the airvpn's server IP for DNS (per these instructions).

 

So, now that I have a pihole on my network that's behind the router/airvpn, what's the best way to get this working on my network? I'm hoping to retain this airvpn-in-my-router setup, so I'm guessing I wouldn't be touching the DNS in the router... But I dunno. I'm confused.

 

All I've done so far is install pihole. I haven't even looked at the settings/admin. Perhaps I should start there...



Link to post


 

In Pi-hole you want to point the DNS it uses to your router (i.e. 192.168.1.1). Then both the Pi-hole connectivity and Pi-hole DNS queries will route through the VPN connection on your router.

 

If you are only connecting to the VPN through the router, then all you have to do is point your client ipv4 DNS server entry to the Pi-Hole IP. If you end up using Eddie and are in Windows, you point the DNS entry in Eddie to the Pi-Hole. The following worked for me:

 

[image: ez7SnKB.jpg]

 

BIG NOTE: If you are using an off the shelf router, it will severely limit your VPN connection speeds. The CPUs in off the shelf routers are not powerful enough to do the OpenVPN encoding/decoding. What I end up doing is setting up the VPN on my router, but then whitelisting the PCs behind my router that I want to run the VPN connectivity separately. That way I am not hit with the speed issue on my normal PCs, while still having VPN connectivity for those clients that don't run Eddie/OpenVPN software.



Link to post

Oh awesome. Thank you.

 

I changed the DNS on my router from 10.6.0.1 to my pi. Very easy. I had forgotten that I was pointing to the airvpn server IP in the VPN section of the router settings, and not in that DNS section... I was overthinking it.

 

My router is a BUFFALO AirStation HighPower N600 Gigabit Dual Band Wireless Router WZR-600DHP. I haven't noticed limited connection speeds, but I haven't done a proper test.



Link to post


 

If you are pointing your router DNS entry to Pi-hole then it would seem like you would be leaking DNS. Basically PC -> Router -> Pi-Hole -> Google DNS.

 

Admittedly, I have never understood why it is a DNS leak to use a non-VPN DNS server if the DNS requests are going through the VPN connection.



Link to post


 

Hello!

 

Actually it's not a leak, as long as DNS queries are tunneled. The whole concept of "DNS leaks", i.e. queries sent out in clear text through the gateway of some interface that's not the tun interface, was born because of systems which did not have a proper DNS implementation, typically the whole Windows line which lacked and lacks a global DNS.

 

Kind regards
