Differences

This shows you the differences between two versions of the page.

--- unraid:virtual:openvpnu16.04 [2021/07/21 20:30] – [Install to Virtual Machine] dirk
+++ unraid:virtual:openvpnu16.04 [2025/04/19 15:13] (current) – [Install OpenVPN and IpTables] dirk
@@ Line 1: / Line 1: @@
 ====== Install OpenVPN virtual router on Ubuntu 16.04 LTS as Unraid Virtual Machine ======
-This will guide you through the setup of an OpenVPN virtual router on an installation of [[Ubuntu 20.04 LTS]] as an Unraid Virtual Machine.
+This will guide you through the setup of an OpenVPN virtual router on an installation of [[Ubuntu 16.04 LTS]] as an Unraid Virtual Machine.
 ===== VM Settings =====
   * Autostart: Yes
@@ Line 37: / Line 37: @@
   * Server: vpn
   * User Name: dirk
-  * Finish installing. I added OpenSSH server.
+  * Finish installing.
 ===== Setup =====
@@ Line 65: / Line 65: @@
 <code>sudo reboot -h now</code>
-==== Install Pi-hole ====
+==== Set Static IP ====
-<code>curl -sSL https://install.pi-hole.net | bash</code>
+<code>sudo vim /etc/network/interfaces</code>
-  * Select Google (we will remove it later)
+change the bottom to read:
-  * Ok to default "StevenBlock"
+<code>auto enp1s0
-  * Ok to IPv4 and IPv6
+iface enp1s0 inet static
-  * Yes to Static
+        address 192.168.1.99
-  * Yes to Web Admin Interface
+        netmask 255.255.255.0
-  * Yes to Web Server
+        gateway 192.168.1.1
-  * Yes to queries
+        dns-nameservers 208.67.222.222 208.67.220.220</code>
-  * Show everything
-  * Change password <code> pihole -a -p password</code>
+==== Install OpenVPN and IpTables ====
+<code>sudo apt-get install openvpn</code>
+<code>sudo apt-get install iptables-persistent</code>
+  * click yes to both prompts on iptables install
-==== Install Unbound ====
+=== Setup ===
-<code>sudo apt-get install unbound</code>
-  * write config file
-<code>sudo vim /etc/unbound/unbound.conf.d/pi-hole.conf</code>
-<code>server:
-    # If no logfile is specified, syslog is used
-    # logfile: "/var/log/unbound/unbound.log"
-    verbosity: 0
-    interface: 127.0.0.1
+  * Upload OpenVPN config files to home directory.
-    port: 5335
+  * Copy boston.ovpn file to /etc/openvpn/boston.conf
-    do-ip4: yes
+  * create text file /etc/openvpn/vpnauth.txt
-    do-udp: yes
+    * put username on line 1 and password on line 2 of that vpnauth.txt file
-    do-tcp: yes
+  * edit /etc/openvpn/boston.conf
+    * <code>sudo vim /etc/openvpn/boston.conf</code>
-    # May be set to yes if you have IPv6 connectivity
+    * add path to vpnauth.txt: auth-user-pass /etc/openvpn/vpnauth.txt
-    do-ip6: no
+  * add the cert file in that folder too
+  * remove the keysize thing (i think it was keysize) that line needs to go.
-    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+  * reboot
-    # Terredo tunnels your web browser should favor IPv4 for the same reasons
+  * check connection
-    prefer-ip6: no
+    * <code>sudo openvpn --config /etc/openvpn/boston.conf</code>
+  * enable openvpn on startup
-    # Use this only when you downloaded the list of primary root servers!
+    * <code>sudo systemctl enable openvpn@boston</code>
-    # If you use the default dns-root-data package, unbound will find it automatically
+  * enable forwarding
-    #root-hints: "/var/lib/unbound/root.hints"
+    * <code>sudo vim /etc/sysctl.conf</code>
+    * remove the # in front of net.ipv4.ip_forward = 1
-    # Trust glue only if it is within the server's authority
+  * enable service
-    harden-glue: yes
+    * <code>sudo sysctl -p</code>
+  * paste in iptables rules
-    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+    * <code>sudo iptables --flush
-    harden-dnssec-stripped: yes
+sudo iptables --delete-chain
+sudo iptables -t nat -F
-    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
-    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+sudo iptables -A INPUT -i ens18 -p tcp --dport 22 -j ACCEPT
-    use-caps-for-id: no
+sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
+sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
-    # Reduce EDNS reassembly buffer size.
+sudo iptables -I INPUT -i ens18 -m comment --comment "In from LAN" -j ACCEPT
-    # Suggested by the unbound man page to reduce fragmentation reassembly problems
+sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
-    edns-buffer-size: 1472
+sudo iptables -A OUTPUT -o ens18 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT
+sudo iptables -A OUTPUT -o ens18 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
-    # Perform prefetching of close to expired message cache entries
+sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
-    # This only applies to domains that have been frequently queried
+sudo iptables -A OUTPUT -o ens18 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
-    prefetch: yes
+sudo iptables -A FORWARD -i tun+ -o ens18 -m state --state RELATED,ESTABLISHED -j ACCEPT
+sudo iptables -A FORWARD -i ens18 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
-    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+sudo iptables -P FORWARD DROP</code>
-    num-threads: 1
+    * first three lines erase old rules (if any)
+    * next line enables nat
-    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+    * next line opens port 22 for ssh
-    so-rcvbuf: 1m
+    * next two lines enable loopback
+    * next two lines enable traffic ok by defualt
-    # Ensure privacy of local IP ranges
+    * next line opens vpn socket (use the correct port)
-    private-address: 192.168.0.0/16
+    * next line enables ntp for time sync
-    private-address: 169.254.0.0/16
+    * next line enables dhcp
-    private-address: 172.16.0.0/12
+    * next line enables dns
-    private-address: 10.0.0.0/8
+    * next two lines enable vpn kill switch (traffic blocked if VPN down)
-    private-address: fd00::/8
+    * last line adds default drop (only use above rules)
-    private-address: fe80::/10</code>
+  * save rules
+    * <code>sudo netfilter-persistent save</code>
-==== Point Pi-hole to Unbound ====
+  * apply to startup
-  * log into pi-hole
+    * <code>sudo systemctl enable netfilter-persistent</code>
-  * go to Settings -> DNS
+  * install dnsmasq
-  * uncheck Google servers and add Custom 127.0.0.1#5335
+    * <code>sudo install dnsmasq</code>
-  * Save
+  * add dns forwarding to conf file
+    * <code>sudo /etc/openvpn/boston.conf</code>
-==== Fix domain pointing to /admin page ====
+    * add this to end
-  * To redirect the root address to /admin, add the following line to /etc/lighttpd/external.conf: (it used to be /etc/lighttpd/lighttpd.conf but it is recommended to use /etc/lighttpd/external.conf so that it isn't overwritten by updates)
+      * <code>script-security 2
+up /etc/openvpn/update-resolv-conf
-<code>url.redirect = ( "^/$" => "/admin" )</code>
+down /etc/openvpn/update-resolv-conf</code>
 * Links:
-      * https://www.youtube.com/watch?v=FnFtWsZ8IP0
+      * https://www.youtube.com/watch?v=J_cRe__c3Mc
-      * https://www.reddit.com/r/pihole/comments/4eirjz/is_it_possible_to_forward_a_domain_to_the_pihole/

brimble.com

User Tools

Site Tools

Differences

Page Tools