
Differences

This shows you the differences between two versions of the page.

unraid:virtual:openvpnu16.04 [2021/07/21 20:37] – [Install OpenVPN] dirk
unraid:virtual:openvpnu16.04 [2025/04/19 15:13] (current) – [Install OpenVPN and IpTables] dirk
Line 1: Line 1:
 ====== Install OpenVPN virtual router on Ubuntu 16.04 LTS as Unraid Virtual Machine ====== ====== Install OpenVPN virtual router on Ubuntu 16.04 LTS as Unraid Virtual Machine ======
-This will guide you through the setup of an OpenVPN virtual router on an installation of [[Ubuntu 20.04 LTS]] as an Unraid Virtual Machine.+This will guide you through the setup of an OpenVPN virtual router on an installation of [[Ubuntu 16.04 LTS]] as an Unraid Virtual Machine.
 ===== VM Settings ===== ===== VM Settings =====
   * Autostart: Yes   * Autostart: Yes
Line 78: Line 78:
 <code>sudo apt-get install openvpn</code> <code>sudo apt-get install openvpn</code>
 <code>sudo apt-get install iptables-persistent</code> <code>sudo apt-get install iptables-persistent</code>
 +  * click yes to both prompts on iptables install
  
-==== Install Unbound ==== +=== Setup ===
-<code>sudo apt-get install unbound</code> +
-  * write config file +
-<code>sudo vim /etc/unbound/unbound.conf.d/pi-hole.conf</code> +
-<code>server: +
-    # If no logfile is specified, syslog is used +
-    # logfile: "/var/log/unbound/unbound.log" +
-    verbosity: 0+
  
-    interface: 127.0.0.1 +  * Upload OpenVPN config files to home directory. 
-    port: 5335 +  * Copy boston.ovpn file to /etc/openvpn/boston.conf 
-    do-ip4: yes +  * create text file /etc/openvpn/vpnauth.txt 
-    do-udp: yes +    * put username on line 1 and password on line 2 of that vpnauth.txt file 
-    do-tcp: yes +  * edit /etc/openvpn/boston.conf 
- +    * <code>sudo vim /etc/openvpn/boston.conf</code> 
-    # May be set to yes if you have IPv6 connectivity +    * add path to vpnauth.txtauth-user-pass /etc/openvpn/vpnauth.txt 
-    do-ip6no +  * add the cert file in that folder too 
- +  * remove the keysize thing (i think it was keysize) that line needs to go. 
-    # You want to leave this to no unless you have *nativeIPv6. With 6to4 and +  reboot 
-    # Terredo tunnels your web browser should favor IPv4 for the same reasons +  check connection 
-    prefer-ip6: no +    * <code>sudo openvpn --config /etc/openvpn/boston.conf</code> 
- +  * enable openvpn on startup 
-    # Use this only when you downloaded the list of primary root servers! +    * <code>sudo systemctl enable openvpn@boston</code> 
-    # If you use the default dns-root-data package, unbound will find it automatically +  * enable forwarding 
-    #root-hints: "/var/lib/unbound/root.hints" +    * <code>sudo vim /etc/sysctl.conf</code> 
- +    * remove the # in front of net.ipv4.ip_forward = 1 
-    # Trust glue only if it is within the server's authority +  * enable service 
-    harden-glue: yes +    * <code>sudo sysctl -p</code> 
- +  * paste in iptables rules 
-    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS +    * <code>sudo iptables --flush 
-    harden-dnssec-stripped: yes +sudo iptables --delete-chain 
- +sudo iptables -nat -F 
-    # Don'use Capitalization randomization as it known to cause DNSSEC issues sometimes +sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE 
-    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details +sudo iptables -A INPUT -i ens18 -p tcp --dport 22 -j ACCEPT 
-    use-caps-for-id: no +sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT 
- +sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT 
-    # Reduce EDNS reassembly buffer size. +sudo iptables -I INPUT -i ens18 -m comment --comment "In from LAN" -j ACCEPT 
-    # Suggested by the unbound man page to reduce fragmentation reassembly problems +sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT 
-    edns-buffer-size1472 +sudo iptables -A OUTPUT -o ens18 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT 
- +sudo iptables -A OUTPUT -o ens18 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT 
-    # Perform prefetching of close to expired message cache entries +sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT 
-    # This only applies to domains that have been frequently queried +sudo iptables -A OUTPUT -o ens18 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT 
-    prefetch: yes +sudo iptables -A FORWARD -i tun+ -o ens18 -m state --state RELATED,ESTABLISHED -j ACCEPT 
- +sudo iptables -A FORWARD -i ens18 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT 
-    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. +sudo iptables -P FORWARD DROP</code> 
-    num-threads:+    * first three lines erase old rules (if any) 
- +    * next line enables nat 
-    # Ensure kernel buffer is large enough to not lose messages in traffic spikes +    * next line opens port 22 for ssh 
-    so-rcvbuf: 1m +    * next two lines enable loopback 
- +    * next two lines enable traffic ok by defualt 
-    # Ensure privacy of local IP ranges +    * next line opens vpn socket (use the correct port) 
-    private-address: 192.168.0.0/16 +    * next line enables ntp for time sync 
-    private-address: 169.254.0.0/16 +    * next line enables dhcp 
-    private-address: 172.16.0.0/12 +    * next line enables dns 
-    private-address: 10.0.0.0/8 +    * next two lines enable vpn kill switch (traffic blocked if VPN down) 
-    private-address: fd00::/8 +    * last line adds default drop (only use above rules) 
-    private-address: fe80::/10</code> +  * save rules 
-     +    * <code>sudo netfilter-persistent save</code> 
-==== Point Pi-hole to Unbound ==== +  * apply to startup 
-  * log into pi-hole +    <code>sudo systemctl enable netfilter-persistent</code
-  go to Settings -> DNS +  * install dnsmasq 
-  * uncheck Google servers and add Custom 127.0.0.1#5335 +    <code>sudo install dnsmasq</code> 
-  Save +  * add dns forwarding to conf file 
- +    * <code>sudo /etc/openvpn/boston.conf</code> 
-==== Fix domain pointing to /admin page ==== +    * add this to end 
-  * To redirect the root address to /admin, add the following line to /etc/lighttpd/external.conf: (it used to be /etc/lighttpd/lighttpd.conf but it is recommended to use /etc/lighttpd/external.conf so that it isn't overwritten by updates) +      * <code>script-security 2 
- +up /etc/openvpn/update-resolv-conf 
-<code>url.redirect = ( "^/$" => "/admin" )</code>+down /etc/openvpn/update-resolv-conf</code>
  
 * Links: * Links:
-      * https://www.youtube.com/watch?v=FnFtWsZ8IP0 +      * https://www.youtube.com/watch?v=J_cRe__c3Mc
-      * https://www.reddit.com/r/pihole/comments/4eirjz/is_it_possible_to_forward_a_domain_to_the_pihole/+
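Review bot: in the "paste in iptables rules" step the kill switch only protects forwarded LAN traffic, not the router itself: the only policy set is `-P FORWARD DROP`, the OUTPUT chain keeps its default ACCEPT, so the five OUTPUT rules for udp 443, 123, 67:68 and 53 are inert and the VM's own traffic, DNS lookups included, leaves via ens18 unfiltered whenever tun is down. Add `sudo iptables -P OUTPUT DROP` after the OUTPUT rules, together with `sudo iptables -A OUTPUT -o ens18 -m state --state RELATED,ESTABLISHED -j ACCEPT` so ssh replies to the LAN still get out, and decide whether the `--dport 53` ACCEPT on ens18 is wanted at all, because it lets DNS bypass the tunnel even while the VPN is up. The INPUT rules are likewise redundant as written: `-I INPUT -i ens18 -m comment --comment "In from LAN" -j ACCEPT` is inserted above the port-22 rule and INPUT policy is never set to DROP, so the ssh rule and the loopback rule never match anything that would otherwise be blocked. In the same block `sudo iptables -nat -F` is not valid iptables syntax (it should be `sudo iptables -t nat -F`), so the nat table is never flushed and re-running the block appends a second MASQUERADE rule. Further down, `sudo install dnsmasq` is missing `apt-get` (as written it calls the coreutils install utility), `sudo /etc/openvpn/boston.conf` is missing the `vim` used in the other edit steps, and dnsmasq is installed but no configuration for it appears in the hunk. In the Setup list the auth-user-pass instruction has lost its separator and should read "add path to vpnauth.txt: auth-user-pass /etc/openvpn/vpnauth.txt"; since that file holds the VPN username and password in clear text, the step that creates it should also restrict it to root (chmod 600). Minor: "defualt" in the rule notes.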
unraid/virtual/openvpnu16.04.1626917844.txt.gz · Last modified: by dirk