Purevpn gateway

Monic · 18 March 2021 17:59

Hi @ll,
I’m new and I need so.e support.
I have buy my first pi 4/2gb for a vpn gateway & pihole.
I have installed dietpi,pihole and pivpn…
Pihole works already great in my network, but I need help to configure my purevpn account.

I have installed pivpn with openvpn option…
So, now where should I put this files?

ca.crt
Auth.txt
Wdc.key
*.ovpn (server)

Another question is if there are a possibility to have a webif for openvpn if I want to change server location…

Thx to all helping me

Sorry for my bad English…

Monic

MichaIng · 18 March 2021 18:39

PiVPN is actually meant to setup a VPN server, how a client. However, bare OpenVPN can be used for both.

It should work to put the files into /etc/openvpn/.
Rename the .ovpn file to have a .conf ending.
Then start it via: systemctl start openvpn@ with being the filename without the ending.

Coincidentally we’re working on a dietpi-nordvpn rewrite for DietPi v7.1 that will allow to use custom .ovpn files .

Take care that either the server supports IPv6 or disable it on the client to not have IPv6 leaks or failing requests.

Joulinar · 18 March 2021 19:13

indeed PiVPN is no needed as it will act as server. Simply instll of OpenVPN and following the advice of MichaIng should be enough

Monic · 18 March 2021 19:29

Thx !!
I will try.
So if the server file name is xy.conf I start it with systemctl start openvpn@xy
Right?

Ipv6 is already disabled on my router.

So I can soon try the dietpi-nordvpn with my purevpn account?
This is great!!!

Schoud I deinstal pivpn and replace it with openvpn on dietpi-software?

Thx for helping me

MichaIng · 18 March 2021 19:36

Also dietpi-software OpenVPN selection sets it up for server usage. You could uninstall PiVPN, but it does not hurt. In case you might need to reinstall the plain OpenVPN package: apt install openvpn

The lack of an OpenVPN client setup is also the reason I like the dietpi-nordvpn rework. It will be called dietpi-vpn then btw .

Monic · 20 March 2021 06:28

Hi Michalng,
I have now connection to my vpn account. Many thanks
I’m trying now to redirect all network through the raspberry
But it doesn’t work.

What should I do?
M.

Joulinar · 20 March 2021 06:36

You would need to change default network on your local device pointing to the RPi

Monic · 22 March 2021 16:43

Hi…
It doesn’t work…
Where can I find a step-by-step tutorial?

I have installed dietpi 》pihole and pivpn (openvpn)
Pihole work great (pi ip 192.168.1.54).

Pivpn I have a connection to my purevpn but when I give gateway and das on my devices I don’t have connection to internet.

My fritzbox 7590 : dns and gateway are on the rpi ip.

What I need is:

connection on boot to my purevpn
a gateway that all my devices in my home goes through the vpn. (With rpi ip on the settings)
a script that reconnect to the vpn service when it goes down.
when no connection to vpn then no internet. (For my synology download station)

I hope someone can help me.

Joulinar · 22 March 2021 20:38

did you changed the default gateway on your clients? Usually this can be done on the DHCP server or on the clients directly if you use STATIC IP

Monic · 27 March 2021 08:09

Hi Joulinar,
It finally works.
Is there a way to add in dietpi pivpn&pihole a killswitch?
I need it for my synology download station…

Thx

Joulinar · 5 April 2021 00:00

a killswitch can be created using iptables similar to this guide. https://linuxconfig.org/how-to-create-a-vpn-killswitch-using-iptables-on-linux

usually trendy has good ideas on this topic

MichaIng · 5 April 2021 10:23

See how we did it for the new DietPi-VPN tool: https://github.com/MichaIng/DietPi/blob/dev/dietpi/dietpi-vpn#L346-L360
Feedback are highly welcome. Btw, good change to have PureVPN natively integrated as well .

trendy · 6 April 2021 09:40

That guide looks god to me Joulinar!
Regarding Diepti-vpn I would suggest:

to include also the FORWARD chain
to get the $VPN_SERVER, $PROTOCOL and $PORT from the ovpn config file.
allow the VPN nameserver to be reachable from the ISP.

MichaIng · 9 April 2021 12:28

What do you mean by this? It is dropped when the killswitch is enabled, so you mean to also allow forwarded requests to the VPN server and LAN by default, so that the VPN connection can be shared to the LAN?

VPN_SERVER in the first place is a variable to have the correct OVPN file selected/created. So in case of NordVPN and ProtonVPN it’s the other way round: The variable defines the OVPN file. If it would not match the actually contained remote IP/hostname, then the killswitch would break the VPN server connection, which is fine since we don’t want to establish a connection to a server that is not represented by the selected server/variable name. In case of a custom OVPN file, the variable is already derived from the file, so that that killswitch is assured to work correctly: https://github.com/MichaIng/DietPi/blob/dev/dietpi/dietpi-vpn#L128
Same with PROTOCOL, only that it does not play any role for a custom OVPN file. But since the variable is stored in the settings file, to avoid confusion, we could indeed get it from the custom OVPN file to have the settings file showing the correct protocol.
About PORT I agree that this should be scraped from the OVPN file. In case of ProtonVPN we currently use a variety of multiple ports, but to keep it simple I think we should stick with 1194 only: https://www.reddit.com/r/ProtonVPN/comments/5z17eb/what_ports_are_being_used/
It’s the same with NordVPN. For a custom OVPN file, to not make it too complicated, we should as well expect a single remote (or port) entry only, so that we can scrape one port and use that for the killswitch.

By the ISP? You mean by the client? Could you explain a bit more? I mean any DNS can be used, but requests are tunnelled. The same should be true when using the VPN provider’s DNS, which should work even when not allowing to connect directly to it. But I think I misunderstand what you mean .

trendy · 9 April 2021 13:10

Yes, the VPN can be shared with the LAN or a roadwarrior incoming to a VPN server.

to get the $VPN_SERVER, $PROTOCOL and $PORT from the ovpn config file.

VPN_SERVER in the first place is a variable to have the correct OVPN file selected/created. So in case of NordVPN and ProtonVPN it’s the other way round: The variable defines the OVPN file. If it would not match the actually contained remote IP/hostname, then the killswitch would break the VPN server connection, which is fine since we don’t want to establish a connection to a server that is not represented by the selected server/variable name. In case of a custom OVPN file, the variable is already derived from the file, so that that killswitch is assured to work correctly: https://github.com/MichaIng/DietPi/blob/dev/dietpi/dietpi-vpn#L128

Same with PROTOCOL, only that it does not play any role for a custom OVPN file. But since the variable is stored in the settings file, to avoid confusion, we could indeed get it from the custom OVPN file to have the settings file showing the correct protocol.

About PORT I agree that this should be scraped from the OVPN file. In case of ProtonVPN we currently use a variety of multiple ports, but to keep it simple I think we should stick with 1194 only: https://www.reddit.com/r/ProtonVPN/comments/5z17eb/what_ports_are_being_used/
It’s the same with NordVPN. For a custom OVPN file, to not make it too complicated, we should as well expect a single remote (or port) entry only, so that we can scrape one port and use that for the killswitch.

Excellent!

Let me clarify. I am not exactly sure at which point these rules will be applied, so I wanted to cover the case that the tunnel is still not up, so the nameserver to resolve the hostname of the tunnel endpoint needs to be routed over the ISP, hence it needs to be allowed.

Paraa · 13 March 2023 16:21

Had the same issue, thank you guys for helping.