PiHole, Wireguard, OVPN Client

Have some feedback, questions, suggestions, or just fancy a chat? Pop it in here.
diggidre
Posts: 4
Joined: Sat Jul 25, 2020 8:46 pm

PiHole, Wireguard, OVPN Client

Post by diggidre »

Hey guys,

I have a RPI2b running dietpi with PiHole and PiVPN Wireguard.
I can reach my home network from outside and have the advantage of Ad Blocking. Really cool :)
But my goal is to also have an OpenVPN connection running as a client to route all outgoing traffic through a VPN provider.
So my mobile devices should be able to be part of my home network from outside, have the advantage of ad blocking and use the OpenVPN connection for outgoing traffic as long as I'm connected to the WireGuard VPN.
I read a couple of tutorials about this double hop thing but really I'm not familiar enough with this to configure that.
Could someone please tell me what I have to edit / configure to let outgoing traffic pass through an OpenVPN client connection besides WireGuard and PiHole...
Joulinar
Posts: 2025
Joined: Sat Nov 16, 2019 12:49 am

Re: PiHole, Wireguard, OVPN Client

Post by Joulinar »

Hi,

Many thanks for your request. I guess you would need to configure iptables in such a way that all traffic is forwarded between the VPN interfaces. Maybe @trendy could help on this network forwarding stuff.
Please let us know if a solution is working. This could help others if they are hit by a similar situation.
Your DietPi Team
diggidre
Posts: 4
Joined: Sat Jul 25, 2020 8:46 pm

Re: PiHole, Wireguard, OVPN Client

Post by diggidre »

Thank you for your reply @Joulinar.
It would be very nice if @trendy could advise me on how to configure iptables correctly for this use case :)
trendy
Posts: 117
Joined: Tue Feb 25, 2020 2:54 pm

Re: PiHole, Wireguard, OVPN Client

Post by trendy »

It is a bit more complicated than just some iptables rules I am afraid.
Currently you have only one gateway, your ISP, so everything works through that.
However, when you add the OpenVPN client, it will push the default gateway through that. This will break your WireGuard server, as replies will be routed via OpenVPN and not the ISP. So you'll need to filter the default gateway from the VPN and manually route whatever you wish to be routed via the VPN. To do that you need to create a new routing table, which will contain the local subnet and the VPN as default gateway (usually you can do that with route-up scripts). Finally you need to add a few policy routing rules to mark the source IPs which will be using the VPN routing table.
iptables should not be much of an issue, just allow lan and remote hosts towards the VPN and drop everything else.

This scenario is when WireGuard and OpenVPN run on the router. If the device is inside the LAN, it is more complicated if you also want to route LAN hosts via the VPN, apart from the remote ones.

If you are still interested, let me know exactly the topology as well as if only remote or lan hosts should use the OpenVPN.
diggidre
Posts: 4
Joined: Sat Jul 25, 2020 8:46 pm

Re: PiHole, Wireguard, OVPN Client

Post by diggidre »

Thank you for the reply @trendy.
The VPN runs inside my LAN, not directly on the router. As mentioned, it's DietPi running PiHole, PiVPN and OVPN.
I want all traffic from inside the LAN (or let's better say the LAN devices I tell to use this Pi as gateway) and all clients from outside that are connected via WireGuard as "home devices" to route the outgoing traffic through the OVPN connection.
trendy
Posts: 117
Joined: Tue Feb 25, 2020 2:54 pm

Re: PiHole, Wireguard, OVPN Client

Post by trendy »

diggidre wrote: Fri Aug 14, 2020 10:56 am
    let's better say the LAN devices I tell to use this Pi as gateway
Configure the DHCP server with option 3 for those specific hosts to use the Pi as default gateway.
Alternatively use a static IP/mask/GW/DNS.
diggidre wrote: Fri Aug 14, 2020 10:56 am
    all clients from outside that are connected via WireGuard as "home devices" to route the outgoing traffic through the OVPN connection.
First step is to filter the default gateway from the VPN.
Second, create a rule for all the IPs of the WG server to use a custom routing table:

Code:

    ip rule add from <allow_net> to <lan_net> lookup main prio 16000
    ip rule add from <allow_net> to default lookup 101 prio 16010

Set up the default gateway for the custom routing table:

Code:

    ip route add to default via <gateway> table 101

If the gateway is not standard you can try with "dev wg0" or whatever your WG interface is.

On top of all these you'd need to set up the firewall accordingly to:
  1. Protect your network
  2. NAT the internal network when you access the internet
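As an added example (not part of this thread, and not a DietPi or PiVPN script), here is what the route-up/down script trendy describes could look like when it is put together with the firewall points above: the OpenVPN client is told to ignore the pushed default gateway, table 101 gets the local subnets plus the VPN as default route, and the policy rules from the post send WireGuard clients (and, going one step beyond the post, LAN hosts that were given the Pi as gateway via DHCP option 3) through the tunnel. All interface names, subnets and the gateway address are assumptions; the `iif` match on the LAN rule is deliberate so that the Pi's own packets (WireGuard replies, Pi-hole DNS) keep using the ISP and the WireGuard server is not broken.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN route-up/down script for a DietPi
# box inside the LAN that is WireGuard server and OpenVPN client at the same time.
# Put in the client .ovpn (step 1, "filter the default gateway from the VPN"):
#   pull-filter ignore "redirect-gateway"
#   script-security 2
#   route-up "/usr/local/sbin/vpn-policy.sh up"
#   down     "/usr/local/sbin/vpn-policy.sh down"
# OpenVPN exports $dev and $route_vpn_gateway to these scripts.
# All values below are hypothetical placeholders; adjust them to your network.

LAN_IF=${LAN_IF:-eth0}                 # Pi's LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}     # home LAN subnet
WG_IF=${WG_IF:-wg0}                    # PiVPN WireGuard interface
WG_NET=${WG_NET:-10.6.0.0/24}          # WireGuard client subnet, the <allow_net>
VPN_IF=${VPN_IF:-${dev:-tun0}}         # OpenVPN tunnel interface
VPN_GW=${VPN_GW:-${route_vpn_gateway:-10.8.0.1}}  # OpenVPN gateway <gateway>
TABLE=${TABLE:-101}                    # custom routing table, as in the thread
DRY_RUN=${DRY_RUN:-1}                  # 1 = print the commands, 0 = run them (root)

# Print or execute one command, so the result can be reviewed before applying.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Add ("add") or remove ("del") the routes, policy rules and firewall rules.
rules() {
    op=$1
    if [ "$op" = del ]; then ipt=-D; else ipt=-A; fi

    # Table 101: local subnets plus the VPN as default gateway.
    if [ "$op" = add ]; then
        run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
        run ip route replace "$WG_NET" dev "$WG_IF" table "$TABLE"
        run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    else
        run ip route flush table "$TABLE"
    fi

    # Policy rules from the thread: WireGuard clients reach the LAN through the
    # main table, everything else goes through table 101.
    run ip rule "$op" from "$WG_NET" to "$LAN_NET" lookup main prio 16000
    run ip rule "$op" from "$WG_NET" to default lookup "$TABLE" prio 16010
    # LAN hosts that use the Pi as gateway. "iif" matches only forwarded packets
    # arriving on the LAN interface, so the Pi's own traffic is not affected.
    run ip rule "$op" iif "$LAN_IF" from "$LAN_NET" to default lookup "$TABLE" prio 16020

    # Firewall: NAT towards the VPN, allow LAN and remote hosts into the tunnel,
    # only let replies back in, drop anything else coming from the tunnel.
    run iptables -t nat "$ipt" POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run iptables "$ipt" FORWARD -i "$WG_IF" -o "$VPN_IF" -j ACCEPT
    run iptables "$ipt" FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables "$ipt" FORWARD -i "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables "$ipt" FORWARD -i "$VPN_IF" -j DROP
}

policy_up()   { run sysctl -w net.ipv4.ip_forward=1; rules add; }
policy_down() { rules del; }

case "${1:-}" in
    up)   policy_up ;;
    down) policy_down ;;
esac
```

Run it once with `DRY_RUN=1 ./vpn-policy.sh up` to see the exact `ip` and `iptables` commands before letting OpenVPN execute it with `DRY_RUN=0`. If replies from the tunnel are dropped on the way back to WireGuard clients, check `net.ipv4.conf.<iface>.rp_filter` (loose mode, value 2, is the usual fix for policy-routed setups), and verify the rules with `ip rule show` and `ip route show table 101`.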