Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

MichaIng
Site Admin
Posts: 3097
Joined: Sat Nov 18, 2017 6:21 pm

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by MichaIng »

dwr wrote: Fri Mar 12, 2021 9:31 pm
“niface” and “naddress” are accurate, correct?
When echo is called with the -e flag, \n is interpreted as a newline character. So it will be:

Code:

allow-hotplug eth1
iface eth1 inet static
address <ip_address>/24
That will automatically assign a static IPv4 address to the eth1 interface, which will most likely be the USB adapter, while eth0 will be the onboard adapter. I changed <CIDR> to 24 as this is pretty much the subnet you want. So if <ip_address> is replaced with 192.168.1.1, then all 192.168.1.* addresses belong to this network, or more precisely, ifup will create a route to have all packets addressed to 192.168.1.* IPs sent through this adapter automatically, to make it become effectively used.
dwr wrote: Fri Mar 12, 2021 9:31 pm
What about “eth1”? Do I need to add an additional line to include “eth1” as well?
Ah wait, eth0 is connected to the gateway, tun0 is the VPN interface and eth1 is connected to the LAN. So you want to forward traffic from eth1 to tun0 and vice versa, and nothing forwarded through eth0 directly. The following should work then:

Code:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
OpenVPN takes care of the VPN routes, so that all packets not addressed to 192.168.1.* IPs will be routed through tun0 automatically. Let me know if that works, since I have not tested it yet, but it would be a good resource to direct others to and finally implement into DietPi as (VPN) router setup steps :D.
dwr wrote: Fri Mar 12, 2021 9:31 pm
If you are suggesting that I can simply run the code above rather than use the persistent script, I will do so.
iptables-persistent will be fine.
dwr wrote: Fri Mar 12, 2021 9:31 pm
I have no intention of using IPv6 since, from what I have read, it tends to cause more trouble than benefits.
Sadly even in 2021, yes.
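The FORWARD rules above are easy to reason about with a small first-match simulator, so here is one as an added example (it is not code from the thread, from DietPi, or from OpenVPN). It models the two FORWARD rules exactly as posted and also renders them in the iptables-save syntax that iptables-persistent loads from /etc/iptables/rules.v4. The point worth checking as a defender: the posted rules only add ACCEPT entries, so with the FORWARD chain's default policy of ACCEPT, a LAN packet heading out of eth0 (which is where the default route sends it if tun0 ever goes down) is forwarded too. Rendering the ruleset with the FORWARD policy set to DROP closes that path; the interface names eth0/eth1/tun0 and conntrack states are taken from the thread, everything else is constructed for the example.

```python
"""First-match simulation of the thread's FORWARD rules (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule: -i, -o, optional -m state --state list, and target."""
    in_iface: Optional[str]
    out_iface: Optional[str]
    states: Optional[FrozenSet[str]]
    target: str


@dataclass(frozen=True)
class Packet:
    """The parts of a forwarded packet these rules look at (constructed input)."""
    in_iface: str
    out_iface: str
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED


# The two FORWARD rules posted in the thread, in the order they were given.
THREAD_FORWARD_RULES: List[Rule] = [
    Rule("tun0", "eth1", frozenset({"RELATED", "ESTABLISHED"}), "ACCEPT"),
    Rule("eth1", "tun0", None, "ACCEPT"),
]


def forward_verdict(packet: Packet, rules: List[Rule] = THREAD_FORWARD_RULES,
                    policy: str = "ACCEPT") -> str:
    """First-match evaluation as netfilter does it: the target of the first
    rule whose criteria all match, otherwise the chain's default policy."""
    for rule in rules:
        if rule.in_iface is not None and rule.in_iface != packet.in_iface:
            continue
        if rule.out_iface is not None and rule.out_iface != packet.out_iface:
            continue
        if rule.states is not None and packet.state not in rule.states:
            continue
        return rule.target
    return policy


def render_rules_v4(rules: List[Rule], forward_policy: str) -> str:
    """Emit the ruleset in iptables-save syntax (what iptables-persistent reads
    from /etc/iptables/rules.v4). The nat MASQUERADE rule is the one from the
    thread; forward_policy becomes the FORWARD chain default."""
    out = [
        "*nat",
        ":POSTROUTING ACCEPT [0:0]",
        "-A POSTROUTING -o tun0 -j MASQUERADE",
        "COMMIT",
        "*filter",
        f":FORWARD {forward_policy} [0:0]",
    ]
    for rule in rules:
        parts = ["-A FORWARD"]
        if rule.in_iface:
            parts += ["-i", rule.in_iface]
        if rule.out_iface:
            parts += ["-o", rule.out_iface]
        if rule.states:
            parts += ["-m", "state", "--state", ",".join(sorted(rule.states))]
        parts += ["-j", rule.target]
        out.append(" ".join(parts))
    out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    lan_to_vpn = Packet("eth1", "tun0", "NEW")
    lan_to_wan = Packet("eth1", "eth0", "NEW")  # the path taken if tun0 is down
    for policy in ("ACCEPT", "DROP"):
        print(f"policy {policy}: LAN->tun0 {forward_verdict(lan_to_vpn, policy=policy)}, "
              f"LAN->eth0 {forward_verdict(lan_to_wan, policy=policy)}")
    print(render_rules_v4(THREAD_FORWARD_RULES, "DROP"))
```

The rendered text can be saved as /etc/iptables/rules.v4 and loaded with iptables-restore; with the DROP policy, only LAN-to-VPN traffic and the replies to it are forwarded, and nothing bridges eth1 and eth0 directly.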
dwr
Posts: 39
Joined: Thu Feb 18, 2021 3:46 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by dwr »

MichaIng wrote: Sat Mar 13, 2021 3:32 pm
When echo is called with the -e flag, \n is interpreted as a newline character.
Thanks for clarifying!

MichaIng wrote: Sat Mar 13, 2021 3:32 pm
So it will be:

Code:

allow-hotplug eth1
iface eth1 inet static
address <ip_address>/24
That will automatically assign a static IPv4 address to the eth1 interface, which will most likely be the USB adapter, while eth0 will be the onboard adapter. I changed <CIDR> to 24 as this is pretty much the subnet you want. So if <ip_address> is replaced with 192.168.1.1, then all 192.168.1.* addresses belong to this network, or more precisely, ifup will create a route to have all packets addressed to 192.168.1.* IPs sent through this adapter automatically, to make it become effectively used.
Ah, ok. So just to verify my understanding of this, the prefix to the <ip_address> (e.g. x.x.x.*) needs to be what the DHCP server is using as the IP address prefix? Meaning that if the DHCP server is assigning 10.0.1.*, I would input 10.0.1.1 in the code above?

MichaIng wrote: Sat Mar 13, 2021 3:32 pm
Ah wait, eth0 is connected to the gateway, tun0 is the VPN interface and eth1 is connected to the LAN. So you want to forward traffic from eth1 to tun0 and vice versa, and nothing forwarded through eth0 directly. The following should work then:

Code:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT
OpenVPN takes care of the VPN routes, so that all packets not addressed to 192.168.1.* IPs will be routed through tun0 automatically. Let me know if that works, since I have not tested it yet, but it would be a good resource to direct others to and finally implement into DietPi as (VPN) router setup steps. :D
You mention that “all packets not addressed to the 192.168.1.* IPs will be routed through tun0 automatically” - what about all packets that ARE addressed to the 192.168.1.* IPs? I assume OpenVPN will route those through the VPN (tun0) as well?

MichaIng wrote: Sat Mar 13, 2021 3:32 pm
iptables-persistent will be fine.
Excellent - thank you. I will look through some tutorials online to see if I can find the proper commands to use this, and then execute it. In the meantime, might you have the needed commands to install and activate this?
Last edited by dwr on Sun Mar 14, 2021 3:14 am, edited 1 time in total.
dwr - SpicyLimes.io
Joulinar
Posts: 5115
Joined: Sat Nov 16, 2019 12:49 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by Joulinar »

This begs the question: where does the DHCP functionality come into play? I do not think I took this into account. I assume that I will need to install a DHCP server as well…?
Pi-hole as well as AdGuard are able to act as DHCP server. There is no need to install one in addition.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation.
Your DietPi Team
dwr
Posts: 39
Joined: Thu Feb 18, 2021 3:46 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by dwr »

Joulinar wrote: Sat Mar 13, 2021 10:01 pm
This begs the question: where does the DHCP functionality come into play? I do not think I took this into account. I assume that I will need to install a DHCP server as well…?
Pi-hole as well as AdGuard are able to act as DHCP server. There is no need to install one in addition.
Doh! Forgot about that. I was overthinking this and forgot about the AdGuard Home aspect. Thanks for the reminder! 8)

I think I am about an inch away from attempting this - just need some final clarification on the questions in my last post. Once I have those answers, I will pull-the-trigger on this project. Fingers-crossed, but if it does work, I will put together a tutorial on this.
dwr - SpicyLimes.io
MichaIng
Site Admin
Posts: 3097
Joined: Sat Nov 18, 2017 6:21 pm

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by MichaIng »

<ip_address> in /etc/network/interfaces.d/eth1.conf should be the exact IP address of the DietPi device, e.g. 192.168.1.1. The CIDR suffix /24 equals a separate netmask 255.255.255.0 line, but that would be the legacy style. Arg, dietpi-config still uses this legacy style :roll:. Rework in progress...

About the routes:
  • The gateway entry in /etc/network/interfaces for the eth0 interface will create the default route 0.0.0.0/0, which is the absolute fallback. Note the CIDR 0, which means a network mask of 0.0.0.0, hence really all IPs.
  • OpenVPN will set up two routes for tun0, 0.0.0.0/1 and 128.0.0.0/1, which together cover all IPs as well. But since each is more specific than the default route (just half of the complete network range), they have a higher priority and hence practically override the default route. The little trick that VPN clients use ;).
  • Each interface (including tun0) will again have a specific route created, according to its CIDR or netmask (usually 24 / 255.255.255.0), which is, due to the higher CIDR/stricter mask, again more specific and hence overrides the OpenVPN routes in turn. This of course is wanted, to correctly answer LAN requests back to the LAN etc.
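The three bullets above describe longest-prefix-match route selection, which is easier to see by running it. The following is an added example (not code from the thread, DietPi or OpenVPN) that builds a routing table mirroring the post: the 0.0.0.0/0 default via eth0, OpenVPN's two /1 routes via tun0, and one connected /24 per interface. The 192.168.1.0/24 LAN on eth1 comes from the thread; the 192.168.0.0/24 upstream network on eth0 and the 10.8.0.0/24 tunnel network on tun0 are assumptions for the example. The vpn_up flag lets you see what the kernel does when the two /1 routes disappear: everything falls back to the eth0 default route, which is why the forwarding rules should not allow eth1-to-eth0 traffic.

```python
"""Longest-prefix-match route selection for the routing table described in
the post (added example, constructed table)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


def build_routes(vpn_up: bool = True) -> List[Route]:
    """Routing table as the post describes it. Order is deliberately not
    most-specific-first: the kernel picks by prefix length, not by order."""
    routes: List[Route] = [
        (ipaddress.ip_network("0.0.0.0/0"), "eth0"),         # gateway line for eth0
        (ipaddress.ip_network("192.168.1.0/24"), "eth1"),    # LAN, from address <ip>/24
        (ipaddress.ip_network("192.168.0.0/24"), "eth0"),    # assumed upstream LAN
    ]
    if vpn_up:
        routes += [
            (ipaddress.ip_network("0.0.0.0/1"), "tun0"),     # added by OpenVPN
            (ipaddress.ip_network("128.0.0.0/1"), "tun0"),   # added by OpenVPN
            (ipaddress.ip_network("10.8.0.0/24"), "tun0"),   # assumed tunnel subnet
        ]
    return routes


def select_route(dst: str, routes: List[Route]) -> Optional[str]:
    """Return the interface of the most specific matching route (longest
    prefix wins), or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.1.50", "10.8.0.5", "192.168.0.10"):
        print(f"{dst:>14} -> VPN up: {select_route(dst, build_routes())}, "
              f"VPN down: {select_route(dst, build_routes(vpn_up=False))}")
```

Compare the output with `ip route get <ip>` on the Pi once OpenVPN is connected; the two /1 routes are the "trick" the post refers to, and the per-interface /24 routes keep LAN replies on eth1 even though 192.168.1.0/24 also falls inside 128.0.0.0/1.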
dwr
Posts: 39
Joined: Thu Feb 18, 2021 3:46 am

Re: Privacy + Router Pi: VPN Gateway/Tunnel + Ad-Block DNS Server

Post by dwr »

MichaIng wrote: Sun Mar 14, 2021 11:14 pm
<ip_address> in /etc/network/interfaces.d/eth1.conf should be the exact IP address of the DietPi device, e.g. 192.168.1.1. The CIDR suffix /24 equals a separate netmask 255.255.255.0 line, but that would be the legacy style. Arg, dietpi-config still uses this legacy style :roll:. Rework in progress...

About the routes:
  • The gateway entry in /etc/network/interfaces for the eth0 interface will create the default route 0.0.0.0/0, which is the absolute fallback. Note the CIDR 0, which means a network mask of 0.0.0.0, hence really all IPs.
  • OpenVPN will set up two routes for tun0, 0.0.0.0/1 and 128.0.0.0/1, which together cover all IPs as well. But since each is more specific than the default route (just half of the complete network range), they have a higher priority and hence practically override the default route. The little trick that VPN clients use ;).
  • Each interface (including tun0) will again have a specific route created, according to its CIDR or netmask (usually 24 / 255.255.255.0), which is, due to the higher CIDR/stricter mask, again more specific and hence overrides the OpenVPN routes in turn. This of course is wanted, to correctly answer LAN requests back to the LAN etc.
Excellent! Thank you all for your support on this. Since the day is coming to a close, I will probably make an attempt at this project next weekend when I can wake up fresh and focus on this for a few hours. I will report back (hopefully with success) once I have gotten everything setup. I will then consolidate all of the required guidance/steps/instructions from this thread, and make a nice and clean tutorial.

Thanks again! Till the attempt...
dwr - SpicyLimes.io