Signed-off-by: Lisa Seelye <lisa@users.noreply.github.com>
Showing 9 changed files with 246 additions and 0 deletions.
@@ -0,0 +1,3 @@ | ||
TUNNEL_ENDPOINT=10.100.0.1 | ||
TUNNEL_INTERFACE=tun1 | ||
PIHOLE_WEBPW=changeme |
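Review bot: `PIHOLE_WEBPW=changeme` is a weak default committed in the environment file that the Compose service passes straight through to Pi-hole's `WEBPASSWORD`; commit it as an example file (e.g. `.env.example`) and git-ignore the real `.env` so a forgotten edit cannot ship the placeholder. Note also that `TUNNEL_INTERFACE=tun1` has to agree with the `dev` line of the OpenVPN server config, which in this commit says `tun0`.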
@@ -1,2 +1,66 @@ | ||
# docker-compose-openvpn-pihole | ||
OpenVPN + Pi-Hole +Docker-Compose | ||
|
||
Projects Used: | ||
|
||
* https://github.com/kylemanna/docker-openvpn | ||
* https://github.com/pi-hole/docker-pi-hole/ | ||
* For Inspiration: https://github.com/rabbl/OpenVPN-PIHole | ||
|
||
## Setup / Initialization | ||
|
||
There is setup the user must do prior to using this, as follows: | ||
|
||
* Pi-Hole | ||
* OpenVPN | ||
* Server | ||
* Client | ||
|
||
### Pi-Hole | ||
|
||
I came to this with a pre-configured pi-hole, so you'll want to go through that inside an Ubuntu container (note: you may need to hack up its install script to work around some containerization limitations) or outside. Copy the configuration to [./pihole/pihole](./pihole/pihole) directory. Note that the provided [seupVars.conf](./pihole/pihole/seupVars.conf) and [01-pihole.conf](./pihole/dnsmasq.d/01-pihole.conf) are for reference only. | ||
|
||
Next, edit [.env](./.env) file, such as the `PIHOLE_WEBPW` setting. | ||
|
||
### OpenVPN | ||
|
||
There are two things to do for OpenVPN, the server settings and then clients. | ||
|
||
The server can follow the setup for the [upstream](https://github.com/kylemanna/docker-openvpn) docker-openvpn project for both client and server. | ||
|
||
In brief, however the steps are to configure the server and then clients. By way of disclaimer, @lisa came to the containerization of her configuration with a "bare metal" installation so the steps are not guaranteed. Refer to the [upstream](https://github.com/kylemanna/docker-openvpn) project for more thorough explanation. | ||
|
||
In the documentation the VPN endpoint (that is, where clients connect) is `vpn-endpoint.example.com`. The client will be called `client`. The VPN client range will be `10.100.0.0/24` with the inside-docker network device as `tun1`. | ||
|
||
#### OpenVPN Server | ||
|
||
**WARNING: This configuration will route _ALL_ traffic over the VPN.** | ||
|
||
1. Initialize the configuration with | ||
|
||
docker-compose run --rm openvpn ovpn_genconfig -u vpn-endpoint.example.com -N -z -d -s 10.100.0.0/24 -p "remote-gateway 10.100.0.1" -n 10.100.0.2 | ||
|
||
2. Initialize the server's crypto (PKI) and when prompted, provide passphrases and then the VPN endpoint, `vpn-endpoint.example.com` (for "Common Name"). | ||
|
||
docker-compose run --rm openvpn ovpn_initpki | ||
|
||
#### OpenVPN Client | ||
|
||
1. Create a client certificate, providing the passphrases as appropriate during server configuration. | ||
|
||
docker-compose run --rm openvpn easyrsa build-client-full client | ||
|
||
2. Obtain the client configuration | ||
|
||
docker-compose run --rm openvpn ovpn_getclient client > client.ovpn | ||
|
||
The client configuration can be distributed to the client at this time. | ||
|
||
|
||
## Controlling the Composition | ||
|
||
Start the stack with `docker-compose up -d` once all configuration steps are complete, and stop via `docker-compose down`. | ||
|
||
## DISCLAIMER | ||
|
||
This repository is provided "as-is" and without any warranty. It may cause data loss, or due to misconfiguration cause your software to be exposed to the Internet. By using the software you assume all risks. |
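Review bot: the WARNING that this configuration routes ALL traffic over the VPN does not match the `ovpn_genconfig` command in step 1: `-d` disables the default-route push (it shows up as `OVPN_DEFROUTE=0` in the generated environment), and `remote-gateway` is not an OpenVPN directive I recognise; the directive that sends all client traffic through the tunnel is `redirect-gateway` (pushed as `push "redirect-gateway def1"`). Either drop `-d` and push `redirect-gateway`, or reword the warning to say this is a split-tunnel setup that only routes `10.100.0.0/24`. Also, the link text `seupVars.conf` misspells `setupVars.conf`, and the sentence "for both client and server" in the OpenVPN section duplicates the preceding one.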
@@ -0,0 +1,38 @@ | ||
--- | ||
version: '3' | ||
services: | ||
openvpn: | ||
image: kylemanna/openvpn | ||
cap_add: | ||
- NET_ADMIN | ||
container_name: openvpn | ||
expose: | ||
- "80/tcp" | ||
- "53/tcp" | ||
- "443/tcp" | ||
- "53/udp" | ||
ports: | ||
- "1194:1194/udp" | ||
restart: always | ||
volumes: | ||
- ./openvpn:/etc/openvpn | ||
command: [ "/etc/openvpn/start.sh"] | ||
|
||
pihole: | ||
depends_on: | ||
- "openvpn" | ||
image: pihole/pihole:latest | ||
cap_add: | ||
- NET_ADMIN | ||
container_name: pihole_compose | ||
network_mode: "service:openvpn" | ||
restart: always | ||
volumes: | ||
- ./pihole/pihole:/etc/pihole | ||
- ./pihole/dnsmasq.d:/etc/dnsmasq.d | ||
environment: | ||
- ServerIP=${TUNNEL_ENDPOINT} | ||
- TZ="UTC" | ||
- WEBPASSWORD=${PIHOLE_WEBPW} | ||
- INTERFACE="${TUNNEL_INTERFACE}" | ||
- DNSMASQ_LISTENING="single" |
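Review bot: in list-form `environment:` entries Compose keeps quote characters as part of the value, so `TZ="UTC"`, `INTERFACE="${TUNNEL_INTERFACE}"` and `DNSMASQ_LISTENING="single"` reach the container as `"UTC"`, `"tun1"` and `"single"` including the literal double quotes; write them unquoted (`- TZ=UTC`) or switch to the mapping form. `expose:` on the openvpn service is documentation only and publishes nothing, which is the right choice here since Pi-hole shares that network namespace and its web UI on 80/tcp should stay reachable over the tunnel only; pinning `pihole/pihole:latest` to a specific tag would also make the stack reproducible.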
@@ -0,0 +1,25 @@ | ||
server 10.100.0.0 255.255.255.0 | ||
verb 3 | ||
key /etc/openvpn/pki/private/vpn-endpoint.example.com.key | ||
ca /etc/openvpn/pki/ca.crt | ||
cert /etc/openvpn/pki/issued/vpn-endpoint.example.com.crt | ||
dh /etc/openvpn/pki/dh.pem | ||
tls-auth /etc/openvpn/pki/ta.key | ||
key-direction 0 | ||
keepalive 10 60 | ||
persist-key | ||
persist-tun | ||
|
||
proto udp | ||
# Rely on Docker to do port mapping, internally always 1194 | ||
port 1194 | ||
dev tun0 | ||
status /tmp/openvpn-status.log | ||
|
||
user nobody | ||
group nogroup | ||
comp-lzo | ||
|
||
### Push Configurations Below | ||
push "dhcp-option DNS 10.100.0.2" | ||
push "remote-gateway 10.100.0.1" |
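Review bot: `dev tun0` conflicts with `TUNNEL_INTERFACE=tun1` in the environment file and `interface=tun1` in the dnsmasq config; because Pi-hole runs in this container's network namespace it will bind to an interface OpenVPN never creates. Use `dev tun1` here (and `OVPN_DEVICEN=1`) or `tun0` everywhere. Separately, `comp-lzo` compresses tunnelled traffic, which is what the VORACLE class of attacks exploits, and with no `cipher`/`auth` lines the server may fall back to OpenVPN's legacy defaults (BF-CBC/SHA1 on 2.3 and 2.4); explicit `cipher AES-256-GCM` and `auth SHA256` are preferable. The final `push "remote-gateway 10.100.0.1"` is the unrecognised directive mentioned in the README note.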
@@ -0,0 +1,25 @@ | ||
declare -x OVPN_AUTH= | ||
declare -x OVPN_CIPHER= | ||
declare -x OVPN_CLIENT_TO_CLIENT= | ||
declare -x OVPN_CN=vpn-endpoint.example.com | ||
declare -x OVPN_COMP_LZO=1 | ||
declare -x OVPN_DEFROUTE=0 | ||
declare -x OVPN_DEVICE=tun | ||
declare -x OVPN_DEVICEN=0 | ||
declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=1 | ||
declare -x OVPN_DNS=1 | ||
declare -x OVPN_DNS_SERVERS=([0]="10.100.0.2") | ||
declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh | ||
declare -x OVPN_EXTRA_CLIENT_CONFIG=() | ||
declare -x OVPN_EXTRA_SERVER_CONFIG=() | ||
declare -x OVPN_FRAGMENT= | ||
declare -x OVPN_KEEPALIVE='10 60' | ||
declare -x OVPN_MTU= | ||
declare -x OVPN_NAT=1 | ||
declare -x OVPN_PORT=1194 | ||
declare -x OVPN_PROTO=udp | ||
declare -x OVPN_PUSH=([0]="remote-gateway 10.100.0.1") | ||
declare -x OVPN_ROUTES=() | ||
declare -x OVPN_SERVER=10.100.0.0/24 | ||
declare -x OVPN_SERVER_URL=vpn-endpoint.example.com | ||
declare -x OVPN_TLS_CIPHER= |
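Review bot: `OVPN_CIPHER=`, `OVPN_AUTH=` and `OVPN_TLS_CIPHER=` are all empty, so no cipher, HMAC or TLS cipher-suite selection reaches the generated server config; set them (for example AES-256-GCM and SHA256) rather than relying on version-dependent defaults. `OVPN_DEFROUTE=0` together with `OVPN_DISABLE_PUSH_BLOCK_DNS=1` also means clients receive neither a default route nor `block-outside-dns`, so split-tunnel clients (Windows in particular) may keep using their local resolver and bypass Pi-hole entirely, which defeats the purpose of the stack.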
Empty file.
@@ -0,0 +1,27 @@ | ||
#!/bin/bash | ||
|
||
source /etc/openvpn/ovpn_env.sh | ||
|
||
NATDEV=${OVPN_NATDEVICE:-eth0} | ||
|
||
iptables -C FORWARD -i "${OVPN_DEVICE}${OVPN_DEVICEN}" -o ${NATDEV} -s ${OVPN_SERVER} -m conntrack --ctstate NEW -j ACCEPT || \ | ||
iptables -I FORWARD -i "${OVPN_DEVICE}${OVPN_DEVICEN}" -o ${NATDEV} -s ${OVPN_SERVER} -m conntrack --ctstate NEW -j ACCEPT | ||
|
||
iptables -C FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || \ | ||
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | ||
|
||
iptables -C POSTROUTING -t nat -o ${NATDEV} -s ${OVPN_SERVER} -j MASQUERADE || \ | ||
iptables -I POSTROUTING -t nat -o ${NATDEV} -s ${OVPN_SERVER} -j MASQUERADE | ||
|
||
mkdir -p /dev/net | ||
if [ ! -c /dev/net/tun ]; then | ||
mknod /dev/net/tun c 10 200 | ||
fi | ||
|
||
pihost=$(getent hosts openvpn | cut -d ' ' -f 1) | ||
|
||
echo "Setting pi-host to $pihost" | ||
|
||
sed -i -e "s/push \"dhcp-option DNS .*\"/push \"dhcp-option DNS $pihost\"/" /etc/openvpn/openvpn.conf | ||
|
||
exec openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd |
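Review bot: the `sed` near the end replaces the pushed DNS address with whatever `getent hosts openvpn` returns inside this container, which is the container's address on the Compose bridge network, not a tunnel address; VPN clients are only routed to `10.100.0.0/24` and Pi-hole is bound to the tunnel interface, so the resolver they are handed will be unreachable. Push the tunnel address instead (`10.100.0.1`, which `TUNNEL_ENDPOINT` and `IPV4_ADDRESS` already name) or drop the rewrite. Also add `set -euo pipefail` at the top so a failed `iptables` or `mknod` does not silently continue into `exec openvpn`, and quote `${NATDEV}` and `${OVPN_SERVER}` the way the device name already is.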
@@ -0,0 +1,48 @@ | ||
# Pi-hole: A black hole for Internet advertisements | ||
# (c) 2017 Pi-hole, LLC (https://pi-hole.net) | ||
# Network-wide ad blocking via your own hardware. | ||
# | ||
# Dnsmasq config for Pi-hole's FTLDNS | ||
# | ||
# This file is copyright under the latest version of the EUPL. | ||
# Please see LICENSE file for your rights under this license. | ||
|
||
############################################################################### | ||
# FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE. # | ||
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE # | ||
# # | ||
# IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN: # | ||
# /etc/pihole/setupVars.conf # | ||
# # | ||
# ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE # | ||
# WITHIN /etc/dnsmasq.d/yourname.conf # | ||
############################################################################### | ||
|
||
addn-hosts=/etc/pihole/gravity.list | ||
addn-hosts=/etc/pihole/black.list | ||
addn-hosts=/etc/pihole/local.list | ||
|
||
user=pihole | ||
group=pihole | ||
|
||
|
||
localise-queries | ||
|
||
|
||
no-resolv | ||
|
||
|
||
|
||
cache-size=10000 | ||
|
||
log-queries | ||
log-facility=/var/log/pihole.log | ||
|
||
local-ttl=2 | ||
|
||
log-async | ||
server=8.8.8.8 | ||
server=8.8.4.4 | ||
domain-needed | ||
bogus-priv | ||
interface=tun1 |
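Review bot: `interface=tun1` without `bind-dynamic` makes dnsmasq exit with "unknown interface" when the device is absent at start, and `depends_on` only waits for the openvpn container to start, not for `start.sh` to bring the tunnel up, so the first Pi-hole start will likely fail until `restart: always` retries it; put `bind-dynamic` in a separate `/etc/dnsmasq.d/` file as the header recommends, since this file is overwritten on update. `log-queries` records every client's DNS lookups in `/var/log/pihole.log`; acceptable for a personal VPN, but worth a sentence in the README.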
@@ -0,0 +1,16 @@ | ||
DNS_FQDN_REQUIRED=true | ||
DNS_BOGUS_PRIV=true | ||
DNSSEC=false | ||
CONDITIONAL_FORWARDING=false | ||
QUERY_LOGGING=true | ||
INSTALL_WEB_SERVER=true | ||
INSTALL_WEB_INTERFACE=true | ||
LIGHTTPD_ENABLED= | ||
IPV4_ADDRESS=10.100.0.1 | ||
IPV6_ADDRESS= | ||
WEBPASSWORD=761f684ec725d03ee4899464c02a5166b86f17498f12076bf8091da736f41680 | ||
PIHOLE_DNS_1=8.8.8.8 | ||
PIHOLE_DNS_2=8.8.4.4 | ||
PIHOLE_INTERFACE="tun1" | ||
DNSMASQ_LISTENING="single" | ||
BLOCKING_ENABLED=true |
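Review bot: the `WEBPASSWORD` line commits a real credential hash (Pi-hole stores the double SHA-256 of the web password here). The README calls this file "reference only", but anyone who copies it as instructed inherits that hash until the `WEBPASSWORD` environment variable overwrites it, and if the hash came from a real deployment it is crackable offline; blank it (`WEBPASSWORD=`) in the committed copy. `DNSSEC=false` with `8.8.8.8`/`8.8.4.4` as upstreams is a deliberate trade-off that also deserves a README sentence.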