initial

Signed-off-by: Lisa Seelye <lisa@users.noreply.github.com>

.env

@@ -0,0 +1,3 @@
+TUNNEL_ENDPOINT=10.100.0.1
+TUNNEL_INTERFACE=tun1
+PIHOLE_WEBPW=changeme

README.md

@@ -1,2 +1,66 @@
 # docker-compose-openvpn-pihole
 OpenVPN + Pi-Hole +Docker-Compose
+
+Projects Used:
+
+* https://github.com/kylemanna/docker-openvpn
+* https://github.com/pi-hole/docker-pi-hole/
+* For Inspiration: https://github.com/rabbl/OpenVPN-PIHole
+
+## Setup / Initialization
+
+There is setup the user must do prior to using this, as follows:
+
+* Pi-Hole
+* OpenVPN
+  * Server
+  * Client
+
+### Pi-Hole
+
+I came to this with a pre-configured pi-hole, so you'll want to go through that inside an Ubuntu container (note: you may need to hack up its install script to work around some containerization limitations) or outside. Copy the configuration to [./pihole/pihole](./pihole/pihole) directory. Note that the provided [seupVars.conf](./pihole/pihole/seupVars.conf) and [01-pihole.conf](./pihole/dnsmasq.d/01-pihole.conf) are for reference only.
+
+Next, edit [.env](./.env) file, such as the `PIHOLE_WEBPW` setting.
+
+### OpenVPN
+
+There are two things to do for OpenVPN, the server settings and then clients.
+
+The server can follow the setup for the [upstream](https://github.com/kylemanna/docker-openvpn) docker-openvpn project for both client and server.
+
+In brief, however the steps are to configure the server and then clients. By way of disclaimer, @lisa came to the containerization of her configuration with a "bare metal" installation so the steps are not guaranteed. Refer to the [upstream](https://github.com/kylemanna/docker-openvpn) project for more thorough explanation.
+
+In the documentation the VPN endpoint (that is, where clients connect) is `vpn-endpoint.example.com`. The client will be called `client`. The VPN client range will be `10.100.0.0/24` with the inside-docker network device as `tun1`.
+
+#### OpenVPN Server
+
+**WARNING: This configuration will route _ALL_ traffic over the VPN.**
+
+1. Initialize the configuration with 
+
+        docker-compose run --rm openvpn ovpn_genconfig -u vpn-endpoint.example.com -N -z -d -s 10.100.0.0/24 -p "remote-gateway 10.100.0.1" -n 10.100.0.2
+
+2. Initialize the server's crypto (PKI) and when prompted, provide passphrases and then the VPN endpoint, `vpn-endpoint.example.com` (for "Common Name").
+
+        docker-compose run --rm openvpn ovpn_initpki
+
+#### OpenVPN Client
+
+1. Create a client certificate, providing the passphrases as appropriate during server configuration.
+
+        docker-compose run --rm openvpn easyrsa build-client-full client
+
+2. Obtain the client configuration
+
+        docker-compose run --rm openvpn ovpn_getclient client > client.ovpn
+
+The client configuration can be distributed to the client at this time.
+
+
+## Controlling the Composition
+
+Start the stack with `docker-compose up -d` once all configuration steps are complete, and stop via `docker-compose down`.
+
+## DISCLAIMER
+
+This repository is provided "as-is" and without any warranty. It may cause data loss, or due to misconfiguration cause your software to be exposed to the Internet. By using the software you assume all risks.

docker-compose.yaml

@@ -0,0 +1,38 @@
+---
+  version: '3'
+  services:
+    openvpn:
+      image: kylemanna/openvpn
+      cap_add:
+        - NET_ADMIN
+      container_name: openvpn
+      expose:
+        - "80/tcp"
+        - "53/tcp"
+        - "443/tcp"
+        - "53/udp"
+      ports:
+        - "1194:1194/udp"
+      restart: always
+      volumes:
+        - ./openvpn:/etc/openvpn
+      command: [ "/etc/openvpn/start.sh"]
+
+    pihole:
+      depends_on: 
+        - "openvpn"
+      image: pihole/pihole:latest
+      cap_add:
+        - NET_ADMIN
+      container_name: pihole_compose
+      network_mode: "service:openvpn"
+      restart: always
+      volumes:
+        - ./pihole/pihole:/etc/pihole
+        - ./pihole/dnsmasq.d:/etc/dnsmasq.d
+      environment:
+        - ServerIP=${TUNNEL_ENDPOINT}
+        - TZ="UTC"
+        - WEBPASSWORD=${PIHOLE_WEBPW}
+        - INTERFACE="${TUNNEL_INTERFACE}"
+        - DNSMASQ_LISTENING="single"

openvpn/openvpn-example.conf

@@ -0,0 +1,25 @@
+server 10.100.0.0 255.255.255.0
+verb 3
+key /etc/openvpn/pki/private/vpn-endpoint.example.com.key
+ca /etc/openvpn/pki/ca.crt
+cert /etc/openvpn/pki/issued/vpn-endpoint.example.com.crt
+dh /etc/openvpn/pki/dh.pem
+tls-auth /etc/openvpn/pki/ta.key
+key-direction 0
+keepalive 10 60
+persist-key
+persist-tun
+
+proto udp
+# Rely on Docker to do port mapping, internally always 1194
+port 1194
+dev tun0
+status /tmp/openvpn-status.log
+
+user nobody
+group nogroup
+comp-lzo
+
+### Push Configurations Below
+push "dhcp-option DNS 10.100.0.2"
+push "remote-gateway 10.100.0.1"

openvpn/ovpn_env-example.sh

@@ -0,0 +1,25 @@
+declare -x OVPN_AUTH=
+declare -x OVPN_CIPHER=
+declare -x OVPN_CLIENT_TO_CLIENT=
+declare -x OVPN_CN=vpn-endpoint.example.com
+declare -x OVPN_COMP_LZO=1
+declare -x OVPN_DEFROUTE=0
+declare -x OVPN_DEVICE=tun
+declare -x OVPN_DEVICEN=0
+declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=1
+declare -x OVPN_DNS=1
+declare -x OVPN_DNS_SERVERS=([0]="10.100.0.2")
+declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
+declare -x OVPN_EXTRA_CLIENT_CONFIG=()
+declare -x OVPN_EXTRA_SERVER_CONFIG=()
+declare -x OVPN_FRAGMENT=
+declare -x OVPN_KEEPALIVE='10 60'
+declare -x OVPN_MTU=
+declare -x OVPN_NAT=1
+declare -x OVPN_PORT=1194
+declare -x OVPN_PROTO=udp
+declare -x OVPN_PUSH=([0]="remote-gateway 10.100.0.1")
+declare -x OVPN_ROUTES=()
+declare -x OVPN_SERVER=10.100.0.0/24
+declare -x OVPN_SERVER_URL=vpn-endpoint.example.com
+declare -x OVPN_TLS_CIPHER=

openvpn/start.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+source /etc/openvpn/ovpn_env.sh
+
+NATDEV=${OVPN_NATDEVICE:-eth0}
+
+iptables -C FORWARD -i "${OVPN_DEVICE}${OVPN_DEVICEN}" -o ${NATDEV} -s ${OVPN_SERVER} -m conntrack --ctstate NEW -j ACCEPT || \
+  iptables -I FORWARD -i "${OVPN_DEVICE}${OVPN_DEVICEN}" -o ${NATDEV} -s ${OVPN_SERVER} -m conntrack --ctstate NEW -j ACCEPT 
+
+iptables -C FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || \
+  iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+iptables -C POSTROUTING -t nat -o ${NATDEV} -s ${OVPN_SERVER} -j MASQUERADE || \
+  iptables -I POSTROUTING -t nat -o ${NATDEV} -s ${OVPN_SERVER} -j MASQUERADE
+
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+    mknod /dev/net/tun c 10 200
+fi
+
+pihost=$(getent hosts openvpn | cut -d ' ' -f 1)
+
+echo "Setting pi-host to $pihost"
+
+sed -i -e "s/push \"dhcp-option DNS .*\"/push \"dhcp-option DNS $pihost\"/" /etc/openvpn/openvpn.conf
+
+exec openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd

pihole/dnsmasq.d/01-pihole.conf

@@ -0,0 +1,48 @@
+# Pi-hole: A black hole for Internet advertisements
+# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
+# Network-wide ad blocking via your own hardware.
+#
+# Dnsmasq config for Pi-hole's FTLDNS
+#
+# This file is copyright under the latest version of the EUPL.
+# Please see LICENSE file for your rights under this license.
+
+###############################################################################
+#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
+# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
+#                                                                             #
+#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
+#                      /etc/pihole/setupVars.conf                             #
+#                                                                             #
+#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
+#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
+###############################################################################
+
+addn-hosts=/etc/pihole/gravity.list
+addn-hosts=/etc/pihole/black.list
+addn-hosts=/etc/pihole/local.list
+
+user=pihole
+group=pihole
+
+
+localise-queries
+
+
+no-resolv
+
+
+
+cache-size=10000
+
+log-queries
+log-facility=/var/log/pihole.log
+
+local-ttl=2
+
+log-async
+server=8.8.8.8
+server=8.8.4.4
+domain-needed
+bogus-priv
+interface=tun1

pihole/pihole/seupVars.conf

@@ -0,0 +1,16 @@
+DNS_FQDN_REQUIRED=true
+DNS_BOGUS_PRIV=true
+DNSSEC=false
+CONDITIONAL_FORWARDING=false
+QUERY_LOGGING=true
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=
+IPV4_ADDRESS=10.100.0.1
+IPV6_ADDRESS=
+WEBPASSWORD=761f684ec725d03ee4899464c02a5166b86f17498f12076bf8091da736f41680
+PIHOLE_DNS_1=8.8.8.8
+PIHOLE_DNS_2=8.8.4.4
+PIHOLE_INTERFACE="tun1"
+DNSMASQ_LISTENING="single"
+BLOCKING_ENABLED=true