@JonasBernard
Last active March 16, 2024 07:27
Docker Compose setup for an OpenVPN server with its own Pi-hole DNS server.

docker-compose.yml:

version: '2'
services:
  openvpn:
    image: kylemanna/openvpn
    cap_add:
      - NET_ADMIN
    ports:
      - "1194:1194/udp"
    restart: always
    volumes:
      - ./openvpn-data/conf:/etc/openvpn
    networks:
      openvpn-net:
        ipv4_address: 172.16.238.2
        ipv6_address: 2001:3984:3989::2
  pihole:
    container_name: pihole_dockerized
    image: pihole/pihole:latest
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      # For me these ports are also exposed to the public internet even if this is commented out.
      # Make sure you block port 53 if you want pihole to only be accessible through the vpn.
      # For example execute "sudo ufw deny 53" on the docker host machine.
      # - "53:53/tcp"
      # - "53:53/udp"
      # - "67:67/udp"
      # Only required if you are using Pi-hole as your DHCP server
      - "8100:80/tcp"
      # This exposes the web interface of pihole to the host machine.
      # Make sure you have a reverse proxy to localhost:8100 from any domain.
      # If you don't have one, look for https://caddyserver.com/
    networks:
      openvpn-net:
        ipv4_address: 172.16.238.10
        ipv6_address: 2001:3984:3989::10
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: 'insert-random-string'
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    #cap_add:
    #  - NET_ADMIN # Recommended but not required (DHCP needs NET_ADMIN)
    restart: always
networks:
  openvpn-net:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 172.16.238.0/24
          gateway: 172.16.238.1
        - subnet: 2001:3984:3989::/64
          gateway: 2001:3984:3989::1

OpenVPN and Pi-hole in one standalone docker-compose setup

Set up a VPN server that provides a Pi-hole DNS server which is only accessible through the VPN network.

Steps to set up the server

Edit the docker-compose.yml file

You have to replace 'insert-random-string' with a real password. Also read through the docker-compose.yml and check whether you need to change any of the IP addresses and ports.

Read more about Pi-hole here: https://github.com/pi-hole/docker-pi-hole/#installing-on-ubuntu

Disable ports

Even if not specified in the docker-compose.yml, the pihole image will publish the DNS server to the public internet. If you do not want this, you have to block port 53 in the firewall on the host system. For example, use:

sudo ufw deny 53

After applying the rule, confirm from a machine outside the VPN that a DNS query to the host's public address on port 53 is refused or times out; Docker manages its own iptables rules for published ports, so do not rely on the host firewall rule alone without checking it.

Initialize the configuration files and certificates

docker-compose run --rm openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker-compose run --rm openvpn ovpn_initpki

Fix ownership (depending on how you handle your backups, this may not be needed)

sudo chown -R $(whoami): ./openvpn-data

Add the DHCP setup to the OpenVPN conf

You need to paste the content of the openvpn.conf file in this gist at the end of the file ./openvpn-data/conf/openvpn.conf. This pushes the Pi-hole container's address to every client as its DNS server.

Start server process

docker-compose up -d

You can access the container logs with

docker-compose logs -f

Configure the clients

Generate a client certificate

export CLIENTNAME="your_client_name"
# with a passphrase (recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME
# without a passphrase (not recommended)
docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME nopass

Retrieve the client configuration with embedded certificates

docker-compose run --rm openvpn ovpn_getclient $CLIENTNAME > $CLIENTNAME.ovpn

Revoke a client certificate

# Keep the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME
# Remove the corresponding crt, key and req files.
docker-compose run --rm openvpn ovpn_revokeclient $CLIENTNAME remove

Some content is from: https://github.com/kylemanna/docker-openvpn/blob/master/docs/docker-compose.md

openvpn.conf:

###### HERE YOU HAVE SOME MORE CONTENT GENERATED BY THE OPENVPN IMAGE #######
### Push Configurations Below
push "block-outside-dns"
### IP address of the pihole container in the docker network. See docker-compose file
push "dhcp-option DNS 172.16.238.10"
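As an added consistency check (this script is not part of the gist), the following POSIX shell functions cross-reference the two files above and the "Disable ports" step: the DNS address pushed in openvpn.conf must equal pihole's static ipv4_address in docker-compose.yml, port 53 must stay unpublished, and WEBPASSWORD must no longer be the placeholder. The sample files it writes to /tmp, their names and the sample password are constructed assumptions.

```shell
# Added consistency check, not part of the gist: the DNS address openvpn.conf pushes must be
# pihole's static ipv4_address in docker-compose.yml, port 53 must stay unpublished, and
# WEBPASSWORD must not be the placeholder. Sample files below are constructed for offline use.
# Print pihole's ipv4_address: start at the pihole service and take its first match.
extract_pihole_ip() {
  awk '/^  pihole:/ { s = 1 } s && /ipv4_address:/ { print $2; exit }' "$1"
}
# Print the address from the line: push "dhcp-option DNS x.x.x.x"
extract_pushed_dns() {
  sed -n 's/^push "dhcp-option DNS \([0-9.]*\)".*/\1/p' "$1"
}
# True if an uncommented "53:53" port mapping is present (DNS reachable outside the VPN).
pihole_publishes_dns() {
  grep -Eq '^[[:space:]]*-[[:space:]]*"?53:53' "$1"
}
# True if WEBPASSWORD still holds the gist's placeholder value.
password_is_placeholder() {
  grep -Eq "WEBPASSWORD:[[:space:]]*'insert-random-string'" "$1"
}
# check_setup COMPOSE OVPNCONF: prints each finding, returns the number of problems found.
check_setup() {
  n=0; ip=$(extract_pihole_ip "$1"); dns=$(extract_pushed_dns "$2")
  if [ -z "$ip" ] || [ "$ip" != "$dns" ]; then
    echo "MISMATCH: pihole is '$ip' but clients are pushed DNS '$dns'"; n=$((n + 1))
  fi
  if pihole_publishes_dns "$1"; then
    echo "WARN: port 53 is published on the host, so DNS is not VPN-only"; n=$((n + 1))
  fi
  if password_is_placeholder "$1"; then
    echo "WARN: WEBPASSWORD is still the placeholder"; n=$((n + 1))
  fi
  return "$n"
}
# Constructed sample files (not the gist's own): a correct compose, a broken variant, a conf.
cat > /tmp/compose_good.yml <<'EOF'
services:
  pihole:
    ports:
      # - "53:53/udp"
      - "8100:80/tcp"
    networks:
      openvpn-net:
        ipv4_address: 172.16.238.10
    environment:
      WEBPASSWORD: 'example-strong-password'
EOF
sed -e 's/# - "53/- "53/' -e 's/238\.10$/238.11/' -e 's/example-strong-password/insert-random-string/' /tmp/compose_good.yml > /tmp/compose_bad.yml
printf 'push "block-outside-dns"\npush "dhcp-option DNS 172.16.238.10"\n' > /tmp/openvpn.conf
check_setup /tmp/compose_good.yml /tmp/openvpn.conf && echo "compose_good: no problems"
check_setup /tmp/compose_bad.yml /tmp/openvpn.conf || echo "compose_bad: $? problem(s)"
```

Run it against your real files with check_setup docker-compose.yml openvpn.conf once the samples have been replaced.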