@tuan
Last active December 27, 2021 16:25
OpenVPN + Pihole on Azure

Create VM

  1. Azure > Marketplace > Ubuntu

Configure VM

  1. Auto-shutdown: Disabled
  2. Networking: Add an inbound rule for port 1194 (TCP and UDP)

Install OpenVPN

wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh

Install Pihole

curl -sSL https://install.pi-hole.net | sudo bash

Choose tun0 as the interface and 10.8.0.1/24 as the IP address.

Set up OpenVPN Server

Follow this guide: https://docs.pi-hole.net/guides/vpn/setup-openvpn-server/

For Ubuntu 18 LTS, restart the server using:

sudo /etc/init.d/openvpn restart

Add new client cert

./openvpn-install.sh

Firewall configuration

Clear out iptables

v4

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X

v6

sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -P FORWARD ACCEPT
sudo ip6tables -P OUTPUT ACCEPT
sudo ip6tables -t nat -F
sudo ip6tables -t mangle -F
sudo ip6tables -F
sudo ip6tables -X

Rules

sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT
sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT -i lo -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable

sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo ip6tables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --destination-port 22 -j ACCEPT
sudo ip6tables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
sudo ip6tables -A INPUT -p udp --destination-port 1194 -j ACCEPT
sudo ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -I INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp6-port-unreachable
sudo ip6tables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
sudo ip6tables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp6-port-unreachable
sudo ip6tables -P INPUT DROP

Verification

sudo iptables -L --line-numbers
sudo ip6tables -L --line-numbers

Save iptables

sudo sh -c "iptables-save > /etc/pihole/rules.v4"
sudo sh -c "ip6tables-save > /etc/pihole/rules.v6"
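As an added check that is not part of the original gist: this Python script parses the file written by the iptables-save command above (a constructed, abridged sample of that output is embedded) and flags any INPUT rule that ACCEPTs DNS (port 53) or the Pi-hole web UI (port 80) without the -i tun0 restriction, or an INPUT policy other than DROP; either mistake on a public Azure VM would expose Pi-hole as an open resolver.

```python
"""Audit an iptables-save dump: Pi-hole's DNS (port 53) and web UI (port 80)
must be ACCEPTed only on the VPN tunnel interface, never from the public NIC."""
# Constructed sample of what `iptables-save > /etc/pihole/rules.v4` writes for
# the ruleset in this gist (abridged: counters and the REJECT lines omitted).
SAMPLE_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""

def parse_dump(dump):
    """Return (policies, rules): per-chain default policies and parsed -A rules."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):        # "-A CHAIN <match options> -j TARGET"
            chain, *args = line[3:].split()
            rule = {"chain": chain}
            for i, tok in enumerate(args):  # keep only the options we audit
                if tok in ("-i", "-p", "--dport", "-j") and i + 1 < len(args):
                    rule[tok] = args[i + 1]
            rules.append(rule)
    return policies, rules

def exposed_services(dump, tunnel="tun0", vpn_only_ports=("53", "80")):
    """List findings: a non-DROP INPUT policy, or a VPN-only port ACCEPTed
    on INPUT without being restricted to the tunnel interface."""
    policies, rules = parse_dump(dump)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is %s, not DROP" % policies.get("INPUT"))
    for r in rules:
        if (r["chain"] == "INPUT" and r.get("-j") == "ACCEPT"
                and r.get("--dport") in vpn_only_ports and r.get("-i") != tunnel):
            findings.append("port %s/%s accepted on interface %s"
                            % (r["--dport"], r.get("-p"), r.get("-i", "any")))
    return findings
```

Run it against /etc/pihole/rules.v4 and rules.v6 (both files share this format); an empty list means the saved ruleset keeps DNS and the web UI VPN-only.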

Restore iptables

sudo iptables-restore < /etc/pihole/rules.v4
sudo ip6tables-restore < /etc/pihole/rules.v6