GitHub - rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-...

 5 years ago
source link: https://github.com/rajannpatel/Pi-Hole-PiVPN-on-Google-Compute-Engine-Free-Tier-with-Full-Tunnel-and-Split-Tunnel-OpenVPN-Configs

README.md

Pi-Hole and PiVPN on Google Compute Engine Free Tier with Full Tunnel and Split Tunnel OpenVPN Configurations


The goal of this guide is to let you use the Internet on your phone safely and privately: without intrusive advertisements, and without your ISP, mobile carrier, or public Wi-Fi hotspot provider gaining insight into your usage activity.


Run your own privacy-first ad blocking service within the Free Usage Tier on Google Cloud. This guide gets you set up with a Google Cloud account, and walks you through setting up a full tunnel (all traffic) or split tunnel (DNS traffic only) VPN connection on your Android Phone.

The benefit of a Split Tunnel VPN is that you can still interact with devices on your Local Network (such as Chromecast) and still have DNS based ad-blocking over an encrypted connection to the cloud.

| Tunnel Type | Data Usage | Security | Ad Blocking |
|---|---|---|---|
| full | 10% more data usage | 100% encryption | yes |
| split | least data usage | DNS encryption only | yes |

TO-DO List:

  • Add instructions for full tunnel on iOS. Split Tunnel on iOS is not supported at this time.
  • Add instructions for a full tunnel on Android.

It may take me another 24 to 48 hours from today (Dec 29, 2018) to get these things on the TO-DO List addressed. Help is welcome :-)



Google Cloud Login and Account Creation

Go to https://cloud.google.com and click Console at the top right if you have previously used Google's Cloud Services, or click Try Free if it's your first time.

Account Creation

  • Step 1 of 2: agree to the terms and continue.
  • Step 2 of 2: set up a payments profile and continue.

Project & Compute Engine Creation

  • Click the Hamburger Menu at the top left.
  • Click Compute Engine.
  • Select VM instances.
  • Create a Project if you don't already have one.
  • Enable billing for this Project if you haven't already.
  • Compute Engine will begin initializing.


Compute Engine Virtual Machine Setup

  • Create a Virtual Machine instance on Compute Engine.
  • Customize the instance.
  • Name your Virtual Machine pi-hole.
    Your Region selection should be any US region only (excluding Northern Virginia [us-east4]). I have used us-east1 and the us-east1-b zone because it is closest to me.
    Choose a micro Machine Type in the dropdown.
    Change the Boot Disk to be 30GB if you plan on keeping your DNS lookup records for any reason, otherwise the default 10GB disk allocation is adequate.
    Allow HTTP traffic in the Firewall (add a checkmark).
    Allow HTTPS traffic in the Firewall (add a checkmark).
  • Expand Management, Security, disks, networking, sole tenancy and click the "Network" tab. Click the Pencil icon under "Network Interfaces".
  • Reserve a Static Internal IP Address for your Primary Internal IP.
  • The External IP Address should not be Ephemeral. Reserve a New Static IP Address.
  • You can log into your Virtual Machine via SSH in a Browser by clicking the SSH button. Make note of your External IP (it will be different from the one in the guide's screenshots).
  • Click the Hamburger Menu at the top left, click VPC Network and click Firewall Rules.
    Click Create Firewall Rule at the top center of the page. The name of your rule should be allow-openvpn; change the Targets dropdown to All instances in the network. The Source IP Ranges should be 0.0.0.0/0. The udp checkbox should be selected, and the port number next to it should be changed from all to 1194. Then click the Create button.


Debian Update & Upgrade

Once you log into your Virtual Machine via SSH, you want to update and upgrade it.

sudo su
apt-get update && apt-get upgrade -y


Pi-Hole Installation

sudo su
curl -sSL https://install.pi-hole.net | bash

The installer presents a series of prompts on a blue screen.

  • Choose OK or answer positively for all the prompts until the "Select Protocols" question appears. IPv6 needs to be deselected there.

Choose OK or answer positively for all the other prompts.

Set a strong password that you will remember for the Web Interface:

pihole -a -p

  • Log into the web interface using the External IP that you noted down earlier at http://your-external-ip/admin

  • Click Settings, and navigate to DNS.
    Set your Interface Listening Behavior to Listen on All Interfaces on this page, so that Pi-hole also answers queries arriving over the VPN's tun interface and not only on the VM's primary network interface.

  • Click the Save Button at the bottom of the page.


PiVPN Installation

sudo su
curl -L https://install.pivpn.io | bash

The installer presents a series of prompts on a blue screen. All of the default values are appropriate. Choose OK or answer positively for all the prompts until you have to choose an upstream DNS provider. The default answer is Google. Choose Custom and set an IP Address of 10.8.0.1 (the address the VPN server will have on the tunnel, where the Pi-hole resolver is reached).

The default answer to reboot is No at the end of the installer. It is fine to say No, we have a few more things to edit while we're logged in as root.


OpenVPN Configuration

Get into the openvpn directory:

sudo su
cd /etc/openvpn

Server Configuration for Split Tunnel VPN over UDP on Port 1194

Edit server.conf. I prefer to use nano, so the command would be:

nano server.conf

Comment out the line which reads push "redirect-gateway def1" so it reads as follows:

# push "redirect-gateway def1"

The longer the keepalive interval, the longer it takes either end of the OpenVPN connection to detect that the connection is no longer alive. Because mobile devices often lose connectivity and regain it, lower values are desirable.

Comment out keepalive 1800 3600 and add keepalive 10 60 below it, so it appears as follows:

# keepalive 1800 3600
keepalive 10 60

Comment out the line which reads cipher AES-256-CBC and add cipher AES-128-GCM below it, so it reads as follows:

# cipher AES-256-CBC
cipher AES-128-GCM

At the bottom of the file add the following lines:

# performance stuff
fast-io
compress lz4-v2
push "compress lz4-v2"

Press CTRL O to bring up the save prompt at the bottom of Nano, press Enter to save. Then press CTRL X to exit

Server Configuration for Split Tunnel VPN over TCP on Port 443

To accept incoming OpenVPN connections over TCP on port 443:

sudo su
cd /etc/openvpn/
cp server.conf server_tcp443.conf

Edit server_tcp443.conf. I prefer to use nano, so the command would be:

nano server_tcp443.conf

Replace the proto udp and port 1194 lines with:

proto tcp
port 443

Edit the server 10.8.0.0 255.255.255.0 line to reflect an IP address of 10.9.0.0, so it reads as follows:

server 10.9.0.0 255.255.255.0

Above the line push "dhcp-option DNS 10.8.0.1" add push "route 10.8.0.1" so it reads as follows:

push "route 10.8.0.1"
push "dhcp-option DNS 10.8.0.1"

Comment out keepalive 10 60 and add keepalive 10 120 below it, so it appears as follows (the earlier commented-out line is still above it):

# keepalive 1800 3600
# keepalive 10 60
keepalive 10 120

Comment out fast-io so it looks like this:

# fast-io

Press CTRL O to bring up the save prompt at the bottom of Nano, press Enter to save. Then press CTRL X to exit

Enable a second OpenVPN service instance for server_tcp443.conf, so it starts on boot alongside the UDP one, by running this at the command prompt in your BASH shell:

systemctl enable openvpn@server_tcp443.service
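The two server-configuration sections above (the UDP/1194 split-tunnel edits and the TCP/443 copy) as one script, added here as an example and not part of the original guide. It assumes GNU sed (as on the Debian VM) and takes the /etc/openvpn directory as its only argument; the check function confirms the exact lines the guide expects and that redirect-gateway is no longer pushed, which is what makes the result a split tunnel rather than a full tunnel.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the split-tunnel edits above
# to server.conf with GNU sed (Debian ships it), then derive server_tcp443.conf.
# Apply the UDP/1194 split-tunnel edits in place; safe to run more than once.
split_tunnel_udp() {
  f="$1"
  sed -i \
    -e 's/^push "redirect-gateway def1/# &/' \
    -e 's/^keepalive 1800 3600$/# &\nkeepalive 10 60/' \
    -e 's/^cipher AES-256-CBC$/# &\ncipher AES-128-GCM/' \
    "$f"
  # Append the performance block only if it is not there yet.
  grep -qx 'fast-io' "$f" ||
    printf '\n# performance stuff\nfast-io\ncompress lz4-v2\npush "compress lz4-v2"\n' >> "$f"
}

# Copy an already edited server.conf to a second instance listening on TCP/443.
split_tunnel_tcp443() {
  src="$1"; dst="$2"
  cp "$src" "$dst"
  sed -i \
    -e 's/^proto udp$/proto tcp/' \
    -e 's/^port 1194$/port 443/' \
    -e 's/^server 10\.8\.0\.0 255\.255\.255\.0$/server 10.9.0.0 255.255.255.0/' \
    -e 's/^push "dhcp-option DNS 10\.8\.0\.1"$/push "route 10.8.0.1"\n&/' \
    -e 's/^keepalive 10 60$/# &\nkeepalive 10 120/' \
    -e 's/^fast-io$/# &/' \
    "$dst"
}

# Return 0 when every expected directive is present as an exact line and the
# full-tunnel "redirect-gateway" push is no longer active; return 1 otherwise.
check_split_tunnel() {
  f="$1"; shift
  for want in "$@"; do
    grep -qxF -- "$want" "$f" || { echo "missing in $f: $want" >&2; return 1; }
  done
  if grep -q '^push "redirect-gateway def1' "$f"; then
    echo "full tunnel is still pushed in $f" >&2; return 1
  fi
  return 0
}

# Directory argument (e.g. /etc/openvpn) is an assumption; nothing runs without it.
if [ "$#" -eq 1 ]; then
  split_tunnel_udp "$1/server.conf"
  split_tunnel_tcp443 "$1/server.conf" "$1/server_tcp443.conf"
  check_split_tunnel "$1/server.conf" 'keepalive 10 60' 'cipher AES-128-GCM' 'fast-io' &&
    check_split_tunnel "$1/server_tcp443.conf" 'proto tcp' 'port 443' 'keepalive 10 120' '# fast-io'
fi
```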

Finishing Steps for Split Tunnel VPN Configurations

Reboot the server with this shutdown command:

shutdown -r now


Managing the PiVPN

Connect to the Pi-Hole server and set up an OpenVPN Client Profile

pivpn add nopass

Give your client a name. I like to use an alphanumeric string composed of the user's first name, and their device's make and model (no spaces and no special characters).

This command will output a success message which looks like this:

========================================================
Done! mypixel3xl.ovpn successfully created!
mypixel3xl.ovpn was copied to:
  /home/myusername/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================

To get the mypixel3xl.ovpn file to your phone it is easiest to maximize your SSH window and print the file to the terminal window, to copy & paste the output:

cat /home/myusername/ovpns/mypixel3xl.ovpn

Press CTRL - until the screen zooms out to a point where you can see the entire ovpn file printed on the screen. The first line will have the word client and the last line is </tls-crypt>. Highlighting this entire chunk with a mouse will cause a scissor icon to appear in the middle of your SSH window, this means this selection has been copied to your clipboard.

Paste this into your favorite Text Editor and save the file with an .ovpn extension.

Around Line 12, edit the line which reads cipher AES-256-CBC and change it to read:

cipher AES-128-GCM

E-mail the file to yourself, upload it to Google Drive, or use whatever secure method you prefer to transfer this file to your phone, then download it there.


OpenVPN for Android


Client Configuration for Split Tunnel VPN over UDP on Port 1194

When the app opens you are in the Profiles Tab.

  • Import your Profile, click the + at the top right.

  • Then click Import at the bottom left of the modal that appears.

  • Click the Hamburger Menu at the top left to choose Google Drive, or your Downloads folder, depending on what method you used to get the .ovpn file to your phone.

  • Click the pencil icon next to the VPN profile you imported.
    • Click the Routing Tab.
      • Click Excluded Networks under IPv4 and add this:
        10.0.0.8/8 172.16.0.0/12 192.168.0.0/16
      • Bypass VPN for local networks should NOT have a checkmark. Uncheck it.
    • Under the Authentication/Encryption Tab:
      • The Encryption Cipher should be AES-128-GCM.
    • Under the Allowed Apps Tab:
      • The Drive, Duo, Gmail, Google Play Store, Phone, Phone and Messaging Storage and Phone Services apps should have a checkmark.
  • Click the back button a couple times until you are at the Profiles Tab again.

Click the Settings Tab:

  • OpenVPN 3 Core should have a checkmark
  • click Default VPN and choose the VPN you have imported
  • Connect on Boot should have a checkmark

Click the back button a couple times until you are at the Profiles Tab again.

  • Clicking the name of the VPN profile you imported should trigger a connection.

Client Configuration for Full Tunnel VPN

This is a work in progress. Full Tunnel VPN instructions will be coming soon.

Contributions Welcome

If there is something that can be done better, or if this documentation can be improved in any way, please submit a Pull Request with your fixes or edits. Discussions regarding Issues are welcome as well.

