F1973

Update on dream project: https://devrant.com/rants/3451433/...

Fucking achieved it. Fuck yeah!

I Googled for some guiding tuts and found this marketplace link: https://marketplace.digitalocean.com/...

This straight up created a droplet on DigitalOcean and installed both Pi-Hole and OpenVPN in 55 seconds.

Then I found a Medium article (https://medium.com/acm-gazi/...), where I stumbled upon a few bugs/issues (because of my lack of ability to read patiently, and you cannot blame me for that) and at the end of the day I sorted things out.

I set up the VPN, configured the profile, logged into the Pi-Hole admin panel, set the DNS locally, and the system is up and running.

I tested and it works fine for now.

I have some noob level queries so I would appreciate it if anyone can help me on those. I am drafting the questions right after posting this.

And big shoutout to @Condor, @Linuxxx, and everyone else who assisted my dumb ass to achieve this.

Comments
  • 2
    1. Can I install this on another Cloud service provider the same one-click way given in the Github?

    2. How will DO or any other VPC provider charge me? Fixed monthly charges or based on data transfer? For example: does it matter if I transfer 10GB or 100GB or will it only consider the OpenVPN and Pi-Hole hosting?

    3. Why am I not able to access OpenVPN via multiple devices at the same time? One disconnects when the other connects.

    4. How can I access OpenVPN admin panel via UI like Pi-Hole has?

    5. For my Windows machine, Automatic DNS works fine and detects Pi-Hole DNS. Do I have to manually point my machine's DNS to Pi-Hole? If yes, then when I disconnect the VPN, internet does not work and to fix that I had to give Google DNS as Alternative DNS.
  • 1
    6. How can I configure this on my router to have network wide VPN access without individual client having to setup the client and profile?

    7. Most important, I see a minute drop in internet speed. I am in India and the server is in Frankfurt. Does internet speed get affected?

    8. Will continuous usage of VPN on phone/machine drain the battery?

    9. Can I setup a domain/subdomain to access the console and admin portals from anywhere without IPs or logging into my DO account always?
  • 2
    @F1973 2. They will charge you monthly based on your usage - it's a fixed date where you get charged monthly but it's only for the amount that the VM was actually created (so that you aren't charged, for example, 10+50 for the past month if you had a Droplet for 10$ running the whole billing period and only started up a 50$ droplet just a week before the billing date but instead will be charged something like 10+8).

    When it comes to bandwidth, each droplet has a fixed bandwidth which is free of charge (included in the plan) limit specified somewhere in the description on plans. For every GB over that you get charged some amount per GB. It's 0.10$/GB according to this https://digitalocean.com/pricing/
  • 2
    @F1973 6. Many routers now offer built-in OpenVPN client - that would probably be the easiest way ... connect it to VPN and set the DNS in the router DHCP / LAN config and point the connected clients to use the router as DNS.
  • 2
    @F1973
    7. Yes, especially latency
    8. By some amount yes, but probably not too much.
  • 1
    @F1973 8. Yes (it does on my devices as I have seen), even more if the VPN client keeps running (it's an option in the OpenVPN client on Android) in the background, note - if it doesn't, it would result in all the traffic going over the unencrypted network to the default DNS outside your VPN when the phone is locked.
  • 1
    @theKarlisK thanks. While I understand the concept of Bandwidth, I will try to understand the difference between Bandwidth and Transfer.

    The BD is 1GB and Transfer is 1TB. So if I watch or download a movie of 6GB, then will that impact transfer or bandwidth? Will I be notified if I am being billed or crossing the limits?

    Thanks for your other answers. Makes sense.

    @electrineer thanks. I think what you said makes sense.
  • 2
    Tagging so you don't miss it.

    @Condor @Linuxxx
  • 1
    @F1973 Usually hosting service providers (or at least they used to) just slap a vague "bandwidth limit" to imply that both Download and Upload traffic amount was not limited to a certain amount in GB or TB. In case of Digital Ocean the Upload is not officially limited/capped but they will raise their eyebrow and reach out to you if you start pumping up something in very large quantities of many TB. Meanwhile the download, as mentioned, basically means all the outgoing traffic (in this case everything that is sent from your OpenVPN server to all the clients), so yes - downloading a 6GB movie through your VPN would consume the outbound transfer amount (which, as I remember, is tallied somewhere in the DO Dashboard statistics). As for avoiding amassing any big bills you could set up alerting whenever Droplet costs are reaching high costs (you might get a warning for reaching the transfer cap but you will definitely get email alerts if costs have reached a limit you've set).
  • 1
    @theKarlisK so basically browsing and upload/download both fall in bandwidth category.

    I am on $5 plan which has 1TB bandwidth.

    I don't think I'd ever cross that limit no matter how much my consumption at least for next few years.
  • 1
    @F1973 yeah, additionally, OpenVPN offers you the ability to enable compression (dunno if you've already enabled it or not) which could decrease the consumed amount.
  • 1
    @theKarlisK

    1. I wonder how OpenVPN is Open Source when they have a pricing plan on their website.

    2. As per my 4th and then 3rd question, I am not able to access the admin panel where I am currently stuck.

    3. Won't compression affect the quality?
  • 3
    @F1973

    1. If it's a shell script and you run it on a Linux system, most probably, yes.

    2. Depends on the provider. Usually you can see this at their pricings/product page. I chose Contabo and OneProvider because I fucking hate bandwidth limits.

    3. Because it's set up to only work with one profile per connection probably. Just create more profiles for more devices! (or configuration files or however you call them)

    4. Is there actually a working openvpn admin gui...? No clue 😅

    5. You can choose any dns provider really. I personally use OpenDNS a lot but switching to BlahDNS soon!

    6. Depends on the router/os it's running. Just ddg it or search through other search engines, all routers/systems have documentation on this if it exists on that device/os.

    7. What do you mean with a minute drop?

    8. On your phone, probably yes. I'm using a VPN full-time and it affects my battery a lot. But, for me, the drain is worth the gain.

    9. As long as the interfaces are on a port or something, sure! Hmu if you need more info, I do stuff like this a lot with NGINX as webserver.
  • 2
    @F1973 Last comment to Karlisk; the management software (GUI) seems to be paid, the openvpn software is FOSS.
  • 1
    @linuxxx

    1. Need to check if it is a Shell script. If yes, then I move asap.

    2. No limits? I read it last time you guys shared them, but thought it must be with terms and conditions. I wonder how they can afford unlimited bandwidth and data transfer. Another reason to migrate.

    3. Alright, will read the documentation or something to set that up.

    4. Lol yeah. I Googled and found some images of admin panel. I think it must be under paid plan as per your latest comment.

    5. In that case, I'd prefer to keep it dynamic so as that system picks it up automatically without manual hassle and constant switching in case I connect to a network outside VPN (which I'll rarely do once I setup the infra)

    6. Yeah need to check. I have 1 main and other as AP so will have to configure it.

    7. IDK man. I have 25Mbps plan and after multiple speed tests it showed me a fluctuation between 18Mbps to 23Mbps. Never touched 25. Maybe due to geography.

    8. True.

    9. I didn't get this but let me set it up
  • 2
    @F1973 Indeed, as @linuxxx pointed it out - the software itself is FOSS but they offer a paid service for those who don't want to set up and administer their own VPN server, this was more feasible about 5 years ago when the internet wasn't littered with install/deploy scripts that allowed you to have everything ready in under 10min.

    Also the free FOSS OpenVPN version does not come with any Admin GUIs - this must be some 3rd party solution or maybe I've missed /haven't heard of these changes.

    As for compression - no... it's not the same kind of compression like with jpeg images, the process works on lower levels that some googling or better informed people than me could shed light into. The one thing it does is increase CPU usage compared to default config. Tho, I'm guessing that just about every config example out there uses the lowest setting to give you something like 10-15% transferred data reduction.
  • 1
    @F1973 if you have full redirect on (all client data is sent through VPN server) speed fluctuations could be because of the connection quality between you and the DO server (geography as you mentioned). It could also be because of the server load (network transfer speeds still have to battle HW limits and I'd like to point out this is a shared not dedicated/isolated VM host and noisy neighbours could be at fault).
  • 2
    @F1973 They have FUP's but that's reasonable
  • 2
    @F1973 Oh and got a link to the script? I can check it for you :)
  • 1
    @theKarlisK fair points on latency. Lol noisy neighbours.

    Oh so some advanced level compression. Sounds interesting. LMC.

    What's full redirect though?

    @linuxxx FUP is better than complete limit. Until the limit is crossed one can utilise the resources and then on lower speed but be completely mind free of the worry.

    Thanks bro for checking out, very kind of you.

    I thought the Github was linked in the post but then I checked, it was the market place link which leads to Github.

    Here you go: https://github.com/digitalocean/...
  • 3
    1. Yes

    2. Usually monthly, depends

    3. You cannot reuse profiles, make one for each client

    4. Paid feature, see https://askubuntu.com/questions/... and https://openvpn.net/vpn-software-pa...

    5. VPN server can push DNS servers

    6. A VPN client can act as a gateway, look into IP masquerading (iptables) and enable packet forwarding (sysctl).

    7. For latency a closer server is better, for bandwidth it doesn't matter much

    8. Yes but it's not significant IME

    9. Yes but it requires additional setup

    And congrats! :)
  • 3
    @Condor

    1, 2: Awesome

    3. Will read about it. Thanks.

    4. So will have to learn terminal management.

    5. Then I'll set to dynamic. Life is easier.

    6. Thanks. This'll help me read about terminology and fix it.

    7. Agreed, but then that server would be affected by how it interacts with servers on the internet to fetch content. I don't think we can relocate the server but yeah I get it.

    8. Yeah. I need a new phone anyway. Lol

    9. I'll love to do that. Let me first setup the basics and then we can figure out next.

    Thanks bro. Kudos to you, Linuxxx, Karlisk, and everyone here :)
  • 2
    @F1973 seems to be python but quite DO specific...
    Maybe search for "Angristan openvpn script"? His scripts are great and can be run on about any Linux machine! (and built in profile generation!)
  • 2
    @linuxxx Neat. Will check. Thanks bro.
  • 1
    @F1973 full redirect is when the connected VPN client sends all the traffic through the VPN ... if you have this parameter in your server config and the client .ovpn file it's safe to assume that it's a full redirect: 'redirect-gateway def1'.

    Opposite of a full redirect would be to connect to the VPN only to be able to access other connected resources in the VPN network (say, you had a VPN to your server but wanted to only access the PiHole DNS without sending everything through your VPN server). This would mean barely any data transfer usage would be accumulated for the Droplet because only DNS lookups would be made but the actual connection would happen to the corresponding resources over the network as usual without VPN.

    Think of the first option as plugging into a virtual router while the second only provides the network resources residing on the virtual network (tho more advanced/complicated configurations can reach out to other resources on this network too).
  • 1
    @theKarlisK woww.. I never knew this one.

    This is actually amazing. If I didn't have to worry about ISP monitoring, then partial redirect would have been great.

    Thanks for ELI5 bro.
  • 2
    @condor @linuxxx @theKarlisk

    I managed to create multiple user profiles and connect my devices to server and enjoy the ad free life.

    I found the command via Get started section: https://cloud.digitalocean.com/mark...

    However, the same section says, I will have to recreate my droplet every 90 days/3 months because certs won't be valid after that.

    Now is this some kind of manual hassle? If yes, then I would love to figure out backup mechanism because there are some override changes I have done.

    Also, as per this link (https://openvpn.net/vpn-server-reso...), they show that even on self hosted OpenVPN, one can access admin panel. Just that I am not able to find the IP to connect.
  • 1
    @F1973 certificate expiry could have been done by design since recreating the Droplet would often give you a brand new IP as well as delete any and all logs - probably a feature for more network privacy concerned people.

    It could mean that server certificate, tls certificate and client certificates have been generated with expiry dates and a certificate revocation list configured to invalidate all client certs after the 3 months. The simplest solution to bypass this would be to regenerate all the certificates by looking up any how-to guides for OpenVPN setup from scratch and doing everything related just to certificates and then updating the client ovpn configs to include the new certs.
  • 1
    @theKarlisK Makes sense. I am planning to move to a cheaper alternative where I can configure OpenVPN from scratch and then load Pi-Hole and have a permanent long term solution.
  • 1
    Medium is rapidly becoming the new and more reliable StackOverflow.
  • 1
    @Wisecrack surprisingly yes.
  • 2
    @Condor I am planning to go with Hetzner. The basic level 1 web hosting plan will work, right?

    https://www.hetzner.com/webhosting

    Also, the DO droplet allows 1TB of transfer. I don't think I will ever reach that but then Hetzner looks cheaper.

    I somehow fear that using OpenVPN, someone is spying on me or the VPN is configured to leak my data.

    Lol am I being paranoid or can I trust the setup 100%? I think this might be because I used that marketplace script, but then since it's on the marketplace it would be trusted.

    I think I shall go with Hetzner and install OpenVPN first and then configure Pi-Hole because the certificate thing will anyway make me redo everything after 3 months.

    What would you suggest?

    I plan to use this script recommended by @Linuxxx
    https://github.com/angristan/...

    I hope these scripts don't configure shady stuff which leaks my data.
  • 2
    @F1973 careful - just at a glance it looks like they offer only web hosting with those plans. No SSH access or ability to set up your own software/services whatsoever.

    I think you need to look at their "Cloud" hosting instead https://www.hetzner.com/cloud
  • 2
    @theKarlisK Ah yes!!! Since I am new to this, I got confused. Now I know that I have to look under cloud.

    Comparing DO and Hetzner, I think Hetzner is giving 20TB transfer which is literally unlimited. Only downside I see is 5GB less storage but then I don't need more than 1GB to host both those apps.

    I think I will go with this one. Thanks homie :)
  • 1
    @F1973 on the quarterly Droplet regeneration, very weird... Why would that be?

    On Hetzner you'd need to go with a VPS, I don't think that web hosting would allow much more than FTP upload for some web pages. The small ones are €2.79/m, billed by the hour but capped at the aforementioned price. For 2 instances it comes out at roughly €6/m for me. The small VPS instances have 2GB RAM, 1 CPU core and 20TB monthly traffic, with a shared 5Gbps internet connection.
  • 1
    @Condor Yes, I think those are fair rates and generous resources for someone like me.

    BTW I got the OpenVPN GUI up and running.

    I followed the documentation, ran the commands again and it gave me the IP I was looking for and now I have a UI but I cannot see the profiles I created earlier.

    One last thing: I can set up OpenVPN and Pi-Hole on the server now, after a few attempts, help, and reading docs. I just want to know one thing, do I have to manually configure the VPN to point to the Pi-Hole DNS? If yes, then how would that work?

    I think apart from that I have my dream project 95% completed. I will soon configure my spare router for the VPN to have network-wide access :)
  • 1
    @F1973 in the server.conf you can add these options to push a DNS server to use.

    push "dhcp-option DNS 1.1.1.1"

    The DNS server address in this case would be Cloudflare, it can be any DNS service / address that the client can reach. For multiple DNS servers, you can add that option multiple times.
  • 1
    @Condor okay will do that. Thanks
  • 1
    @Condor @linuxxx @theKarlisK

    Okay guys, an update:

    1. Hetzner deleted my account due to lack of verification even when I submitted my passport. Tried reaching their support twice but no success.

    2. That said, I will be forced to continue on DO. Which else could I go for? I saw the others you folks recommended but still confused for anything below €3.

    3. If anyone of you use DO, do you also sign in every time you log in to the portal? Somehow they are not saving my credentials and I am forced to sign in. Weird bug.
  • 2
    @F1973 I mentioned Contabo as well! I don't use DO and don't use Hetzner exactly for the ID verification reason either 😄
  • 1
    @linuxxx Yes, I checked Contabo and the cheapest plan it has is €3.99, whereas DO has $5, which is pretty much the same for me.
  • 2
    @F1973 You could go for arubacloud (never used it) or hostmaze (use it but it's not as stable)
  • 1
    @linuxxx damn! they look solid cheap but I prefer stability and reliability any day.

    Let me continue DO for now as I have some spare credits to exhaust.

    But hey!! thanks for the suggestions, surely worth considering for a project like mine and with that price :)
  • 1
    @F1973 yes, DO asks me to log in frequently as well, doesn't often ask me for verification tho.

    As for alternatives, there's also upcloud, vultr and linode. Personally, I've settled on Linode because they allowed me to get the VPS set up and tweak just how I like it. I really hate when VPS hosting providers peddle "customized" RHEL/CentOS and similar RHEL-based distros with SE Linux and FirewallD disabled and/or removed altogether as if it's Debian and I spend days "untweaking" their BS and fixing errors spewing out left and right (cause is usually the said "tweaks") only to end up throwing everything out and switching to a different hosting provider.

    And I'm not even going to rant about the providers that don't allow Docker.
  • 2
    @theKarlisK Linode has same pricing as Digital Ocean.
  • 3
    @theKarlisK @Condor @Linuxxx sorry to buzz you guys again, but how do I delete a profile I created for a friend to test the Pi-Hole?

    I looked it up on internet but cannot find the command.
  • 2
    @F1973 As in a pihole profile?
  • 1
    @linuxxx no, OpenVPN profile
  • 1
    @F1973 you have set up using client certificates? You can just revoke the certificate: https://openvpn.net/community-resou...
  • 1
    @theKarlisK yes this is what I wanted.

    I created a config/certificate and shared it with a friend.

    Now need to cancel his access.

    Perhaps, I was looking for the wrong term which is why I didn't get the results.

    Now I know. Thanks buddy :)
  • 1
    @theKarlisK I tried the approach and Googled even more on how to do it.

    Somehow all the profiles have been created in root directory and easy-rsa directory is not found.

    I tried reinstalling easy-rsa but didn't work.

    I failed and unable to proceed. Maybe I can setup another droplet and experiment there since I have some credits to burn on DO and proceed with a clean installation.
  • 2
    @F1973 I just use python rsa. works like a charm.
  • 1
    @Wisecrack What's that and how do I configure?
  • 1
    @F1973 you need to find the directory for easy-rsa, enter it and 'source' the one file to activate it like you did during setup - after this the commands should work fine.
  • 1
    @theKarlisK the mess is, I used this one-click script to set it up.

    https://marketplace.digitalocean.com/...

    I want to migrate to a clean stand alone installation so that I can manage everything via Admin UI.

    The said script expires everything after 90 days.

    So yeah I created a new droplet and tried installing OpenVPN from scratch for Ubuntu via this link: https://openvpn.net/vpn-software-pa...

    but no success.
  • 1
    @F1973 I'll have a look at the script - there are a whole bunch of them but they're all doing the same thing with few added features (or the opposite - few removed).

    P.S. did you try regenerating the certs as was suggested at some point before to avoid the 90-day expiry?
  • 1
    @theKarlisK well yes, I agree there might be many more scripts to do that. I am just yet to find those. Haha

    No, I am yet to reach the first 90 day expiry and hence did not get any chance to regenerate. However, is regeneration same as creation or is there some other command?

    I am sorry that I ask way too many lay questions for my lack of prior knowledge. If you think I am annoying you in any way, feel free to pass this.

    I am already thankful to you and every other friend here who went out of their way to help a noob. You guys are just awesome :D
  • 1
    @F1973 Looked at the scripts. My directions might get a bit vague (been a while since I had to configure a standalone OpenVPN server).

    As per: https://github.com/digitalocean/...
    and: https://github.com/digitalocean/...

    EasyRSA is located: /etc/openvpn/server/easy-rsa/
    Certificate Revocation List (CRL) is located: /etc/openvpn/server/crl.pem

    You could try running the following to check everything is fine:
    cd /etc/openvpn/server/easy-rsa/
    crl-verify /etc/openvpn/server/crl.pem

    I think you should be fine if you ran:
    cd /etc/openvpn/server/easy-rsa/
    ./revoke-full client-cert-name-here

    After that you should check the contents of /etc/openvpn/server/crl.pem and merge or replace with the contents of the new crl.pem that got generated somewhere under /etc/openvpn/server/easy-rsa (quite possibly under secrets somewhere).
  • 1
    @F1973 after creating the CRL and reloading the OpenVPN server to apply the changes, you don't have to worry about the OVPN config you briefly handed out - the client can no longer connect to the server without providing a valid Client Certificate. If you need to renew the access you have to generate a new client certificate/key (or as a dirty workaround - just disable checking the CRL in the OpenVPN server config).
  • 1
    @theKarlisK couldn't thank you enough for this.

    However, the last part from first comment and second comment, about merging and migrating went over me.

    Why is that needed?

    I'll first try looking up stuff on that and bug you when I am stuck or have queries, if you don't mind.
  • 1
    @F1973 because according to the OpenRSA it generates the CRL within its own directory (/etc/openvpn/easyrsa/), while the OpenVPN server has been configured to look for the file in the root directory (/etc/openvpn/) - therefore if you generate a new CRL it won't necessarily be loaded into the server config.

    Reason why I mentioned about checking the existing CRL file - in case there already are entries in it you can merge that new file into the old one by simply appending the CRL file contents at the end of the old file. However, I didn't look up if it's actually a symlink from easyrsa directory to where OpenVPN looks for the CRL file (might be that no action is actually needed).
  • 1
    @F1973 in short - CRL file is what OpenVPN checks ... if a certificate is on that list OpenVPN won't accept it.
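As an added example (not code from the thread, from OpenVPN, or from the DigitalOcean scripts) tying together the full-redirect, pushed-DNS and CRL discussions above: a small Python inspector that reads a server.conf or client .ovpn and reports the redirect mode, the DNS servers pushed via dhcp-option, and whether crl-verify points at the file EasyRSA actually writes. The sample configs are constructed, and the EasyRSA pki/crl.pem location is an assumption passed in by the caller.

```python
import os
import shlex
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class VpnSettings:
    is_server: bool = False                  # a "server" directive was seen
    full_redirect: bool = False              # a redirect-gateway directive was seen
    pushed_dns: List[str] = field(default_factory=list)
    crl_path: Optional[str] = None           # argument of crl-verify; None = no CRL checking
    findings: List[str] = field(default_factory=list)


def parse_directives(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (directive, args) per line. Comments (# or ;) and blank lines are dropped,
    inline <ca>...</ca> style blocks are skipped, and a server-side push "..." line is
    unwrapped so the pushed directive itself is reported."""
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = not line.startswith("</")
            continue
        if in_block:
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) > 1:
            parts = shlex.split(parts[1])
        yield parts[0], parts[1:]


def inspect_config(text: str, easyrsa_crl: Optional[str] = None) -> VpnSettings:
    """Summarise redirect mode, pushed DNS and CRL handling of a server.conf or .ovpn.
    easyrsa_crl is where EasyRSA writes its CRL (an assumed path supplied by the caller)."""
    s = VpnSettings()
    for name, args in parse_directives(text):
        if name == "server":
            s.is_server = True
        elif name == "redirect-gateway":
            s.full_redirect = True
        elif name == "dhcp-option" and len(args) >= 2 and args[0].upper() == "DNS":
            s.pushed_dns.append(args[1])
        elif name == "crl-verify" and args:
            s.crl_path = args[0]
    if s.full_redirect:
        s.findings.append("full redirect: all client traffic, and so the Droplet's transfer quota, goes through the VPN")
    else:
        s.findings.append("split tunnel: only destinations inside the VPN network (e.g. the Pi-hole) use the tunnel")
    if s.full_redirect and not s.pushed_dns:
        s.findings.append("no DNS pushed: clients keep their own resolver, so lookups can bypass the Pi-hole")
    if s.is_server and s.crl_path is None:
        s.findings.append("crl-verify absent: revoked client certificates are still accepted")
    elif s.is_server and easyrsa_crl and os.path.normpath(easyrsa_crl) != os.path.normpath(s.crl_path):
        s.findings.append(f"crl-verify reads {s.crl_path} but EasyRSA writes {easyrsa_crl}: "
                          "copy or symlink the new CRL there after every revoke, then reload")
    return s


# Constructed samples, not configs taken from the thread.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"   # full redirect, as discussed above
push "dhcp-option DNS 10.8.0.1"            # the Pi-hole listening on the server's tun address
crl-verify /etc/openvpn/server/crl.pem     # CRL location named in the thread
"""
CLIENT_SPLIT = """\
client
dev tun
remote vpn.example.invalid 1194  ; placeholder hostname
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""
EASYRSA_CRL = "/etc/openvpn/server/easy-rsa/pki/crl.pem"   # assumed EasyRSA 3 output path

if __name__ == "__main__":
    for label, cfg in (("server.conf", SERVER_CONF), ("client.ovpn", CLIENT_SPLIT)):
        result = inspect_config(cfg, EASYRSA_CRL)
        print(label, result.full_redirect, result.pushed_dns, result.crl_path)
        for finding in result.findings:
            print("  -", finding)
```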
  • 1
    @theKarlisK got it.

    I think the script I used has its own command which runs on the root folder and creates profiles/certs in root directory.

    Allow me to play around a bit and get back with some results.