Hi, I have set up OpenVPN with Pi-hole on a Raspberry Pi running Ubuntu 20.04 64-bit on my LAN. Everything works perfectly - I can connect to the VPN and Pi-hole does its job filtering ads. I could even manually point other PCs' DNS to the Raspberry's IP address to use its Pi-hole ad blocking. Until I applied the iptables rules below:
Then I could no longer use Pi-hole if I'm not connected to the VPN. I tried adding a POSTROUTING rule from 192.168.1.13 to 10.8.0.1 but it hangs. Luckily I could access the Raspberry again after cycling the power. Please advise on how we could use Pi-hole's DNS even when not connected to the VPN.
Raspberry Pi : 192.168.1.13
OpenVPN TUN: 10.8.0.1
Thank you.
Code:
# Generated by iptables-save v1.8.4 on Thu Jul 16 13:32:36 2020
*mangle
:PREROUTING ACCEPT [142:12092]
:INPUT ACCEPT [142:12092]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [113:16556]
:POSTROUTING ACCEPT [113:16556]
COMMIT
# Completed on Thu Jul 16 13:32:36 2020
# Generated by iptables-save v1.8.4 on Thu Jul 16 13:32:36 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.13
COMMIT
# Completed on Thu Jul 16 13:32:36 2020
# Generated by iptables-save v1.8.4 on Thu Jul 16 13:32:36 2020
*filter
:INPUT DROP [3:108]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [113:16556]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun0 -o tun0 -j DROP
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Jul 16 13:32:36 2020
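As an added example (not from the original post, nor Pi-hole's or OpenVPN's own code), a small POSIX shell script that adds the two INPUT rules the posted ruleset lacks: the INPUT chain's policy is DROP and port 53 is accepted only on tun0, so DNS queries arriving from LAN hosts are silently dropped. It assumes the LAN interface is eth0 and the LAN subnet is 192.168.1.0/24 (neither is stated in the post); both can be overridden through environment variables.

```shell
#!/bin/sh
# Allow LAN hosts that are NOT on the VPN to query Pi-hole's DNS.
# The posted INPUT chain only accepts --dport 53 on tun0, so LAN queries
# hit the DROP policy. Scoping the new rules to the LAN interface and
# subnet keeps the resolver from being reachable as an open resolver.
LAN_IF="${LAN_IF:-eth0}"                 # assumption: LAN NIC name
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumption: LAN subnet
IPT="${IPT:-iptables}"                   # set IPT=echo for a dry run

# Rule spec (everything after "-A INPUT") for one protocol; DNS needs
# both udp and tcp (tcp is used for large/truncated answers).
dns_rule_spec() {
    proto="$1"
    printf '%s' "-i $LAN_IF -s $LAN_NET -p $proto -m $proto --dport 53 -j ACCEPT"
}

# Insert both rules at the top of INPUT. `iptables -C` checks whether an
# identical rule already exists, so re-running the script is idempotent.
apply_lan_dns_rules() {
    for proto in udp tcp; do
        spec=$(dns_rule_spec "$proto")
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        if [ "$IPT" != echo ] && $IPT -C INPUT $spec 2>/dev/null; then
            continue                     # already present, nothing to do
        fi
        $IPT -I INPUT 1 $spec
    done
}

# When executed directly (not sourced), apply the rules.
case "$0" in
    *sh) ;;                              # sourced into an interactive shell
    *)   apply_lan_dns_rules ;;
esac
```

Run it as root and then persist the result with iptables-save, otherwise the rules are lost on reboot; the same pattern with --dport 80 would admit the Pi-hole admin page from the LAN, which the posted rules also restrict to tun0.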