I’ve been trying to make this work for a long time, and now that I’ve managed it, I’ll let you know how to do it.
AlgoVPN is a set of Ansible playbooks from Trail of Bits for building your own VPN server. It is mainly oriented to deployment on a cloud provider such as DigitalOcean, but it also supports installation on an existing local Ubuntu 16.04/18.04 machine. I think it also works on Debian, but I haven’t tested that yet. If someone tries it, please comment on how it goes.
The PiHole documentation has a how-to for running PiHole and OpenVPN on the same machine. It is a very convenient solution, but I prefer Algo because of my paranoia about OpenVPN security holes and because it can be used natively on Android, iOS, Linux and Windows, without any third-party software on the client.
AlgoVPN has an option to install an ad-blocking DNS resolver automatically, but I don’t like it at all because you can’t manage it the way you can manage PiHole.
This was done on an Ubuntu Server 18.04.1 machine. It possibly works on other Debian-based systems, but you’ll have to try it to find out.
The main problem was that after installing PiHole and AlgoVPN (the order doesn’t matter, but in the final test AlgoVPN was installed first), PiHole only worked when connected through the VPN; DNS queries from outside the VPN were not answered.
I found several workarounds involving dnsmasq that were tedious and didn’t work, mainly because they were designed for OpenVPN. This solution uses iptables. It took me a long time to figure out because deleting all the rules didn’t work. AlgoVPN always worked, but PiHole only worked after installing it and before rebooting the machine. After a reboot, four rules disappeared from iptables, and adding them again solved the problem. Let’s start with the process:
Installing Algo
1.- Install dependencies (these follow Algo’s README at the time of writing, which still used Python 2 tooling; current versions of Algo require Python 3, so check the project’s README for the up-to-date list)
sudo apt-get update && sudo apt-get install \
build-essential \
libssl-dev \
libffi-dev \
python-dev \
python-pip \
python-setuptools \
python-virtualenv -y
sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible
sudo apt-get update && sudo apt-get install ansible python-pip build-essential python-dev
pip install virtualenv
pip install --upgrade pip
git clone https://github.com/trailofbits/algo
2.- Modify Algo files
2A.- Configure users and local DNSs
Modify the file algo/config.cfg inside the cloned repository. The line numbers below refer to the version of the file current at the time of writing; if they have moved, search for the key names.
At the top, change the users Dan and Jack to whatever you want, and add more if you need them.
Around line 48, set dns_encryption to false.
Around line 54, under dns_servers, change the first IPv4 entry 1.1.1.1 to 127.0.0.1 (the PiHole running on this same machine) and remove the second entry if you want to use PiHole while connected to the VPN. Change the IPv6 servers only if your machine supports IPv6.
2B.- Using a domain instead a fixed IP (Optional)
Algo only officially supports a fixed IP, but with the following change you can use a domain name without problems.
In the file algo/roles/vpn/defaults/main.yml, modify the line
subjectAltName_IP: "IP:{{ IP_subject_alt_name }}"
to
subjectAltName_IP: "DNS:{{ IP_subject_alt_name }}"
The reason this matters: IKEv2 clients validate the server certificate against the address they were configured with, so the subjectAltName type has to match what you enter at the installer prompt (IP: for an address, DNS: for a hostname). After the run, you can confirm what ended up in the server certificate under configs/ with openssl x509 -in <server certificate> -noout -text | grep -A1 'Subject Alternative Name'.
Personally, I recommend duckdns.org: free and very convenient.
3.- Execute Algo Installer
cd algo
python -m virtualenv env && source env/bin/activate && python -m pip install -U pip && python -m pip install -r requirements.txt
./algo
If you’re installing Algo on a local machine like me, select the option to install to an existing Ubuntu server (option 7 in the menu at the time of writing), then press Enter at the next two prompts, leaving them empty.
Now enter your domain name or fixed IP. The remaining options are up to you; select what you need and/or want.
Wait for AlgoVPN to finish the installation and copy the final message, which looks like this:
#----------------------------------------------------------------------#
#                          Congratulations!                            #
#                    Your Algo server is running.                      #
#    Config files and certificates are in the ./configs/ directory.    #
#              Go to https://whoer.net/ after connecting               #
#        and ensure that all your traffic passes through the VPN.      #
#                    Local DNS resolver 172.16.0.1                     #
#            The p12 and SSH keys password is XXXXXXXX                 #
#----------------------------------------------------------------------#
You’ll need the p12 password to configure your clients.
Installing PiHole
Execute the following command. It is the easy but slightly risky way, because piping a download straight into bash runs whatever the server (or a man-in-the-middle, unlikely as that is over HTTPS) returns without you seeing it. The safer alternative, which the PiHole documentation also describes, is to download the script first (curl -sSL https://install.pi-hole.net -o basic-install.sh), read it, and then run sudo bash basic-install.sh.
curl -sSL https://install.pi-hole.net | bash
The PiHole installer is very intuitive. Just make sure that when choosing the interface PiHole should listen on, you pick wlan0/eth0 and not wg0.
Reboot your machine
Fixing the mess
Now AlgoVPN works perfectly, and PiHole only when you’re connected to the VPN. The cause is that the PiHole installer inserts its firewall rules into the running INPUT chain without saving them, while AlgoVPN manages the firewall with iptables-persistent and restores its own saved ruleset (/etc/iptables/rules.v4) at boot; that ruleset knows nothing about PiHole’s ports, so after the reboot the four PiHole rules are gone. To make PiHole usable from outside the VPN, add them again and save the result with the following commands.
One caveat before running them as written: they accept DNS (port 53, TCP and UDP), the admin web interface (port 80) and the FTL API range (4711-4720) on every interface. On a home server behind NAT that is harmless, but on a host with a public address it turns PiHole into an open resolver and exposes the admin interface, so restrict the rules to your LAN interface with -i eth0 (or to your LAN subnet with -s, adjusted to your network). The last command saves the current ruleset so it survives the next reboot. To check the result, query PiHole from another machine on the LAN: dig @<PiHole LAN IP> pi.hole
sudo iptables -A INPUT -p tcp --dport domain -j ACCEPT
sudo iptables -A INPUT -p udp --dport domain -j ACCEPT
sudo iptables -A INPUT -p tcp --dport http -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 4711:4720 -j ACCEPT
sudo dpkg-reconfigure iptables-persistent
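The following script is an added example; it is not part of the original post and not code from the PiHole or Algo projects. It does the job of the four commands above, but binds the rules to the LAN interface and subnet, uses iptables -C to report which of the rules are missing (handy right after a reboot), appends only those, and then saves the ruleset with netfilter-persistent save (the non-interactive equivalent of dpkg-reconfigure iptables-persistent). Assumptions: the LAN interface is eth0 and the LAN subnet is 192.168.1.0/24 (set LAN_IF and LAN_NET to yours), and iptables-persistent is installed, which Algo does. It deliberately leaves the FTL API range closed to the LAN, since the web interface talks to FTL over localhost; verify that your INPUT chain accepts loopback (iptables -S INPUT | grep -- '-i lo') before relying on that.

```shell
#!/bin/sh
# Added example (not from the original post, PiHole or Algo): re-create the
# INPUT rules PiHole's installer adds, restricted to the LAN, report which are
# missing, and persist them so Algo's iptables-persistent ruleset keeps them.
# Assumed values: LAN interface eth0, LAN subnet 192.168.1.0/24.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-iptables}"                  # point at a stub for a dry run
SAVE_CMD="${SAVE_CMD:-netfilter-persistent save}" # writes /etc/iptables/rules.v4

# What LAN clients must reach: DNS over UDP and TCP, and the admin web UI.
# FTL's 4711-4720 range is only used over loopback, so it is not opened here.
PIHOLE_PORTS="udp:53 tcp:53 tcp:80"

# The one rule definition shared by the -C check and the -A append, so the two
# can never drift apart (a drifted -C would always report "missing").
rule_args() {
    echo "INPUT -i $LAN_IF -s $LAN_NET -p $1 --dport $2 -j ACCEPT"
}

# True if the rule is already loaded; iptables -C exits 1 when it is absent.
rule_present() {
    "$IPTABLES" -C $(rule_args "$1" "$2") 2>/dev/null
}

# Print the state of every expected rule; exit status is non-zero if any is missing.
check_pihole_rules() {
    missing=0
    for spec in $PIHOLE_PORTS; do
        proto=${spec%%:*}; port=${spec#*:}
        if rule_present "$proto" "$port"; then
            echo "present  $proto/$port"
        else
            echo "MISSING  $proto/$port"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Append only the rules that are missing, so re-running never duplicates them.
apply_pihole_rules() {
    for spec in $PIHOLE_PORTS; do
        proto=${spec%%:*}; port=${spec#*:}
        if rule_present "$proto" "$port"; then
            echo "kept     $proto/$port"
        else
            "$IPTABLES" -A $(rule_args "$proto" "$port")
            echo "added    $proto/$port"
        fi
    done
}

# Save the live ruleset so the next reboot restores PiHole's rules too.
persist_rules() {
    $SAVE_CMD
}

# Usage: sh pihole-rules.sh            -> only report (run after a reboot)
#        sudo APPLY=1 sh pihole-rules.sh -> add what is missing and save
if [ "${APPLY:-0}" = 1 ]; then
    apply_pihole_rules && persist_rules
else
    check_pihole_rules
fi
```

The -C check is what makes the script safe to run repeatedly: the plain -A commands above append a duplicate rule every time they are run, which does no harm but makes the ruleset harder to audit, while iptables -C exits 1 when the rule is absent and 0 when it exists, so only the absent ones are appended.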
The End
I just hope this helps people save the time I spent figuring out this solution.
Credit to the GitHub users @notDavid and @hduarte, who helped me here to use a domain name instead of a fixed IP.
Thanks to PiHole for such an awesome DNS resolver: versatile, configurable and easy to use.
Thanks also to AlgoVPN for providing this very well documented VPN solution.
Finally, sorry for my English; it has been a while since I wrote anything longer than three lines.