How to connect to your Raspberry Pi from outside, behind NAT, with SSH tunneling - Raspberry Pi General

To do this, you will need a server or VPS with SSH enabled and a public IP address.
What we are going to do is use the server as a tunnel to your Raspberry Pi, like this:
Code:
Raspberry Pi ----> SERVER <---- A computer outside your home network
To make everything easier, configure your server to use public key authentication, so you
are not asked for a password every time you connect.
First of all, put your SSH key inside ~/.ssh/ on BOTH your Raspberry Pi and the computer you
want to use to access the RPi. Then we'll configure the server to tunnel connections
to the bind address we specify, so edit your server's /etc/ssh/sshd_config and add at the end:
Code:
GatewayPorts clientspecified
Now we are ready. Open a screen session on your Raspberry Pi and type:
Code:
ssh -R your-server-interface-ip:2222:localhost:22 [email protected]
So, if you want the SSH port to be tunneled only on the server's localhost, you should type:
Code:
ssh -R localhost:2222:localhost:22 [email protected]
Otherwise, if you want it to be tunneled on the public IP address:
Code:
ssh -R your-server-address:2222:localhost:22 [email protected]
Now you are ready. If you used the localhost bind interface, you can reach your RPi by connecting
to your server and then, from inside the SSH session, typing:
Code:
ssh -p2222 [email protected]
Else, if you chose the public IP, you will simply connect with:
Code:
ssh -p2222 [email protected]
Enjoy ^_^
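As an added example (not part of the original post), the following POSIX shell script builds the reverse-tunnel command from the guide with fail-fast and keepalive options, classifies how exposed a chosen bind address becomes once GatewayPorts clientspecified is in place, and prints the server-side restrictions a defender would pair with it: a Match block and an authorized_keys line that confine a dedicated tunnel account to the single listener the Pi needs. The account tunnel, the host tunnel.example.com and port 2222 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. tunnel@tunnel.example.com and
# port 2222 are placeholders for the dedicated tunnel account on the public server.

# Build the reverse-tunnel command the Pi runs.
# $1 = bind address on the server (localhost, or the server's public IP)
# $2 = server-side port, $3 = user@server
# -N opens no shell, only the forward. ExitOnForwardFailure makes ssh exit instead of
# silently staying connected without the tunnel when the port is already taken.
# ServerAlive* tears down a dead session after ~90 s so a supervisor (screen loop,
# systemd unit, autossh) can reopen it.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:localhost:22 %s\n' "$1" "$2" "$3"
}

# Classify a bind address. With GatewayPorts clientspecified the client decides:
# a loopback bind is reachable only from the server itself; any other address
# (including "" or "*", which mean all interfaces) is reachable from the internet,
# so password guessing against the Pi's sshd will arrive on that port.
bind_exposure() {
    case "$1" in
        localhost|127.0.0.1|::1) echo local ;;
        *) echo public ;;
    esac
}

# authorized_keys entry for the tunnel account: "restrict" removes shell, pty,
# agent and X11 forwarding; "port-forwarding" re-enables forwarding, and
# permitlisten caps it to the one remote listener the Pi may open.
# $1 = bind, $2 = port, $3 = public key text
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="%s:%s" %s\n' "$1" "$2" "$3"
}

# sshd_config fragment: GatewayPorts is scoped to the tunnel user instead of
# everyone, and PermitListen repeats the cap so it holds even if the key options
# are later edited. $1 = user, $2 = bind, $3 = port
sshd_match_block() {
    cat <<EOF
Match User $1
    GatewayPorts clientspecified
    AllowTcpForwarding remote
    PermitListen $2:$3
    PermitTTY no
    X11Forwarding no
EOF
}

# Check an sshd_config for the directive the post tells you to add.
# Returns 0 when present (comment lines do not count).
has_gatewayports() {
    grep -Eq '^[[:space:]]*GatewayPorts[[:space:]]+clientspecified' "$1"
}

# Demonstration on a constructed sshd_config.
demo_conf=$(mktemp)
printf 'Port 22\nGatewayPorts clientspecified\n' > "$demo_conf"
if has_gatewayports "$demo_conf"; then
    echo "server accepts client-chosen bind addresses"
fi
rm -f "$demo_conf"
echo "Pi command:  $(tunnel_cmd localhost 2222 tunnel@tunnel.example.com)"
echo "exposure of 203.0.113.10 bind: $(bind_exposure 203.0.113.10)"
authorized_keys_line localhost 2222 'ssh-ed25519 AAAA...placeholder'
sshd_match_block tunnel localhost 2222
```

Reload sshd after adding the Match block; the Pi-side command is then the only thing that needs supervising.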

Dynamic DNS
Your home connection may not have a static IP address, so most home routers now give the option of filling in dynamic DNS account information that will assign a hostname to your IP address automatically. This means you don't have to keep track of your IP address manually.
Google for "how to set up dynamic dns" -- Wired.com has a nice step-by-step tutorial. (Can't post links yet. :-/) I use DynDNS as my provider; they allow you to set up a hostname using their domains for free.
=RV=

redvelociraptor said:
Your home connection may not have a static IP address, so most home routers now give the option of filling in dynamic DNS account information that will assign a hostname to your IP address automatically. This means you don't have to keep track of your IP address manually.
Google for "how to set up dynamic dns" -- Wired.com has a nice step-by-step tutorial. (Can't post links yet. :-/) I use DynDNS as my provider; they allow you to set up a hostname using their domains for free.
=RV=
Considering that in this tutorial I've suggested a dedicated server as the tunnel, I don't get why the static/dynamic IP address of your home network is important....

Control RPi over NAT by HTTP
hopmsg.com lets you make a free message channel by creating a random key (no registration, login, etc.), which can be used to get status from / send commands to your RPi:
1. Simplest way to send/receive a message from any kind of OS/browser/platform, just by clicking on a link; you only need to know the ID of your message!
Example: set your message by opening a link: hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=message
get your message from any device by opening: hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY
or use the Android app to get/set it.
2. Control your device inside NAT/LAN
Example: set your command by opening a link: hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=command
get your command from any device by opening: hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY
or use the Android app to get/set it.
3. Basic monitoring system
Bash script checking uptime:
Code:
UP=$(uptime | sed -e 's/ /_/g'); curl "hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=${UP}"
and use the Android app or a browser to check the status of the device.
4. Get your IP address, the message source, poor man's DynDNS
If you set a value with the src=1 parameter, your IP and the UTC time are also added to your message.
Example:
hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY&value=VALUE&src=1
wget -qO- hopmsg.com/ctl.php?id=YOUR_UNIQUE_KEY > result.txt
to use with some script.

Hi,
another option is Dataplicity: very easy installation, zero configuration and really good features.

Related

GUIDE - Bypass carrier's PROXY - Access SMTP/POP emails, Windows Live Messenger, etc!

Like many other people, my carrier filters all my GPRS through their HTTP Proxy.
- POP/SMTP email can't be polled
- Windows Live Messenger won't connect
- Streaming whatever is obviously impossible
- Whatever other network you want won't work
- All you can do is browse web pages and update RSS news
I wrote a very unpopular thread in the past about how to bypass your carrier's GPRS proxy server
in order to access blocked ports for email & other services. It was unpopular probably because
it only worked on a PC:
http://forum.xda-developers.com/showthread.php?t=314757
Now I made it work ON your phone.
Basic Guide - This post
Tip to autoload everything once setup - Bottom of first post
Make a SSH server - Second Post
Setup your email settings - Third Post
~~~~~~STEP BY STEP GUIDE ~~~~~~~~~~
1 - Set up an SSH server to listen on port 443. Port 443 being opened to the internet, OBVIOUSLY.
Linux users will have no issue with this.
However, Windows XP users need to install a SSH server, so please see my second post for how to do this.
2 - Download Pocketputty for your phone
3 - On your phone, go to: Settings / System / About / Device ID (tab) | Write something unique, in a single word, such as your username.
4 - Go to Settings / Connections / Connections / Advanced / Select Networks | Select "My Work Network" for both options.
It might not be named "My Work Network", but it has to be the network to which you can add a proxy server in the settings.
5 - Add your GPRS information for the "My Work Network".
6 - Go to "Edit my proxy server"
7 - Check the two boxes in proxy settings, then click on "Advanced"
HTTP : add your carrier's HTTP proxy address. Pocket IE cannot work any other way.
WAP : Useless (unless you NEED this working, add your carrier's proxy, or the same information SOCKS proxy under)
Secure WAP : useless
SOCKS : write your phone's "about" name from step 2, port is 1080
8 - Click OK, OK, OK etc. until you get back to "Today"
9 - Load PocketPutty
TAB - Session
Hostname : your SSH server's external IP address
Port : 443
TAB - Tunnel
Source : 1080
Destination : (nothing)
Check circle "Dynamic"
Click Add (top right)
Go back to Tab - Session
Stored Session : proxy
Click Save
Click Cancel
10 - Use a registry editor & edit the following values (MAKE SURE THEY ARE DECIMAL VALUES)
HKEY_CURRENT_USER / SOFTWARE / SIMONTATHAM / PUTTY / SESSIONS / PROXY
LocalPortAcceptAll = 1
ProxyHost = (your cellphone carrier's HTTP proxy server)
ProxyPort = (Your cellphone carrier's HTTP Proxy server port, should be 80 or 8080)
ProxyMethod = 3
RemoteCommand = top
12 - Initiate a GPRS connection (Settings / Connections / Connections / Manage Existing Connections /
Select your GPRS connection, Tap & hold, click on connect)
13 - Load Putty
14 - Load session "Proxy"
15 - Click Open & a black terminal window will appear
16 - Go back to the "Today" screen as soon as possible (it's the only way it will connect, while in the background;
I think it's a bug or something)
17 - Wait a few seconds, suddenly a window will appear asking you if you wish to save an encryption key. Click yes
(note : this will only happen on the first time you connect)
18 - Go back into Putty (DO NOT LOAD A NEW PUTTY WINDOW, use the task manager to bring back the ongoing session)
19 - It should ask for your username, then password; fill in the obvious information.
20 - Once you are logged into your SSH server, type "top" and press enter, it will allow you to keep your connection alive.
21 - Go back to the "Today" screen and try loading Windows Live Messenger, for the first time, while using the proxy, it should connect!
~~~~~~TIP~~~~~
With Total Command, you can make a shortcut that will load putty and log you in AUTOMATICALLY
Find Putty.exe
Click on File, then >>>>>>>>>>>>> (A) >
Create Shortcut
Place it in \windows\start menu\programs\
Then browse to that folder with total command
find Putty.exe.lnk
Tap/Hold and open properties
tab SHORTCUT
Assuming putty.exe is located in "\" write this in target:
\PUTTY.EXE" -load proxy -l yourusername -pw yourpassword
Then click on OK. Tadaa, simply start up Putty from that shortcut and go back to the Today screen.
It will log you on automatically without your intervention.
You still need to initiate a GPRS connection first, though.
For running a SSH server in Windows
Part 1
1 - Download & Run http://www.cygwin.com/setup.exe
2 - Click - Install from the Internet / NEXT
3 - Root directory : c:\cygwin / NEXT
4 - Local Package Directory : c:\cygwin / NEXT
5 - Direct Connection / NEXT
6 - Select any download site / NEXT
7 - Click on "VIEW" on top right
8 - Click on the column title "Package" (to sort alphabetically) and find "Openssh: The OpenSSH server and client programs"
9 - Click on Skip on the far left column, on that row.
10 - Repeat step 8 & 10 for packages tcp_wrappers, procps & zlib (might already be selected)
11 - Click NEXT & wait (about 40-50MB download)
12 - Click on Finish (check or uncheck Create Icon & Add Icon to your discretion)
Part 2
1 - Go to your Control panel, then go into System (This is in Windows XP, not cygwin)
2 - Click on "Advanced" tab, then click on Environment Variables at the bottom
3 - Under "System Variables" click on "New"
4 - Name = CYGWIN / Variable Value = ntsec tty CLICK OK
5 - Back into "Environment Variables", look for the variable "Path"
6 - Click on EDIT, then WRITE EXACTLY at the END of the line: ;C:\cygwin\bin
7 - Here is my complete value for example: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\cygwin\bin
8 - Click OK,OK,OK etc until you get out completely of the Control Panel and System
Part 3
1 - Go in your C:\cygwin\ folder
2 - Double-click: cygwin.bat | You'll see this window appear (with your computer name instead of alk)
3 - type "ssh-host-config" then press enter
4 - "privilege separation", answer yes (not just "y")
5 - "create local user sshd", answer yes
6 - "install sshd as a service", answer yes
7 - When the script stops and asks you for "CYGWIN=" your answer is ntsec tty
8 - Type "chmod 0777 /etc/sshd_config" and enter
9 - In Windows, go to the file C:\cygwin\etc\sshd_config
10 - Open it with NOTEPAD
11 - Where it says "Port 22", replace it so it says "Port 443" and save the changes
12 - Back in the terminal, type "chmod 0644 /etc/sshd_config" and enter
13 - type "net start sshd"
14 - It should say the SSHD service has started
15 - Test out your server by connecting to your server with putty
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
16 - In putty, enter "127.0.0.1" as hostname and "443" as port, then click on "Open"
17 - It will ask you if you want to save the key, click "Yes"
18 - Enter your windows XP username, enter, then your XP password, enter.
19 - You should then see something like [email protected]:
20 - Success, you have a running SSH server for your phone to connect to.
Notice - Make sure that if your Windows machine is behind a router or firewall, that the port 443 is
forwarded to your computer. Otherwise, nobody on the internet would be able to connect to your
SSH server on port 443, including your phone.
POP/SMTP EMAIL SERVER ACCESS
I'm going to write an example for using GMAIL. You can guess the rest for different services.
1 - Load your Proxy session, but don't connect yet.
2 - Go to the Tunnel tab
Local : 35553 (or any big unused port number)
Remote : pop.googlemail.com:993
Select "local"
Click add
Again
Local : 35554 (different from above)
Remote : smtp.googlemail.com:465
Click add
Go back to session and save the new settings
Now connect to your SSH server
Go to your Messaging
Add a new Email account
Email address : [email protected]
UNCHECK : Try to get your email settings directly from the internet
Select Provider : Internet Email
Fill everything yourself until "Incoming Mail Server"
Incoming mail server : alkizmotytn:35553 (that's MY PHONE's name, type in YOURS!!!)
Account type : pop3
Enter your gmail username & password
Outgoing Mail Server : alkizmotytn:35554 (dont be an idiot)
Check box : Outgoing server requires authentication
Click "Advanced Settings"
Check box : Require SSL for incoming
Check Box : Require SSL for outgoing
Network Connections : Work
It should be able to download/send emails now, while using Putty.
ok, so I can connect, but when it does it says
Fatal error....
in the terminal it says
Bash: Top: Command not found
BTW! Thanks for this. If this works, you're my hero. If not, well, you're still my hero. lol
Ohhh I know exactly what's wrong.
Here's how to fix it :
1 - Run "setup.exe" that you downloaded from cygwin
2 - Repeat the same steps of installation (you'll notice, it's taking your previous settings already)
3 - Find "Procps" package, click on "skip" just like you did with OpenSSH, Zlib, etc.
4 - Click next, and it will install "procps" on top of your SSH server.
5 - Reconnect, TOP will now work.
Here's WHY this happened
"top" command is a command that is sent automatically. It is added in Step 10.
"top" is ALWAYS part of a Linux system, but apparently not of the SSH server for Windows.
I didn't think to check this since I run a small Linux server.
now it should work
GOOD NEWS THOUGH : YOU HAVE PASSED THE HARDEST PART! TOP WAS A TINY ISSUE!!!
edit - I edited the SSH server setup to include "procps" in the package installation list. I hope people read this thread. This is a major improvement for those stuck behind an HTTP proxy.
~~~~~~ TO RUN A SSH SERVER WITHOUT A COMPUTER ~~~~~~~
If you don't like the idea of running a PC 24/7 at home, you can turn your wireless router into an SSH server.
Look at the hardware list here
http://wiki.openwrt.org/TableOfHardware
If your router's model number and revision has "SUPPORTED" under status, you might just be in luck!!!
You can install a linux based firmware operating system on your wireless router. It will replace your router's OS completely with a MUCH MUCH more powerful one.
I recommend X-WRT since it is VERY user-friendly
http://x-wrt.org/
But OpenWRT is good for advanced linux users
http://wiki.openwrt.org/OpenWrtDocs/Installing
There's also DD-WRT for the complete n00b
http://www.dd-wrt.com/dd-wrtv2/index.php
All of them, once installed, have a SSH server right out of the box.
So your server is your router.
Thanks, I will try this.
alkizmo said:
~~~~~~ TO RUN A SSH SERVER WITHOUT A COMPUTER ~~~~~~~
If you don't like the idea of running a PC 24/7 at home, you can turn your wireless router into an SSH server.
Look at the hardware list here
http://wiki.openwrt.org/TableOfHardware
If your router's model number and revision has "SUPPORTED" under status, you might just be in luck!!!
You can install a linux based firmware operating system on your wireless router. It will replace your router's OS completely with a MUCH MUCH more powerful one.
I recommend X-WRT since it is VERY user-friendly
http://x-wrt.org/
But OpenWRT is good for advanced linux users
http://wiki.openwrt.org/OpenWrtDocs/Installing
There's also DD-WRT for the complete n00b
http://www.dd-wrt.com/dd-wrtv2/index.php
All of them, once installed, have a SSH server right out of the box.
So your server is your router.
If I remember correctly there are FON routers on Ebay for dirt cheap that can use this DWRT thingy.
cd85233 said:
Thanks, I will try this.
If I remember correctly there are FON routers on Ebay for dirt cheap that can use this DWRT thingy.
I'd recommend a Linksys WRT54GL if you are going to dish out the cash for a new router. Might as well buy a POWERFUL router. The WRT54GL can be overclocked to 250 MHz (mine runs at 262 MHz stable), and you can mod it to add a flash SD card to expand the memory and install OTHER applications.
You can run a small HTTP server with 1-2 GB of storage with the SD mod.
I run an Asterisk VoIP server + HTTP + the SSH tunnel thing + the router can become a relay access point (the router is a WIFI CLIENT!!) and a bunch of other Linux applications.
WRT54G and WRT54GS are good too, but you need to find an older revision number.
FON routers are... meh...
edit - I'm out for the night, I'll check back in the morning for questions and problems.
PLEASE READ!!!!
I forgot a VERY important registry setting for PocketPutty in Step 10
LocalPortAcceptAll = 1
VERY IMPORTANT!!!! ok?
sorry for the mistakes
Me no Likey SSH
Hmm, the SSH server has given me lots of trouble. I think I would rather use an HTTP proxy if this made things work.
Nothing really works, and my internet connection is messed up when I use the SSH server.
I won't give up though. THIS IS A GREAT GUIDE.
If this is the way to kick T-Mo's Butt, I'm going to drive this into the ground!
Please try this, and post your results.
Alkizmo and I will hopefully get time to get this to work.
More Alkizmo than I, I'll be the guinea pig
almost working... help please ^^
Alkizmo thanks for the great guide!
I got almost everything to work.. but I guess there's something still missing..
Pocketputty correctly connects to the SSH server with the correct tunnel settings (checked many times). Registry settings for Pocketputty are set correctly as well (also checked..). By the way, Pocketputty doesn't seem to know how to start an EDGE/GPRS connection on demand, so I either manually connect, or start the Opera browser and go to a random website to start the connection.
The proxy settings changed under the T-Mobile Data network, with HTTP proxy pointing to the T-Mobile well-known proxy server, and the SOCKS proxy (tried both SOCKS4 and SOCKS5) pointing to the localhost:1080 (tried 127.0.0.1, tried the id of the phone).
No luck... Windows Live Messenger still cannot connect.
Let's try to find out the missing piece!
Thank you!
p.s. using AT&T Tilt, with Dutty's hybrid ROM.
Sorry for the late reply. It's been a while since I've roamed these forums.
So, you should try the SSH tunnel on another computer with the PC version of Putty and see if you can tunnel through SOCKS4, so you can eliminate the server as a fault.
Second, you can do another test to see if it's Pocketputty's fault or T-Mobile's proxy being very strange.
You test it by changing Pocketputty's proxy settings to be very specific with a POP3 email server, as explained in the guide. Then create a POP3 email account on your phone to connect through the Pocketputty proxy.
If that doesn't work, then I'm thinking that there's something else at work to prevent you from tunneling. I had someone else with T-Mobile that couldn't SSH tunnel for some reason.
I found your MISTAKE mmoroz!
You enter in the SOCKS proxy - localhost:1080
However, as specified in step #3, you have to first give a unique ID name to your phone. Name it: mmoroz
Settings / System / About / Device ID / Device Name : mmoroz
THEN in SOCKS proxy, you enter - mmoroz:1080
WM5/6 don't seem to understand localhost or 127.0.0.1; that's why you've got to specify your phone's Device ID as the localhost address.
windows live mail on windows mobile
Does Windows Live Mail (Hotmail) work with this method? The instructions look complicated, but I'm willing to do it if it works with Live Mail with the push feature. By the way, do I need a static IP address for the server?
Thanks a lot! This is a great guide!
navy2010 said:
Does Windows Live Mail (Hotmail) work with this method? The instructions look complicated, but I'm willing to do it if it works with Live Mail with the push feature. By the way, do I need a static IP address for the server?
Thanks a lot! This is a great guide!
Hotmail push email will work. The moment you're connected to Messenger, all the other services will follow.
You don't need a static IP, but you'd need to have a system to either update your DNS address with your new IP every time, or manually change it yourself.
I've got a dynamic IP, but since I'm on broadband, the connection is active all the time, so my IP pretty much never changes.
alkizmo said:
Hotmail push email will work. The moment you're connected to messenger, all the other services will follow.
Thanks A LOT! I'm working hard to get this to work (no Xbox for the past 48 hrs). I'm using a DD-WRT router to do the SSH server, but I have to change my Verizon router to bridge mode first & I'm still trying to change it. Anyway, I will keep you updated w/ my progress.
Guys, I STRONGLY recommend you set up a TEMPORARY SSH server before making all this effort to set up a permanent one. You can do this on your computer directly connected to the internet.
You should TEST with your phone BEFORE making a permanent server. That way, if your carrier blocks something special that prevents SSH access, then you wouldn't have wasted your time setting up the server.
problems!
Hi,
I set up an SSH server on my Buffalo router with DD-WRT firmware. Instead of just using a password, I used a private key for SSH server authorization. I did load/save the private key onto the client on my phone. I got this error msg. on my phone when I try to connect to the SSH server.
PuTTY Fatal Error
"Server unexpectedly closed network connection"
I checked the firewall log on the router; it confirmed that it accepted the connection from my phone. I did double-check the IP address of the phone and confirmed that it's the same IP address from the log:
Source IP      Protocol   Destination Port Number   Rule
66.94.XX.XX    TCP        https                     Accepted
By the way, I'm using T-Mobile USA service. Please see the attached picture for the SSH setting on my router (I did exactly as shown on the picture, but I copied the pic from the web). I also enabled SSH remote management on my router.
I have been reading a lot of information regarding SSH. I can't figure out the problem yet. Please offer any suggestions.
alkizmo said:
~~~~~~ TO RUN A SSH SERVER WITHOUT A COMPUTER ~~~~~~~
If you dont like the idea of running a PC 24/7 at home, you can turn your wireless router into a SSH server.
I wouldn't suggest leaving any router, whether it be DD-WRT, OpenWRT or etc... open to SSH for an extended period of time... you're going to open up a bad can of worms security-wise. It's cool to do it for a short amount of time for testing, but when you're done... close the hole and shut it down
navy2010 said:
Hi,
I set up an SSH server on my Buffalo router with DD-WRT firmware. Instead of just using a password, I used a private key for SSH server authorization. I did load/save the private key onto the client on my phone. I got this error msg. on my phone when I try to connect to the SSH server.
PuTTY Fatal Error
"Server unexpectedly closed network connection"
I checked the firewall log on the router; it confirmed that it accepted the connection from my phone. I did double-check the IP address of the phone and confirmed that it's the same IP address from the log:
Source IP      Protocol   Destination Port Number   Rule
66.94.XX.XX    TCP        https                     Accepted
By the way, I'm using T-Mobile USA service. Please see the attached picture for the SSH setting on my router (I did exactly as shown on the picture, but I copied the pic from the web). I also enabled SSH remote management on my router.
I have been reading a lot of information regarding SSH. I can't figure out the problem yet. Please offer any suggestions.
You're not using port 443. You need to use port 443; that's one of the only ports opened by the T-Mobile proxy.
Also, I'm not sure if SSHD will work with my trick. I only tested with SSH.
seattleweb said:
I wouldn't suggest leaving any router, whether it be DD-WRT, OpenWRT or etc... open to SSH for an extended period of time... you're going to open up a bad can of worms security-wise. It's cool to do it for a short amount of time for testing, but when you're done... close the hole and shut it down
Make the password extra extra long and block your router from responding to ping requests and you'll be fine. SSH is a very very very secure protocol.

Set Wi-Fi Identity

OK, I might be being a bit thick here, but how can I (or is it possible to) set the Wi-Fi identity of the phone?
When I look at my router, the laptops are all listed with "name" and MAC and then IP number, apart from the Hero, which just has a blank space where the "name" should be.
So can this be fixed?
A bit of background which you might already know. DHCP is used to initialise the network interface & involves a conversation between the router running a dhcp server & your device, the client. On Android, the dhcp client is dhcpcd.
You want to set the hostname used by your Wi-Fi interface prior to dhcpcd doing its stuff. This can either be done from an init script via the hostname <name> command (which by default is probably using the name localhost) or by passing the -h <name> command-line option to the invocation of dhcpcd.
By default dhcpcd will use the hostname (though if it's blank or localhost, it is obviously ignored, probably by dhcpcd rather than by the dhcp server), but the -h option will override this.
This name is passed to the dhcp server early on in the conversation.
Incidentally, the same protocol allows the dhcp server to tell the device what name to use. You might be able to configure your router to assign a name based on mac address. Usually if the dhcp server does this, dhcpcd will ignore it, the exception being if the existing hostname is localhost or blank, which does seem to be the case here.
So, how to configure this? Afraid it depends on your ROM. You need to look through /init.rc & any associated initialisation configuration. See if you can find where/if hostname is defined & where dhcpcd's command line is specified. I don't like editing files in the boot partition directly, so personally I'd see if I can find some init script onto which I could tack an overriding hostname command. Of course, this relies on it being invoked after any existing hostname command & before dhcpcd is started. You might need to experiment a bit.
Oh bugger, there was me hoping it was as easy as "naming the computer" like you do in Windoze. I know, I know, lots of complicated things happen for you in the background, but I don't fancy hacking around anywhere to fix/sort this; it's not that important anyway.
Lol, I know what you mean. Sometimes I start to look into something which I think will probably have a simple solution & then an hour later with twenty new tabs open in my browser I find myself thinking maybe I'll let someone else have a go at this
In this case, the best place to address it would be in kitchen of the ROM builder. You could ask whoever's responsible for the ROM you use to make it easier to configure the hostname. Failing that, they might at least be able to give you the location of an existing file which you can change. If you give it a shot, do post back. Someone else with the same question is bound to stumble into this thread eventually.

No DNS Server / port forward to port 53 on Android 4.4.2 w/root & WiFi Tether Router

I tried everything I could think of before posting this. If this is the wrong location for this kind of issue please let me know.
Anyway...
I have a rooted phone (Samsung Galaxy Avant) running the stock Android 4.4.2 that came with the phone and I use WiFi Tether Router to provide my other devices with an internet connection. Everything works perfectly and I get very fast LTE service both on my desktop and laptop (using a user agent switcher on my browser). However, I need to do some custom DNS routing and I am running into some issues.
What I want:
1.) When a browser on a device that is tethered to my phone through WiFi Tether Router requests a website then the DNS should run through the default DNS I specify (either Google's 8.8.8.8/8.8.4.4 or OpenDNS or my mobile provider's DNS servers) and load the website from the public internet.
2.) When a browser on a tethered device requests my-example-domain.com or my-other-domain.com, I want the DNS to resolve to an IP of my choosing. In this case (for now, but I want to be able to change it), I want it to resolve to the IP address of my phone that is providing the tethering. The local IP address of the phone is 192.168.11.254, which is the Default Gateway address when running WiFi Tether Router. I have a web server running on the phone on port 8080 and I want it to receive the requests for my two domain names.
I want nearly all traffic from tethered devices to resolve through public DNS servers, but for those two specific domains I want the DNS to be handled by the DNS server running on the phone. I want those specific requests to resolve to the same phone that is providing the tethering and to have the web server running on the phone serve the files.
I have most of this working correctly except for one issue. Here are the details.
I am using three devices:
Galaxy Avant to provide tethering "phone"
Windows Laptop "laptop"
Windows Desktop "desktop"
Scenario 1 - Using Google DNS on phone:
In WiFi Tether Router under DHCP Settings I have:
Code:
IP Address: 192.168.11.0 (0 is disabled and can't be changed)
DNS 1: 8.8.8.8 (google)
DNS 2: 8.8.4.4 (google)
When either of the Windows computers connects via wifi they receive the following:
Code:
Default Gateway: 192.168.11.254
IP Address: 192.168.11.1XX
The laptop has a dynamic IP and DNS assigned by the DHCP in Wifi Tether Router on the phone.
The desktop has a static IP of 192.168.11.102 with its DNS pointing to the phone at 192.168.11.254 for DNS 1 and 192.168.11.0 for DNS 2 (I know the second one is invalid, but Windows requires two)
Under this scenario both the laptop and the desktop can access live websites through their browsers.
I'm assuming that the DNS is running through Google's 8.8.8.8 since that is the primary DNS for Wifi Tether Router and both computers are getting their DNS from the phone.
Scenario 2 - DNS running on Windows Desktop:
In WiFi Tether Router under DHCP Settings I have:
Code:
IP Address: 192.168.11.0 (0 is disabled and can't be changed)
DNS 1: 192.168.11.102 (desktop)
DNS 2: 192.168.11.102 (desktop)
Both Windows computers still receive the following:
Code:
Default Gateway: 192.168.11.254
IP Address: 192.168.11.1XX
Since the DNS 1 and DNS 2 settings for WiFi Tether Router now point to 192.168.11.102 (desktop) instead of 8.8.8.8/8.8.4.4 (Google) the DNS is now handled by the desktop.
The desktop is running Simple DNS Plus which is configured to point my-example-domain.com and my-other-domain.com to the IP address of the phone at 192.168.11.254.
There is a web server running on the phone.
Both computers can still access live websites through their browsers and both computers can access the web server running on the phone by visiting my-example-domain.com:8080 or my-other-domain.com:8080
The only records I have defined in Simple DNS Plus on the desktop are for my two domains, so I'm assuming that the rest of the DNS requests are getting passed back to the phone to be handled by the phone's default DNS servers, since WiFi Tether Router no longer knows about Google's DNS (because it is now pointing at the desktop to resolve DNS instead). The DNS settings for the Wi-Fi network adapter on the desktop are still pointing at the phone's 192.168.11.254 address (which seems like it should create some sort of loop since the phone and desktop both point at each other, but it doesn't? Maybe someone can clear this part up for me), so even though my-example-domain.com and my-other-domain.com are being redirected by the DNS server on the desktop to the IP of the phone where the web server is listening, every other DNS request must be going back to the phone and resolving there, since the phone is the desktop's only source of internet and the live websites actually resolve. The desktop must be either sending the request back to the phone to resolve or using the phone's data, but either way the desktop is forwarding the domains that it is supposed to and leaving the rest up to the DNS on the phone somehow. I'd like to have a better idea of how this actually works.
In my head it's doing the following:
Request for my-example-domain.com or my-other-domain.com from laptop:
Checks DNS on WiFi Tether Router on phone > Forwards all DNS to Simple DNS Plus on Desktop > Points and resolves to web server on phone
Request for any other domains from laptop:
Checks DNS on WiFi Tether Router on phone > Forwards all DNS to Simple DNS Plus on Desktop > No record found for host > Returns DNS request to WiFi Tether Router on phone > Resolved by default DNS of phone
Scenario 3 - DNS running on Phone:
I installed the "DNS Server" app from Ice Cold Apps on the phone and created a DNS server instance, but I am not allowed to choose port 53 so I chose to have it assign random port (40747). If I try to set the port for the DNS Server to 53 I receive an error saying "The port you entered is not valid, try another one (this normally happens because Android doesn't allow a server on that port or another app is using the port)."
I created a rule that points my-example-domain.com and my-other-domain.com to the IP address of the phone at 192.168.11.254. The rules are very simple, you can only provide a domain name and an IP address for the DNS Server to route it to, nothing more.
In the DNS Server settings there is a checkbox for "Use a DNS server for requests" which is checked by default with a box attached to it for "DNS Server IP" which is set to 8.8.8.8:53 by default, which is Google's DNS on port 53.
There is another checkbox (that I unchecked) which says "Use a web DNS server for requests" with a box attached to it for "Web DNS server url" that is pre-populated with a PHP url from China.
There isn't much documentation for these apps, so I assumed that it was ok just to use the Google servers from the first setting and skip the unfamiliar web DNS server stuff. I'm guessing those settings are supposed to determine where the DNS Server app checks for hosts you didn't explicitly define with a rule. For example, if someone types one of my two domain names it should forward, but any other name should be checked with that provided DNS server. I could be totally wrong about this, so some clarification would be nice.
In WiFi Tether Router under DHCP Settings I have:
HTML:
IP Address: 192.168.11.0 (0 is disabled and can't be changed)
DNS 1: 192.168.11.254 (phone)
DNS 2: 127.0.0.1 (phone)
There is no option for port for the DNS so it's checking port 53 on my phone, but the DNS server wasn't allowed to start on 53 so it's listening on 40747 instead. This means I need to forward port 53 to port 40747 so that the DNS requests sent to DNS Server on port 53 by WiFi Tether Router will be answered.
I installed the "Port Forward Ultimate" app from Ice Cold Apps on the phone. There is only one setting, a checkbox which says "Force using internal iptables (advanced)". I left it unchecked initially, but found that the port forwarding server will not start unless that box is checked (and it doesn't matter what ports I'm trying to forward, without that box checked it simply will not start).
I created the following rule in the port forwarding app:
HTML:
Source port: 53
Destination port: 40747
I left the "Forward to external host" box unchecked and the accompanying "Forward to host/IP" box empty.
I started Port Forward Ultimate, DNS Server, and WiFi Tether Router.
Both the desktop and the laptop connect to WiFi Tether Router, but neither of them can access live websites and neither of them resolves my-example-domain.com or my-other-domain.com.
I first thought that maybe the port forwarder couldn't bind to 53, so to test I changed my port forwarding settings to:
HTML:
Source port: 53
Destination port: 8080 (the port the web server is running on the phone)
When I visit 192.168.11.254:53 in Internet Explorer 9 from the desktop or laptop it works just fine (Chrome and Firefox won't let you browse websites on port 53, they show a security error, but IE works). I see the website from the web server that is running on port 8080 on the phone, so port 53 is bound and forwarding to 8080, but when I try to forward 53 to 40747 (the port of the DNS server on the phone) it doesn't work. I've tried the DNS server on various ports (40747, 1029, etc). I made sure the port forwarder was set to forward 53 to the port of the DNS server. I also made sure WiFi Tether Router was set to use the phone (192.168.11.254) as the DNS, but live websites won't load and the rules I have in the DNS server app on the phone do not cause my-example-domain.com or my-other-domain.com to resolve to either the phone itself on 192.168.11.254 or to the desktop web server running at 192.168.11.102 (I've tried setting it to forward to both).
I can forward port 53 directly to the web server on the phone or to the web server on the desktop (by checking "forward to external host" and providing the IP of the desktop), but when I set 53 to forward to the DNS server on the phone then the DNS server never does its job, as if it isn't even receiving requests.
When I run nmap on the phone at 192.168.11.254 with DNS and port forwarding enabled on the phone I get:
HTML:
PORT STATE SERVICE VERSION
53/tcp filtered domain
With port forwarding off I get:
HTML:
PORT STATE SERVICE VERSION
53/tcp open domain dnsmasq 2.62
When I run nmap on 40747 (or 1029 or any of the ports I've tried for the DNS server) with DNS running on the phone I get:
HTML:
PORT STATE SERVICE VERSION
1029/tcp filtered ms-lsa
WiFi Tether has no problem handing off the DNS to the Simple DNS Plus running on the desktop, but when it tries to hand the DNS off to DNS Server running on the phone it doesn't resolve.
Perhaps there is some kind of conflict I don't understand, like maybe when the DNS setting in WiFi Tether Router tries to connect to 192.168.11.254 on port 53 and is supposed to get forwarded. I do know that at all times I can access 192.168.11.254:8080 from the desktop as long as the web server is running and I am tethered to my phone.
Lastly, there is a checkbox in the DHCP settings for WiFi Tether Router which says "DNS Redirect" that when checked displays two IP address boxes for DNS 1 and DNS 2 under a header that says "Redirect DNS To". I'm not sure what this is, but it could be important. The only other two options under DHCP are "Use Internal DHCP" and "Use Alternative DHCP Config".
All I want is for most requests from tethered devices to go through standard DNS while the domain names I add host records for in the DNS Server on my phone will resolve to the IP addresses I specify, whether those IP addresses are external or the IP of the phone itself where the web server is running.
I have most of this working, including being able to hand off the DNS from WiFi Tether Router to one of my computers to do the routing, but I want to have it all self-contained on my phone as a standalone setup.
The web server is working, the tethering is working, the tethering handing off the DNS is working, the DNS on the desktop correctly routes the domains to the phone and the rest of the requests to live DNS, and the port forwarding appears to be working when forwarding 53 to my web server, so I'm just kind of stuck.
I've been working on this for 12 hours and I've hit a wall.
It could have something to do with needing to forward both UDP and TCP in the port forwarding, although there's no direct option for that except a box to create custom scripts that modify iptables, which I've tried but had no luck with. Or maybe Wifi Tether Router binds port 53 and is conflicting with the port forwarding / DNS server.
I'm open to any ideas as to why running WiFi Tether Router through the DNS on my phone with port forwarding doesn't work, but running WiFi Tether Router through DNS on my desktop does (especially since the DNS on the desktop correctly points my two domain names back to the phone for the web server to answer and also resolves live websites, both tasks that are receiving and sending requests through the phone); your input will be greatly valued.
The goal of this entire effort has been to create portable and private prototypes of browser-based applications that I've developed for still-to-go-live domain names and be able to run them entirely from my phone on any device that I tether (without modifying the hosts file on the tethered device) so that I can do on-the-fly demos even in areas with spotty data service. In addition, I can load up my SD card with media assets and personal content such as images, audio, and video and have everything available instantly in the web applications when I demo. I can also ensure that the only way to see particular applications I'm developing or access demo data is if you are directly tethered to my device. I can run full database software, application servers, and everything else directly from my phone and make changes to the apps instantly. All I need now is this one little DNS fix and I'm set.
Thanks!
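The UDP-versus-TCP question raised in the post can be tested directly. Below is an added example, not code from the post or from any of the apps it mentions: a minimal override resolver in Python that answers A queries from a rule table (the way the "DNS Server" rules do) on both UDP and TCP, plus a probe that sends one query over either transport and reports the answer. The domain names and the 192.168.11.254 address come from the post; the listening port is chosen by the OS and everything else is constructed.

```python
import socket
import struct
import threading

# Added example, not code from the post above: a minimal A-record resolver with
# an override table (like the "DNS Server" app rules) serving UDP and TCP on one
# port, plus a probe sending one query over either transport. All values constructed.
A_RECORD, IN_CLASS = 1, 1

def build_query(name, txid=0x1234):
    """Standard query, recursion desired, one A/IN question for name."""
    labels = [lab.encode() for lab in name.strip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", A_RECORD, IN_CLASS)

def read_name(msg, off):
    """Decode the name at off, following compression pointers; returns (name, end)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # pointer: 2 bytes, name continues elsewhere
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode())
            off += 1 + length

def build_response(query, overrides):
    """Answer from the override table; NXDOMAIN for every other name."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, end = read_name(query, 12)
    question = query[12:end + 4]                 # name + qtype + qclass
    ip = overrides.get(qname.lower())
    if ip is None:                               # flags 0x8183: response, RD, RA, rcode 3
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 60, 4)
              + socket.inet_aton(ip))            # name = pointer to the qname at offset 12
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def first_a_record(resp):
    """Dotted address of the first A record, or None (error rcode or no answer)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F or an == 0:
        return None
    off = 12
    for _ in range(qd):
        off = read_name(resp, off)[1] + 4
    for _ in range(an):
        off = read_name(resp, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            return socket.inet_ntoa(resp[off:off + 4])
        off += rdlen
    return None

def probe(host, port, name, proto="udp", timeout=2.0):
    """One A query over UDP or TCP; None on timeout, refusal or NXDOMAIN."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (host, port))
                resp = s.recv(512)
        else:                                    # TCP DNS: 2-byte length prefix
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                length = struct.unpack("!H", s.recv(2))[0]
                resp = s.recv(length)
    except (OSError, struct.error):
        return None
    return first_a_record(resp)

def start_resolver(overrides, host="127.0.0.1", port=0):
    """Serve the override table on UDP and TCP (same port); returns the port."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((host, port))
    tcp.listen(5)
    port = tcp.getsockname()[1]                  # port 0 lets the OS pick a free one
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, port))
    def serve_udp():
        while True:
            data, peer = udp.recvfrom(512)
            udp.sendto(build_response(data, overrides), peer)
    def serve_tcp():
        while True:
            conn, _ = tcp.accept()
            with conn:
                length = struct.unpack("!H", conn.recv(2))[0]
                resp = build_response(conn.recv(length), overrides)
                conn.sendall(struct.pack("!H", len(resp)) + resp)
    for fn in (serve_udp, serve_tcp):
        threading.Thread(target=fn, daemon=True).start()
    return port
```

Pointing `probe()` at a forwarded port with `proto="udp"` and then `proto="tcp"` shows which transport actually reaches the resolver behind it; a TCP-only forward (or a TCP-only nmap result) says nothing about the UDP path that ordinary resolvers use first.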

How to get hostname by pinging an IP Address in Java in Android Studio

Hello everyone,
I'm making an IP Scanner app in Android Studio. I have successfully checked if a PC in my LAN is Alive or Dead. But I also want to show the PC name against the IP Address.
I searched on the Internet and all the solutions I found just return me the IP Address, not the hostname, like:
Code:
import java.net.InetAddress;
import java.net.UnknownHostException;

// host.hostname holds the scanned IP address as a string (the poster's own field)
InetAddress inetAddr = InetAddress.getByName(host.hostname);   // throws UnknownHostException for a malformed address
String hostname = inetAddr.getHostName();                      // reverse lookup; returns the IP text again if no name is found
String canonicalHostname = inetAddr.getCanonicalHostName();
I also tried to execute ping -a [IP Address] in Android Terminal, but that also returns the IP Address, not the Host Name.
But if I do ping -a [My Local IP] then it returns local-host, but for all other IPs it doesn't work.
This is also not a DNS issue as someone suggested on Stackoverflow, because on my Windows 7 machine I'm able to resolve the hostname using ping -a [IP Address].
Both my Windows machine and Android phone are getting their IP from DHCP and all other settings like DNS and Gateway are the same for both devices.
This was fairly easy in .Net as I have created an IP Scanner in .Net, but in Java I haven't found a solution for this yet.
Hope someone will provide a solution
Thanks

[GUIDE] My Pi-hole and PiVPN powered by our Raspberry Pi 3 Model B+

ATTENTION (update on 2018-04-09): The procedures described in this thread only work if you own an internet account with a public IPv4 address or dual stack, i.e. both a public IPv4 and a public IPv6 address. For accounts with only a public IPv6 address, it won't work. Please also refer to post #16.
Although I'd already read quite a lot about commercial VPN providers, reading of this article "VPN Leaks Found on 3 Major VPNs out of … 3 that We Tested" clearly established my decision to go for my own private VPN.
Thanks to Mike Kuketz who's running an excellent German blog regarding information technology security, I was able to study these two articles (https://www.kuketz-blog.de/pi-hole-schwarzes-loch-fuer-werbung-raspberry-pi-teil1/, https://www.kuketz-blog.de/pivpn-raspberry-pi-mit-openvpn-raspberry-pi-teil3/) about Pi-hole and PiVPN on/via a Raspberry Pi and immediately decided to purchase a Raspberry Pi 3 Model B+ (including an official case and charger) from an authorised Raspberry Pi dealer. Remark for German speaking XDA users: Mike also runs a very interesting forum in conjunction with his blog.
I'd be glad if this thread raises or raised your interest in a Raspberry Pi with Pi-hole and PiVPN. We are fascinated by their capabilities and glad to be able to utilise our own private VPN. If you also decide to go for it, I hope that this tutorial facilitates setup and configuration. However, always be aware and remember that different scenarios exist in which use of a VPN might be reasonable. Anonymously browsing the web via a VPN provider certainly isn't one of them. The desire for anonymity and privacy in the world wide web is a reasonable wish of many users that can unfortunately hardly be implemented, or only with extremely high effort. You do not achieve anonymity while browsing the web only because your network traffic is tunneled via a VPN provider. This is only a promotional promise belonging in the category of modern fairy tales of the internet. However, by use of a (private) VPN you certainly enhance your privacy due to the encryption of your data traffic, in this case between the Android device and the Raspberry Pi / PiVPN.
Intent of this thread is to share my experiences and procedure during the setup of the Raspberry Pi, Pi-hole and PiVPN. As client (or you might call it the companion of PiVPN) on our Android devices, I use OpenVPN for Android by Arne Schwabe. I downloaded it from F-Droid; however, it's also available via the Google Play Store. Possibly interesting to a few Android users might be that it does not require root. The whole setup is positively working on our Android Nougat ROM but I don't have any experiences with Android Oreo.
Additionally I want to clearly emphasise that I personally used Mike's two above linked articles written in German i.e. my thread is more or less only a translation of Mike's instruction into English. Therefore, I must clearly state that all credits go to Mike Kuketz.
Generally, in this thread I don't intend to discuss the reasons that induced my decision to establish my own private VPN or to create my own Network-wide ad blocking. Already brief searches of the web are providing multiple hits in this context but it's anyway a very private decision.
Additionally, I'm only focusing on our router, an AVM Fritz!Box 7390, our Android devices (Samsung Galaxy S3 LTE - i9305, all with RR-N-v5.8.5-final, Magisk v16.0, Xposed, XPrivacyLua and GApps-free thanks to microG), and Windows 10 Pro on a notebook (I just started to familiarise myself with Linux Mint, i.e. all work in regard to this thread was conducted under Windows). I'm convinced that all interested readers of this thread are capable of translating/transferring the basic ideas to other routers, devices or Linux, iOS etc.
Content:
Post #2: Initial Installation of the Raspberry Pi
Post #3: The Pi-hole
Post #4: PiVPN
Post #5: PiVPN in Combination with the Pi-Hole
Post #6: OpenVPN for Android
Post #7: Dynamic DNS
Post #8: Customisation of the NTP-Server
Post #9: Unbound / Recursive DNS server
Remark:
In the attached screenshots, IP-addresses are blacked out for privacy reasons.
Please advise if something is not clear, incorrect or incomplete.
Off topic comments are allowed as long they are generally related to the overall topic, are in the general interest of the followers of this thread and add value to the thread. Having fun is always welcomed here. The ultimate decision rests with me as the OP!
Initial Installation of the Raspberry Pi
Updated on 2019-03-17!
********************
As already said, I'd ordered a Raspberry Pi 3 Model B+ including the official housing and AC charger. Most likely the whole setup is going to work with other Raspberry Pi models, but please note that Jacob Salmela, the developer of Pi-hole, recommends a system with 512 MB RAM. Brief remark: you're unable to place the Raspberry Pi in its housing with an inserted microSD card.
Talking about microSD cards, I use a 32 GB, class 10 card to host the Raspberry Pi's OS and the Pi-hole/PiVPN. I'm convinced that a 16 GB card is also suitable; even an 8 GB one might be sufficient. I personally didn't require a keyboard or screen for the Raspberry Pi as I connect to it via a Secure Shell (SSH).
I decided to use RASPBIAN, the official OS of the Raspberry Pi Foundation; however, there are other OSes available, just search the web. I'm using Raspbian Stretch Lite, which fully meets my requirements, and downloaded it here as a zip-file. I unzipped the file and inserted the microSD into my notebook. There are multiple ways described to flash the OS image to the SD, but I decided to use Win32DiskImager. The Win32DiskImager utility is available via its Sourceforge project page as an installer file. I exactly followed the instructions as provided on the last linked Raspberry Pi page.
After the image had been flashed to the SD, I had to create a simple file called "ssh" in the /boot partition in order to be able to access the Raspberry Pi via SSH later on. As a Windows user, I first had to install the Ext2Fsd driver to be able to access the system partition. The microSD was now prepared and ready to use.
The Raspberry Pi was already sleeping in its housing, I inserted the microSD into the Pi, connected the Pi by a regular network cable to LAN3 of my Fritz!Box (LAN1 is used for the connection to my Genexis Hybrid Live! Titanium-54 running in bridge mode as fiber modem, the internet radio is connected to LAN4) and finally connected the Pi to power.
For the following steps, please refer to the attached screenshots (I apologise for not having changed the Windows system language to English). The next step was to access the admin panel of our Fritz!Box. Its DHCP server is enabled; however, I don't allow the DHCP server to use the complete spectrum of IP addresses ("Home network => Home network overview => Network settings => IPv4-addresses"). On "Home network => Home network overview" I selected the details of the raspberrypi. Here, I assigned an IP to raspberrypi that is outside of the DHCP IP-range and ticked "always assign the same IP". Just for completeness, even before I installed the Raspberry Pi the DNS-servers were set to 85.214.20.141 (i.e. Digital Courage) and 213.73.91.35 (i.e. Chaos Computer Club) in the Fritz!Box ("Internet => Access credentials => DNS server"). On this German page you find other uncensored and free DNS servers without tracking.
Knowing the IP-address of the Raspberry Pi, I now connected to the Pi via SSH by use of PuTTY that I downloaded from here and installed it. After start of PuTTY and entering of the Pi's IP, a terminal opens.
The default user credentials are:
- User: pi
- Password: raspberry
Now, I accessed the Pi's admin terminal, and first changed the default password by:
Code:
passwd
Slightly changed the Pi's configuration:
Code:
sudo raspi-config
Code:
Advanced Options → Expand Filesystem
Localisation Options → Change Timezone → Europe → Berlin
Finish, Reboot
My last step in the setup of the Raspberry Pi was to update the packages by:
Code:
sudo apt-get update
sudo apt-get upgrade
sudo reboot
Final remark: I keep the Raspberry Pi's WiFi disabled as I don't require it.
The Pi-hole
Updated on 2019-03-18!
********************
The Pi-hole has been developed by Jacob Salmela since 2015. Pi-hole is based on dnsmasq and the webserver Lighttpd. The complete source code is available at GitHub. But what makes Pi-hole actually so special? It's a solution to block advertisements and trackers already within the network, i.e. Pi-hole is theoretically able to block ads for all devices connected to the network. I guess this initially sounds adventurous, but it proves to work in our home network.
If interested in the technical background please refer to the linked websites.
For the installation of Pi-hole on the Raspberry Pi, I connected to the Pi via SSH and opened a terminal. For a full automatic installation of Pi-hole I used the following command line:
Code:
curl -sSL https://install.pi-hole.net | bash
Attention: Please acknowledge the following statement posted on the Pi-hole webpage:
Our code is completely open, but piping to bash can be dangerous. For a safer install, review the code and then run the installer locally.
After completion of the installation of all packages and dependencies, the configurator opened. My personal selection is as follows:
Select Upstream DNS Provider
Custom: 85.214.20.141, 213.73.91.35 [Remark: DNS servers as already mentioned in post #2.]
Select Protocols
IPv4: Check
IPv6: Uncheck (Remark: None of our devices uses IPv6.)
Do you want to use your current network settings as a static address?
IP address: xxx.xxx.xxx.xxx (Remark: The fixed IP-address of the Raspberry Pi.)
Gateway: xxx.xxx.xxx.1 (Remark: The IP of my router i.e. the Fritz!Box.)
Do you want to log queries?
On: Check
After the configurator's queries were completed, it provided me with the address of the graphical web-interface (http://pi.hole/admin or http://"IP-address of the Pi"/admin; screenshot available in the OP) and the login password for Pi-hole.
Remark: As soon as practicable I changed the initial password to my own one by following command line:
Code:
sudo pihole -a -p
In order that ads and trackers are blocked by the Pi-hole, it's necessary to point all devices to the Pi as their DNS-server. As usual, different ways and approaches exist to do so. Below I only describe the one I used.
Please refer to the attached screenshot that I already used in post #2, too. I circled the field where I inserted the IP-address of the Pi as the local DNS server.
Remark: With some routers it's possible to simply assign the IP-address of the Raspberry Pi as the new DNS-server. Advantage: Nothing is changing for the clients; they simply send a DNS-request to the router that forwards it to the Pi-hole in turn. However, this feature is not available for all Fritz!Boxes due to their integrated "DNS Rebind Protection".
Just for completeness a few useful Pi-hole commands:
pihole -h: Help that shows a list of all available commands
pihole -up: Initiates an update of the Pi-hole software
pihole -r: Relaunch of the configurator, e.g. to conduct changes to the DNS
pihole -g: Initiates an update of the blocklists
Pi-hole automatically updates the ad sources once a week on Sunday at a random time in the early morning. If required this "cron-job" can be changed via
Code:
sudo nano /etc/cron.d/pihole
respectively
Code:
sudoedit /etc/cron.d/pihole
Since Pi-hole version 3.x, it's no longer required to add/delete/amend blocklists via a terminal but can easily be accomplished via the Admin-web-interface.
Now some initial changes to the pi-hole settings via the Admin GUI:
Settings → DNS → DNSSEC: Enabled.
Settings → Blocklists: Set to your own desire; I've got all default lists enabled. Personally I added the Non-crossed-list to the blocklists. Just copy and paste all lists into the text field, followed by a click onto "Save and Update".
In the dashboard, about 1M blocked domains should be indicated.
Final remark: Personally, I recognise the Pi-hole as my first line of defense, and I continue to use addons in my browser like uBlock Origin to defeat the rest.
PiVPN
Updated on 2019-03-18
*******************
The project PiVPN has a webpage and additionally a Github-page, where its source can be examined. Basically, PiVPN is nothing else than a collection of shell scripts that greatly facilitates installation and configuration of OpenVPN.
I guess it's obvious that a VPN only makes sense if the Android device is always able to reach the end of the tunnel and to connect to the Raspberry Pi. You are certainly aware that a lot of or most Internet Service Providers (ISPs) assign dynamic IPs to an Internet account - at least mine does, i.e. my ISP regularly or occasionally changes the IP-address of my account. In turn, this means we need to ensure that the Android device "finds" the Raspberry Pi independent of its IP address. Two simple steps are required to achieve this and ought to be conducted prior to the installation of PiVPN on the Raspberry Pi:
Assign a static IP to the Raspberry Pi on the router as described in post #2.
Find and use a DynDNS-provider who converts the dynamic, public IP-address assigned by the ISP into a permanent domain name as described in post #7.
Remark: Ideally, use of the subnets 192.168.0.x/24 or 192.168.1.x/24 should be avoided as they are very commonly in use, and routing conflicts might arise when trying to connect from the outside. In this context, please acknowledge a note taken from the OpenVPN-log:
NOTE: Your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
After I managed these prerequisites, I commenced installation of PiVPN that is as easily conducted by a single command line as it had been for the Pi-hole (the respective attention note I made in post #3 also applies here):
Code:
curl -L https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh | bash
At first, the script updates the APT-package sources followed by the upgrade of the packages and subsequently installs OpenVPN.
During the installation I was able to customise my configuration. Attached are a few screenshots that I explain in sequence below:
As already stated the IP-address of PiVPN respectively the Raspberry Pi ought to be static on the router. The gateway address is usually the internal IP address of the router.
Usually, I'm not one for automated updates or upgrades as I rather maintain control and prefer to be able to immediately intervene in case of issues. However, I decided to make an exception for PiVPN as in this case activation of validation and installation of security updates seems to be very reasonable, especially if the solution is meant to be "fire (i.e. install) and forget"; i.e. install once and rarely have to care. Don't interpret rarely as never; the automated security updates merely lighten my workload.
As protocol I chose UDP and left the standard port 1194 unchanged. At this point, I don't intend to start a discussion about the pro's or con's of OpenVPN via UDP or TCP, just briefly: UDP is faster and TCP more reliable. Please allow me to quote the OpenVPN mainpage:
OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks.
Since OpenVPN v2.4, authentication and key exchange are possible via elliptic curves. PiVPN optionally generates either a 256-, 384-, or 521-bit ECDSA key pair, containing the public and private keys. 256-bit is the default setting, which is fine as it roughly matches the security level of a 3072-bit RSA key.
The key generation on a Raspberry Pi 3 only takes a few seconds.
The struck-out lines are only valid for clients that don't support OpenVPN v2.4+:
For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys.
Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.
Due to the already a few times mentioned "issue" with the dynamic public IP-address issued by the ISP, I ticked "Use a public DNS".
In this window I entered my domain name as mentioned in post #7 regarding dynamic DNS.
I selected custom to use the DNS servers of my choice.
Here, I entered "my" DNS servers as already explained in post #2.
This completed the installation and configuration of PiVPN. Now, I had to create profiles that in turn need to be "installed" on my clients. Personally, I decided to use a distinct profile for each client. To create a profile for an Android device the following command lines apply:
Code:
pivpn add
Code:
Enter a Name for the Client: MyClientName
Enter the password for the client: MyPassword
Subsequently the profile was generated with all necessary information (certificate, encryption details, etc.) and saved at /home/pi/ovpns.
I downloaded and installed FileZilla on my Windows notebook, connected via FileZilla to the Raspberry Pi and copied the file "MyClientName.ovpn" at /home/pi/ovpns onto my notebook. I transferred this file to my Android device and imported it into OpenVPN for Android; please refer to post #6 for more information in this respect.
That was it - now I was nearly able to connect my Android via my own private VPN with PiVPN respectively our Raspberry Pi; the only missing step was to open the router's/Fritz!Box's UDP port 1194 for the Raspberry Pi / PiVPN to allow data to pass from the outside.
The procedure is pretty simple and straightforward for a Fritz!Box (please refer to the last three screenshots). Open the admin web-interface of the Fritz!Box and select "Internet => Permissions => Port permissions => New port permission" (Remark: The English web-interface may read differently from my translation, but I'm convinced it's self-explanatory). The IP must be the fixed IP assigned to the Raspberry Pi; I chose to name this permission "OpenVPN", selected UDP as the protocol and port "1194". And I didn't forget to tick "Activate permission".
Last but not least, the following command line allowed me to check if my i9305 successfully connected to my PiVPN:
Code:
pivpn list
PiVPN in Combination with the Pi-Hole
Updated on 2019-06-15.
--------------------------------------------------------------------------------------------------------------------------------------------------
Please allow me to mention another great advantage of having PiVPN together with Pi-hole on one and the same Raspberry Pi:
All of our mobile devices, which connect via OpenVPN with our home network, benefit from the Pi-hole i.e. no advertisement or trackers that follow us at every turn when connected to the web via mobile data or a WiFi network other than ours.
However, in order to achieve this I was required to slightly modify two configuration files on the Raspberry Pi as described below (please refer to the screenshots) - and ok, it's self-evident that I first had to install Pi-hole and PiVPN on the same Raspberry Pi as described in this thread.
At first, I modified the OpenVPN server configuration by nano via the Raspberry Pi's console:
Code:
sudo nano /etc/openvpn/server.conf
The file opened and I looked for those two lines showing the IP-addresses of the DNS servers of my choice and as mentioned in the posts above:
Code:
push "dhcp-option DNS 85.214.20.141"
push "dhcp-option DNS 213.73.91.35"
I deleted one line and modified the other one to read:
Code:
push "dhcp-option DNS 10.8.0.1"
As DNS-server for all of our clients I've therefore defined the IP address of the VPN interface (tun0) (originally the local IP of the eth0 interface) of our Raspberry Pi, and hence forward all DNS-requests to the local DNS-server (dnsmasq) of the Pi-hole.
With its latest release Pi-hole changed the content of dnsmasq.conf located at /etc (for details refer to DNS Resolver in the Pi-hole documentation). dnsmasq.conf now simply points to a new folder named dnsmasq.d that is also located at /etc (refer to attached screenshot 1). This folder now contains the actual configuration files and is initially only populated with one file called 01-pihole.conf, which is the configuration file of Pi-hole's dnsmasq. 01-pihole.conf is used and modified by Pi-hole itself, and no custom modification should be made to it (refer to screenshot 2). However, additional configuration files in this folder will be executed in sequence by dnsmasq / FTLDNS.
This means I created a new file called 10-general.conf:
Code:
cd /etc/dnsmasq.d
sudo touch 10-general.conf
sudo nano /etc/dnsmasq.d/10-general.conf
Insert line:
Code:
interface=tun0
This means we added a line with the VPN interface (tun0) that is listening on IP 10.8.0.1 by default.
Finally, I simply rebooted the Raspberry Pi.
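The two edits above only work together: the DNS address pushed to clients must be the server's own tun address (the first host of the OpenVPN `server` subnet, so 10.8.0.1 for 10.8.0.0/24), and dnsmasq must listen on that interface. Below is an added check for that, written for this thread and not part of PiVPN or Pi-hole; the `server 10.8.0.0 255.255.255.0` and `dev tun` lines in the sample server.conf are constructed to match the 10.8.0.1 default mentioned above, and the assumption that `dev tun` appears as tun0 on the Pi is the example's own.

```python
import ipaddress
import re

# Added example (not from the guide): verify that an OpenVPN server.conf and the
# dnsmasq drop-in agree, i.e. the DNS pushed to VPN clients is the server's own
# tun address so queries reach the Pi-hole, and dnsmasq listens on that interface.
# The sample configs below are constructed, not copied from a real Pi.

PUSH_DNS = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"', re.M)
SERVER = re.compile(r"^\s*server\s+(\S+)\s+(\S+)", re.M)
DEV = re.compile(r"^\s*dev\s+(\S+)", re.M)
INTERFACE = re.compile(r"^\s*interface\s*=\s*(\S+)", re.M)


def vpn_tun_address(server_conf):
    """OpenVPN assigns the server the first host of 'server <net> <mask>'."""
    m = SERVER.search(server_conf)
    if m is None:
        return None
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return net.network_address + 1


def vpn_interface(server_conf):
    """Assumption: 'dev tun' shows up as tun0; an explicit 'dev tun3' is kept as is."""
    m = DEV.search(server_conf)
    dev = m.group(1) if m else "tun"
    return dev + "0" if dev in ("tun", "tap") else dev


def check_pihole_over_vpn(server_conf, dnsmasq_dropin):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    tun_ip = vpn_tun_address(server_conf)
    if tun_ip is None:
        return ["server.conf has no 'server <net> <mask>' line"]
    pushed = PUSH_DNS.findall(server_conf)
    if not pushed:
        findings.append('no push "dhcp-option DNS ..." line: clients keep their own DNS '
                        "and bypass the Pi-hole")
    for ip in pushed:
        if ipaddress.ip_address(ip) != tun_ip:
            findings.append(f"pushed DNS {ip} is not the tun address {tun_ip}: "
                            "clients bypass the Pi-hole")
    iface = vpn_interface(server_conf)
    if iface not in INTERFACE.findall(dnsmasq_dropin):
        findings.append(f"dnsmasq drop-in lacks interface={iface}: "
                        "Pi-hole does not answer on the VPN")
    return findings


# Constructed samples: the state before and after the edits described above.
SERVER_CONF_BEFORE = """\
dev tun
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 85.214.20.141"
push "dhcp-option DNS 213.73.91.35"
"""
SERVER_CONF_AFTER = """\
dev tun
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
"""
DNSMASQ_DROPIN = "interface=tun0\n"

if __name__ == "__main__":
    for label, conf in (("before", SERVER_CONF_BEFORE), ("after", SERVER_CONF_AFTER)):
        print(label, check_pihole_over_vpn(conf, DNSMASQ_DROPIN) or "OK")
```

Run it against the real files (`/etc/openvpn/server.conf` and `/etc/dnsmasq.d/10-general.conf`) after the edits and before the reboot; an empty result means clients will hand their DNS to the Pi-hole through the tunnel.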
OpenVPN for Android
As already stated in the OP that also contains a few screenshots, I only use OpenVPN for Android by Arne Schwabe on our Android devices. No experiences with other OpenVPN applications and most likely never will because Arne's app is easy to configure and perfectly running and performing as expected by me.
During the installation of PiVPN and as explained in post #4 I created profiles for each of our mobile Android devices. I transferred the respective profile file (name something like "MyClientName.ovpn") to the respective device. I installed "OpenVPN for Android", opened the application, granted permission to "storage" and just imported the before-mentioned file. If I remember correctly, the application asks for the password I created during the creation of the profile. This password is always queried when starting an OpenVPN connection. That was all; I didn't modify anything in the settings of the application.
Please acknowledge these Security Considerations provided by Arne on his FAQ page:
"As OpenVPN is security sensitive a few notes about security are sensible. All data on the sdcard is inherently insecure. Every app can read it (for example this program requires no special sd card rights). The data of this application can only be read by the application itself. By using the import option for cacert/cert/key in the file dialog the data is stored in the VPN profile. The VPN profiles are only accessible by this application. (Do not forget to delete the copies on the sd card afterwards). Even though accessible only by this application the data is still unencrypted. By rooting the telephone or other exploits it may be possible to retrieve the data. Saved passwords are stored in plain text as well. For pkcs12 files it is highly recommended that you import them into the android keystore."
Dynamic DNS
EDIT (2018-06-15)
--------------------------------------------------------------------------------------------------------------------------------------------------
You are certainly aware that a lot of or most Internet Service Providers (ISPs) assign dynamic IPs to an Internet account - at least mine does, i.e. my ISP regularly or occasionally changes the IP address of my account. You can easily retrieve the IP address currently assigned to your account by e.g. IP/DNS Detect (which additionally offers a lot of other useful information about your current footprint on the web - or how well it is disguised by your browser addons).
However, with Dynamic DNS it's possible to connect to my Fritz!Box respectively the Raspberry Pi despite the changing IPs by use of an unchanging domain name. In order to actually achieve this, a dynDNS provider is required. I personally went with Two-DNS that offers an account with up to five free hosts and a wide collection of domains to choose from. Below I try to explain how I configured our Fritz!Box for the use of Two-DNS.
By default, the Fritz!Box already cooperates with a lot of dynDNS-providers but not with Two-DNS; however, via the option "user defined/customised" it's pretty easily achieved.
Create your Two-DNS account.
After you created the account, a "New Host" is created by Two-DNS.
You can choose any host name you want unless it's already in use. The dropdown box offers you different possibilities for the domain (part).
Just as an example; it's not my actual domain name (in blue the host name; in green the domain): "myfritzbox.my-wan.de". The Fritz!Box respectively the Raspberry Pi can later be called up by this domain name.
This completed the setup of the account/host at Two-DNS. Now we need to access the web-interface of the Fritz!Box.
Via "Internet => Permissions => Dynamic DNS" (I hope the settings translate this way to English but I'm convinced you're figuring it out) the following settings were assigned:
Dynamic DNS-Provider: User defined/customised
Update-URL: https://update.twodns.de/update?hostname=<domain>&ip=<ipaddr>
Domain name: your domain (e.g. myfritzbox.my-wan.de)
User name: the email address you registered with Two-DNS
Password: your Two-DNS password
Apply - and that's it. On "Internet => Online-Monitor" it should read (refer to screenshot):
DynDNS active, "your domain name", IPv4-status: successfully logged in.
Attention: Due to the limited number of IPv4 addresses, a lot of new internet accounts have been connected to the internet via Dual Stack Lite (DS-Lite). If this is the case for your internet account, the above-mentioned procedure is unusable. Please acknowledge the following AVM post on their website in this respect.
Customisation of the NTP-Server
I've customised the NTP-server to synchronise the time with the German Physikalisch-Technische Bundesanstalt (PTB).
Code:
sudo nano /etc/systemd/timesyncd.conf
NTP=ptbtime1.ptb.de ptbtime2.ptb.de
Unbound / Recursive DNS server
Updated on 2019-03-18
******************
I decided to install Unbound in order to operate the Pi as my own (tiny) recursive DNS server.
Via the Pi-hole admin GUI, I disabled DNSSEC in Settings => DNS, as Unbound is handling that later on.
As we require, for the very last step (the local root zone), a newer version of Unbound than the one currently available via the default sources of Raspbian Stretch, we need to play tricky via Apt-Pinning to allow retrieving the software from the testing branch of Debian.
We install dirmngr and fetch a GPG key to verify the downloaded packages from the testing branch:
Code:
sudo aptitude install dirmngr
sudo apt-key adv --receive-keys 0x7638D0442B90D010
Now we edit the sources.list and add the link to the package.
Code:
sudo nano /etc/apt/sources.list
#Testing
deb http://ftp.de.debian.org/debian/ testing main non-free contrib
Now we give the testing branch a lower priority than stable:
Code:
sudo nano /etc/apt/preferences
Package: *
Pin: release a=stable
Pin-Priority: 600
Package: *
Pin: release a=testing
Pin-Priority: 400
Update of the database and installation of Unbound:
Code:
sudo aptitude update
sudo aptitude install unbound/testing
During the installation, Raspbian provides suggestions on how to resolve the dependencies. The first suggestion is to simply not install Unbound, which we deny by "N". In the second suggestion, all current dependencies ought to be updated from the testing branch, which we confirm by two times "Y". And we allow the services to be automatically re-started during the installation. Don't care about possible red error messages; we'll take care of that later.
During the installation you'll see following message:
Configuration file '/etc/lighttpd/lighttpd.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
Please answer with "N" in order to keep the Lighttpd configuration that was installed by Pi-hole.
In order to avoid network issues with DHCP during a network re-start, add the following to this file:
Code:
sudo nano /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
Now we provide Unbound with a file containing name and address of the root server.
Code:
wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/
We adapt the additional config-file for Unbound provided by Pi-hole:
Code:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"
    # Trust glue only if it is within the servers authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
Re-start Unbound and let's test functionality, commencing with a simple DNS request followed by DNSSEC:
Code:
sudo systemctl restart unbound
dig kuketz-blog.de @127.0.0.1 -p 5353
dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
The second request should provide "status: SERVFAIL" while the last one a "status: NOERROR".
Now go back into the Pi-hole admin GUI, and under Settings => DNS delete the entry in "Custom 2" and untick it.
For "Custom 1" modify the entry to:
127.0.0.1#5353
Pi-hole lighttpd Workaround
The upgrade of Debian Buster packages (testing) for Unbound (v. 1.9.0-2) also upgrades the Lighttpd webserver package from version 1.4.45-1 (now stable) -> 1.4.53-3 (testing). Currently, Pi-hole isn't yet compatible with the new Lighttpd syntax. After an upgrade to the new version, the Lighttpd webserver doesn't start and the Pi-hole web interface can't be reached. In order to solve this issue, here's the following work-around:
Code:
sudo nano /etc/lighttpd/lighttpd.conf
Comment the following line
Code:
#include_shell "/usr/share/lighttpd/create-mime.assign.pl"
and insert this line:
Code:
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
Start or re-start the lighttpd service:
Code:
service lighttpd start
service lighttpd restart
Some users, including me, complained about starting issues of the lighttpd webserver, therefore I also commented the following line:
Code:
#include_shell "cat external.conf 2>/dev/null"
In order to spare us the first DNS request by Unbound to the DNS root servers, we provide Unbound with the respective configuration. It must occasionally be updated, as the DNS root servers themselves sometimes receive changes, e.g. to their IP addresses. As I don't want to update everything manually, I created two things:
a mechanism that automatically notifies my about updates
and a script that eases the replacement by new configuration files.
We create a dynamic Message of the Day (MOTD). This is supposed to be a notification that always appears whenever we log into the Pi via SSH. We delete the static MOTD in order to only have our dynamic one be displayed.
Code:
sudo rm /etc/motd
We now edit a file in that folder that is analysed for the creation of MOTD's. This will ensure that we're always informed about the currentness of the Hyperlocal configuration when we log into the Pi via SSH.
Code:
sudo nano /etc/update-motd.d/20-info
The code in this file will be executed and the resulting output transferred to the MOTD. Add the following lines but replace "NAME" with your Pi user name.
Code:
#!/bin/bash
echo
echo -e "\e[1mUptime:\e[m $(uptime)"
echo -e "\e[1mDate:\e[m $(date)"
echo -e "\e[1mHyperlocal conf:\e[m $(cat /home/NAME/.unbound/update.txt)"
echo
In the folder for user scripts we now create the new script that will provide the update notifications:
Code:
sudo nano /usr/local/bin/autoupdatelocalroot
Code:
#!/bin/bash

## VARIABLES ##
DIR=$HOME/.unbound
hints=/var/lib/unbound/root.hints
conf=/etc/unbound/unbound.conf.d/localroot.conf
infile=${DIR}/root.hints
outfile=${DIR}/localroot.conf
update=${DIR}/update.txt

## SCRIPT ##
# check for existence of update.txt file and .unbound directory
if [[ ! -d $HOME/.unbound ]]; then
    mkdir ${DIR}
fi
if [[ ! -e $HOME/.unbound/update.txt ]]; then
    echo "up to date" > ${update}
fi

# get the file with the root servers and save as "root.hints"
wget --timeout=30 -O ${infile} https://www.internic.net/domain/named.root

# extract name and IP addresses (A + AAAA) of root servers and nicely put them into the file for unbound
awk '
BEGIN { print "auth-zone:\n\tname: \".\"" }
{
    if($0 ~ /[ ]NS[ ]/)   { print "\t# "$NF }
    if($0 ~ /[ ]A[ ]/)    { print "\tmaster: "$NF }
    if($0 ~ /[ ]AAAA[ ]/) { print "\tmaster: "$NF }
}
END { print "\tfallback-enabled: yes\n\tfor-downstream: no\n\tfor-upstream: yes\n\tzonefile: \"root.zone\"\n" }
' ${infile} > ${outfile}

#update the motd update notification if neither outfile nor diff file empty
if [[ -e ${outfile} && "$(diff -Niw ${conf} ${outfile})" != "" ]] || [[ -e ${infile} && "$(diff -Niw ${hints} ${infile})" != "" ]]; then
    echo "Update available – please run: sudo updateunboundconf" > ${update}
else
    echo "up to date" > ${update}
fi

#print update status
cat ${update}
echo
The script will be executable for all users and be added to Crontab for regular execution. When I was asked which editor to use while editing Crontab, I stayed with nano.
Code:
sudo chmod 755 /usr/local/bin/autoupdatelocalroot
crontab -e
In order to e.g. execute the script on Sundays at 04:20 we add the following line:
Code:
20 4 * * 0 /usr/local/bin/autoupdatelocalroot
Now we create the second script that will ease the update of the configuration files. It won't be executed automatically but only after a manual launch for a simple reason: I want to control this and be personally present in case of any unforeseen event.
Code:
sudo nano /usr/local/sbin/updateunboundconf
Code:
#!/bin/bash

## VARIABLES ##
DIR=/home/$(logname)/.unbound
hints=/var/lib/unbound/root.hints
conf=/etc/unbound/unbound.conf.d/localroot.conf
infile=${DIR}/root.hints
outfile=${DIR}/localroot.conf
update=${DIR}/update.txt
PLSUPDATE="Please run 'autoupdatelocalroot' first."
NOTHING="Update skipped, nothing done."

## SCRIPT ##
#update root.hints file
if [[ -e ${infile} ]] && [[ "$(diff -Niw ${hints} ${infile})" != "" ]]; then
    input=r
    echo "Install new root.hints file for Unbound (overwrites old file)?"
    echo "Yes / No / Re-Read differences?"
    while [[ "$input" =~ [rR] ]]; do
        diff -Niw ${hints} ${infile} | less
        read -e -p " [Default = no] (y/n/r): " input
    done
    if [[ "$input" =~ [yY] ]]; then
        mv -fv ${infile} ${hints}
        chown unbound:unbound ${hints}
        chmod 644 ${hints}
        yes1=TRUE
    else
        echo
        echo $NOTHING
        echo
    fi
else
    if [[ ! -e ${infile} ]]; then
        echo
        echo $PLSUPDATE
        echo
        exit 1
    else
        yes1=TRUE
    fi
fi

#update localroot.conf file
if [[ -e ${outfile} ]] && [[ "$(diff -Niw ${conf} ${outfile})" != "" ]]; then
    input=r
    echo "Install new localroot.conf file for Unbound (overwrites old file)?"
    echo "Yes / No / Re-Read differences?"
    while [[ "$input" =~ [rR] ]]; do
        diff -Niw ${conf} ${outfile} | less
        read -e -p " [Default = no] (y/n/r): " input
    done
    if [[ "$input" =~ [yY] ]]; then
        mv -fv ${outfile} ${conf}
        yes2=TRUE
    else
        echo
        echo $NOTHING
        echo
    fi
else
    if [[ ! -e ${outfile} ]]; then
        echo
        echo $PLSUPDATE
        echo
        exit 1
    else
        yes2=TRUE
    fi
fi

#update motd update notification
if [[ "$yes1" == TRUE ]] && [[ "$yes2" == TRUE ]]; then
    echo "up to date" > ${update}
    echo
    echo "Unbound's local root config is up to date!"
    echo
else
    echo
    echo "Entire or partial Update still pending."
    echo
fi
This script also gets the permissions to be executable; however, only for root users (in case you use multiple users).
Code:
sudo chmod 744 /usr/local/sbin/updateunboundconf
Let's perform a test run and hereby simultaneously create the effective configuration files.
Code:
sudo autoupdatelocalroot
For the second script we're using the tool diff that illustrates the differences between the files. The symbol "<" at the beginning of a line shows that this line is removed in the second file (i.e. the new, updated configuration), while ">" means this line will be added. To visit all differences, navigate with the arrow keys and terminate with the key "q".
For final installation of the new files confirm with "Y".
Code:
sudo updateunboundconf
All credits go to Mike Kuketz and Max Tschaeggaer for their German-language tutorial.
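As an added example, not the thread's own script: the same named.root to auth-zone conversion that autoupdatelocalroot performs, plus a sanity check that refuses a truncated or malformed download before it can replace the live root.hints. The sample input is a constructed excerpt in named.root layout; the function names and the minimum-server threshold are assumptions.

```shell
# Constructed excerpt in named.root layout (two of the thirteen root servers), not the real file.
SAMPLE_HINTS='; constructed excerpt in named.root layout
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
; End of file'

# gen_localroot_conf <hints-file>: print an Unbound "auth-zone" stanza to stdout.
# Field 3 of a named.root record is the RR type, the last field its value.
gen_localroot_conf() {
    awk '
    BEGIN        { print "auth-zone:\n\tname: \".\"" }
    /^;/         { next }                      # comment lines in named.root
    $3 == "NS"   { print "\t# " $NF }          # server name, kept as a comment
    $3 == "A"    { print "\tmaster: " $NF }    # IPv4 address of a root server
    $3 == "AAAA" { print "\tmaster: " $NF }    # IPv6 address of a root server
    END          { print "\tfallback-enabled: yes\n\tfor-downstream: no\n\tfor-upstream: yes\n\tzonefile: \"root.zone\"" }
    ' "$1"
}

# check_hints <hints-file> [min-servers]: return 0 only if the file lists at least
# min-servers NS records (13 for the real root zone, the assumed default) and every
# listed server has an A record. An empty, truncated or HTML error-page download
# therefore fails here instead of being installed over a working root.hints.
check_hints() {
    hints_file=$1
    min_servers=${2:-13}
    servers=$(awk '$3 == "NS" { print $NF }' "$hints_file")
    [ -n "$servers" ] || return 1
    count=$(printf '%s\n' "$servers" | awk 'END { print NR }')
    [ "$count" -ge "$min_servers" ] || return 1
    for name in $servers; do
        grep -Eq "^$name[[:space:]]+[0-9]+[[:space:]]+A[[:space:]]" "$hints_file" || return 1
    done
    return 0
}

# Stand-alone demo: write the constructed sample to a temp file, check it with a
# threshold matching the sample, and print the generated stanza.
demo_localroot() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HINTS" > "$tmp"
    if check_hints "$tmp" 2; then
        gen_localroot_conf "$tmp"
    else
        echo "hints file rejected, keeping the existing root.hints" >&2
    fi
    rm -f "$tmp"
}
```

Run check_hints on the freshly downloaded ${infile} before the diff step so a bad download never reaches the "Update available" notification.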
reserved #9
reserved #10
Congratulations on putting together this great and well-written guide :good:
I was thinking about something similar to Pi-hole, but never thought about the possibility to combine ad-blocking with my own VPN. Thank you for bringing this to my attention, I surely have some things left to read on the security blog by Mike Kuketz.
Portgas D. Ace said:
Congratulations on putting together this great and well-written guide :good:
I was thinking about something similar to Pi-hole, but never thought about the possibility to combine ad-blocking with my own VPN. Thank you for bringing this to my attention, I surely have some things left to read on the security blog by Mike Kuketz.
Congratulations on your 4,000th post.
I was in contact with Mike and he granted me permission to more or less translate his tutorials and to post on XDA. Already a long time ago I realised that it's really worth monitoring his blog closely.
Nice work and as always precise in your instructions :good:
Sent from my Pixel 2 XL using XDA Labs
Meanwhile, I also have a fixed public IPv4 address. I found a company that cooperates with my ISP, and they provided me with the fixed IPv4 for a small monthly fee. All procedures described above (especially in post #4 and post #7) remain the same with one exception: I did not enable respectively set up DynDNS in the Fritzbox.
Also important: you need to find a DynDNS provider that allows you to manually insert an IPv4 address into your DynDNS account; not all providers do, e.g. Two-DNS, mentioned in post #7, doesn't. These providers simply take the IPv4 address that they read, and that one is a non-public dynamic IPv4 address. I'm now with ddnss.de. Here, I was allowed to manually override and save the read non-public IPv4 with my new fixed IPv4 address.
The reason why you must not enable DynDNS in the Fritzbox is pretty easy: If it is enabled it will initiate updates of your DynDNS and hence overwrite the fixed public IPv4 address with a dynamic non-public IPv4 through which the Pi can't be accessed.
PiVPN is running fantastically, and I've got OpenVPN on all of our devices now which have access to the internet. Now, no matter where, or whether mobile data, an insecure public WiFi network or a secure WiFi network other than ours is used, I'm able to initiate my own private secure VPN tunnel to my router respectively my RaspberryPi.
Having this working now, I'm going to stick with my current ISP-provider.
EDIT (2018-06-24): Just for completeness - while on mobile network with the Android, the VPN with my RaspberryPi is established in about 3 seconds on WiFi and 5 seconds on mobile data (even if only on 2G). To establish the VPN between the PC and the Pi it takes 7 seconds (see attached log). Additionally, use of the Pi as DNS-server works seamlessly.
Hi! I followed your guide and everything is working properly. I have just one issue. I would like to route only DNS via VPN. I tried doing what this article in Pi-hole documentation suggested. I couldn't find
HTML:
push "redirect-gateway def1 bypass-dhcp"
so I commented out
HTML:
push "redirect-gateway def1"
But doing this stops the internet connection on the client device though the openvpn profile is successfully connected.
Any suggestions on how I can route only DNS via VPN? Any help would be much appreciated. Thanks
Ex-Hunter said:
Hi! I followed your guide and everything is working properly. I have just one issue. I would like to route only DNS via VPN. I tried doing what this article in Pi-hole documentation suggested. I couldn't find
HTML:
push "redirect-gateway def1 bypass-dhcp"
so I commented out
HTML:
push "redirect-gateway def1"
But doing this stops the internet connection on the client device though the openvpn profile is successfully connected.
Any suggestions on how I can route only DNS via VPN? Any help would be much appreciated. Thanks
I couldn't find the line mentioned in the linked tutorial either; my server.conf file also only contains
Code:
push "redirect-gateway def1"
This line is not commented out.
I apologise, I've no clue at all. You certainly have your reasons to go the way you describe, and I'm not questioning it. Before I used OpenVPN with my Pi, I used the DNS changer I mentioned in about the middle of this post. I can confirm this application is working even with mobile data by just establishing a VPN in order to only use DNS servers of your desire.
In order to keep this thread up-to-date, I'd like to share my latest and new experiences. Till last Friday, and as I already mentioned within this thread, my internet connection was via fibre-optics. My data plan with the fibre-optics ISP was 100 MBit/s down- and upload, and as this ISP only offers public dynamic IPv6 addresses, I additionally had to book a public static IPv4 address from another commercial provider. Overall, my monthly charges for this setup were about 55 €.
Since last Friday, my new internet connection via VDSL by a different ISP is online. The data plan I ordered is for 50 MBit/s download and 10 MBit/s upload, which I assumed to fulfill my requirements. If I realise this to be insufficient I can upgrade to 100/40 anytime but after only three days I already doubt I have to. This ISP offers public dynamic IPv4 addresses i.e. I don't require the additional contract for a static IPv4 anymore (and it has already been cancelled). For this data plan, my new ISP charges me about 35€ a month i.e. I'm now saving 20€ per month.
With this change of ISP (and type of connection) I had to perform three changes in the settings of my FritzBox: Enter the new credentials for the different internet connection, enter the new credentials for VoIP, and re-enable the dynDNS that I did setup when I initially established the Pi in our home network.
Overall: My own private secure VPN between OpenVPN for Android and the PiVPN is continuing to work flawlessly and perfectly! DynDNS is always immediately updated when the public IPv4 address changes. I'm still extremely satisfied with the complete setup described in this thread.
Can you write on how to forward only DNS requests to the VPN via OpenVPN? I couldn't get it to work. Also, forwarding port 53 and using the pi as a public DNS is not recommended.
MikeTheGamer said:
Can you write on how to forward only DNS requests to the VPN via OpenVPN? I couldn't get it to work. Also, forwarding port 53 and using the pi as a public DNS is not recommended.
A few months ago, @Ex-Hunter asked a very similar question here. I'm unable to answer your question. I've achieved my primary goal with my setup to be able to connect to my PiVPN via my own secure VPN if I'm connected to a network other than our home one. Additionally, I wanted to use the Pi-hole in our home network. All is working great! And I absolutely trust Mike Kuketz whom I mentioned in the OP and whose instructions I followed.
