Updated Pi hole OpenVPN server (markdown)

2025-02-28 00:12:24 +00:00 · 2016-12-18 19:39:51 +01:00 · 2016-12-18 19:39:51 +01:00 · eca225ab89
commit eca225ab89
parent 9c46b2c747
1 changed files with 52 additions and 1 deletions
--- a/Pi-hole---OpenVPN-server.md
+++ b/Pi-hole---OpenVPN-server.md
@ -71,4 +71,55 @@ Your whole network traffic will now securely be transferred to your Pi-hole.
 ![](http://www.dl6er.de/pi-hole/openVPN/VPNclients.png)

 ---
-(Optional) If your server is visible to the world, you might want prevent port 80 from being accessible from the outside. You will still be able to connect to your Pi-hole from within the VPN.
+(Optional) If your server is visible to the world, you might want prevent port 80 from being accessible from the outside. You will still be able to connect to your Pi-hole from within the VPN.
+
+Using `iptables`: First, verify that there is no rule that explicitly accepts `http` requests
+```
+sudo iptables -L --line-numbers
+```
+
+If you get something like
+<pre>
+Chain INPUT (policy ACCEPT)
+num  target     prot opt source               destination         
+<b>1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http</b>
+2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
+3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
+
+Chain FORWARD (policy ACCEPT)
+num  target     prot opt source               destination         
+
+Chain OUTPUT (policy ACCEPT)
+num  target     prot opt source               destination         
+</pre>
+you have to first explicitly delete the first INPUT rule using:
+```
+sudo iptables -D INPUT 1
+```
+
+Then you can add an explicit rule that allows `http` access from within the VPN
+```
+sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
+```
+
+And another one that prevents accessing the `http` port from everywhere else
+```
+sudo iptables -A INPUT -p tcp --destination-port 80 -j DROP
+```
+
+Your configuration should look like
+<pre>
+Chain INPUT (policy ACCEPT)
+num  target     prot opt source               destination         
+1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
+2    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
+<b>3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
+4    DROP       tcp  --  anywhere             anywhere             tcp dpt:http</b>
+
+Chain FORWARD (policy ACCEPT)
+num  target     prot opt source               destination         
+
+Chain OUTPUT (policy ACCEPT)
+num  target     prot opt source               destination
+</pre>
+while there might be other rules in your table. Note that the order of the list entries matters!