Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
Explain to noobs that you need to port forward vpn, and make a disclaimer on iptables-legacy #409
Conversation
A noob like me didn't realize you have to portforward. It would help if it was written somewhere.
|
Deploy preview for pihole-docs ready! Built with commit 2c26a47 |
|
|
Well it seems I'm also a noob at coding but I think you get the point why it would be nice to explain how to port forward and how to use iptables-legacy. Also, for the raspberry pi users this seems like a great script that would save some time, and it also supports wireguard. |
|
I don't know if pivpn has been fixed, but in the recent past it broke Pi-hole. I don't have a pro/con for this particular Pull Request, I just linked to the reasons the required tests failed, the formatting needs to be cleaned up and then the tests will pass. |
|
I'll try to fix up my formatting |
|
Great! |
|
Yay I figured out how to add a line between my text and a header! |
|
Don't sell yourself short, you figured out how to read the error message, understand what it meant, understand how to fix it and then actually fix it. |
|
Thank you. So do you think this could be added to the docs? |
|
I don't like adding instructions to forward ports, that usually is a security problem but I don't have much input for this. @RamSet might have some input though. |
|
Oh, ok. Just maybe make a disclaimer somewhere that it may be necessary since it is not mentioned anywhere and it took me about 20 minutes to figure it out (wait, it is necessary right? I assume so unless you find someway to route the vpn through another tunnel). Oh, and when I was trying to fix the error in the code it showed an X next to firewall.md so i thought that was the error and I found that the first line on that page started with ** but did not end with it, making it unbolded. At first I thought it was my issue but it is present in the official doc as well. https://docs.pi-hole.net/guides/vpn/firewall/ Not sure if that's intentional or not. |
|
I agree with the disclaimer. The original guide had IPTABLES instructions for the default port (or any port for that matter) but did not instruct the user that port forwarding needs to be set-up. I think we all assumed it is self understood that port forwarding is needed (experience) but indeed this would puzzle someone totally new to this. The changes above are a welcome addition to the guide. |
|
Thank you. What is your opinion on the other two changes.
|
This takes it out of the realm if Pi-hole. IPTABLES, especially in the “hands” of an unexperienced user is a deeeeep rabbit hole.
I suppose... it will pop an error if sudo is not used
Bold |
|
Ok, I understand that iptables is something a lot more advanced but the openvpn script installs an iptables-openvpn service which fails on my system because of an error that will make no sense. It will say invalid argument and trying to change it up will fail. After a couple hours of research I found out the rules provided are for the old iptables and so I manually need to update the service with replacing iptables with sudo iptables-legacy. I know this is an issue on the side of the openvpn script side but after making an issue they have not responded in a couple of days (after looking it seems they have been unactive for a month), so for now a little disclaimer that if you see an error after installing openvpn about openvpn-iptabiles then try replacing the lines in the service with iptables-legacy, or use the firewall guide and do the same, skipping the service entirely.
Sent from ProtonMail mobile
…-------- Original Message --------
On Oct 27, 2020, 10:40 PM, RamSet wrote:
> Thank you. What is your opinion on the other two changes.
>
> - Either adding a disclaimer for newer dists to use iptables-legacy, or use the iptables-convert tool to convert your old rules into nftb rules that can be used on the new iptables and display them on the same page. You would ask users to do iptables -v to check their version, and if it says iptables (nf_tables) they would need to use one of the two options listed above.
This takes it out of the realm if Pi-hole. IPTABLES, especially in the “hands” of an unexperienced user is a deeeeep rabbit hole.
A fresh system, takes default clean IPTABLES rules, no need for conversion or adaptation.
> (And maybe clarify you may need to use root, but that is something really basic and probably doesn't need to be mentioned)
I suppose... it will pop an error if sudo is not used
> - Is the ** on the first line of firewall.md done on purpose, or were you trying to bold it?
Bold
|
|
The RoadWarrior is something we recommend using as it does everything for the user, including setting (as up to date as the install script is) IPTABLES rules. I agree, our guide needs review as most of the instructions do not apply (since the new OpenVpn was released half a year ago -or so-). I just didn’t have the time to review the outdated information but I set up a personal note to do that ASAP. I will review the guide and remove/edit irrelevant/outdated information. |
|
Sounds good!
Sent from ProtonMail mobile
…-------- Original Message --------
On Oct 27, 2020, 10:54 PM, RamSet wrote:
The RoadWarrior is something we recommend using as it does everything for the user, including setting (as up to date as the install script is) IPTABLES rules.
I agree, our guide needs review as most of the instructions do not apply (since the new OpenVpn was released half a year ago -or so-). I just didn’t have the time to review the outdated information but I set up a personal note to do that ASAP.
I will review the guide and remove/edit irrelevant/outdated information.
—
You are receiving this because you authored the thread.
Reply to this email directly, [view it on GitHub](#409 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AD6Q7CLQGRMTETNIJW6Y47DSM6BXZANCNFSM4S77C7CQ).
|
|
I'll merge the changes in here - regardless of a possibly happening edit of the guide or not (it would be in a separate PR anyway). Note that this Pi-hole recommendation is to move away from OpenVPN towards using WireGuard (see #376) because it is a lot easier to set up and understand + gives much higher throughput and an overall better performance, especially on lower-end hardware. In addition, it also saves data volume (considering always-connected mobile devices) so it seems to be preferential in virtually all aspects. |
By submitting this pull request, I confirm the following:
please fill any appropriate checkboxes, e.g: [X]
git rebase)Please make sure you Sign Off all commits. Pi-hole enforces the DCO.
What does this PR aim to accomplish?:
A detailed description, screenshots (if necessary), as well as links to any relevant GitHub issues
Better explain that you need to port forward your vpn. Also, another thing I didn't include in this PR but would be nice to include is a disclaimer that in newer linux dists you need to use iptables-legacy instead of iptables (iptables by itself uses nf tables spits out error messages left and right). When I was setting up openvpn it gave me an error about the openvpn-iptables.service. I finally figured out you have to edit the service file and replace iptables with iptables-legacy. Alternatively, (what I ended up doing afterwards) is just setup the firewall using the firewall guide you included, but replacing iptables with iptables-legacy (or in my case sudo iptables-legacy, as I didn't have root). It would be nice to include a disclaimer of sorts (or alternative commands using iptables-legacy), but I'll also be contacting the creator of the "road warrior" script to find a solution.
How does this PR accomplish the above?:
A detailed description (such as a changelog) and screenshots (if necessary) of the implemented fix
Added a sentence to both installation.md and firewall.md explaining that you need to portforward your openvpn port.
What documentation changes (if any) are needed to support this PR?:
A detailed list of any necessary changes