Friday, 4 January 2019

PiVPN

Simple OpenVPN installer, designed for raspberry pi.

About

Visit the PiVPN site for more information. This is a set of shell scripts that serve to easily turn your Raspberry Pi (TM) into a VPN server using the free, open-source OpenVPN software.
Have you been looking for a good guide or tutorial for installing openvpn on a raspberry pi or ubuntu based server? Run this script and you don't need a guide or tutorial, this will do it all for you, in a fraction of the time and with hardened security settings in place by default.
The master branch of this script installs and configures OpenVPN on Raspbian Jessie, Stretch, Devuan and has been tested on Ubuntu 14.04 and 16.04 running from an Amazon AWS image. Personally, I'd recommend using the Stretch or Jessie Lite image on a Raspberry Pi in your home so you can VPN into your home from insecure remote locations and safely use the internet. However, the scripts do try to detect different distributions and make adjustments accordingly. They should work on the majority of Ubuntu and Debian based distributions, including those using UFW by default instead of raw iptables.
This script's primary mission in life is to allow a user to have a home VPN as cost-effectively as possible and without being a technical wizard. Hence the design of pivpn to work on a Raspberry Pi ($35) with a one-command installer, followed by easy management of the VPN thereafter with the 'pivpn' command. That being said...
This will also work on a free-tier Amazon AWS server using Ubuntu 14.04 - 16.04. I don't want to support every scenario there, but getting it to run and install successfully on a free server in the cloud was also important. Many people have untrustworthy ISPs, so running on a server elsewhere means you can connect to the VPN from home and your ISP will just see encrypted traffic, as your traffic will now be leaving from the Amazon infrastructure.

Prerequisites

To follow this guide and use the script to set up OpenVPN, you will need a Raspberry Pi Model B or later with an ethernet port, an SD or microSD card (depending on the model) with Raspbian installed, a power adapter appropriate to the power needs of your model, and an ethernet cable or wifi adapter to connect your Pi to your router or gateway. It is recommended that you use a fresh image of Raspbian Stretch Lite from https://raspberrypi.org/downloads, but if you don't, be sure to make a backup image of your existing installation before proceeding. You should also set up your Pi with a static IP address (see either source 1 or 2 at the bottom of this Readme), but it is not required, as the script can do this for you. You will need to have your router forward UDP port 1194 (or whatever custom port you may have chosen in the installer); the procedure varies by model and manufacturer, so consult your router manufacturer's documentation. Enabling SSH on your Pi is also highly recommended, so that you can run a very compact headless server without a monitor or keyboard and access it even more conveniently (this is also covered by source 2).

Installation

curl -L https://install.pivpn.io | bash
The script will first update your APT repositories, upgrade packages, and install OpenVPN, which will take some time. It will ask which encryption method you wish the guts of your server to use, 1024-bit, 2048-bit, or 4096-bit. If you're unsure or don't have a convincing reason one way or the other I'd use 2048 today. From the OpenVPN site:
For asymmetric keys, general wisdom is that 1024-bit keys are no longer sufficient to protect against well-equipped adversaries. Use of 2048-bit is a good minimum. It is wise to ensure all keys across your active PKI (including the CA root keypair) are using at least 2048-bit keys.
Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide.
After this, the script will go back to the command line as it builds the server's own certificate authority. The script will ask you if you'd like to change the certificate fields, the default port, client's DNS server, etc. If you know you want to change these things, feel free, and the script will put all the information where it needs to go in the various config files. If you aren't sure, it has been designed that you can simply hit 'Enter' through all the questions and have a working configuration at the end.
Finally, the script will take some time to build the server's Diffie-Hellman key exchange. If you chose 1024-bit encryption, this will just take a few minutes, but if you chose 2048-bit, it will take much longer (anywhere from 40 minutes to several hours on a Model B+). The script will also make some changes to your system to allow it to forward internet traffic and allow VPN connections through the Pi's firewall. When the script informs you that it has finished configuring OpenVPN, it will ask if you want to reboot.
I have set it up so that you do not need to reboot when done, but it also can't hurt.

Managing the PiVPN

After the installation is complete you can use the command 'pivpn' to manage the server.
"pivpn add" You will be prompted to enter a name for your client. Pick anything you like and hit 'enter'. You will be asked to enter a pass phrase for the client key; make sure it's one you'll remember. The script will assemble the client .ovpn file and place it in the directory 'ovpns' within your home directory.
If you need to create a client certificate that is not password protected (i.e. for use on a router), then you can use the 'pivpn add nopass' option to generate that.
"pivpn revoke" Asks you for the name of the client to revoke. Once you revoke a client, it will no longer allow you to use the given client certificate (ovpn config) to connect. This is useful for many reasons; for example: you have a profile on a mobile phone and it was lost or stolen. Revoke its cert and generate a new one for your new phone. Or if you suspect that a cert may have been compromised in any way, just revoke it and generate a new one.
"pivpn list" If you add more than a few clients, this gives you a nice list of their names and whether their certificate is still valid or has been revoked. Great way to keep track of what you did with 'pivpn add' and 'pivpn revoke'.
You can run just 'pivpn' to see all the options.

Importing .ovpn Profiles on Client Machines

To move a client .ovpn profile to Windows, use a program like WinSCP or Cyberduck. Note that you may need administrator permission to move files to some folders on your Windows machine, so if you have trouble transferring the profile to a particular folder with your chosen file transfer program, try moving it to your desktop. To move a profile to Android, you can either retrieve it on PC and then move it to your device via USB, or you can use an app like Turbo FTP & SFTP client to retrieve it directly from your Android device.
To import the profile to OpenVPN on Windows, download the OpenVPN GUI from the community downloads section of openvpn.net, install it, and place the profile in the 'config' folder of your OpenVPN directory, i.e., in 'C:\Program Files\OpenVPN\config'. To import the profile on Android, install the OpenVPN Connect app, select 'Import' from the drop-down menu in the upper right corner of the main screen, choose the directory on your device where you stored the .ovpn file, and select the file.
After importing, connect to the VPN server on Windows by running the OpenVPN GUI with administrator permissions, right-clicking on the icon in the system tray, and clicking 'Connect', or on Android by selecting the profile under 'OpenVPN Profile' and pressing 'Connect'. You'll be asked to enter the pass phrase you chose. Do so, and you're in! Enjoy your ~$50 USD private VPN.

Removing PiVPN

If at any point you wish to remove OpenVPN from your Pi and revert it to a pre-installation state, such as if you want to undo a failed installation to try again or you want to remove OpenVPN without installing a fresh Raspbian image, just run 'pivpn uninstall'.

Feedback & Support

I am interested in making this script work for as many people as possible, so I welcome any feedback on your experience. If you have problems using it, feel free to post an issue here on github. I'll classify the issues the best I can to keep things sorted.
[[DISCONTINUED APRIL 17]] You can also post on the Google Space I created for PiVPN, especially suited for general questions or discussions.
You can also join #pivpn ircs://freenode/pivpn on freenode in IRC for community support or general questions.

Related Projects

StarshipEngineer/OpenVPN-Setup Shell script to set up an OpenVPN server.
InnovativeInventor/docker-pivpn A secure docker container that sets up PiVPN and SSH.

Contributions

I'm also interested in improving this script; please check the current issues to see where you can help. If you have any feature ideas or requests, or are interested in adding your ideas to it or testing it on other platforms, please comment or leave a pull request. If you contribute often I can add you as a member of the PiVPN project. I will be happy to work with you!
  1. I began this as a rough merger of the code at OpenVPNSetup, whom you can donate to at this PayPal link
  2. And the code at pi-hole.net
  3. Of course there is OpenVPN.NET
  4. And as always the ever vigilant EFF
from https://github.com/pivpn/pivpn
--------------------------------

PiVPN: A Super Easy-to-Use VPN Management Tool

I have spent the last couple of days setting up a VPN. The OpenVPN setup procedure looked fairly tedious, and after some searching I found an open-source project, PiVPN, which makes installation and management very simple.

PiVPN

Official site: https://www.pivpn.io/

As the name suggests, PiVPN is designed specifically for the Raspberry Pi. A quick look at the install script, however, shows that it simply bundles openvpn and a number of supporting tools for convenience, so in principle it can also be deployed on Ubuntu or Debian.

PiVPN has several notable features and advantages:

  • Simple: whether installing and deploying, or managing afterwards, PiVPN takes care of everything for us;
  • Flexible: when deploying a VPN we inevitably want to customise things such as the port, key length, and client DNS;
  • Management: PiVPN provides a single command, pivpn, for all the usual operations, such as generating client certificates, revoking certificates, and installing or removing;
  • Secure: although PiVPN is simple, all of the security settings between client and server are properly taken care of.

Installation

Deployment of our VPN starts with a single command:

PiVPN requires a static IP address; if we are not setting it up on a Raspberry Pi, we will need to configure a static IP for the system ourselves.

Next we need to choose a user to hold the VPN configuration files; a new user can be created if there are special requirements.

pivpn then clones https://github.com/pivpn/pivpn.git into /etc/.pivpn on the local machine.

After that, we can choose between two installation modes: OpenVPN or WireGuard.

WireGuard

PiVPN recommends the new WireGuard for deploying the VPN; after choosing this option it begins downloading the required dependencies. Because a WireGuard package source is added, if installation fails due to your network environment, you can try installing through a proxy:

  1. WireGuard uses port 51820 by default; it can be changed during installation if needed.
  2. Then configure the DNS Provider: we can choose Custom and enter 114.114.114.114.
  3. Next, configure how clients connect to our VPN, using either a public IP or a domain name.
  4. Finally, the server keys are generated.

Once done, reboot the server so that all of the configuration takes effect.

Client

Clients for every platform and operating system can be downloaded from the WireGuard website, though at present the iOS and macOS clients have to be downloaded from the US App Store, which is slightly inconvenient.

For each client, we use pivpn to generate a separate certificate:

The generated certificates are saved in the ~/config directory by default; just copy them to the device that needs them. Mobile devices can also read them from a QR code:

OpenVPN

We can also choose the traditional OpenVPN during deployment.

  1. During installation we use the UDP protocol and port 1194 by default;
  2. Then configure the DNS Provider: we can choose Custom and enter 114.114.114.114;
  3. Next, whether to use a Custom Search Domain, which we can leave alone for now;
  4. Continue by configuring how clients connect to our VPN, using either a public IP or a domain name;
  5. Then the ECDSA certificate size; the default of 256 bit is fine. You can of course choose a larger size, but generating the certificate will take longer (note in particular that the wait on a Raspberry Pi is much longer: on my Raspberry Pi 2B certificate generation took an hour, while on a PC it takes only a few seconds);

After installation, reboot the server for the configuration to take effect.

Client

On Windows the client can be downloaded directly from the OpenVPN website; on macOS the open-source Tunnelblick can be used; on iOS, OpenVPN Connect has to be downloaded from the US App Store.

Then generate the client certificate with the pivpn command:

The generated certificates are saved under ~/ovpns by default.

VPN on an Internal Network

If our PiVPN is deployed inside a LAN without a public IP, but we still want to reach it from outside, we can refer to "frp: an intranet penetration tool" and simply configure port forwarding on the client side:

Note that server_addr here is the public IP or domain name we entered earlier when deploying PiVPN.

------------------------------------

Set up a Pi-Hole Ad Blocking VPN Server with a static Anycast IP on Google Cloud's Always Free Usage Tier

Configure Full Tunnel or Split Tunnel OpenVPN connections from your Android, iOS, Linux, macOS, & Windows devices

The goal of this guide is to enable you to safely and privately use the Internet on your phones, tablets, and computers with a self-run VPN Server in the cloud. It can be run at no cost to you; shields you from intrusive advertisements; and blocks your ISP, cell phone company, public WiFi hotspot provider, and apps/websites from gaining insight into your usage activity.
Run your own privacy-first ad blocking service within the Free Usage Tier on Google Cloud. This guide gets you set up with a Google Cloud account, and walks you through setting up a full tunnel (all traffic) or split tunnel (DNS traffic only) VPN connection on your Android & iOS devices, and computers.
Both Full Tunnel and Split Tunnel VPN connections provide DNS based ad-blocking over an encrypted connection to the cloud. The differences are:
  • A Split Tunnel VPN allows you to interact with devices on your Local Network (such as a Chromecast or Roku).
  • A Full Tunnel VPN can help bypass misconfigured proxies on corporate WiFi networks, and protects you from Man-In-The-Middle SSL proxies.
Tunnel Type   Data Usage                Server CPU Load   Security              Ad Blocking
full          +10% overhead for vpn     moderate          100% encryption       yes
split         just kilobytes per day    very low          dns encryption only   yes
The technical merits of major choices in this guide are outlined in REASONS.md.

Google Cloud Login and Account Creation

Go to https://cloud.google.com and click Console at the top right if you have previously used Google's Cloud Services, or click Try Free if it's your first time.

Account Creation

  • Step 1 of 2
    Agree to the terms and continue.
  • Step 2 of 2
    Set up a payments profile and continue

Project & Compute Engine Creation

  1. Click the Hamburger Menu at the top left:
  2. Click Compute Engine:
  3. Select VM instances:
  4. Create a Project if you don't already have one:
  5. Enable billing for this Project if you haven't already:
  • Compute Engine will begin initializing:

Compute Engine Virtual Machine Setup

  1. Create a Virtual Machine instance on Compute Engine:
  2. Customize the instance:
  3. Name your Virtual Machine pi-hole.
    Your Region selection should be any US region only (excluding Northern Virginia [us-east4]). I have used us-east1 and the us-east1-b zone because it is closest to me.
    Choose a micro Machine Type in the dropdown.
    Change the Boot Disk to be 30GB if you plan on keeping your DNS lookup records for any reason, otherwise the default 10GB disk allocation is adequate.
    Allow HTTP traffic in the Firewall (add a checkmark).
    Allow HTTPS traffic in the Firewall (add a checkmark).
  4. Expand Management, Security, disks, networking, sole tenancy and click the Network tab. Click the Pencil icon under Network Interfaces.
  5. The External IP Address should not be Ephemeral. Choose Create IP Address to Reserve a New Static IP Address

  6. You can log into your Virtual Machine via SSH in a Browser by clicking the SSH button. Make note of your External IP (it will be different from the screenshot below).
  7. Click the Hamburger Menu at the top left, click VPC Network and click Firewall Rules.

    Click Create Firewall Rule at the top center of the page. The name of your rule should be allow-openvpn, change the Targets dropdown to All instances in the network. The Source IP Ranges should be 0.0.0.0/0. The udp checkbox should be selected, and the port number next to it should be changed from all to 1194. Then click the Create button. You can disable the default-allow-rdp rule which Google set up with a default action of Allow, but because our server does not run any service on Port 3389 it is harmless to leave this rule alone. Do not disable the default-allow-ssh firewall rule, or you will disable the browser-based SSH from within the Google Cloud Console.

Debian Update & Upgrade

Once you log into your Virtual Machine via SSH, you want to update and upgrade it.
Ensure you have elevated root privileges by running this command in the bash shell:
sudo su
Update and upgrade by running this command in the bash shell:
apt-get update && apt-get upgrade -y

Pi-Hole Installation

Pi-Hole is a DNS based adblocker.
Ensure you have elevated root privileges by running this command in the bash shell:
sudo su
Install Pi-Hole by running this command in the bash shell:
curl -sSL https://install.pi-hole.net | bash
You will flow into a series of prompts in a blue screen.
  • Choose OK or answer positively for all the prompts until the "Select Protocols" question appears. IPv6 needs to be deselected as shown below:
  • Choose OK or answer positively for all the other prompts.
Set a strong password that you will remember for the Web Interface
pihole -a -p
  • Log into the web interface using the External IP that you noted down earlier at
    http://your-external-ip/admin/settings.php?tab=dns
  • Click Settings, and navigate to DNS.
    Set your Interface Listening Behavior to Listen on All Interfaces on this page:
  • Click the Save Button at the bottom of the page.

PiVPN Installation

PiVPN is an OpenVPN setup and configuration tool.
Ensure you have elevated root privileges by running this command in the bash shell:
sudo su
Install PiVPN by running this command in the bash shell:
curl -L https://install.pivpn.io | bash
You will flow into a series of prompts in a blue screen. All of the default values are appropriate.
  • Choose OK or answer positively for all the prompts until you have to choose an upstream DNS provider. The default answer is Google. Choose Custom and set an IP Address of 10.8.0.1

The default answer to reboot is No at the end of the installer. It is fine to say No, we have a few more things to edit while we're logged in as root.

OpenVPN Configuration

Ensure you have elevated root privileges by running this command in the bash shell:
sudo su
Get into the openvpn directory by running this command in the bash shell:
cd /etc/openvpn

Server Configuration for VPN over UDP on Port 1194

Edit server.conf. I use nano to edit by running this command in the bash shell:
nano server.conf
Comment out the line which reads push "redirect-gateway def1" so it reads as follows:
# push "redirect-gateway def1"
The longer the keep-alive interval the longer it will take either end of the openvpn connection to detect whether the connection is no longer alive. Because mobile devices often lose connectivity and regain it, lower values are desirable.
Comment out keepalive 1800 3600 and add keepalive 10 60 below it, so it appears as follows:
# keepalive 1800 3600
keepalive 10 60
Comment out the line which reads cipher AES-256-CBC and add cipher AES-128-GCM below it, so it reads as follows:
# cipher AES-256-CBC
cipher AES-128-GCM
At the bottom of the file add the following lines:
# performance stuff
fast-io
compress lz4-v2
push "compress lz4-v2"
Press CTRL O to bring up the save prompt at the bottom of Nano, press Enter to save. Then press CTRL X to exit.

Server Configuration for VPN over TCP on Port 443

Ensure you have elevated root privileges by running this command in the bash shell:
sudo su
Get into the openvpn directory by running this command in the bash shell:
cd /etc/openvpn
To accept incoming OpenVPN connections over TCP on port 443 we need a separate configuration file. We can clone our existing configuration as a starting point, by running this command in the bash shell:
cp server.conf server_tcp443.conf
Edit /etc/iptables/rules.v4. I use nano to edit by running this command in the bash shell:
nano /etc/iptables/rules.v4
Below the line which reads -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, add the following on a new line:
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
Press CTRL O to bring up the save prompt at the bottom of Nano, press Enter to save. Then press CTRL X to exit.
Edit server_tcp443.conf. I use nano to edit by running this command in the bash shell:
nano server_tcp443.conf
Replace the proto udp and port 1194 lines with:
proto tcp
port 443
Edit the server 10.8.0.0 255.255.255.0 line to reflect an IP address of 10.9.0.0, so it reads as follows:
server 10.9.0.0 255.255.255.0
Edit the push "dhcp-option DNS 10.8.0.1" line to reflect an IP address of 10.9.0.1, so it reads as follows:
push "dhcp-option DNS 10.9.0.1"
Comment out keepalive 10 60 and add keepalive 10 120 below it, so it appears as follows:
# keepalive 10 60
keepalive 10 120
Comment out fast-io so it looks like this:
# fast-io
Press CTRL O to bring up the save prompt at the bottom of Nano, press Enter to save. Then press CTRL X to exit.
Add the OpenVPN service on Port 443 by running this command in your bash shell:
systemctl enable openvpn@server_tcp443.service
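The UDP server.conf edits above and the TCP/443 derivation (including the extra MASQUERADE rule for the second subnet), as one added shell script; this is example code, not part of the guide or of PiVPN. It runs against constructed miniatures of server.conf and /etc/iptables/rules.v4 in a temporary directory (only the directives the guide touches are included, laid out as the guide describes them), so it can be tried without a PiVPN install; the function names are my own. Pointing the functions at the real /etc/openvpn/server.conf and /etc/iptables/rules.v4 as root applies the same edits, and active_lines gives a way to verify the result rather than eyeballing nano.

```shell
#!/bin/sh
# Added example: apply the guide's server.conf edits and derive server_tcp443.conf.
# Works on constructed sample files; not PiVPN's own code.
set -eu

# Constructed miniature of the server.conf PiVPN writes (only lines the guide edits).
make_sample_server_conf() {
  cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1"
keepalive 1800 3600
cipher AES-256-CBC
EOF
}

# Constructed miniature of /etc/iptables/rules.v4 with the NAT rule PiVPN installs.
make_sample_rules_v4() {
  cat > "$1" <<'EOF'
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# UDP/1194 server: stop pushing the default route (clients opt in per profile),
# short keepalive so dead mobile links are noticed fast, AEAD cipher, perf lines.
# keepalive 10 60 = ping every 10 s, client restarts after 60 s of silence; the
# server side uses twice the second value (120 s) so the client times out first.
tune_udp_server_conf() {            # $1 = server.conf, edited in place
  awk '
    /^push "redirect-gateway def1"/ { print "# " $0; next }
    /^keepalive 1800 3600/          { print "# " $0; print "keepalive 10 60"; next }
    /^cipher AES-256-CBC/           { print "# " $0; print "cipher AES-128-GCM"; next }
    { print }
    END {
      print "# performance stuff"; print "fast-io"
      print "compress lz4-v2"; print "push \"compress lz4-v2\""
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# TCP/443 server: clone the tuned config, switch transport/port, give it its own
# subnet so both instances can run at once, relax keepalive for the slower TCP
# path, and drop fast-io (it only applies to proto udp).
derive_tcp443_conf() {              # $1 = tuned server.conf, $2 = server_tcp443.conf to write
  awk '
    /^proto udp/                          { print "proto tcp"; next }
    /^port 1194/                          { print "port 443"; next }
    /^server 10\.8\.0\.0 /                { print "server 10.9.0.0 255.255.255.0"; next }
    /^push "dhcp-option DNS 10\.8\.0\.1"/ { print "push \"dhcp-option DNS 10.9.0.1\""; next }
    /^keepalive 10 60/                    { print "# " $0; print "keepalive 10 120"; next }
    /^fast-io/                            { print "# fast-io"; next }
    { print }' "$1" > "$2"
}

# Without NAT for 10.9.0.0/24, TCP clients reach the server but not the Internet.
add_tcp443_masquerade() {           # $1 = rules.v4, edited in place
  awk '
    { print }
    /^-A POSTROUTING -s 10\.8\.0\.0\/24 -o eth0 -j MASQUERADE/ {
      print "-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE"
    }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Count uncommented lines matching an awk regex: a quick post-edit check.
active_lines() {                    # $1 = file, $2 = regex
  awk -v re="$2" '$0 !~ /^#/ && $0 ~ re { n++ } END { print n + 0 }' "$1"
}

demo() {
  dir=$(mktemp -d)
  make_sample_server_conf "$dir/server.conf"
  make_sample_rules_v4 "$dir/rules.v4"
  tune_udp_server_conf "$dir/server.conf"
  derive_tcp443_conf "$dir/server.conf" "$dir/server_tcp443.conf"
  add_tcp443_masquerade "$dir/rules.v4"
  for f in server.conf server_tcp443.conf rules.v4; do
    echo "--- $f ---"; cat "$dir/$f"
  done
  rm -r "$dir"
}
demo
```

After editing the real files, `active_lines /etc/openvpn/server_tcp443.conf '^fast-io$'` should print 0 and `active_lines /etc/openvpn/server.conf '^push "redirect-gateway def1"'` should print 0; anything else means a line was left uncommented.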

Finalize VPN Configurations on Server

Reboot the server by running this command in your bash shell:
shutdown -r now

Managing the PiVPN

Connect to the Pi-Hole server and set up an OpenVPN Client Profile. (You do not need to have elevated root privileges to do this.)
pivpn add nopass
Give your client profile a name. I like to use an alphanumeric string composed of the user's first name, and their device's make and model (no spaces and no special characters).

NOTE

Make a new client profile for every device. DO NOT share a client profile between two different devices.
This command will output a success message which looks like this:
========================================================
Done! mypixel3xl.ovpn successfully created!
mypixel3xl.ovpn was copied to:
  /home/myusername/ovpns
for easy transfer. Please use this profile only on one
device and create additional profiles for other devices.
========================================================
To get the mypixel3xl.ovpn file to your phone it is easiest to maximize your SSH window and print the file to the terminal window, to copy & paste the output:
cat ~/ovpns/mypixel3xl.ovpn
Press CTRL - until the screen zooms out to a point where you can see the entire ovpn file printed on the screen. The first line will have the word client and the last line is . Highlighting this entire chunk with a mouse will cause a scissor icon to appear in the middle of your SSH window; this means this selection has been copied to your clipboard.

Saving a Split Tunnel VPN Client Profile for UDP VPN Connections on Port 1194

Paste this into your favorite Text Editor and save the file with a name that is clear: mypixel3xl-udp-1194-split-tunnel.ovpn
Around Line 12, edit the line which reads cipher AES-256-CBC and change it to read:
cipher AES-128-GCM

Saving a Full Tunnel VPN Client Profile for UDP VPN Connections on Port 1194

Copy the contents of mypixel3xl-udp-1194-split-tunnel.ovpn and paste it into your favorite Text Editor, save the file with a name that is clear: mypixel3xl-udp-1194-full-tunnel.ovpn
Below cipher AES-128-GCM add this line:
redirect-gateway def1

Saving a Split Tunnel VPN Client Profile for TCP VPN Connections on Port 443

Copy the contents of mypixel3xl-udp-1194-split-tunnel.ovpn and paste it into your favorite Text Editor, save the file with a name that is clear: mypixel3xl-tcp-443-split-tunnel.ovpn
Change proto udp on Line 3 to proto tcp
proto tcp
Change the 1194 at the end of Line 4 to 443, do not change the IP address on this line (it is your Google Compute Engine Virtual Machine's external IP address):
remote YOUR-EXTERNAL-IP-IS-HERE-LEAVE-THIS-AS-IT-IS 443

Saving a Full Tunnel VPN Client Profile for TCP VPN Connections on Port 443

Copy the contents of mypixel3xl-tcp-443-split-tunnel.ovpn and paste it into your favorite Text Editor, save the file with a name that is clear: mypixel3xl-tcp-443-full-tunnel.ovpn
Below cipher AES-128-GCM add this line:
redirect-gateway def1
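The four client profiles described above (UDP/1194 and TCP/443, each as split and full tunnel), as an added shell script that is not part of the guide or of PiVPN. It starts from a constructed stand-in for the pivpn-generated .ovpn (placeholder key material; real directives only where the guide edits them), writes all four variants, and then reports each file's tunnel mode and transport, so a mis-edited profile (a "full" file without redirect-gateway, a 443 file still on udp) is caught before it is copied to a phone. Function names are my own.

```shell
#!/bin/sh
# Added example: derive the guide's four client profiles from one .ovpn and
# classify each one. Runs on a constructed sample; not PiVPN's own code.
set -eu

# Constructed stand-in for ~/ovpns/mypixel3xl.ovpn. The certificate block is a
# placeholder; the proto/remote/cipher lines are the ones the guide edits.
make_sample_profile() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote YOUR-EXTERNAL-IP-IS-HERE-LEAVE-THIS-AS-IT-IS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
EOF
}

# Split tunnel over UDP/1194: only the cipher changes, to match the server's AES-128-GCM.
make_udp_split() {                   # $1 = base profile, $2 = output
  sed 's/^cipher AES-256-CBC$/cipher AES-128-GCM/' "$1" > "$2"
}

# Full tunnel: the client pulls the default route itself, since the server no
# longer pushes redirect-gateway. The line goes right below the cipher line.
make_full_from_split() {             # $1 = split profile, $2 = output
  awk '{ print } /^cipher AES-128-GCM$/ { print "redirect-gateway def1" }' "$1" > "$2"
}

# TCP/443 split: switch transport and port; the remote address stays as it is.
make_tcp443_from_udp_split() {       # $1 = UDP split profile, $2 = output
  awk '/^proto udp$/ { print "proto tcp"; next }
       /^remote / && $3 == "1194" { print $1, $2, "443"; next }
       { print }' "$1" > "$2"
}

# "full" if the profile carries redirect-gateway, otherwise "split".
tunnel_mode() {                      # $1 = profile
  if grep -q '^redirect-gateway' "$1"; then echo full; else echo split; fi
}

# "proto port" taken from the proto and remote lines, e.g. "tcp 443".
transport_of() {                     # $1 = profile
  awk '/^proto / { p = $2 } /^remote / { port = $3 } END { print p, port }' "$1"
}

# Write all four variants next to each other, named as in the guide.
make_all_profiles() {                # $1 = base profile, $2 = output dir, $3 = name prefix
  make_udp_split "$1" "$2/$3-udp-1194-split-tunnel.ovpn"
  make_full_from_split "$2/$3-udp-1194-split-tunnel.ovpn" "$2/$3-udp-1194-full-tunnel.ovpn"
  make_tcp443_from_udp_split "$2/$3-udp-1194-split-tunnel.ovpn" "$2/$3-tcp-443-split-tunnel.ovpn"
  make_full_from_split "$2/$3-tcp-443-split-tunnel.ovpn" "$2/$3-tcp-443-full-tunnel.ovpn"
}

demo() {
  dir=$(mktemp -d)
  make_sample_profile "$dir/mypixel3xl.ovpn"
  make_all_profiles "$dir/mypixel3xl.ovpn" "$dir" mypixel3xl
  for f in "$dir"/mypixel3xl-*.ovpn; do
    printf '%-40s %-6s %s\n' "$(basename "$f")" "$(tunnel_mode "$f")" "$(transport_of "$f")"
  done
  rm -r "$dir"
}
demo
```

On the server itself, `make_all_profiles ~/ovpns/mypixel3xl.ovpn ~/ovpns mypixel3xl` produces the same four files from the real profile, and running `tunnel_mode` and `transport_of` on each one is a cheaper check than scrolling through the file on a phone.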

Make these .ovpn files available on your phone or tablet

E-mail these files to yourself, upload in Google Drive, or use whatever secure method you prefer to transfer this file to your device. It is safe to download this file to your device.

WARNING

Anyone that gets one of these .ovpn files can connect to your server.

Full & Split Tunnel VPN on Android & iOS Devices

"OpenVPN for Android" on Android for Split Tunnel VPN

This is open source software.
Available on F-Droid and Google Play.
Install the "OpenVPN for Android" application on your Android device.
When "OpenVPN for Android" opens you are in the Profiles Tab. You will have to perform the following steps for mypixel3xl-udp-1194-split-tunnel.ovpn, and again for mypixel3xl-tcp-443-split-tunnel.ovpn.
  • Import your Profile, click the + at the top right.
  • Then click Import at the bottom left of the modal that appears.
  • Click the Hamburger Menu at the top left to choose Google Drive, or your Downloads folder, depending on what method you used to get the .ovpn file to your phone.
  • Click the pencil icon next to the VPN profile you imported.
    • Click the Server List Tab.
      • Connect Timeout should be 60 for UDP VPN Profiles and 120 for TCP VPN Profiles.
    • Click the IP AND DNS Tab.
      • No local binding should be enabled
      • Override DNS Settings by Server should be enabled
        • searchDomain should be empty
        • DNS Server should be 10.8.0.1
        • Backup DNS Server should be empty
    • Click the Routing Tab.
      • Bypass VPN for local networks should be enabled.
      • Block IPv6 (or IPv4) if not used by the VPN should be enabled.
      • Click Excluded Networks under IPv4 and add this:
        10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    • Under the Authentication/Encryption Tab
      • The Encryption Cipher should be AES-128-GCM
    • Under the Allowed Apps Tab
      • The first Toggle should be disabled, and will read VPN is used for only for selected apps.
      • the Android System WebView, your preferred web browser, and any other apps you wish to block ads in, should have a checkmark.
  • Click the back button a couple times until you are at the Profiles Tab again.
Click the Settings Tab:
  • OpenVPN 3 Core should have a checkmark
  • click Default VPN and choose the VPN you have imported
  • Connect on Boot should have a checkmark
  • Pause VPN connection after screen off should be enabled if you wish to save your battery and reduce data usage, and only want to block things while you're actively using your phone.
Click the back button a couple times until you are at the Profiles Tab again.
  • Clicking the name of the VPN profile you imported should trigger a connection.

"OpenVPN Connect" on Android for Full Tunnel VPN

This is open source software.
Available on Google Play.
Install the "OpenVPN Connect" application on your Android device.
Download the mypixel3xl-udp-1194-full-tunnel.ovpn and mypixel3xl-tcp-443-full-tunnel.ovpn files from your E-mail or your Google Drive to your Android Phone or Tablet. These files will be saved to your device's "Download" folder by default.
When the "OpenVPN Connect" application opens up, in its home screen you will see 3 options: Private Tunnel, Access Server, and OVPN Profile. Click on OVPN Profile.
Import and Add an .ovpn client profile by tapping your .ovpn filename, then tapping Import on the top right, and then tapping Add. If you have already imported a client profile, you can import more client profiles by pressing the + button at the bottom right.
Click the Hamburger Menu at the top left and click Settings
  • Under IPv6, the IPv4 Only Tunnel button should be selected. (The default selection is No Preference)
  • Under Connection Timeout, the Continuously Retry option should be selected. (The default selection is 1 Min)
  • Under Compression, the Downlink Only button should be selected. (The default selection is Full)
  • Under DNS Fallback the checkbox should be deselected/empty. (By default the checkbox is ticked)
Click Save at the top right.

"OpenVPN Connect" on iOS for Full & Split Tunnel VPN

This is open source software.
Available on the App Store.
Install the "OpenVPN Connect" application on your iOS device.
Import and Add all of your .ovpn files using one of the following two methods:
  1. Using iTunes Sync, select your device, go to OpenVPN under the apps tab, and drop your .ovpn files into the file sharing window.
  2. Using Google Drive or your e-mail you can open the .ovpn files with OpenVPN.
Click the Hamburger Menu at the top left and click Settings
  • Under Connection Timeout, the Continuously Retry option should be selected. (The default selection is 30 Sec)
  • Under Compression, the Downlink Only button should be selected. (The default selection is No)
  • Under DNS Fallback the checkbox should be deselected/empty. (By default the checkbox is ticked)

Full & Split Tunnel VPN on Computers

NOTE

Due to the amount of bandwidth a computer could use, it is recommended to use the Split Tunnel .ovpn profiles on computers, and not Full Tunnel.

"Viscosity VPN" on macOS or Windows

This is commercial software.
Import the Split Tunnel .ovpn files once Viscosity VPN is installed and running.
To enable Split Tunnel VPN with Viscosity on Windows, once you import the connection to Viscosity, Edit Connection and click the Networking Tab. Under the DNS Mode dropdown, choose Full DNS (Use VPN DNS for all traffic).

"OpenVPN GUI" on Windows

This is open source software.
Import the Split Tunnel .ovpn files once the OpenVPN GUI is installed and running.

"Tunnelblick" on macOS

This is open source software.
You can install Tunnelblick with Homebrew:
brew cask install tunnelblick
If you don't have Homebrew, you can get alternate installation instructions on the Tunnelblick website.
Import the Split Tunnel .ovpn files once Tunnelblick is installed and running.

"gnome-manager" on Ubuntu (and its variants)

This open source software is baked into Ubuntu's OS.
Enable the option which reads Use this connection only for resources on its network in the IPv4 Tab

Split Tunnel VPN on Routers with AsusWRT & AsusWRT-Merlin Firmware

Activate the OpenVPN Client Profile

  • Go to http:///Advanced_OpenVPNClient_Content.asp
  • Select an unused client instance (usually Client 1).
  • Beside Import .ovpn File, click Browse
  • Browse to your OpenVPN Client Profile (e.g. asuswrt-udp-1194-split-tunnel.ovpn)
  • Click Upload
  • Set Accept DNS Configuration to STRICT
  • Click the Service State toggle to activate the client
  • Scroll to the bottom and click Apply

Set Pi-Hole as the DNS provider

  • Go to http:///Advanced_WAN_Content.asp
  • Under WAN DNS Setting, set Connect to DNS Server automatically to NO.
  • Set DNS Server1 to 10.8.0.1
  • Scroll to the bottom and click Apply

Use AsusWRT Firewall to force all DNS traffic to Pi-Hole

  • Go to http:///Advanced_Firewall_Content.asp
  • Set Enable Network Services Filter to YES
  • Add the following rules to the Network Services Filter Table
    • Port Range = 53, Protocol = UDP
    • Port Range = 53, Protocol = TCP
    • Destination IP = 10.8.0.1, Port Range = 53, Protocol = UDP
    • Destination IP = 10.8.0.1, Port Range = 53, Protocol = TCP
  • Scroll to the bottom and click Apply

Verify Everything Works

Test your Full Tunnel VPN

You will see your IP address displayed very prominently at the top above the label: Your public IP address
If you see anything other than the External IP Address of your Google Compute Engine Virtual Machine, then you do not have a Full Tunnel VPN.
If you see an IPv6 address while connected to the VPN, then you have a big problem.
Example of an IPv6 address:
You can do some further troubleshooting by visiting: https://www.whatismyip.com
If you see no IPv4 address, and a public IPv6 address identical to the one from the Google search result earlier, it means your tunnel is not processing any IPv4 traffic, and you are going out to the Internet over IPv6 directly.
This typically means you have a problem with your server configuration and client configuration files.

Test for a DNS Leak

If DNS lookups are not happening exclusively over the VPN connection to the Pi-Hole server, then you have a DNS leak. A DNS leak will result in ads appearing.
In the Pi-Hole Web Interface at http://your-external-ip/admin/settings.php?tab=dns choose just one DNS provider. The two Google IPv4 DNS servers will give you the highest performance. For our test, we will deselect the Google IPv4 DNS servers and choose the 2 Cloudflare DNS servers.
On your device, go to https://www.dnsleaktest.com/ and click the Extended test button. On the table in the next page, every single row must say "Cloudflare". If you see any IPs that do not belong to Cloudflare, you have a DNS leak. This typically means you have a problem with your server configuration and client configuration files.
Turn your VPN off and try the Extended test again; this time you will see the default DNS servers assigned by your Internet provider or your router.
Once you are done testing, only use the Google IPv4 Upstream DNS Servers if you want the fastest DNS resolvers for your Pi-Hole. You can use any of the other Upstream DNS servers if speed is not your number one requirement.
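The AsusWRT rules above and the leak test here share one goal: while the VPN is up, every DNS query must go to the Pi-Hole at 10.8.0.1 (or 10.9.0.1 on the TCP profile) and nothing may go out over IPv6. As an added example (not part of the original guide), this Python script makes that check repeatable on the client by reading tcpdump -n output for port 53 and flagging any query sent to another resolver; the capture text is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Legitimate resolvers while the VPN is up: the Pi-hole reached through the
# tunnel (10.8.0.1 for the UDP profile, 10.9.0.1 for the TCP profile).
ALLOWED_RESOLVERS = {"10.8.0.1", "10.9.0.1"}
# tcpdump -n prints "<time> IP|IP6 <src>.<sport> > <dst>.<dport>: ..."
_LINE_RE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+):")

@dataclass(frozen=True)
class DnsFlow:
    family: str  # "IP" (IPv4) or "IP6"
    src: str
    dst: str

def _split_endpoint(endpoint: str):
    # The port follows the last dot, for IPv4 and IPv6 addresses alike.
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)

def parse_dns_flow(line: str) -> Optional[DnsFlow]:
    """Return the flow if the line is a query toward port 53, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    family, src_ep, dst_ep = m.groups()
    dst, dport = _split_endpoint(dst_ep)
    if dport != 53:
        return None  # responses and non-DNS traffic are ignored
    return DnsFlow(family, _split_endpoint(src_ep)[0], dst)

def find_dns_leaks(capture: str) -> List[str]:
    """List destination resolvers of DNS queries that bypassed the Pi-hole."""
    leaks = []
    for line in capture.splitlines():
        flow = parse_dns_flow(line)
        # The tunnel carries IPv4 only, so any IPv6 DNS query is a leak too.
        if flow and (flow.family == "IP6" or flow.dst not in ALLOWED_RESOLVERS):
            leaks.append(flow.dst)
    return leaks
# Constructed capture for the example (not real traffic): a clean query to the
# Pi-hole, a TCP query to 8.8.8.8 and an IPv6 query, both leaking past the tunnel.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.8.0.2.52344 > 10.8.0.1.53: 1+ A? pi-hole.net. (29)
12:00:01.000002 IP 10.8.0.1.53 > 10.8.0.2.52344: 1 1/0/0 A 203.0.113.10 (45)
12:00:02.000003 IP 192.168.1.50.40000 > 8.8.8.8.53: Flags [S], seq 1, length 0
12:00:03.000004 IP6 2001:db8::10.5353 > 2001:db8::1.53: 2+ AAAA? example.net. (30)
12:00:04.000005 IP 10.8.0.2.50001 > 203.0.113.10.443: Flags [P.], length 100
"""
```

Feed it the output of sudo tcpdump -n -l port 53 taken on the client while connected; an empty result means every DNS query went to the Pi-Hole.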

Test the Ad-blocking

A quick test page to verify if your ad blocking is working: https://blockads.fivefilters.org/?pihole
The Pi-Hole project also maintains a list of excellent advertising-littered pages that you can test: https://pi-hole.net/pages-to-test-ad-blocking-performance/

Firewall

You may not be comfortable leaving the Pi-Hole web interface accessible on a public IP.
If you do not wish for the Pi-Hole web interface to be accessible publicly, disable port 80 in your Google Cloud firewall.
  1. Log into Google Cloud Console: https://console.cloud.google.com/
  2. Ensure your Project is selected in the blue bar at the top (next to the words "Google Cloud Console"); by default it should be
  3. Click the Hamburger Menu at the top left, click VPC Network and click Firewall Rules
  4. Click default-allow-http in the table
  5. Click Edit at the top of the page
  6. Click Disable Rule above the "Save" button to reveal a radio button group
  7. Select Disabled
  8. Click the Save button
To access your Pi-Hole web interface once you do this, you will have to connect via VPN, and then go to http://10.8.0.1 if you are using a UDP profile (desirable), or http://10.9.0.1 if you are using the TCP profile (less desirable).
Other Firewall rules you can safely disable:
  • default-allow-rdp is not necessary, because your Pi-Hole is not running on a Windows server and there is no service running on Port 3389
Firewall rules that are inconvenient to disable:
  • default-allow-ssh should really only be open to Google's private network; alas, it is left open to the whole world by default. Brute forcing your way in on Port 22 will not succeed, because the server does not accept passwords; SSH access is secured with keys. If you disable this rule, you will not be able to use the browser-based SSH interface in the Google Cloud Console until you re-enable it.

Configure automated Pi-Hole updates and scheduled reboots

PiVPN enables automated security updates on your Pi-Hole VM, but it won't restart the VM when an update requires it; you would have to SSH into the VM and restart it yourself. To remove that step, let's use a daily cron job that checks whether a restart is required and reboots the VM as necessary.
To do that, add a new file to /etc/cron.daily/ called zz-restart-if-required with the command sudo nano /etc/cron.daily/zz-restart-if-required. In nano, add the following lines, which check whether the reboot-required token file is present and restart the VM if so:
#!/bin/sh
# Debian/Ubuntu package hooks create this file when an update needs a reboot.
if [ -f /var/run/reboot-required ]; then
  /sbin/shutdown -r now
fi
Files stored in /etc/cron.daily/ will only run if their permissions allow it, so we need to make the file executable. To do that, execute sudo chmod 755 /etc/cron.daily/zz-restart-if-required.
Similarly, Pi-Hole itself gets updated from time to time. Let's automate installing those updates as well: create a file with sudo nano /etc/cron.daily/update-pi-hole and add the following lines:
#!/bin/sh
/usr/local/bin/pihole -up
We need to change its permissions so it is executable: sudo chmod 755 /etc/cron.daily/update-pi-hole.
If you're curious when they will run, Stack Exchange has a great Q&A for you.

Cloud Console Mobile App

Install the "Cloud Console" app on your Android or iOS device.

Manage and monitor Google Cloud Platform services from your Android or iOS device.
--------- 

Related posts:
https://briteming.blogspot.com/2019/09/raspberry-pi-vpn-router.html
https://briteming.blogspot.com/2016/03/raspberry-pi-vpn.html
https://briteming.blogspot.com/2017/07/openvpnopenvpn-installopenvpnopenvpn.html