# VPN

## Raspberry Pi Setup

You'll need to configure systemd-networkd not to use IPv6 privacy extensions. systemd-networkd only loads files with a `.network` suffix, so save the file as `/etc/systemd/network/05-end0.network`:

```conf
[Match]
Name=end0

[Network]
DHCP=yes
IPv6PrivacyExtensions=false
IPv6AcceptRA=true
```

## Pihole

If you install Pi-hole first, PiVPN will discover it automatically.

```bash
curl -sSL https://install.pi-hole.net | bash
```

## PiVPN

```bash
curl -L https://install.pivpn.io | bash

# PiVPN can sometimes have issues after install. Run debug to fix them:
pivpn -d
```

## Cloudflared (DoH)

Install the binary and create an unprivileged, non-login service account for it:

```bash
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
sudo mv -f ./cloudflared-linux-arm64 /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v

sudo useradd -s /usr/sbin/nologin -r -M cloudflared
sudo vim /etc/default/cloudflared
```

Contents of `/etc/default/cloudflared`:

```bash
# Commandline args for cloudflared, using Cloudflare DNS
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
```

```bash
sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
sudo vim /etc/systemd/system/cloudflared.service
```

Note that giving the `cloudflared` user ownership of `/usr/local/bin/cloudflared` lets the service overwrite its own executable; the binary only needs to be executable by that user, so `root:root` with mode `0755` is sufficient for it to run.

Contents of `/etc/systemd/system/cloudflared.service`:

```ini
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
```

Enable the service and check that it answers on the local port:

```bash
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

dig @127.0.0.1 -p 5053 google.com
```

Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server by specifying `127.0.0.1#5053` as the Custom DNS (IPv4).

Keep cloudflared up to date with a weekly cron job:

```bash
sudo vim /etc/cron.weekly/cloudflared-updater
```

Contents of `/etc/cron.weekly/cloudflared-updater`:

```bash
#!/bin/bash
cloudflared update
systemctl restart cloudflared
```

```bash
sudo chmod +x /etc/cron.weekly/cloudflared-updater
sudo chown root:root /etc/cron.weekly/cloudflared-updater
```

## IPTables

For masquerading to other networks, the general form is:

```bash
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
```

The rules used here, where `wg0` is the VPN interface and `end0.3` the outbound interface:

```bash
iptables -t nat -I POSTROUTING 1 -s 10.55.87.0/24 -o end0.3 -j MASQUERADE
iptables -I FORWARD 1 -i wg0 -o end0.3 -j ACCEPT
iptables -I FORWARD 1 -i end0.3 -o wg0 -j ACCEPT
```

These rules live only in the running kernel and are lost on reboot unless saved (for example with `iptables-persistent`).
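As an added example (not part of these notes), the same masquerade and forwarding rules as an idempotent script: it checks with `iptables -C` before inserting, so re-running it after a reboot or a PiVPN reinstall does not stack duplicates. The interface names and subnet come from the rules above; restricting the return path to `RELATED,ESTABLISHED` connections is this example's own assumption, not something the notes configure.

```bash
#!/usr/bin/env bash
# Idempotent WireGuard NAT/forwarding rules for the Pi. Added example; the
# conntrack match on the inbound direction is an assumption, not from the notes.
set -euo pipefail

WG_IF="${WG_IF:-wg0}"                 # VPN interface
WAN_IF="${WAN_IF:-end0.3}"            # outbound (VLAN) interface
WG_SUBNET="${WG_SUBNET:-10.55.87.0/24}"  # VPN client subnet

# Print one rule per line as "<table> <chain> <match/target args>".
# Pure function: needs no root, so it can be inspected or tested offline.
wg_rule_specs() {
  printf '%s\n' \
    "nat POSTROUTING -s $WG_SUBNET -o $WAN_IF -j MASQUERADE" \
    "filter FORWARD -i $WG_IF -o $WAN_IF -j ACCEPT" \
    "filter FORWARD -i $WAN_IF -o $WG_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Insert a rule at the top of its chain only if an identical rule is not
# already present (iptables -C returns non-zero when the rule is absent).
ensure_rule() {
  local table=$1 chain=$2
  shift 2
  if ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    iptables -t "$table" -I "$chain" 1 "$@"
  fi
}

# Enable forwarding and apply every rule from wg_rule_specs (requires root).
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  wg_rule_specs | while read -r table chain rest; do
    # shellcheck disable=SC2086  # rest is intentionally split into iptables args
    ensure_rule "$table" "$chain" $rest
  done
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  wg_rule_specs   # dry run: show the rules that "apply" would install
fi
```

Run it without arguments to review the rules, or `sudo ./wg-nat.sh apply` to install them.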