# VPN on AWS with ad blocking

Objective: Install OpenVPN or WireGuard on AWS Lightsail, route all traffic through the tunnel, and have that traffic's DNS lookups filtered by Pi-hole's ad-blocking resolver. Lastly, block port 53 (DNS) externally so that this server cannot be abused as an open resolver in DNS amplification attacks.

First, set up your VPS. In this instance I am using the basic $3.5/month Lightsail instance with Ubuntu 18.04. You'll want to patch it and reboot before starting.

Step 1 - Patching

sudo apt update ; sudo apt upgrade -y ; sudo reboot

Step 2 - Install Tools

You'll want to install the following tools: fail2ban to ban sources of repeated failed SSH logins, and htop and nload to monitor the server.

sudo apt install htop nload fail2ban

Step 3 - Setup VPN

ubuntu@ip-172-26-8-126:~$ wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
--2020-07-19 03:25:16--  https://git.io/vpn
Resolving git.io (git.io)... 3.95.144.123, 34.196.154.11, 34.234.9.43, ...
Connecting to git.io (git.io)|3.95.144.123|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-07-19 03:25:17--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.8.133
Connecting to raw.github.com (raw.github.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2020-07-19 03:25:18--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23085 (23K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh                          100%[========================================================================================>]  22.54K  --.-KB/s    in 0s      

2020-07-19 03:25:19 (62.3 MB/s) - ‘openvpn-install.sh’ saved [23085/23085]

This installer needs to be run with superuser privileges.

Ok, try again, but with sudo ahead of it: sudo bash openvpn-install.sh

That should start running and you will be prompted with a menu. I chose the defaults except for the first client name, for which I use a naming scheme that captures some details: provider-location-user-device.

Welcome to this OpenVPN road warrior installer!

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [54.255.204.234]: 

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]: 

What port should OpenVPN listen to?
Port [1194]: 

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]: 1

Enter a name for the first client:
Name [client]: aws-sg-bl-iphone

OpenVPN installation is ready to begin.
Press any key to continue...

Give it a few minutes and then you'll be ready to go.

Finished!

The client configuration is available in: /home/ubuntu/aws-sg-bl-iphone.ovpn
New clients can be added by running this script again.

Excellent. There are a couple of ways to get the .ovpn file off the system: sftp, scp, or cat the file and save the contents locally.

Next, go back to the Lightsail console: your instance -> Networking -> Firewall -> new rule -> UDP 1194 -> Create. While you are there, remove the port 80 (HTTP) rule, since the Pi-hole web interface uses port 80 and we do not want to expose it to the internet. We will be able to reach the interface over the VPN once it is up.

Go ahead and connect to OpenVPN via the profile that you downloaded. On the VPS, fire up nload and then run speedtest on your device. You should see inbound and outbound traffic spike. Excellent!

Pi Hole (DNS Ad Block)

After we have traffic passing through the VPN we will want to set up the ad blocker. Following the steps from https://github.com/pi-hole/pi-hole/#one-step-automated-install, run curl -sSL https://install.pi-hole.net | bash on the VPS.

You will be guided through the menu for setup.

When you get to the option of interface, select tun0 so that it will listen on our VPN interface.

Choose An Interface (press space to toggle selection)

( ) eth0  available
(*) tun0  available

I prefer to use OpenDNS (Cisco) for my DNS resolver, but that is my personal choice. Feel free to use whatever you prefer.

Select Upstream DNS Provider. To use your own, select Custom.

Google (ECS)
OpenDNS (ECS)
Level3
Comodo
DNS.WATCH
Quad9 (filtered, DNSSEC)
Quad9 (unfiltered, no DNSSEC)

Next, just follow the prompts and select what you want; I use all of the defaults. The script will do its thing:

--------------------------------------------------------------------------------
  [✓] Supported OS detected
  [i] SELinux not detected
  [i] Using interface: tun0
  [i] Using upstream DNS: OpenDNS (ECS) (208.67.222.222, 208.67.220.220)
  [✓] Set IP address to ....
  [i] You may need to restart after the install is complete
  [i] Unable to find IPv6 ULA/GUA address, IPv6 adblocking will not be enabled
  [i] IPv4 address: ....
  [i] IPv6 address: 
  [i] Web Interface On
  [i] Web Server On
  [i] Logging On.
  [✗] Check for existing repository in /etc/.pihole
  [i] Clone https://github.com/pi-hole/pi-hole.git into /etc/.pihole...HEAD is now at 56cd7c4 Merge pull request #3549 from pi-hole/release/v5.1.1
  [✓] Clone https://github.com/pi-hole/pi-hole.git into /etc/.pihole

  [✗] Check for existing repository in /var/www/html/admin
  [i] Clone https://github.com/pi-hole/AdminLTE.git into /var/www/html/admin...HEAD is now at d8d3f31 Merge pull request #1480 from pi-hole/release/v5.1
  [✓] Clone https://github.com/pi-hole/AdminLTE.git into /var/www/html/admin
  [i] Main Dependency checks...
  [✓] Checking for cron
  [✓] Checking for curl
  [✓] Checking for iputils-ping
  [✓] Checking for lsof
  [i] Checking for netcat (will be installed)
  [✓] Checking for psmisc
  [✓] Checking for sudo
  [i] Checking for unzip (will be installed)
  [✓] Checking for wget
  [i] Checking for idn2 (will be installed)
  [i] Checking for sqlite3 (will be installed)
  [✓] Checking for libcap2-bin
  [✓] Checking for dns-root-data
  [✓] Checking for libcap2
  [i] Checking for lighttpd (will be installed)
  [i] Checking for php-common (will be installed)
  [i] Checking for php-cgi (will be installed)
  [i] Checking for php-sqlite3 (will be installed)
  [i] Checking for php-xml (will be installed)
  [i] Checking for php-intl (will be installed)
  [i] Processing apt-get install(s) for: netcat unzip idn2 sqlite3 lighttpd php-common php-cgi php-sqlite3 php-xml php-intl, please wait...
--------------------------------------------------------------------------------

Now, on Ubuntu 18.04 you should see the output below and everything will grind to a halt. This appears to be because Ubuntu resolves names through systemd-resolved's stub listener on 127.0.0.53: the installer disables that stub listener (see below), but /etc/resolv.conf still points at it, so the host itself can no longer resolve anything while Pi-hole is becoming the resolver.

  [✓] Installing latest logrotate script
  [i] Backing up /etc/dnsmasq.conf to /etc/dnsmasq.conf.old
  [✓] man pages installed and database updated
  [i] Testing if systemd-resolved is enabled
  [✓] Disabling systemd-resolved DNSStubListener and restarting systemd-resolved
  [✓] Restarting lighttpd service...
  [✓] Enabling lighttpd service to start on reboot...
  [i] Restarting services...
  [✓] Enabling pihole-FTL service to start on reboot...
  [✓] Restarting pihole-FTL service...
  [i] Creating new gravity database
  [i] Migrating content of /etc/pihole/adlists.list into new database
  [✓] Deleting existing list cache
  [✗] DNS resolution is currently unavailable
  [✗] DNS resolution is not available

To get around this, sudo nano /etc/resolv.conf, comment out the 127.0.0.53 line (put a # in front of it) and add your upstream resolver:

#nameserver 127.0.0.53
nameserver 208.67.220.220

After saving, go ahead and try to update Pi-hole's block lists with pihole -g. Note that on 18.04 /etc/resolv.conf is normally a symlink managed by systemd-resolved, so after the reboot at the end check that the edit survived and that the host can still resolve names.

ubuntu@ip-172-26-8-126:/etc$ pihole -g
sudo: unable to resolve host ip-172-26-8-126
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [✓] Preparing new gravity database
  [i] Target: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  [✓] Status: Retrieval successful
  [i] Received 57660 domains

  [i] Target: https://mirror1.malwaredomains.com/files/justdomains
  [✓] Status: Retrieval successful
  [i] Received 26853 domains

  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [i] Number of gravity domains: 84513 (84470 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 0
  [i] Number of exact whitelisted domains: 0
  [i] Number of regex whitelist filters: 0
  [✓] Flushing DNS cache
  [✓] Cleaning up stray matter

  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

Edit the DNS server pushed to clients to be the Pi-hole address (the tun0 address), in this case 10.8.0.1.

cd /etc/openvpn/server/
sudo nano server.conf 

push "dhcp-option DNS 10.8.0.1"
#push "dhcp-option DNS 172.26.0.2"

All Done!

Last step: reboot the VPS, then connect to OpenVPN again once it is back up.

A few good tests to ensure that everything is working:
- Go to 10.8.0.1/admin and check that queries are arriving at the DNS server.
- Run a speed test and make sure the IP you are testing from is your server's public IP:
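As an added example (not from this page, nor from the OpenVPN or Pi-hole projects), a small audit script for the finished box that covers the resolv.conf fix above, the DNS option pushed by server.conf, and the objective of keeping port 53 off the public interface. It assumes only the page's own 10.8.0.1 tun0 address and reads listeners from saved `ss -lntu` output so it can be run against copies of the files.

```shell
#!/bin/sh
# Post-install audit for the OpenVPN + Pi-hole box built above (added example, not part
# of the page or of either project). It checks the three things that bite in this setup:
#   1. /etc/resolv.conf still pointing at the disabled systemd-resolved stub 127.0.0.53
#   2. OpenVPN not pushing the Pi-hole address, or pushing a second DNS server as well
#   3. port 53 listening on something other than tun0/loopback (an open resolver)
# Assumed: PIHOLE_ADDR is the tun0 address from the page; listener data is `ss -lntu` output.
PIHOLE_ADDR="${PIHOLE_ADDR:-10.8.0.1}"

# 0 if the file has an active nameserver line and none of them is the 127.0.0.53 stub.
check_resolv_conf() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53' "$1" && return 1
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9.]+' "$1"
}

# 0 if the only uncommented "dhcp-option DNS" push in server.conf is the Pi-hole address.
check_pushed_dns() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Fq "push \"dhcp-option DNS $PIHOLE_ADDR\"" || return 1
    if grep -Ev '^[[:space:]]*#' "$1" | grep -F 'dhcp-option DNS ' | grep -Fvq "DNS $PIHOLE_ADDR\""; then
        return 1    # a second DNS server is pushed too; clients could resolve around Pi-hole
    fi
    return 0
}

# 0 if every port-53 listener (column 5 of `ss -lntu`, Local Address:Port) is on tun0 or loopback.
# 0.0.0.0:53 or *:53 would answer on eth0 the moment the cloud firewall lets port 53 through.
check_dns_listeners() {
    awk -v ok="$PIHOLE_ADDR" '
        $5 ~ /:53$/ { a = $5; sub(/:53$/, "", a)
                      if (a != ok && a != "127.0.0.1" && a != "[::1]") bad++ }
        END { exit (bad > 0) }' "$1"
}

# Stand-alone demo on constructed files that mirror the page (not captured from a real host).
demo() {
    d=$(mktemp -d)
    printf '#nameserver 127.0.0.53\nnameserver 208.67.220.220\n' > "$d/resolv.conf"
    printf 'push "dhcp-option DNS 10.8.0.1"\n#push "dhcp-option DNS 172.26.0.2"\n' > "$d/server.conf"
    printf 'Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port\n' > "$d/ss.txt"
    printf 'udp UNCONN 0 0 10.8.0.1:53 0.0.0.0:*\ntcp LISTEN 0 32 10.8.0.1:53 0.0.0.0:*\n' >> "$d/ss.txt"
    printf 'udp UNCONN 0 0 0.0.0.0:1194 0.0.0.0:*\ntcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n' >> "$d/ss.txt"
    for c in "check_resolv_conf $d/resolv.conf" "check_pushed_dns $d/server.conf" \
             "check_dns_listeners $d/ss.txt"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
    done
    rm -rf "$d"
}
demo
```

On the live VPS, run the first two checks against /etc/resolv.conf and /etc/openvpn/server/server.conf, and the third against a capture made with ss -lntu > /tmp/ss.txt.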