A few questions about this guide and Pi-Hole setup
rfgamaral opened this issue
Hi there,
After setting Pi-Hole and PiVPN on Google Cloud Platform and testing everything, I have few questions/doubts that I can't find answered anywhere. Would love it if you could clarify this for me:
- I understand that one of the reasons for 128-bit encryption is "128 bit encryption offers a 40% savings on CPU time over 256 bit encryption." and that's nice, but is 128-bit encryption really enough nowadays? Most VPN guides always seem to recommend 256-bit encryption.
- What's the recommended way to completely block the Pi-Hole DNS server installed on Google Cloud Platform so that it's only accessible through the VPN? I've added this rule to my firewall:
Is this the best way to achieve that or do you recommend something else?
- In the Pi-hole installation step it's suggested to disable blocking ads over IPv6. Why? What's the reasoning for this? Does Pi-Hole not work with IPv6 ad blocking? What will happen if I enable it back?
- I have changed both the server and client profiles' cipher to AES-128-GCM as the guide recommends, but for some reason OpenVPN Connect for Android seems to be forcing AES-256-GCM (here's a logfile for my home VPN exhibiting the exact same issue). Do you have any idea why?
That's about it for now, thank you for this awesome guide :)
- 128 is fine from a security standpoint, 256 doesn't provide anything beyond 128 other than it is an arbitrarily chosen standard for a number of implementations. The real world implications of this are discussed here: https://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit - I am sure with some additional googling we can find more official sources of information to further confirm some of the points made here.
- Google's Firewall explicitly blocks everything by default. So you have to enable connection capabilities purposefully with your firewall configurations. Your deny rule would be redundant, since it is denying everything (except SSH and RDP ports) by default anyway.
- To truly benefit from IPv6, you need IPv6 end to end. Attempting to reap the benefits of an IPv6 connection inside of a tunnel that is essentially running on IPv4 is a pointless exercise. The Google Cloud server is set up to use an Anycast IPv4 address. They don't have this Anycast network available on IPv6 inside the free tier. Outside the free tier it is pretty cost prohibitive.
- I have noticed this 128-GCM and 256-GCM anomaly as well. I believe this is due to something deep in the belly of PiVPN and how it configures things. Sadly, PiVPN is not going to receive any further updates. I am in the process of rewriting instructions for end users to configure this sort of system using Wireguard. This will likely come to fruition once Wireguard is incorporated into the Linux kernel.
I am glad this guide was helpful; I appreciate you asking these questions. Undoubtedly, others have similar concerns, and hopefully they find the clarifications they are looking for in this exchange.
If your questions have been addressed feel free to mark this as closed, I'm happy to answer any follow up questions if you have any.
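Editor's note, added to this thread and not written by either participant: the "everything is denied unless you allow it" behaviour of Google Cloud VPC firewalls comes from two implied rules that every VPC has and that cannot be deleted, an allow-all egress and a deny-all ingress, both at the lowest priority (65535), with explicit rules evaluated first-match by ascending priority number. The Python model below reproduces that evaluation order so you can check whether a rule you are about to add changes any outcome. The rule names, the 1194/udp OpenVPN listener and the probe addresses are constructed for the example (the default network's `default-allow-internal` rule for 10.128.0.0/9 is left out for brevity).

```python
import ipaddress

# Google Cloud evaluates VPC firewall rules by priority (0 = highest,
# 65535 = lowest) and applies the first rule that matches. An implied
# deny-all-ingress rule at priority 65535 is always present. The rules
# below are constructed for this example, not exported from a project.
IMPLIED_DENY_INGRESS = {
    "name": "implied-deny-ingress", "priority": 65535, "action": "deny",
    "protocol": "all", "ports": None, "sources": ["0.0.0.0/0"],
}


def make_rule(name, priority, action, protocol, ports=None, sources=("0.0.0.0/0",)):
    """Build an ingress rule; ports=None means every port of the protocol."""
    return {"name": name, "priority": priority, "action": action,
            "protocol": protocol, "ports": ports, "sources": list(sources)}


def rule_matches(rule, protocol, port, source_ip):
    """True if the packet (protocol, port, source) falls under this rule."""
    if rule["protocol"] not in ("all", protocol):
        return False
    if rule["ports"] is not None and port not in rule["ports"]:
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule["sources"])


def evaluate_ingress(rules, protocol, port, source_ip):
    """Return (action, rule_name) of the first matching rule in priority
    order, with the implied deny-all ingress rule as the final fallback."""
    ordered = sorted(rules + [IMPLIED_DENY_INGRESS], key=lambda r: r["priority"])
    for rule in ordered:
        if rule_matches(rule, protocol, port, source_ip):
            return rule["action"], rule["name"]
    raise AssertionError("unreachable: the implied deny matches everything")


# Rules Google pre-creates on the default network (priority 65534) plus
# one allow for the VPN listener; 1194/udp is OpenVPN's default port and
# is an assumption here.
BASE_RULES = [
    make_rule("default-allow-ssh", 65534, "allow", "tcp", {22}),
    make_rule("default-allow-rdp", 65534, "allow", "tcp", {3389}),
    make_rule("allow-openvpn", 1000, "allow", "udp", {1194}),
]

# The kind of explicit "block DNS from the Internet" rule the question asks about.
EXPLICIT_DENY_DNS = make_rule("deny-dns-from-internet", 900, "deny", "udp", {53})

# Constructed probes: an Internet host (TEST-NET-3 address) hitting DNS,
# the VPN port and SSH.
PROBES = [("udp", 53, "203.0.113.9"), ("tcp", 53, "203.0.113.9"),
          ("udp", 1194, "203.0.113.9"), ("tcp", 22, "203.0.113.9")]


def is_rule_redundant(rules, candidate, probes):
    """A rule is redundant if every probe gets the same action with and
    without it."""
    for protocol, port, src in probes:
        with_rule = evaluate_ingress(rules + [candidate], protocol, port, src)[0]
        without = evaluate_ingress(rules, protocol, port, src)[0]
        if with_rule != without:
            return False
    return True


if __name__ == "__main__":
    for protocol, port, src in PROBES:
        print(protocol, port, src, "->", evaluate_ingress(BASE_RULES, protocol, port, src))
    print("explicit DNS deny redundant:",
          is_rule_redundant(BASE_RULES, EXPLICIT_DENY_DNS, PROBES))
```

The model shows the point made in the reply: with only the OpenVPN allow rule present, 53/udp from the Internet already ends at the implied deny, so the explicit deny only changes which rule name appears in the logs, not the verdict. DNS from VPN clients is unaffected either way, because it arrives inside the tunnel on the tun interface rather than through the VPC firewall.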
Thank you very much for your detailed answers :)
1 and 2. I guess I'll leave 128-bit encryption and remove the deny-udp rule if it's redundant.
- As for IPv6, can I still use it on my network? I mean, my router and ISP support IPv6 and I've had my router configured for it for a while now, it seems to work fine. Will that impact Pi-Hole in any way? What will happen with DNS requests to IPv6 servers, they will be ignored because Pi-Hole is only configured for IPv4, correct? Could a workaround be that I configure IPv6 on my network but do not specify any IPv6 DNS servers, would that force all DNS requests through IPv4 or would it default to my ISP's IPv6 DNS servers?
- Is this really a problem with PiVPN and not OpenVPN itself? I mean, PiVPN is just some sort of frontend for easy OpenVPN configuration, right? AFAIK, I have OpenVPN updated to the latest stable version on my GCP VM:

```
root@hyperhole:/home/master# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.08
```
P.S.: My questions are mostly addressed. I have another one that doesn't fit this issue and it's actually related to the reddit message I sent you some days ago. Perhaps this is a better place to ask questions so they are publicly displayed for anyone?
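Editor's note on the AES-128-GCM versus AES-256-GCM question, added here and not part of the thread: OpenVPN 2.4 introduced negotiable crypto parameters (NCP). When both peers support it, the server's `ncp-ciphers` list, whose 2.4 default is `AES-256-GCM:AES-128-GCM`, decides the data-channel cipher and overrides the `cipher` directive on both sides, so a profile that says `cipher AES-128-GCM` still comes up on AES-256-GCM unless the server pins `ncp-ciphers AES-128-GCM` (or sets `ncp-disable`). The Python below models that selection and extracts the negotiated cipher from an OpenVPN log so the two can be compared; the client capability list and the log excerpt are constructed, and the model simplifies the real IV_NCP capability exchange to an explicit list.

```python
import re

# OpenVPN 2.4 server default for negotiable crypto parameters (NCP).
DEFAULT_SERVER_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"

# What a 2.4-era client can negotiate (it advertises IV_NCP=2, meaning both
# AES-GCM ciphers); modelled here as an explicit list for simplicity.
CLIENT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"


def select_data_cipher(server_cipher, server_ncp_ciphers, client_ncp_ciphers):
    """Model of OpenVPN 2.4 data-channel cipher selection.

    If either side cannot negotiate (None: 'ncp-disable' or a pre-2.4 peer),
    the static 'cipher' directive is used. Otherwise the first entry of the
    SERVER's ncp-ciphers list that the client supports wins, regardless of
    what 'cipher' says in either profile. Returns (cipher, reason).
    """
    if server_ncp_ciphers is None or client_ncp_ciphers is None:
        return server_cipher, "static cipher (negotiation disabled)"
    supported = set(client_ncp_ciphers.split(":"))
    for candidate in server_ncp_ciphers.split(":"):
        if candidate in supported:
            return candidate, "negotiated from server ncp-ciphers"
    return server_cipher, "no common NCP cipher; fell back to static cipher"


# OpenVPN logs the cipher it actually brought up on the data channel.
_CIPHER_LINE = re.compile(
    r"(Outgoing|Incoming) Data Channel: Cipher '([A-Z0-9-]+)' initialized")


def negotiated_ciphers(log_text):
    """Return the set of data-channel ciphers reported in an OpenVPN log."""
    return {m.group(2) for m in _CIPHER_LINE.finditer(log_text)}


def cipher_mismatches(log_text, expected):
    """Ciphers seen on the data channel that differ from what the profile
    asked for; an empty set means the configured cipher is really in use."""
    return negotiated_ciphers(log_text) - {expected}


# Constructed log excerpt resembling a client whose 'cipher AES-128-GCM'
# was overridden by the server's default ncp-ciphers list.
SAMPLE_LOG = """\
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

if __name__ == "__main__":
    cipher, why = select_data_cipher("AES-128-GCM", DEFAULT_SERVER_NCP_CIPHERS,
                                     CLIENT_NCP_CIPHERS)
    print(f"server with default ncp-ciphers: {cipher} ({why})")
    cipher, why = select_data_cipher("AES-128-GCM", "AES-128-GCM",
                                     CLIENT_NCP_CIPHERS)
    print(f"server pinned to AES-128-GCM:    {cipher} ({why})")
    print("unexpected ciphers in log:", cipher_mismatches(SAMPLE_LOG, "AES-128-GCM"))
```

Running `cipher_mismatches` over a real client log against the cipher the profile declares is the quickest way to confirm which side is overriding the setting; the fix lives on the server (`ncp-ciphers` or `ncp-disable`), which is why editing only the client profile has no effect.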
- Yes, you can certainly use IPv6 on the rest of your network. When you connect to your Pi-Hole via VPN from a device which has both an IPv6 and IPv4 address, your IPv6 address will not be used to carry any traffic. The communication will run exclusively over IPv4 to the cloud, and outwards from there.
- Configuring OpenVPN to work over IPv6 is possible. But to get the sort of IPv6 address that you need (a public facing one, not a private IPv6 address) to realize the performance gains in a web browser requires extensive configuration steps that would ultimately be very specific to you. Simply configuring OpenVPN to issue an IPv6 address to connected clients is not sufficient to recognize the full benefits of IPv6.
@rfgamaral I am curious if I have answered all of your questions; if yes perhaps we can close this issue? If not, happy to clarify anything further if needed.
Yes, thank you :)