Comments (5)
- 128 is fine from a security standpoint; 256 doesn't provide anything beyond 128 other than it is an arbitrarily chosen standard for a number of implementations. The real-world implications of this are discussed here: https://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit - I am sure with some additional googling we can find more official sources of information to further confirm some of the points made here.
- Google's Firewall explicitly blocks everything by default. So you have to enable connection capabilities purposefully with your firewall configurations. Your deny rule would be redundant, since it is denying everything (except SSH and RDP ports) by default anyway.
- To truly benefit from IPv6, you need IPv6 end to end. Attempting to reap the benefits of an IPv6 connection inside of a tunnel that is essentially running on IPv4 is a pointless exercise. The Google Cloud server is set up to use an Anycast IPv4 address. They don't have this Anycast network available on IPv6 inside the free tier. Outside the free tier it is pretty cost prohibitive.
- I have noticed this 128-GCM and 256-GCM anomaly as well. I believe this is due to something deep in the belly of PiVPN and how it configures things. Sadly, PiVPN is not going to receive any further updates. I am in the process of rewriting instructions for end users to configure this sort of system using WireGuard. This will likely come to fruition once WireGuard is incorporated into the Linux kernel.
I am glad this guide was helpful; I appreciate you asking these questions. Undoubtedly, others have similar concerns, and hopefully they find the clarifications they are looking for in this exchange.
If your questions have been addressed, feel free to mark this as closed; I'm happy to answer any follow-up questions if you have any.
from pi-hole-pivpn-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-openvpn-configs.
Thank you very much for your detailed answers :)
1 and 2. I guess I'll leave 128-bit encryption and remove the deny-udp rule if it's redundant.
- As for IPv6, can I still use it on my network? I mean, my router and ISP support IPv6 and I've had my router configured for it for a while now; it seems to work fine. Will that impact Pi-Hole in any way? What will happen with DNS requests to IPv6 servers? They will be ignored because Pi-Hole is only configured for IPv4, correct? Could a workaround be that I configure IPv6 on my network but do not specify any IPv6 DNS servers? Would that force all DNS requests through IPv4, or would it default to my ISP's IPv6 DNS servers?
- Is this really a problem with PiVPN and not OpenVPN itself? I mean, PiVPN is just some sort of frontend for easy OpenVPN configuration, right? AFAIK, I have OpenVPN updated to the latest stable version on my GCP VM:

```
root@hyperhole:/home/master# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.08
```
P.S: My questions are mostly addressed. I have another one that doesn't fit this issue and it's actually related to the reddit message I sent you some days ago. Perhaps this is a better place to ask questions so they are publicly displayed for anyone?
from pi-hole-pivpn-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-openvpn-configs.
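Whether the cipher in use matches the configured one can be read from the server log rather than inferred. The sketch below is an added example, not from the thread or the guide: it compares the `cipher` directive with the data-channel lines OpenVPN 2.4 logs per session (2.4 peers can negotiate the data cipher via `ncp-ciphers`, so the two may differ). The config, log lines, peer names and function names are constructed for illustration, and a server-side log is assumed.

```shell
#!/bin/sh
# Added example: compare the cipher in the server config with what each
# session actually negotiated. Sample data below is constructed.

sample_conf() {
cat <<'EOF'
port 1194
proto udp
;cipher AES-256-CBC
cipher AES-128-GCM
EOF
}

sample_log() {
cat <<'EOF'
Mon Apr  1 10:00:01 2019 client1/203.0.113.7:51820 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr  1 10:00:01 2019 client1/203.0.113.7:51820 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Apr  1 10:05:12 2019 client2/198.51.100.9:40112 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Apr  1 10:05:12 2019 client2/198.51.100.9:40112 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
EOF
}

# Value of the last active "cipher" directive (commented-out lines are skipped).
configured_cipher() {
    awk '$1 == "cipher" { c = $2 } END { if (c != "") print c }'
}

# One "peer cipher" line per session, taken from the data-channel init lines.
negotiated_ciphers() {
    awk -F"'" '/Data Channel: Cipher / {
        n = split($1, w, " ")   # fields before the quoted cipher name
        print w[n - 4], $2      # peer label, then cipher
    }' | sort -u
}

# $1 = configured cipher; log on stdin. Lists sessions that ended up elsewhere.
cipher_mismatches() {
    negotiated_ciphers |
        awk -v want="$1" '$2 != want { print $1 ": negotiated " $2 ", config says " want }'
}

sample_log | cipher_mismatches "$(sample_conf | configured_cipher)"
```
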
- Yes, you can certainly use IPv6 on the rest of your network. When you connect to your Pi-Hole via VPN from a device which has both an IPv6 and IPv4 address, your IPv6 address will not be used to carry any traffic. The communication will run exclusively over IPv4 to the cloud, and outwards from there.
- Configuring OpenVPN to work over IPv6 is possible. But to get the sort of IPv6 address that you need (a public facing one, not a private IPv6 address) to realize the performance gains in a web browser requires extensive configuration steps that would ultimately be very specific to you. Simply configuring OpenVPN to issue an IPv6 address to connected clients is not sufficient to recognize the full benefits of IPv6.
from pi-hole-pivpn-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-openvpn-configs.
@rfgamaral I am curious if I have answered all of your questions; if yes perhaps we can close this issue? If not, happy to clarify anything further if needed.
from pi-hole-pivpn-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-openvpn-configs.
Yes, thank you :)
from pi-hole-pivpn-on-google-compute-engine-free-tier-with-full-tunnel-and-split-tunnel-openvpn-configs.