Setup WireGuard client on Windows

Reading Time: 4 minutes

In my blog post here I showed you how to setup and configure WireGuard VPN Server side. I that blog post I also tell you what WireGuard is and what the benefits are. If you want to know more about WireGuard or how to configure WireGuard VPN server, check my blog post here. In this blog post I will show you how to setup WireGuard client on Windows. The Windows installation package is the same for all current Windows operating systems including Windows Server.

Requirement for this blog: Setup WireGuard VPN server by me.

First we need to download WireGuard for Windows. The download is the same for server or client and can be downloaded from here. Choose the latest version under Windows:

Setup WireGuard client on Windows - vikash.nl

The installation is very simple. Dubbleclick on the MSI package and WireGuard will install itself and start automatically:

Setup WireGuard client on Windows - vikash.nl

The next part is to download the client configuration (wg0-client.conf) file from the DietPi server. You can do this using a program called WinSCP. You also need to install OpenSSH Server on DietPi for WinSCP to work. Installing OpenSSH on DietPi requires the same steps as WireGuard but instead search for OpenSSH and then select OpenSSH Server:

Setup WireGuard client on Windows - vikash.nl

DietPi default comes with Dropbear SSH server which is a lightweight SSH server. The downside is that it does not support Secure Copy Protocol (SCP) and we need that to download our client configuration file. Just follow the steps on screen to install OpenSSH Server on DietPi. Then install WinSCP on your Windows 10 client and connect to your DietPi server with the following session settings:

You will get a prompt for a Unknown Certificate.Click on Yes to add it:

Once WinSCP is connected to your DietPi server browse to the folder /etc/wireguard. Download the wg0-client.conf file to a location on your Windows 10 machine:

Setup WireGuard client on Windows - vikash.nl

Go back to the WireGuard window and click on Import tunnel(s) from file to import the wg0-client.conf file:

Setup WireGuard client on Windows - vikash.nl

Select the wg0-client.conf file:

Now you will see that WireGuard has created the tunnel on your Windows 10 machine at it is ready to connect. If you click on Activate it will connect the tunnel and you are good to go:

Setup WireGuard client on Windows - vikash.nl

After connecting the tunnel you will see that all traffic from you Windows 10 client now goes trough your WireGuard server:

You can check the status of WireGuard on your DietPi with the following command:

sudo wg show

You will see a screen like this showing the Windows 10 client connected:

That is basically it for running WireGuard client on Windows 10.

Performance tests

In the blog post where I talk about setting up WireGuard server I also said I would do performance tests. I am impressed with WireGuard and as I mentioned in my previous post I am running WireGuard server on a Raspberry Pi 3B:

Setup WireGuard client on Windows - vikash.nl

Check out the load while copying a file over the WireGuard tunnel between my Windows 10 client and the WireGuard server:

It is pulling almost the maximum of 100Mbit without breaking a sweat. It is a beast :).

Setup WireGuard client on Windows Read More

Setup WireGuard VPN server

Reading Time: 8 minutes

What is WireGuard VPN?

I’m sold on WireGuard and I hope that it get used more and more in the future. That’s why in this post I will show you how to setup WireGuard VPN server and clients running on iOS and Windows.

WireGuard is another Virtual Private Network (VPN) tech. It is fairly new. Now do we actually need another VPN? Well I think we do if you look at the specs and performance of WireGuard. It literally puts the old guard in the shade in terms of performance. It is build from the bottom to be fast, modern, secure and at the same time lightweight on resource usage. For example when I run OpenVPN on my iPhone my battery drains real quick so I cannot leave it running the whole day. With WireGuard on my iPhone I don’t need to worry about battery drain and I can leave it running the whole day! Recently I just forgot to disable WireGuard and it was running for a couple of days on my iPhone without me noticing it. I benefit from the added security and privacy as it seamlessly switches between mobile data and WiFi. And it is fast too in switching the VPN tunnel between mobile data and WiFi. I know that OpenVPN takes some time to activate when you switch from network and sometime you have to manually restart the process. If you want to read more about WireGuard check out their website here.

In this blog post I only show you how to configure the Server side. For the client configuration check my other blog post:

Where can you use it?

I will show you how to setup WireGuard on you home network. This will be the server side of WireGuard. Then I will show you how to setup a client on Windows 10 and on iOS. With WireGuard server running at home and your computer and mobile phone running the client you can safely connect to you home network when away from home. And for me the most important benefit from connecting to my home network when I am away is that I can benefit from the added security I have from my Pi-Hole. Check my blog post here about setting up a Pi-Hole on your home network.

Having WireGuard and connecting back to home also means that I don’t have to worry about being tracked or my data leaked when I am on another WiFi network like at a restaurant or in a hotel. Because everything goes trough my WireGuard VPN tunnel to my own network no one will be able to see what is going on because the traffic is completely end-to-end encrypted. That is security and privacy away from home in your pocket right there :).

Requirements

WireGuard is so lightweight that it can even run on a Raspberry Pi. I am running it on a Raspberry Pi 3 Model B and it can easily max out the network speed without breaking a sweat. The max network speed of that type of Raspberry Pi is 100Mbit/sec and I have it pulling about 90Mbit/sec. Wow!

Meet DietPi

On my Raspberry Pi I am using DietPi as my operating system. DietPi is a lightweight Linux distribution aimed at single board computers. Check out their website here. It is optimized for Raspberry Pi, lightweight and it has a software repository which makes it very easy to setup several software packages on the Raspberry Pi. DietPi also takes care of system settings and NAT rules on the local system required for WireGuard. Hey I am all up for automation. I will show you later on how those look.

For this blog post I will use a Hyper-V DietPi version (for demo purposes) but the performance tests I will show you how my production Raspberry Pi performs. It is a beast!.

Install and configure WireGuard server

Start by downloading the correct version of DietPi for your hardware. As you can see in the screenshot below DietPi offers an image for a variety of hardware:

Setup WireGuard VPN server - Vikash.nl

If you download the image for one of the single board computers like the Raspberry Pi, you can use Rufus (or similar software) to write that image on your SD-card and boot the system. Basically that is all you have to do to get DietPi running.

Login using SSH with your favorite program. I am using Putty. You will be greeted with some information about DietPi and some stats. In the screenshot below you can see that I am using a virtual machine for this blog:

Setup WireGuard VPN server - Vikash.nl

Run the following command to start the software selection tool:

dietpi-software

You will see the DietPi-Software utility. Because there are a lot of packages we will search for WireGuard. Select the Search option and hit enter:

Setup WireGuard VPN server - Vikash.nl

Enter wireguard in the search field and select OK:

You will see that is has found wireguard server. Select the package with your spacebar and the hit OK like in the screenshot below:

You will be back at the start screen for the software install utility. Now select the Install option and hit enter:

Setup WireGuard VPN server - Vikash.nl

DietPi will ask you if you would like to begin the installation. Select OK and hit enter:

The setup will start and DietPi will automatically install the required package. Then a screen will popup asking you if you want the machine to be setup as VPN server or client. We will choose Server and hit OK.

The next screen is very important. The setup will ask you to enter the public IP address or domain. That means you WAN IP address or public DNS name. If you WAN IP address is using DHCP (check your internet provider for this) you will want to setup some kind of dynamic DNS name and use that here. There are some free services on the internet like DynDNS or No-IP where you can set this up. If your WAN IP address is static use that. For this blog I will use a LAN IP address and for testing purposes this is fine. So enter your WAN IP address or internet dns name in the screen and hit OK:

Setup WireGuard VPN server - Vikash.nl

Nest the setup will ask you the port number to run WireGuard server on. I leave this at default, which is port 51820 and hit OK.

Now WireGuard server is basically setup. The finish the installation the system will need a reboot. Hit OK to do that now:

Server configuration

After the reboot reconnect again using SSH to your DietPi. DietPi generates the basic configuration for the server and also for one client. The configuration of all those components can be found in the location /etc/wireguard/. There you can see the configuration and the keys used for authentication and traffic encryption. See screenshot below:

Let’s take a look at the server configuration. Open the file wg0.conf (the server file) with nano and you will see that DietPi software installation script has configured everything on the server side for us. It does the iptables rules as well as enabling forwarding of network traffic and it also has generated the configuration for our first client:

Setup WireGuard VPN server - Vikash.nl

The Address 10.9.0.1/24 is automatically added and will be used for WireGuard Server. So the server will be on 10.9.0.1 and the first client will get 10.9.0.2 as you can see in the screenshot above. You can change those but that is beyond the scope of this blog post. If you change those keep in mind that it will affect the WireGuard server setup and you may have to do some troubleshooting there. My advise is to just leave it as is. This works.

Client configuration (first client)

My first client will be my Windows 10 laptop and I will use the automatically generated client configuration wg0-client.conf. Navigate to /etc/wireguard and open this file with nano your favorite terminal editor. You will need to change some setting here like DNS server and enable KeepAlive. My DNS server is my Pi-Hole and that is what I want to use when connecting to my WireGuard server. This setting should point to the IP address of the DNS server you are using in your network. The KeepAlive option is required because my WireGuard server is using NAT and is sitting behind my pfSense firewall. This will be also the case for most of you out there so enable this by uncommenting the line. Note that the WireGuard installer has created the public and private keys for the first client with the names client_private.key and client_public.key.

Setup WireGuard VPN server - Vikash.nl

While you are here make sure that Endpoint is your public IP address or public DNS name.

Client configuration (second client)

The second client I will use WireGuard on is my iPhone. There are some steps involved in generating key pairs and then the client configuration file. Navigate to /etc/wireguard and enter the following commands:

umask 0077 
wg genkey > iphone_private.key 
wg pubkey < iphone_private.key > iphone_public.key 
umask 0022

You can change the names as you like. I named my with the prefix “iphone”. You will see that the private and public key files for my iphone client have been generated:

Setup WireGuard VPN server - Vikash.nl

The next step is to generate the client configuration file using those keys. We will use the wg0-client.conf as base file and clone it with the correct keys. Execute the following commands:

cp -a wg0-client.conf iphone.conf
G_CONFIG_INJECT 'Address = ' 'Address = 10.9.0.3/24' iphone.conf
G_CONFIG_INJECT 'PrivateKey = ' "PrivateKey = $(<iphone_private.key)" iphone.conf

Make sure to use the names correct like in my example above. You can see that I am using iphone.conf as name for my iPhone client and also using iphone_private.key. The IP address part here is also very important. The server is using 10.9.0.1, my Windows 10 client is using 10.9.0.2 and so my iPhone client will use 10.9.0.3. If you add more clients you need to up the IP address every time because WireGuard doesn’t have DHCP yet. If all the commands are ok you should see something like this:

Check to make sure all the information is correct in the configuration file of the iPhone (iphone.conf in my case). See the arrows for the important parts:

If you need to add more clients just follow the same steps as above and make sure you use the next available IP address in the network range of the WireGuard server, so in this case a third client would get 10.9.0.4 as IP etc etc.

Add the clients to the server

After creating the clients keys and configuration files we need to tell WireGuard server what clients are authorized to connect. Login via SSH on your WireGuard server (the DietPi here) and navigate to /etc/wireguard. Open the wg0.conf file and add the clients at the bottom of the file. Add the lines like this:

# Client Windows 10
[Peer]
PublicKey = +BHgcDav+hHohafj6KXXXXXXXXXXXUUUUUUUUUUUUUUU
AllowedIPs = 10.9.0.2/32

# Client iPhoneXS
[Peer]
PublicKey = qpGqnnSJzRSqsOuXXXXXUUUUUIIIIIXXXXXXXXXIIIII
AllowedIPs = 10.9.0.3/32

Make sure that you use the correct corresponding PublicKey for the clients! It should look like this:

Close the file and reboot the server. That’s it for the server part! For the client configuration check my other blog post:

Setup WireGuard VPN server Read More

Setup Pi-Hole to protect your network and privacy

Reading Time: 10 minutes

In a previous blog post of mine here I showed you that I am using Pi-Hole to protect my network and moved away from pfBlockerNG. In this blog post I will show you how to setup Pi-Hole to protect your network and privacy.

What is Pi-Hole?

“Pi-Hole is is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.” That is a quote from the documentation website of Pi-Hole and that basically says it all. If you want to know all the details Pi-Hole is then check you their website. Now there is the term “DNS sinkhole”.

DNS sinkhole…what now?

To be able to understand what a DNS sinkhole is you have to first understand what DNS is and does. DNS is short for Domain Name System and it basically does the same thing phonebook does. It translates numbers to names because numbers are a lot harder to memorize. When you want to visit www.vikash.nl your computer will put that request out to a DNS server on your network which will translate that name to the IP address where www.vikash.nl is living. This is also called a DNS query. Pi-Hole is a DNS server so if you setup a Pi-Hole on your network it will answer the DNS queries for all the devices in your network and this means that you can redirect DNS lookup to anywhere you like. You now have the power to redirect DNS queries to ad-serving networks to an alternate IP address basically eliminating those from showing on any device connected to your network :). This process is called DNS sinkhole and also how Pi-Hole works. If you want to read more about it check out this Wikipedia article.

What will Pi-Hole protect you from?

What makes the Pi-Hole unique from your-basic-DNS-server is the fact that it can pull in Blocklists from the internet and based on those build a database of domains which are serving ads, tracking privacy or even serve malware and ransomware! How cool is that. Ads in general are not a problem but nowadays even ads are used to deliver malicious payloads to your computer. Of course you can whitelist websites you want to support and allow Pi-Hole not to block the ads from them.

To sum up the Pi-Hole will use Blocklists to protect your network. Those Blocklists are on the internet and most of them are free. In this blog post I will share the Blocklists I use.

Requirements

Pi-Hole is a magnificent piece of software and it even can run on a Raspberry Pi Zero (hence the name Pi-Hole). If you have a spare raspberry pi laying around set it up. The raspberry pi are running off SD card and those are limited in read and write cycles. That’s why I would suggest to run in on something more robust. I am running it on a Ubuntu 18.04 server virtual machine which is running on Hyper-V 2016 host. This has been rock-solid performance wise and it enables me to make regular virtual machine backups in case something goes wrong like with an update. So my shoppinglist is:

  • Ubuntu server 18.04 with static IP address
  • Access to your internet router to change DNS server settings

Let’s get started

I will assume you have setup an Ubuntu server with a static IP address. This static IP address should be in the same network as where the rest of your devices are. Usually this is your normal LAN. So in my case my local network range is 10.100.150.100 to 10.100.150.200. I am using pfSense as my router so for me it looks something like the screenshot below:

Setup Pi-Hole to protect your network and privacy 01

Login to your Ubuntu server using SSH and make sure everything is updated. To do this use the following commands:

sudo apt-get update
sudo apt-get upgrade

Basic configuration

Once everything is updated and running it is time to setup Pi-Hole. This process is very simple. Just execute the following command:

sudo curl -sSL https://install.pi-hole.net | bash

You will see the installation of Pi-Hole starting. Hit Enter for OK.

There will be a couple more screen where you just hit Enter for OK. Then you will arrive at the screen below asking you what upstream DNS server you are using. I choose to use Cloudflare. All my traffic is going trough my VPN provider anyway. The reason you need to enter a DNS server here is because Pi-Hole will be used as a caching DNS server on your LAN. So when the Pi-Hole receives a DNS query from a device on your LAN it will check if the hostname requested is in it’s own local DNS database (the one build using the Blocklists). If not then it will forward the request to it’s upstream DNS server which then will answer with the correct IP address. However if the hostname is in the DNS database of Pi-Hole it will sinkhole it.

Now you will be asked what default Blacklists you want to enable. I will not be using the default Blacklists but don’t disable everything here! Enable at least one of the default Blacklists because this create the necessary files for Pi-Hole to work properly. So I just select one and hit Enter for OK:

Select both IPv4 and IPv6 and hit Enter for OK:

Next step it will inform you that you should have the IP address setup as static. Note that this IP address is also the IP address which all your devices will use as their DNS server. We will set that up later. For now just hit Enter for OK:

Choose to install the admin interface. Pretty important for management and configuration. Hit Enter for OK.

On the next screen choose to install lighttpd webserver. This is the webserver where the management UI is running on. Hit Enter for OK.

In the next screen choose to log the DNS queries which will be handled by Pi-Hole. This is one of the major features for me and I think the Pi-Hole UI is way ahead of the competition on how to display what is happening in your network in a easy way. Check my blog post here about why I think that.

In the next screen choose to Show everything. This is one of the biggest features (again).

After some more default OK screen Pi-Hole will retrieve packages and start the setup. When it is finished you will be presented with a screen where the admin password is displayed and also the URL to the admin page. This password is used to login to the Admin Webpage. Just hit Enter for OK.

The first thing you want to do is change this password. At the command line enter the following command to change the password for the Admin Webpage:

sudo pihole -a -p

Advanced configuration

Let’s dive into the advanced configuration settings. Open your webbrowser and login to the Admin Page. Then go to Settings -> Blocklists. This is where the magic will happen and were we will tell Pi-Hole what Blocklists we want to use in order to build the local DNS database for domains we will sinkhole.

A word about Blocklists

Blocklists are used to build the local DNS database and based on that the Pi-Hole will sinkhole certain DNS queries. Be advised that this can (and probably will) break the internet at your home! I want to stress this very much! Depending on what Blocklists you use you will discover that certain websites or apps are not working anymore. I know for example that many Blocklists are blocking all of Facebook or Instagram for privacy reasons and after adding those Blocklists to your Pi-Hole you will not be able to open those websites or use those apps. Luckily (as I mentioned before) we are able to Whitelist certain domains on Pi-Hole. Whitelisting means that regardless of whether a certain domains appear in a Blocklist, it will not be blocked.

That’s why Whitelisting is a major part of implementing Pi-Hole in your network. Especially the first few days / weeks you will have to keep a close eye on the domains which are being sinkholed and add domains to the Whitelist as needed.

My Blocklists

Below are the Blocklists I use. Again, make sure that you understand that this is not a set-it-and-forget-it kind of feature. You will have to “babysit” the Pi-Hole configuration in order to tweak your Whitelist. Below is my Blocklist:

https://openphish.com/feed.txt
https://adaway.org/hosts.txt
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://hosts-file.net/ad_servers.txt
https://www.squidblacklist.org/downloads/dg-ads.acl
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
http://theantisocialengineer.com/AntiSocial_Blacklist_Community_V1.txt
https://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt
https://isc.sans.edu/feeds/suspiciousdomains_High.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://mirror1.malwaredomains.com/files/justdomains
https://mirror1.malwaredomains.com/files/immortal_domains.txt
http://winhelp2002.mvps.org/hosts.txt
https://www.stopforumspam.com/downloads/toxic_domains_whole.txt
https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
https://someonewhocares.org/hosts/hosts
https://dbl.oisd.nl/
https://pastebin.com/raw/2VKWfAqM
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://heuristicsecurity.com/dohservers.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
https://raw.githubusercontent.com/CHEF-KOCH/Audio-fingerprint-pages/master/AudioFp.txt
https://raw.githubusercontent.com/CHEF-KOCH/Canvas-fingerprinting-pages/master/Canvas.txt
https://raw.githubusercontent.com/CHEF-KOCH/WebRTC-tracking/master/WebRTC.txt

Login to the Admin Webpage and go to Settings and then select the Blocklists tab. Delete the one blocklist feed we have here from the setup earlier. Then enter all the Blocklist feeds from above and click on Save and Update. Wait for it to update.

After a successful update you will be presented with a resume of the Blocklist feeds update and then you are “in business”. Pi-Hole is now ready to protect your network and all the devices on it.

My Whitelist

Managing the Whitelist is very important as I said before. To get you started on a base-Whitelist below you have my own Whitelist. It should give you a very good basic starting point.

www.youtube.com
youtu.be
youtube.com
ocsp.digicert.com
www.howtogeek.com
feeds.feedburner.com
hosts-file.net
feeds.feedblitz.com
www.security.nl
photos-ugc.l.googleusercontent.com
ytimg-edge-static.l.google.com
codeload.github.com
cdnjs.cloudflare.com
www.cdnjs.cloudflare.com
gitlab.com
www.gitlab.com
clients1.google.com
www.clients1.google.com
clients.l.google.com
forms.office.com
prod.forms.office.com.akadns.net
office365.com
vmware.com
netatmo.com
netatmo.net
ae01.alicdn.com
www.ae01.alicdn.com
global-image.aliexpress.com
global-image.aliexpress.com.gds.alibabadns.com
us1111.alicdn.com.edgekey.net
graph.facebook.com
www.graph.facebook.com
api.facebook.com
star.c10r.facebook.com
media.licdn.com
www.media.licdn.com
graph.instagram.com
www.graph.instagram.com
instagram.c10r.facebook.com
neatocloud.com
github.com
webhook.logentries.com

To add the above domains to the Whitelist click on Whitelist in the Admin Webpage and enter the list above. When you click on Add here the list is immediately active. So any changes you make here will be immediately active and you don’t need to update anything.

How to whitelist hostnames

Check your Whitelists by clicking the menu on the left of the Admin Webpage:

Just add my Whitelist list and click on Add.

If you encounter a website or app that is not working anymore after setting up Pi-Hole chances are that something is sinkholed (blocked by Pi-Hole). If you click on the Query Log on the menu you will get a very nice overview of the DNS queries which are allowed or blocked. You can even search for queries for a specific device in your network. Very powerfull interface!

The interface explains itself basically. If you see something being blocked and you want to whitelist it, just click on the Whitelist button behind it and all is done! That simple.

Adjust router to serve Pi-Hole as DNS Server

Now you are all set with Pi-Hole and it is time to change your router settings so it tells all the clients in your LAN that Pi-Hole is the DNS server now. I will use pfSense as my example here but in general these steps should also translate to the brand router you have.

The main idea is to go into the DHCP settings in your router and change the DNS server there to the IP address of the Pi-Hole. Make sure that there are no other DNS servers entered there beside the Pi-Hole and soon you will see devices in you LAN querying Pi-Hole for DNS lookups. For pfSense go to Services-> DHCP Server-> LAN. Scroll down to the Servers section and enter the Pi-Hole in the first DNS servers field. Leave the rest blank.

Apply some tweaks

Pi-Hole updates it Blocklists every sunday. I made a change here to update is every day. I do this because domains are constantly being added and removed from several Blocklists I use and by updating them frequently I can make sure that I don’t miss some critical domain updates. When installing Pi-Hole a user is created on your server names pihole. This user has a cron job which updates Pi-Hole Blocklists.

On the command line on your Ubuntu server to edit the cron file for the pihole user:

 nano /etc/cron.d/pihole

Edit the line that contains pihole updateGravity . If you want it to run for example every day on 2 AM change the line to this:

00 2 * * * root PATH="$PATH:/usr/local/bin/" pihole updateGravity

Run systemctl restart cron for the changes to take effect. This may be changed back to default when Pi-Hole get’s a system update so you have to watch for that.

Pi-Hole version update

Once in a while Pi-Hole will release a new version. When you login to the Admin Webpage you will get a notification in the bottom of the page like so with the words Update available! glowing in red:

To apply the update you will have to login to your Pi-Hole using SSH and enter the following command:

sudo pihole -up

You will see that everything is updated and you are good to go:

Some cool stats

I have Pi-Hole running for some time now and I want to share some cool stats. Here is the overal stats page which give you a detailed overview of how my Pi-Hole is doing in my network:

Here are the top blocked domains in my network and how Pi-Hole is protecting me against leaking telemetry data to a big tech company.

Wrap up

Overall using Pi-Hole has made me more aware of privacy and gives me the ability to protect all the devices in my network from ads, privacy tracking, malware and ransomware. In order of first-line defense I think this is a valuable addition in protecting your privacy and data.

If you implement Pi-Hole in your network and break the internet I cannot be held responsible for it. I want to stress again that it is very important to keep a close eye on your Query Log to make sure that something isn’t being wrongfully blocked. Pi-Hole has a lot of more options and features but I believe with this blog post I have make sure that you have the basic configuration drilled down in order to keep your network safe and maintain your online privacy.

Setup Pi-Hole to protect your network and privacy Read More

Moved from pfBlockerNG to Pi-Hole

Reading Time: 6 minutes

The ad-free internet can exists!

For a while now I have pfSense firewall running at home. I really love the performance, stability and security pfSense provides. It is just rock-solid! But let me tell you why I moved from pfBlockerNG to Pi-Hole. What I also love in pfSense is the ability to install packages and add even more useful features to the platform. So I went ahead and installed the pfBlockerNG-devel package. At the time of writing this blog post the latest version of pfBlockerNG-devel is 2.2.5_29. Note the “devel” in the name because this is the branche of pfBlockerNG which is actively being developed.

Ads on themselves can be OK I think. It all depends on how ads are being used and in the end you need to find funding. After all this site is also using ads. Adding pfBlockerNG allows you not to only block ads but also block web tracking and ransomware. That there is added security and privacy you get when using pfBlockerNG. It will do this for your whole network using something called DNSBL (short for Domain Name System-based Blackhole List). Every device in your network will benefit from this and be protected. But pfBlockerNG does so much more like also giving you the ability to block internet traffic coming from certain IP addresses. These IP addresses translate to specific countries and regions so it can be very handy in protecting your network from all those hackers trying to get in your network.

I went ahead and set up both and for some time everything was working well. I enjoyed ad-free and tracking-free internet on all the devices in my LAN. But then something happened…

The internet broke down (well a little bit)

I have several iOT devices at home including Ikea Tradfri smart lights. Suddenly these lights because unreachable in the Apple Homekit App on my iPhone. The rest of my Homekit enabled iOT devices were doing fine. The first time this happened I thought it is probably a bug so let’s power cycle the Ikea Tradfri gateway. This was a success and the Ikea smart lights were available again. Nice!

Not so nice when I discovered an hour or so later that the Ikea Tradfri smart light were unreachable again. So now I’m thinking that maybe pfBlockerNG is blocking some hostname (the DNSBL feature). This is possible because maybe one of the DNSBL feeds I am using has got an update and some hostname which Ikea Tradfri gateway uses is bow blacklisted. Luckily pfBlockerNG gives you the ability to whitelist hostnames.

I went into the management interface of my pfSense firewall and selected the Reports tab in pfBlockerNG settings. The Reports tab shows a very nice list of hostnames which have been blocked by pfBlockerNG. There is a nice filtering option as well. See the screenshot below.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 01

My Ikea Tradfri gateway has 192.168.100.51 as IP address. This is static setup in the DHCP server on my pfSense. So I enter this IP address in the Alert filter to see if pfBlockerNG is blocking DNS requests from my Ikea Tradfri gateway. The result was 0 so according to pfBlockerNG nothing from my Ikea Tradfri gateway was blocked. See screenshot below.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 02

But still I had the same behavior. When I power cycle the Ikea Tradfri gateway all is well for a short time and then is just becomes unavailable. I continued my investigation and decided to replace the USB power adapter of the Tradfri gateway. That didn’t help. By now I was thinking that I have tried everything but to replace the unit. I went to Ikea and got a new Tradfri gateway. I set it up and went trough the painful experience of connecting all my Tradfri lights and switches to the new gateway. I was just wrapping up when I saw that all my Ikea lights were unreachable again! Imagine my frustration.

Bring on Pi-Hole!

OK now I was furious. Even after replacing the Ikea Tradfri gateway I had the same problem. I was getting more convinced that is has to be something in my network. First step for me now was that I wanted to know all the DNS queries the Ikea Tradfri gateway was making. I tried debugging that in Unbound resolver on my pfSense but there were so many DNS requests flying by that it made troubleshooting nearly impossible.

I needed another DNS server, one specifically for my Ikea Tradfri gateway. And I needed it quick. Since I had a Raspberry Pi lying around I went the Pi-Hole route. Just download the correct image from the Pi-Hole website, extract to the SD-card and startup your new DNS server. Within a couple of minutes I was up and running with Pi-Hole. I loaded the exact same DNSBL lists I was using on pfBlockNG on the Pi-Hole. Using DHCP reservation I managed to set -Pi-Hole as the DNS server on the Tradfri gateway.

Pi-Hole showed me all the DNS queries the Tradfri gateway was doing, which ones were allowed and which ones blocked. I was specifically interested in DNS queries being blocked. I saw immediately that a lot of DNS queries were being blocked to webhook.logentries.com. That DNS query did not came up when I was troubleshooting on pfBlockerNG to find out the blocked queries. I added webhook.logentries.com to the Pi-Hole’s whitelist and waiting a couple of hours. Ikea smart lights were working fine now. Even after 24 hours all my Tradfri lights were now working fine.

Now let’s remove webhook.logentries.com from the Pi-Hole’s whitelist I thought and see what happens. Within the hour my Tradfri lights were offline again. Root cause found :).

Why I made the switch to Pi-Hole

I began to investigate why pfBlockerNG was not showing the blocked DNS queries. I discovered that when I did a DNS lookup on pfSense with pfBlockerNG enabled the request for webhook.logentries.com was being “sink holed” to pfBlockerNG, but it was not showing up in the Reports tab as blocked (or allowed). Check the screenshots below what happens on pfSense.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 03

As you can see above the DNS request is blocked by pfBlockerNG because it is “sink-holed” to the DNSBL VIP pfBlockerNG is using (10.10.10.1). But when I check the Reports tab in pfBlockerNG, I don’t see the blocked DNS request.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 04

Now when I do the same DNS lookup against the Pi-Hole I can see the DNS lookup immediately in the Query Log tab:

vikash.nl - 05

The gui on the Pi-Hole makes it really easy to troubleshoot as it shows immediately which client is doing what DNS queries and which ones are being blocked. The gui is also very easy in filtering options.

Moved from pfBlockerNG to Pi-Hole - vikash.nl

And you can find very easy in which DNSBL feed a certain hostname is so you know what feed is blocking your internet traffic. It even tells you if the dns name is whitelisted. Makes management so much more easy.

This gui compared to pfBlockerNG was refreshing to me. Amazing how much time I spend troubleshooting on pfBlockerNG while the Pi-Hole showed me within minutes what was happening and where the problem was! Great tech :).

In the end

I moved from pfBlockerNG to Pi-Hole. Don’t get me wrong, I still love and use pfBlockerNG. But I now only use it to block IP addresses from certain countries and regions. It is still very useful for that.

Moved from pfBlockerNG to Pi-Hole - vikash.nl

But I don’t use the DNSBL option anymore because I have no faith in it’s reporting capabilities. And that starts to count very heavy when you are troubleshooting why something is not working in your network. Since I started using Pi-Hole I did find some other dns hostnames which were also blocked and were not reported by pfBlockerNG. One of them was to the download server of Ubiquiti for firmwares. Pretty important to know that sort of stuff.

I just can’t be bothered to make tcp dumps of my network traffic on pfSense and then use some kind of tool to analyze and try to find the needle in the haystack. So I recommend you use Pi-Hole for the DNSBL part as it is amazing at that. From the pragmatic perspective it is blazing fast and has great reporting options about what is happening in your network.

Moved from pfBlockerNG to Pi-Hole Read More

pfSense with routed IPTV and OpenVPN client for private internet access

Reading Time: 10 minutes

What I wanted was pfSense with routed IPTV and OpenVPN client for private internet access. You know that there are a lot of prying eyes who are interested in your internet traffic. I think that what you do with your internet is your business only. So I use a VPN provider to route all my internet traffic. When you do that without taking into account a couple of rules, you will break IPTV. Recently I got fiber ( Fiber to the Home – FTTH) internet at home with IPTV included. My ISP now is Xs4all (soon to be KPN). With that service comes a very nice Fritz!box and an IPTV set-op box. The Fritz!box takes care of everything. You just plug the box in and follow a few steps on the manual and you are online. Very nice :). The Fritz!box has 4 network ports. These ports can be used to connect your computer or connect the IPTV set-op box. The Fritz!box will configure the network ports automatically for internet access or tv functionality depending on what device you connect. internet access.

So I wanted to get rid of the Fritz!box for a couple of reasons:

  • use pfSense as my firewall
  • have my WAN IP address directly on pfSense (no double NAT!)
  • use OpenVPN client on pfSense to my VPN provider (for privacy reasons)
  • route all my internet traffic via my VPN provider (Mullvad)
  • be in complete control of my network at home

Getting internet to work with my fiber connection and pfSense was no issue. There is plenty of information on the internet about how to setup PPPoE and all the VLAN stuff. Maybe I will do a blog post about that some day. Routed IPTV however was a different story. I had done some research and quickly discovered that getting routed IPTV to work with pfSense is going to require more effort than the plug-and-play method the Fritz!box was using. Mullvad has a great guide on how to configure pfSense with their services here. But there are no guides out there (at least I could not find them) on how to route all your internet traffic trough you VPN provider while at the same time routing your IPTV traffic outside the VPN tunnel. Note that this is not the same as making an exception for a device in your network to access the internet outside the VPN tunnel! There is routing and IGMP and firewall rules and dhcp options in play with different networks. I will show you how to setup pfSense to route all your internet traffic trough your VPN provider and at the same time make IPTV work!

So I made a little diagram of the situation I had in mind. I decided to get a mini-pc with multiple network ports (6 in total) so I could dedicate network ports for IPTV traffic or internet traffic. There are other options you could use like managed switches but I wanted to keep things lean. The diagram below shows the setup I implemented:

pfSense with routed IPTV and OpenVPN client for private internet access - 01

So basically the layout for the network ports on my pfSense firewall is as follows:

  • NIC 0: WAN / Internet/ Xs4all
  • NIC 1: LAN – to my managed switch for all the devices in my LAN.
  • NIC 2: free (future use)
  • NIC 3: free (future use)
  • NIC 4: IPTV set-op box Bedroom
  • NIC 5: IPTV set-op box Living room

VLANs

As you can see in my diagram above Xs4all is using VLANs. VLAN 4 is used for IPTV and VLAN 6 is used for internet access. That means that I need to have two VLANs coming in on my NIC 0 (WAN) on pfSense. On pfSense management interface go to Interface -> Assignments and then click on the VLANs tab. When you add the VLANs here make sure the correct VLAN tag is entered and choose the correct network interface. Create your VLANs here and make sure they look like the picture below:

pfSense with routed IPTV and OpenVPN client for private internet access creating_vlans

As you can see in the picture below VLAN 4 and 6 are both configured to use interface igb0. igb0 is the name pfSense gave NIC 0 on the mini-pc I am using. Make sure to check the name pfSense assigns to the network interfaces on your hardware. Description is optional so use it as you see fit. In the end our configuration should look something like my config below:

pfSense with routed IPTV and OpenVPN client for private internet access - 03

WAN configuration

WAN configuration consists of 2 parts. The first part is the internet access part and the second one is for IPTV.

Internet WAN side

I am not going to deep dive in the WAN configuration part. Internet access is living in VLAN 4 and there is some PPPoE configuration involved. In the end the WAN interface will be using NIC 0 and VLAN 6. It looks like this:

pfSense with routed IPTV and OpenVPN client for private internet access - 04

As you can see my WAN is coming in on igb0.6 with PPPoE. igb0.6 stands for NIC 0 VLAN 6. That is the way pfSense is naming the interfaces combined with the VLAN tag.

IPTV WAN side

Let’s get the IPTV interface on pfSense up and running! I have named the IPTV WAN interface WAN_IPTV. This interface is on igb0 and has VLAN tag 4 assigned. You can see it in the picture above. The next step is configure some DHCP options for this interface. If we don’t do this pfSense will not be able to pick up a valid network configuration and won’t be able to pick up the IPTV feed on from the WAN side. Open the properties of the the interface. In my case it is the interface with the name WAN_IPTV. In the first part of the properties make sure that the interface is enabled and IPv4 Configuration Type is set to DHCP:

pfSense with routed IPTV 06

Now scroll down on this page because we have to make sure that we set a couple of properties here.

pfSense with routed IPTV 07

As you can see in the picture above you have to enable the Advanced Configuration option here. This will enable some options in the Lease Requirements and Requests segment of this page:

  • Send options field: in this field enter dhcp-class-identifier “IPTV_RG”
  • Request options field: in this field enter subnet-mask, routers, broadcast-address, classless-routes

Check the image below:

pfSense with routed IPTV 08

After these options you will see that the WAN_IPTV interface will get an IP address from the ISP.

pfSense with routed IPTV 09

Setup the IPTV interface (for local set-op boxes)

So let’s move on the IPTV. As I said before I am using NIC 4 and NIC 5 for my IPTV set-op boxes. That means that those set-op boxes will be directly connected to that network port. Select the interfaces you will use and assign them a static IP address. Make sure that each interface used for IPTV need to have their own subnet. In my case I will be using the following subnet:

  • 192.168.100.0/24 for my LAN (NIC 1 – igb1)
  • 192.168.112.0/24 for the IPTV set-op box in my Bedroom (NIC 4 – igb4)
  • 192.168.111.0/24 for the IPTV set-op box in my Living room (NIC 5 – igb5)

I know that the subnet I use for IPTV is a little bit big as I only have 1 set-op box on that interface :). Ah well, this works for me and maybe I will adjust it in the future to make it smaller or combine both my set-op boxes on one subnet. For now this works for me. The IPTV interface has to be assigned a static IP address. Make sure yours look something like the picture below:

pfSense with routed IPTV 10

Double check the network ports you will use for your IPTV set-op box. Below is an overview of the IPTV interfaces I will use. As you can see I have assigned the dedicated network interfaces for my IPTV set-op boxes.

pfSense with routed IPTV 11

Next step is to make sure that those set-op boxes will get an IP address when connected to those interfaces. For that to happen I will be running a dedicated DHCP server on each IPTV interface. I know that there are other options, but hey…this keeps is simple and pragmatic :). Luckily pfSense makes it easy to run multiple DHCP servers. After assigning a static IP address on a specific interface you will see that interface appear in the DHCP server configuration page. See the image below:

pfSense with routed IPTV 12

The screenshot below shows how I have setup DHCP on the interface where my IPTV set-op box for my Living room is connected. There is nothing special there. Just specify the range for DHCP here.

pfSense with routed IPTV 13

The same goes for all the set-op boxes which have their own dedicated interface on pfSense.

IGMP Proxy

We have to setup IGMP Proxy because IPTV uses multicast. The multicast traffic needs to be received by the set-op box in order to function properly. The way to get the IGMP traffic from the WAN_IPTV interface (from your ISP) to the set-op box is to let pfSense proxy it. By using IGMP proxy we also can isolate multicast traffic to only the set-op boxes in stead of flooding you whole LAN constantly with it. This in a nutshell is why we use IGMP proxy.

Go to Services and the IGMP Proxy. Enable IGMP Proxy by clicking the checkbox. Then we have to add one upstream configuration for the WAN_IPTV network and a downstream configuration for every set-op box you have.

In my case the WAN upstream interface needs to have 3 networks:

  • 217.166.0.0/16
  • 213.75.0.0/16
  • 10.0.0.0/8

These network are in use for IPTV by KPN/Xs4all. Check your ISP for what network ranges they use for upstream. See the below image:

pfSense with routed IPTV 14

We have to tell the IGMP Proxy Service also where our IPTV set-op boxes live. So for each set-op box we need to configure a downstream interface. My Living room IPTV set-op box has the network:

  • 192.168.111.0/24
pfSense with routed IPTV 15

Make sure you select the correct interface. In the end the IGPM Proxy Service settings should look like this:

pfSense with routed IPTV 16

Routing, firewall rules and NAT

Now we have to setup specific firewall rules, routing and also NAT. This blog post is about using IPTV while routing all your internet traffic trough your VPN provider in order to hide it from prying eyes. But we don’t want to route IPTV traffic trough the VPN tunnel because that will break watching old-fashoned tv using your set-op box.

My pfSense firewall is running a full-blown OpenVPN tunnel (OpenVPN client) 24/7. When my VPN tunnel is down for some reason I want to block all internet related traffic. This prevents leaking internet traffic accidentally when my VPN tunnel is down. This is also called a “kill-switch”. To achieve this I have to set my pfSense Outbound NAT mode in Manual mode and configure addition NAT rules for my IPTV set-op boxes.

NAT Mode

I will not discuss in this blog post what the consequense is in changing NAT mode to Manual. The network configuration in Manual NAT mode requires additional settings and this can be different depending on your VPN provider. If you are using Mullvad they have a terrific guide here. Go to Firewall -> NAT and click on the tab Outbound.

pfSense with routed IPTV 17

For every local network used for the IPTV set-op boxes we have to add specific NAT rules. We have to tell pfSense to send all the traffic from those networks trought the WAN_IPTV interface. In this way the traffic will not get trough the VPN tunnel.

For the IPTV set-op box in my Living room I have added a rule here with the following configuration:

  • Interface: WAN_IPTV
  • Address family: IPv4
  • Protocol: any
  • Source type: Network
  • Source network: 192.168.111.0/24 (the subnet for my IPTV in the Living room!)
  • Destination: Any

See screenshot below:

pfSense with routed IPTV 18

We have to add one very important rule here. The network 224.0.0.0/8 has to added here and also routed trough the WAN_IPTV. Again check your ISP for details on the network. Add it using the following configuration:

  • Interface: WAN_IPTV
  • Address family: IPv4
  • Protocol: any
  • Source type: Network
  • Source network: 224.0.0.0/8 (the subnet for my IPTV in the Living room!)
  • Destination: Any

See the screenshot below:

pfSense with routed IPTV 19

After adding all the rules relevant for your IPTV set-op boxes your configuration here should look something like this:

pfSense with routed IPTV 20

Routing and firewall rules

The next (and last) step is to add the correct routing and firewalling rules. Per IPTV interface we have to add two rules. One is to route the IGMP traffic and the other one is to route the IP traffic. If you go to Firewall -> Rules you should see several tabs there including the ones specifically for you set-op boxes. Select the tab for your set-op box and let’s add the IGMP rule first.

The IGMP rule should have the following configuration:

  • Action: Pass
  • Interface: IPTV_Livingroom (select your set-op box internal network here!)
  • Address Family: IPv4
  • Protocol: IGMP
  • Source: any
  • Destination: any
  • Advanced configuration: check Allow IP options

The Allow IP options is very important to allow multicast traffic. See the following screenshot:

pfSense with routed IPTV 21

The second rule must be configured with these options:

  • Action: Pass
  • Interface: IPTV_Livingroom (select your set-op box internal network here!)
  • Address Family: IPv4
  • Protocol: IGMP
  • Source: IPTVLIVINGROOM net (select the subnet where your set-op box lives in!)
  • Destination: any
  • Advanced configuration: check Allow IP options

You should end up with these rules in the tab for your set-op box:

pfSense with routed IPTV 22

As you can see I have also added some other rules. The one relevant here I think is to block all traffic from the IPTV subnet to your LAN. It’s up to you if you want this. I added that just because :).

So there you have it. You should now have a fully functional network where your IPTV traffic is routed to your ISP and all your internet traffic is seperated and routed trough your VPN provider. This setup also makes it so that when your VPN tunnel is offline your set-op boxes will still work given that your WAN is off course fully up and running. Very nice!

At the end I want to make clear that I am in no way connected or affiliated to the brands or services I named in my blog post.

pfSense with routed IPTV and OpenVPN client for private internet access Read More

Added value of Citrix Endpoint Management with Microsoft EMS/Intune

Reading Time: 4 minutes

What is going on?

As you know, that if you do anything with Enterprise Mobility Management and Office365 apps for Bring Your Own Devices (BYOD) or Company Owned Devices (COD), you can hardly do anything without Microsoft EMS/ Intune these days. We all know the most popular Office365 apps: Word, Excel, Outlook and PowerPoint. Other Office 365 apps like Microsoft SharePoint of Microsoft Dynamics 365 may be less popular but are still mission critical for organizations.

I have yet to encounter an organization that only uses Microsoft Office 365 apps on mobile devices. How about you? Mobile app deployment of most enterprise organizations these days looks like this:

  • Office 365 apps.
  • Other native mobile apps.
  • Custom build apps.
  • Web and SaaS apps.
  • Virtualized apps.

So, all these corporate apps have to be delivered to the end user on their device. It also means that you, as the company, want to have an insight in what is going on in these apps. The data in these corporate apps is yours, so you want to know how your data is being handled by the app on the user device? How is the user experience, regardless of internet being slow or even not available? Or on what platform does my app run? Your IT department wants to be able to answer all these questions.

How do we do it?

This is where Citrix Endpoint Management comes in! It allows us as IT to protect and isolate corporate data and apps from personal apps and data. Do you worry about how to deliver your corporate apps to the user? Stop worrying because with Citrix Endpoint Management comes with an app store. This is a secure and private app store specifically designed for the enterprise. In this app store you can use corporate apps and public apps. You need a public app to stay on a specific version for say compliance reasons? No problemo with the app store integrated in Citrix Endpoint Management. The Citrix Endpoint Management Appstore allows you to use apps from public app stores with your corporate policy on them! How cool is that.

Citrix Endpoint Management also delivers functionality like exchanging data and documents between Office 365 apps and corporate apps. That is not all. Because Citrix Endpoint Management can deliver per-app-micro-vpn. Your IT department can guarantee how data in motion is being handled. This is where Citrix Application Delivery Controller (ADC) comes in play. Formerly known as NetScaler, ADC can provide per-app functionality for all the corporate mobile apps. See the diagram below.

Overview Citrix Gateway for micro VPN
Overview Citrix Gateway for micro VPN (Source Citrix)

Let’s say that your employee is on the other end of the world and needs access to that very important research document? No worries. ADC will make sure that the session to deliver that document to the mobile device is fully secured and encrypted. Also, when the document is on the mobile device, Citrix Endpoint Management will secure that data at rest. How cool is that!

Micro-VPN to on-premise data (Source Citrix)
Micro-VPN to on-premise data (Source Citrix)

Security nirvana does exist!

It does when you use Citrix Endpoint Management with Microsoft EMS/ Intune. I often get the question: Vikash, why do you need Citrix Endpoint Management when you have Intune? My answer then is simple: Do you want first-class security, enhanced user experience and flexibility for apps and devices? You need Citrix Endpoint Management with EMS/Intune.

Let me explain. With Citrix Endpoint Management we can see what is going on in the communications layer for every user and every session and every app. That means we can deploy access policies based on app, user or device. And with device I mean not only mobile devices but also laptops and tablets. All these devices in the end-user space can now be made fully compliant with your corporate IT security policy! Amazing.

Interaction between Office 365 apps, ShareFile and Secure Mail (Citrix mobile apps) is seamless. Citrix makes that possible, because they use Microsoft EMS SDK. The data on the device stays in the secure enclave provided by Citrix Endpoint Management. While other vendors need to make a so-called bridge to exchange data between Office 365 apps and their corporate apps, Citrix mobile apps are “Intune-enlightened”. Below is an overview of the seamless interaction.

Secure Mail with Intune App Protection (Source Citrix)
Secure Mail with Intune App Protection (Source Citrix)

I am convinced!

Let’s face it. If you have Office 365 apps running on mobile devices, then you need an EMS / Intune infrastructure! Because you want to know what happens with your corporate data on those devices right? No questions there, if you ask me. But nowadays with security being more and more a critical aspect for enterprises you want to be at your a-game. Citrix Endpoint Management enables you just to do that. Let’s talk bullet points here:

  • Do you have Exchange on-prem? Regardless you want the higher level of security with the per-app vpn option.
  • Security for data in motion and data at rest.
  • Fine grained setup of policies for Mobile Device Management and Mobile Application Management.
  • Seamless integration of all Office 365 apps with Citrix Secure Mail. It just works.
  • Single pane of glass to manage different devices and platforms.
  • Wide range of supported devices (MacOS, ChromeOS, tvOS, Raspberry Pi, Android, iOS, Windows 10).
  • Enterprise app store for all your corporate apps.

Below is an architectural overview of how Office 365 apps can be integrated with Citrix Endpoint Management.

Architectural overview (Source Citrix)
Architectural overview (Source Citrix)
Added value of Citrix Endpoint Management with Microsoft EMS/Intune Read More