PiVPN (OpenVPN + WireGuard) Pi-hole and ZeroTier

PiVPN, Pi-hole and ZeroTier

This recently updated blog entry started off back in 2019 as a simple comment on the amazingly useful PiVPN with OpenVPN and has branched out a lot since then – now covering the (now default) WireGuard option) and the completely unassociated ZeroTier VPN solution.

Before we start, here is a link to the various sites for PiVPN, Pi-hole and ZeroTier for those who like to dive straight in and need no introduction. Personally before I started all of this, the idea of a VPN terrified me. Along the way, this blog entry by Marc Stan helped me a lot.

PiVPN

PiVPN is a Raspberry Pi installer for OpenVPN (and more recently – in addition, WireGuard), whereas Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Like many people I find the subject of secure VPNs to be torturous. I’ve covered backups elsewhere since discovering the absolute importance of being able to do them easily but only recently have I discovered the fun and security relevance of having my own domain blocker to stop some of the ads coming in (Pi-hole). as well as a secure VPN so I can access my stuff at one location, securely when I and my non-existant support team are not there.

After months of casual investigation into VPNs I stumbled across PiVPN. For the majority out there who are turned off by the subject… this is REALLY, REALLY easy and the PI does a great (though not stunningly fast on OpenVPN) job of being a VPN server while doing other jobs like home control. It also easily handles Pi-hole and hence can do blacklisting and whitelisting for your whole network.

While out in Spain for the summer back in 2018 I originally (easily) installed PiVPN onto the Raspberry Pi 3 board (using Raspbian Stretch ) I used to control my home (and which was hence active 24-7) and more recently I’ve moved to Raspberry Pi 4 – after upgrading all my Raspberry Pi kit in Spain and the UK to Raspbian Buster. Go to the “Marc Stan” link above and you’ll see this is a no-effort-or-skill install. Oh, your router, you need to direct ONE port to the RPi – there is a “normal” default port but you can use any port you like. The link also describes Pi-hole – here it is.

PiHole

Pi-hole is very easy – PiVPN needs a “client” on your phone, Android TV or PC for OpenVPN. This needs a “certificate” but you can forget that as it is handled by the installer (don’t know why I even mentioned it).

Once PiVPN is installed on the RPi with OpenVPN, type (as user pi) “openVPN add”, add a password and a certificate is automatically generated. This is just a text file which you can copy to your mobile phone, computer etc. for the OpenVPN client. There really is nothing more to it than that.

When in Spain, I had previously communicated with my kit in the UK on the mobile using lots of open ports – hardly secure and no good for acessing the BBC iPlayer while away from the UK… so next I put the OpenVPN “client” on my UK RPi so I could access it from any of my machines in Spain with only one port redirection on the router. Sorted.

I then did the reverse and installed PiVPN in Spain. So now, instead of having a shedload of open ports for various control and monitoring systems remotely, I only needed the one port open. All of this software is free – PiVPN is a great project as is Pi-hole!

Pi-hole

Putting PiVPN together with Pi-hole makes the investment in a Raspberry Pi a no-brainer – especially if that same RPi is running the home control and (for example) heating control etc. No reason you could not do ALL of this on a Pi3 but I’m playing safe as I want the controller to do a LOT so today I use RPi4. As I update this blog on my Windows 10 PC – Pi-hole has reduced the incoming traffic on the web by a large margin without me noticing any missing stuff. While on the road one day in the UK, late winter, I had the VPN client running on my mobile and watched the stats as Pi-hole protected my phone, reliability 100% – check out this YouTube video – oh, and updating Pi-hole is as simple as typing “pihole -up” without the quotes.

How things change – July 2020 and I was back in Spain – and after many months of reliable operation, I found myself unable to reliably VPN to either my Spanish or UK installations thanks to PiVPN changes. To cut a LONG story short, at some point the OpenVPN setups had updated automatically and would no longer work.

On a hunch I uninstalled PiVPN on my Pi here in Spain and reinstalled, adding new ovpn clients files to my phone and elsewhere. Worked a TREAT. Sadly this would not work for my UK installation thousands of miles away.

Thankfully, before I’d left the UK earlier in July (MUCH later than planned thanks to the pandemic) I’d installed the device-to-device VPN Zerotier on advice from Mr Shark. This led me to a very early start two mornings in a row to access my UK PC which only stays on for a very short time every day. Once in, I could update PiVPN on my UK Pi and was once again in business. Beats taking a flight (especially right now – at the time of updating, the UK government has implemented new quaranteen restrictions on people coming in from Spain)!

In the process we realised that, as the RPi4 is active 24-7, a great idea would be to run a VNC session on the Pi (I use Mobaterm as I’ve detailed elsewhere) to access my IOT gadgets by name – using their web interfaces (which are not exposed to the outside world). Good but I’ve not used TightVNC for some time – and while having that available on the RPi4 constantly is simple to implement – I noted that SEVERAL guides out there are either out of date, incomplete or just WRONG – and that prompted me to update this blog entry.

Mr Shark pointed me to THIS guide without which I could have wasted many hours – that got me up and running. THIS guide for example is incomplete and while it gets TightVNCServer running it does NOT correctly set it up to run automatically from power-up – some other guides are worse, using utterly outdated methods of setting up services which no longer work.

I am using PiVPN – and having recently replaced a decent Draytek router here in Spain (thanks to lightning) with a rubbish TP-Link V7 (which does not handle mDNS or internal domains) – I found I needed to use Pi-hole to handle all DHCP in here as it DOES handle mDNS. Why? I need to access my Tasmota and other devices by name rather than IP address for ease of use.

So, now I was up and running I checked out the previously unused VPN server (again OpenVPN) on my Synology Diskstation back in the UK and after disconnecting from PiVPN, turned on the DS version. That worked but was no good for watching the BBC iPLAYER in Spain as it did not force all traffic through the UK (hence no iPlayer and Netflix shows more movies in Spanish than English – all of this applies to those of you who spend their time split between any two or more countries). A quick call to Synology support led to a slight setting change which sorted that.

Result… the Synology VPN server is much faster than the Raspberry Pi OpenVPN VPN as you can imagine – which, while not important generally, means faster i-Player access on limited bandwidth – but of course you have to have a Synology Diskstation for that. I have an inexpensive one (DS14+) with 2 hard disks operating as one (RAID) all of which has operated reliably for several years. As for the photo – I’ve no connection to Synology – I’m just greatful for their support for an old device.

Diskstation

So now, I had two VPN solutions – but what about this ZeroTier? Well, that is just for device to device access, isn’t it? Erm, no. I’ve not yet figured out how to access the i-Player in the UK using ZeroTier but thanks to comments from helpful readers in here, a little work and this link, I’m starting to take a liking to ZeroTier because (as well as device-to-device use) it give me remote access to my devices in a “device to network” configuration – see comments – and makes a great backup for the full VPN solutions – again (with in this case the limit of up to 100 devices) free to use.

WireGuard update November 20, 2020

Things change and I’ve now updated PiVPN to use WireGuard (no effort involved) which is not only smaller than OpnVPN but much FASTER – so although the Diskstation is still king, PiVPN using WireGuard is fast enough that I can justify bringing the Synology here to Spain while leaving a decent VPN on the Pi in the UK. I’ve been checking out the BBC iPlayer, YouTube and other stuff and I’m no longer getting  indecipherable Spanish ads on YouTube and both iPlayer and YouTube produce decent HD when running back to the UK with WireGuard.

WireGuard

Following information on the web, I simply took my existing PiVPN installations and updated as such:

curl -L https://install.pivpn.io | bash

I left dhcp settings as before. I left the user as before. I selected the (now default) WireGuard option

I noted the default port of 51820 and added a port forward on my router. I left the dNS provider as PiVPN-is-local-provider to make good use of Pi-hole.

Now, the instructions I found for adding a client file were out of date and (using “boris” as a client file name) suggested:

pivpn add
boris

Not quite!

It is now:

pivpn wg add
boris

As you have a choice of WireGuard or OpenVPN!

As user pi I discovered a boris.conf had been placed into /home/pi/configs (a new folder). You can then use that boris.conf with WireGuard clients which are freely available for PC, MAC, Android etc

You CAN edit the config file – removing IP6 config for example or changing the name or port. The SERVER config master file can be found in /etc/wireguard.wpg0.conf and that can be edited by user ROOT.

WireGuard really is that easy – easier than OpenVPN in fact and most importantly, FASTER.

The guy who’s videos I watched to get to grips with WireGuard is called SPACEREX. I suggest subscribing to his video channel. Interesting chap, humble and to the point without the usual annoying “hi guys how are you doing” and other introductions seen on so many videos. Best investment of a couple of hours I’ve made in ages.

December 1, 2020 Update

Of course – there are alternatives to hosting your own VPN – you could for example pay for one of the many inexpensive VPN services out there. A BBC-licence-paying friend of mine (just like me – here in Spain right now) asked me to help out. I spotted a Cyber-Monday deal and put him onto it.

PrivateInternetAccess.com claim to offer “19538+ servers in 76 countries” for a stunningly low €1.84 a month on a special offer. Bargain, right? If you think this is an ad for them – read on…

BBC iPlayer - or NOT?

I’m now feeling quite sheepish about having suggested this offering to said friend. When his BBC iPlayer responded with a warning about not being in the UK, together with complete refusal to work, I contacted the company above who responded…”Hello Peter, thank you for contacting us here at Private Internet Access. I am sorry you are experiencing issues with accessing the BBC iPlayer. This is currently a known issue with PIA and we currently do not have an estimated time for when a resolution will be available”.

FAT load of use that is. Basically if you are in Australia or the UK you are all out of luck. Wish I’d seen this earlier. Very annoying and we’re now looking for a refund. I wonder how many other VPN services this applies to.

Meanwhile, I’m having no issues with iPlayer at all on my own Wireguard, or Synology VPN setups (OpenVPN is also working a treat but a tad slower than the other two).

January 2021 – issues with Wireguard on the RPI – with the updated 64 bit RPI operating system – Wireguard no longer works (thankfully it still works on my UK Diskstation). I’m hoping someone will soon come up with an EASY universal fix.

July 2021 – Wireguard working on the RPi – I don’t think I put the 64 bit op Sys on this one – so it’s fine – it also looks like there is NO chance of getting Wireguard on the DS214+ – too old apparently despite working utterly perfectly.

117 thoughts on “PiVPN (OpenVPN + WireGuard) Pi-hole and ZeroTier

  1. Good Steve, but I don’t use Home Assistant – quite happy using Node-Red to control everything directly via Mosquitto (in fact there’s no reason I could not use the MQTT node . I can’t imagine that Wireguard will be left to rot on Pi… 32 bit would be fine but I have no idea how to downgrade back to the 32 bit version without losing my substancial installation – any thoughts welcome – I only ugraded because it seemed the right thing to do 🙂

  2. Can’t speak as to the issues with the 64 bit version of Raspberry Pi OS and if the 32 bit version is not suitable another alternative is the 64 bit Pi version of Home Assistant – I can confirm that wireguard works fine on that and the install and upgrades are extremely simple.

  3. “January 2021 – issues with Wireguard on the RPI – with the updated 64 bit RPI operating system – Wireguard no longer works”
    Can you be more specific about this? I just bought a RPI to dabble in the whole networking thing and wanted to install PiVPN on it with Wireguard.

    1. Nope, I’ve no idea but I can confirm that in January I checked and there is an issue with Wireguard now and the RPi – unless anyone has any later information. Apparently comments in here https://www.reddit.com/r/WireGuard/comments/kbb5r5/raspberry_pi_cant_start_wireguard/ helped some folk but not others. I’ve not had time to progress this but Wireguard is still working on my now 8 months-since-updated RPI4-based Raspbian installation back in the UK, but on my local Pi 4, updated to the latest 64 bit “Raspberry Pi OS” in December, no such luck. PiVPN and OpenVPN continue to work but not Wireguard. If anyone knows better – please do comment.

  4. Hi Pete –

    My first post here. I found my way to your site a year or so ago when I was looking for a backup power supply for my Ubiquiti Cloud Key. I was very intrigued to follow the progression of what you were working on (“Kitchen Sink” etc) that I decided to hang out for a bit. Ended up looking through the entirety of your posts and reading about 1/3 of them. Really good stuff which have inspired me to buy a few trinkets (from BangGood naturally) or try some new things – – including the present topic: ZeroTier.

    Long story short… After struggling with it for the last few weeks and reading nearly 100 web pages on the topic, I finally found two different step-by-step ZeroTier install guides which are excellent and require almost zero networking knowledge to implement: One guide is for configuring a client on Raspberry Pi; The other is for configuring a Digital Ocean Cloud Droplet running Ubuntu and with Zero Tier configured as a VPN exit point. Here are the links:

    Pi Guide: https://peyanski.com/raspberry-pi-into-vpn-video-how-to/
    Droplet Guide: https://www.digitalocean.com/community/tutorials/getting-started-software-defined-networking-creating-vpn-zerotier-one

    You can simply combine the guides in order to configure your Pi as the VPN exit point back in UK. I have configured two DO Droplets: one to exit in SFO (California); and one to exit in London. Similar to the experience of others, the London VPN exit point will not allow me to access BBC. This is due to BBC’s use of detection algorithms that more or less assume that traffic exiting a known cloud data center IP address is tunneled / VPN and therefore verboten. 🙁

    I think the solution for those seeking BBC access is to go the Raspberry Pi route as its exit point IP address would be that of your UK-based home router and therefore escape detection by BBC’s algorithms.

    Anyway, I hope the links above are helpful for you and for your other readers here. Thanks again and Happy Holidays and Happy New Year to you all.
    Rgds…
    – John in Switzerland
    PS: Did you ever finalize the backup power supply project? I’d love to build my own if you have plans or instructions to do so.

    1. Hi John and WELCOME. As you may have gathered I do this blog for fun and for knowledge sharing – not for business – so feedback is immensely helpful to me as I don’t have a “team” behind me. What DOES help me is when people buy from links on my blog which are often personalised. That does NOT mean that companies get good reviews for the sake of it.

      I’m fortunate enough to not NEED any of this so my reviews are always 100% honest (I don’t do commission butI do insist they send me kit so I have first hand experience with which to write), it would not be the first time I’ve slagged off a product because it turned out to be no good… and feedback from subscribers helps me find both good points and faults in various designs – often long-term. You may have noticed the odd IP camera review – not all came out unscathed and several of those cameras end up either on my own home here in Spain or the UK, on on those of friends and/or neighbours. I mention that as I’m just about to put up two new solar camera reviews – at this point I’ve no idea how they’ll work out but I’m hopeful. Look in maybe mid-week.

      Thank you for the links above – I’m really enamoured with Zerotier – and also PiVPN, originally using OpenVPN – which works perfectly but is a tad slow – and now with Wireguard – a lot faster. They all have their uses. Clearly PiVPN+Wireguard if using the VPN to get TV from another country like the UK… my high speed Voda broadband there gives me 20Mbps upload hence in Spain I can get iPlayer etc eithout paying for a third party VPN service – in future I’m hoping for even higher upload speeds but at both locations I’m in rural areas. I will read both of your above links later this evening.

      AH, I’ve just read the rest of your response… yes, ZeroTier – I could NOT get the BBC with ZeroTier – PiVPN – no problems – now, I also have a special case in that I left my Synology NAS in the UK and put Synology VPN with Wireguard on THAT – improves the iPlayer here even more but at first THAT would not work – until I took the plunge and simply emailed Synology support – unbelievable – several years ago I was the IT director of the UK’s FSB (Federation of Small Businesses) and as I’m a hands-on type, they bought me the Synology NAS which has been flawless 24/7/365 for years now – I’ve had no dealings whatsoever with Synology since then yet I asked for help to get Synology VPN running so I could get iPlayer here in Spain – a VERY helpful young guy there had me up and running in no time (they should take over Vodaphone’s customer service!!). In case it isn’t obvious, VPNs are not my strongest point – but PiVPN got me started without breaking a sweat.

      Yes, in short, your feedback is most welcome – keep it up – any time – appreciated – and Happy New Year to you over in Switzerland. Power supply – no – Aidan Ruff, I believe, did more with power supplies after that but I think we both got sidetracked. My RPi4s currently run off large desktop UPSs along with the PC (but not monitors) (I got one for the UK and one for Spain – £65 each from Amazon I think… Salicru…) well, they just work…

      Thanks again..

      Pete

      1. Sincerest Thanks Pete –

        It makes me happy to contribute something back to you and the family here. 🙂

        I found the ZeroTier instruction links quite easy to follow. Nonetheless I would like to have feedback about your (or others’) experience using them together to configure their Pi. If merging the two separate instruction sets isn’t intuitive enough, I wouldn’t mind doing a write-up here to merge them. Properly done, it should trivialize the process to setup a Pi server / VPN exit point using ZeroTier. Please let me know what you think?

        As for the Pi UPS, I’m quite interested to see what Aidan has done with it. Does he have a website or blog where I could follow or contact him?

        Wishing you all happiness and health on Silvester (Swiss New Year’s Eve).

        Mit freundlichen Grüßen von der Schweiz…
        (With Friendly Regards from Switzerland)

        – John

        1. Hi John
          I have one back power supply running on my bench. Unfortunately, it doesn’t quite have the capacity to run a Pi and melted the buck converter!

          However, fortunately, I did a better design and I’ve received an updated PCB with a much more meaty buck converter.

          I’m waiting for some parts, but I’ll get it built and pass Pete the details. It’s designed to be able to handle both charging of the batteries and running a load, unlike everything else we’ve looked into. I’ve put it into a DIN rail case (available from RS components) so that it’s easy to mount. I’ve started using DIN rail cases for my RPis as it makes the final solution much more professional looking.

          1. Hi Aidan / Hi Pete –

            Are either of you familiar with this Pi UPS? I ran across it at a Swiss Pi vendor and looks promising as it ticks a lot of boxes for me:

            1) Automatically shut-down if there is a power failure
            2) Can monitor & reboot once power is restored.
            3) 5V 3A output
            4) Powered by and the battery pack charged via the GPIO pins, so no additional cabling required.

            I have just ordered one to see if it lives up to the claims. Compulsory links follow:

            https://www.pi-shop.ch/ups-pico-uninterruptible-power-supply-i2c-control-hat

            https://www.pi-shop.ch/downloads/dl/file/id/316/product/998/manual_ups_pimodules.pdf

            Please let me know what you think. Sincerest Rgds…
            – John in Switzerland

            1. Hi there John

              Thanks for that – well, converting that to Euros – around 40 Euros – I’m guessing plus tax and duty which could be significant? And they’re ad claims “5V 3A output, designed for use on the latest Raspberry Pi 3B+” suggesting an old design as there is nothing new about the Pi 3B+.

              I took a brief look to see if Pi-Shop is part of an international chain but didn’t get anywhere.

              5v3A…. sounds about right, would perhaps need a connector rethink for Pi4? (USB-C). That price looks ok but not stunning – I’ll leave it to others to decide but the spec at first glance seems up to the job.

              1. Definitely pricey but given the prices I see on Amazon and elsewhere for Pi UPS’s of any flavor or quality (typically 25-35 Euros)… I don’t think 40 Euros is out of line. Once I receive my unit I will test it on my Pi3b (my original reason for buying it) and also on my Pi4. I will of course report back my findings. My only fear is that it will be too complicated to configure. The operating manual is ~150 pages long and my goodness there appears to be options for anything and everything configuration-wise.

                One potential benefit of purchasing could be to further advance the Dog’s Breakfast and Kitchen Sink efforts. 🙂

                Will report back once I’ve had a chance to play with it.
                Rgds…
                – John in Switzerland

                  1. Good news!

                    My shiny new Pi3 UPS arrived early yesterday morning.  Turns out this item comes from a company called PiModules http://www.pimodules.com (no affiliation).  Seems they only market to industrial users – – which explains why I never ran across a UPS of this calibre before despite 2 years of searching.  Although the unit I got is “Designed for the Pi3 series”, it will work with the Pi2 and the PiZero (and although not yet tested, I suspect on the Pi4 as well. Stay tuned for that as I’m going to try it on my Pi4 in the next few days.

                    For now, though, I’m writing about my experience installing and configuring the UPS on my Pi3b. Right…

                    So the Pi3 UPS I received seems an impressive piece of kit.  Not only is it a UPS, it also has user three programmable buttons, programmable LED’s, has POE available, can perform fan control, works with various sensors (temp, humidity, etc), has three A/D converters, can receive IR signals, can programmatically control an onboard relay, can change its charging profile based on battery chemistry, and seemingly much more.  Of course I didn’t need any of those features.  I just needed a plain vanilla UPS that would gracefully power down my Pi3b on power outage and then re-start the system on power restore.  So, that is what I’m reporting on here: The “Plain-Jane” UPS features.

                    For those interested, I reproduce below links to the user manual PDF (150+ pages) and product page where I purchased mine here in Switzerland:

                    https://www.pi-shop.ch/downloads/dl/file/id/316/product/998/manual_ups_pimodules.pdf

                    https://www.pi-shop.ch/ups-pico-uninterruptible-power-supply-i2c-control-hat

                    So on to my high-level impressions of the PiModules UPS:

                    1) Functionality. So far (after 36 hours) the unit works very well as a UPS. Shuts down and re-starts when it’s supposed to.

                    2) Documentation. The docs from PiModules are a train wreck. No quick start guide. The user guides are verbose (150+ pages), outdated, and overly complex (you’d benefit having an EE degree or Coding experience to understand them). The first use guide starts on page 73. Why?!!!

                    3) Support. Their Github site, company website support, docs, and instructions are lacking. It appears that support is an afterthought for these guys… which is unfortunate as their UPS seems to be quite a feature-rich piece of kit.

                    5) Feedback. Various forum threads have mixed feedback. Some love them. Others not. I read some posts from industrial users who walked away in 2016/2017 due to lackluster support or buggy firmware from PiModules.

                    6) Recommendation. If you’re not put off on the price, buy one. The feature that was priceless to me is that the UPS HAT doesn’t require a separate power source like … well like almost all of the others I’ve seen.

                    Some additional random thoughts and guidance for those thinking to buy/install/configure one of these on their Pi3…

                    The notes below were assembled in hopes of saving someone from 5+ hours of reading, researching, and experimenting on their first time install. With 150+ pages in the user guide, I would have welcomed such help. Hope you do too! 🙂

                    – Before installing the unit onto your PI…Be sure to solder in the gold plated reset pin (page 43).  This is shown as optional but I already found the need to reset my unit manually a couple of times as I was figuring out how it works.  Not sure what I would have done without it.  If using a non Pi3, I think you could solder a wired connection to the “Run” pad appropriate for your particular Pi.  But I caution that I have only used this on my Pi3b but I will try it with my Pi4 in the next few days.  I will report my findings here after.

                    – I don’t recommend you to solder the “magic switch” on to the board as there are known complications that can result if you accidentally set the switch to the wrong setting when powering up.  As I just needed basic features I left this off.

                    – Install the buzzer (page 48).  If you want audible alerts, of course (this is otherwise optional).

                    – OK.  Getting now to the actual install…

                    – Install the UPS hat on top of your PI’s GPIO pins, power up your Pi, and then advance to the bottom of page #63 of the manual.

                    – Closely or blindly (if you’re a linux newb like me) follow the software install instructions from page 63-67.

                    – Wait for battery to fully charge.

                    – Road test it.

                    – Take note of the usage instructions on page 73.  Yes.  You have to suffer through 70+ pages before figuring out how to use the bloody thing.    Arggghhhh. A quick start guide would definitely have been appreciated here!

                    – Take note of LED indicator explanations on page 83.

                    – Take note of button usage outlined on page 85.  Understanding how these work is critical so be sure to invest some time reading this part.

                    – And if you get yourself into trouble, kindly take note of the factory reset procedure on page 138. Yep. From usage instructions to reset guide took 50+ pages. Again: Why??? #PalmHitsForehead

                    – Generally speaking the install was fairly straight forward and although it took ~5 hours to get it working, the next one will likely take me 30 minutes. 

                    – User Guide: Although the user guide is lengthy, it is poorly written and poorly organized.  As mentioned no Quick Start Guide available.  Having said that, it does contain a wealth of technical info with pages and pages of registers and such that a programmer would need to exploit the true power of this thing.  So again the guide is long and detailed but not easy to follow for simply setting one up.  So again…. I hope the notes here are of help to others.

                    – My unit is working fine after ~36 hours of various testing modes.  Disconnect power.  Disconnect battery.  Re-Apply power whilst powering down, etc. etc.  Everything seems to be working as expected.

                    – Regarding Firmware:  If you surf the PiModules website, you’ll see that they have some firmware updates available including one that doesn’t tie up any of the GPIO pins.  They called this “GPIO FREE” firmware and apparently it works by sensing voltage and other electrical characteristics to assess the health of the PI without needing to reserve GPIO pins for the UPS.  This didn’t matter to me but it might be important for others who are looking to stack other HAT’s on top.  Well needless to say I didn’t bother to update the firmware as I had no need for any of the fancy features. 
                    !!! UPDATE !!! – – I ended up needing to update my firmware to fix a bug where the UPS hangs when power is re-applied during the shutdown process. I will report later if this actually fixes the problem or not.

                    With so many features (and with many of them beyond my skill set), I couldn’t possibly provide a proper review of all of them. But as I said before, I just needed a UPS that will gracefully power down and then restart once power is restored.  In this regard, it looks like this one does do the trick. 🙂

                    As I was wrapping this post up, I just noticed on the PiModules website that they now have “Designed for Pi4” units in pre-production with first deliveries expected in March/April.  I will likely pick up a few of those once they’re available.

                    In the meantime, I will continue to assess operation on my Pi3b and will try my current “Designed for Pi3” UPS with my Pi4 in the next week or so. Keeping my fingers crossed that she works. If not, I’ll just have to wait until the “Designed for Pi4” units are in stock here locally.

                    Stay tuned !

                    Rgds…
                    – John in Switzerland

  5. “Sadly this would not work for my UK installation thousands of miles away”

    I know It seems a long flight but ?

  6. Zerotier is just a management layer for WireGuard (also a part of PiVPN now as you say).

    With PiVPN running on a pi in each country (or on your Synology, say) there’s no reason why you couldn’t just have two non-overlapping subnets – one in the UK (192.168.0.x say) and one in Spain (192.168.1.x), both connected to each other full-time via a WireGuard link such that when you’re present on either network you would be able to access the devices on both as if they were all local. That is to say, you could just as easily hit a UK product web interface whilst in Spain and vice-versa. No need for VNC sessions (unless you want them to manage the Pi, say).

    You could also add your phone into the mix such that it could connect to either pi and access both subnets regardless.

    The main selling point of Zerotier is the simplified management of a large number of devices, and making sure every node connects to all others, but in the case of just two ‘sites’ and a mobile there’s no reason to involve them given how WireGuard will run natively on your existing kit.

    Moving the ‘site-to-site’ aspect from OpenVPN to WireGuard will also yield big performance improvements – it’s more much efficient both in terms of routing speed and CPU load.

    Useful search terms to go this route (pun intended): ‘site-to-site WireGuard’

    1. I’ll come back to this – looks very useful – I’m still slightly terrified of VPNs. Right now I’m updating blog theme files to keep my service provider happy. What a way to spend a sunny day. So, clearly I have Zerotier running on device to device and now device to site… you’re saying I can go the whole hog and do site to site just like pivpn (which is running openvpn)?

      1. Sorry Peter, threw you a swerveball there – when I said ZeroTier was a wrapper of WireGuard I was thinking of another product, TailScale. Regardless, the featureset of ZeroTier and TailScale are commensurate so shouldn’t affect the gist of my message. Just wanted to clarify for any other readers! TailScale uses WireGuard, ZeroTier uses it’s own tech. Feature-wise they deliver the same thing.

        Right, on to your feedback. I think we’ve got two distinct things at play here.

        1. Creating a site-to-site connection such that devices on either one can see the entire set of device as if they were colocated. I normally do this just with the VPN itself but whereas getting the VPN connection up is trivial, the *routing* isn’t if you’re not used to it. However with ZeroTier you simply set both Pi’s as nodes and have them route between them. First Google hit (not mine) was:

        https://mangolassi.it/topic/19493/zerotier-site-to-site

        So upshot is you need to make sure UK and Spain have different subnets so there’s no duplicates between Spain/UK, have the Pis both join ZeroTier and let Zerotier handle passing the data via it’s link when you want to talk to devices in the ‘remote’ subnet. As per that link there is a bit of config going to be needed on your router(s) too. Basically it is to say to pass traffic for the remote subnet over the the local Pi (where the ZeroTier routing takes over and passes it to the remote Pi).

        2. How to get devices to exit from one specific node (iPlayer). To be honest I’ve never looked into it. Although it seems silly if you have a full site-to-site setup in place I’d probably still resort to having that android box do a bog-standard VPN back to the UK using OpenVPN. I’m certain it could be accomplished but you’d be getting into setting up specific routing for certain devices. As I’m not using ZeroTier day-to-day not sure what that would be but if I get a bit of time I’ll have a play.

          1. Surely you don’t need aircon in the NE Peter! Has there been a weather aberration? Or perhaps you have an office in Spain too? That would be nice.

            1. Hi Bob – as of mid-July we have finally escaped the frozen Northeast of England and are settled in Southern Spain for a long as possible – months at least. Quite the opposite problem – keeping cool but this (reversible) aircon seems to do the trick. Hopefully is will keep the temperature stable so I can catch up on my blog and videos in between trips to the lake (until they lock it down).

    2. Hi SC

      We just spotted this in the Android ZeroTier – by clicking on the row – it looks like, by clicking the checkbox you can force routing by ZeroTier… BUT as I have a pi in the UK and a Pi in Spain buth on the ZeroTier network, how would an Android box in Spain know which country it is supposed to be in (important for iPlayer)? Sorry if this is obvious?

  7. I use OpenVPN (manually configured years ago, before PiVPN existed). I have my holiday home Pi devices “phone home” via OpenVPN and they check the tunnel and if it drops, they try reconnecting (in case of a network drop at home or at the coast).

    Anyway… for Pi devices and other ‘Debian’ linux boxes, I have a backup/alternate “adhoc VPN” option which I have used happily for over 4 years now – “remot3.it” (recently renamed “remote.it”)…that’s the web url.

    It temporarily opens up weird ports and redirects…but only when you initiate a connection.

    https://remote.it/developers#features

    No affiliation to these guys, just a long term satisfied user. And its free (for what I need, anyway).

    1. Darren – thanks for that – will keep this comment handy for future reference. Right now, it looks like ZeroTier snd PiVPN are doing a great job – see updates coming this morning.

  8. Hi Pete, glad to hear you made it to Spain. Since I posted in 2018 Zerotier has been working perfectly between here(Greece) and the UK. After the election result we decided to move out here permanently but keep UK property for now, so actually using Zerotier even more over its 10.x.x.x subnet, inc VNC into various devices. Greece has decided to automatically give an EU biometric residence permit to any british citizens residing here legally before 31/12. You’ve got 5 months left to make the decision! PS in a village in a fairly remote area but we now have 50Mb fibre to the cabinet…. and COSMOTE rolling out fibre to the home in nearby town.

    1. My goal would be to put ZeroTier on My Synology DS214+ but I’ve no idea how to get it on there – if anyone does, please chip in. I have PiVPN but that’s a tad slow. I’m also experimenting with the Synology VPN sever. In the UK I have high speed connectivity (75 Mbps and 20Mbps up) – in Spain 30Mbps down…. uf I use PiVPN I only get 10Mbps here in Spain – which is OK but on the edge for 4K TV, if I use the Synology VPN I get more like 16 Mbps.

      Also my very limited knowledge of ZeroTier puts it as device to device VPN, not overall system VPN. The Synology VPN just took a great leap forward thanks to support from Synology themselves.

      Pete (admin)

      1. zerotier has official packages for synology on his own site, info here: https://github.com/zerotier/ZeroTierNAS/tree/master/Synology

        but you’ll get just your nas in your ZT network… so, a host to host vpn, while what you need is a host to network type, and i don’t know how to do… the destination device, your nas in this example, should act like a router, redirecting stuff to the other devices near the destination device…

        some links, before i loose’em all… the bridging one i think could be useful…:
        https://zerotier.atlassian.net/wiki/spaces/SD/pages/7110693/Overriding+Default+Route+Full+Tunnel+Mode

        https://zerotier.atlassian.net/wiki/spaces/SD/pages/7438339/Layer+2+Bridging+with+LEDE+OpenWRT

        https://www.zerotier.com/manual/#3

        maybe playing with the MANAGED ROUTES zerotier config on its site… no idea, i need to do tests, and you’re the only one in a good setup to test this, having different lan segments on your 2 sites, NEVER change them to have them the same or you will have way more problems (how to decide if a device is local or remote if they’re on the same network range on both sites?)… but i’ve a very unstable network connectivity at the moment, and you’re missing a mango like router on the uk site…

          1. Thankss Craig – this was sitting in spam – off shopping will digest when I get back tonight.

            This gets better by the minute

            Regards

            Pete

            1. No worries – Pete,

              The other thing to think about is to get a router that runs OpenWrt as your main router/firewall and you can then run ZT directly on it

              I am just in the process of doing this with OpnSense firewall and it looks good

              Craig

              1. yup, i told him, but problem is setting it up the uk one while he’s in spain now… if aidan can help, maybe we can try… other good thing Pete has, is that he has different subnets on the 2 sites, so easier to create routes… if it all was standard 192.168.1.x, that could have been a problem, to detect which host is on 1 side and which on the other…

                1. Sounds like he has some internal access to a PC in the UK – maybe setup an outbound temporary solution (such as teamviewer in Host mode). We could then – regardless of config of router access that box through remote control under teamviewer and mess around with configs until it was right. As long as someone has physical access to the property to take a new Router in there and hookup the relevant cables etc.

                  Presumably he currently has access to the live router so could get the config out of that and prepare the barebones new unit offsite until it was ready to install.

                  Not sure how much interest he has – but if he wants a decent router/firewall he could look at one of the QTOM mini PC units – they are great with pfsense or OPNSense – i am just setting up a couple with OPNsense at the moment and can then natively install ZT

                  Craig

                  1. Craig – see updates later this morning – Zerotier has come up trumps along with OpenVPN.

          2. Craig – your lin for device-to-network ZeroTier – along with a little help from Antonio – and all is well. I’m about to update the blog.

            1. No worries Peter – glad i could give back a little !!

              Suggest if you want a rock solid, fast firewall you look at one of the QTOM appliances – they are silent, run all of the major firewall distros (Pfsense, OPNSense, Untangle etc) and have a range of options for whatever speed you need. I am using the Core i5 unit on a gigabit link with no issues and the Celeron unit on my home 100/40 link and it does not break a sweat !

        1. As you know Antonio, Zerotier works – but getting to working with thw Synology didn’t work out.. the Official package solution you mentioned above wasn’t quite that straightforward. Still, other solutions worked – and now I’m about to update the blog.

  9. “The law of unintended consequences, often cited but rarely defined, is that actions of people—and especially of government—always have effects that are unanticipated or unintended.”

    Many thanks for the guidance once again Pete and all your supporters, I recently replaced a very old Raspberry Pi Model B (from the original wait-list pre-order batch) which was very slow serving Node-RED UI pages and such like but worked superbly running Pete’s script, running MQTT at the heart of my IoT and automation.

    Time for some newer and more robust hardware invited a fresh script install on a Pi Model 3 B+ that had become redundant elsewhere. The extra grunt inspired me to put PiHole ad blocker and PIVPN servers on the new SBC. Pete’s blogs once again inspirational.

    The law of unintended consequences…. oh yeah, that!
    I watched with amazement as the hundreds of requests became thousands and PiHole started logging all the blocked requests… from analytics servers on phone app platforms that are banned in our household, then the trail points to analytics servers on “app launchers” used to conceal said banned phone apps… Not the intended purpose of the add blocker AT ALL! I just wanted to block ads !!!

    Just think “Meet the Fockers” and the circle of trust…

    Thanks again Pete and team for a seamless upgrade even if it did push out a few extra grey hairs!

  10. Dear Peter and Antonio,

    Have you tried remote.it ? I am very pleased to use it, super easy installation, no fiddling with a router, port opening etc. A free version is enough for my needs, but maybe in the future will go for the pro as number of devices I am monitoring is spreading around the globe and I moved to NZ 🙂 , Been using it for half a year – no issues at all, very easy to set different ports for MQTT, VNC and SSH.

  11. I’ve been running Mosquitto and Pi-hole on a Pi2 for several years. Now looking to upgrade to The Script…is/can Pi-Hole be installed/integrated with The Script, in particular eliminating HTTP server clashes? Any guidance would be appreciated. If PIVPN, or alternative, is integrated too that would be a bonus.

    1. I didnt integrate opivpn into the script as they are simple to add separately. Could do though as options.

        1. Hi Pete,
          there was a notification on the site several months ago that work was being stopped but then a few months later someone else took up work on it again. These notices appear to have been taken down as I can’t find them now.

        1. I cant speak for it working on a NEW Buster installation but emphatically does work on my UPGRADED Buster installation.

  12. There are a number of things that may be the cause, Debian (in whatever current form) and DNS services are what I’m looking into now.

    The rpi I had running on Raspbian Jessie, ran without any issues at first for a considerable time. I installed that with the install scripts and it ran in one go. Later I also did the same for a friend, on a rpi running Raspbian stretch. That also ran fine initially without any special settings or issues.

    Both instances of openvpn have stopped working, that is, any connection attempt hangs on authentication. No errors, just forever waiting.

    A while ago I upgrade Jessie to Stretch on my rpi and at first I thought that might be the cause, however the one at my friends house already was Stretch. Then, I thought it could be because I changed DNS in the pihole settings from google to cloudflare but going back did not solve anything (restarted everything, pi & modem/router – both pis).

    Off Topic: Currently I am setting up a fresh pi booting from an ssd via usb as the sdcards tend to have flaws after a while. This setup is fine but I run into an issue as I cannot get the d***n thing to use a static IP. I know I am doing this the correct way because I have done this maybe a dozen times already and checking various resources on internet confirm my settings. The only variable that has changed between now and what is used to do is Raspbian so for now I blame that.

    BTW- also off topic; “fresh setup” means download current Raspbian lite, etch to sdcard & ssd, startup, setup the ‘boot from ssd flag’, power down, remove sdcard, power up.

  13. Hi all,

    @Peter: Thanks for a great resource on pi’s and home automation 🙂 New here but wanted to add my 2 cents, hope it’s useful…

    I’ve been using pi3+pihole+pivpn for more than a year now. Worked flawslessly up to some time ago, more on that later. The reason for me was 2 ways. 1. I wanted my kids (and myself) to be able to use the vpn when using public wifi. 2. To access my home network (with just that one port forward).

    I installed pihole on a fresh raspbian install and after that pivpn. Then some tinkering to tell pivpn to use pihole as dns. This way the vpn traffic is also ad-filtered, specifically foor point 2 above. I’m not sure if this https://discourse.pi-hole.net/t/pihole-with-openvpn-the-easy-way-use-pivpn/7912 is the source I used then but it was the 1st as a result on searching pi3 + pivp + pihole and it seems familair 🙂

    I am able to set my pihole as dns in my ISP modem/router so that solves all for my home network. Not sure if other ISP’s allow that.

    Not to tell anybody what to do but I donated to both, well deserved IMO.

    Also, I tried DietPi which has pivpn and pihole as optional installs. It looks great and have tinkered with it a lot but the promises made are not fullfilled, alas. Abandonded that…

    On YouTube https://youtu.be/gyatgrlqFtE is a description on using the pi with openvpn to route traffic through to a public VPN service. I have not tried this yet and also he does not use pivpn but openvpn install. Lots to learn though if you see the trickle of commands he gives 🙂

    Now to the current moment, it all aint workin’ anymore 🙁 At some point, probably after an update, I was no longer able to connect to the pi though pihole is still working. Tried lots of stuff, no success. I am working my way up to starting afresh, but it is a daunting task as I also have a lot of other stuff running on that pi…

    Rgeards,
    Fozzie

    1. Thanks for that info. I’ve not integrated the two yet but the plan is to route everything through PiHole at router level – right now it is optional while I check reliability. Just completed apt-get and npm updates and all is well. I have Voda fast broadband here in the UK and when I’m back in Spain in Spring, I want UK access without paying for a service, may as well have that extra protection as well. The PI is running the heating anyway so it may as well serve that extra function.

    2. Not sure if this is specifically what is stopping your pivpn working but I have had no luck in getting this running despite trying on 2 different pi’s and with fresh installs of raspbuan stretch lite. The first problem is that as pivpn is a script to automate the openvpn install it only handles issues it anticipates. There is a dig command at line 910 that tries to establish your external IP which fails on my setup due to a problem in resolving the openvpn server. The backup call to eth0.me also fails and because the problem is not picked up by the script it will announce that install has completed. .if you check the log it will confirm the problem. Not sure what causes this given it seems to work for others maybe my ISP (virgin) or my router (Netgear). I resolved this issue by changing the dig to point to Google servers rather than openvns and install completes but I still cannot get port forwarding to work which may be a linked problem with the install. Bottom line is if you are installing pivpn check the log and don’t rely on the install successful message.

  14. Ideas guys.. I installed PIHOLE – I have nginx so didnt need a webserver. I told it my DNS is the address of my router as that is the only thing that has the actual dns provider. The admin page is up…. but I’m getting “lost connection to API” across the coloured panels and the dns service is apparently not running. Also the FTL service whatever that is, is not running, so it says.

    1. I ran into the FTL issue as well on my first attempts on an RPI3+Stretch setup.
      Eventually I installed PiHole onto a fresh Debian9 install on a VM and it ran straight away.

        1. i’ll install on same rpi3+ with stretch tomorrow and see how to solve… too tired now to focus on this, out for work for 11 hours…

          p.s.: you can show statistics on oled, too 😉

        2. On second attempt, I told it about Google DnS – made no difference… I’ve sent my install debug log off to them as requested (I joined the pihole forum).

          1. Hi
            just tried on a raspi 3b+ with latest raspbian stretch: flawless victory, no problems at all… i run setup and the only option i deselected was the last one, about logging queries, as searching yesterday evening i’ve found some suggesting this could have been the problem of what’s happening to Peter’s setup… other then this, i installed lighttpd as i ran all of this on the rpi i’m using for docker, so no other services at all, pretty virgin… and don’t think that using an other http server could cause problems, that’s used only for admin interface… os, try rerunning setup deselecting that option, i think this sw is a must and seems to work fine 🙂

            1. Ah, nice one.
              Integrated it in no time in my favourite Home Automation system (Jeedom)
              And I see there are also API functions to enable/disable the service through HTTP calls

              1. Its griping about BC not being found, but installing anyway. Asking me which DNS provider I’m using. The PI is using my router. The router is the only devide that knows the real DNS provider… so I’ve put “custom” and now it wants the address so I guess I’ll put my router address

                1. Ok, admin panel is running, but it says the DNS service s not running.. across the 4 boxes it says lost connection to API…

          1. in the article about pi-hole on orange pi, you’ll find 1 way to use it: by just changing your pc’s DNS to the ip of the pi-hole server… this way you’re not passing all your traffic through the pi-hole server, but just filtering out ads via dns… otherwise you can use the pi-hole server as your gateway, and all traffic will go through it…

      1. it’s very useful for filtering out those banners, ads, malware, too…
        and i think it can work on those boards with just 256mb, too, so finally some use for them…

        but my deviated mind thinks to other stuff when reading “pi hole”, lol

    1. Yes! PiHole! Cannot live w/o PiHole.
      Whenever (rarely) it is down my wife notices it immediately due to the annoying ads suddenly appearing on her tablet.
      Best invention since sliced bread.

      1. “Yes! PiHole! Cannot live w/o PiHole.”
        i can’t stop “double thinking” and laughing reading this 😀
        sorry for my bad mind 😀

        p.s.: in italy we read the “i” as a “ee”… add a “p”… 🙂

    1. Changing the port does not add any security whatsoever, you might as well stay at default setting.
      Within 48 hours of creating DNS records the whole world will know you are running some sort of server. Bots will start scanning port range immediately and will find yours.
      Yes, by changing port you will avoid all stacks from amateurs, but it’s not who you should worry about.
      I’m kind of paranoid (I was hacked twice before) when it comes to server security and here is my solution:
      I run multiple rpi servers in (openwrt as a firewall router, web server, mqtt/nodered, domoticz, vpn client to work network, nas, plex, syslog, openvpn server) each dedicated to do its own task. All of them are On 24/7 except Vpn server which is connected through a relay, controlled by gpio in domoticz, with on/off by telegram bot.
      Any time there is for need remote access to my lan I would send a message to Telegram, wait a minute for Vpn server to start, connect, do what has to be done, shutdown the server.
      Ones cracked Vpn server has unrestricted access to your lan, it should be well secured, but since I don’t posses skills to customize iptables keeping it off is my way of securing it.

        1. That’s another package to install, configure and maintain. Since it’s not part of PiVpn it wouldn’t get any updates automatically and potentially might be broken if pivpn updates a service it depends on.
          Here is my logic, if someone decides to use pivpn script it means they are not fluent in Linux to configure openvpn themself and shouldn’t be messing with any additions.
          I prefer to run pivpn on separate machine to minimize the risk of braking dependencies.
          By the way, what are the use cases for home automation that require Vpn to be on 24/7 ?

            1. Pivpn is just a script to help you write openvpn config files and create certificates. Ones installed it’s using standard repositories for updates, there are no additional packages it depends on.

                1. Thanks for the advise, but I’ll stick with openvpn.
                  Zerotier is the same old Vpn except it requires a third party to run.
                  Unless you have more than 2 sites to connect, there are no benefits of using it

  15. hi peter,

    check softether vpn out! it is great. I have on my NUC at home a softether server docker image and multiple pi clients with softether client on. Works likes a charm!

    oh yeah, KUTGW :p

    Mario

  16. Well that was extremely easy Pete, apart from me assigning port forwarding on the router and forgetting to enable it! Caused a blood pressure F#+@ moment!

  17. Definitely no ports open, I’ve probed our WAN address with various tests. The encrypted tunnel is originated by the local clients at each end, initially to a central Zerotier server. The firewalls see the tunnel setup as originating from the “inside”, so no open ports needed. Also no need for dynamic DNS, as the clients send their WAN addresses during setup. When we changed to fibre broadband in Greece, I was surprised to find the COSMOTE fibre network is all IPv6 up to the router, with 4 in 6 tunnelling – a benefit of being a late adopter, but more hassle to set up dynamic DNS. I can’t give it a full workout until our next visit, will report back.

      1. Yes agreed, but you could say the same about whichever dynamic DNS service you’re using – really don’t want to pay more for static WAN IPs! Testing from a friend’s house in the UK seems fine, I can SSH or web browse to home devices from my laptop using their individual 10.147.1.x addresses. I’ll give it a better try when I go away.

        I was speculating this morning, as it’s effectively layer 2 device-to-remote-device, could I join them both to a second Zerotier network and cause an old-fashioned broadcast storm? I assume Zerotier have some equivalent of spanning-tree protocol built into the clients. (hands up if you remember the days of LAN broadcast storms)

    1. I’ve seen and used a few things like this in the past. Invariably they soon switch to a paid model hoping that the seamless experience will be enough to get the users to start paying. An open source system on your own hardware is going to be more reliable and cheaper in the long run.

    2. How are you getting on with Zerotier? I am a late arrival but think it’s brilliant so far, being able to update a node-red strategy anywhere, anytime, from anywhere and totally secure with NO OPEN PORTS. I just haven’t worked out how to access the dashboard yet. Have you?

    3. I only discovered zerotier a couple of months ago and I find it truly the best. I have several devices on a cellular internet connection and most mobile networks do not support port forwarding, so zerotier for me is the only way.

      1. Hi Chris

        Well, I’ve been happy with PiVPN but recently put ZeroTier on various machines in our two locations – firstly – used on a Synology NAS it is WAY faster than PiVPN on the RPI – which means I can watch iPlayer in Spain without hassle and without losing much speed from my UK location – I am very happy with it, so much so I leave the Android TV box here permanently connected to the UK by ZeroTier.

        Works a treat.

  18. Hi Pete, we live our lives in a similar manner, homes in 2 countries with various RasPis etc online at both ends. We use Nord VPN for iplayer etc, but I really don’t want to leave any router ports open. I’ve been experimenting with the free version of ZeroTier, which creates an encrypted virtual layer 2/3 link across the internet. A bit more complicated to install, but it means each device can have a tunnel address on the same subnet, 10.144.1.0/24 for me. The secure central admin page can add/delete devices as you want. Works fine between home and a mobile device, will report back on distant use in a month or so…..

  19. Very interesting Pete, it might be worth posting the link on the node red forum as well, a LOT of people are having problems with malware due to exposing their instances insecurely to the Internet.

  20. I’m a fan of it as well! It’s nice that you can edit the “client” ovpn file if you need to (if you change a router port, IP, etc). Android and iPad OpenVPN Connect apps work great and I use Tunnelblick on OS X.

Comments are closed.