Asus VPN server and Pi-hole

eastavin

Senior Member
Hi. A friend with next to no networking experience has configured his asus-pro ax86u router to use Pihole for ad-blocking, DNS (unbound) and DHCP. I said congratulations. Amazing what you can learn at YouTube college. As far as I can tell everything works OK when I am using a PC on his LAN. The Pi-hole is at 192.168.3.50. This has been assigned on the WAN page for DNS and the DHCP on the router turned off. He now wants to access his router remotely, so he configured WireGuard using the default settings and scanned the code with his Android smartphone. At this point he finds he can surf the net and log into his router at x.x.3.1. However, he is also running a server with Proxmox and wants to be able to access the admin page. I can access it from the PC on the LAN just fine. The internal address for this is something like proxmox.myurl.online. However, when he goes there from the web using WireGuard he gets a 403. I have never used Pihole or Proxmox and so my ability to advise is nonexistent.

I am suspecting the issue might be with the WireGuard config that has defaulted to a DNS of 10.6.0.1. Literature I scanned suggests this needs to be set to the Pihole at 192.168.3.50. Don't know if this is correct advice or not. Exporting the conf file from the router and editing the config for the smartphone results in the same issue, 403.

I tried openVPN server with advertise DNS to clients YES. Also no go. Tried NO, no go. Tried setting the DNS on the openVPN client for Android under IP and DNS to 192.168.3.50 and got worse results than wireguard. The browser just freezes.

So either I am missing something basic (very likely) on the router or the client settings, or the issue is elsewhere, as in Pihole. Can anyone suggest if the WireGuard or OpenVPN needs anything other than the default settings? And does this also depend on a matching setting of some kind in Pihole? If one needs to put the IP address of a WireGuard client into Pihole, what would that be looking from Pihole out? 10.6.0.2/32 as in the default config WireGuard spits out? One setting giving permission to all WireGuard clients would be preferable in my thoughts so we don't have to repeat this. If you think OpenVPN is easier to make work... good with that too.

Many thanks for any hints.

Ed
 
One may have to configure their proxmox server to allow for connections from other IP address subnets if the proxmox server (or the server's firewall) is configured to block IP address access other than those from its own IP address subnet range.

For the Asus router OpenVPN server and Wireguard server, you will likely need to add the Pi-Hole IP address to the VPN server configuration. The following settings seem to work for my RT-AX86U Pro 3006.102.5 firmware VPN server setup. Remember to apply/save the changes.

OpenVPN Server Settings Example:
Client will use VPN to access: Both
Advertise DNS to clients: No
Custom Configuration field: push "dhcp-option DNS 192.168.50.100"
(change the IP address 192.168.50.100 to match your PiHole device IP address)

WireGuard VPN Server Settings Example:
Access Intranet: Enabled
Allow DNS: Enabled
Edit the WireGuard Tunnel configuration on the client device to include the PiHole DNS server in the configuration's Interface section. Example:
Code:
[Interface]
PrivateKey = <redacted - do not change>
Address = 10.6.0.2/32
DNS = 192.168.50.100

On the PiHole one will likely have to configure the System > Settings > DNS Settings > Interface Settings to Respond only on interface xxx. Where xxx is the interface used by the PiHole for local network connection (ex: eth0 or wlan0). If one leaves Pi-Hole configured for Allow local requests only that causes the PiHole to only respond to requests from the same IP subnet as the PiHole device's IP address and not from other IP address subnet ranges.

As the PiHole Interface section indicates, using the Respond only on interface option is potentially dangerous if the PiHole is not properly firewalled by the network router/gateway. So ensure the PiHole is properly firewalled from the internet before making a change to the Interface Setting section.
 
One other side question where does the current default wireguard DNS setting point to? It says DNS=10.6.0.1 but I am unaware of what is there? With this setting things on the web do get resolved.
 
One other side question where does the current default wireguard DNS setting point to? It says DNS=10.6.0.1 but I am unaware of what is there? With this setting things on the web do get resolved.
If you want to use Pi-Hole on Wireguard, change the DNS from 10.6.0.1 to whatever the IP address is of your Pi-Hole device, then test if it works to block ads. As indicated in my post above, I had to manually edit the Wireguard configuration on the client side to add the IP address of my Pi-Hole to the Wireguard configuration file. PS: The 10.6.0.1 address is pointing to the Wireguard server itself where it gets handled by the Wireguard server service.
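
An added example, not part of the thread or of any poster's reply: a small Python check for the client-side edit described in the two replies above (changing `DNS` in the `[Interface]` section from 10.6.0.1 to the Pi-hole address). It also checks that the Pi-hole address is covered by the peer's `AllowedIPs`, since otherwise queries to it would not travel through the tunnel. The sample config, its `AllowedIPs` and `Endpoint` values, and the function name `check_client_dns` are constructed for illustration; 192.168.3.50 is the Pi-hole address from the first post.

```python
import configparser
import ipaddress

# Constructed sample: a client config still carrying the default DNS of 10.6.0.1.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <redacted>
Address = 10.6.0.2/32
DNS = 10.6.0.1

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.6.0.0/24, 192.168.3.0/24
Endpoint = vpn.example.invalid:51820
"""

def _split(value):
    """Split a comma-separated config value into trimmed, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_client_dns(conf_text, pihole_ip):
    """Report whether a WireGuard client config resolves through the Pi-hole."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)  # configparser lower-cases option names
    pihole = ipaddress.ip_address(pihole_ip)

    dns_servers = []
    for entry in _split(cp.get("Interface", "dns", fallback="")):
        try:
            dns_servers.append(ipaddress.ip_address(entry))
        except ValueError:
            pass  # a DNS line may also list search domains; skip them

    allowed = [ipaddress.ip_network(n, strict=False)
               for n in _split(cp.get("Peer", "allowedips", fallback=""))]

    return {
        "dns_servers": [str(d) for d in dns_servers],
        "uses_pihole": pihole in dns_servers,
        # If no AllowedIPs entry covers the Pi-hole, queries to it bypass the tunnel.
        "pihole_routed": any(pihole in net for net in allowed),
    }

if __name__ == "__main__":
    print(check_client_dns(SAMPLE_CONF, "192.168.3.50"))
```
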
 
