
help with pihole over openvpn


Andy1932

Senior Member
I'm running stock firmware on an 86U with Pi-hole ad blocking. When I'm home, all works great, but when I'm away on my phone, computer, etc., the ad blocking doesn't work. What do I need to change?

Here's my config.

Router:

I'm using cleanbrowsing adult dns on the WAN/Internet Connection page.
My pihole ip address under LAN/DHCP Server.

(screenshot of the router settings)


Pihole:

(screenshot of the Pi-hole settings)
 
Check the VPN logs for both the client and the server. Look to see what DNS address is being pushed to the client. I suspect the "Advertise DNS to clients" option pushes the router's IP address. You'll need to push the PiHole address in the Custom configuration section of the VPN server.

So for example if your PiHole address was 192.168.1.9 you would set "Advertise DNS to clients" to No and add the following to the configuration:
Code:
push "dhcp-option DNS 192.168.1.9"
 
Thanks. I tried unchecking "Advertise DNS to clients" and putting this into the custom config, but it didn't work.

dhcp-option DNS 192.168.1.60
 
You should be able to see the "PUSH_REQUEST/PUSH_REPLY" message in both the client's and the server's logs when the client connects.
Is this helpful?
Jan 13 13:18:15 vpnserver1[1350]: client/174.193.2.83:43489 PUSH: Received control message: 'PUSH_REQUEST'
Jan 13 13:18:15 vpnserver1[1350]: client/174.193.2.83:43489 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
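An added check, not part of the thread: a small Python script that reads a server log line like the one above and reports whether a "dhcp-option DNS" entry is in the PUSH_REPLY, and that tells a bare "dhcp-option DNS" line in the server's custom config apart from the push "..." form. The sample log line is the one quoted above; the Pi-hole address 192.168.1.60 is taken from the earlier post.

```python
import re

# Constructed sample: the server-side PUSH_REPLY line quoted in this thread.
# It pushes routes and redirect-gateway but no "dhcp-option DNS".
SAMPLE_PUSH_REPLY = (
    "Jan 13 13:18:15 vpnserver1[1350]: client/174.193.2.83:43489 SENT CONTROL [client]: "
    "'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,"
    "route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,"
    "peer-id 0,cipher AES-256-GCM' (status=1)"
)
PUSH_REPLY_RE = re.compile(r"'PUSH_REPLY,(?P<opts>[^']*)'")
DNS_OPT_RE = re.compile(r"^dhcp-option\s+DNS\s+(\S+)$")
# In the server's custom config only the push "..." form is sent to clients;
# a bare dhcp-option line is a local setting and never reaches them.
PUSHED_DNS_RE = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"\s*$', re.M)
BARE_DNS_RE = re.compile(r"^\s*dhcp-option\s+DNS\s+(\S+)\s*$", re.M)

def pushed_options(log_line):
    """Split a PUSH_REPLY log line into its options; None if it is not one."""
    m = PUSH_REPLY_RE.search(log_line)
    if m is None:
        return None
    return [o.strip() for o in m.group("opts").split(",") if o.strip()]

def pushed_dns(log_line):
    """Addresses handed to the client via 'dhcp-option DNS', in push order."""
    matches = (DNS_OPT_RE.match(o) for o in pushed_options(log_line) or [])
    return [m.group(1) for m in matches if m]

def diagnose(log_line, pihole_ip):
    """Verdict on whether the Pi-hole is the resolver the client will use."""
    opts = pushed_options(log_line)
    if opts is None:
        return "not a PUSH_REPLY line"
    dns = pushed_dns(log_line)
    if pihole_ip in dns:
        return "ok: Pi-hole pushed as DNS"
    if not dns:
        mode = "full tunnel" if any(o.startswith("redirect-gateway") for o in opts) else "split tunnel"
        return "no DNS pushed (%s): client keeps its own resolver, so the Pi-hole is not used" % mode
    return "other DNS pushed: " + ", ".join(dns)

def check_custom_config(text):
    """Classify dhcp-option DNS lines in a server custom config as pushed or not."""
    return {"pushed": PUSHED_DNS_RE.findall(text), "not_pushed": BARE_DNS_RE.findall(text)}
```

Run it against each PUSH_REPLY line in the server log after a client connects; a line with no "dhcp-option DNS" means the client is resolving through whatever its own network handed it.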
 
Check the VPN logs for both the client and the server. Look to see what DNS address is being pushed to the client. I suspect the "Advertise DNS to clients" option pushes the router's IP address. You'll need to push the PiHole address in the Custom configuration section of the VPN server.

So for example if your PiHole address was 192.168.1.9 you would set "Advertise DNS to clients" to No and add the following to the configuration:
Code:
push "dhcp-option DNS 192.168.1.9"
I didn't see this edit. Let me try...



EDIT—It worked! Thanks!
 
My post #3 that didn't work:


Your post #2 that did work:


:)
That makes no sense. The address in my post #2 was (as I stated) just an example because you didn't say what your PiHole's address was.

I can't see how you would now have a functional DNS if you're directing the client to a fictitious IP address that (presumably) isn't even running a DNS server.
 
Code:
# Redirect all DNS (port 53, UDP and TCP) arriving from VPN clients on tun21 to the Pi-hole.
# Replace 192.168.1.14 with your Pi-hole's address. Queries from or to the Pi-hole itself are excluded.
# The -D lines remove any existing copy of each rule first, so the block can be rerun without duplicates.
iptables -t nat -D PREROUTING -i tun21 -p udp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14 2>/dev/null
iptables -t nat -D PREROUTING -i tun21 -p tcp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14 2>/dev/null
iptables -t nat -A PREROUTING -i tun21 -p udp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14
iptables -t nat -A PREROUTING -i tun21 -p tcp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14

# The same rules for the second VPN server instance (tun22).
iptables -t nat -D PREROUTING -i tun22 -p udp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14 2>/dev/null
iptables -t nat -D PREROUTING -i tun22 -p tcp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14 2>/dev/null
iptables -t nat -A PREROUTING -i tun22 -p udp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14
iptables -t nat -A PREROUTING -i tun22 -p tcp ! --source 192.168.1.14 ! --destination 192.168.1.14 --dport 53 -j DNAT --to 192.168.1.14
There are always good ol' fashioned iptables rules, where you would replace 192.168.1.14 with whatever your Pi-hole's IP is. BTW, this is what I use; with this I don't even need to push custom DNS options, I can just leave the VPN server at its default settings. It will also work with whatever tun interface you specify. The only downside is that, since you are on stock, it would have to be rerun after each reboot.
 
