Solved VPN server + pihole connected to a VPN Client with policy rules, is it possible?


SanPe

With the help of @xtv I found what I did wrong. But my issue is still not solved :(

Original post title: Pihole + VPN, what do I do wrong?

Hi,

I have a device running unbound+pihole (on 192.168.0.11).
I set up my router - AC86U running latest stable merlin (on 192.168.0.1) - according to this post by dave14305 http://www.snbforums.com/threads/me...ccurate-device-names-how-to.69096/post-649388
Everything is working great.

But I want to use my pihole as my DNS on my android phone. So, I set up a VPN server on the router and I'm running into an issue I cannot understand...
If I advertise DNS to clients, or if I include push "dhcp-option dns 192.168.0.11" in the custom config field, pihole is answering requests but I cannot access the pihole GUI (nor ssh to the server or access any other services I host on this machine); still I can access any other local machine.

Of course, if I stop advertising DNS to clients, everything is working fine except that pihole is not answering DNS requests...

What did I do wrong guys?

Thanks for your help!

Edit: screenshots

xtv

> Hi,
>
> I have a device running unbound+pihole (on 192.168.0.11).
> I set up my router - AC86U running latest stable merlin (on 192.168.0.1) - according to this post by dave14305 http://www.snbforums.com/threads/me...ccurate-device-names-how-to.69096/post-649388
> Everything is working great.
>
> But I want to use my pihole as my DNS on my android phone. So, I set up a VPN server on the router and I'm running into an issue I cannot understand...
> If I advertise DNS to clients, or if I include push "dhcp-option dns 192.168.0.11" in the custom config field, pihole is answering requests but I cannot access the pihole GUI (nor ssh to the server or access any other services I host on this machine); still I can access any other local machine.
>
> Of course, if I stop advertising DNS to clients, everything is working fine except that pihole is not answering DNS requests...
>
> What did I do wrong guys?
>
> Thanks for your help!
>
> Edit: screenshots

One thing that is wrong is in the general DNS configuration.
I see that you set 2 WAN DNS servers (upstream servers): one is external, and one is internal.
This is wrong since the 2 DNS servers will be queried either in round robin, or depending on the volume of queries, or by some other logic to optimize response time. However, this means that you don't know which one will respond. If you want to put the internal DNS there, unless you have 2 internal DNS servers (one primary/master and one secondary/slave), you should only put one DNS address (in your case the pi-hole). Otherwise, if you want to use external DNS you can put e.g. 8.8.8.8 and 8.8.4.4 (just an example with Google primary and secondary DNS), but do not mix internal and external.

Concerning pi-hole answering DNS requests (since it seems all other hosts are working properly), I would double check the Pi-hole host firewall configuration and ssh / apache configuration. It might be configured to allow ssh access only from the local network (the "ontheroad" clients are NOT in the local network). Same goes for apache/pi-hole.
Also check the routing table of your pi-hole. Assuming that pi-hole has a static address, that would mean it might not know the route to your "ontheroad" network (however this would be weird since you say the pi-hole DNS is responding).
 

SanPe

> One thing that is wrong is in the general DNS configuration.
> I see that you set 2 WAN DNS servers (upstream servers): one is external, and one is internal.
> This is wrong since the 2 DNS servers will be queried either in round robin, or depending on the volume of queries, or by some other logic to optimize response time. However, this means that you don't know which one will respond. If you want to put the internal DNS there, unless you have 2 internal DNS servers (one primary/master and one secondary/slave), you should only put one DNS address (in your case the pi-hole). Otherwise, if you want to use external DNS you can put e.g. 8.8.8.8 and 8.8.4.4 (just an example with Google primary and secondary DNS), but do not mix internal and external.

Well, that's why I added the config to dnsmasq according to @dave14305's post...
I thought it was meant to prevent that.

> Concerning pi-hole answering DNS requests (since it seems all other hosts are working properly), I would double check the Pi-hole host firewall configuration and ssh / apache configuration. It might be configured to allow ssh access only from the local network (the "ontheroad" clients are NOT in the local network). Same goes for apache/pi-hole.
> Also check the routing table of your pi-hole. Assuming that pi-hole has a static address, that would mean it might not know the route to your "ontheroad" network (however this would be weird since you say the pi-hole DNS is responding).

I'll check the firewall and keep you informed.
 

xtv

> Well, that's why I added the config to dnsmasq according to @dave14305's post...
> I thought it was meant to prevent that.

The issue here is that when you configure multiple DNS servers, when you try to resolve an address you don't know which server will be used.
When you need to resolve a local address you can have 2 different scenarios:
  • if by chance the query is forwarded to the local DNS server you will be lucky and you will get the local IP (and the result will be cached for a while, thus, apparently, the DNS setup will be working correctly - until the TTL in the cache expires),
  • however, if the query is forwarded to the public DNS the answer will be something like "unknown" (and depending on the configuration of the DNS on the router this negative answer could be cached or not).

> I'll check the firewall and keep you informed.

Don't limit your check to the Firewall, since in some applications it's possible to set in their configurations a limitation to what addresses are allowed to use the service.
E.g.:
Apache config:
# With "Order Deny,Allow" the Allow directive overrides the Deny, so only the LAN gets in
<Directory /var/www/html>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.0/24
</Directory>

The very first thing to do is to check if you can "ping" your Pihole via IP address from an "ontheroad" vpn client. (e.g.: "ping 192.168.0.11")
If that works it means that routing should be ok.
Then ping using the name (e.g. "ping pi-hole.your_local_domain"). If this also works, the DNS should work as well.
If the DNS doesn't work or you want to try to do some more tests on dns, try to do some queries with "dig" (e.g. "dig pi-hole.your_local_domain" or "dig -x 192.168.0.11" to get the reverse address - this last one works only if you have configured reverse addresses - however I'm not sure about how to do that in pi-hole, I prefer to use bind9 to serve my local network).
 

SanPe

Ok, I changed the configuration. And I still have the same issue: DNS queries answered, I can ping my other devices (router, desktop, etc.), but the device running pihole doesn't answer to ping, I cannot ssh to it, and every service hosted on it is unreachable.
As soon as I stop advertising the DNS to clients on the VPN server, the pihole stops answering DNS queries, but I can ping it...

I don't know what to do :confused:

Here's my DHCP:
DHCP.jpg

DietPi is Pihole+unbound

DNSFilter:
DNSFilter.jpg


WAN Settings:
WAN.jpg

And VPN Server:
VPNServer.png
 

xtv

> Ok, I changed the configuration. And I still have the same issue: DNS queries answered, I can ping my other devices (router, desktop, etc.), but the device running pihole doesn't answer to ping, I cannot ssh to it, and every service hosted on it is unreachable.
> As soon as I stop advertising the DNS to clients on the VPN server, the pihole stops answering DNS queries, but I can ping it...

Hmm... by any chance, does the pi-hole run on a static address while the other devices IPs are assigned by the router?

It could be a routing-table problem on the pi-hole, which does not know how to reach the vpn-clients network (the subnet 10.8.0.0/24), or even the routing on the router (but this should be configured automatically when configuring the VPN via the interface).

Can you traceroute to the pihole from a vpn-client and/or vice-versa?

E.g.:
=> from pihole (assuming that your client got address 10.8.0.1)
Bash:
traceroute 10.8.0.1
=> from client
Bash:
traceroute 192.168.0.11

On the pihole you can print the routing table running the following command without parameters:
Bash:
route
 

SanPe

Damn.

I found it thanks to traceroute...
There's something else I forgot about. The device running pihole is behind a vpn itself...
The router is connected to a VPN server and the internet traffic is forced through the tunnel for this device with policy rules. If I deactivate the VPN client connected to the router, everything is working fine...

I feel stupid.

But, is there a workaround to access my server, and still have its internet traffic forced through the VPN?
 

xtv

> Damn.
>
> I found it thanks to traceroute...
> There's something else I forgot about. The device running pihole is behind a vpn itself...
> The router is connected to a VPN server and the internet traffic is forced through the tunnel for this device with policy rules. If I deactivate the VPN client connected to the router, everything is working fine...
>
> I feel stupid.
>
> But, is there a workaround to access my server, and still have its internet traffic forced through the VPN?

Excellent. Networking is made of a lot of small pieces that need to work with each other, so it's never trivial... ;)

Concerning the access to the "server" (what server exactly, the RPi?), depends on what subnet the server is in and how the connection is made.
Your network topology is not very clear to me at the moment.

So far I've understood this:
  • router
    • local net 192.168.0.0 - 192.168.0.0/24
    • WAN 192.168.1.10 - 192.168.1.0/24
    • default gw 192.168.1.1
    • VPN server 10.8.0.0 - 10.8.0.0/24
  • Pihole server 192.168.0.11 - connected to the local network (or not...)
So there is also a VPN client on the router?
How is the PiHole connected through a VPN on a subnet that is the same as the local network? Is it a bridged network?
 

SanPe

First of all, thanks for the help :)
Let me try to be as clear as possible:
  • router
    • local net 192.168.0.1 - 192.168.0.0/24
    • WAN 192.168.1.10 - 192.168.1.0/24
    • default gw 192.168.1.1 (that's my modem, Router is the only device connected, and is in DMZ)
    • VPN server 10.8.0.0 - 10.8.0.0/24
    • Also connected to a VPN server (ProtonVPN)
  • Pihole server
    • Rock64 headless server on DietPi (debian)
    • Running some services I use for self-hosted solutions (banking, music streaming...)
    • 192.168.0.11
    • Connected to the router via ethernet, connected to the LAN
    • Traffic is redirected through the VPN tunnel by the router (policy rules)
Here's a screenshot for the VPN client:
Screenshot_2021-04-11 ASUS Wireless Router RT-AC86U - OpenVPN Client Settings.png


> But, is there a workaround to access my server, and still have its internet traffic forced through the VPN?

Let me rephrase that:
Is it possible for the router to reply to connected VPN clients (10.8.0.X) that 192.168.0.11 = 192.168.0.11, despite the fact that 192.168.0.11 is connected to a third-party VPN server with policy rules enabled on the router?

xtv

> First of all, thanks for the help :)
> Let me try to be as clear as possible:
>   • router
>     • local net 192.168.0.0 - 192.168.0.0/24
>     • WAN 192.168.1.10 - 192.168.1.0/24
>     • default gw 192.168.1.1 (that's my modem, Router is the only device connected, and is in DMZ)
>     • VPN server 10.8.0.0 - 10.8.0.0/24
>     • Also connected to a VPN server (ProtonVPN)
>   • Pihole server
>     • Rock64 headless server on DietPi (debian)
>     • Running some services I use for self-hosted solutions (banking, music streaming...)
>     • 192.168.0.11
>     • Connected to the router via ethernet, connected to the LAN
>     • Traffic is redirected through the VPN tunnel by the router (policy rules)
> Here's a screenshot for the VPN client:
>
> Let me rephrase that:
> Is it possible for the router to reply to connected VPN clients (10.8.0.X) that 192.168.0.11 = 192.168.0.11, despite the fact that 192.168.0.11 is connected to a third-party VPN server with policy rules enabled on the router?

Ahh, now it's clearer.

Actually VPN clients should already send packets for 192.168.0.11 toward the router (which should route them correctly - you say that other devices are responding). I suppose the issue is on the routing tables that are pushing back the packets from 192.168.0.11 toward the subnet 10.8.0.0/24.

I'm afraid that the issue is in the limited configuration allowed by the interface: there you can only say "forward all non-local traffic to VPN", which also includes traffic toward 10.8.0.0/24 (that is not the local network).

If this is the case, it gets tricky since it's not possible to specify that kind of configuration from the UI and it seems that adding the Force Internet traffic through tunnel doesn't take into account other networks (e.g.: the "ontheroad" VPN net).

This is not a simple network setup ;)

What comes to my mind is to avoid using the Force Internet traffic through tunnel option and to setup the firewall on the router to perform the required routing... however it's not possible to do that in a simple way from the UI...

You could try to skip direct VPN "Force Internet traffic" and to use x3mRouting (see documentation) which should allow to define selective routing by client.
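To make the traceroute/route diagnosis and the routing hypothesis in the posts above concrete, here is an added Python model of Linux-style policy routing (illustrative code written for this thread, not anything from the forum or from the router firmware). The table contents, interface names (br0, tun11, tun21, eth0), rule priorities and the client address 10.8.0.2 are constructed assumptions; the model shows why a reply from 192.168.0.11 to an "ontheroad" client can be pushed into the third-party tunnel, and what a per-destination exception of the kind xtv mentions would change.

```python
import ipaddress

# Constructed model of the thread's topology (not read from a real router):
# br0 = LAN, tun21 = OpenVPN server (road-warrior clients in 10.8.0.0/24),
# tun11 = OpenVPN client to the third-party VPN, eth0 = WAN. Table and
# interface names are assumptions made only for this illustration.
TABLES = {
    "main": [("192.168.0.0/24", "br0"), ("10.8.0.0/24", "tun21"),
             ("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")],
    # VPN-client table: LAN stays local, everything else enters the tunnel,
    # which is what "Force Internet traffic through tunnel" amounts to.
    "ovpnc1": [("192.168.0.0/24", "br0"), ("0.0.0.0/0", "tun11")],
}

# Policy rules: (priority, source selector, destination selector, table).
# None matches anything; lower priority numbers are evaluated first.
RULES_FORCED = [
    (100, "192.168.0.11/32", None, "ovpnc1"),  # pi-hole forced into the tunnel
    (32766, None, None, "main"),
]
# Same rules plus the exception the router UI cannot express: pi-hole traffic
# for the VPN-server subnet is looked up in the main table first.
RULES_WITH_EXCEPTION = [(50, "192.168.0.11/32", "10.8.0.0/24", "main")] + RULES_FORCED


def lookup(table, dst):
    """Longest-prefix match inside one table; returns the egress interface or None."""
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules, src, dst):
    """Linux-style policy routing: walk the rules by priority and use the first
    matching rule whose table actually holds a route for dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, src_sel, dst_sel, table in sorted(rules, key=lambda r: r[0]):
        if src_sel and src not in ipaddress.ip_network(src_sel):
            continue
        if dst_sel and dst not in ipaddress.ip_network(dst_sel):
            continue
        dev = lookup(TABLES[table], dst)
        if dev:
            return dev
    return None
```

With RULES_FORCED the pi-hole's reply to 10.8.0.2 leaves via tun11 (the third-party tunnel) while the router itself still reaches 10.8.0.2 via tun21, which is the asymmetric path traceroute would reveal; with RULES_WITH_EXCEPTION the reply goes back out tun21 and internet-bound traffic still uses tun11.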
 

SanPe

> You could try to skip direct VPN "Force Internet traffic" and to use x3mRouting (see documentation) which should allow to define selective routing by client.
> ...

My god...
I took a look at that. It's incredibly complex to me :eek:

I don't understand at all what I am doing!

That leaves me with two options:
  • Read a bunch of stuff just to understand what exactly this addon does
  • Install pihole on another machine, only for my VPN clients
I'll try a little bit of both.

Thanks @xtv :)
 

SanPe

Damn.

I did it. It was as simple as selecting "disabled" with "Accept DNS configuration" on VPN client :oops:

Everything is working fine. I'll have to run some more tests, but I think it's solved.