Allow "external" IPs to access Pi-hole DNS

Hi!

I have a Wireguard VPN overlay/LAN type of network running with a subnet 10.120.120.0/24. This subnet is called vpn.lan.

Within this VPN-"LAN" there are numerous VPSes where each VPS has its own VPN IP. This LAN and its IPs are not part of the Pi-hole/dnsmasq settings.

Question: what do I configure to make Pi-hole respond to DNS requests from these IPs?

Are DNS requests from that VPN routed to the machine hosting your Pi-hole?
How?


Yes - correct.

Those DNS requests are coming in via the VPN router.

Pi-hole is not responding to these requests. At least that is what the message (kind of) tells me: ignoring query from non-local network 10.120.120.14 (logged only once).

Yes, but how?

Does your router terminate the connection to your clients and forward DNS requests to Pi-hole from its own IP, or simply source nat the packets, replacing source IPs with its own, or does it simply forward packets to your Pi-hole host's IP? Or is your Pi-hole host a first class VPN citizen as well?


I see you've edited your message:

That may suggest that your Pi-hole host does not have a VPN range IP.
In that case, you'd have to switch Pi-hole's Interface settings to Permit all origins via Settings | DNS.


Correct on all counts.

The VPNs are terminated on the respective VPSes and router - no NAT involved.

DNS requests are sent to Pi-hole directly (via the VPN router).

Is there another way? Other than permit all origins? For example, something that permits only the specific subnet?

Obviously, they are not, or else the requests would register in Pi-hole under your router's IP.

If you can guarantee that VPN DNS requests would always arrive on a specific network interface of your Pi-hole host machine, you could also switch to Bind only to interface xxxn.
As that may not work if Pi-hole is hosted in some kind of virtualisation environment, it's usually easier to use Permit all origins.

Note that Pi-hole's Interface settings handle the network interfaces that Pi-hole should monitor to receive requests from.

Traffic filtering by source IP would be a firewall's job, hence the warning in Pi-hole's UI:

These options are dangerous on devices directly connected to the Internet such as cloud instances and are only safe if your Pi-hole is properly firewalled.
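As an added illustration of the points made in this thread (this is example code written for this page, not Pi-hole's or dnsmasq's own code), the script below models the three interface modes discussed above and shows why a query from 10.120.120.14 is dropped as "non-local" when the Pi-hole host has no address in the VPN range, then renders the nftables allow-list that would do the source-IP filtering the UI warning refers to. The interface names (eth0, wg0), the host addresses and the subnets are constructed sample values, and the mode model is a simplification of dnsmasq's `local-service` / `bind-interfaces` behaviour, not a copy of it.

```python
"""Model of Pi-hole interface modes plus a matching firewall allow-list.

Example code for this thread, not Pi-hole or dnsmasq code. The modes are
modelled with the ipaddress module; interface names and addresses are
constructed sample values.
"""
import ipaddress

# Constructed sample host: one LAN address on eth0, nothing in 10.120.120.0/24.
HOST_INTERFACES = {
    "eth0": ["192.168.1.10/24"],
    "lo": ["127.0.0.1/8"],
}

LOCAL_ONLY = "local-only"          # "Allow only local requests" (dnsmasq local-service)
BIND_INTERFACE = "bind-interface"  # "Bind only to interface xxx"
PERMIT_ALL = "permit-all"          # "Permit all origins"


def query_accepted(src_ip, arrived_on, mode, interfaces=None, bound_iface=None):
    """Return (accepted, reason) for a DNS query under the given interface mode.

    local-only: the source must fall inside the subnet of one of the host's
    own interface addresses; anything else is the "non-local network" case.
    bind-interface: accepted only if the packet arrived on the bound interface;
    the source address itself is not checked.
    permit-all: everything is accepted, so filtering is left to the firewall.
    """
    interfaces = HOST_INTERFACES if interfaces is None else interfaces
    src = ipaddress.ip_address(src_ip)
    if mode == PERMIT_ALL:
        return True, "permit all origins: accepted, firewall must filter"
    if mode == BIND_INTERFACE:
        if arrived_on == bound_iface:
            return True, f"arrived on bound interface {bound_iface}"
        return False, f"arrived on {arrived_on}, not bound interface {bound_iface}"
    if mode == LOCAL_ONLY:
        for name, addrs in interfaces.items():
            for cidr in addrs:
                net = ipaddress.ip_interface(cidr).network
                if src in net:
                    return True, f"{src} is local to {name} ({net})"
        return False, f"ignoring query from non-local network {src}"
    raise ValueError(f"unknown mode {mode!r}")


def nft_dns_allowlist(allowed_subnets, table="inet filter", chain="input"):
    """Render nftables rules that accept DNS (udp+tcp/53) only from allowed_subnets.

    Written for this example with a default-drop input chain; adapt the table
    and chain names to the host's existing ruleset before loading it.
    """
    nets = ", ".join(str(ipaddress.ip_network(s)) for s in allowed_subnets)
    return "\n".join([
        f"table {table} {{",
        f"  chain {chain} {{",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    ip saddr {{ {nets} }} udp dport 53 accept",
        f"    ip saddr {{ {nets} }} tcp dport 53 accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    vpn_client = "10.120.120.14"
    for mode, extra in ((LOCAL_ONLY, {}), (BIND_INTERFACE, {"bound_iface": "eth0"}),
                        (PERMIT_ALL, {})):
        ok, why = query_accepted(vpn_client, "eth0", mode, **extra)
        print(f"{mode:15} {'accept' if ok else 'drop':7} {why}")
    # Giving the host its own VPN address makes the client local again.
    vpn_host = dict(HOST_INTERFACES, wg0=["10.120.120.1/24"])
    print(query_accepted(vpn_client, "wg0", LOCAL_ONLY, interfaces=vpn_host))
    print(nft_dns_allowlist(["10.120.120.0/24", "192.168.1.0/24"]))
```

Running it shows the same outcome the thread describes: in local-only mode 10.120.120.14 is dropped because no host interface sits in 10.120.120.0/24, while adding a wg0 address in that range (i.e. making the host "a first class VPN citizen") makes it local again. With Permit all origins the query is always accepted, which is exactly why the firewall allow-list, not Pi-hole, has to restrict port 53 to the VPN and LAN subnets.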
