I've been following the wiki for installing Pi-hole alongside OpenVPN in dual operation and I find it rather confusing. Anyway, after following the instructions ad blocking works on the LAN, but not via the VPN. When I connect through the VPN I can see Pi-hole is correctly receiving and answering DNS requests, but I can't load any webpage (Chrome gives the error ERR_NAME_NOT_RESOLVED). I've also tried pihole -a -i all but with no luck.
Pi-hole machine has IP address 192.168.100.6 (static)
This is my server.conf:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.100.0 255.255.255.0"
#push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 192.168.100.6"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
crl-verify crl.pem
This is the log when I connect a client to the OpenVPN server:
16:41:24.218 -- ----- OpenVPN Start -----
16:41:24.219 -- EVENT: CORE_THREAD_ACTIVE trans=TO_DISCONNECTED
16:41:24.223 -- OpenVPN core 3.git::728733ae:Release android arm64 64-bit PT_PROXY built on Aug 14 2019 14:13:26
16:41:24.224 -- Frame=512/2048/512 mssfix-ctrl=1250
16:41:24.230 -- UNUSED OPTIONS
3 [sndbuf] [0]
4 [rcvbuf] [0]
6 [resolv-retry] [infinite]
7 [nobind]
8 [persist-key]
9 [persist-tun]
13 [block-outside-dns]
15 [verb] [3]
16:41:24.231 -- EVENT: RESOLVE trans=TO_DISCONNECTED
16:41:24.716 -- Contacting REDACTED:1194 via UDP
16:41:24.717 -- EVENT: WAIT trans=TO_DISCONNECTED
16:41:24.731 -- Connecting to [REDACTED]:1194 (REDACTED) via UDPv4
16:41:24.809 -- EVENT: CONNECTING trans=TO_DISCONNECTED
16:41:24.812 -- Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
16:41:24.814 -- Creds: UsernameEmpty/PasswordEmpty
16:41:24.814 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.git::728733ae:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
16:41:24.933 -- VERIFY OK : depth=1
cert. version : 3
serial number : REDACTED
issuer name : CN=ChangeMe
subject name : CN=ChangeMe
issued on : 2019-08-26 18:37:56
expires on : 2029-08-23 18:37:56
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
16:41:24.945 -- VERIFY OK : depth=0
cert. version : 3
serial number : REDACTED
issuer name : CN=ChangeMe
subject name : CN=server
issued on : 2019-08-26 18:37:59
expires on : 2029-08-23 18:37:59
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
16:41:25.267 -- SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
16:41:25.269 -- Session is ACTIVE
16:41:25.272 -- EVENT: GET_CONFIG trans=TO_DISCONNECTED
16:41:25.281 -- Sending PUSH_REQUEST to server...
16:41:25.344 -- OPTIONS:
0 [redirect-gateway] [def1] [bypass-dhcp]
1 [route] [192.168.100.0] [255.255.255.0]
2 [dhcp-option] [DNS] [192.168.100.6]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [10]
6 [ping-restart] [120]
7 [ifconfig] [10.8.0.2] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]
16:41:25.345 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA512
compress: NONE
peer ID: 0
16:41:25.347 -- EVENT: ASSIGN_IP trans=TO_DISCONNECTED
16:41:25.394 -- Connected via tun
16:41:25.395 -- EVENT: CONNECTED info='REDACTED:1194 (REDACTED) via /UDPv4 on tun/10.8.0.2/ gw=[10.8.0.1/]'
I can confirm that Pi-hole is indeed replying to the client by looking at pihole -t:
16:45:12 dnsmasq[1163]: query[A] www.trenitalia.com from 10.8.0.2
16:45:12 dnsmasq[1163]: forwarded www.trenitalia.com to 8.8.8.8
16:45:12 dnsmasq[1163]: reply www.trenitalia.com is <CNAME>
16:45:12 dnsmasq[1163]: reply trenitalia.com.edgekey.net is <CNAME>
16:45:12 dnsmasq[1163]: reply e17136.b.akamaiedge.net is 104.83.136.153
I believe something is wrong with my server.conf, but I can't figure out what. Thanks in advance!
From the looks of it, the OpenVPN server DHCP service is working as expected. It should work based on what I see there, unless your Pi-hole is not properly set up or it's not on the same machine.
If it's not on the same machine (192.168.100.6), then you definitely have IPTABLES related errors.
They are on the same machine. Do you suggest reinstalling everything? I'm using an SBC specifically for Pi-hole, so even wiping everything would not be a problem. Also, what steps would be needed to achieve the dual functionality after a fresh install of OpenVPN (via the road warrior installer) and Pi-hole (via the standard piping to bash), given that the wiki page is outdated?
Ok, so I've cleaned the system of any previous OpenVPN installations and ran your script. I set 10.8.0.1 as the IP address and installed everything. I set Pi-hole to "Listen on all interfaces, permit all origins", but the client connected through the VPN still can't resolve hostnames (nslookup times out).
This is the current server.conf contents:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
Sadly it's not working. To clear my mind on this, I'd like to try the dual VPN+LAN method on a fresh OS install. Since you said the information on the wiki page is outdated, do you have an updated method to set it up? I could not find anything in the development branches of Pi-hole over on GitHub...
Yes. The updated version is that script.
Do a fresh install of the OS, install Pi-hole, OpenVPN via that script, or OpenVPN and then Pi-hole (doesn’t matter which one is installed first) and if it doesn’t work, let us know and we’ll look at it again.
It should work though, because I have the exact same setup on more than 5 nodes...
chmod 755 openvpn-install.sh && sed -i -e 's/\r$//' openvpn-install.sh (it has DOS-style CRLFs!!)
run the script and use 10.8.0.1 as the IP to listen on, UDP on port 1194, use system resolvers
edit /etc/openvpn/server.conf so that I comment out one push "dhcp-option DNS 8.8.8.8" line and modify the other line so that it reads push "dhcp-option DNS 10.8.0.1"
install Pi-hole by piping into bash
accept all defaults (except for IPv6 blocking)
pihole -a -i all
reboot the SBC for good measure
LAN blocking works, VPN doesn't. Chrome gives an ERR_CONNECTION_TIMED_OUT error, nslookup google.com says connection timed out and ping 8.8.8.8 reports 100% packet loss. dig google.com @10.8.0.1 works correctly, dig google.com just hangs.
I'd be very grateful if you could keep helping me with the troubleshooting.
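A quick lint for the DNS values pushed by an OpenVPN server.conf, which would have caught the netmask (255.255.255.0) that ended up in a push "dhcp-option DNS" line in the second config above. This is an added example, not code from the thread, the Pi-hole project or the openvpn-install script; it only reads the file you point it at.

```shell
#!/bin/sh
# Lint the push "dhcp-option DNS ..." lines of an OpenVPN server.conf.
# Commented-out lines (#push ...) are ignored, like OpenVPN itself does.

# Return 0 if $1 looks like a usable IPv4 resolver address: four dotted
# octets in 0-255, not 0.0.0.0 and not a netmask-style value (first octet 255).
is_resolver_ip() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # non-digit chars, empty octets
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')  # split into octets
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -ne 255 ] && [ "$ip" != "0.0.0.0" ]
}

# Print one line per pushed DNS server in the given server.conf and return
# the number of entries that cannot be a resolver address (0 means clean).
check_push_dns() {
    conf=$1
    bad=0
    # matches lines such as: push "dhcp-option DNS 192.168.100.6"
    for dns in $(sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]*DNS[[:space:]]*\([^"]*\)".*/\1/p' "$conf"); do
        if is_resolver_ip "$dns"; then
            echo "ok   push DNS $dns"
        else
            echo "BAD  push DNS $dns (not a usable resolver address)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage (path is an assumption, adjust to your install):
# check_push_dns /etc/openvpn/server.conf
```

A clean result only proves the pushed address is well formed; whether the resolver actually answers on the tunnel is still the dig @address test used above.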
You need to make it listen on 192.168.100.6 (assuming you kept the same IP for the Pi-hole and OpenVPN device), as making it listen on 10.8.0.1 breaks the IPTABLES rules.
You shouldn't have to do this manually, as the installer checks and takes care of this aspect automatically.
Can you please also upload a debug log with pihole -d and provide the token so that I can take a look?
Oh, ok. I redid the whole thing once again and it still doesn't work. It works if I edit /etc/openvpn/server.conf and use Google's DNS servers, but it doesn't work when I use 10.8.0.1 as the DNS server. So OpenVPN is good on its own, Pi-hole too; it must be something in the middle...
When you first log in as root on the machine it is mandatory to create another account, with a password, that will be sudo-enabled, so I gave it the username "pihole". I did not do this manually.