Connection Problem after 4.3.3 & 4.3.5 update with PiVPN


Expected Behaviour:

I installed the 4.3.3 update with ‘pihole -up’. The update said that it worked. Expected behaviour was that everything would continue to work as it had prior to the update.

Actual Behaviour:

All throughput graphs dropped to zero. The update was done remotely. When I got home, my wireless devices weren’t being given a valid IP address through DHCP. Restarted the router and my pihole to no effect. Updated to 4.3.5 also with no difference. Disabled the pihole DHCP server and went back to the router. All clients now connected, but no (new) internet access. Set router DNS server to point to ISP and got full access again. Pointing router again to pihole prevented internet/DNS resolution.

Raspberry Pi 4, 4GB running pihole + unbound and also PiVPN.
I have just now tried to connect to my Pi4 over VPN and to browse to a website. This has worked and I also get ad blocking. So it seems like this part is relevant.
A similar issue was raised on Reddit yesterday and I contributed to the thread there. I was advised to post here by u/-PromoFaux-

Debug Token:

https://tricorder.pi-hole.net/h533r4op84

Fixed, see my last post. I think reconfiguring PiHole, but leaving the interface set to eth0 was the key to it all. Thanks jfb!

Update for clarity. I had a setting that was wrong in my /etc/dnsmasq.d directory. If all interfaces was selected, that setting was forcing the PiHole to only listen on the VPN tun0 interface. Thanks to the developers’ persistence in not letting the matter rest half finished, I’m now back fully and correctly working.

Run pihole -r and select “reconfigure” to get your Pi-hole on the desired IP and interface.

*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the tun0 interface:
   10.8.0.1/24 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6-ula-addresses-for-pi-hole/2127)

[i] Default IPv4 gateway: 192.168.1.1
192.168.1.1
   * Pinging 192.168.1.1
192.168.1.1...
[✗] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] 203.109.101.46 is 0.0.0.0 via localhost (127.0.0.1)
[✗] Failed to resolve 203.109.101.46 via Pi-hole (192.168.1.239)
[✓] doubleclick.com is 216.58.210.46 via a remote, public DNS server (8.8.8.8)

*** [ DIAGNOSING ]: Setup variables
    DNSMASQ_LISTENING=single
   ....
    PIHOLE_INTERFACE=tun0
    IPV4_ADDRESS=192.168.1.239/24

Then, set the interface listening to all interfaces…

Thanks, I’ve done the first part, but I’m not sure how to set it to listen on all interfaces. Could you give me another pointer please?

Web admin > Settings > DNS > Interface listening behavior

Thanks for this. It’s looking good at the moment, but I can’t test it properly until I get home.
I will update the post later on tonight.

Hmm, maybe spoke too soon. I’ve changed the router DNS server settings to my pihole ip 192.168.1.239 and the router says it has no internet access and cannot run its speedtest. Changing the settings back to the DNS servers obtained from my ISP gets everything working again.
I’ve run another pihole -d command and this is the link:
https://tricorder.pi-hole.net/03k76ndy1y

I’ve read through the log and it says it fails pinging the default gateway 192.168.1.1. I’ve tried this manually from a terminal window and can ping my router fine.

Update: I think I’ve narrowed down the problem, but not found the answer. I can access the internet if I use the browser on the same device that PiHole is installed on. I can access the internet if I connect to the PiHole device via the PiVPN tunnel.
If I use a device on the same network, but have the DNS settings pointing to the PiHole device’s IP (in my case 192.168.1.239) then I cannot get any internet connectivity. My fault seems to be that local devices are unable to use/connect to the PiHole device to gain internet access.

I noticed version 4.4 became available a short while ago. I updated to this version, but I still have the same issue.
Do you have any suggestions?
Thanks in advance.

What does the below output (you might want to redact some):

sudo grep -v '^\s*#\|^$' -R /etc/dnsmasq.* | sort

Well, persistence, if not logic, has paid off.

I tried resetting the “DNS listening on” setting back to eth0 from “all interfaces”. Immediately, I could then point my DNS settings to the PiHole device. I then tried it again in stages, trying different devices and then changing the setting back in my router settings.

I’ve even managed to get the PiHole back controlling the DHCP settings - in short, I’m back where I was before I started having problems.

Thanks for all the support and things to try. Thanks especially for the patience with my basic questions.
I have no explanation why specifying eth0 works when all interfaces doesn’t, but it does. I hope this helps someone else.

Have you checked if dialing in via VPN still resolves DNS?
I suspect rogue config files:

sudo grep -v '^\s*#\|^$' -R /etc/dnsmasq.* | sort

Hi,

Yes I checked that just before I posted that I’d got it working. I’m typing this reply on my phone connected to my Pi4 over VPN.

I don’t fully understand why it’s working, but for the minute I’m just glad it is.
What should I expect to see running the two grep commands you’ve suggested?

Show all settings contained in config files that the pihole-FTL binary (with dnsmasq embedded) reads at startup.
Other software is known to drop config files in the /etc/dnsmasq.d/ folder that conflict with Pi-hole.
P.S. I only mentioned one and the same grep command.

Cheers, thanks. I’ll have a proper look at that output tomorrow once I have more time to sort through it.

I genuinely appreciate all the time that’s being spent on my issue.

See output from the grep command below. I recognise all the static address definitions and have just left the Pi4 in for clarity.

/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:dhcp-ignore-names=tag:hostname-ignore
/etc/dnsmasq.d/01-pihole.conf:dhcp-name-match=set:hostname-ignore,localhost
/etc/dnsmasq.d/01-pihole.conf:dhcp-name-match=set:hostname-ignore,wpad
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=127.0.0.1#5353
/etc/dnsmasq.d/01-pihole.conf:server=8.8.4.4
/etc/dnsmasq.d/01-pihole.conf:server=8.8.8.8
/etc/dnsmasq.d/01-pihole.conf:server=/use-application-dns.net/
/etc/dnsmasq.d/02-ovpn.conf:interface=tun0
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-authoritative
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-leasefile=/etc/pihole/dhcp.leases
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-option=option:router,192.168.1.1
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-range=192.168.1.2,192.168.1.254,24h
/etc/dnsmasq.d/02-pihole-dhcp.conf:domain=lan
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=<<Entries here redacted>>
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=*******
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=DC:**:**:**:**:**,192.168.1.239,Pi4
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=

Above is the culprit/rogue file giving you unexpected behaviour.
Try running the one below before and after you change “Interface listening behavior” to see the difference:

sudo grep '^\s*interface=\|^\s*except-interface=' -R /etc/dnsmasq.*

P.S. Can you enclose code output with the “</>” button when pasting here, please?
It is easier to read and doesn’t get mangled by Discourse formatting.

OK, here are the results - not sure I understand them though.
Output from the command with listening only on eth0: All networking functions working.

sudo grep '^\s*interface=\|^\s*except-interface=' -R /etc/dnsmasq.*
[sudo] password for  
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
/etc/dnsmasq.d/02-ovpn.conf:interface=tun0

Output from the command with listening on all interfaces. Internet access only via VPN

 sudo grep '^\s*interface=\|^\s*except-interface=' -R /etc/dnsmasq.*
/etc/dnsmasq.d/02-ovpn.conf:interface=tun0

It looks like the 01-pihole.conf file no longer specifies any network interface.

Yes, when Listen All is used then there is no need to specify an interface. But the tun0 locks everything to that specific interface. Our (Pi-hole) config is overridden.

Ahhh!
That explains exactly why it works when I connect via the VPN.

So in your opinion, is there now a case to modify the settings behaviour so the config file explicitly states the allowed interfaces if the ‘all interfaces’ option is selected?
It’s not something I’ve come across in any of the guides which recommend using PiHole and PiVPN together.

No, there should be no interfaces listed if you want every interface used.

Any guide that recommends adding /etc/dnsmasq.d/02-ovpn.conf is wrong.


Thanks for the clarity.

So going forward, would you recommend removing the /etc/dnsmasq.d/02-ovpn.conf file and changing back to all interfaces?

Yes, that is what we’ve suggested with our documentation.


https://docs.pi-hole.net/guides/vpn/overview/

@ramset That is the correct version of the docs, right?
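
The interface pinning conflict diagnosed in this thread, as an added example that is not part of the original posts or Pi-hole's own tooling: a POSIX shell check that classifies which files in a dnsmasq config directory carry interface= lines. The function names, verdict words and the temporary sample directories are constructed for illustration; the sample files mirror the two grep outputs posted above.

```shell
#!/bin/sh
# Classify interface= pinning in a dnsmasq conf directory. Prints one word:
#   OVERRIDDEN  - 01-pihole.conf pins nothing ("listen on all"), but another
#                 file does, so dnsmasq only serves that interface
#   MIXED       - 01-pihole.conf and another file both pin an interface
#   PIHOLE_ONLY - only 01-pihole.conf pins an interface
#   UNPINNED    - no interface= line in any *.conf file
audit_dnsmasq_interfaces() {
    dir=$1 pihole=0 other=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Same anchored match as the grep in the thread, limited to
        # interface= (commented lines and except-interface= do not match).
        grep -Eq '^[[:space:]]*interface=' "$f" || continue
        case "${f##*/}" in
            01-pihole.conf) pihole=1 ;;
            *)              other=1 ;;
        esac
    done
    if   [ "$pihole" -eq 0 ] && [ "$other" -eq 1 ]; then echo OVERRIDDEN
    elif [ "$pihole" -eq 1 ] && [ "$other" -eq 1 ]; then echo MIXED
    elif [ "$pihole" -eq 1 ]; then echo PIHOLE_ONLY
    else echo UNPINNED
    fi
}

# Constructed sample directory: $1 = "single" (eth0 selected) or "all".
make_sample() {
    d=$(mktemp -d)
    printf 'interface=tun0\n' > "$d/02-ovpn.conf"
    printf 'domain-needed\n# interface=wlan0\n' > "$d/01-pihole.conf"
    if [ "$1" = single ]; then
        printf 'interface=eth0\n' >> "$d/01-pihole.conf"
    fi
    echo "$d"
}

# Demo on the constructed samples; on a real host the call would be
# audit_dnsmasq_interfaces /etc/dnsmasq.d
for mode in single all; do
    s=$(make_sample "$mode")
    printf '%s: %s\n' "$mode" "$(audit_dnsmasq_interfaces "$s")"
    rm -rf "$s"
done
```

An OVERRIDDEN verdict corresponds to the state in which DNS only worked over the VPN: removing the extra file, as recommended above, returns the directory to UNPINNED.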