Connection Problem after 4.3.3 & 4.3.5 update with PiVPN

Cheers, thanks. I'll have a proper look at that output tomorrow once I have more time to sort through it.

I genuinely appreciate all the time that's being spent on my issue.

See output from the grep command below. I recognise all the static address definitions and have just left the Pi4 in for clarity.

/etc/dnsmasq.conf:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.conf.old:conf-dir=/etc/dnsmasq.d
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/black.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/gravity.list
/etc/dnsmasq.d/01-pihole.conf:addn-hosts=/etc/pihole/local.list
/etc/dnsmasq.d/01-pihole.conf:bogus-priv
/etc/dnsmasq.d/01-pihole.conf:cache-size=10000
/etc/dnsmasq.d/01-pihole.conf:dhcp-ignore-names=tag:hostname-ignore
/etc/dnsmasq.d/01-pihole.conf:dhcp-name-match=set:hostname-ignore,localhost
/etc/dnsmasq.d/01-pihole.conf:dhcp-name-match=set:hostname-ignore,wpad
/etc/dnsmasq.d/01-pihole.conf:domain-needed
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
/etc/dnsmasq.d/01-pihole.conf:localise-queries
/etc/dnsmasq.d/01-pihole.conf:local-ttl=2
/etc/dnsmasq.d/01-pihole.conf:log-async
/etc/dnsmasq.d/01-pihole.conf:log-facility=/var/log/pihole.log
/etc/dnsmasq.d/01-pihole.conf:log-queries
/etc/dnsmasq.d/01-pihole.conf:no-resolv
/etc/dnsmasq.d/01-pihole.conf:server=127.0.0.1#5353
/etc/dnsmasq.d/01-pihole.conf:server=8.8.4.4
/etc/dnsmasq.d/01-pihole.conf:server=8.8.8.8
/etc/dnsmasq.d/01-pihole.conf:server=/use-application-dns.net/
/etc/dnsmasq.d/02-ovpn.conf:interface=tun0
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-authoritative
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-leasefile=/etc/pihole/dhcp.leases
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-option=option:router,192.168.1.1
/etc/dnsmasq.d/02-pihole-dhcp.conf:dhcp-range=192.168.1.2,192.168.1.254,24h
/etc/dnsmasq.d/02-pihole-dhcp.conf:domain=lan
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=<<Entries here redacted>>
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=*******
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=DC:**:**:**:**:**,192.168.1.239,Pi4
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=
/etc/dnsmasq.d/04-pihole-static-dhcp.conf:dhcp-host=

Above is the culprit/rogue file giving you unexpected behaviour.
Try running the one below before and after you change "Interface listening behavior" to see the difference:

sudo grep '^\s*interface=\|^\s*except-interface=' -R /etc/dnsmasq.*

PS: can you enclose code output with the "</>" button when pasting here please?
Easier to read and doesn't get mangled by Discourse formatting.

OK, here are the results - not sure I understand them though.
Output from the command with listening only on eth0: All networking functions working.

sudo grep '^\s*interface=\|^\s*except-interface=' -R /etc/dnsmasq.*
[sudo] password for  
/etc/dnsmasq.d/01-pihole.conf:interface=eth0
/etc/dnsmasq.d/02-ovpn.conf:interface=tun0

Output from the command with listening on all interfaces. Internet access only via VPN.

sudo grep '^\s*interface=\|^\s*except-interface=' -R /etc/dnsmasq.*
/etc/dnsmasq.d/02-ovpn.conf:interface=tun0

It looks like the 01-pihole.conf file no longer specifies any network interface.

Yes, when Listen All is used then there is no need to specify an interface. But the tun0 line locks everything to that specific interface. Our (Pi-hole) config is overridden.

Ahhh!
That explains exactly why it works when I connect via the VPN.

So in your opinion, is there now a case to modify the settings behaviour so the config file explicitly states the allowed interfaces if the 'all interfaces' option is selected?
It's not something I've come across in any of the guides which recommend using PiHole and PiVPN together.

No, there should be no interfaces listed if you want every interface used.

Any guide that recommends adding /etc/dnsmasq.d/02-ovpn.conf is wrong.

Thanks for the clarity.

So going forward, would you recommend removing the etc/dnsmasq.d/02-ovpn.conf file and changing back to all interfaces?

Yes, that is what we've suggested with our documentation.

https://docs.pi-hole.net/guides/vpn/overview/

@ramset That is the correct version of the docs, right?

Yes the docs are correct. We reverted that hiccup a while back :slight_smile:

Thanks again to everyone. I've now got it running with all interfaces selected. Had a bit of a false start by me just renaming the etc/dnsmasq.d/02-ovpn.conf file in the dnsmasq.d directory. Hadn't realised it would scan and process any filename in that folder. Deleting it completely did the trick.

About that:
PiVPN adds this file (and the line to listen for tun0) automatically during installation if you have Pi-Hole set to "Listen only on eth0". However, having Pi-Hole set to "Listen on all Interfaces" will make the PiVPN installer omit this line in the file.

I've come across this as I read up on the whole thing yesterday while I was trying to understand it. So what you are saying would only be true if Pi-Hole is indeed set to "Listen on all Interfaces", where it doesn't need to specify the new interface explicitly, or am I wrong?
Isn't this just the lazy approach, security-wise? Instead of having it only listen to eth0 and explicitly allowing another interface (for VPN), just permitting everything in dnsmasq? Even if the Pi isn't exposed to the Internet.

I think any guide that recommends this just assumes you have your Pi-Hole set to only listen on eth0 because that's the default option, isn't it? (Haven't installed it for a long time so I'm not sure.)

I don't know if PiVPN is aware of how Pi-hole is configured.
But this added PiVPN directive is crippling the ability to set listening behaviour on the Pi-hole web GUI.
What if you have a third or fourth interface, e.g. eth0, wlan0, tun0, wg0 etc.?
I know it's security practice to restrict to what's only needed.
But Debian, and many others, don't restrict interfaces for the dnsmasq package as it's just forwarding DNS upstream.

I ran the v4 setup yesterday and currently the default is "Listen on all interfaces".
I believe it used to be "Listen only on interface eth0" or whatever interface was set during setup.

EDIT: oh, and Pi-hole already has a guide to set up OpenVPN without the need of a full distro to do that:

https://docs.pi-hole.net/guides/vpn/overview/

Yes, I get what you are saying, however I still believe a lot of people (including myself) will use PiVPN.
PiVPN should at least be able to tell how Pi-Hole is configured in that regard according to that Fix Pi-hole support when dnsmasq is set to listen on all interfaces · pivpn/pivpn@87cf243 · GitHub

Bottom line: as you are also saying, in the past Pi-Hole set it to eth0 only, while Pi-VPN needed to add this line to function. As that seems to have changed, it might not be necessary anymore. However, PiVPN for example doesn't have upgrade functionality, so that might contribute to problems arising from a mismatching configuration, because it was installed in the past when the PiVPN installer handled it differently.

Interface configuration is dynamic. Dropping a configuration file during installation is not sufficient. PiVPN should not add the file. If that configuration line is required for PiVPN to work then their users need to be told to add that. Adding the file without users knowing it causes problems as they have no idea (like in this case) that the file was added.

Edit: I can update the debugger to search for that file specifically and flag if it exists. Our instructions to users will be to remove that file.
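
A small check along the lines of the debugger change described above, written for this thread as an added example (it is not Pi-hole's debugger code and not PiVPN's). It reads every regular file in a dnsmasq conf-dir, since dnsmasq processes any filename there, and reports `interface=` / `except-interface=` lines in files other than Pi-hole's own `01-pihole.conf`, which is exactly the line that overrides "Listen on all interfaces". The sample conf-dir it builds is constructed in a temp directory to mirror the files quoted in this thread; nothing is read from `/etc`.

```shell
#!/bin/sh
# Added example (not Pi-hole's or PiVPN's code): scan a dnsmasq conf-dir for
# interface-binding directives that override Pi-hole's listening setting.

# One ERE for both forms dnsmasq accepts; leading whitespace is tolerated.
PATTERN='^[[:space:]]*(except-)?interface='

# Print "file:line" for every interface-binding directive under DIR.
# Every regular file is read regardless of name: dnsmasq ignores the
# filename inside conf-dir, so a renamed 02-ovpn.conf still counts.
list_interface_directives() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -HE "$PATTERN" "$f" || true
    done
}

# Return 0 and name each offending file when a file other than Pi-hole's
# own 01-pihole.conf binds dnsmasq to an interface; return 1 when clean.
check_interface_locks() {
    dir="$1"
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$(basename "$f")" = "01-pihole.conf" ] && continue
        if grep -qE "$PATTERN" "$f"; then
            echo "interface directive outside Pi-hole's config: $f"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample conf-dir mirroring the files quoted in this thread.
# Contents are made up for the demonstration and live only under mktemp.
make_sample_dir() {
    d=$(mktemp -d)
    # "Listen on all interfaces": Pi-hole writes no interface= line
    printf 'cache-size=10000\nserver=8.8.8.8\n' > "$d/01-pihole.conf"
    printf 'dhcp-authoritative\ndomain=lan\n' > "$d/02-pihole-dhcp.conf"
    # The file PiVPN drops in, as shown later in this thread
    printf 'addn-hosts=/etc/pivpn/hosts.openvpn\ninterface=tun0\n' > "$d/02-ovpn.conf"
    echo "$d"
}

# Stand-alone run: flag the sample, remove the PiVPN file, confirm it is clean.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_dir)
    check_interface_locks "$d" || echo "clean"
    rm "$d/02-ovpn.conf"
    check_interface_locks "$d" || echo "clean"
    rm -r "$d"
fi
```

Run it with `--demo` to see the sample flagged and then reported clean once `02-ovpn.conf` is gone; point `check_interface_locks` at `/etc/dnsmasq.d` on a real box to reproduce the grep result the thread arrived at. The check deliberately skips `01-pihole.conf` because that file is where Pi-hole itself writes `interface=eth0` when "Listen only on eth0" is selected, which is the intended, GUI-managed binding rather than a stray override.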

Yes, I see that this can be problematic when users don't know about that file.
So going forward, if I understand you correctly, your suggestion when using PiVPN would be:

  1. set Pi-Hole to listen to all Interfaces
  2. remove the interface line from the file PiVPN creates, because the file actually serves another purpose if I understand that correctly (showing the hosts correctly). For example, my file looks like this for now:
     addn-hosts=/etc/pivpn/hosts.openvpn
     interface=tun0

Correct?

Best would be to read Redirecting... and understand our guide for OpenVPN integration. That should answer any question you have on what we suggest and what we rely on.

OK, got it, so this is basically the only way it should be done.

It's the only way that Pi-hole will provide support for.