Connection Problem after 4.3.3 & 4.3.5 update with PiVPN

Yes the docs are correct. We reverted that hiccup a while back :slight_smile:

Thanks again to everyone. I've now got it running with all interfaces selected. Had a bit of a false start by me just renaming the etc/dnsmasq.d/02-ovpn.conf file in the dnsmasq.d directory. Hadn't realised it would scan and process any filename in that folder. Deleting it completely did the trick.

About that:
PiVPN adds this file (and line to listen for tun0) automatically during installation if you have Pi-Hole set to "Listen only on eth0". However, having Pi-Hole set to "Listen on all Interfaces" will make the PiVPN installer omit this line in the file.

I've come across this as I read up on the whole thing yesterday as I was trying to understand it. So what you are saying would only be true if Pi-Hole is indeed set to "Listen on all Interfaces", where it doesn't need to specify the new interface explicitly, or am I wrong?
Isn't this just the lazy approach, security wise? Instead of having it only listen to eth0 and explicitly allowing another interface (for VPN), just permitting everything in dnsmasq? Even if the Pi isn't exposed to the Internet.

I think any guide that recommends this just assumes you have your Pi-Hole set to only listen on eth0 because that's the default option, isn't it (haven't installed it for a long time so I'm not sure).

I don't know if PiVPN is aware of how Pi-hole is configured.
But this added PiVPN directive is crippling the ability to set listening behaviour on the Pi-hole web GUI.
What if you have a third or fourth interface, e.g. eth0, wlan0, tun0, wg0 etc.?
I know it's security practice to restrict to what's only needed.
But Debian, and many others, don't restrict interfaces for the dnsmasq package as it's just forwarding DNS upstream.

I ran the v4 setup yesterday and currently the default is "Listen on all interfaces".
I believe it used to be "Listen only on interface eth0" or whatever interface was set during setup.

EDIT: Oh, and Pi-hole already has a guide to set up OpenVPN without the need of a full distro to do that:

https://docs.pi-hole.net/guides/vpn/overview/

Yes, I get what you are saying, however I still believe a lot of people (including myself) will use PiVPN.
PiVPN should at least be able to tell how Pi-Hole is configured in that regard according to that: Fix Pi-hole support when dnsmasq is set to listen on all interfaces · pivpn/pivpn@87cf243 · GitHub

Bottom line: As you are also saying, in the past Pi-Hole set it to eth0 only while PiVPN needed to add this line to function. As that seems to have changed, it might not be necessary anymore. However, PiVPN for example doesn't have upgrade functionality, so that might contribute to problems arising due to mismatching configuration because it was installed in the past, when the PiVPN installer handled it differently.

Interface configuration is dynamic. Dropping a configuration file during installation is not sufficient. PiVPN should not add the file. If that configuration line is required for PiVPN to work then their users need to be told to add that. Adding the file without users knowing it causes problems as they have no idea (like in this case) that the file was added.

Edit: I can update the debugger to search for that file specifically and flag if it exists. Our instructions to users will be to remove that file.
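
The kind of check discussed above, as an added example that is not part of any post in this thread and not Pi-hole's debugger code: it lists every active `interface=` directive in a dnsmasq drop-in directory, including renamed copies, since every file in the folder is processed. The function names, the `.disabled` suffix and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report each interface= directive found in a dnsmasq conf dir.
# Assumption (from the thread): every regular file in the directory is
# processed, so a renamed copy of 02-ovpn.conf is still in effect.

find_interface_directives() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop comments and surrounding whitespace, then keep only lines whose
        # key is exactly "interface" (not except-interface, no-dhcp-interface).
        sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" |
            awk -v file="$(basename "$f")" -F= \
                '$1 == "interface" && $2 != "" { print file ": interface=" $2 }'
    done
}

# Constructed sample directory standing in for /etc/dnsmasq.d.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'addn-hosts=/etc/pivpn/hosts.openvpn\ninterface=tun0\n' \
        > "$d/02-ovpn.conf"
    # Renaming instead of deleting: the copy is still picked up.
    cp "$d/02-ovpn.conf" "$d/02-ovpn.conf.disabled"
    # A commented-out directive must not be reported.
    printf '# interface=eth0\ncache-size=10000\n' > "$d/01-sample.conf"
    echo "$d"
}

sample=$(make_sample_dir)
find_interface_directives "$sample"
rm -rf "$sample"
```

On a real system the function would be pointed at `/etc/dnsmasq.d`; any file it reports besides the one Pi-hole itself manages pins the listening interfaces independently of the web GUI setting.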

Yes, I see that this can be problematic when users don't know about that file.
So going forward, if I understand you correctly, your suggestion when using PiVPN would be:

  1. set Pi-Hole to listen to all Interfaces
  2. remove the interface line from the file PiVPN creates. Because actually the file serves another purpose if I understand that correctly (show the Hosts correctly), for example my file looks like that for now:
addn-hosts=/etc/pivpn/hosts.openvpn
interface=tun0

Correct?

Best would be to read Redirecting... and understand our guide for OpenVPN integration. That should answer any question you have on what we suggest and what we rely on.

K, got it, so this is basically the only way it should be done.

It's the only way that Pi-hole will provide support for.
