DNS not working over OpenVPN

Expected Behaviour:

Devices connected to Pi-Hole via OpenVPN should use Pi-Hole as their DNS server.

Actual Behaviour:

I have set up an OpenVPN server on my Pi as described in the official documentation.

OpenVPN on Android falls back to Google DNS when connecting to Pi-Hole:

23:02:13.520 -- EVENT: ASSIGN_IP
23:02:13.524 -- Error parsing dhcp-option: [dhcp-option] [DNS] [127.0.0.1]  : tun_prop_dhcp_option_error: tun_builder_add_dns_server failed
23:02:13.525 -- Google DNS fallback enabled

My Pi-Hole uses cloudflared running on port 5053 as the upstream DNS and listens on all interfaces (up to 1 hop away). It is also the DHCP server for my home network.

Relevant lines of my server.conf (all IPs are LAN IPs):

# push "redirect-gateway def1 bypass-dhcp" # Commented out so it only routes DNS requests via the VPN
push "route 100.120.42.1 255.255.255.224"
push "dhcp-option DNS 100.120.42.30"

Output of sudo ufw status:

Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
VNC                        ALLOW       Anywhere                  
67/udp                     ALLOW       Anywhere                  
1194                       ALLOW       Anywhere                  
DNS                        ALLOW       Anywhere                  
80/tcp (v6)                ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
VNC (v6)                   ALLOW       Anywhere (v6)             
67/udp (v6)                ALLOW       Anywhere (v6)             
1194 (v6)                  ALLOW       Anywhere (v6)             
DNS (v6)                   ALLOW       Anywhere (v6)             

Debug Token:

https://tricorder.pi-hole.net/k29cl8bmr7

It seems that your configuration is sending 127.0.0.1 (loopback) as the DNS server and the client fails because of that.

Your server.conf should push 10.8.0.1 or whatever the tun range IP is for the DNS to work.

Try changing server.conf to that and re-try.

I've changed the IP to 10.8.0.1 (my tun0 IP) and restarted the OpenVPN server, but the same error shows up.

Thanks for the quick reply anyway.

Are you experiencing this on all connecting clients?

If yes, can you share your server.conf?

If no, then your issue is isolated to that one device that's playing tough to get.

Android is known to force/bypass VPN DNS settings and (still) force Google.

I have just rebooted the Pi and that seems to have solved the issue. :sweat_smile:

Sorry for wasting your time!

Now there is a new error, though it's probably unrelated to Pi-Hole:

00:54:27.772 -- EVENT: ASSIGN_IP
00:54:27.775 -- Error parsing IPv4 route: [route] [100.120.42.1] [255.255.255.224]  : tun_prop_error: route is not canonical
00:54:27.790 -- Connected via tun

You should comment out this line as it's not relevant to your tunnel.

Thanks a lot. That solved it.

I found the root cause for the "route is not canonical" error. I was following this guide but put the IP of the router instead of the network address (e.g. 192.168.1.0) on the "route" line of server.conf.

Thanks again for the help.
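A small validator for the two server.conf mistakes this thread ran into: a loopback address pushed as the DNS server (which the Android client cannot reach, so it falls back to Google DNS) and a pushed route whose address still has host bits set (which OpenVPN rejects as "route is not canonical"). This is an added example, not code from the thread or from the Pi-hole or OpenVPN projects; the sample config is constructed from the values posted above.

```python
import ipaddress
import re
import shlex

# Constructed sample server.conf fragment. The route line repeats the mistake
# found above (router IP instead of the network address) and the first
# dhcp-option line repeats the loopback mistake from the first log excerpt.
SAMPLE_CONF = """\
# push "redirect-gateway def1 bypass-dhcp"
push "route 100.120.42.1 255.255.255.224"
push "dhcp-option DNS 127.0.0.1"
push "dhcp-option DNS 10.8.0.1"
"""

PUSH_RE = re.compile(r'^\s*push\s+"(.*)"\s*$')


def check_push_lines(conf_text):
    """Return a list of (line_no, problem, suggested_line) for pushed options."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments, so commented-out pushes are skipped
        m = PUSH_RE.match(line)
        if not m:
            continue
        parts = shlex.split(m.group(1))
        if parts[:1] == ["route"] and len(parts) >= 3:
            net, mask = parts[1], parts[2]
            try:
                # strict=True raises ValueError when host bits are set in the address
                ipaddress.ip_network(f"{net}/{mask}", strict=True)
            except ValueError:
                canon = ipaddress.ip_network(f"{net}/{mask}", strict=False)
                findings.append((line_no, "route is not canonical",
                                 f'push "route {canon.network_address} {canon.netmask}"'))
        elif parts[:2] == ["dhcp-option", "DNS"] and len(parts) >= 3:
            try:
                addr = ipaddress.ip_address(parts[2])
            except ValueError:
                findings.append((line_no, "DNS address is not a valid IP", ""))
                continue
            if addr.is_loopback:
                findings.append((line_no, "DNS points at loopback; VPN clients cannot reach it",
                                 'push "dhcp-option DNS <tun interface address, e.g. 10.8.0.1>"'))
    return findings


if __name__ == "__main__":
    for line_no, problem, suggestion in check_push_lines(SAMPLE_CONF):
        print(f"line {line_no}: {problem} -> {suggestion}")
```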
