When a device on my network uses a private VPN (like IPVanish, NordVPN, etc.) to connect to the internet, it uses the PiHole for DNS rather than the private VPN’s DNS service.
Actual Behaviour:
When connected to a private VPN, clients bypass the PiHole and use the VPNs DNS service. As a result, ads are present.
Summary of setup:
Router --> Tomato
PiHole --> RPI3, connect to the Tomato router via eth0
VPN --> Paid service provider, NordVPN. On Linux clients, the VPN connection is established using NetworkManager and static OpenVPN config files downloaded from NordVPN to /etc/openvpn. AND
dhcp-option DNS ###.###.###.### (e.g., 192.168.0.2) appended to the OpenVPN setup file on the client, which is found in /etc/openvpn/ovpn_tcp/....ovpn
NOTE: I could not "reopen" the question I posted here after I learned that the accepted answer stopped working.
Thanks @Mcat12. Great question. And one I'm not sure about; I think so, but not positive. I've pasted the entire text of the file except for the certificate and key.
client
dev tun
proto tcp
remote 98.143.145.253 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
#mute 10000
auth-user-pass
comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
dhcp-option DNS 192.168.0.2
@TheRoarkster,
I've had trouble, too, with this, esp with Macs, which my daughter uses. In case you're using Viscosity with OpenVPN, here's an image showing the settings within Viscosity that seem to have eliminated the DNS problem with the Mac:
Thanks @RamSet. That seems to have worked in terms of blocking ads when using my paid VPN. I'm not sure I did it correctly though, as sites seem to take about 5-20 extra seconds to load, some don't load completely (i.e., the page appears loaded but on Chrome the tab keeps spinning), and some don't load at all. Is that expected?
For example, one site simply won't load completely: boston.com. I use to that to test Pi-Hole, as it has a ridiculous number of ads. The weird part is that now with the VPN on, boston.com half loads -- with no ads. But with the VPN off, boston.com fully loads -- and the ads are there; they are not blocked.
What is the correct DOMAIN to use? I put in the domain name from my Tomato router at Basic>Identification>Domain Name. Is that right?
I found out that boston.com in chrome is not the best test. Chrome seems to inject Ad-Sense ads, even with Pi-hole enabled.
See this:
What is your internal IP assigned by the VPN when connecting?
You are probably experiencing delays either due to routing issues or possibly you have the wrong DOMAIN set-up in your ovpn file.
Make sure it matches what your router/DHCP server is broadcasting.
I am running the VPN server locally and the response (either for the DNS only instance of the VPN server or the full VPN instance - traffic masking + dns) i don't experience any delays.
I think you're right about boston.com. I quit Chrome a few times and tried again; each time was different.
So it appears the VPN is assigning 192.7.7.132 as my internal IP (and 192.168.0.23 is the LAN IP for computer I am using to check), but I'm not sure I am checking it correctly (I used ifconfig on a computer with the VPN running and reported the IP for inet under tun0).
@RamSet if you don't mind, can you please reply with the best way to determine and/or set (A) the internal IP assigned by the VPN; and (B) the DOMAIN?
Just to repeat, the PiHole is called via DNSMasq in my Tomato router. The VPN is a paid VPN, which is run on each individual computer (all running a Linux distro) using NetworkManager and static OpenVPN config files downloaded from NordVPN to /etc/openvpn.
This is automatically assigned to you by the VPN server (you are connecting to) on your interface used to connect to VPN (in this case tun).
Iptables performs a MASQUARADE between packets. It's basically an algorithm dependent on the iptables implementation that allows one to route traffic without disrupting the original traffic.
You did find the right information (ips) when you looked it up.
Should be under Basic > Identification on your Tomato .
Take a look here, maybe there's something that helps:
I can't figure out the problem. I have the DOMAIN set in the Tomato router as home. This setting is at Basic>Router Identification>Domain Name.
With the VPN from the private service and initiated from GNOME Network Manageron, I bypass the PiHole and get ads. With the VPN off, I go through the PiHole and get no ads.
Are any of these Advanced>DHCP / DNS Server (LAN) settings necessary to turn off/on:
Use internal DNS
Debug Mode
Use received DNS with user-entered DNS
Prevent DNS-rebind attacks
Intercept DNS port
Use user-entered gateway if WAN is disabled
Ignore DHCP requests from unknown devices
Maximum active DHCP leases
Static lease time
Announce IPv6 on LAN (SLAAC)
Announce IPv6 on LAN (DHCP)
Mute dhcpv4 logging
Mute dhcpv6 logging
Mute RA logging
