OpenVPN + PiHole + DigitalOcean Ubuntu, blacklist domains getting through on OSX & iPhone

Hi. Today I installed OpenVPN and PiHole on a fresh Ubuntu 18.04 LTS VPS on DigitalOcean. I used the instructions here:

I created my .ovpn profiles and loaded them on my MacBook Pro (OSX) and iPhone (iOS). The blacklisted domain (google.com) loads without a problem on both devices when connected to OpenVPN. My guess was that I had screwed something up during install. I deleted the VPS and spun up a new one, installed OpenVPN+PiHole again and got the same results.

This time, on OSX, I forced the computer to use the PiHole address as DNS; when I did this, I was indeed blocked from google.com.

Has anyone experienced this issue too or did I miss something?

https://tricorder.pi-hole.net/2efoj8rfyx

Likely you are not forcing your VPN to use its Pi-hole instance.

Thanks for the heads up.

I looked over the page you linked. I think what you're referring to is the line:

push "dhcp-option DNS 10.9.0.1"

I had already included the equivalent line in my OpenVPN server.conf file. I have it set to the IP address listed under tun0 when entering the console command (within the Ubuntu VPS):

ifconfig

Were you referring to the next instruction on the page you linked? The next instruction is to comment out a line:

# push "redirect-gateway def1 bypass-dhcp"

That I haven't done, as it indicates my web traffic will not go through the VPN.

If you want web traffic and DNS traffic to go through, leave that line uncommented.

Perhaps it would help us if you are willing to share your config files? Redact anything you feel like, such as IP addresses.

Good idea.

OpenVPN configuration file ...

/etc/openvpn/server/server.conf

port 1194
proto udp
dev tun0
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem

And PiHole configuration file ...
/etc/pihole/setupVars.conf

PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=10.8.0.1/24
IPV6_ADDRESS= 
PIHOLE_DNS_1=208.67.222.222
PIHOLE_DNS_2=208.67.220.220
QUERY_LOGGING=false
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
WEBPASSWORD=asdf
BLOCKING_ENABLED=true

And from the VPS console, the command ifconfig returns

root@ubnt-ovpn-pihole2:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xxx.yyy.145.94  netmask 255.255.240.0  broadcast xxx.yyy.159.255
        inet6 fe80::7843:e3ff:fee1:1b0e  prefixlen 64  scopeid 0x20<link>
        ether 7a:43:e3:e1:1b:0e  txqueuelen 1000  (Ethernet)
        RX packets 680132  bytes 819872725 (819.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 901405  bytes 812196705 (812.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 58806  bytes 4687253 (4.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58806  bytes 4687253 (4.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::3849:b60d:48ad:aec9  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 314252  bytes 30471818 (30.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 576137  bytes 733258711 (733.2 MB)
        TX errors 0  dropped 8045 overruns 0  carrier 0  collisions 0

My understanding is that the tun0 address needs to match server.conf and setupVars.conf, which it does, so I'm not sure what else I'm missing.

Also, when I connect to OpenVPN from either one of my clients/devices, doing a Google search on "what is my IP address" does in fact return the IP address of the VPS I've spun up.
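The cross-check the thread is doing by hand (does the pushed DNS address equal the Pi-hole address, does the OpenVPN dev equal PIHOLE_INTERFACE, does it all sit inside the tunnel subnet), plus the server-side fail-safe a practitioner would add when clients ignore the pushed DNS, as an added shell example. This is not code from the original posts or from the Pi-hole or OpenVPN projects. The function names, the sample config contents (constructed to mirror the settings posted above) and the iptables rules are this example's own assumptions; on the VPS you would point it at the real /etc/openvpn/server/server.conf and /etc/pihole/setupVars.conf.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check OpenVPN's server.conf against
# Pi-hole's setupVars.conf for the DNS-push mismatch discussed above, then print
# iptables rules that force every tunnel client's port-53 traffic onto Pi-hole.
# All function names, the sample files and the rules are this example's own.

# First 'push "dhcp-option DNS <ip>"' in server.conf, e.g. 10.8.0.1
ovpn_pushed_dns() {
  sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]*DNS[[:space:]]*\([0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Tunnel network and mask from the "server" directive, e.g. "10.8.0.0 255.255.255.0"
ovpn_tunnel_net() { awk '$1 == "server" { print $2, $3; exit }' "$1"; }

# Tunnel interface from "dev", e.g. tun0
ovpn_dev() { awk '$1 == "dev" { print $2; exit }' "$1"; }

# Succeeds if redirect-gateway is pushed (full tunnel); a commented "# push" does not count
ovpn_redirects_gateway() { grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$1"; }

# Pi-hole listen address without its /prefix, e.g. 10.8.0.1
pihole_ip() { sed -n 's/^IPV4_ADDRESS=\([0-9.]*\).*/\1/p' "$1"; }

# Interface Pi-hole binds to, e.g. tun0
pihole_iface() { sed -n 's/^PIHOLE_INTERFACE=\(.*\)$/\1/p' "$1"; }

# Dotted quad -> integer, for subnet arithmetic
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

# Succeeds when address $1 lies inside network $2 with mask $3
in_subnet() {
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Runs the consistency checks, prints each finding, returns the number of failures
check_dns_path() {   # $1 = server.conf  $2 = setupVars.conf
  conf=$1; vars=$2; fails=0
  dns=$(ovpn_pushed_dns "$conf");  pi=$(pihole_ip "$vars")
  dev=$(ovpn_dev "$conf");         iface=$(pihole_iface "$vars")
  net=$(ovpn_tunnel_net "$conf" | cut -d' ' -f1)
  mask=$(ovpn_tunnel_net "$conf" | cut -d' ' -f2)
  [ -n "$dns" ]         || { echo "FAIL: server.conf pushes no dhcp-option DNS"; fails=$((fails + 1)); }
  [ "$dns" = "$pi" ]    || { echo "FAIL: pushed DNS '$dns' != Pi-hole address '$pi'"; fails=$((fails + 1)); }
  [ "$dev" = "$iface" ] || { echo "FAIL: OpenVPN dev '$dev' != PIHOLE_INTERFACE '$iface'"; fails=$((fails + 1)); }
  in_subnet "$pi" "$net" "$mask" || { echo "FAIL: Pi-hole $pi is outside tunnel $net/$mask"; fails=$((fails + 1)); }
  ovpn_redirects_gateway "$conf" || echo "WARN: redirect-gateway not pushed; only DNS goes through the tunnel"
  if [ "$fails" -eq 0 ]; then echo "OK: clients are told to resolve via Pi-hole at $pi on $dev"; fi
  return "$fails"
}

# iptables rules that rewrite any client DNS query (UDP and TCP 53) entering the
# tunnel interface so it lands on Pi-hole, even from a client that ignores the
# pushed DNS option. Printed, not applied: review them, then run them as root.
dns_redirect_rules() {   # $1 = tunnel dev  $2 = Pi-hole address
  for proto in udp tcp; do
    echo "iptables -t nat -A PREROUTING -i $1 -p $proto --dport 53 ! -d $2 -j DNAT --to-destination $2:53"
  done
}

# Constructed sample mirroring the settings posted in this thread; writes
# server.conf and setupVars.conf into directory $1
write_sample_configs() {
  mkdir -p "$1"
  cat > "$1/server.conf" <<'EOF'
dev tun0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
EOF
  cat > "$1/setupVars.conf" <<'EOF'
PIHOLE_INTERFACE=tun0
IPV4_ADDRESS=10.8.0.1/24
PIHOLE_DNS_1=208.67.222.222
EOF
}

# Demo: check the sample, then print the fail-safe rules for its dev and address
tmp=$(mktemp -d)
write_sample_configs "$tmp"
check_dns_path "$tmp/server.conf" "$tmp/setupVars.conf"
dns_redirect_rules "$(ovpn_dev "$tmp/server.conf")" "$(pihole_ip "$tmp/setupVars.conf")"
rm -rf "$tmp"
```

On the settings posted above the checks all pass, which matches what the poster observed: the server is telling clients to use 10.8.0.1. The DNAT rules cover the remaining gap. They rewrite any port-53 packet arriving on tun0 to Pi-hole, so a client that keeps using its own resolver is still filtered, and they are printed rather than applied so they can be reviewed first. One caveat worth knowing when reading the posted server.conf: `push "block-outside-dns"` is only implemented by the Windows OpenVPN client, so it does nothing for the macOS and iOS devices in this thread.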

Update: I've been trying to get PiHole to work on Ubuntu 18 + OpenVPN with no luck (it only worked if I manually updated the DNS server on the client). My understanding is that Ubuntu 18's introduction of Netplan (https://www.linuxincluded.com/install-pi-hole-on-ubuntu/) disrupts PiHole.

I've since spun up an instance of Ubuntu 16 + PiHole + OpenVPN and all works as intended without having to manually set DNS address on client.
