Pi-hole installation on rpi as vpn gateway (openvpn client) fails (spectacularly)

First of all, thank you for building and maintaining Pi-hole. Very useful, thank you.

Expected Behaviour:

Pi-hole installation would not have an impact on the existing vpn connection

Actual Behaviour:

This VPN gateway lost vpn connection permanently and no internet connection was possible anymore:

I set up an openvpn gateway on a raspberry pi as per the instructions by
SuperJamie (Raspberry Pi VPN Router · GitHub), including the dnsmasq dns server. I used the firewall rules out of the comments by Dumpster99. The only change I made is that I added the local dns server from my network to the dnsmasq.conf file. This vpn gateway setup has been rock solid for several years, and only needed the pi-hole filtering to be added.

I installed Pi-Hole with the curled script.

The script asks several questions which I don't really know how to answer:

1-choose an interface: At this moment I had the physical interface eth0 and the virtual tun0 interface up and running. Not sure which one to choose, I chose eth0.

2-Do you want to use your current network settings as static settings: In my network all network interfaces are set to DHCP. I have a local (dns and) dhcp server that assigns ip address based on mac address. I wanted to say no but thought to install first with fixed addresses to get it going. I added the ip address that the dhcp server assigns anyway, and added the physical gateway of my network, instead of the virtual gateway of the vpn tunnel.
3-Choose upstream DNS server: I did not want that either, as the dns servers are assigned by the dhcp server, however I selected google for the time being, thinking I could replace that if needed later.
4-A firewall has been found, do you want to replace that: No. I knew what my firewall was doing, and had no idea what I was replacing it with. And I did not want to add another complexity.

After installation and reboot no tunnel could be established anymore. And no dns query worked, even with the firewall turned off.

Step by step I eliminated the changes made by the installation script until I had a working vpn connection again.

In the end I found out that I had to
1: remove the fixed ip addresses from /etc/dhcpcd.conf (not sure how to get it working with fixed ip address)
2: add back my local dns server to /etc/dnsmasq.conf to re-allow local dns lookup (was overwritten by the installation, but this is not critical.)
I further had to make a number of changes to the 01-pihole.conf file:
3: comment out "no-resolv" from /etc/dnsmasq.d/01-pihole.conf, otherwise the vpn client can not resolve the vpn server to establish the connection (see also the iptables firewall referred to above)
4: remove the two server lines with google dns servers (handled by the local dhcp server), otherwise dns lookups don't work
5: add a second "interface=tun0" next to the interface=eth0; with only one of the two, no tunnel is set up.

Once this was done the vpn tunnel came up. The management interface did not.

All my logfiles reside on a ram disk, to protect the memory card. This means that after every reboot all logfiles must be newly created. Pi-hole does not do this for all logfiles, so I had to
6: change permissions on pihole.log (permission 644, owned by dnsmasq:root), create pihole-FTL.log (permission 644, owned by pihole:pihole) and create the lighttpd/ directory (owned by www-data:root) in /etc/log.

The installation further failed to install the pihole-FTL service in /etc/init.d. pi-hole -r did not help, but I found an instruction to remove /usr/bin/pihole-FTL (sudo rm /usr/bin/pihole-FTL) and run pi-hole -r afterwards, which installed the service properly. And although the repair function should not overwrite configuration, the file /etc/dnsmasq.d/01-pihole.conf is overwritten every time you run the repair option.

I tested the system with various ad-ridden sites and it seems to work well. I also tested whether my vpn was still secure and free of dns leaks. Apparently it is.

But I don't understand the changes in the installation I had to make to get this to work, so maybe my setup is not as secure/reliable as I think it is. I would therefore like to know

  1. how should the questions during the installation be interpreted/filled out for my case?

  2. why would I have to list both the real and the virtual network interface for the vpn to work, and how does this further impact pihole?

  3. why would I have to comment out "no-resolv", and what would be the impact?

  4. why can I not comment out "localise-queries", which I did not use in my previous dnsmasq configuration?
    And further:

  5. How could I make these changes (reversals) persistent, just add a conf file starting with 02?

  6. what is the function of the parameters in /etc/pihole/setupVars.conf

When I understand this all a little bit better I would want to write this into a howto; currently I think there are a few too many unknowns.

Thanks

Debug Token:

5ocgso3jrb

  1. When Pi-hole installs, it is not expected that you already have a complex dnsmasq installation running. That being said, usually you should choose the interface you would be connecting to the Pi-hole from (tun0), and then choose the IP that you can connect to when a domain is blocked. The upstream DNS servers are used by Pi-hole to resolve queries, so if you had custom ones already, you can specify that. The firewall settings make sure that users can use the DNS server and avoid slow timeouts (commonly seen with HTTPS).
  2. Dnsmasq only listens on the interfaces you tell it to use, and the interface often determines the IP address Pi-hole should use.
  3. no-resolv tells Dnsmasq:

Don't read /etc/resolv.conf. Get upstream servers only from the command line or the dnsmasq configuration file.

  4. localise-queries tells Dnsmasq:

Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was received. If a name has more than one address associated with it, and at least one of those addresses is on the same subnet as the interface to which the query was sent, then return only the address(es) on that subnet. This allows for a server to have multiple addresses in /etc/hosts corresponding to each of its interfaces, and hosts will get the correct address based on which network they are attached to. Currently this facility is limited to IPv4.

  5. Pi-hole will overwrite the config files it generates during updates. If you added config lines, move them to a new config under /etc/dnsmasq.d/
  6. setupVars.conf is the main settings location for Pi-hole.
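The answer to question 5 (move your own lines into a separate file under /etc/dnsmasq.d/) works because dnsmasq merges every file in that directory into one configuration: repeatable options such as interface= and server= accumulate across files, while a bare flag such as no-resolv, once set in 01-pihole.conf, stays set no matter what a later file says. The script below is an added example, not code from Pi-hole or from the original poster; it replays that merge over a set of config files and reports the two failure modes the thread ran into (dnsmasq not listening on tun0, and no-resolv left in place with no server= line to forward to). The sample file contents, the file name 02-vpn-gateway.conf and the address 192.168.1.2 are constructed placeholders; the parser is deliberately simple (one option per line, comments only on their own lines, no conf-file includes) and the file-name sort assumes the alphabetical conf-dir order that the 01- prefix of Pi-hole's own file relies on.

```python
"""Replay dnsmasq's conf-dir merge and audit the result (added example, not Pi-hole code)."""
from pathlib import Path


def parse_dnsmasq_conf(text):
    """Parse one dnsmasq config file into (flags, options).

    flags   - set of bare keywords such as 'no-resolv' or 'localise-queries'
    options - dict key -> list of values, e.g. {'interface': ['eth0', 'tun0']}
    Lines starting with '#' and blank lines are skipped; the first '=' splits key and value.
    """
    flags, options = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            options.setdefault(key.strip(), []).append(value.strip())
        else:
            flags.add(line)
    return flags, options


def merge_conf_dir(files):
    """Merge {filename: text} in file-name order; repeatable options accumulate, flags only ever get set."""
    flags, options = set(), {}
    for name in sorted(files):
        file_flags, file_options = parse_dnsmasq_conf(files[name])
        flags |= file_flags
        for key, values in file_options.items():
            options.setdefault(key, []).extend(values)
    return flags, options


def load_conf_dir(directory):
    """Read the *.conf files of a real directory (e.g. /etc/dnsmasq.d) into {name: text}."""
    return {p.name: p.read_text() for p in Path(directory).glob("*.conf")}


def audit(files, expected_interfaces=("eth0", "tun0")):
    """Return a list of findings for the merged configuration; an empty list means nothing found.

    expected_interfaces: every interface dnsmasq must listen on. For the VPN gateway in the
    thread that is the LAN side (eth0) plus the tunnel (tun0).
    """
    flags, options = merge_conf_dir(files)
    findings = []
    listening = set(options.get("interface", []))
    missing = [i for i in expected_interfaces if i not in listening]
    if missing:
        findings.append("not listening on " + ", ".join(missing) + ": add interface= lines for them")
    if "no-resolv" in flags and not options.get("server"):
        # Name the file that sets the flag: a later 02-*.conf cannot switch it off again.
        origin = [n for n in sorted(files) if "no-resolv" in parse_dnsmasq_conf(files[n])[0]]
        findings.append("no-resolv (from " + ", ".join(origin) + ") with no server= line: dnsmasq has "
                        "no upstream to forward to; a later file cannot unset no-resolv, so either add "
                        "server= lines or change the file that sets it")
    return findings


# Constructed samples modelled on the thread (not the real generated files).
PIHOLE_CONF = """\
# 01-pihole.conf as generated by the installer (constructed sample)
interface=eth0
no-resolv
localise-queries
server=8.8.8.8
server=8.8.4.4
"""

GATEWAY_OVERRIDE = """\
# 02-vpn-gateway.conf: persistent additions (constructed sample)
# placeholder address of the LAN's own DNS server
interface=tun0
server=192.168.1.2
"""


def run_samples():
    """Audit three states: stock install, server lines deleted by hand, and a persistent 02- override."""
    stock = {"01-pihole.conf": PIHOLE_CONF}
    # Only the two google server= lines removed, no-resolv left in place: nothing upstream remains.
    hand_edited = {"01-pihole.conf": PIHOLE_CONF.replace("server=8.8.8.8\n", "").replace("server=8.8.4.4\n", "")}
    persistent = {"01-pihole.conf": PIHOLE_CONF, "02-vpn-gateway.conf": GATEWAY_OVERRIDE}
    return {"stock": audit(stock), "hand_edited": audit(hand_edited), "persistent": audit(persistent)}


if __name__ == "__main__":
    for state, findings in run_samples().items():
        print(state + ":", findings or ["ok"])
```

Run it against a real gateway with `audit(load_conf_dir("/etc/dnsmasq.d"))`. Note what the persistent state shows: a 02- file can add interface=tun0 and a local server= line, but it cannot take the google server lines or no-resolv out of 01-pihole.conf; those belong to the generated file and are set through Pi-hole's own settings (setupVars.conf / the admin interface), which is why the hand edits were lost on every repair.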
