Pi-hole stopped working after openvpn set up as a VPN gateway

The issue I am facing:
I first installed Pi-hole and this was working as expected. But after the installation and set up of openvpn it is not working anymore. When I point the DNS to the pi-hole, I can't browse the internet anymore and also the admin page is no longer available (not on the link or the internal IP).

Details about my system:
Running on Raspberry Pi OS (32-bit) Lite

What I have changed since installing Pi-hole:
After installing pi-hole I installed open vpn following these instructions : https://www.instructables.com/id/Raspberry-Pi-VPN-Gateway-NordVPN/

Now the vpn connection is working and the pi is acting as a gateway. But pi-hole is not functional anymore.
I suspect DNS issues, but I am not knowledgeable enough to find the problem. I hope somebody here can help me find out the issue.

My debug token: https://tricorder.pi-hole.net/lpvylne0a6

Thank you for your reply. I've already been through all the available documentation before posting here, but it was to no help for me.
Also I am running a VPN gateway rather than a VPN server. This means I am sending all the traffic from my home network through a VPN tunnel to surf anonymously.

Then I hope someone is able to answer your questions.

When I do nslookup pi-hole.net I get:


Server:         192.168.2.254
Address:        192.168.2.254#53

Non-authoritative answer:
Name:   pi-hole.net
Address: 192.124.249.118

My pi has the IP 192.168.2.22, the one listed here as 192.168.2.254 is the address of my router.
Is that not incorrect?

That is a critical piece of information that should be in your topic's title as well.

Usually, you'd have to add a line like dhcp-option DNS <your-pi-hole-ip-here> to the VPN configuration.
You should be aware that using a custom DNS may leak DNS requests if public DNS servers are used. You'd have to configure Pi-hole to use your VPN provider's DNS servers to avoid this.
However, this can get tricky if your VPN provider does not use a static set of DNS servers, but assigns them dynamically based on the VPN server your VPN gateway connects to. There are indications that NordVPN would do so (but I am not familiar with NordVPN at all).
You could probably mitigate this by running your VPN gateway on your router and have Pi-hole use your router as its only upstream DNS.

Your best option may be to consult NordVPN's documentation and support for instructions on how to configure a custom DNS server, and gather information on how to avoid potential DNS leakages if you do use a custom DNS.

Thanks for the suggestion! I updated the title of this topic.

I did not have a line like dhcp-option in the .ovpn files. I added this line at the end of the files but sadly this did not resolve the issue.

The setup as it is:

  • During installation I set up the IP address of the pi like: 192.168.2.22/24 and the gateway with the IP of the router 192.168.2.1
  • I have DHCP disabled on the pi-hole and still enabled on the router
  • I have a static IP address set in the file /etc/network/interfaces

      auto eth0
      iface eth0 inet static
      address 192.168.2.22
      netmask 255.255.255.0
      gateway 192.168.2.1

  • I also tried to do it with the file /etc/dhcpcd.conf instead, but I am unsure of the setting for static router and the domain name server.

      interface eth0
      static ip_address=192.168.2.22/24
      static routers=192.168.2.1
      static domain_name_servers=192.168.2.22

  • I set conditional forwarding in the DNS set up of pi-hole
  • I have 2 custom DNS set up in the DNS set up of the pi-hole, these are the DNS of NordVPN (103.86.96.100#53 and 103.86.99.100#53). Is this the only place I need to point to them?

When I only install openvpn and set it up as a gateway, it works. When I only install pi-hole it works too. But I can't get them to play nice together.

I'm trying to be as helpful as I can, but you seem to have read my suggestion as exact instructions, which they aren't.

Like said, I am not familiar with NordVPN at all. I cannot tell you which exact file you have to edit and/or what syntax it uses. It might very well require more than just the option I hinted at, maybe a push.

That's why I recommended consulting NordVPN's documentation and support for information on custom DNS configuration.

We have users who run NordVPN gateways (I recall some of them reporting issues with DNS leakages when using Pi-hole), so you may be lucky to have a Pi-hole user with a similar configuration drop by and be able to help you. But NordVPN would probably be the best source of information on how to configure a custom DNS for NordVPN.

Similar would apply to your DNS server question:

Like said before, some reports by users here would indicate that NordVPN may assign DNS servers dynamically, based on the NordVPN server your NordVPN gateway connects to. Pointing Pi-hole to a different set of public DNS servers, even when they are owned by NordVPN, may still result in leaking DNS requests outside of your VPN tunnel.

Again, NordVPN would be the best source of information for this.

If your router would support it, configuring your router as the gateway to NordVPN may spare you some of the hassles of getting this right (and it is highly likely that your router's hardware would also be better equipped than an RPi to handle the VPN traffic load).

This should never happen. If it happens, I'd raise serious doubts in their (NordVPN) service and switch to a VPN provider whose software doesn't have leaks... This is not a Pi-hole problem if it leaks, it is a clear problem with their service.

No issue with NordVPN, or any VPN software at that: I perceive this as a possible side effect of running Pi-hole next to a VPN client gateway on the same machine. That machine has a choice of routing through the network's router or through the VPN gateway. By default, it may well use the router as gateway, hence Pi-hole's upstream request wouldn't pass through the tunnel.

It's not impossible to get that running, but it would be cleaner if the VPN gateway would be hosted on the router.

I have solved the issue and will post my solution here in case somebody else comes here looking for information. In my case it was adding the dhcp-option DNS to the configuration file and some extra rules on the iptables that did the trick.

A more detailed explanation of the installation is here: GitHub - blurrryy/pihole-nordvpn-dhcp: Tutorial how to setup the RaspberryPI as NordVPN Gateway with PiHole and DHCP-Server . It is written in German, so I will outline the most important parts below.

I started all over again and installed openvpn first. For this the tutorial linked in the original post can be followed for the most part (https://www.instructables.com/id/Raspberry-Pi-VPN-Gateway-NordVPN/).

Important is setting a static IP (not described in this tutorial).

sudo nano /etc/dhcpcd.conf

And in this file add the following lines:

interface eth0
static ip_address=192.168.2.22/24
static routers=192.168.2.1
static domain_name_servers=192.168.2.1 8.8.8.8

In my case 192.168.2.22 is the desired IP of my pi, and 192.168.2.1 is the IP address of my router.

Install the NordVPN configuration files as described. The tutorial tells you to select one server and set this up as a .conf file. But I choose to let the pi choose the most suitable server of a specific country when starting the connection. How to do this is described here: Configuring Raspberry Pi as a VPN gateway using NordVPN with best server selection (Pi-hole with DoH setup optional)
Basically you get a link from the NordVPN website, paste it into a python connection script and then set this script up to run at boot.

In the instructions (the ones on zone13) it is explained how to create a python script to update all .ovpn files with the login credentials. I have modified this snippet to also add the DNS info at the end.


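#!/usr/bin/env python3

import fileinput
import glob
import os

# Directory that holds the NordVPN .ovpn files
os.chdir("/home/pi/vpn/test")

file_list = glob.glob("*.ovpn")

for item in file_list:
    # inplace=True redirects print() into the file that is being read
    for line in fileinput.input(item, inplace=True):
        line = line.replace("auth-user-pass", "auth-user-pass login.txt")
        line = line.replace("</tls-auth>", "</tls-auth>\n\npush \"dhcp-option DNS 192.168.2.22\"")
        # end="" keeps the line's own newline from being doubled
        print(line, end="")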

So replace the filename "login.txt" with the filename of your credential file. And the DNS IP with the IP of your pi.

I installed the iptables rules as explained in https://www.instructables.com/id/Raspberry-Pi-VPN-Gateway-NordVPN/. However I added some additional ones to make it work with the pi-hole:

sudo iptables -I INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp --destination-port 1194 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 1194 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --destination-port 80 -j ACCEPT

Then I did a reboot and installed pi hole. During installation the static IP and gateway IP are both set to the IP of the pi.

In the pi-hole web interface change the upstream DNS servers to the ones from NordVPN (103.86.96.100 and 103.86.99.100).
Also change the 'interface listening behavior' to 'listen on all interfaces'.

I tested the setup for DNS leaks and found none.
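
An added check for the leak scenario discussed in this thread (not part of the original posts): it reads `ip route get` output for each Pi-hole upstream resolver and reports whether the query would leave through the tunnel or through the LAN router. The interface name tun0, the function names and the two sample route lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: does Pi-hole's upstream DNS traffic leave via the VPN tunnel?
# Assumption: the OpenVPN tunnel interface is tun0 and the LAN side is eth0.

# Print the egress interface named after "dev" in `ip route get` output.
# $1: the text printed by `ip route get <ip>`
route_dev() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Classify one upstream resolver.
# $1: resolver IP, $2: expected tunnel interface, $3: `ip route get` output
classify_upstream() {
    dev=$(route_dev "$3")
    if [ -z "$dev" ]; then
        echo "UNKNOWN $1 no-route"      # no usable route was reported
    elif [ "$dev" = "$2" ]; then
        echo "OK $1 via $dev"           # query goes through the tunnel
    else
        echo "LEAK $1 via $dev"         # query bypasses the tunnel
    fi
}

# Constructed sample lines in the format `ip route get` prints.
SAMPLE_TUNNEL='103.86.96.100 via 10.8.0.1 dev tun0 src 10.8.0.6 uid 1000'
SAMPLE_LAN='103.86.99.100 via 192.168.2.1 dev eth0 src 192.168.2.22 uid 1000'

# Live mode: check the upstream servers named in the thread on this machine.
# Usage: sh check.sh --live [tunnel-interface]
if [ "${1:-}" = "--live" ]; then
    for ip in 103.86.96.100 103.86.99.100; do
        classify_upstream "$ip" "${2:-tun0}" "$(ip route get "$ip" 2>/dev/null)"
    done
fi
```

Run it with `--live` on the Pi while the tunnel is up; a LEAK line means the default route through the router is still being used for that resolver.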
