Pi-Hole + Unbound + Wireguard: Home network access but no DNS

Hi guys,

Since I changed my setup from DoT to recursive DNS, I have had huge headaches regarding the VPN.

It works after changes, then no DNS gets resolved after a reboot.

I have read so many posts from Reddit and here, I just cannot figure out what is wrong.
This is the best post from here I found so far.
It is exactly the same setup as mine, same device.

I uninstalled PiVPN guessing it was the problem after following so many guesses and getting nowhere.
I followed the official guide, compiling WireGuard from scratch, firewall, everything. Same result: I can access the local network but no DNS whatsoever.
This is the guide: Overview - Pi-hole documentation

I am not sure what else to do.....

If I don't find anything else, I will just reinstall everything from scratch and set Pi-Hole as DoT with Quad9 which I know was working just fine with WireGuard, and before this Unbound mess.

Thanks guys

Please generate a debug log with pihole -d and post the token here.

@yubiuser thank you so much for your time.

As requested the token is: https://tricorder.pi-hole.net/ioxo5sf6gb

Since I created this post, I have tried again and again but without success.

You have the report now, everything works fine but when the VPN is added to the equation the client doesn't process DNS. Local network isn't affected whatsoever.
There's no local firewall, everything is set on my router OpenWRT only, no DNS leak, no SSH external, no 53 to external, it's VPN or nothing.

Thank you so much for checking this out.

@yubiuser this is the Reddit post I created where I described every single process I did.
Then, I just uninstalled PiVPN altogether and went old school, following the official guide and compiling everything, copy and paste.

Thank you

Am I right that it has worked in between, but after a reboot it stopped working?

Does it work after a restart of Pi-hole FTL?

pihole restartdns


@yubiuser that's correct while running Pivpn.

It wasn't working, then coincidentally Pi-Hole had an update, so after "pihole -up" it started working again. I rebooted to make sure it was indeed working and nope, it stopped.
Following one of the posts I ran "pihole -r" to reconfigure and again it started working until the reboot.

Now, I'm running the official guide, for which I had to compile WireGuard, and no matter what I do it just doesn't work at all.

I've tried that command you suggested and it's still the same.
I've tried so many things that it might be easier to reinstall everything. My understanding is that WireGuard cannot see Pi-Hole as DNS. I'm willing to reinstall PiVPN with OpenVPN this time and see how it goes.

Again, Pi-Hole and WireGuard were running fine BEFORE Unbound recursive DNS was installed. I prefer to go back to DoT rather than not having a VPN.

I'll reply within a few hours to any request you might have, 01:40 AM lol

The reason I asked to try the restart was that sometimes Pi-hole is up before the wireguard interface is ready. Pi-hole then won't bind to that interface.

As you have tried so many things and we don't know what state your system is in, this might be a good idea. I would suggest the following order (confirm it is working after each step):

  1. flash your OS again
  2. install Pi-hole
  3. install unbound
  4. setup wireguard as described in Pi-hole's guide

Good luck
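The race described above (FTL starting before wg0 exists, so the resolver never binds to the tunnel address) is easy to confirm from a listener table. The script below is an added example, not part of the thread or of Pi-hole; it parses the text of `ss -lnup` (real iproute2 flags: listening, numeric, UDP, with process names) and reports whether the named resolver process is bound either to the wildcard address or to the wg0 address. The two `ss` outputs are constructed for this example, with made-up PIDs and file descriptors, to show the "before" and "after" of `pihole restartdns`.

```python
"""Check whether pihole-FTL is listening on the WireGuard interface address.

Input is the text of `ss -lnup`. Both samples below are constructed for this
example (PIDs, fds and the exact column spacing are invented); on a real box
you would feed it the actual command output instead.
"""
import subprocess

# Constructed: FTL started before wg0 (10.100.0.1) existed, so it only holds
# sockets on loopback and the LAN address. VPN clients get no DNS.
SS_OUTPUT_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*     users:(("pihole-FTL",pid=611,fd=4))
UNCONN 0      0      192.168.1.3:53     0.0.0.0:*     users:(("pihole-FTL",pid=611,fd=5))
UNCONN 0      0      0.0.0.0:47111      0.0.0.0:*
UNCONN 0      0      127.0.0.1:5335     0.0.0.0:*     users:(("unbound",pid=598,fd=3))
"""

# Constructed: after `pihole restartdns` (or DELAY_STARTUP=5 at boot) FTL has
# picked up the wg0 address as well.
SS_OUTPUT_AFTER = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*     users:(("pihole-FTL",pid=611,fd=4))
UNCONN 0      0      192.168.1.3:53     0.0.0.0:*     users:(("pihole-FTL",pid=611,fd=5))
UNCONN 0      0      10.100.0.1:53      0.0.0.0:*     users:(("pihole-FTL",pid=611,fd=6))
UNCONN 0      0      [::]:47111         [::]:*
UNCONN 0      0      127.0.0.1:5335     0.0.0.0:*     users:(("unbound",pid=598,fd=3))
"""

# Addresses that mean "every interface, including ones that appear later".
WILDCARDS = {"0.0.0.0", "::", "*"}


def udp_listeners(ss_text, process, port=53):
    """Return the set of local addresses on which `process` listens on UDP `port`."""
    bound = set()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        cols = line.split(maxsplit=5)
        if len(cols) < 5 or f'"{process}"' not in line:
            continue
        addr, _, lport = cols[3].rpartition(":")  # "[::]:53" -> ("[::]", "53")
        if lport == str(port):
            bound.add(addr.strip("[]"))
    return bound


def dns_reachable_from_wg(ss_text, wg_address, process="pihole-FTL"):
    """True if the resolver is bound to the wildcard or to the wg0 address itself."""
    return any(b in WILDCARDS or b == wg_address
               for b in udp_listeners(ss_text, process))


def live_check(wg_address="10.100.0.1"):
    """Run the real `ss -lnup` on this host and evaluate it (Linux only)."""
    out = subprocess.run(["ss", "-lnup"], capture_output=True, text=True, check=True)
    return dns_reachable_from_wg(out.stdout, wg_address)


if __name__ == "__main__":
    for label, sample in (("before restart", SS_OUTPUT_BEFORE), ("after restart", SS_OUTPUT_AFTER)):
        ok = dns_reachable_from_wg(sample, "10.100.0.1")
        print(f"{label}: FTL bound to {sorted(udp_listeners(sample, 'pihole-FTL'))} -> "
              f"{'serves' if ok else 'DOES NOT serve'} wg0 clients")
```

If the "before" picture is what you see on a freshly booted Pi, the fix is the ordering one discussed in this thread: make FTL start after wg0 exists (the `DELAY_STARTUP` setting in `pihole-FTL.conf`) or restart FTL once the interface is up.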

Roger that @yubiuser ,

I might be able to do that now --- Australia Friday morning ---, otherwise, I would need to do this tomorrow morning, Saturday.

I will just follow the official guide as it is, no skipping or changing a dot this time.

Please, allow me 1 day tops.

Thank you

@yubiuser ,

As requested, I have reinstalled everything following the official guide only, and everything is working this time.

It didn't at first and since everything was "default", it was easy to play around.

Also, I could access Pi-Hole dashboard, but I couldn't access the router. I didn't check this lack of access to the router before. Yes, the iptables rules from the guide were added yesterday with no success. Something isn't entirely clean yet.

A few things I would like to mention:

In the IP forwarding section, the file mentioned is:

/etc/sysctl.d/99-sysctl.conf
instead of
/etc/sysctl.conf

Every time I have played with Debian or Ubuntu, /etc/sysctl.conf has always been the file mentioned for enabling IP forwarding.
/etc/sysctl.conf didn't have net.ipv4.ip_forward enabled. Both files were changed.

Under the Troubleshooting section, the following is mentioned, which doesn't exist.
ifconfig does show it, but neither interfaces nor dhcpcd shows it:

Disable auto wg0 in /etc/network/interfaces (put

I have also added:

DELAY_STARTUP=5

I have made simple changes regarding the Address/DNS only.
This is how my wg0.conf looks:

[Interface]
Address = 10.100.0.1/24
Address = fd08:4711::1/64
SaveConfig = true
PostUp = iptables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -w -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -w -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 47111
PrivateKey = KEY_HERE

[Peer]
PublicKey = KEY_HERE
PresharedKey = KEY_HERE
AllowedIPs = 10.100.0.2/24
# This appeared automatically.
Endpoint = MY_PHONE_PUBLIC_4G_IP:4378

This is how my note10plus.conf looks:

[Interface]
Address = 10.100.0.2/24
DNS = 192.168.1.3
PrivateKey = KEY_HERE

[Peer]
PublicKey = KEY_HERE
PresharedKey = KEY_HERE
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ENDPOINT:47111
PersistentKeepalive = 25

Speed.
Using the WireGuard address as DNS was quite slow, so instead of setting the client DNS to 10.100.0.1, I am using 192.168.1.3, which is way faster.

Everything is still running after a reboot :stuck_out_tongue:

Another Raspberry Pi 4 is arriving tomorrow so I can finally play without bringing down the whole network. I will repeat everything with the new one paying attention to the "possible cause" I mentioned before.

Thanks a lot for the support.

Glad it's working now. Thanks for the hints regarding the guide, we'll likely tweak it a bit.

All good. I learned a lot lol

I'll redo everything tomorrow when the new Raspberry Pi arrives and won't stop until I get everything working 100% in the first go, from the OS to WireGuard.

Thank you @yubiuser :slightly_smiling_face:

@yubiuser as promised, another Raspberry Pi arrived, I reinstalled everything and I finally found out why Pi-Hole + Unbound + WireGuard wouldn't work out of the box without tweaks.

Critical:

  1. DELAY_STARTUP=5: this is only mentioned under Troubleshooting - Pi-hole documentation. Without this single line, you can access the network but there is no DNS, no internet! This should be moved to the "WireGuard: Install server" section; it is the most important information. As soon as I added it to /etc/pihole/pihole-FTL.conf and rebooted the Raspberry Pi, voila, I have internet.
  2. SaveConfig = true: at no point is this explained; it just appears once or twice and that is all. If you are not checking the "the file should look like" comment sections, you will skip this very easily, while it seems important.

Low:

  1. https://docs.pi-hole.net/guides/vpn/wireguard/client/: at the end of this section, PLUS the details from CRITICAL, you should have access to the internet and SSH to the server only via 10.100.0.1. At this stage, you won't have access to the Pi-Hole dashboard.
    Speed: using the default DNS 10.100.0.1 seems a bit slow. Changing to the Pi-Hole IP address seems to increase the speed, or I am crazy. But to do that, you either need:

In my case, add to THE CLIENT CONF ONLY!! DO NOT CHANGE THE SERVER CONF!!

# /etc/wireguard/note10plus.conf
[Peer]
AllowedIPs = ......., 192.168.1.0/24

Or just tunnel everything, Tunnel all Internet traffic - Pi-hole documentation which I personally prefer:

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
  2. Yub, I mentioned the netmask /32 instead of /24 before. There is no influence. I read a post where someone commented about it being an issue; I couldn't identify a single one.
  3. I also mentioned the file used, /etc/sysctl.d/99-sysctl.conf instead of the usual /etc/sysctl.conf. Debian/Ubuntu, when playing with IP forwarding, Squid proxy, etc., use that file.
    But apparently on Raspberry Pi OS, once the file /etc/sysctl.d/99-sysctl.conf is changed, it also changes /etc/sysctl.conf automatically, or I didn't know that :stuck_out_tongue:

That is it, and there goes a Saturday :stuck_out_tongue:
I spent more time writing this down than successfully setting up a secondary Pi-Hole + Unbound + Wireguard :rofl::rofl::rofl:

Cheers
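The "DNS = 192.168.1.3 only works if the LAN is in AllowedIPs" point and the "/32 versus /24 made no difference" observation in the report above both come down to WireGuard's cryptokey routing: a packet only enters the tunnel if its destination falls inside the peer's AllowedIPs, and the kernel treats each AllowedIPs entry as a network (host bits masked). The script below is an added example, not code from the thread or from Pi-hole or WireGuard; it parses a client conf in the same shape as the note10plus.conf posted above (constructed copy, placeholder keys) and answers whether a given destination, in particular the configured DNS server, would be routed through the tunnel. It also shows the server-side view of `AllowedIPs = 10.100.0.2/24`.

```python
"""Cryptokey-routing check for a WireGuard client config.

The conf text is constructed for this example (same layout as the client
conf in the thread, KEY_HERE placeholders); parsing is a deliberately small
INI reader, not WireGuard's own parser.
"""
import ipaddress

# Constructed: split tunnel, only the VPN subnet goes through wg0, but the
# client is told to use the Pi-hole's LAN address for DNS.
SPLIT_TUNNEL_CONF = """\
[Interface]
Address = 10.100.0.2/24
DNS = 192.168.1.3
PrivateKey = KEY_HERE

[Peer]
PublicKey = KEY_HERE
PresharedKey = KEY_HERE
AllowedIPs = 10.100.0.0/24
Endpoint = ENDPOINT:47111
PersistentKeepalive = 25
"""

# Constructed variants: the two fixes discussed in the report.
SPLIT_TUNNEL_LAN_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.100.0.0/24", "AllowedIPs = 10.100.0.0/24, 192.168.1.0/24")
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.100.0.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")


def parse_wg_conf(text):
    """Return {section: [(key, value), ...]}; '#' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def allowed_networks(conf):
    """All AllowedIPs entries of the [Peer] section as ip_network objects.

    strict=False mirrors the kernel: host bits are masked, so 10.100.0.2/24
    means the whole 10.100.0.0/24.
    """
    nets = []
    for key, value in conf.get("Peer", []):
        if key == "AllowedIPs":
            nets.extend(ipaddress.ip_network(item.strip(), strict=False)
                        for item in value.split(",") if item.strip())
    return nets


def routed_via_tunnel(conf, destination):
    """True if the client would send packets for `destination` into wg0."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in allowed_networks(conf))


def client_dns_reachable(conf):
    """The DNS= address only helps if every listed server is routed into the tunnel."""
    dns_servers = [v for k, v in conf.get("Interface", []) if k == "DNS"]
    return bool(dns_servers) and all(routed_via_tunnel(conf, d) for d in dns_servers)


def peer_route_covers(allowed_ip, address):
    """Server-side view of one peer's AllowedIPs entry (host bits masked)."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(allowed_ip, strict=False)


if __name__ == "__main__":
    for name, text in (("split tunnel", SPLIT_TUNNEL_CONF),
                       ("split tunnel + LAN", SPLIT_TUNNEL_LAN_CONF),
                       ("full tunnel", FULL_TUNNEL_CONF)):
        conf = parse_wg_conf(text)
        print(f"{name}: DNS reachable through wg0 = {client_dns_reachable(conf)}")
    print("server AllowedIPs 10.100.0.2/24 covers 10.100.0.3:",
          peer_route_covers("10.100.0.2/24", "10.100.0.3"))
```

With a single peer, `/32` and `/24` on the server side both route 10.100.0.2 to that peer, which matches the "no influence" finding above; the difference only shows up when a second peer in 10.100.0.0/24 is added, because its address would collide with the first peer's `/24` entry, so per-peer `/32` entries are the safer habit.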

Thanks for the detailed report; we're looking into the issues you faced and will discuss how to change the guide.
:+1:
