Pi-hole works great until VPN turns on


I used this guide to install everything on my new Pi 4. Everything works great until the VPN is turned on. The connection stops working once I have enabled the VPN. I have set the "Listen on all interfaces, permit all origins" option and rebooted, but that doesn't seem to help.

I am using ExpressVPN, but if I need to refund it and get something different I will.

Expected Behaviour:

When ExpressVPN is connected with the command "expressvpn connect", everything should be behind the VPN, like how everything is behind the ad block.

Actual Behaviour:

Pi-hole works perfectly when the VPN is off. When the VPN is connected I get Bad_DNS_blahblahlblah and cannot dig to test websites.

Debug Token:

e26e9z9hky

The debug log shows everything functioning with Pi-hole.

I would check with the author of the guide or ExpressVPN to see what they suggest since the problem happens outside of Pi-hole.

When Pi-hole and the VPN connection are up, please check the following:

cat /etc/resolv.conf # should still contain "nameserver 127.0.0.1"
cat /etc/hosts # should contain "127.0.0.1 localhost"

As long as the VPN client does not do some strict DNS override or force all outgoing packets (including the ones to localhost/127.0.0.1) through the VPN, this should then work.

And when the VPN connection is up, also try to ping the upstream DNS IP(s) that you configured in Pi-hole. Since Pi-hole is forced to use the VPN as well, those must be reachable.
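A scripted form of the checks in the reply above, added here as an example (it is not code from the thread or from Pi-hole); it assumes an iputils- or busybox-style ping that accepts -c and -W, and takes the file paths and the upstream IPs as arguments:

```shell
#!/bin/sh
# Added example (not from this thread or from Pi-hole): scripted version of the
# checks in the reply above. File paths and upstream IPs are arguments so the
# functions can also be run against constructed sample files.

# Pass when FILE still has a "nameserver 127.0.0.1" line (host resolves via Pi-hole).
resolv_points_to_pihole() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.1([[:space:]]|$)' "$1"
}

# Pass when FILE maps 127.0.0.1 to "localhost", possibly among other aliases.
hosts_has_localhost() {
    grep -Eq '^[[:space:]]*127\.0\.0\.1([[:space:]]+[^[:space:]]+)*[[:space:]]+localhost([[:space:]]|$)' "$1"
}

# Pass when the upstream resolver answers one ping within 2 s (iputils/busybox ping flags).
upstream_reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Run every check, print one line each, and return the number of failures (0 = all good).
check_pihole_with_vpn() {
    resolv="$1"; hosts="$2"; shift 2
    failures=0
    if resolv_points_to_pihole "$resolv"; then
        echo "ok   $resolv has nameserver 127.0.0.1"
    else
        echo "FAIL $resolv no longer points at 127.0.0.1 (did the VPN client override DNS?)"
        failures=$((failures + 1))
    fi
    if hosts_has_localhost "$hosts"; then
        echo "ok   $hosts maps 127.0.0.1 to localhost"
    else
        echo "FAIL $hosts lacks a '127.0.0.1 localhost' entry"
        failures=$((failures + 1))
    fi
    for ip in "$@"; do
        if upstream_reachable "$ip"; then
            echo "ok   upstream $ip reachable through the tunnel"
        else
            echo "FAIL upstream $ip unreachable, so Pi-hole cannot forward queries"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Live run, with the upstream IP(s) you entered in Pi-hole's settings:
# check_pihole_with_vpn /etc/resolv.conf /etc/hosts <upstream-ip> [<upstream-ip> ...]
```

Run it once before connecting the VPN and once after; a check that flips from ok to FAIL tells you which setting the VPN client changed.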

I believe that this is indeed the cause.

The provider pushes and forces (by definition) the VPN connection parameters (a different subnet and a whole new set of IPs for the VPN interface).
Not only that, routing between your local LAN and the VPN is contained to that client (the one that connected to the VPN service).

So when the client connects, it automatically gets all the connection parameters (including the DNS) from the VPN provider.

This is normal (VPN provider) behavior, as they are looking to contain everything network-traffic related to the tunnel (hence full privacy, well, for everybody but them, that is).

This will be the case with the majority of them out there, as I don't think any of them will allow you to override their parameters for the tunnel.

Unless you force a setting in your connection profile (on the client), but that might be a dud, and it definitely depends on the provider's server allowing it (depending on what they use for the server).

It's doable, but one needs some serious "fireworks" that add a new level of (high) complexity to the equation.

It's a paid service nevertheless, so reach out to them and ask them if there's a way that allows you to bypass their DNS tunnel setting.


Okay, yes, you are right: to prevent DNS leaks, a proper VPN client must provide/force the DNS nameserver through the VPN connection as well.

So yeah, as long as there is no self-explaining config file or CLI available to configure the client, i.e. the DNS nameserver, asking the VPN provider is a chance.


Long live open-source WireGuard and OpenVPN. If VPN providers provide config files for those to connect to their servers, those could be manually configured according to one's needs, including of course the risk of misconfiguration. So this is another chance: check if the VPN provider offers alternatives to their own VPN client software. I know this at least from one famous provider.


With Windows as a VPN client, using "administrator" privileges, you can set the DNS server IP like below (change name and addr to match your VPN interface name/subnet):

netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.1

Validate with ipconfig /all

Probably Linux network-manager can do the same.

EDIT: this needs some more tinkering, as the VPN subnet (the tunnel) is probably a different one from the one Pi-hole is running on.

I appreciate this info. Is there a better VPN? Should I go with what the tutorial suggests?

Thanks!

Well, it depends.

What exactly are you trying to achieve with the use of a VPN?

I personally use a self-hosted VPN, combined with Pi-hole and Unbound.

This allows me to connect to it and manage it fully, without paying anybody anything.

When I need IP masking, I go through the full-blown server; however, I do run a separate instance that serves as ad-block only on all my mobile devices.

The mobile device relies on the same VPN rules as the one that's giving you a hard time, and I literally bypass the provider's DNS and use my Pi-hole for it, blocking the unneeded stuff even on a cell connection.

Our tutorial(s) can help you with having that set-up.

VPN:

DNS only VPN:

Dual VPN server (full and DNS only):

Unbound:

I'm just trying to get everything behind a VPN on my network.

Obfuscate outbound traffic or hide it from the ISP?

Or use the VPN as a means of accessing your network (and its benefits) from anywhere remote?

Right now it's to stop the ISP from seeing what I do. Forgive me for being so rusty at this. I understand the theory and concepts, but my Linux is dusty.

Oh I understand, this comes up quite a lot.

Your ISP sees your traffic (no matter what).

Granted, if through a VPN tunnel it is encrypted, but still "visible".

I would recommend using Unbound as your upstream DNS resolver and ditch anything else you might use as your upstream. Make sure your router is NOT using those either and it queries via Pi-hole (and by extension Unbound).

As for the traffic, I can guarantee you that your ISP is not analyzing your packet contents (unless you are a high "profile" customer that's on the "list", at which point no VPN will help you anyway).

They can recognize patterns (know what's a file download, a torrent), but unless the "high profile" thing above applies, what you do is your own business.

Unless you go for dark web stuff that can trigger red flags (via outside reports), the ISP doesn't give a hoot about you.

No matter what VPN you choose, there is always a trail back to YOU and your ISP-assigned IP (recorded with timestamps, equipment ID and all that can incriminate you in a court of law).

Maybe TOR, but man oh man, that stuff is slow.

Let me get back to the DNS thingy.

If you don't use the ISP's DNS, they will have a hard(er) time knowing WHERE you went. They will know WHEN, and if they really, really want to look at it, what it was.

In conclusion, a simple deterrent for browsing patterns at any level is to use your own resolver (Unbound) and Pi-hole.


Thank you so much for the clarification. I'll just cancel that subscription then.

I was looking to torrent again. Nothing super crazy but maybe here and there.

Unbound and Pi-hole are working flawlessly, aside from Hulu's ads.

Is there a way to block YouTube ads, or is it similar to Hulu regarding ads?
