Pihole + openvpn = no internet

I've got pihole running on a raspberry pi no problem, but unlike the tutorials, I've put openvpn on an Intel NUC running Ubuntu for increased throughput. The plan is that the pihole should work whether or not a device is connected to openvpn, and it should work for both internal vpn connections and external vpn connections via a ddns service. An even larger plan is to have openvpn connect to a paid VPN service, but one step at a time.

This used to work on the same hardware but broke after reinstalling. I've been struggling for weeks to rebuild this setup with no luck. Whenever I connect to openvpn, internally or externally, I lose connectivity to the internet on that device. I'm a novice with linux so please bear with me as I try to remember the changes I made. I primarily followed this tutorial and this post as my starting points and altered IP addresses where I thought appropriate to allow for two devices.

The pihole's IP is 192.168.17.3:53, the NUC openvpn is 192.168.17.4:1101.

Openvpn is running on TUN0 and I've added this line to /etc/dnsmasq.d/99-overrides.conf.

interface=eth0
interface=tun0

This didn't work so I also tried both of the "listen on all interfaces" options in the pihole GUI to no avail. Currently the GUI is set to listen on all interfaces at most one hop away.

I start to really lose the shape of the networking puzzle when configuring openvpn on the NUC. The tutorial section for LAN & VPN at the same time (which is what I'm aiming for) had me push a route and a dns IP in openvpn/server.conf. I presume that this is in addition to the routes that already exist, so here's that entire section of the file:

topology subnet
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.55.255.0"
push "route 0.0.0.0 "
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.222.220"
#push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 192.168.17.3"
push "redirect-gateway def1"

I don't yet understand what routes are all about so I hope those are correct at their defaults. I also hope one of those two DNS IPs is the right one. The LAN+WAN tutorial directs me to use the pihole IP, but neither seems to work. Note that I commented out the default opendns servers since the pihole should be handling that on its own.

That tutorial finishes up by telling me to change the pi-hole's interfaces from eth0 to tun0. I deviated from the instructions here since tun0 is on the openvpn device and left it alone at eth0.

I'm probably forgetting some change I made while following along in various tutorials and posts and I apologize in advance for any complications.

I'm at my wits' end here. Please, if you can, help me put this puzzle together.
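Added example (not part of the original post): a small lint for the pushed routes in the server.conf section quoted above, checking each `push "route ..."` line for a missing or non-contiguous netmask. The helper name `lint_push_routes` is hypothetical; the input is the section exactly as it appears in the post.

```shell
#!/bin/sh
# Lint the pushed routes in an OpenVPN server.conf fragment.
# lint_push_routes CONF -> prints one finding per line, or "ok".
# Hypothetical helper; CONF_FROM_POST is the section quoted in the post.
CONF_FROM_POST='topology subnet
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.55.255.0"
push "route 0.0.0.0 "
#push "dhcp-option DNS 208.67.222.222"
#push "dhcp-option DNS 208.67.222.220"
#push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 192.168.17.3"
push "redirect-gateway def1"'

lint_push_routes() {
  printf '%s\n' "$1" | awk '
    # A netmask is valid when every octet is 0-255 and the set bits are
    # contiguous from the left, i.e. (2^32 - mask) is a power of two.
    function valid_mask(m,   o, n, i, v, hole) {
      n = split(m, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++) {
        if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return 0
        v = v * 256 + o[i]
      }
      hole = 4294967296 - v
      while (hole > 1 && hole % 2 == 0) hole /= 2
      return hole == 1
    }
    /^push "route / {
      line = $0; gsub(/"/, "", line)
      n = split(line, f, " ")   # f[1]=push f[2]=route f[3]=network f[4]=netmask
      if (n < 4) { print "line " NR ": route " f[3] " has no netmask (OpenVPN defaults to 255.255.255.255)"; bad = 1 }
      else if (!valid_mask(f[4])) { print "line " NR ": invalid netmask " f[4]; bad = 1 }
    }
    END { if (!bad) print "ok" }'
}

lint_push_routes "$CONF_FROM_POST"
```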

Run pihole -d for a debug token.

Here's a token created without being connected to the vpn.

kwxxzhxb8z

I note that it says there's no ipv4 or v6 stack on eth0. It also reports that eth0 does not exist. Yet the pihole works as normal as long as I am not connected to the VPN.

Okay, I don't know when THIS happened, but ifconfig reports the pihole's ethernet interface named as enx00e04c68039d. This is a new development I haven't seen before. Odd that the pihole still works at all.

Are you running Raspbian Stretch with a USB Ethernet adapter?

Yeah. It's a headless pi zero w. pihole > usb2ethernet adapter > cat5 cable > router.

And I royally screwed up. I went to rename the Interface Formerly Known as Eth0. Took it down first with sudo ifconfig embunchofcharacters down, while completely forgetting to first bring up wlan0. Now I'm foolishly unable to get to the terminal.

Sorry about this digression, but is there a command I can add to a file to bring it back up on boot? I can access the pihole's files here on my laptop via an sd card reader. Actually, I think I'll have to bring up wlan0 first, then once I have access, figure out how to rename it back to eth0.

Ugh, this is embarrassing. Thank you for your help.

Actually, if it helps, let's skip the interfaces down part. It's an unnecessary diversion. I'm using a back up pihole running Raspbian Jessie with all the same relevant settings (minus the oddball interface) anyway so we can troubleshoot it instead. I'll fix the old pihole later.

Here's the token I took while connected to the VPN on the backup pihole.

5w4fz2munu

So, to clarify, the VPN is running on the NUC and clients don't have internet access when connected to it?

Yes, that's right. Webpages, etc. all time out when connected to the VPN from within or without my network.

Are you able to ping IP addresses? 8.8.8.8?

Pings are unsuccessful from vpn-connected devices. Pings from the nuc work just fine.

Sounds like they don't have the gateway set correctly then, since they can't even reach IP addresses.

Actually it must be somewhere on my side. I'm not yet ready to connect the nuc to a paid vpn. Right now I'm trying to get the vpn and the pihole to play nice with each other.

So you say the gateway might not be set correctly. Given that it has to be on my device, do you think that the VPN isn't configured with a gateway? The pihole+pivpn wiki only mentions a gateway once on the dns only page.

But I want to eventually use the VPN to its full potential by connecting it to a paid service, and the dual operation page doesn't mention gateways at all.

The server.conf has two mentions of gateway that I can see. Here is that section of the file.

#Override the client default gateway by using 0.0.0.0/1 and
#128.0.0.1/1 rather than 0.0.0.0/0. This has the benefit of
#overriding but not wiping out the original default gateway.
push "redirect-gateway def1"

As far as I can tell, there is no mention of a gateway anywhere else in server.conf or in my client configs.

If you want the VPN client devices to have all traffic run through the VPN tunnel and use your Pi Intel NUC as a router for them to get onto the internet or LAN, you might want to check this:

I appreciate you devs making an effort here, but please don't feel obliged. This looks like it's shaping up to be an openvpn configuration issue, not one from the pihole. Therefore it's pretty far out of scope for this forum and I'll seek answers from others. Thank you.

LOVE this pihole, btw.

I thought I'd let future googlers know that the problem ended up being in iptables. What caused the problem in the first place is still mysterious to me. But I figured out how to flush all of the tables, rebooted and then openvpn began to work as expected.

sudo iptables -F

Cleaned them out and then it was repopulated by ovpn after the reboot. This may be a bit of overkill if you've modified your iptables much, but since I hadn't it was worth the risk.

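Added example (not part of the original thread): a read-only audit of `iptables-save` output that checks, before anything is flushed, whether traffic from the VPN subnet 10.8.0.0/24 in the server.conf above is NATed and allowed through FORWARD. It assumes the usual setup where the OpenVPN host masquerades client traffic; the sample rulesets and the function name `audit_ruleset` are constructed. Note that `iptables -F` with no `-t` option flushes only the filter table.

```shell
#!/bin/sh
# Read-only audit of `iptables-save` output for an OpenVPN server that must
# forward and NAT client traffic. VPN_NET is the subnet from the server.conf
# in the thread; the sample rulesets and function name are constructed.
VPN_NET="10.8.0.0/24"

# Constructed sample: no NAT rule, FORWARD policy DROP, nothing admits the VPN subnet.
SAMPLE_BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A INPUT -p udp -m udp --dport 1101 -j ACCEPT
COMMIT'

# Constructed sample: clients are masqueraded and admitted through FORWARD.
SAMPLE_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# audit_ruleset RULESET IP_FORWARD -> prints one finding per line, or "ok".
# Simplification: only looks for an explicit NAT/ACCEPT rule naming VPN_NET;
# it does not evaluate rule order or rules that match by interface.
audit_ruleset() {
  printf '%s\n' "$1" | awk -v net="$VPN_NET" -v fwd="$2" '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && /^-A POSTROUTING/ && index($0, "-s " net " ") &&
      /-j (MASQUERADE|SNAT)/ { nat = 1 }
    table == "filter" && /^:FORWARD ACCEPT/ { pass = 1 }
    table == "filter" && /^-A FORWARD/ && index($0, "-s " net " ") &&
      /-j ACCEPT/ { pass = 1 }
    END {
      if (fwd != 1) { print "ip_forward-disabled"; bad = 1 }
      if (!nat)     { print "no-nat-for-" net; bad = 1 }
      if (!pass)    { print "forward-not-allowed-for-" net; bad = 1 }
      if (!bad) print "ok"
    }'
}

# On a live server (as root) the inputs would be:
#   audit_ruleset "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
audit_ruleset "$SAMPLE_BROKEN" 1
audit_ruleset "$SAMPLE_OK" 1
```

Saving the output of `iptables-save` to a file before any flush also gives something to diff against and to restore with `iptables-restore`.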