VPN Usage Questions

#1

Hi, I am looking for advice on using my new Pi-Hole setup on my phone efficiently.

First, my network:

  • Google Fiber Network Box (main router and DHCP, not WiFi)
  • Multiple ASUS Routers (in AP-Mode linked with AI-MESH)
  • FingBox (just one of a ton of devices on my network, but it says to turn off IPv6)
  • Raspberry Pi (raspbian stretch lite, pi-hole, openvpn, script for case button/fan)

Second, my config:

  • PiHole is running on 192.168.1.6 static IP.
  • Google box (DHCP server) is set to one custom DNS: 192.168.1.6
  • ASUS APs are also set to one custom DNS: 192.168.1.6
  • I have disabled IPv6 on Windows machines so they only use PiHole
    (without that, they sometimes use the IPv6 DNS and bypass PiHole. I am told you cannot disable IPv6 nor set a custom one for DNS on the Google Network Box like you can for IPv4)
  • Every device on my network has a static IP, configured through the Google Network Box, so I would really rather not switch to using PiHole for DHCP.

Third, Android background:

  • It is not possible to disable IPv6 on an unrooted Android
  • Rooting Android disables Google Pay and HD Netflix (otherwise I would, and have for all previous phones, but I want Google Pay functionality now, and rooting is not as necessary as it used to be for me)
  • There is a “Private DNS” feature with “Off”, “Automatic”, and “Private DNS provider hostname”. The last one has an input box that needs a domain, not an IP (won’t save x.x.x.x)… so I bought a domain, pointed it to my public IP, and forwarded port 53 to PiHole on the Google Network Box (I know, DDNS attacks, just testing)… but when I try to use that domain as my Private DNS host, it still says “couldn’t connect”. Obviously I need to leave this turned Off for PiHole to work.
  • There is a built-in VPN feature, allowing you to add a VPN that is PPTP, L2TP, or IPSec… but I think you have to install the OpenVPN app to add it… and it does show up in the list when you do… but it would be nicer to be able to add my VPN through settings without the app. This is why I don’t like OpenVPN, why use 3rd party software when the OS has VPN functionality built-in… I want to set up a server that is compatible with the VPN built-in to Android/Windows… oh, well. I forwarded port 1194 on the Google Box to the PiHole/OpenVPN server (as well as 53… plus FYI the ASUS router is DMZ, and the domain I purchased points to the Google Box’s public IP).

How it works for me now:

  0. All DHCP leases include DNS entries for 192.168.1.6 as well as an IPv6 one I can’t change/get rid of.

  1. Windows machines with IPv6 and auto-DNS still have ads.
  2. Windows machines with IPv6 disabled (or custom DNS set to 192.168.1.6) work without ads!
  3. Wife’s Android phone, on WiFi, with Private DNS disabled, has no ads!
  4. My Android phone, on WiFi, with Private DNS disabled, has ads :frowning:
  5. My Android phone, on WiFi, running DNS Changer to 192.168.1.6, has no ads!
    (DNS Changer works by making a local VPN and having the phone VPN to itself with a new DNS server set to 192.168.1.6)
  6. My Android phone, on 4G, running DNS Changer… doesn’t work at all.
  7. My Android phone, on 4G, running OpenVPN, has no ads :slight_smile:
  8. My Android phone, on WiFi, running OpenVPN… doesn’t work at all.

To put it another way, here are my use cases:
A) Leave off all VPNs, get Ads.
B) On WiFi: Enable DNS Changer VPN, no ads.
(must remember to disable when I leave home, or no phone internet)
C) Away from home: Enable OpenVPN, no ads.
(must remember to disable when I get home, or no phone internet)

So… what is the proper way to fix this?

QUESTION 1: Can I get it so OpenVPN will work even when I am on my WiFi? Then I could just leave it on all the time. Seems silly to VPN from home to home… but not sillier than disconnecting that VPN, and then VPNing from phone to phone so that I can force IPv4 DNS… what a joke!

QUESTION 2: OpenVPN is icky… is there a different way to do standard VPN so I can add it on my wife’s phone without installing any app? Username and password is fine, I don’t want to install an app and generate a key. I did it for my phone, but my wife doesn’t want that.

QUESTION 3: Am I SOL on that, and I just need to make a Tasker script to manage which VPN I connect to depending if I am on home WiFi or not? Has anyone posted such a script? Do other people really switch VPNs like I am to get this all to work?

QUESTION 4: Isn’t there just a way to get the Private DNS feature to work without using a VPN at all? (I know… port 53… bla bla bla… Google runs a public DNS, why can’t I? …will research more I guess)

QUESTION 5: Do you think it is a bad idea to have ASUS as DMZ? That allows AI-Net and the Router config app to work when I am away from home (just as it normally would if I could use ASUS as my router… but I am forced to use the Google Network Box in order to go full speed [I hacked ASUS to work as main router, but it tops out at 300 Mbps instead of 1000 Mbps due to the work in signing each packet])

QUESTION 6: Do you think it is a bad idea to point a sub.domain.com to my home IP? It would allow crawlers to discover my network, along with its port 53, port 1194, and ASUS as DMZ.

TIA for any advice on any of the questions above. Thanks.

assigned RamSet #2
#3

Yes. One thing you need to keep in mind: all your log entries will reflect the VPN-assigned IP.

Also, from my own experience, some ssh connection programs might not like that and will disconnect you a few seconds into the connection.

OpenVPN allows user+password type of login.

Worst case scenario, you can create an instance (secondary OpenVPN) like that for her.

I personally don’t disconnect from the public facing OpenVPN server when I get home. I don’t see any difference in speed or behavior.

You sure can. It’s highly not recommended due to this (huge) implication:

You risk your connection being shut down by your ISP …
You could configure it tighter but it will still be an open resolver.

Long story short:

  1. Install OpenVPN on the Pi (where Pi-hole is residing, I’m assuming).
  2. Either go the cert route and/or User and password (via a second OpenVPN instance).
  3. Enable Pi-hole to allow queries answered on all interfaces.
  4. The end (I’m running it like this for a couple of years now …)

No other software, fireworks, dnschangers and who knows what …

If traffic and data allowance on the home connection is an issue, you can actually run OpenVPN as a DNS resolver only, no data encryption via the home network.

Simple Pi-hole filtered DNS via VPN.

https://docs.pi-hole.net/guides/vpn/overview/

In this day and age, having ANYTHING in the DMZ is a risk :slight_smile:

Unless it’s a honeypot … and even then :slight_smile:

Not really.

I’m doing it …
The only thing I would recommend is to move everything to non-standard ports.
These crawlers, scanners and script kiddies out there are looking for standard ports/vulnerabilities.

It’s rare that a host/ip gets a full scan (and that’s usually targeted).

As for that 53 … just don’t :slight_smile:

OpenVPN traffic can also be moved to non-standard ports …

If you do run some sort of home website thingy, then I’d recommend nginx as a reverse proxy …
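An added example, not from this thread or from the Pi-hole project, to make the open-resolver caveat above concrete: once Pi-hole answers on all interfaces and the router forwards port 53, anyone on the internet can send it queries. The script below reads a few constructed Pi-hole (dnsmasq) query-log lines in the format dnsmasq writes to /var/log/pihole.log and reports queries that do not come from the LAN or the OpenVPN tunnel subnet, so that an accidentally exposed resolver shows up in the logs rather than in an ISP abuse notice. The 192.168.1.0/24 LAN (from the post), the 10.8.0.0/24 OpenVPN subnet (OpenVPN's default, assumed here) and every sample address and hostname are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in dnsmasq's query-log format (not a real capture).
SAMPLE_LOG = """\
Jan 12 09:15:01 dnsmasq[612]: query[A] www.example.com from 192.168.1.20
Jan 12 09:15:01 dnsmasq[612]: forwarded www.example.com to 1.1.1.1
Jan 12 09:15:02 dnsmasq[612]: query[AAAA] www.example.com from 192.168.1.20
Jan 12 09:15:07 dnsmasq[612]: query[A] ads.example.net from 10.8.0.2
Jan 12 09:15:07 dnsmasq[612]: /etc/pihole/gravity.list ads.example.net is 0.0.0.0
Jan 12 09:16:30 dnsmasq[612]: query[ANY] isc.org from 203.0.113.77
Jan 12 09:16:30 dnsmasq[612]: query[ANY] isc.org from 203.0.113.77
Jan 12 09:16:31 dnsmasq[612]: query[TXT] example.org from 198.51.100.9
"""

# Only "query[TYPE] name from source" lines matter; forwarded/blocked lines are skipped.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)

# Assumed trusted ranges: the LAN from the post and OpenVPN's default tunnel subnet.
TRUSTED_NETS = (
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
)

# Query types with large answers that are favoured for reflection/amplification abuse;
# seeing them from outside the trusted ranges is a strong sign the resolver is open.
AMPLIFICATION_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def is_trusted(src, trusted_nets=TRUSTED_NETS):
    """True if the source address is loopback or inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        # An unparsable source is never trusted; let it surface in the report.
        return False
    return addr.is_loopback or any(addr in net for net in trusted_nets)


def parse_queries(log_text):
    """Yield (qtype, name, src) for every dnsmasq query line in the log text."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("src")


def audit(log_text, trusted_nets=TRUSTED_NETS):
    """Count internal queries and tally external sources and amplification-prone queries."""
    internal = 0
    external = Counter()        # external source -> number of queries
    amplification = Counter()   # external source -> number of ANY/TXT/... queries
    for qtype, _name, src in parse_queries(log_text):
        if is_trusted(src, trusted_nets):
            internal += 1
            continue
        external[src] += 1
        if qtype in AMPLIFICATION_QTYPES:
            amplification[src] += 1
    return {"internal": internal, "external": external, "amplification": amplification}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"internal queries: {report['internal']}")
    for src, n in report["external"].most_common():
        flag = " (amplification-prone types!)" if report["amplification"][src] else ""
        print(f"external source {src}: {n} queries{flag}")
    if report["external"]:
        print("resolver is answering the internet: remove the port 53 forward")
```

Run it against the real log with `audit(open("/var/log/pihole.log").read())`; a clean setup, where only LAN and tunnel clients can reach Pi-hole, produces an empty `external` counter.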

unassigned RamSet #4
#5

Awesome! Thanks so much for the detailed reply. So these are the questions that remain for me…

  1. This is the solution then… but how do I do it? If I have the phone connected to OpenVPN, and then I turn WiFi on, my phone doesn’t work. I think it is a “loop-back” issue? …wait??? I just went to test it and get more info, and it works now. I am on WiFi, I connected to OpenVPN, and my phone still works. I swear that was not the case last night. Weird.

  2. Awesome, I will test out making a user/password for OpenVPN and connecting to it through the phone’s native settings… but what server type do I choose? PPTP?

  3. No issue

  4. So say I just wanted to try it… why does the Private DNS feature in Android Settings say “couldn’t connect” when I have given it a domain that points to my IP which has port 53 forwarded to PiHole (just for testing, I will not keep it this way… but why doesn’t it work?)

  5. I figured ASUS has its own firewall and everything as it expects to be the router… but maybe that is disabled in AP mode… so yeah, DMZ might be a bad idea here… and unnecessary now with OpenVPN. I will remove the DMZ and 53 forwards, so OpenVPN is my only port-forward now.

  6. Thanks for the advice.

So in the end, I will just leave OpenVPN always on on my phone, and it should work anywhere on 4G or WiFi (including my own WiFi… now that that seems to have fixed itself).

I am pretty happy having all data go through my Google Fiber 1 Gb line even when away from home, so I am not going to worry about the DNS-only mod. I have enabled logging to RAM so the SD card should last. My next mission: Add OpenHAB to the mix. Wish me luck. :slight_smile:

#6

I spoke too soon. OpenVPN if connected on WiFi seems to work. But if I leave it connected for a time, it stops working. If I then leave my house it starts working, and when I return to home I get a message saying I can’t connect…

NOTE: If I then OPEN APP and connect via OpenVPN, it starts working on WiFi again… for a time, until it stops working and then I have to turn it off to use my phone (or turn it off and back on to use my phone without ads [or turn on the other DNS Changer app’s VPN which will work until I leave the house])

#7

I have enabled it to “turn off VPN when screen is off (to save battery)”, and it reconnects when the screen is on. This mostly works all the time at home or away now, though it is a bit annoying with all the messages about it re-connecting and all.

I wish everything could “just work” behind the scenes without my phone looking any different (key in status bar only, no constant messages, no issues with it stopping working until I disconnect and re-connect - rare now that it auto disconnects on screen off and reconnects on screen on… but it has still happened a couple of times).

For all things that stay in my home and don’t use IPv6 it is automatic and awesome. I just wish it was that easy and seamless on a phone, even if always VPN’ed… but ALWAYS without any issues. Does it work that way for others? If so, what am I missing here? Can I get logs that will help me figure out how to fix this? Thanks for any help.

PS: I modded the homepage :slight_smile: that was fun. Will spend more time on it later.

#8

@RamSet

So you just use OpenVPN, installed on Android as an app, and you leave it always connected even when on home WiFi… and you don’t have any issues with annoying notifications and toast messages and needing to disconnect and reconnect it? It is really too annoying for me to use. I am about to just leave it off, and only turn it on when I am reading a lot of news or something. I would rather have 24/7 Pi-hole, but it is way too frustrating to have my phone not work sometimes unless I mess with it.

Is there some step I am missing? To make this work smoother and fully behind the scenes? I can block all notifications I guess, but then when it stops working it would be an even bigger pain to fix it without the notifications.

What are your settings in terms of “always on VPN” in Android, and “battery saver” / “notifications” in the OpenVPN app?

#9

Sorry, I should have specified … I’m on iOS and all devices are on iOS.

BUT!

I use the official OpenVPN app and what I have is:

  • Reconnect On Wakeup: enabled
  • Seamless Tunnel: enabled
  • VPN Protocol: Adaptive
  • Connection timeout: 10 sec
  • Allow compression: No
  • Connect via: Any network

I think your problem is not with VPN or Pi-hole. I believe it’s the way the VPN app on your device behaves …

No issues… Ok maybe once in a while, I’d say once every… 2-3 days the connection hangs and all I have to do is toggle it on and off… But other than that, nothing …

#10

Ugh… thanks for the reply.

I am having it 2-3 times per day (I work from home, and just leave the house a bit, some days not at all).

While once every 2-3 days would be much better, it will still bother me. I think I must give up on this and just toggle it on when I want it, but keep Pi-Hole off normally so I know there is no chance of encountering an issue when I expect my phone to work (by voice… without having to turn on the screen and fix the broken internet even if it is just a toggle)