Can't reach pihole from VPN, port 53 blocked?

ovni82
DD-WRT Novice


Joined: 19 Jan 2022
Posts: 5

Posted: Wed Jan 19, 2022 16:21    Post subject: Can't reach pihole from VPN, port 53 blocked?
Router Model: Netgear R7800
Firmware Version: DD-WRT v3.0-r47822 std (12/09/21)

I am trying to have all my VPN clients use my Pi-hole as the DNS server. However, all DNS requests time out.

Pi-hole is running on a Raspberry Pi at 192.168.1.149 and is also the DHCP server. I have set my router (192.168.1.1) as DHCP forwarder.

Code:
Router IP
Local IP Address 192.168.1.1 / 24
Gateway: 0.0.0.0
Local DNS: 192.168.1.149

Network Address Server Settings (DHCP)
DHCP Type: DHCP Forwarder
DHCP Server: 192.168.1.149


Clients can connect to the VPN server and are able to access the internet if I set the DNS server to (e.g.) 9.9.9.9.
However, when I change the DNS server to 192.168.1.149 I get DNS errors.
Additional Config
Code:

verb 5
push "dhcp-option DNS 192.168.1.149"


Telnet from my normal network (br0) to the Pi-hole over port 53 works.
Telnet from the VPN (tun2) to the Pi-hole over port 53 gives a timeout.
Telnet from my normal network (br0) to the Pi-hole over port 80 works.
Telnet from the VPN (tun2) to the Pi-hole over port 80 works.

So traffic from my client can reach my Pi-hole over port 53 when not connected to the VPN. When connected to the VPN, traffic to my Pi-hole over port 53 is not allowed. So my conclusion is that the firewall is blocking traffic from my VPN to the Pi-hole.

I am an iptables novice and have tried a lot of suggestions, but none seem to work.
The latest I have tried is:

Code:
iptables -I FORWARD -i tun2 -o br0 -p udp -d 192.168.1.149 --dport 53 -j ACCEPT
iptables -I FORWARD -i tun2 -o br0 -p tcp -d 192.168.1.149 --dport 53 -j ACCEPT


iptables -L shows that the rules are set, but I keep getting timeouts.

Code:
ACCEPT     tcp  --  anywhere             pi.hole              tcp dpt:dns
ACCEPT     udp  --  anywhere             pi.hole              udp dpt:dns

What do I need to do to be able to reach my Pi-hole from my VPN over port 53?
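As an added example (not part of the original post or of Pi-hole/DD-WRT), a small Python probe that sends a real DNS query instead of a TCP handshake. Telnet to port 53 only proves the TCP port accepts a connection; almost all resolver traffic is UDP, and a server that silently ignores a query looks exactly like a firewall drop unless you look at what comes back. The Pi-hole address 192.168.1.149 is taken from the post; the query name pi.hole, the transaction ID and the 2-second timeout are assumptions.

```python
"""Probe a DNS server the way a client does, not the way telnet does.

Added example, not code from the thread.  Sends one A query over UDP (or TCP)
and classifies the outcome: no reply at all vs. a reply that refuses vs. a
working answer.  Only the socket part needs a live server; query building and
reply parsing are pure functions.
"""
import socket
import struct

PIHOLE = "192.168.1.149"   # from the post
TIMEOUT_S = 2.0            # assumption
TXID = 0x1234              # assumption; fixed so replies can be matched

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = TXID) -> bytes:
    """Minimal RFC 1035 query: one A/IN question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, expect_txid: int = TXID) -> dict:
    """Pull txid, QR bit, RCODE and answer count out of a DNS reply header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "txid_ok": txid == expect_txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
    }


def probe(server: str = PIHOLE, name: str = "pi.hole", tcp: bool = False) -> str:
    """Send one query and return how it ended.

    'timeout'  -> nothing came back: firewall drop, missing route, or a
                  resolver that ignores this source address (dnsmasq's
                  local-service behaviour does exactly this)
    'error: …' -> ICMP port unreachable / TCP RST: reached the host, port closed
    'REFUSED'  -> reached the resolver, policy rejected the query
    'NOERROR'  -> working end to end
    """
    q = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=TIMEOUT_S) as s:
                s.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS has a length prefix
                raw = s.recv(4096)[2:]
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(TIMEOUT_S)
                s.sendto(q, (server, 53))
                raw, _peer = s.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error: {e}"
    try:
        r = parse_response(raw)
    except ValueError:
        return "garbled"
    return r["rcode"] if r["txid_ok"] and r["is_response"] else "garbled"


if __name__ == "__main__":
    print("udp:", probe())
    print("tcp:", probe(tcp=True))
```

Run it once from a LAN client and once from a VPN client and compare: 'NOERROR' from the LAN with 'timeout' from the tunnel, while port 80 works from both, points at the resolver's own source policy or a host firewall rather than at routing. The same probe pointed at the router's public address is a quick check that the resolver is not answering the internet at large after its origin policy has been loosened.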
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 18:34
There's NO need for DHCP forwarding. You should disable the router's DHCP server completely.

Realize that when the remote OpenVPN clients are accessing the pihole, they are doing so from the OpenVPN server's IP network on the tunnel. Is the RPi's firewall (assuming it has one) configured to allow access from 10.8.0.0/24 (or whatever you used for the tunnel)? The firewall on some platforms will NOT allow access from anything but the same IP network on which it is running (e.g., Windows), at least not by default. Also, did you push the local network (192.168.1.0/24) to the OpenVPN clients so they know to route 192.168.1.149 over the tunnel (only necessary if you do NOT route all traffic over the VPN)?

Code:
push "route 192.168.1.0 255.255.255.0"


P.S. Well now I see you've posted an image of the OpenVPN server config, and redirect gateway is enabled, so that answers that question.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 18:41
Also, there's no need for specific FORWARD rules for the DNS server's IP if you otherwise have access to any other IPs on that same network.
ovni82
DD-WRT Novice


Joined: 19 Jan 2022
Posts: 5

Posted: Wed Jan 19, 2022 19:34
Ok, I've disabled DHCP Server & rebooted the router, settings are now like this:

Code:
Router IP
Local IP Address: 192.168.1.1 / 24
Gateway:0.0.0.0
Local DNS: 192.168.1.149

Network Address Server Settings (DHCP)
DHCP Type: DHCP Server
DHCP Server: Disable

following settings are greyed out:

Start IP Address:192.168.1.100
Maximum DHCP Users: 70
Client Lease Expiration: 1440 min
Static DNS 1: 192.168.1.149
Static DNS 2: 0.0.0.0
Static DNS 3: 0.0.0.0
WINS: 0.0.0.0
Use DNSMasq for DNS: unchecked
DHCP-Authoritative: unchecked
Recursive DNS Resolving (Unbound): unchecked
Forced DNS Redirection: unchecked


I've cleared all the iptables firewall rules on the router (not everything, just the manually added rules in the router GUI).

Still not able to connect to the Pi-hole over port 53. I can reach it over port 80 (when on the VPN), just not over port 53. The Pi-hole is listening on 53. I can reach it, just not when on the VPN.

The Raspberry Pi with Pi-hole has no firewall:

Code:
pi@raspberrypi:~ $ ufw status
-bash: ufw: command not found
pi@raspberrypi:~ $ iptables
-bash: iptables: command not found
ovni82
DD-WRT Novice


Joined: 19 Jan 2022
Posts: 5

Posted: Wed Jan 19, 2022 19:49
I also tried running a small webserver on port 53 on my Windows laptop with Windows Firewall disabled. Outside the VPN I can reach it from another client. When on the VPN, I get timeouts again. So it seems it's nothing on the Pi-hole that is blocking the connection. The only thing between the client and my Pi-hole is the router.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 19:51
Well if you can reach it over port 80, but just not port 53, then it's definitely not a routing problem. That would suggest it is a personal firewall issue, but you say the RPi has no firewall at the moment.

Sure sounds to me as if the DNS server itself is refusing to respond to the OpenVPN server's IP network on the tunnel (10.8.0.0/24).

Try adding the following to the firewall (just use SSH for the moment to copy/paste, no need to make it permanent yet via the firewall script).

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o br0 -j SNAT --to 192.168.1.1

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Wed Jan 19, 2022 19:56
Another idea, are you using a Windows client?

Windows clients have a habit of using their own DNS servers instead of the pushed ones.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 20:02
Good point by @egc. We're all assuming the OpenVPN client is actually attempting to access the DNS server over the VPN. But we know nothing about that client, and whether this is necessarily true. It's one thing to push the DNS server to the OpenVPN client, but it has no way of forcing the client to use it. For all we know, the OpenVPN client is ignoring push DNS servers in its config file.

Code:
pull-filter ignore "dhcp-option DNS"


Or something else on the client won't accept it.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 20:10
Another thing you could do is add the following firewall rules to see if any port 53 traffic is coming through the OpenVPN server.

Code:
iptables -I FORWARD -i tun2 -p udp --dport 53
iptables -I FORWARD -i tun2 -p tcp --dport 53


If it is, you should see some packet counts when you dump the FORWARD chain.

Code:
iptables -vnL FORWARD | head

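As an added example (not code from the thread, Pi-hole or DD-WRT), a Python parser for the `iptables -vnL FORWARD` dump that the check above produces. It finds the two counting rules (no `-j`, so they only count and the packet continues down the chain) and reads their packet counters, so the question "is any port-53 traffic arriving from the tunnel at all?" gets a yes/no answer instead of a table to eyeball. It assumes the tunnel interface is tun2 as in the thread; the sample output and its counters are constructed for the demonstration. DD-WRT itself has no Python, so save the dump and feed it in, or run the live variant on a Linux box that has iptables.

```python
"""Read packet counters from `iptables -vnL <chain>` output.

Added example, not code from the thread.  Handles the quirk that a rule added
without -j prints an empty target column, which shifts every later field.
"""
import re
import subprocess

PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp", "mh"}
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}   # iptables abbreviates in decimal thousands

# Constructed sample in the shape `iptables -vnL FORWARD` prints; made up numbers.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2220            tcp  --  tun2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
  412 29664            udp  --  tun2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
 1206  176K ACCEPT     all  --  tun2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      br0     0.0.0.0/0            192.168.1.149        udp dpt:53
  98K   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""


def parse_count(tok: str) -> int:
    """'37' -> 37, '98K' -> 98000, '12M' -> 12000000."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text: str) -> list:
    """Turn a -vnL chain dump into a list of rule dicts.

    If the third token is a protocol name (or a numeric protocol) rather than
    a target, the rule has no -j target and the target field is empty.
    """
    rules = []
    for line in text.splitlines()[2:]:          # skip chain line and column header
        tok = line.split()
        if len(tok) < 8:
            continue
        pkts, nbytes = parse_count(tok[0]), parse_count(tok[1])
        if tok[2].lower() in PROTOS or tok[2].isdigit():
            target, rest = "", tok[2:]
        else:
            target, rest = tok[2], tok[3:]
        prot, _opt, ifin, ifout, src, dst = rest[:6]
        rules.append({
            "pkts": pkts, "bytes": nbytes, "target": target, "prot": prot,
            "in": ifin, "out": ifout, "src": src, "dst": dst,
            "extra": " ".join(rest[6:]),          # match text such as 'tcp dpt:53'
        })
    return rules


def dns_from_tunnel(rules: list, iface: str = "tun2") -> dict:
    """Packets seen by the target-less port-53 counting rules on `iface`."""
    seen = {"tcp": 0, "udp": 0}
    for r in rules:
        if (r["in"] == iface and r["target"] == "" and r["prot"] in seen
                and "dpt:53" in r["extra"]):
            seen[r["prot"]] += r["pkts"]
    return seen


def verdict(seen: dict) -> str:
    """Non-zero counters: the client really does send DNS over the VPN and the
    router forwards it, so the fault lies past the router (resolver policy or a
    host firewall).  Zero: the client never used the pushed server, e.g. a
    Windows client preferring its own resolvers, or the rule was added after
    the queries; zero the counters with `iptables -Z FORWARD` and retest."""
    if seen["udp"] == 0 and seen["tcp"] == 0:
        return "no port-53 traffic from tunnel: client is not using the pushed DNS"
    return (f"port-53 traffic is reaching FORWARD from the tunnel "
            f"(udp={seen['udp']}, tcp={seen['tcp']})")


def live(chain: str = "FORWARD", iface: str = "tun2") -> dict:
    """Same check against the running firewall (needs root and iptables in PATH)."""
    out = subprocess.run(["iptables", "-vnL", chain], check=True,
                         capture_output=True, text=True).stdout
    return dns_from_tunnel(parse_chain(out), iface)


if __name__ == "__main__":
    counts = dns_from_tunnel(parse_chain(SAMPLE))
    print(counts)
    print(verdict(counts))
```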
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 20:19
I was just revisiting the following statement you made.

"So traffic from my client can reach my pihole over port 53 when not connected to the vpn. When connected to the vpn traffic to my pihole over port 53 is not allowed. So my conclusion is the firewall is blocking traffic from my VPN to the pihole."

Is this a case of you accessing the OpenVPN server from *inside* the same IP network on which the server is running? IOW, NAT loopback? Because if it is, that is NOT a valid test. You must be *outside* the local IP network, on the internet side of the WAN.

ovni82
DD-WRT Novice


Joined: 19 Jan 2022
Posts: 5

Posted: Wed Jan 19, 2022 22:15
Thank you so much, your last reply sent me in the right direction. I tried connecting one Windows laptop through a hotspot as the VPN client (on the internet side of the WAN) and then using telnet to connect to the other Windows laptop (connected to my local network) with the webserver on port 53, and it connected. So then it must be the Pi-hole blocking the traffic. Looking into the Pi-hole log, it was full of messages saying it had blocked traffic:

Quote:
Ignoring query from non-local network

https://docs.pi-hole.net/ftldns/dnsmasq_warn/

Apparently the default setting on Pi-hole is to
Quote:
Allow only local requests


Setting it to allow all origins solved the issue. Again, thank you! It was driving me crazy ;)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 23:32
Glad you got it working. I had a feeling it was an application-level configuration problem given the behavior. But I don't know the first thing about pihole.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Jan 19, 2022 23:44
BTW, this is why I recommend most users install the following firewall rule whenever using OpenVPN server.

Code:
iptables -t nat -I POSTROUTING -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -o br0 -j SNAT --to $(nvram get lan_ipaddr)


What this does is mask the OpenVPN client's IP on the tunnel with that of the router's LAN IP, thus avoiding these types of personal firewall issues!

ovni82
DD-WRT Novice


Joined: 19 Jan 2022
Posts: 5

Posted: Thu Jan 20, 2022 9:08
Excellent, that also works. Setting Pi-hole to only accept local requests plus your firewall rule also does the trick.

The only small downside is that Pi-hole now sees the requests as coming from 192.168.1.1, so in the activity graphs (graph with number of DNS requests per client over time) you can no longer distinguish between clients, and it's also not directly clear that these requests are coming from VPN clients.

Without the firewall rule and with Pi-hole set to 'permit all origins', the activity graph shows the different clients (10.8.0.2, 10.8.0.3, etc.). The downside to this option might be that it's a potential security risk depending on the setup.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Jan 20, 2022 10:21
ovni82 wrote:
Excellent, that also works. Setting Pi-hole to only accept local requests plus your firewall rule also does the trick.

The only small downside is that Pi-hole now sees the requests as coming from 192.168.1.1, so in the activity graphs (graph with number of DNS requests per client over time) you can no longer distinguish between clients, and it's also not directly clear that these requests are coming from VPN clients.

Without the firewall rule and with Pi-hole set to 'permit all origins', the activity graph shows the different clients (10.8.0.2, 10.8.0.3, etc.). The downside to this option might be that it's a potential security risk depending on the setup.


True. Although you could at least reasonably infer it's coming from those OpenVPN clients.

For most people, I just don't think they care. Especially when they're, say, a small business and learn they now have to run around and update all their Windows machines. Or they may discover new devices down the road that have the same problem. For them, they'd just rather avoid the headaches and use the rule.

Even in your own case, you could make an exception.

Code:
iptables -t nat -I POSTROUTING -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -o br0 ! -d 192.168.1.149 -j SNAT --to $(nvram get lan_ipaddr)


Anyway, that's what we do around here: offer options. Ultimately YOU have to decide on what works best.
