Clients can connect to the VPN server and are able to access the internet if I set the DNS server to (e.g.) 9.9.9.9.
However, when I change the DNS server to 192.168.1.149 I get DNS errors.
Additional Config
Code:
verb 5
push "dhcp-option DNS 192.168.1.149"
Telnet from my normal network (br0) to pihole over port 53 works
Telnet from vpn (tun2) to the pihole over port 53 gives a timeout.
Telnet from my normal network (br0) to pihole over port 80 works
Telnet from vpn (tun2) to the pihole over port 80 works.
So traffic from my client can reach my pihole over port 53 when not connected to the vpn. When connected to the vpn traffic to my pihole over port 53 is not allowed. So my conclusion is the firewall is blocking traffic from my VPN to the pihole.
I am an iptables novice and have tried a lot of suggestions, but none seem to work.
The latest I have tried is:
There's NO need for DHCP forwarding. You should disable the router's DHCP server completely.
Realize that when the remote OpenVPN clients are accessing the pihole, they are doing so from the OpenVPN server's IP network on the tunnel. Is the RPi's firewall (assuming it has one) configured to allow access from 10.8.0.0/24 (or whatever you used for the tunnel)? The firewall on some platforms will NOT allow access from anything but the same IP network on which it is running (e.g., Windows), at least not by default. Also, did you push the local network (192.168.1.0/24) to the OpenVPN clients so they know to route 192.168.1.149 over the tunnel (only necessary if you do NOT route all traffic over the VPN)?
Ok, I've disabled DHCP Server & rebooted the router, settings are now like this:
Code:
Router IP
Local IP Address: 192.168.1.1 / 24
Gateway: 0.0.0.0
Local DNS: 192.168.1.149
Network Address Server Settings (DHCP)
DHCP Type: DHCP Server
DHCP Server: Disable
following settings are greyed out:
Start IP Address: 192.168.1.100
Maximum DHCP Users: 70
Client Lease Expiration: 1440 min
Static DNS 1: 192.168.1.149
Static DNS 2: 0.0.0.0
Static DNS 3: 0.0.0.0
WINS: 0.0.0.0
Use DNSMasq for DNS: unchecked
DHCP-Authoritative: unchecked
Recursive DNS Resolving (Unbound): unchecked
Forced DNS Redirection: unchecked
I've cleared all the iptables firewall rules on the router (not everything, just the manually added rules in the router GUI).
Still not able to connect to the pihole over port 53. I can reach it over port 80 (when on the vpn), just not over port 53. The pihole is listening on 53. I can reach it, just not when on the vpn.
The Raspberry Pi with pihole has no firewall:
Code:
pi@raspberrypi:~ $ ufw status
-bash: ufw: command not found
pi@raspberrypi:~ $ iptables
-bash: iptables: command not found
I also tried running a small webserver on port 53 on my Windows laptop with the Windows firewall disabled. Outside the vpn I can reach it from another client. When on the vpn, I get timeouts again. So it seems it's nothing on the pihole that is blocking the connection. The only thing between the client and my pihole is the router.
Well if you can reach it over port 80, but just not port 53, then it's definitely not a routing problem. That would suggest it is a personal firewall issue, but you say the RPi has no firewall at the moment.
Sure sounds to me as if the DNS server itself is refusing to respond to the OpenVPN server's IP network on the tunnel (10.8.0.0/24).
Try adding the following to the firewall (just use SSH for the moment to copy/paste, no need to make it permanent yet via the firewall script).
Good point by @egc. We're all assuming the OpenVPN client is actually attempting to access the DNS server over the VPN. But we know nothing about that client, and whether this is necessarily true. It's one thing to push the DNS server to the OpenVPN client, but it has no way of forcing the client to use it. For all we know, the OpenVPN client is ignoring push DNS servers in its config file.
I was just revisiting the following statement you made.
"So traffic from my client can reach my pihole over port 53 when not connected to the vpn. When connected to the vpn traffic to my pihole over port 53 is not allowed. So my conclusion is the firewall is blocking traffic from my VPN to the pihole."
Thank you so much, your last reply sent me in the right direction. I tried connecting one Windows laptop through a hotspot as the vpn client (on the internet side of the WAN) and then using telnet to connect to the other Windows laptop (connected on my local network) with the webserver on port 53, and it connected. So then it must be the pihole blocking the traffic. Looking into the logging of pihole, it was full of messages saying it had blocked traffic:
Excellent, that also works. Setting pihole to only accept local requests plus your firewall rule also does the trick.
The only small downside is that pihole now sees the requests as coming from 192.168.1.1, so in the activity graphs (graph with number of DNS requests per client over time) you can no longer distinguish between clients, and it's also not directly clear that these requests are coming from vpn clients.
Without the firewall rule and with pihole set to 'permit all origins', the activity graph shows the different clients (10.8.0.2, 10.8.0.3, etc.). The downside to this option might be that it's a potential security risk depending on the setup.
True. Although you could at least reasonably infer it's coming from those OpenVPN clients.
For most people, I just don't think they care. Especially when they're, say, a small business and learn they now have to run around and update all their Windows machines. Or they may discover new devices down the road that have the same problem. For them, they'd just rather avoid the headaches and use the rule.
Even in your own case, you could make an exception.
Code:
# SNAT tunnel traffic leaving via the LAN bridge to the router's LAN IP,
# but leave packets destined for the Pi-hole (192.168.1.149) with their real source
iptables -t nat -I POSTROUTING -s $(nvram get openvpn_net)/$(nvram get openvpn_tunmask) -o br0 ! -d 192.168.1.149 -j SNAT --to $(nvram get lan_ipaddr)
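As an added illustration (not code from this thread, from Pi-hole or from dnsmasq), the following Python models the interaction the thread converged on in the last two exchanges. It assumes that Pi-hole's "only accept local requests" setting behaves like dnsmasq's local-service option, answering only queries whose source address lies on a subnet attached to the Pi's own interfaces; under that assumption, queries arriving with a 10.8.0.0/24 source are dropped unless either the router SNATs them to its LAN address (Pi-hole then sees 192.168.1.1 and the per-client graphs collapse) or the Pi-hole is exempted from the SNAT and switched to "permit all origins". The addresses mirror the thread; the function names and the `snat_enabled`/`exempt_pihole`/`permit_all_origins` switches are constructed for the example.

```python
import ipaddress

# Constructed topology matching the thread (assumptions): LAN 192.168.1.0/24,
# OpenVPN tunnel 10.8.0.0/24, Pi-hole at 192.168.1.149, router LAN IP 192.168.1.1.
LAN = ipaddress.ip_network("192.168.1.0/24")
TUN = ipaddress.ip_network("10.8.0.0/24")
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")
PIHOLE = ipaddress.ip_address("192.168.1.149")
PIHOLE_IF_NETS = [LAN]  # subnets configured on the Pi's own interfaces


def snat_source(src, dst, snat_enabled, exempt_dst=None):
    """Model of the POSTROUTING rule from the thread: a packet from the tunnel
    leaving via br0 towards the LAN gets its source rewritten to the router's
    LAN IP, unless the destination is the exempted host (the '! -d' match)."""
    src = ipaddress.ip_address(str(src))
    dst = ipaddress.ip_address(str(dst))
    if snat_enabled and src in TUN and dst in LAN and dst != exempt_dst:
        return ROUTER_LAN_IP
    return src


def local_service_accepts(seen_src):
    """Assumed behaviour of Pi-hole 'only accept local requests'
    (dnsmasq local-service): answer only if the query's source address is on
    one of the server's directly attached subnets."""
    seen_src = ipaddress.ip_address(str(seen_src))
    return any(seen_src in net for net in PIHOLE_IF_NETS)


def pihole_outcome(client, snat_enabled, exempt_pihole, permit_all_origins):
    """What the Pi-hole sees as the query source, and whether it answers."""
    exempt = PIHOLE if exempt_pihole else None
    seen = snat_source(client, PIHOLE, snat_enabled, exempt)
    answered = permit_all_origins or local_service_accepts(seen)
    return {"seen_source": str(seen), "answered": answered}


if __name__ == "__main__":
    scenarios = [
        ("LAN client, local-only Pi-hole", "192.168.1.50", False, False, False),
        ("VPN client, no SNAT, local-only (the original problem)", "10.8.0.2", False, False, False),
        ("VPN client, SNAT everything, local-only (client identity lost)", "10.8.0.2", True, False, False),
        ("VPN client, SNAT with Pi-hole exempt, permit all origins", "10.8.0.2", True, True, True),
        ("VPN client, SNAT with Pi-hole exempt, still local-only (exemption alone fails)", "10.8.0.2", True, True, False),
    ]
    for label, client, snat, exempt, permit in scenarios:
        print(f"{label}: {pihole_outcome(client, snat, exempt, permit)}")
```

The last scenario is the caveat worth keeping in mind when adopting the exception rule above: exempting the Pi-hole from SNAT restores the real 10.8.0.x source addresses in the graphs, but only if the Pi-hole is also set to permit all origins, since a local-only Pi-hole will again see a non-local source and stop answering. With permit-all in place the Pi-hole answers whatever can reach its port 53, so the router's firewall becomes the only thing keeping it a LAN-and-tunnel-only resolver.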