Can't use internet with Wireguard Pi-Vpn

nothing, i’ve also reinstalled everything to have all plain and clean.

dig +cdflag @127.0.0.1 -p 5335 dietpi.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +cdflag @127.0.0.1 -p 5335 dietpi.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52935
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dietpi.com.                    IN      A
;; Query time: 96 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Feb 11 12:57:02 GMT 2025
;; MSG SIZE  rcvd: 39

also, i’m not able to update to dietpi v 9.10.0

│ Downloading update archive                                                                                           │                      
                     │  - Command: curl -sSfLO https://github.com/MichaIng/DietPi/archive/master.tar.gz                                     │                      
                     │  - Exit code: 6                                                                                                      │                      
                     │  - DietPi version: v9.9.0 (MichaIng/master) | HW_MODEL: 4 | HW_ARCH: 3 | DISTRO: 7                                   │                      
                     │  - Error log:                                                                                                        │                      
                     │ curl: (6) Could not resolve host: github.com   

I guess you set local DNS on the DietPi device to Pihole? Something you should not do. I recommend using a STATIC ip address and a global public DNS provider. Maybe thats one of the issues?

Can you check

ip a
cat /etc/resolv.conf

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether dc:a6:32:d2:b3:e7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.87/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::dea6:32ff:fed2:b3e7/64 scope link 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.245.65.1/24 scope global wg0
       valid_lft forever preferred_lft forever

cat /etc/resolv.conf

nameserver 192.168.1.2
nameserver 192.168.1.2

You are using STATIC IP?
You set your router as DNS server inside DietPi?
And your router is using Pihole as upstream DNS?

I would recommend setting a different DNS server in DietPi (Quad9, Cloudflare or Google DNS) if all question has been answered with yes.

I have two routers: one is the main and the second one is in bridge mode (my house have two floors). The Pi4 is connected to the latter.

Dietpi have a static IP: 192.168.1.87

My main router is using 192.168.1.87 as primary DNS.

In dietpi-config i see that the static DNS is set to 192.168.1.2 (my bridge router)

And what does the bridge router uses as upstream DNS? I guess the main router? Which points you back to PiHole? You see the loop? Again I highly recommend using a public DNS inside DietPi own network configuration. This has no impact on PiHole or any AdBlock blocking inside your network.

done what you said, successfully updated dietpi, but still no luck with wireguard

Forgot about Wireguard for the moment. First you would need to fix unbound.

Reboot your system and check following again

dig @127.0.0.1 -p 5335 dietpi.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @127.0.0.1 -p 5335 dietpi.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18932
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dietpi.com.                    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Feb 11 21:40:46 GMT 2025
;; MSG SIZE  rcvd: 39

looks the same

Still something wrong with DNSSEC validation. Does this file has an up-to-date date?

ls -la /var/lib/unbound/root.key

-rw-r--r-- 1 unbound unbound 431 May 21 2024 /var/lib/unbound/root.key

Lets try updating the file

mv /var/lib/unbound/root.key /var/lib/unbound/root.key.old
systemctl restart unbound
ls -la /var/lib/unbound/root*

Does the file has an up-to-date date now?

-rw-r--r-- 1 root    root    3313 Feb  8 18:46 /var/lib/unbound/root.hints
-rw-r--r-- 1 unbound unbound  431 May 21  2024 /var/lib/unbound/root.key
-rw-r--r-- 1 unbound unbound  431 May 21  2024 /var/lib/unbound/root.key.old

What is the content of the file

cat /var/lib/unbound/root.key

.       86400   IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]

the file looks complete different to me. Let’s try another way

mv /var/lib/unbound/root.key /var/lib/unbound/root.key.old
apt install unbound-anchor
sudo -u unbound unbound-anchor -va /var/lib/unbound/root.key
cat /var/lib/unbound/root.key
systemctl restart unbound
cat /var/lib/unbound/root.key

/var/lib/unbound/root.key does not exist
fail: the anchor is NOT ok and could not be fixed

hmm something strange happen on your system. Actually I don’t know why Unbound is not able to update the file

For me this is working without issue

root@DietPiProd:~# mv /var/lib/unbound/root.key /var/lib/unbound/root.key.old
root@DietPiProd:~# sudo -u unbound unbound-anchor -va /var/lib/unbound/root.key
/var/lib/unbound/root.key does not exist
success: the anchor is ok
root@DietPiProd:~#

For testing, can you move the RPi device directly behind the ISP router? Just to exclude more components. And do you use any specific firewall that could block some sort of requests?

still, the same, i’ve also tried a fresh new dietpi install on a new usb stick.

No firewall at all.

I’ve found some threads on reddit, maybe is my ISP (Vodafone, main router) intercepting DNS queries?

My ISP (Vodafone) is the culprit - to be more specific: their router! (EasyBox 804)
Another thread lead me to this conclusion: Is my router intercepting DNS queries?
After reading that, I checked Unbound with another router (unbranded) and there it just works as it should! Problem is sadly, that I can’t use this other router as it is really old and can only get 50% of my normal internet-speed >_<°
I called Vodafone and they can/will not say anything concrete about the issue at hand and only said that I should ask online again and that maybe I need to open some special ports for it to work, but that’s just their ‘guess’/official statement. Could there be some special ports that Unbound needs to work? I tried to find any but nothing special came up - furthermore on the old router it just works without any open (special) ports…
TL;DR: Seems like Vodafone is intercepting my DNS queries and therefore Unbound can not open a secure connection and always fails with SERVFAIL .

If you feel like it, you could test this further and run your RPi4 via a WLAN hotspot on your cell phone, for example. (Cell phone not connected to home WLAN )

As an alternative you can switch off DNSSEC in Unbound. This would then bypass the problem.