Can't use internet with Wireguard Pi-Vpn

Unfortunately, still the same (I also have Vodafone for mobile data).

As an alternative you can switch off DNSSEC in Unbound. This would then bypass the problem.

How can I disable it?

What is the content of the file:

cat /var/lib/unbound/root.key

Now it looks like this:

. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

Still looks very different from mine:

root@DietPiProd:~# cat /var/lib/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1739979337 ;;Wed Feb 19 16:35:37 2025
;;last_success: 1739979337 ;;Wed Feb 19 16:35:37 2025
;;next_probe_time: 1740022487 ;;Thu Feb 20 04:34:47 2025
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.       86400   IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1739355802 ;;Wed Feb 12 11:23:22 2025
.       86400   IN      DNSKEY  257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=17 ;;lastchange=1739355802 ;;Wed Feb 12 11:23:22 2025

You can try to disable DNSSEC within /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.

I can confirm: without DNSSEC my VPN works fine.

For whatever reason, your root.key file is not updated correctly. Therefore DNSSEC is not working.

Sorry, but in which country is this done? As in the EU it is illegal, maybe there is some setting in the router to enable secure DNS or browsing?

I’m in Italy. All settings in the router are disabled

I found some papers from 2017 about how infamous Vodafone It is for DNS hijacking.
Probably a good idea to try DoH or DoT.

Can you tell me more?

Thanks. Done, but I still have to turn DNSSEC off in order to have everything fully functional.

Yes, because DietPi itself is not using PiHole or Unbound. If I'm not mistaken, we switched to a public DNS server on PiHole.

Still, the issue is with the key file for DNSSEC. Something is blocking the update of this particular file.

If the queries are hijacked by the provider, then the verification of the answers will fail. Hence the SERVFAILs you saw earlier.
One way to test is with dig net. SOA +dnssec and verify that there is an AD flag.
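An added example, not part of the thread and not DietPi's or Unbound's own code: a small POSIX shell helper that turns the output of that dig probe into a one-word verdict, so replies like the ones posted further down can be read mechanically. It assumes the probe name is one that must exist (a TLD's SOA, as suggested above), treats the AD flag as the marker of a validated answer, and uses dnssec-failed.org (a publicly available, deliberately mis-signed zone) as the negative probe. The two embedded dig outputs are constructed samples; the first is modelled on the hijacked reply shown later in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify a resolver's DNSSEC behaviour
# from the output of "dig <name> <type> +dnssec". The probe name is assumed
# to be one that must exist (a TLD's SOA), so NXDOMAIN or an empty answer
# for it means the reply did not come from a working resolver.

# dnssec_verdict reads dig output on stdin and prints one word:
#   validated    NOERROR with the AD (authenticated data) flag set
#   unvalidated  NOERROR without AD: the resolver is not validating
#   servfail     SERVFAIL: validation failed (stale or missing trust anchor
#                in root.key, or tampered answers)
#   no-answer    NXDOMAIN, or NOERROR with zero records, for a name that
#                must exist
#   unknown      anything else (timeout, REFUSED, ...)
dnssec_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            if [ "${answers:-0}" -eq 0 ]; then
                echo no-answer
            else
                # flags is a space-separated list such as "qr rd ra ad"
                case " $flags " in
                    *" ad "*) echo validated ;;
                    *) echo unvalidated ;;
                esac
            fi ;;
        SERVFAIL) echo servfail ;;
        NXDOMAIN) echo no-answer ;;
        *) echo unknown ;;
    esac
}

# check_resolver runs two live probes against the resolver at $1 (for
# example 127.0.0.1 for Unbound on the Pi): a name that must validate, and
# a zone that is deliberately mis-signed, which a validating resolver must
# reject with SERVFAIL.
check_resolver() {
    server=$1
    printf 'net. SOA            -> %s (validated expected)\n' \
        "$(dig @"$server" net. SOA +dnssec +time=3 +tries=1 | dnssec_verdict)"
    printf 'dnssec-failed.org A -> %s (servfail expected)\n' \
        "$(dig @"$server" dnssec-failed.org A +dnssec +time=3 +tries=1 | dnssec_verdict)"
}

# Constructed sample modelled on the hijacked reply in the thread:
# NXDOMAIN, no AD flag, no records.
sample_hijacked='; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> net. SOA +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46133
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'

# Constructed sample of what a validating resolver returns for the same
# probe (record contents are placeholders).
sample_validated=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
net.   900  IN  SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
net.   900  IN  RRSIG  SOA 13 1 900 20250301000000 20250215000000 12345 net. AbCdEf=='

# Stand-alone run: verdicts for both samples. Use check_resolver for a
# live test.
printf '%s\n' "$sample_hijacked"  | dnssec_verdict   # no-answer
printf '%s\n' "$sample_validated" | dnssec_verdict   # validated
```

Run check_resolver 127.0.0.1 on the DietPi box: a healthy Unbound prints validated for net. SOA and servfail for dnssec-failed.org. If net. SOA gives no-answer from 127.0.0.1 and from 8.8.8.8 alike, each with a very short query time, the plain-text query is being answered by something on the path rather than by the resolver you addressed. The AD flag is only meaningful when it comes from a resolver you control or reach over an authenticated channel; whatever intercepts port 53 can set that bit as easily as it sets NXDOMAIN.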

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> net. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46758
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;net.                           IN      SOA

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Fri Feb 21 15:07:00 CET 2025
;; MSG SIZE  rcvd: 32

This test was meant to use Unbound on your DietPi, not Google DNS. :)

With DNSSEC off:

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> net. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49095
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;net.                           IN      SOA

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Feb 21 18:14:02 CET 2025
;; MSG SIZE  rcvd: 32

With DNSSEC on:

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> net. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46133
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;net.                           IN      SOA

;; Query time: 639 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Feb 21 18:26:00 CET 2025
;; MSG SIZE  rcvd: 32

Since you are not getting an answer, your DNS packets are hijacked.

There's no way I can solve this with Vodafone, right?

As mentioned earlier, you may try DoH or DoT, in case they are not hijacked.
Another, better idea is to subscribe to a better provider.
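An added example for the DoT suggestion made twice in this thread, not the thread's own and not DietPi's or Unbound's code: an Unbound drop-in that forwards all queries over DNS-over-TLS on port 853, so the provider can neither read nor rewrite them in transit, wrapped in a POSIX shell script that writes and checks the file. It assumes Unbound 1.9 or newer (for forward-tls-upstream and the address@port#name form), Debian's CA bundle at /etc/ssl/certs/ca-certificates.crt, Quad9 and Cloudflare as the upstreams, and a drop-in directory of /etc/unbound/unbound.conf.d; the file name dot-forward.conf is my choice.

```shell
#!/bin/sh
# Added example, not from the thread: point Unbound at DNS-over-TLS upstreams.
# Assumptions: Unbound >= 1.9, Debian's CA bundle path, and the upstream
# addresses and certificate names listed in the heredoc below.
set -eu

# write_dot_config writes a forward-zone for "." (everything) into the
# directory given as $1 and prints the path of the file it created.
# Unbound still validates DNSSEC itself; only the transport to the upstream
# changes, and the RFC 5011 probe that refreshes root.key uses it too.
write_dot_config() {
    dir=$1
    f="$dir/dot-forward.conf"
    mkdir -p "$dir"
    cat > "$f" <<'EOF'
server:
    # CA bundle used to verify the upstream's certificate (Debian path)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#name: the name after '#' is checked against the certificate,
    # so a resolver that merely answers on 853 with someone else's cert fails
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
    printf '%s\n' "$f"
}

# dot_config_ok reports (exit status) whether the file at $1 carries the
# three settings that make the forwarding both encrypted and authenticated.
dot_config_ok() {
    grep -q '^forward-zone:' "$1" &&
    grep -q '^ *forward-tls-upstream: yes' "$1" &&
    grep -q '^ *tls-cert-bundle:' "$1" &&
    grep -q '@853#' "$1"
}

# apply_dot_config validates the whole Unbound configuration and reloads
# the service; needs root.
apply_dot_config() {
    unbound-checkconf && systemctl restart unbound
}

# Usage: sh dot-forward.sh apply    (as root on the DietPi box)
if [ "${1:-}" = "apply" ]; then
    conf=$(write_dot_config /etc/unbound/unbound.conf.d)
    dot_config_ok "$conf"
    apply_dot_config
    printf 'wrote %s and restarted unbound\n' "$conf"
fi
```

After applying, re-run dig @127.0.0.1 net. SOA +dnssec and look for the AD flag and a NOERROR status; the stale ADDPEND key in root.key shown earlier also gets a chance to progress once the probe no longer travels in clear text. Forwarding moves trust rather than removing it: the chosen upstream now sees every query, so pick one you are willing to trust. If the provider also blocks or intercepts port 853, Unbound logs TLS handshake failures (journalctl -u unbound) and queries turn into SERVFAIL; that is the case where DoH on port 443 or, as suggested above, another provider is what remains.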
