Combination of Pihole, Wireguard and Unbound only work sometimes

Hello everyone,

I am running Pi-hole, Unbound and PiVPN (WireGuard) on my RPi3 on the latest DietPi 8.5.1 (Debian 11.3) with kernel Linux DietPi3 5.15.32-v8+ #1538 SMP PREEMPT

I changed from OpenVPN to Wireguard because I wanted to benefit from net-roaming features, especially on smartphones.
The problem is that sometimes the VPN works and sometimes not.
Not only after the nightly internet reconnects, but also during the daytime.

Port forwarding on my Fritzbox is set to UDP 51820 and I only use IPv4.

I tried to view the log via “journalctl -f wg-quick@wg0”
but it’s always empty.
Using the kernel module does not work because the path does not exist
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

So I can only use the smartphone log

06-28 21:18:37.126 28365 22882 E WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Failed to send data packet: write udp4 0.0.0.0:51267->192.168.10.50:51820: sendto: network is unreachable
06-28 21:18:39.682 28365 28365 I ViewRootImpl@d19ea0b[MainActivity]: Relayout returned: old=(0,0,1080,2340) new=(0,0,1080,2340) req=(1080,2340)8 dur=2 res=0x5 s={false 0} ch=false fn=-1
06-28 21:18:51.529 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Retrying handshake because we stopped hearing back after 15 seconds
06-28 21:18:51.529 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Sending handshake initiation
06-28 21:18:56.819 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Handshake did not complete after 5 seconds, retrying (try 2)
06-28 21:18:56.819 28365 28422 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Sending handshake initiation
06-28 21:19:02.102 28365 28427 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Handshake did not complete after 5 seconds, retrying (try 3)
06-28 21:19:02.102 28365 28427 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Sending handshake initiation
06-28 21:19:06.930 28365 28427 D WireGuard/GoBackend/TomsNetz: peer(RVu4…61gE) - Retrying handshake because we stopped hearing back after 15 seconds

I can see that requests from my android smartphone reach unbound

I did several reinstalls of pihole, unbound and pivpn without changing any defaults.
Some days it works, some days not.

What is different from all the internet how-tos is that the installer does not change the Pi-hole setting from “allow only local requests” to “permit all origins”.

pihole blocks fine from local net.

Hereafter my settings:
Pihole:
Upstream DNS Server: 127.0.0.1#5335
permit all origins
never forward nonFQDN A AAAA and reverse lookups
conditional forwarding: 192.168.10.0/24 192.168.10.254 fritz.box

System:
nameserver 9.9.9.9
nameserver 149.112.112.112

/etc/sysctl.conf
net.ipv4.ip_forward=1

Wireguard:

[Interface]
PrivateKey =
Address = 10.239.187.2/24
DNS = 10.239.187.1

[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
Endpoint = dyndns-ip:51820
AllowedIPs = 0.0.0.0/0, ::0/0

[Interface]
PrivateKey =
Address = 10.239.187.1/24
MTU = 1420
ListenPort = 51820
### begin Handy ###
[Peer]
PublicKey = XXXXX
PresharedKey = XXXXX
AllowedIPs = 10.239.187.2/32
### end Handy ###

debug output:
:::: PiVPN debug ::::
:::: Latest commit ::::
Branch: master
Commit: f8cb945af15a1ca0cf063475c6e1557c6e8da06c
Author: 4s3ti
Date: Fri Jun 10 16:10:57 2022 +0200
Summary: Merge branch ‘test’

:::: Installation settings ::::
PLAT=Debian
OSCN=bullseye
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=192.168.10.50/24
IPv4gw=192.168.10.254
install_user=dietpi
install_home=/home/dietpi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.239.187.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=1
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.239.187.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS=“0.0.0.0/0, ::0/0”
UNATTUPG=0
INSTALLED_PACKAGES=()

:::: Server configuration shown below ::::
[Interface]
PrivateKey = server_priv
Address = 10.239.187.1/24
MTU = 1420
ListenPort = 51820
### begin Handy ###
[Peer]
PublicKey = Handy_pub
PresharedKey = Handy_psk
AllowedIPs = 10.239.187.2/32
### end Handy ###
### begin TabletHuawei ###
[Peer]
PublicKey = TabletHuawei_pub
PresharedKey = TabletHuawei_psk
AllowedIPs = 10.239.187.3/32
### end TabletHuawei ###
### begin Notebook ###
[Peer]
PublicKey = Notebook_pub
PresharedKey = Notebook_psk
AllowedIPs = 10.239.187.4/32
### end Notebook ###
:::: Client configuration shown below ::::
[Interface]
PrivateKey = Handy_priv
Address = 10.239.187.2/24
DNS = 10.239.187.1

[Peer]
PublicKey = server_pub
PresharedKey = Handy_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0

:::: Recursive list of files in ::::
:::: /etc/wireguard shown below ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
Handy.conf
Notebook.conf
TabletHuawei.conf
clients.txt

/etc/wireguard/keys:
Handy_priv
Handy_psk
Handy_pub
Notebook_priv
Notebook_psk
Notebook_pub
TabletHuawei_priv
TabletHuawei_psk
TabletHuawei_pub
server_priv
server_pub

:::: Self check ::::
:: [OK] IP forwarding is enabled
Done
Done
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
[INFO] Run pivpn -d again to see if we detect issues

iptables
Chain FORWARD (policy ACCEPT)
target     prot opt source           destination
ACCEPT     all  --  anywhere         10.239.187.0/24  ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
ACCEPT     all  --  10.239.187.0/24  anywhere         /* wireguard-forward-rule */
ACCEPT     all  --  anywhere         10.93.235.0/24   ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
ACCEPT     all  --  10.93.235.0/24   anywhere         /* wireguard-forward-rule */
ACCEPT     all  --  anywhere         anywhere

Any hints?
Thanks

If you are trying to connect from the internet, this will not work.
Was there ever a handshake? wg show

Yes, I am trying to connect from the internet.
Stupidly, it works just now.

root@DietPi3:/etc/wireguard# wg show
interface: wg0
public key:
private key: (hidden)
listening port: 51820

peer:
preshared key: (hidden)
endpoint: 80.187.xxx.yyy:8570
allowed ips: 10.239.187.2/32
latest handshake: 17 seconds ago
transfer: 13.69 MiB received, 195.56 MiB sent

Long shot and sounds crazy, but I think that your ddns script is updating the hostname with the internal lan IP of the dietpi. You should never see the address 192.168.10.50 when you resolve the ddns.

As stated by @trendy, your DDNS seems to be updated with your local network IP 192.168.10.50 instead of your external internet IP. If I try to simulate an access using my WireGuard installation, I get the following error on an unsuccessful access attempt.

WireGuard/GoBackend/ZuHause: peer(DwVU…y7y8) - Failed to send data packet: write udp4 0.0.0.0:37610->93.x.x.x:51820: sendto: network is unreachable

You see the WireGuard client app is trying to connect to my external IP starting with 93. and not the local network, as shown in your error message.
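The diagnosis in the two replies above can be made mechanical. The following is an added example written for this page (not code from the thread, from PiVPN or from Pi-hole): it scans WireGuard-for-Android log lines of the shape the original poster pasted for send failures aimed at a non-routable address, reads the Endpoint from a client config, and checks Pi-hole's /etc/pihole/custom.list (the file behind the "Local DNS Records" page) for a record that maps that endpoint name to a LAN address. The log lines, the hostname home.dyndns.example, the peer ID and the file contents are all constructed placeholders.

```python
"""Added example (not from the thread, PiVPN or Pi-hole).

Reproduces the diagnosis from constructed inputs: the WireGuard app
re-resolves the DDNS endpoint name while the tunnel's DNS server (Pi-hole)
is active, Pi-hole answers from a local record with the Pi's LAN address,
and the next packet goes to an RFC 1918 address the mobile network cannot
route ("sendto: network is unreachable").
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Shape of the Android WireGuard (GoBackend) send-failure line as pasted in
# the thread; the destination address/port is the part that matters.
SEND_FAIL_RE = re.compile(
    r"peer\((?P<peer>[^)]+)\) - Failed to send data packet: "
    r"write udp4 \S+->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+): "
    r"sendto: (?P<errno>.+)$"
)

# Constructed sample data (placeholder peer ID, hostname and addresses).
SAMPLE_LOG = [
    "06-28 21:18:37.126 28365 22882 E WireGuard/GoBackend/Example: peer(AAAA...BBBB)"
    " - Failed to send data packet: write udp4 0.0.0.0:51267->192.168.10.50:51820:"
    " sendto: network is unreachable",
    "06-28 21:18:51.529 28365 28422 D WireGuard/GoBackend/Example: peer(AAAA...BBBB)"
    " - Sending handshake initiation",
    "06-29 09:02:11.004 28365 28422 E WireGuard/GoBackend/Example: peer(AAAA...BBBB)"
    " - Failed to send data packet: write udp4 0.0.0.0:40001->80.187.0.1:51820:"
    " sendto: operation not permitted",
]
SAMPLE_CLIENT_CONF = """[Interface]
PrivateKey = <redacted>
Address = 10.239.187.2/24
DNS = 10.239.187.1

[Peer]
PublicKey = <redacted>
Endpoint = home.dyndns.example:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""
# Pi-hole keeps "Local DNS Records" as "<ip> <name>" lines in /etc/pihole/custom.list.
SAMPLE_CUSTOM_LIST = """192.168.10.50 pi.hole
192.168.10.50 home.dyndns.example
192.168.10.254 fritz.box
"""


def is_private_ipv4(addr: str) -> bool:
    """True for addresses not routable on the public internet (RFC 1918,
    loopback, link-local, CGNAT 100.64/10, ...). Non-addresses return False."""
    try:
        return not ipaddress.IPv4Address(addr).is_global
    except ipaddress.AddressValueError:
        return False


def find_private_endpoint_failures(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """(peer, 'ip:port', errno) for every send failure aimed at a non-routable
    address: the signature of an endpoint name that resolved to a LAN address."""
    hits = []
    for line in log_lines:
        m = SEND_FAIL_RE.search(line)
        if m and is_private_ipv4(m.group("dst_ip")):
            hits.append((m.group("peer"), f"{m.group('dst_ip')}:{m.group('dst_port')}", m.group("errno")))
    return hits


def parse_wg_endpoint(client_conf: str) -> Optional[Tuple[str, int]]:
    """Host and port from the [Peer] Endpoint line (hostname or IPv4 literal;
    bracketed IPv6 literals are not handled here)."""
    m = re.search(r"^\s*Endpoint\s*=\s*(?P<host>[^:\s\[]+):(?P<port>\d+)", client_conf, re.M)
    return (m.group("host"), int(m.group("port"))) if m else None


def conflicting_pihole_records(custom_list: str, endpoint_host: str) -> List[str]:
    """custom.list lines mapping the VPN endpoint name to a non-routable address.
    Such a record is a split-horizon answer that breaks roaming clients whose
    DNS points at Pi-hole through the tunnel."""
    out = []
    for raw in custom_list.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[1].lower() == endpoint_host.lower() and is_private_ipv4(parts[0]):
            out.append(raw.strip())
    return out


def diagnose(log_lines: List[str], client_conf: str, custom_list: str) -> List[str]:
    """Human-readable findings; an empty list means nothing suspicious was found."""
    findings = []
    for peer, dst, errno in find_private_endpoint_failures(log_lines):
        findings.append(f"peer {peer}: sent to non-routable endpoint {dst} ({errno})")
    ep = parse_wg_endpoint(client_conf)
    if ep:
        host, _ = ep
        if is_private_ipv4(host):
            findings.append(f"client Endpoint is a LAN literal: {host}")
        for rec in conflicting_pihole_records(custom_list, host):
            findings.append(f"Pi-hole local record overrides endpoint name: {rec}")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_CLIENT_CONF, SAMPLE_CUSTOM_LIST):
        print("[!]", f)
```

Feed it a real log export from the app, the client .conf and a copy of /etc/pihole/custom.list; if diagnose() comes back empty while the log still shows handshake retries, the endpoint name is resolving correctly and the port forward or firewall path is the next thing to check.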

Thank you both.
I added my dyndns-name with the internal IP in the DNS settings of Pihole to avoid the certificate errors when accessing the pihole interface in the browser.
I removed the entry and today it works so far. I’ll give it a longer try, because as I said before, sometimes it worked anyway

Usually you should be able to reach DDNS systems from inside your network as well. Or does it not work? Otherwise your F!B should be able to update your DynDNS as well. This way you could avoid using the incorrect IP :wink: