Dietpi-VPN Killswitch Shuts Down DNS

It’s entirely possible I’m just not understanding how this works and this is expected but maybe there’s a fix.

I’m using Dietpi-VPN with PIA, a pihole and Unbound. Everything works fine UNTIL I try to enable the VPN Killswitch. Then I get “DNS Cannot be Resolved” errors for every website. I turn off the Killswitch and the errors remain until I reboot the Pi.

Is this the expected behavior? Or is there some way to have this work?

Usually the killswitch blocks all traffic which doesn’t go through the VPN. If pihole and unbound run on a different device, it is not weird that the communication is blocked, especially if the killswitch is too tight.
If pihole and unbound run on the same dietpi, then it depends on which nameservers they are using. If for example you are using the ones provided from the ISP, they won’t work through the vpn.
Which scenario is yours?

So they’re all running on the same device. I don’t know which nameservers I’m using, not sure how to check that.

Note, the pi is also my DHCP server if that matters.

Our Killswitch is blocking all communication to the DietPi device from the local network by default. Therefore DNS on the local network is failing.

Settings/DNS.

It matters.
Is the problem with the DNS when browsing on the DietPi or from another host in the LAN? As @Joulinar mentioned, enabling the killswitch cuts off all communication to the local LAN.

@trendy knows it better than I, but this could open DNS port 53 from the local network:

iptables -A INPUT -s 192.168.x.0/24 -p udp --dport 53 -j ACCEPT

That’s right (although it is better to add tcp/53 as well), but I guess you also need to allow the responses, either statefully or statelessly.
Also DHCP needs to be allowed.


Ok, to follow up on the questions here:

  1. This is for everything on the network, not just browsing on the Pi
  2. The Pi is located behind my router
  3. The Pi-hole is running as the DHCP server
  4. My Settings >> DNS are in the attached image.
  5. I entered both commands suggested by @Joulinar

Still having the same issue. If it’s not something that can be resolved it’s not a dealbreaker or anything, the VPN works fine and hasn’t had many disconnection issues. Just trying for that added layer of security if possible.

It is pointing to unbound. Which servers is the latter using?

On a default setup, it should be DNS root server. But I still guess it is the local network access that is cut off while the Killswitch is active.

Jep definitely, UDP port 53 incoming and outgoing packets need to be allowed from/to LAN, similar to how we do it for TCP port 22 (SSH). The respective rules could be copied and applied via post-up script in dietpi-vpn.

For DHCP again the same for UDP port 67 incoming and 68 outgoing, if I’m not mistaken.
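The post-up script suggested above, written out as an added example (not DietPi's own code): it generates and applies iptables rules that let LAN clients reach Pi-hole on 53/udp and 53/tcp, allow the replies statelessly, and allow DHCP on 67/68. The LAN subnet is an assumption; rules are inserted at the head of INPUT/OUTPUT so they take precedence over the killswitch drop rules, and setting IPT=echo dry-runs the script.

```shell
#!/bin/sh
# Assumed LAN subnet; change to match your network (example value).
LAN="${LAN:-192.168.1.0/24}"
# Command used to apply rules; set IPT=echo to print instead of applying.
IPT="${IPT:-iptables}"

# Print the rules, one per line, without applying them.
killswitch_lan_rules() {
    lan="$1"
    # DNS: queries from LAN clients to Pi-hole on 53/udp and 53/tcp, plus the replies.
    for proto in udp tcp; do
        printf '%s\n' "-I INPUT -s $lan -p $proto --dport 53 -j ACCEPT"
        printf '%s\n' "-I OUTPUT -d $lan -p $proto --sport 53 -j ACCEPT"
    done
    # DHCP: client discover/request arrives on 67/udp (broadcast, so no source filter),
    # server offer/ack leaves from 67/udp to 68/udp.
    printf '%s\n' "-I INPUT -p udp --sport 68 --dport 67 -j ACCEPT"
    printf '%s\n' "-I OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT"
}

# Apply every rule with $IPT, skipping rules that are already present (-C check).
killswitch_apply() {
    killswitch_lan_rules "$LAN" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        set -- $rule            # word-split the rule into arguments
        chain="$2"; shift 2     # drop "-I <chain>", keep the match/target part
        "$IPT" -C "$chain" "$@" 2>/dev/null || "$IPT" -I "$chain" "$@"
    done
}

# Only apply when invoked as "script.sh apply", e.g. from the dietpi-vpn post-up hook.
if [ "${1:-}" = apply ]; then
    killswitch_apply
fi
```

Run it as `sh killswitch-lan.sh apply` from the post-up hook; the rules do not survive a reboot, which is exactly why they belong in the hook rather than being added once by hand.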


Should we extend our docs on how to allow additional services while the killswitch is active? DietPi tools - DietPi.com Docs


That would save us some time. Or if @MichaIng can integrate some options in killswitch to allow certain ports.

Quite a good idea: An additional submenu to add/remove additional ports to be opened to LAN.


That I don’t know, I looked through the unbound configuration files but don’t see anything that seems to indicate that.

This has nothing to do with Unbound. It’s a feature of the killswitch to cut off all local network communication towards the DietPi device.