PiVPN successful handshake but external web pages don't load

Hi all,

I’m experiencing an issue accessing external webpages whilst using pivpn (wireguard) however locally hosted pages like pi-hole admin and Homebridge web ui open fine. Based on this, it confirms port forwarding is set up correctly.

As mentioned above I’m running pi-hole, and Unbound is also configured and all software packages were installed using dietpi-software.

It might be worth noting that I think this issue started after installing Unbound which was done some time after pi-hole and pivpn were set up. Additionally, whilst reviewing the debug output below it states that the pivpnDNS1= and the client DNS is the same IP, however pi-hole is configured to use Unbound as the DNS ( Not sure if that makes a difference or not.

Any guidance is greatly appreciated, many thanks.

::: Generating Debug Output
::::		PiVPN debug		 ::::
::::		Latest commit		 ::::
commit d7771c251418fa443869397d46f93c5b0c197558
Author: 4s3ti <4s3ti@protonmail.com>
Date:   Sat Feb 6 23:04:11 2021 +0100

    Merge branch test into master
    fixes #1234
    ci/cd fixes and improvements
::::	    Installation settings    	 ::::
ALLOWED_IPS=", ::0/0"
::::  Server configuration shown below   ::::
PrivateKey = server_priv
Address =
ListenPort = 51820
### begin PackmoorVPN ###
PublicKey = PackmoorVPN_pub
PresharedKey = PackmoorVPN_psk
AllowedIPs =
### end PackmoorVPN ###
::::  Client configuration shown below   ::::
PrivateKey = PackmoorVPN_priv
Address =

PublicKey = server_pub
PresharedKey = PackmoorVPN_psk
Endpoint = REDACTED:51820
AllowedIPs =, ::0/0
:::: 	Recursive list of files in	 ::::
::::	[4m/etc/wireguard shown below	 ::::


::::		Self check		 ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp

If I remember right, IP forwarding is not automatically enabled with PiVPN. Can you check:

iptables -L FORWARD
sysctl -a | grep forwarding

This is not related to the port forwarding from the router to the VPN server, which obviously works, but to forward incoming requests (that do not address LAN-internal hosts) on the VPN server system to the internet network adapter, to effectively share the internet connection to VPN clients.

To excluded any DNS related issues, you can try opening web page for testing while connected to your VPN server. On the other hand, check inside Pihole to have it set to listen on all interfaces and permit all origin

Hi MichaIng and Joulinar,

Thanks for helping out.

For the two queires,

iptables -L FORWARD
Chain FORWARD (policy ACCEPT)

sysctl -a | grep forwarding
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wg0.bc_forwarding = 0
net.ipv4.conf.wg0.forwarding = 1
net.ipv4.conf.wg0.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wg0.forwarding = 0
net.ipv6.conf.wg0.mc_forwarding = 0

As for loads without issue, however subsequently navigating to any other external site still doesn’t load. I also checked Pi-hole as suggested and I can confirm it is set up to listen on all interfaces.

If is loading within issue, it looks like a DNS issue. On Pihole you have 2 options, listen on all interfaces and listen on all interfaces + permit all origin. Which one was set?

For testing you could change DNS server inside the Wireguard client app to a public one.

Pi-hole is set to the first option “listen on all interfaces”.

I just changed the DNS in the Wireguard client config file to and web pages are working again. Does this mean I can’t use Unbound as the DNS when connected via the VPN? I tried pointing the Wireguard client to use DNS however web pages stopped loading again.


Inside Wireguard client app you need to use the VPN server IP 10.x.x.x. Depending what your server is configured for. As well inside Pihole try to set the other option, listen on all interfaces and permit all origin.

For me this is working quite well and at the end has nothing to do with unbound as Pihole is your DNS server you are targeting :wink: for the VPN client it doesn’t matter if you use unbound or not.

Thanks for your assistance Joulinar,

Strangely, after reverting the wireguard client app settings to the original server IP ( in my instance), external site are now working and no other settings have been adjusted on pi-hole. Not sure what was going on but it’s now working.

Thanks again.

Ok perfect :blush: