PiVPN successful handshake but external web pages don't load

Hi all,

I’m experiencing an issue accessing external web pages whilst using PiVPN (WireGuard); however, locally hosted pages like the Pi-hole admin and Homebridge web UI open fine. This confirms that port forwarding is set up correctly.

As mentioned above, I’m running Pi-hole, and Unbound is also configured; all software packages were installed using dietpi-software.

It might be worth noting that I think this issue started after installing Unbound, which was done some time after Pi-hole and PiVPN were set up. Additionally, whilst reviewing the debug output below, it states that pivpnDNS1=10.6.0.1 and the client DNS is the same IP; however, Pi-hole is configured to use Unbound as the DNS (127.0.0.1#5335). Not sure if that makes a difference or not.

Any guidance is greatly appreciated, many thanks.

::: Generating Debug Output
::::		PiVPN debug		 ::::
=============================================
::::		Latest commit		 ::::
commit d7771c251418fa443869397d46f93c5b0c197558
Author: 4s3ti <4s3ti@protonmail.com>
Date:   Sat Feb 6 23:04:11 2021 +0100

    Merge branch test into master
    
    fixes #1234
    ci/cd fixes and improvements
=============================================
::::	    Installation settings    	 ::::
PLAT=Debian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
install_user=dietpi
install_home=/home/dietpi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnPROTO=udp
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=0
INSTALLED_PACKAGES=(wireguard-tools)
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
ListenPort = 51820
### begin PackmoorVPN ###
[Peer]
PublicKey = PackmoorVPN_pub
PresharedKey = PackmoorVPN_psk
AllowedIPs = 10.6.0.2/32
### end PackmoorVPN ###
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = PackmoorVPN_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
PresharedKey = PackmoorVPN_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
:::: 	Recursive list of files in	 ::::
::::	/etc/wireguard shown below	 ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
PackmoorVPN.conf
clients.txt

/etc/wireguard/keys:
PackmoorVPN_priv
PackmoorVPN_psk
PackmoorVPN_pub
server_priv
server_pub
=============================================
::::		Self check		 ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================

If I remember right, IP forwarding is not automatically enabled with PiVPN. Can you check:

iptables -L FORWARD
sysctl -a | grep forwarding

This is not related to the port forwarding from the router to the VPN server, which obviously works, but to forwarding incoming requests (that do not address LAN-internal hosts) on the VPN server system to the internet network adapter, to effectively share the internet connection with VPN clients.

To exclude any DNS-related issues, you can try opening the web page 1.1.1.1 for testing while connected to your VPN server. On the other hand, check inside Pi-hole that it is set to listen on all interfaces and permit all origins.

Hi MichaIng and Joulinar,

Thanks for helping out.

For the two queries:

iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
sysctl -a | grep forwarding
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wg0.bc_forwarding = 0
net.ipv4.conf.wg0.forwarding = 1
net.ipv4.conf.wg0.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wg0.forwarding = 0
net.ipv6.conf.wg0.mc_forwarding = 0

As for the 1.1.1.1 test: it loads without issue; however, subsequently navigating to any other external site still doesn’t load. I also checked Pi-hole as suggested and I can confirm it is set up to listen on all interfaces.

If 1.1.1.1 is loading without issue, it looks like a DNS issue. On Pi-hole you have two options: “listen on all interfaces” and “listen on all interfaces + permit all origins”. Which one was set?

For testing, you could change the DNS server inside the WireGuard client app to a public one.

Pi-hole is set to the first option, “listen on all interfaces”.

I just changed the DNS in the WireGuard client config file to 1.1.1.1 and web pages are working again. Does this mean I can’t use Unbound as the DNS when connected via the VPN? I tried pointing the WireGuard client to use DNS 127.0.0.1; however, web pages stopped loading again.

Cheers.

Inside the WireGuard client app you need to use the VPN server IP 10.x.x.x, depending on what your server is configured for. Also, inside Pi-hole, try to set the other option: listen on all interfaces and permit all origins.

For me this is working quite well, and in the end it has nothing to do with Unbound, as Pi-hole is the DNS server you are targeting :wink: For the VPN client it doesn’t matter if you use Unbound or not.
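Putting MichaIng's forwarding/NAT point and Joulinar's DNS point together, here is an added example (my own code, not from the thread, PiVPN or DietPi) that checks a PiVPN debug dump for the mismatches discussed: IPv4 forwarding and a MASQUERADE rule for the tunnel subnet out of the WAN device, whether the client's AllowedIPs routes IPv6 that the server cannot forward, and whether the client's DNS entry points at the server's tunnel address rather than at 127.0.0.1 (which, as the thread shows, points the client at itself). The sysctl, NAT-table and .conf text below are constructed to mirror the output posted above; the `iptables -t nat -S POSTROUTING` listing and the hostname vpn.example are assumptions.

```python
"""Consistency checks for a PiVPN/WireGuard full-tunnel setup (added example, not
PiVPN code). Parses the kind of output posted in the thread and reports the
mismatches that give "handshake OK, but nothing loads". All samples are constructed.
"""
import ipaddress
import re

# Constructed sample modelled on `sysctl -a | grep forwarding` in the thread.
SYSCTL = """\
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.wg0.forwarding = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.wg0.forwarding = 0
"""
# Constructed `iptables -t nat -S POSTROUTING` with a NAT rule for the tunnel subnet.
NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE
"""
SERVER_CONF = """\
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
ListenPort = 51820
"""
CLIENT_CONF = """\
[Interface]
PrivateKey = client_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
Endpoint = vpn.example:51820
AllowedIPs = 0.0.0.0/0, ::0/0
"""


def parse_kv(conf):
    """Flatten a wg .conf into {key: value}; section headers and comments are skipped."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def forwarding_enabled(sysctl_out, family, dev="all"):
    """True if net.<family>.conf.<dev>.forwarding = 1 appears in the sysctl dump."""
    pattern = rf"^net\.{family}\.conf\.{re.escape(dev)}\.forwarding = (\d)"
    match = re.search(pattern, sysctl_out, re.M)
    return match is not None and match.group(1) == "1"


def masquerade_for(nat_out, vpn_net, wan_dev):
    """True if a MASQUERADE rule covers vpn_net leaving via wan_dev (or any device)."""
    net = ipaddress.ip_network(vpn_net)
    for line in nat_out.splitlines():
        if "-j MASQUERADE" not in line:
            continue
        src = re.search(r"-s (\S+)", line)
        out = re.search(r"-o (\S+)", line)
        if src and ipaddress.ip_network(src.group(1)) == net:
            if out is None or out.group(1) == wan_dev:
                return True
    return False


def check(sysctl_out, nat_out, server_conf, client_conf, wan_dev="eth0"):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    srv_if = ipaddress.ip_interface(parse_kv(server_conf)["Address"])
    vpn_net = srv_if.network
    cli = parse_kv(client_conf)
    allowed = [ipaddress.ip_network(a.strip()) for a in cli["AllowedIPs"].split(",")]
    routes_v4 = any(n.version == 4 for n in allowed)
    routes_v6 = any(n.version == 6 for n in allowed)
    # Routing side: forwarding and NAT on the server.
    if routes_v4 and not forwarding_enabled(sysctl_out, "ipv4"):
        findings.append("IPv4 forwarding disabled; fix: sysctl -w net.ipv4.ip_forward=1")
    if routes_v4 and not masquerade_for(nat_out, str(vpn_net), wan_dev):
        findings.append(f"no MASQUERADE for {vpn_net} via {wan_dev}; fix: iptables -t nat "
                        f"-A POSTROUTING -s {vpn_net} -o {wan_dev} -j MASQUERADE")
    if routes_v6 and not forwarding_enabled(sysctl_out, "ipv6"):
        findings.append("client sends ::/0 into the tunnel but the server does not forward "
                        "IPv6: IPv6 destinations are unreachable via the VPN (IPv4 unaffected)")
    # DNS side: the resolver address must be reachable from inside the tunnel.
    dns = ipaddress.ip_address(cli["DNS"])
    if dns.is_loopback:
        findings.append("DNS = 127.0.0.1 is the client itself, not Pi-hole on the server; "
                        f"use the server's tunnel address {srv_if.ip}")
    elif dns in vpn_net and dns != srv_if.ip:
        findings.append(f"DNS {dns} is inside {vpn_net} but is not the server address {srv_if.ip}")
    return findings


if __name__ == "__main__":
    for finding in check(SYSCTL, NAT_RULES, SERVER_CONF, CLIENT_CONF) or ["no inconsistencies"]:
        print(finding)
```

On a real box, feed it the output of `sysctl -a | grep forwarding`, `iptables -t nat -S POSTROUTING`, `/etc/wireguard/wg0.conf` and the client's .conf. With the thread's own values the only finding is the IPv6 one, which is expected for an IPv4-only tunnel and explains why `1.1.1.1` (IPv4) loaded. The check can only tell whether the DNS address is placed correctly; whether Pi-hole actually answers queries arriving from 10.6.0.0/24 is the "listen on all interfaces / permit all origins" setting Joulinar mentions, which has to be verified in Pi-hole itself.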

Thanks for your assistance Joulinar,

Strangely, after reverting the WireGuard client app settings to the original server IP (10.6.0.1 in my instance), external sites are now working and no other settings have been adjusted on Pi-hole. Not sure what was going on, but it’s now working.

Thanks again.

Ok perfect :blush: