I’m experiencing an issue accessing external webpages whilst using pivpn (wireguard); however, locally hosted pages like the pi-hole admin and Homebridge web UI open fine. Based on this, it confirms port forwarding is set up correctly.
As mentioned above I’m running pi-hole, and Unbound is also configured and all software packages were installed using dietpi-software.
It might be worth noting that I think this issue started after installing Unbound which was done some time after pi-hole and pivpn were set up. Additionally, whilst reviewing the debug output below it states that the pivpnDNS1=10.6.0.1 and the client DNS is the same IP, however pi-hole is configured to use Unbound as the DNS (127.0.0.1#5335). Not sure if that makes a difference or not.
Any guidance is greatly appreciated, many thanks.
::: Generating Debug Output
:::: PiVPN debug ::::
:::: Latest commit ::::
Author: 4s3ti <email@example.com>
Date: Sat Feb 6 23:04:11 2021 +0100
Merge branch test into master
ci/cd fixes and improvements
:::: Installation settings ::::
:::: Server configuration shown below ::::
PrivateKey = server_priv
Address = 10.6.0.1/24
ListenPort = 51820
### begin PackmoorVPN ###
PublicKey = PackmoorVPN_pub
PresharedKey = PackmoorVPN_psk
AllowedIPs = 10.6.0.2/32
### end PackmoorVPN ###
:::: Client configuration shown below ::::
PrivateKey = PackmoorVPN_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1
PublicKey = server_pub
PresharedKey = PackmoorVPN_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
:::: Recursive list of files in ::::
:::: /etc/wireguard shown below ::::
:::: Self check ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
If I remember right, IP forwarding is not automatically enabled with PiVPN. Can you check:
iptables -L FORWARD
sysctl -a | grep forwarding
This is not related to the port forwarding from the router to the VPN server, which obviously works, but to forward incoming requests (that do not address LAN-internal hosts) on the VPN server system to the internet network adapter, to effectively share the internet connection to VPN clients.
To exclude any DNS-related issues, you can try opening the web page 188.8.131.52 for testing while connected to your VPN server. On the other hand, check inside Pi-hole that it is set to listen on all interfaces and permit all origins.
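One way to script the three checks the reply above asks for (IP forwarding, the FORWARD chain, and the MASQUERADE rule). This is an added example, not PiVPN's own code; the interface name wg0 and the subnet 10.6.0.0/24 are assumptions taken from the Address line in the debug output, and can be overridden via environment variables.

```shell
#!/bin/sh
# Added check script, not part of PiVPN. Interface name and VPN subnet are
# assumptions (derived from the debug output's Address = 10.6.0.1/24).
WG_IF="${WG_IF:-wg0}"
VPN_NET="${VPN_NET:-10.6.0.0/24}"

# Each checker reads command output on stdin, so it can also be run against
# captured text (e.g. output pasted into a forum post) without root.

# Passes if `sysctl net.ipv4.ip_forward` reports the value 1.
check_ip_forward() {
    grep -q '^net\.ipv4\.ip_forward *= *1 *$'
}

# Passes if `iptables -S FORWARD` shows either an ACCEPT policy or an explicit
# ACCEPT rule for packets arriving on the VPN interface ($1).
check_forward_chain() {
    grep -Eq -- "^-P FORWARD ACCEPT$|^-A FORWARD .*-i $1 .*-j ACCEPT"
}

# Passes if `iptables -t nat -S POSTROUTING` has a MASQUERADE rule for the
# VPN subnet ($1); without it, replies from the internet have no route back
# to the 10.6.0.x clients, which matches the symptom in this thread.
check_masquerade() {
    grep -Eq -- "^-A POSTROUTING .*-s $1 .*-j MASQUERADE"
}

# Prints a PiVPN-style [OK]/[FAIL] line for a check fed from a live command.
report() {  # report "label" "command" checker [checker-arg]
    label=$1; cmd=$2; shift 2
    if sh -c "$cmd" 2>/dev/null | "$@"; then
        echo ":: [OK] $label"
    else
        echo ":: [FAIL] $label (inspect with: $cmd)"
    fi
}

# Live run only when root and iptables is present; otherwise only the
# functions are defined, for use on captured output.
if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    report "IP forwarding is enabled" "sysctl net.ipv4.ip_forward" check_ip_forward
    report "FORWARD chain lets $WG_IF traffic through" "iptables -S FORWARD" \
        check_forward_chain "$WG_IF"
    report "NAT MASQUERADE rule for $VPN_NET present" "iptables -t nat -S POSTROUTING" \
        check_masquerade "$VPN_NET"
fi
```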
184.108.40.206 loads without issue, however subsequently navigating to any other external site still doesn’t load. I also checked Pi-hole as suggested and I can confirm it is set up to listen on all interfaces.
Pi-hole is set to the first option “listen on all interfaces”.
I just changed the DNS in the Wireguard client config file to 220.127.116.11 and web pages are working again. Does this mean I can’t use Unbound as the DNS when connected via the VPN? I tried pointing the Wireguard client to use DNS 127.0.0.1 however web pages stopped loading again.
Inside the Wireguard client app you need to use the VPN server IP 10.x.x.x, depending on what your server is configured for. Also, inside Pi-hole try to set the other option, listen on all interfaces and permit all origins.
For me this is working quite well, and in the end it has nothing to do with Unbound: as Pi-hole is the DNS server you are targeting for the VPN client, it doesn’t matter whether you use Unbound or not.
Strangely, after reverting the Wireguard client app settings to the original server IP (10.6.0.1 in my instance), external sites are now working and no other settings have been adjusted on pi-hole. Not sure what was going on, but it’s now working.