PiVPN successful handshake but external web pages don't load Topic is solved

Having issues with your DietPi installation or found a bug? Post it here.
Post Reply
danmo117
Posts: 18
Joined: Wed Jun 03, 2020 4:01 pm

PiVPN successful handshake but external web pages don't load

Post by danmo117 »

Hi all,

I'm experiencing an issue accessing external webpages whilst using pivpn (wireguard) however locally hosted pages like pi-hole admin and Homebridge web ui open fine. Based on this, it confirms port forwarding is set up correctly.

As mentioned above I'm running pi-hole, and Unbound is also configured and all software packages were installed using dietpi-software.

It might be worth noting that I think this issue started after installing Unbound which was done some time after pi-hole and pivpn were set up. Additionally, whilst reviewing the debug output below it states that the pivpnDNS1=10.6.0.1 and the client DNS is the same IP, however pi-hole is configured to use Unbound as the DNS (127.0.0.1#5335). Not sure if that makes a difference or not.

Any guidance is greatly appreciated, many thanks.

Code: Select all

::: Generating Debug Output
::::		PiVPN debug		 ::::
=============================================
::::		Latest commit		 ::::
commit d7771c251418fa443869397d46f93c5b0c197558
Author: 4s3ti <4s3ti@protonmail.com>
Date:   Sat Feb 6 23:04:11 2021 +0100

    Merge branch test into master
    
    fixes #1234
    ci/cd fixes and improvements
=============================================
::::	    Installation settings    	 ::::
PLAT=Debian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
install_user=dietpi
install_home=/home/dietpi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnPROTO=udp
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=0
INSTALLED_PACKAGES=(wireguard-tools)
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
ListenPort = 51820
### begin PackmoorVPN ###
[Peer]
PublicKey = PackmoorVPN_pub
PresharedKey = PackmoorVPN_psk
AllowedIPs = 10.6.0.2/32
### end PackmoorVPN ###
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = PackmoorVPN_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
PresharedKey = PackmoorVPN_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
:::: 	Recursive list of files in	 ::::
::::	[4m/etc/wireguard shown below	 ::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
PackmoorVPN.conf
clients.txt

/etc/wireguard/keys:
PackmoorVPN_priv
PackmoorVPN_psk
PackmoorVPN_pub
server_priv
server_pub
=============================================
::::		Self check		 ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================
User avatar
MichaIng
Site Admin
Posts: 2783
Joined: Sat Nov 18, 2017 6:21 pm

Re: PiVPN successful handshake but external web pages don't load

Post by MichaIng »

If I remember right, IP forwarding is not automatically enabled with PiVPN. Can you check:

Code: Select all

iptables -L FORWARD
sysctl -a | grep forwarding
This is not related to the port forwarding from the router to the VPN server, which obviously works, but to forward incoming requests (that do not address LAN-internal hosts) on the VPN server system to the internet network adapter, to effectively share the internet connection to VPN clients.
User avatar
Joulinar
Posts: 4249
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN successful handshake but external web pages don't load

Post by Joulinar »

To excluded any DNS related issues, you can try opening web page 1.1.1.1 for testing while connected to your VPN server. On the other hand, check inside Pihole to have it set to listen on all interfaces and permit all origin
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
danmo117
Posts: 18
Joined: Wed Jun 03, 2020 4:01 pm

Re: PiVPN successful handshake but external web pages don't load

Post by danmo117 »

MichaIng wrote: Mon Apr 05, 2021 1:22 pm If I remember right, IP forwarding is not automatically enabled with PiVPN. Can you check:

Code: Select all

iptables -L FORWARD
sysctl -a | grep forwarding
This is not related to the port forwarding from the router to the VPN server, which obviously works, but to forward incoming requests (that do not address LAN-internal hosts) on the VPN server system to the internet network adapter, to effectively share the internet connection to VPN clients.
Hi MichaIng and Joulinar,

Thanks for helping out.

For the two queires,
iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
sysctl -a | grep forwarding
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wg0.bc_forwarding = 0
net.ipv4.conf.wg0.forwarding = 1
net.ipv4.conf.wg0.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wg0.forwarding = 0
net.ipv6.conf.wg0.mc_forwarding = 0
As for
Joulinar wrote: Mon Apr 05, 2021 1:32 pm To excluded any DNS related issues, you can try opening web page 1.1.1.1 for testing while connected to your VPN server. On the other hand, check inside Pihole to have it set to listen on all interfaces and permit all origin
1.1.1.1 loads without issue, however subsequently navigating to any other external site still doesn't load. I also checked Pi-hole as suggested and I can confirm it is set up to listen on all interfaces.
User avatar
Joulinar
Posts: 4249
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN successful handshake but external web pages don't load

Post by Joulinar »

If 1.1.1.1 is loading within issue, it looks like a DNS issue. On Pihole you have 2 options, listen on all interfaces and listen on all interfaces + permit all origin. Which one was set?

For testing you could change DNS server inside the Wireguard client app to a public one.
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
danmo117
Posts: 18
Joined: Wed Jun 03, 2020 4:01 pm

Re: PiVPN successful handshake but external web pages don't load

Post by danmo117 »

Joulinar wrote: Mon Apr 05, 2021 5:22 pm If 1.1.1.1 is loading within issue, it looks like a DNS issue. On Pihole you have 2 options, listen on all interfaces and listen on all interfaces + permit all origin. Which one was set?

For testing you could change DNS server inside the Wireguard client app to a public one.
Pi-hole is set to the first option "listen on all interfaces".

I just changed the DNS in the Wireguard client config file to 1.1.1.1 and web pages are working again. Does this mean I can't use Unbound as the DNS when connected via the VPN? I tried pointing the Wireguard client to use DNS 127.0.0.1 however web pages stopped loading again.

Cheers.
User avatar
Joulinar
Posts: 4249
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN successful handshake but external web pages don't load

Post by Joulinar »

Inside Wireguard client app you need to use the VPN server IP 10.x.x.x. Depending what your server is configured for. As well inside Pihole try to set the other option, listen on all interfaces and permit all origin.

For me this is working quite well and at the end has nothing to do with unbound as Pihole is your DNS server you are targeting ;) for the VPN client it doesn't matter if you use unbound or not.
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
danmo117
Posts: 18
Joined: Wed Jun 03, 2020 4:01 pm

Re: PiVPN successful handshake but external web pages don't load

Post by danmo117 »

Joulinar wrote: Mon Apr 05, 2021 5:36 pm Inside Wireguard client app you need to use the VPN server IP 10.x.x.x. Depending what your server is configured for. As well inside Pihole try to set the other option, listen on all interfaces and permit all origin.

For me this is working quite well and at the end has nothing to do with unbound as Pihole is your DNS server you are targeting ;) for the VPN client it doesn't matter if you use unbound or not.
Thanks for your assistance Joulinar,

Strangely, after reverting the wireguard client app settings to the original server IP (10.6.0.1 in my instance), external site are now working and no other settings have been adjusted on pi-hole. Not sure what was going on but it's now working.

Thanks again.
User avatar
Joulinar
Posts: 4249
Joined: Sat Nov 16, 2019 12:49 am

Re: PiVPN successful handshake but external web pages don't load

Post by Joulinar »

Ok perfect 😊
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
Post Reply