Resolved: Pihole for VPN-Clients (Prioritization of DNS-Server)


Yes, I read it too and changed my settings. But the server config is still not used; I had to configure Viscosity manually, even if I deactivate “ignore VPN-Server settings”.

Thank you for your hint with host-to-net.conf. I will try it.

Typical FYI if you want the changes to be permanent you’d have to copy & expand the custom host-to-net template. I’m very new to this concept and would reach out to @Andy_Wismer if you get stuck on this last part.


I don’t think I see any difference with your setup

Yours:
System >> DNS-Record: 2.2.2.2 (your preferred DNS-Server)

My setup:

System >> Dashboard >> DNS: 192.168.3.1, 8.8.8.8
System >> DNS inside of DHCP-Server: 192.168.3.3 (pihole)

System >> DNS-Record: pihole.lan.home 192.168.3.3

within LAN:

with VPN with automatically configured Viscosity (surprising):

also surprising now:

What did I do / change??? To make the screenshot of my DHCP config, I saved the DHCP configuration again.
Should this resolve the problems?

But my OpenVPN client on the iPhone doesn’t use the Pihole (192.168.3.3).

I’m really confused…

have to copy & expand the custom host-to-net template

I have not yet dared to use the template concept due to a lack of skills.
In this respect, it would be good if someone else could take on this topic.

@Andy_Wismer uses both (VPN and Pihole) himself. But I do not know if he makes the Pihole also available to his VPN clients.

I tried it:

my OpenVPN-Client on my iPhone gets all provided configuration:

2021-02-13 17:34:48 Sending PUSH_REQUEST to server…

2021-02-13 17:34:49 OPTIONS:
0 [dhcp-option] [DOMAIN] [lan.home]
1 [dhcp-option] [DNS] [192.168.3.3]
2 [dhcp-option] [WINS] [10.99.10.1]
3 [dhcp-option] [NBDD] [10.99.10.1]
4 [dhcp-option] [NBT] [2]
5 [block-outside-dns]
6 [register-dns]
7 [route] [192.168.3.0] [255.255.255.0]
8 [route] [192.168.3.0] [255.255.255.0]
9 [route-gateway] [10.99.10.1]
10 [topology] [subnet]
11 [ping] [20]
12 [ping-restart] [120]
13 [ifconfig] [10.99.10.93] [255.255.255.0]
14 [peer-id] [0]
15 [cipher] [AES-256-GCM]
16 [block-ipv6]

But the iPhone did not use the Pihole as DNS server and uses one with an IPv6 address instead.

Is the duplicated push route suspicious?

added some information above.

Andy gave us the answer here as a quick how to.

Step 1 - Create directory for host-to-net.conf template

mkdir -p /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/

Step 2 - Copy template files to new directory

cp -r /etc/e-smith/templates/etc/openvpn/host-to-net.conf/* /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/

Step 3 - Add desired configuration to file within new custom-templates directory

nano /etc/e-smith/templates-custom/etc/openvpn/host-to-net.conf/customDNSsettings

Content of the file:

push "block-outside-dns"
push "register-dns"
#Royce was here

Save your edited file. NOTE the name is arbitrarily set (the CustomDNSsettings name can be labeled whatever you want).

Step 4 - Expand the template to include the custom settings into Road Warrior VPN

expand-template /etc/openvpn/host-to-net.conf

Step 5 - Restart Road Warrior service

systemctl restart openvpn@host-to-net

On a side note I did some testing with my Android phone & a Pop!_OS VM with Pi-Hole as the DNS server. I found that even though I was connected to the VPN, when I used utilities like dig & nslookup I would have my primary DNS (or whatever the app has hard coded) respond with an authoritative answer, but when I pinged the address the Pi-Hole was used for resolution on my split tunnel VPN. As a test in Pi-Hole I created a custom DNS entry for google.com as an A record of 10.65.65.254. This makes me think that the DNS to the Pi-Hole may be working as intended but I cannot 100% validate it. See picture for results:

NS LAN - 10.22.0.1/24 acting as a gateway/router with RED interface of 10.0.99.125.
Pi-Hole - 10.22.0.3
OpenVPN Network - 10.22.22.0/24

OpenVPN RoadWarrior Config

dev tunrw
server 10.22.22.0 255.255.255.0
ifconfig-pool-persist host-to-net.pool 0

# UDP server

port 1194
proto udp
topology subnet

client-connect /usr/libexec/nethserver/openvpn-connect
client-disconnect /usr/libexec/nethserver/openvpn-disconnect
script-security 3
float
multihome
dh /var/lib/nethserver/certs/dh1024.pem
ca /etc/pki/tls/certs/NSRV.crt
cert /etc/pki/tls/certs/NSRV.crt
key /etc/pki/tls/private/NSRV.key
crl-verify /var/lib/nethserver/certs/crl.pem
client-to-client
push "dhcp-option DOMAIN nethsa.ga"
push "dhcp-option DNS 10.22.0.3"
push "dhcp-option WINS 10.22.22.1"
push "dhcp-option NBDD 10.22.22.1"
push "dhcp-option NBT 2"
push "route 10.22.0.0 255.255.255.0"

# Authentication: certificate

status /var/log/openvpn/host-to-net-status.log
log-append /var/log/openvpn/openvpn.log

passtos
keepalive 20 120
client-config-dir ccd
persist-key
persist-tun
management /var/spool/openvpn/host-to-net unix
verb 3
# appended by the custom template fragment from the steps above
push "block-outside-dns"
push "register-dns"

EDIT - further testing this on my Android OpenVPN connection I blacklisted Facebook.com with Wildcard and when connected to the VPN Facebook.com is unreachable on my android mobile device. Maybe the apps we are using for the nslookup/dig are just feeding us bad information and the VPN/DNS settings are working as expected?

Hi

I’d think the above is true.
As the App designer can never be sure you have DNS working, they probably use a hard coded DNS like Google.
Better coding would be to test for a local DNS, if yes use it, if no report a message and use google or whatever!

My 2 cents
Andy

Hi @royceb
I did it, thank you for your guidance.

I found that even though I was connected to the VPN when I used utilities like dig & nslookup I would have my primary DNS (or whatever the app has hard coded) respond with an authoritative answer

…perhaps the at my iPhone, that confused me.

Some test cases with blocked facebook.com, facebook.net, facebook.de.
Between each try I cleared the DNS cache.

Case 1: MacBook connected via (W)LAN / no VPN:

marko@MacBook-Pro-16 ~ scutil --dns
DNS configuration
resolver #1
  search domain[0] : lan.home
  nameserver[0] : 192.168.3.3
marko@MacBook-Pro-16 ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 2 IN A 0.0.0.0

;; Query time: 42 msec
;; SERVER: 192.168.3.3#53(192.168.3.3)
;; WHEN: Sun Feb 14 11:19:27 CET 2021
;; MSG SIZE rcvd: 46

Case 2: MacBook connected via (W)LAN / + VPN:

marko@MacBook-Pro16-VPN ~ scutil --dns
DNS configuration
resolver #1
  search domain[0] : lan.home
  nameserver[0] : 192.168.3.3
marko@MacBook-Pro16-VPN ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40250
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 2 IN A 0.0.0.0

;; Query time: 38 msec
;; SERVER: 192.168.3.3#53(192.168.3.3)
;; WHEN: Sun Feb 14 11:23:02 CET 2021
;; MSG SIZE rcvd: 46

Case 3: MacBook connected via personal hotspot of an iPhone (no VPN on iPhone) / no VPN on MacBook Pro:

marko@MacBook-Pro-16 ~ scutil --dns
DNS configuration

resolver #1
  nameserver[0] : fe80::c02:e61:9135:4a12%en0
  nameserver[1] : 172.20.10.1

marko@MacBook-Pro-16 ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 112 IN A 69.171.250.35

;; Query time: 54 msec
;; SERVER: 172.20.10.1#53(172.20.10.1)
;; WHEN: Sun Feb 14 11:28:12 CET 2021
;; MSG SIZE rcvd: 57

Case 4: MacBook connected via personal hotspot of an iPhone (VPN on iPhone) / no VPN on MacBook Pro:

marko@MacBook-Pro-16 ~ scutil --dns
DNS configuration

resolver #1
  nameserver[0] : fe80::c02:e61:9135:4a12%en0
  nameserver[1] : 172.20.10.1

marko@MacBook-Pro-16 ~ dig facebook.com

; <<>> DiG 9.10.6 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34097
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 264 IN A 69.171.250.35

;; Query time: 52 msec
;; SERVER: 172.20.10.1#53(172.20.10.1)
;; WHEN: Sun Feb 14 11:31:10 CET 2021
;; MSG SIZE rcvd: 57

marko@MacBook-Pro-16  ~  ping facebook.com  ✔  584  11:31:43 PING facebook.com (69.171.250.35): 56 data bytes 64 bytes from 69.171.250.35: icmp_seq=0 ttl=50 time=55.917 ms 64 bytes from 69.171.250.35: icmp_seq=1 ttl=50 time=39.596 ms

Case 5: iPhone with OpenVPN on iPhone
(Clearing DNS-Cache via Airplane Mode)

OpenVPN-Log:

2021-02-14 11:37:58 OPTIONS:
0 [dhcp-option] [DOMAIN] [lan.home]
1 [dhcp-option] [DNS] [192.168.3.3]
2 [dhcp-option] [WINS] [10.99.10.1]
3 [dhcp-option] [NBDD] [10.99.10.1]
4 [dhcp-option] [NBT] [2]
5 [route] [192.168.3.0] [255.255.255.0]
6 [route] [192.168.3.0] [255.255.255.0]
7 [block-outside-dns]
8 [register-dns]

iSH-Shell:

iPhone11Pro:~# ping facebook.de
PING facebook.de (2a03:2880:f0ff:e:face:b00c:0:2) 56 data bytes
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=0 ttl=-1 time=30.997 ms
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=1 ttl=-1 time=31.749 ms
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=2 ttl=-1 time=30.302 ms
64 bytes from 2a03:2880:f0ff:e:face:b00c:0:2: seq=3 ttl=-1 time=30.495 ms
^C
facebook.de ping statistics
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 30.302/30.885/31.749 ms

iPhone11Pro:~# drill facebook.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61372
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 69 IN A 69.171.250.35

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 43 msec
;; SERVER: 10.74.210.211
;; WHEN: Sun Feb 14 10:41:52 2021
;; MSG SIZE rcvd: 46

I verified this behavior on a second iPhone with the same result after test case 6.

Case 6: iPad with OpenVPN on iPad
SENSATION

iPad-Pro:~# ping facebook.com
PING facebook.com (0.0.0.0): 56 data bytes
ping: sendto: Socket not connected

iPad-Pro:~# drill facebook.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 20708
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; facebook.com. IN A

;; ANSWER SECTION:
facebook.com. 2 IN A 0.0.0.0

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 19 msec
;; SERVER: 192.168.3.3
;; WHEN: Sun Feb 14 10:49:50 2021
;; MSG SIZE rcvd: 46
iPad-Pro:~#

ping and drill against the Pihole itself are also successful.

Summary

  • VPN from my MacBook works as expected
  • VPN from different iPhones misses
  • VPN from iPad works as expected

… I’m still confused.

Probably I can find an answer on Google.
@royceb: Thank you for your attention.

Additionally: Even if I use Passepartout as VPN client and manually overwrite the DNS server, the iPhone does not use my local DNS server.
Although I’m pretty cautious with such assumptions, since I wouldn’t assume I’d be the first to notice something like that, it looks to me like iOS 14 has a problem getting local DNS servers to default.
iPad OS on the other hand does not, which also seems strange.
Anyway, I’m at a dead end.

@capote
@royceb

Hi

Maybe just to answer a few questions:

I do have OpenVPN & IPsec RoadWarrior VPNs to home. I do NOT use these to surf the Internet when I’m out of the house, but on my Macbook the PI-Hole is respected…

I NEVER surf with my iPhone, I only access mail, weather and maybe news and the railway timetable, most of these are with Apps (except for news). I do not like using a small screen…
I maybe use to test if a site is available (Firewall tests, for example!), but not really surfing.


These are settings which must be set (at least for me!)…
iOS now features a “fake” MAC address to thwart trackers! That’s not bad, but it is not WLAN dependent, it’s globally set. :frowning:
Now, I’d like my device to use the allocated DNS when at home, nothing else!
I have home control, which needs to know if I’m at home or not!
So I have to globally deactivate this - at least until Apple provides a per WLan AP setting for this.

The second one is to show that my PI-Hole is respected at home - I’ve never tested it from outside, indeed, I’ve never installed a VPN on my phone, I use it really exclusively to phone, SMS and read mail - I almost NEVER write a response on my iPhone…

This shows that my PI-Hole is used, at least when I’m at home!

My 2 cents
Andy

Hi Andy, inside my LAN the Pihole works properly as local DNS server. OpenVPN I tested only with the 4G connection.
But I have traditionally disabled the private Wi-Fi address as well, for the same reason as you.
Sincerely, Marko

Hi Marko

Both Roadwarrior VPNs (OpenVPN & IPsec) work correctly, but as said, I’ve never used VPN on my iPhone…
But on my Mac, they work also using the personal Hotspot in my iPhone…

Best regards from very sunny and very cold Bodensee!
Andy

perhaps you can try it for me? :slight_smile:

I can test it with my old iPhone next week…

Will report.

Random question, is it possible to virtualize the Mac OS and IPhone OS in Proxmox for testing?

@royceb

Hi Royce

Ever heard of a Hackintosh?

Did a triple boot on the 2010 “Netbooks” with MacOS, Linux and Windows, the second one with Mac, Linux and OpenBSD…

You can install Proxmox directly on say a newer Mac Mini, these are quite powerful little (expensive) b*stards. Then it would be legal to install and run MacOS virtualized…
If you then - eg due to HA move it to other hardware - sh*t happens… But it’ll still keep on running. I think the Proxmox needs at least a Haswell CPU (Old anyways…)

My 2 cents
Andy

iPhone emulation is AFAIK only available in Apple’s IDE (Xcode, for free!). It’s quite powerful, but you need a Mac… (Or Hackintosh…)


I found the solution.
iPhones use IPv4 and IPv6 simultaneously. Since Road Warrior only provides IPv4 information to the iPhone, within a LAN the IPv4 DNS server/gateway are used.

Outside it uses the IPv6 servers.
I override this behavior by using the app Passepartout and deactivating the IPv6 gateway. It is not enough to configure only the DNS server manually.

The same configured in Viscosity on my MacBook:

Now it works.


@capote

I actually deactivate IPv6 in a NethServer environment, be it for Win, Mac or Linux and Tablets / Smartphones.
IPv6 is also deactivated on my OPNsense for that reason…

This is not a statement for delaying IPv6 on NethServer! :slight_smile:
It must come with NS8…

My 2 cents
Andy


I don’t know of any way to generally disable IPv6 on iOS.

@capote

You can’t! What you did was the right way! :slight_smile:
(It’s only an issue in a NS environment, no issues with the rest of the Internet!)
