pivpn: [Support] PiVPN+Wireguard Internet access doesn't work while on Pihole DNS

In raising this issue, I confirm the following:

{please fill the checkboxes, e.g: [X]}

  • I have read and understood the contributors guide.
  • The issue I am reporting can be replicated.
  • The issue I am reporting is directly related to the pivpn installer script.
  • The issue I am reporting isn’t a duplicate (see FAQs, closed issues, and open issues).

Issue

I have a fresh install of PiVPN with Wireguard, on top of an also-freshly installed Pi-hole DNS server. At first, I thought that clients connected to the Wireguard server had no connectivity, but based on the FAQ/another issue, I loaded the VPN connection on my phone over mobile data AND changed the DNS server to 8.8.8.8, which caused the VPN to work (it does not work without the edited DNS server).

Presumably there is some bad interaction happening with PiVPN and Pi-hole, but it’s not clear to me where. Pi-hole seems to work fine in isolation, and PiVPN works when the client is totally off of my home LAN.

Have you searched for similar issues and solutions?

(yes/no / which issues?)

  • https://github.com/pivpn/pivpn/issues/1162
  • https://github.com/pivpn/pivpn/issues/1190
  • https://github.com/pivpn/pivpn/issues/1192 (tried setting Pi-hole DNS to listen on eth0 only, didn’t help)
  • https://github.com/pivpn/pivpn/issues/1195

Console output of curl -L install.pivpn.dev | bash

::: Update option selected.
::: The updating functionality for PiVPN scripts is temporarily disabled
::: To keep the VPN (and the system) up to date, use 'apt update' and 'apt upgrade'

Console output of pivpn add or pivpn add nopass

::: Client Keys generated
::: Client config generated
::: Updated server config
::: Updated hosts file for Pi-hole
::: WireGuard reloaded
======================================================================
::: Done! foo.conf successfully created!
::: foo.conf was copied to /home/pi/configs for easy transfer.
::: Please use this profile only on one device and create additional
::: profiles for other devices. You can also use pivpn -qr
::: to generate a QR Code you can scan with the mobile app.
======================================================================

Console output of pivpn debug

::: Generating Debug Output
::::		PiVPN debug		::::
=============================================
::::		Latest commit		::::
commit 13f0fe7cbdcdb31537b3fd0e2eb34652e886cc1b
Author: 4s3ti <4s3ti@protonmail.com>
Date:   Wed Dec 9 19:22:29 2020 +0100

    ProBot Stale
    
    Added probot integration to marke topics as inactives and automatically
    close them.
    read .github/stale.yml for more details.
=============================================
::::	   Installation settings    	::::
PLAT=Raspbian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
dhcpReserv=
IPv4addr=192.168.1.165/24
IPv4gw=192.168.1.1
install_user=pi
install_home=/home/pi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnPROTO=udp
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
UNATTUPG=1
INSTALLED_PACKAGES=()
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
ListenPort = 51820
### begin nixpad ###
[Peer]
PublicKey = nixpad_pub
PresharedKey = nixpad_psk
AllowedIPs = 10.6.0.2/32
### end nixpad ###
### begin mat-iphone ###
[Peer]
PublicKey = mat-iphone_pub
PresharedKey = mat-iphone_psk
AllowedIPs = 10.6.0.3/32
### end mat-iphone ###
### begin foo ###
[Peer]
PublicKey = foo_pub
PresharedKey = foo_psk
AllowedIPs = 10.6.0.4/32
### end foo ###
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = nixpad_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
PresharedKey = nixpad_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0
=============================================
:::: 	Recursive list of files in	::::
::::	/etc/wireguard shown below	::::
/etc/wireguard:
configs
keys
wg0.conf

/etc/wireguard/configs:
clients.txt
foo.conf
mat-iphone.conf
nixpad.conf

/etc/wireguard/keys:
foo_priv
foo_psk
foo_pub
mat-iphone_priv
mat-iphone_psk
mat-iphone_pub
nixpad_priv
nixpad_psk
nixpad_pub
server_priv
server_pub
=============================================
::::		Self check		::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://github.com/pivpn/pivpn/wiki/FAQ
=============================================
:::: WARNING: This script should have automatically masked sensitive       ::::
:::: information, however, still make sure that PrivateKey, PublicKey      ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this:                  ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe                          ::::
=============================================
::::		Debug complete		::::
::: 
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::

Have you taken any steps towards solving your issue?

tcpdump output:

root@raspberrypi:/home/pi# tcpdump -n -i eth0 udp port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:21:26.243211 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:26.243302 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:26.243351 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 148
09:21:26.247161 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 92
09:21:26.299773 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 32
09:21:28.127688 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:28.127791 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:31.663584 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:31.664506 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:31.664577 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:31.664616 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:31.664659 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:31.664695 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:31.665040 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:31.665086 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:32.147132 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:32.151099 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:33.755726 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:33.755822 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:33.755863 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:33.755900 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:33.755936 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:33.759598 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:33.759671 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:33.759710 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:35.098313 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:35.137306 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.206470 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.211437 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.813448 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.817155 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.817221 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.817258 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.830122 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:37.830186 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:37.830226 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:37.830262 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:38.332967 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 32
09:21:40.287544 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:40.287637 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:41.396678 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:41.396770 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:43.147451 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:43.148255 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:45.203591 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:45.203696 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:46.175396 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:46.175502 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:46.176151 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:46.176210 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:46.176248 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:46.176284 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:46.179570 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:46.179640 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:49.347726 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:49.347810 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:49.688036 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:49.688114 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:50.493039 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 32
09:21:56.389398 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:56.389509 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:57.567752 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:57.568575 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:22:05.755012 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:22:05.757489 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:22:06.492994 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 32
09:22:14.238450 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:22:14.238571 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:22:24.413027 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 32
09:22:29.611402 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:22:29.611518 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:22:39.772984 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 32
^C
72 packets captured
72 packets received by filter
0 packets dropped by kernel
root@raspberrypi:/home/pi# exit
pi@raspberrypi:~ $ sudo iptables -vnL
Chain INPUT (policy ACCEPT 27765 packets, 3014K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 23961 packets, 3959K bytes)
 pkts bytes target     prot opt in     out     source               destination         
pi@raspberrypi:~ $ sudo iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 3121 packets, 287K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 3018 packets, 239K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3299 packets, 233K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    10.6.0.0/24          0.0.0.0/0            /* wireguard-nat-rule */

Chain OUTPUT (policy ACCEPT 3299 packets, 233K bytes)
 pkts bytes target     prot opt in     out     source               destination   

Unsure if there are recommendations particular to this situation. I tried pointing the DNS of the client VPN profile to 8.8.8.8, but it seems like having the Pi-hole managing DNS for my LAN means no local traffic will work on the VPN.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

There should be a “latest handshake” field. It’s like the handshake is failing. Can you inspect the log in the wireguard mobile app for any clue?
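As an added example (my own script, not code from the issue or from the PiVPN project), the following Python classifies tcpdump lines like the ones quoted in the report by WireGuard message size: a handshake initiation is always 148 bytes of UDP payload, a handshake response 92, a cookie reply 64, and a transport packet 32 plus a multiple of 16 (exactly 32 is a keepalive). Run over the capture it tells a failed handshake apart from a tunnel that is up but whose forwarded traffic gets no replies, which is the question the comment above asks; the server address and the sample lines are taken from the report.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the tcpdump output in the issue
# (client address redacted there as NNN.NNN.N.NNN).
CAPTURE = """\
09:21:26.243211 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 96
09:21:26.243351 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 148
09:21:26.247161 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 92
09:21:26.299773 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 32
09:21:31.663584 IP NNN.NNN.N.NNN.55582 > 192.168.1.165.51820: UDP, length 112
09:21:38.332967 IP 192.168.1.165.51820 > NNN.NNN.N.NNN.55582: UDP, length 32
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): UDP, length (?P<len>\d+)$")

# Fixed UDP payload sizes of the WireGuard message types.
HANDSHAKE_INIT = 148   # initiator -> responder
HANDSHAKE_RESP = 92    # responder -> initiator
COOKIE_REPLY = 64      # responder -> initiator, only sent under load
TRANSPORT_MIN = 32     # 16-byte header + 16-byte tag, i.e. an empty keepalive

def classify(length, from_server):
    if length == HANDSHAKE_INIT:
        return "handshake-init"
    if length == HANDSHAKE_RESP and from_server:
        return "handshake-resp"
    if length == COOKIE_REPLY and from_server:  # ambiguous with 32-byte-payload data
        return "cookie-reply"
    if length == TRANSPORT_MIN:
        return "keepalive"
    if length > TRANSPORT_MIN and (length - TRANSPORT_MIN) % 16 == 0:
        return "data"  # payload is padded to a multiple of 16
    return "unknown"

def summarize(capture, server="192.168.1.165.51820"):
    """Count message types per direction, keyed (direction, type)."""
    counts = Counter()
    for m in map(LINE_RE.match, capture.splitlines()):
        if m is None:
            continue  # tcpdump banner / summary lines
        from_server = m["src"] == server
        direction = "from-server" if from_server else "to-server"
        counts[(direction, classify(int(m["len"]), from_server))] += 1
    return counts

def handshake_completed(counts):
    return (counts[("to-server", "handshake-init")] > 0
            and counts[("from-server", "handshake-resp")] > 0)
```

On the sample the initiation is answered by a response and the client's data packets are answered only by keepalives, so the next place to look is the reply path for traffic forwarded through wg0 rather than the handshake itself.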