
[Support] Cannot use Split tunnel unless I add VPN ip to AllowedIPs #1055

Closed
4 tasks done
pikdonker opened this issue May 23, 2020 · 3 comments

Comments

@pikdonker

In raising this issue, I confirm the following:


  • I have read and understood the contributors guide.
  • The issue I am reporting can be replicated.
  • The issue I am reporting is directly related to the pivpn installer script.
  • The issue I am reporting isn't a duplicate (see FAQs, closed issues, and open issues).

Issue

I've been trying to set up PiHole + Wireguard, using PiVPN, and ran into a persistent problem that I've been able to fix, but I'm not sure where the problem came from and if this is the right fix:

After installing PiHole first and Wireguard second, I used pivpn add to generate a client config, and edited that config, removing 0.0.0.0/0 and adding my LAN's IP and netmask: 192.168.2.0/24. When using this config I could not get any DNS response (although I could access computers on my LAN through the VPN). If I removed my LAN IP and reset AllowedIPs to allow everything, the DNS request did go through the PiHole, but I don't want to send all data through the VPN.

After lots of debugging I got the DNS split to work by adding the IP and mask of the VPN's network, 10.6.0.0/24.

Without the extra section in AllowedIPs I did not see any connection attempt with tcpdump -n -i eth0 udp port 8000.

Using this config the DNS queries go through Wireguard and are resolved by PiHole, so it's working as I want it to right now. But this still leaves me wondering if I got something wrong somewhere (most likely), or if the FAQ is wrong/outdated, or if the PiVPN script has a bug.

Have you searched for similar issues and solutions?

Yes

Console output of pivpn debug

::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
commit 4e8d4dfd8ef01e49f3137d5fc5a2afa14a465e47 (grafted, HEAD -> master, origin/master, origin/HEAD)
Author: Orazio <orazioedoardo@users.noreply.github.com>
Date:   Tue Apr 7 13:45:43 2020 +0200

    Merge pull request #1000 from psgoundar/pivpn

    Updated listOVPN to Include Expiration Dates
=============================================
::::        Installation settings        ::::
PLAT=Raspbian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
dhcpReserv=1
IPv4addr=192.168.2.9/24
IPv4gw=192.168.2.254
install_user=dietpi
install_home=/home/dietpi
VPN=wireguard
pivpnPORT=8000
pivpnDNS1=10.6.0.1
pivpnDNS2=
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnPROTO=udp
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
UNATTUPG=1
INSTALLED_PACKAGES=(iptables-persistent wireguard wireguard-tools wireguard-dkms)
=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.6.0.1/24
ListenPort = 8000
# begin Android-Split
[Peer]
PublicKey = Android-Split_pub
PresharedKey = psk
AllowedIPs = 10.6.0.2/32
# end Android-Split
=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = Android-Split_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
PresharedKey = psk
Endpoint = REDACTED:8000
AllowedIPs = 192.168.2.0/24, 10.6.0.0/24

=============================================
::::    Recursive list of files in       ::::
::::    /etc/wireguard shown below       ::::
/etc/wireguard:
configs  keys  wg0.conf

/etc/wireguard/configs:
Android-Split.conf  clients.txt

/etc/wireguard/keys:
Android-Split_priv  Android-Split_pub  psk  server_priv  server_pub
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled (it will automatically start on reboot)
:: [OK] WireGuard is listening on port 8000/udp
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://github.com/pivpn/pivpn/wiki/FAQ
=============================================
:::: WARNING: This script should have automatically masked sensitive       ::::
:::: information, however, still make sure that PrivateKey, PublicKey      ::::
:::: and PresharedKey are masked before reporting an issue. An example key ::::
:::: that you should NOT see in this log looks like this:                  ::::
:::: YIAoJVsdIeyvXfGGDDadHh6AxsMRymZTnnzZoAb9cxRe                          ::::
=============================================
::::            Debug complete           ::::

Contents of /etc/dnsmasq.d/02-pivpn.conf

addn-hosts=/etc/pivpn/hosts.wireguard

@orazioedoardo (Member) commented May 24, 2020

When you choose to use pi-hole as dns during the pivpn installation, the script uses 10.6.0.1, the VPN ip of the raspberry as dns for the VPN.
Since the default configuration for allowedIP 0.0.0.0/0 allows everything through the tunnel, 10.6.0.1 is allowed as well.
When you set allowedip 192.168.2.0/24, 10.6.0.1 is not allowed anymore, unless you also add 10.6.0.0/24 (or at least 10.6.0.1/32). You did right.
If you don't want to add 10.6.0.0/24 to allowed IP, just use DNS = 192.168.2.9.
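The rule stated in the reply (every DNS server in the client's `DNS =` line must fall inside some peer's `AllowedIPs`, otherwise the query is never routed into the tunnel) is easy to check mechanically before handing a split-tunnel config to a user. The script below is an added example for this thread, not PiVPN code: it parses a wg-quick client config and lists DNS servers that no `AllowedIPs` prefix covers. The three configs embedded in it are constructed from the redacted client config in the debug output (the endpoint hostname `vpn.example.invalid` and the helper names are assumptions); the "broken" one is the reporter's first attempt, the other two are the two fixes the reply offers. Whether an uncovered DNS server simply fails to resolve or is sent out-of-tunnel to the local resolver depends on the client, so treat any hit as a misconfiguration either way.

```python
"""
Check that every DNS server in a WireGuard client config is covered by a
peer's AllowedIPs, i.e. that DNS queries will actually be routed through the
tunnel. Added example for this issue; not part of PiVPN or the thread.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample configs (keys and endpoint redacted, as in the debug output).
# The reporter's first attempt: DNS = 10.6.0.1 but only the LAN is allowed.
BROKEN_SPLIT_CONF = """\
[Interface]
PrivateKey = Android-Split_priv
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = server_pub
PresharedKey = psk
Endpoint = vpn.example.invalid:8000
AllowedIPs = 192.168.2.0/24
"""

# Fix 1 from the reply: also route the VPN subnet through the tunnel.
FIXED_SPLIT_CONF = BROKEN_SPLIT_CONF.replace(
    "AllowedIPs = 192.168.2.0/24", "AllowedIPs = 192.168.2.0/24, 10.6.0.0/24")

# Fix 2 from the reply: keep AllowedIPs, point DNS at the Pi's LAN address.
LAN_DNS_CONF = BROKEN_SPLIT_CONF.replace("DNS = 10.6.0.1", "DNS = 192.168.2.9")


def parse_wg_conf(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Minimal INI-style parser: returns {"Interface": [...], "Peer": [...]}.
    A key repeated within one section (AllowedIPs may appear several times)
    is merged into one comma-separated value."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick treats '#' as a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {}
            sections.setdefault(header.group(1), []).append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = f"{current[key]}, {value}" if key in current else value
    return sections


def unreachable_dns(text: str) -> List[str]:
    """Return the DNS server addresses that no peer's AllowedIPs covers.
    Such a server is unreachable via the tunnel: resolution fails or, depending
    on the client, the query goes out-of-tunnel. An empty list means OK."""
    conf = parse_wg_conf(text)
    allowed = []
    for peer in conf.get("Peer", []):
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                allowed.append(ipaddress.ip_network(cidr, strict=False))
    missing = []
    for iface in conf.get("Interface", []):
        for entry in iface.get("DNS", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                continue  # DNS= may also carry search domains; only addresses matter here
            if not any(addr in net for net in allowed):
                missing.append(entry)
    return missing


if __name__ == "__main__":
    for name, conf in [("broken", BROKEN_SPLIT_CONF),
                       ("fixed", FIXED_SPLIT_CONF),
                       ("lan-dns", LAN_DNS_CONF)]:
        bad = unreachable_dns(conf)
        verdict = "OK" if not bad else "DNS not in AllowedIPs: " + ", ".join(bad)
        print(f"{name}: {verdict}")
```

Run it as-is to see the broken config flagged and both fixes pass; to check a real file, read it and call `unreachable_dns()` on the contents. Note that `10.6.0.1/32` in `AllowedIPs`, the narrower option mentioned in the reply, also satisfies the check, and that a full-tunnel `0.0.0.0/0` trivially covers any IPv4 DNS server, which is why the problem only surfaces once the default is narrowed.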

@orazioedoardo (Member) commented

No activity in a while, closing...

It's really sad when people open an issue and then never respond.

@planetahuevo

@orazioedoardo but some people read it and use it.
So thank you for the reply! It helped me!
