
VPN connection established, but no pages load using URLs #6

Closed
armaanhammer opened this issue Dec 30, 2018 · 7 comments
Comments

@armaanhammer
Contributor

armaanhammer commented Dec 30, 2018

Initial note

I missed this step: Click Settings, and navigate to DNS. Set your Interface Listening Behavior to Listen on All Interfaces on this page: when I ran through initial setup, so if any of the subsequent scripts needed that option enabled, they would not have had it. Well into troubleshooting afterward, I discovered that I missed it, and enabled it. Then I restarted the system with it enabled. This may or may not be relevant.

Problem description

When connecting with a Pixel 2, I am able to establish a VPN. If I navigate to 10.8.0.1 or 10.8.0.1/admin from a browser, I see the relevant PiHole pages. No URL requests complete, though. I suspect that some kind of DNS configuration is wrong either on the VPN side or the PiHole side.

To attempt to isolate the problem, I installed lynx on the VM, and successfully navigated to several webpages. The requests showed up in the PiHole logs. No other requests exist in the PiHole logs however. All connections have originated from localhost. (Perhaps this will always be the case, even when the VPN is functioning properly?)

@armaanhammer
Contributor Author

armaanhammer commented Dec 31, 2018

Config exported from phone with redactions:

# Config for OpenVPN 3 C++
machine-readable-output
allow-recursive-routing
ifconfig-nowarn
client
verb 4
connect-retry 2 300
resolv-retry 60
dev tun
remote redacted 1194 udp
<ca>
client
dev tun
proto udp
remote redacted 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_redacted name
cipher AES-128-GCM
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
redacted
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
redacted
-----END OpenVPN Static key V1-----
</tls-crypt>

</ca>
<key>
-----BEGIN PRIVATE KEY-----
redacted
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
redacted
-----END CERTIFICATE-----
</cert>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
redacted
-----END OpenVPN Static key V1-----
</tls-crypt>
route 10.0.0.8  255.0.0.0 net_gateway
route 172.16.0.0  255.240.0.0 net_gateway
route 192.168.9.0  255.255.0.0 net_gateway
nobind
verify-x509-name server_redacted name
remote-cert-tls server
cipher AES-128-GCM
auth SHA256
persist-tun
# persist-tun also enables pre resolving to avoid DNS resolve problem
preresolve
# Custom configuration options
# You are on your on own here :)
# These options found in the config file do not map to config settings:
resolv-retry infinite 
tls-version-min 1.2

@rajannpatel
Owner

rajannpatel commented Dec 31, 2018

I am not sure if you had a wonky cut & paste, but the contents of <ca> ... </ca> don't seem right. Compare your "OpenVPN for Android" config file export with mine:

mypixel3xl-udp-1194-split-tunnel.ovpn

# Config for OpenVPN 3 C++
machine-readable-output
allow-recursive-routing
ifconfig-nowarn
client
verb 4
connect-retry 2 300
resolv-retry 60
dev tun
remote REDACTED 1194 udp
 connect-timeout  60
<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</cert>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-crypt>
route 10.0.0.8  255.0.0.0 net_gateway
route 172.16.0.0  255.240.0.0 net_gateway
route 192.168.0.0  255.255.0.0 net_gateway
nobind
verify-x509-name server_REDACTED name
remote-cert-tls server
cipher AES-128-GCM
auth SHA256
persist-tun
# persist-tun also enables pre resolving to avoid DNS resolve problem
preresolve
# Custom configuration options
# You are on your on own here :)
# These options found in the config file do not map to config settings:
resolv-retry infinite 
tls-version-min 1.2 

Would you be interested in sharing your server.conf file?

This is how my server.conf looks:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_REDACTED.crt
key /etc/openvpn/easy-rsa/pki/private/server_REDACTED.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-to-client
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-128-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
# performance
fast-io
compress lz4-v2
push "compress lz4-v2"

It is worth noting that I have just published a huge update, and if it isn't much trouble, perhaps deleting your Pi-Hole virtual machine and starting from the beginning may be worth it? I would be curious if you encounter the same problem after following the most up to date instructions.

@rajannpatel rajannpatel self-assigned this Dec 31, 2018
@armaanhammer
Contributor Author

armaanhammer commented Dec 31, 2018

I am not sure if you had a wonky cut & paste, but the contents of <ca> ... </ca> don't seem right.

Yeah, I thought exactly the same thing. :-P I just checked again though, and that's exactly how it came out of OpenVPN for Android. For what it's worth, I used the share button within the app that generates and auto-populates an email.

perhaps deleting your Pi-Hole virtual machine and starting from the beginning may be worth it?

Sounds like a good idea! I was considering doing that myself already. I'm going to wait until the morning when I have a clear head though, so I don't make any brain-dead mistakes.

Just for completeness, here is my server.conf:

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_redacted.crt
key /etc/openvpn/easy-rsa/pki/private/server_redacted.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-to-client
# keepalive 1800 3600
keepalive 10 60
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
# cipher AES-256-CBC
cipher AES-128-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io
# performance stuff
fast-io
compress lz4-v2
push "compress lz4-v2"

@rajannpatel
Owner

rajannpatel commented Dec 31, 2018

I'm glad you waited until this morning; I realized when I was proof-reading this morning that I forgot to include the following line for the OpenVPN server.conf configuration:

push "compress lz4-v2"

I made the correction this morning. No traffic will flow through the VPN without this line. You had originally followed an older version of the document which had this line, but for a few hours last night it was missing from the documentation.
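
The two things this thread turned on are a client profile whose inline `<ca>`/`<key>` blocks came out nested and duplicated, and a server.conf that was missing the `push "compress lz4-v2"` line. As an added example (not code from this repository or its author), here is a small Python checker that flags both: it walks a .ovpn and reports inline blocks that open while another is still open, close without a matching open, or appear twice, and it reads a server.conf to confirm that a DNS server on the tunnel subnet is pushed and that any `compress` setting is also pushed to clients. The sample profile and server configs embedded below are constructed for the example; the hostname `vpn.example.invalid` and the PEM bodies are placeholders.

```python
"""Sanity checks for an OpenVPN client profile and server.conf.

Added example, not part of the repository. The sample inputs below are
constructed to mirror the shapes discussed in the thread.
"""
import ipaddress
import re

# Inline block tags OpenVPN accepts in a profile (assumption: this list
# covers the blocks a PiVPN-generated profile contains).
INLINE_TAGS = {"ca", "cert", "key", "tls-crypt", "tls-auth", "dh"}
_TAG_RE = re.compile(r"^\s*<(/?)([a-z-]+)>\s*$")


def check_inline_blocks(profile_text):
    """Return a list of structural problems in the profile's inline blocks."""
    problems = []
    open_tag = None      # tag whose body we are currently inside
    seen = set()         # tags already completed once
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = _TAG_RE.match(line)
        if not m or m.group(2) not in INLINE_TAGS:
            continue     # PEM lines, directives and comments are not tags
        closing, tag = m.group(1) == "/", m.group(2)
        if not closing:
            if open_tag is not None:
                problems.append(f"line {lineno}: <{tag}> opened while <{open_tag}> is still open")
                continue
            if tag in seen:
                problems.append(f"line {lineno}: duplicate <{tag}> block")
            open_tag = tag
            seen.add(tag)
        elif open_tag != tag:
            problems.append(f"line {lineno}: </{tag}> without a matching open tag")
        else:
            open_tag = None
    if open_tag is not None:
        problems.append(f"<{open_tag}> is never closed")
    return problems


def check_server_conf(server_conf_text):
    """Return a list of problems in what the server pushes to clients."""
    opts, pushed = {}, []
    for raw in server_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: no '#' inside quoted values
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key == "push":
            pushed.append(val.strip().strip('"'))
        else:
            opts[key] = val.strip()
    problems = []
    dns = [p.split()[2] for p in pushed if p.startswith("dhcp-option DNS ")]
    if not dns:
        problems.append('no push "dhcp-option DNS ..." so clients keep their own resolver')
    elif "server" in opts:
        net_addr, mask = opts["server"].split()
        tunnel = ipaddress.ip_network(f"{net_addr}/{mask}")
        for addr in dns:
            if ipaddress.ip_address(addr) not in tunnel:
                problems.append(f"pushed DNS {addr} is not on the tunnel subnet {tunnel}; "
                                "clients need a pushed route to reach it")
    comp = opts.get("compress")
    if comp is not None and f"compress {comp}".strip() not in pushed:
        problems.append(f'server uses "compress {comp}" but does not push it to clients')
    return problems


# Constructed sample: a second <ca> opened inside the first, a stray </ca>,
# and the <key> block repeated, as in the profile the thread shows.
BROKEN_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194 udp
<ca>
client
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----
</key>

</ca>
<key>
-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----
</key>
nobind
"""

# Constructed sample: one well-formed block of each kind.
GOOD_PROFILE = BROKEN_PROFILE.split("<key>", 1)[0].replace("client\n<ca>\n", "") + \
    "<key>\n-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n</key>\n"

SERVER_CONF_OK = """\
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"
client-to-client
compress lz4-v2
push "compress lz4-v2"
"""
# Same server without the push line the thread found missing.
SERVER_CONF_NO_PUSH = SERVER_CONF_OK.replace('push "compress lz4-v2"\n', "")

if __name__ == "__main__":
    for name, probs in [("broken profile", check_inline_blocks(BROKEN_PROFILE)),
                        ("good profile", check_inline_blocks(GOOD_PROFILE)),
                        ("server.conf ok", check_server_conf(SERVER_CONF_OK)),
                        ("server.conf no push", check_server_conf(SERVER_CONF_NO_PUSH))]:
        print(name, "->", probs or "no problems")
```

Run it on a real exported profile by reading the file into `check_inline_blocks`; a clean result plus an empty list from `check_server_conf` rules out the two misconfigurations discussed here before digging into Pi-hole's own listening settings.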

@rajannpatel
Owner

I think we have adequately pinned the issue as a combination of starting to try this out while the documentation was still evolving, and the client .ovpn configuration looking unusual. I will close this issue, please feel free to open a new one if you encounter a problem with the current documentation.

@armaanhammer
Contributor Author

Want to follow up on this: I rebuilt my VM from the ground up last night using then-current instructions, and it has been functioning as expected. I saw a prompt during PiVPN setup that I don't remember seeing on the first go-through. It seemed to reference connecting to pihole on all interfaces. That leads me to think I was correct when I thought that the all-interfaces configuration in Pi-Hole was queried during PiVPN setup. Unfortunately, I forgot to screenshot the prompt.

Just noting this in case someone else happens across the same problem: the solution seems to be to start over, ensuring that the appropriate setting is selected in the Pi-Hole admin console prior to starting PiVPN setup.

@rajannpatel
Owner

I will keep an eye out for this, was the default answer not the appropriate one, during the Pi-Hole setup?
