[OpenWrt 21.02 + PiHole] Cannot access internet after set DNS to PiHole

Is there a static route on OpenWrt for the wireguard subnet? Or are you masquerading on the pihole the source IPs of the wireguard subnet?

I don't set any static route on OpenWrt for wireguard and I never set any masquerading option on pihole. How can I check if the pihole do it automatically?

It won't do it automatically. Try the following to verify it works:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Replace eth0 with the interface name if different.

Should I add it to the "Firewall > Custom rules" section?
It says "Custom rules allow you to execute arbitrary iptables commands which are not otherwise covered by the firewall framework", so it seems the right place...

No, you should add that in the device with the pihole.

OK, I'm gradually starting to understand...
The WireGuard traffic is on the wg0 interface, so I need to add MASQUERADE so that each packet looks like it was generated on the eth0 interface, right?

I added the rule you wrote and it seems to be working, but I checked the iptables nat rules and I found this:

MASQUERADE  all  --  10.6.0.0/24  anywhere   /* wireguard-nat-rule */

With the command above I see a new rule like this:

MASQUERADE  all  --  anywhere    anywhere

I think the problem is related to the interface I use to connect the Pi to the router: when I set up the VPN the first time I was using WiFi; now I've switched to eth0, so probably I simply need to modify the existing rule instead of adding a new one?
(I see no reference to the interface in the iptables nat rules)

OK, I was probably able to fix it by simply adding a new rule similar to the existing one, but on eth0, with

iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o eth0 -j MASQUERADE -m comment --comment "wireguard nat-rule on eth0"

:smiley:

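As an added example, not code from the thread: a small POSIX shell check for the Pi-hole box that lists which POSTROUTING MASQUERADE rules cover the WireGuard subnet on a given egress interface. The input is a constructed sample of iptables -t nat -S POSTROUTING output (the -S form shows the -o interface that the plain -L listing above omits); the subnet, interface names and comments mirror the ones discussed in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: check which POSTROUTING MASQUERADE rules
# on the Pi-hole box cover the WireGuard subnet for a given egress interface.
# Plain `iptables -t nat -L` hides -o/-i, which is what confused the poster;
# `iptables -t nat -S POSTROUTING` prints the full rule, so that is the input here.

# Constructed sample of `iptables -t nat -S POSTROUTING` output, mirroring the
# rules discussed above: the old Wi-Fi era rule, the blanket test rule, and the
# subnet-specific eth0 rule.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.6.0.0/24 -o wlan0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment "wireguard nat-rule on eth0" -j MASQUERADE'

# masq_rules_for SUBNET IFACE RULES
# Prints every MASQUERADE rule that applies to traffic from SUBNET leaving IFACE.
# Rules without -s (any source) or -o (any interface) are flagged as "broad",
# because they also NAT traffic the WireGuard fix never intended to touch.
# Exit status 1 when nothing matches, so it can be used in an if/&& test.
masq_rules_for() {
  matches=$(printf '%s\n' "$3" | awk -v subnet="$1" -v iface="$2" '
    /-j MASQUERADE/ {
      src = ""; out = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-o") out = $(i + 1)
      }
      if ((src == "" || src == subnet) && (out == "" || out == iface)) {
        tag = (src == "" || out == "") ? "broad:    " : "specific: "
        print tag $0
      }
    }')
  [ -n "$matches" ] || return 1
  printf '%s\n' "$matches"
}

# Live use on the Pi-hole (as root) would be:
#   masq_rules_for 10.6.0.0/24 eth0 "$(iptables -t nat -S POSTROUTING)"
masq_rules_for 10.6.0.0/24 eth0 "$SAMPLE_RULES"
```

Against the sample, eth0 reports both the blanket rule and the specific one, so the blanket test rule can be removed once the subnet-specific one is confirmed to be present.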

I suspect I still have some DNS/PiHole misconfiguration somewhere; I'll try to explain:

If I connect my smartphone to WiFi and open an app with advertising, I see banners.
If I switch on WireGuard on my smartphone and open the same app, I see no advertising.
Maybe some error in the DNS redirect rule?
Following this DNS hijacking guide, I set it up like this:

# Network > Firewall > Port Forwardings

Protocol: TCP, UDP
Source zone: lan
External port: 53
Destination zone: lan
Internal IP address: 192.168.1.100
Internal port: 53

# Advanced
Source IP address: !192.168.1.100

Thanks for this, works for me!

I have a separate Raspberry Pi 4B (OS is Raspberry Pi OS lite 64bit), where I installed PiHole using the normal, non-Docker install.

After assigning that Rpi's DHCP-granted IP to be static in OpenWRT, I was able to tell OpenWRT to use the PiHole for the DNS server, to be advertised to all DHCP clients. :grinning:


Did you add any particular configuration? I still have the strange behaviour I described in my previous post, but I was not able to solve it... It seems like some clients still use the router's DNS instead of the one advertised by DHCP, even with the firewall redirection rules.

Is there any firewall logging page/tool on OpenWrt to check which connections match given rules? And the connections requested by devices (e.g. my smartphone to openwrt.org)?