WireGuard PiHole DNS not working on OpenWrt

Hello! I've just recently switched from DD-WRT to OpenWrt on my Archer C7 v5 AC1750.

I live in an area with an atrocious monopolized ISP (Centurylink) and my internet speeds suck. 3-ish Mbps down and 1-ish Mbps up is not okay in 2022... but damn, that's all I get. There are no other ISPs in my area other than satellite options. Of course... going to satellite would mean unplayable multiplayer games, and convincing my dad to get Starlink isn't going to do much good either (it doesn't help that the equipment may not ship out until sometime in 2023 anyway, so I am stuck with this trashy ISP). I'm also a content creator/streamer. Bad internet and content creation/streaming of course don't mix well... but I gotta make do with what I have.

So here's the breakdown:

In order to not get "blamed" by the shitty ISP, the ISP's DSL modem/router is being used. I don't have access to its admin interface (my dad keeps the password for that). And if I did, it's not very configurable anyway (even the DNS apparently can't be changed, and I certainly can't connect to my VPN with it either).

My router, which is an Archer C7 v5 running OpenWrt, connects to the shitty ISP router over 2.4 GHz as a client, which is where I get my internet (I'm not allowed to plug my router into the shitty ISP router directly). Off of the same router, I'm running a wireless access point on 2.4 GHz and 5 GHz.

The nice thing about OpenWrt is that I can run an access point on 2.4 GHz even though the 2.4 GHz radio is already being used as a client (this enables my 2.4 GHz-only devices like my Chromecast, smart RGB bulb, and an old smartphone to access the internet), whereas DD-WRT couldn't in its GUI. DD-WRT's client mode disallows running an AP on the same radio, at least on my router. Also, the QoS/SQM in OpenWrt works better than DD-WRT's.

Tidbits aside, I deployed a PiHole instance in Oracle Cloud with WireGuard VPN mostly following this guide. The reason for this is to enhance my security and privacy ever so slightly (bypassing Centurylink's DNS and instead using my PiHole DNS which has Handshake Decentralized DNS as the upstream DNS provider), while of course getting rid of a bunch of ads that suck up my precious bandwidth. BTW, the reason I am running it in the cloud is so that I can still use my VPN outside of the house, without relying on Centurylink's trash service.

Thus, here is where the problem starts. When using my router with the WireGuard client to connect to the WireGuard/PiHole VPN, my PiHole is not filtering my DNS requests... and I'm getting DNS leaks. This results in my PiHole being unable to block ads, inappropriate sites, malware domains, etc. However, if I connect directly to my WireGuard/PiHole VPN (not through the router but using the WireGuard app), everything works as expected.

Eventually, I did find a way to make it work... except now if I disable my VPN interface, my internet stops working (which I don't want, and I had also fixed). I did that by setting the DNS settings in the Network > Interfaces tab to match my VPN, as well as change the DNS settings to match my VPN in the Network > DHCP and DNS tab.

So my question is, how can I force the DNS of my VPN to be used when my VPN interface is enabled; but automatically have Handshake DNS be used when my VPN interface is disabled?
Also I don't want to have to restart my router either, if possible.

In the recent OpenWrt version 21.02, a DNS weight setting was introduced in the interface advanced settings. You can give a lower metric to PiHole and a higher one to Handshake.
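As an added illustration of the DNS weight setting described in this reply (not configuration posted in the thread), here is how the two resolvers can be ranked in UCI, where the LuCI "DNS weight" field maps to `dns_metric`. The interface names (`wwan`, `wg0`), the tunnel addresses and the resolver addresses are assumptions; replace them with your own.

```uci
# /etc/config/network (fragment). Added example, not from the thread.
# Interface names and all addresses below are placeholders.

# Uplink: OpenWrt joining the ISP router as a 2.4 GHz wireless client.
config interface 'wwan'
	option proto 'dhcp'
	# Ignore the DNS servers the ISP router hands out via DHCP...
	option peerdns '0'
	# ...and use the Handshake resolver instead (placeholder address).
	list dns '203.0.113.53'
	# Higher value = lower priority: used when nothing better is up.
	option dns_metric '20'

# WireGuard tunnel to the cloud PiHole.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_CLIENT_PRIVATE_KEY'
	list addresses '10.8.0.2/24'
	# PiHole listening on the server's tunnel address (placeholder).
	list dns '10.8.0.1'
	# Lower value = higher priority: preferred whenever wg0 is up,
	# and dropped from the resolver list as soon as wg0 goes down.
	option dns_metric '10'

config wireguard_wg0
	option public_key 'REPLACE_WITH_SERVER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.com'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/dhcp (fragment). Without strict ordering dnsmasq may
# forward to whichever upstream answers fastest, which would let
# queries bypass the PiHole even while the tunnel is up.
config dnsmasq
	option strictorder '1'
```

After `ifup wg0` or `ifdown wg0`, the ordered list netifd hands to dnsmasq can be inspected in `/tmp/resolv.conf.d/resolv.conf.auto`; the `wg0` entry should appear first while the tunnel is up and disappear when it is down.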


Unfortunately this was not stable.

Upon first boot, my router would connect to the VPN/PiHole and then everything works.
No IP leaks, no DNS leaks (PiHole's upstream Handshake Decentralized DNS shows), PiHole filtering works.

I can then disable the VPN interface and everything works as intended.
IP returns as my ISP, DNS is forced through Handshake Decentralized DNS rather than the ISP, no PiHole filtering (as the VPN is disabled).

...but if I re-enable the VPN interface, my VPN works but my PiHole filtering does not (it seems the DNS is stuck going through as if the VPN is disabled).
No IP leaks, no DNS leaks (Handshake Decentralized DNS is being used, but probably not through the PiHole as I want), and PiHole filtering does not work.

At least the internet isn't dropping though. (^_^)/

Well, I found out what the issue was... Windows DNS Client caching. After flushing the cache and testing, it worked fine.
