YazFi YazFi v4.x

> I seem to recall reading that the YazFi DNS settings are ignored if the VPN is set to Exclusive. Also, posts on the first page on this thread (13 Feb 21) seem to say that Force DNS implements DoT. I'm confused and way, way out of my depth. :D :D
yes, this is correct. current behaviour is that if redirect VPN is true, and VPN DNS is exclusive, yazfi won't attempt to override. disabled/relaxed/strict should let you connect, though. are you using dns filter?
 
> yes, this is correct. current behaviour is that if redirect VPN is true, and VPN DNS is exclusive, yazfi won't attempt to override. disabled/relaxed/strict should let you connect, though. are you using dns filter?
You can run
Code:
YazFi develop
which now will override both DNS Filter and Exclusive DNS if you set to Force in YazFi
 
> yes, this is correct. current behaviour is that if redirect VPN is true, and VPN DNS is exclusive, yazfi won't attempt to override. disabled/relaxed/strict should let you connect, though. are you using dns filter?
No. Have never used the DNS filter panel on the RT-AX86U.
 
> You can run
> Code:
> YazFi develop
> which now will override both DNS Filter and Exclusive DNS if you set to Force in YazFi
Thank you. I'll try as soon as the Internet is not in use. Have had the system to myself today but it's in use at present. Will try when I get up early tomorrow and report. Thanks again

BTW; assume that's to be run in a ssh command window?
 
Right, ran '/jffs/scripts/YazFi develop' and it updated to 4.2.2. Rebooted and connected to the Guest network but no connectivity either DNS or ability to ping to external IPs. Is there anything else I should do to apply the new/changed rules with 4.2.2? Thanks again. Andy
 
> Right, ran '/jffs/scripts/YazFi develop' and it updated to 4.2.2. Rebooted and connected to the Guest network but no connectivity either DNS or ability to ping to external IPs. Is there anything else I should do to apply the new/changed rules with 4.2.2? Thanks again. Andy
at this point i suspect the problem is in PiHole. make sure you've set it to allow traffic on all interfaces and permit all origins, as by default pihole will only allow same subnet traffic


i configured a guest to use VPN set to exclusive dns, then set the guest to use my Windows Server DNS in YazFi. worked as expected

if you can't ping an IP, check the VPN tunnel is actually up
 
> at this point i suspect the problem is in PiHole. make sure you've set it to allow traffic on all interfaces and permit all origins, as by default pihole will only allow same subnet traffic
>
> i configured a guest to use VPN set to exclusive dns, then set the guest to use my Windows Server DNS in YazFi. worked as expected
>
> if you can't ping an IP, check the VPN tunnel is actually up
Firstly, thank you very much for your help with this but I'm getting nowhere (as I said previously, I'm way, way out of my depth here - learning about the routing rules might be handy but that's a job for long dark Winter evenings).

Setting PiHole to 'all interfaces' doesn't change anything, when I try a ping to 192.168.50.4 (my RPI) or nslookup from my laptop it cannot see the RPi. My laptop, via the Guest network, is on 192.168.5.254, the gateway (192.168.5.1) says it's unreachable.

I don't really think I understand 'Force DNS' in YazFi. I've been trying a few things out and I'm confused that with Force DNS set to No, the Guest network still pushes the DNSs in the YazFi boxes to my laptop. If I put 8.8.8.8/8.8.4.4 in, the VPN works and the laptop uses the Google servers via the tunnel. I'd expected it to use the VPN defined DNS as it does if I add my laptop to the VPN policy rules when connected to the main WiFi using the normal '50' subnet. If I put 192.168.50.4 in with Force DNS set to No my laptop shows 192.168.50.4 as the DNS but cannot see the RPi because its on the different '50' subnet (I assume).

Anyway, genuinely, thank you very much for your help but I'll have to leave this for now and come back to it another time. Cheers Andy
 
Throwing some random stuff at the wall here, what about using the Custom Configuration field for the OpenVPN - VPN Client and using the "push dhcp-option dns" with the IP address of the Pi-Hole.

Example:
push "dhcp-option DNS 192.168.1.10"

One may have to disable the client tunnel then reestablish it for changes to take effect.
 
> Throwing some random stuff at the wall here, what about using the Custom Configuration field for the OpenVPN - VPN Client and using the "push dhcp-option dns" with the IP address of the Pi-Hole.
>
> Example:
> push "dhcp-option DNS 192.168.1.10"
>
> One may have to disable the client tunnel then reestablish it for changes to take effect.
Yep, tried that yesterday, it seems to work when I'm connected via the normal WiFi connection on the '50' subnet but not via Guest/YazFi ('5' subnet). The problem I seemed to be seeing is that the Guest connection was ALWAYS passing the DNS servers set in YazFi to the client laptop regardless of how Force DNS was set. If I put the RPi's IP in it didn't work because it is on a different subnet (I assume), if I were to add it to the VPN config as you suggested and I could get Guest/YazFi to use the VPN DNS it might work??!! I was never able to use the VPN defined DNS. I was getting the impression that some rules were not being updated and (I may be barking up the wrong tree here) Merlin alluded to some such weirdness in one of his VPN Director posts earlier today. It's not a showstopper here, I'm just going to leave it for a while and try again maybe after doing a bit more reading. Thanks for your suggestion. Andy
 
Force DNS is YazFi's version of DNS filter. it adds firewall rules to intercept guest DNS and redirect it to the DNS server 1 you have set.

let's dial this back to basics. set two way to guest on, and get ping working from guest to the RPi. if it fails with two way to guest on, check if the rpi has a firewall and turn it off temporarily. if it still fails, how is the rpi connected to your router? is it configured to use a different VPN client on the router at all?
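
Added example, not part of the original post and not YazFi's own code: a shell check that reads `iptables-save -t nat` output and confirms that DNS arriving on a guest interface is redirected to the configured server over both UDP and TCP. The interface name `wl0.1`, the assumption that the redirect appears as DNAT rules in the nat table, and the sample rule sets are constructed for illustration; 192.168.50.4 is the Pi-hole address used in this thread.

```shell
#!/bin/sh
# Constructed samples in iptables-save format (not captured from a real router).
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wl0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.50.4
-A PREROUTING -i wl0.1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.50.4
COMMIT'
UDP_ONLY_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wl0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.50.4
COMMIT'

# check_dns_redirect IFACE DNS_IP   (iptables-save text on stdin)
# Prints "ok" and returns 0 when both UDP and TCP port 53 entering IFACE are
# DNAT'd to DNS_IP; otherwise prints "missing:<protocols>" and returns 1.
check_dns_redirect() {
    awk -v iface="$1" -v dns="$2" '
        $1 == "-A" {
            in_if = ""; proto = ""; dport = ""; target = ""; dest = ""
            # Walk the option/value pairs of one appended rule.
            for (i = 2; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--to-destination") dest = $(i + 1)
            }
            sub(/:53$/, "", dest)   # accept "ip" and "ip:53" forms
            if (in_if == iface && dport == "53" && target == "DNAT" && dest == dns)
                seen[proto] = 1
        }
        END {
            missing = ""
            if (!("udp" in seen)) missing = missing " udp"
            if (!("tcp" in seen)) missing = missing " tcp"
            if (missing == "") { print "ok"; exit 0 }
            sub(/^ /, "", missing)
            print "missing:" missing
            exit 1
        }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$GOOD_RULES" | check_dns_redirect wl0.1 192.168.50.4
printf '%s\n' "$UDP_ONLY_RULES" | check_dns_redirect wl0.1 192.168.50.4 || true
```

On a router the same function can be fed live data with `iptables-save -t nat | check_dns_redirect <guest-interface> <dns-ip>`; a result of `missing:tcp` means a guest client can still reach an outside resolver over TCP port 53.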
 
> Force DNS is YazFi's version of DNS filter. it adds firewall rules to intercept guest DNS and redirect it to the DNS server 1 you have set.
>
> let's dial this back to basics. set two way to guest on, and get ping working from guest to the RPi. if it fails with two way to guest on, check if the rpi has a firewall and turn it off temporarily. if it still fails, how is the rpi connected to your router? is it configured to use a different VPN client on the router at all?
Right. Guest 'Access Intranet' set to Enable, YazFi 'Two way to guest' Yes. Connect to Guest (IP4 Address 192.168.5.241, Netmask 255.255.255.0, Gateway 192.168.5.1) and can ping the main router gateway on 192.168.50.1 but cannot access the webpage. Cannot ping 192.168.50.4 (RPi) even with 'Listen on all interfaces, permit all origins' set in PiHole. Andy
 
> ... how is the rpi connected to your router? is it configured to use a different VPN client on the router at all?
Missed that bit. :rolleyes: No firewall on RPi, however RPi is using VPN Client 1. Will change that and retest.
 
> however RPi is using VPN Client 1. Will change that and retest.
Why was the RPi configured to use VPN Client 1?

Not sure about anyone else but as a Raspberry Pi + Pi-Hole user that is running YazFi (edit: no VPN) I'm a bit confused on how you had things setup. :)
 
Aha! Removed RPi from Client 1 and I can ping it from Guest. A quick test shows it is now using the WAN. The connection now works and DNS Leaktest now shows IP and DNS to be via VPN. I don't think PiHole is being used though as Ads are not being blocked and there seems to be no activity in PiHole's log. Suspect it's using the VPN DNS. (If I do a nslookup on the laptop it works and shows the RPi IP.) Will have a play around later and try adding the RPi IP to the VPN config again. Thanks!! Andy
 
> Why was the RPi configured to use VPN Client 1?
>
> Not sure about anyone else but as a Raspberry Pi + Pi-Hole user that is running YazFi (edit: no VPN) I'm a bit confused on how you had things setup. :)
So am I. :D
 
Probably a good idea to go back and start from the beginning on setting up your local network with the Pi-Hole. Then introduce YazFi and get it working properly with Pi-Hole. Get everything working BEFORE introducing or activating the VPN Client setting. Some suggestions (if you haven't done them already).

Make sure the router's LAN > DHCP Server is configured to use the Pi-Hole for its DNS. Make sure Advertise router's IP in addition to user-specified DNS is set to No. Do not use the Pi-Hole in the router WAN DNS fields, if you do you could experience a feedback loop error with Pi-Hole (been there done that). Connect the Raspberry Pi to the main LAN, not the Guest WiFi. The Raspberry Pi hosting Pi-Hole should be configured to pull its IP address from the router's DHCP server not from the Guest Network. Best to use an IP reservation in the router's DHCP server section (if not using a static IP on the Pi) if one hasn't done so for their Raspberry Pi.

Of course one wild card is the VPN server configuration at the other end of the VPN Client tunnel and if it is introducing issues preventing things on the client side from running properly.
 
> Probably a good idea to go back and start from the beginning on setting up your local network with the Pi-Hole. Then introduce YazFi and get it working properly with Pi-Hole. Get everything working BEFORE introducing or activating the VPN Client setting. Some suggestions (if you haven't done them already).
>
> Make sure the router's LAN > DHCP Server is configured to use the Pi-Hole for its DNS. Make sure Advertise router's IP in addition to user-specified DNS is set to No. Do not use the Pi-Hole in the router WAN DNS fields, if you do you could experience a feedback loop error with Pi-Hole (been there done that). Connect the Raspberry Pi to the main LAN, not the Guest WiFi. The Raspberry Pi hosting Pi-Hole should be configured to pull its IP address from the router's DHCP server not from the Guest Network. Best to use an IP reservation in the router's DHCP server section (if not using a static IP on the Pi) if one hasn't done so for their Raspberry Pi.
>
> Of course one wild card is the VPN server configuration at the other end of the VPN Client tunnel and if it is introducing issues preventing things on the client side from running properly.
Yep, all that done and setup in that way. Have reset and rebuilt the router config 3 or 4 times over the past few days checking it out and creating incremental backups as I went. :rolleyes: Cheers - Andy
 
> Aha! Removed RPi from Client 1 and I can ping it from Guest. A quick test shows it is now using the WAN. The connection now works and DNS Leaktest now shows IP and DNS to be via VPN. I don't think PiHole is being used though as Ads are not being blocked and there seems to be no activity in PiHole's log. Suspect it's using the VPN DNS. (If I do a nslookup on the laptop it works and shows the RPi IP.) Will have a play around later and try adding the RPi IP to the VPN config again. Thanks!! Andy
change policy rules strict to policy rules on vpn client 1, then the router knows how to get the traffic from yazfi guest to pi
 
Right, it looks like I've got it working with all your help. :D Added 'dhcp-option DNS 192.168.50.4' (RPI IP) to Client 2 config and set 'Accept config' to Strict and it works. I'm getting VPN access over Guest with PiHole as DNS with blocking working and entries appearing in PiHole log. Great!

Next job to save PDFs of all the screens so I can remember how to set it up again when I need to! :)

Thanks again to you both for your help and patience. :D:D Andy
 
