AdGuard Home, Active Directory and VPN


I used to have a PiHole DNS server on a separate Pi. Besides, I have a Windows Server hosting an Active Directory which also needs a DNS. Now I replaced the PiHole with the AdGuard Home plugin. Problem: When I am using a VPN service (OpenVPN) I do not have access to WAN and LAN anymore, so something is f*cked in my settings but I don’t see where.

Basic config:
Windows Server DNS: Only for resolution of local AD-hosts. All other requests forwarded to AdGuard Home.
AdGuard Home: Receives requests from all clients, filtering is working properly. Upstream DNS servers are big public resolvers (like Quad9, Google, Cloudflare).
Router: Promotes Windows Server as first and AdGuard Home as secondary DNS. Also serves as DHCP server. Both IPv6 and IPv4.

So, this all works very well and also did in the same manner with AdGuard home.
Just when I connect to a VPN (commercial VPN provider, no access to server config), I have no connectivity at all, but only after about 30 seconds (before that, it works and then it stops working, no idea why).

It doesn't matter if

  • I switch on or off the firewall
  • I set a specific external or internal DNS to be used
  • I switch AdGuard Home filtering on or off.

Windows Clients are set to automatic DNS.

I am puzzled and don’t know what is causing this. Anyone able to help?

This means your Adguard will only work in some of the cases, because many DNS clients use a round robin routine to query.
The better way would be to set all devices to use the Windows DNS server and then set the Windows DNS server to query the Adguard.
All DNS queries will then go through the Adguard and that will be the one accessing the DNS servers on the internet.

That should solve the internal DNS lookups, but your VPN DNS issue is probably due to a misconfiguration of your VPN client.
A common setting in VPN clients is to disable local access, because this is seen as a security hole. Your computer is bypassing router and firewall rules, so if there is a security hole in your computer setup, then a hacker would gain direct access to the inner network.
You need to disable this setting to gain local access.

Another issue might be that IPv6 is the preferred protocol and some types of IPv6 addresses are global, so IPv6 DNS servers are not seen as local and therefore routed over the VPN to be looked up from there, which might be blocked by firewall rules. Here you should make sure that you use Link-Local IPv6 addresses for local DNS servers that are not accessible from the internet side.

You might also have an option to use application specific VPN, depending on your use case.
Application specific VPN is an option some VPN clients offer that only routes traffic from a specific set of user defined applications over the VPN. This can be useful in cases where you maybe want to access a streaming service from a specific global location, but not anything else.

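A quick way to check the two points from the reply above (a resolver list that a round-robin client alternates through past AdGuard, and global IPv6 DNS addresses that a full-tunnel VPN client will route through the tunnel) against the DNS servers a client has been handed. This is an added example, not code from the thread or from AdGuard Home; the address ranges it treats as "local" are an assumption about typical VPN client behaviour, and the sample resolver list is constructed.

```python
import ipaddress
from typing import Dict, List

# Ranges a VPN client with "allow local/LAN access" treats as local, so queries
# to them stay on the LAN interface. Anything else goes through the tunnel on a
# full-tunnel profile, which is the IPv6 trap from the reply: a LAN DNS server
# with a global IPv6 address is not "local" by this rule. (Assumed ranges.)
LOCAL_SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
]


def scope(addr: str) -> str:
    """Return the local scope name of a DNS server address, or 'global'."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop zone id like %eth0
    for name, net in LOCAL_SCOPES:
        if ip in net:  # False when address and network versions differ
            return name
    return "global"


def audit(servers: List[str]) -> Dict[str, object]:
    """Flag resolvers that would be routed over the VPN, and a resolver list
    with more than one entry that a round-robin client would alternate
    between (so only some queries pass through AdGuard)."""
    local = [s for s in servers if scope(s) != "global"]
    tunnelled = [s for s in servers if scope(s) == "global"]
    findings = []
    if tunnelled:
        findings.append("GLOBAL_DNS_OVER_TUNNEL")
    if len(servers) > 1:
        findings.append("MULTIPLE_RESOLVERS_ROUND_ROBIN")
    return {"local": local, "tunnelled": tunnelled, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: what DHCP/RA might hand a client in the setup above.
    # 2001:db8::/32 is documentation space standing in for a real global prefix.
    handed_out = ["192.168.1.10", "192.168.1.11", "2001:db8:abcd::10", "fe80::1"]
    report = audit(handed_out)
    for s in handed_out:
        print(f"{s:22} {scope(s)}")
    print("findings:", report["findings"])
```

On Windows the list to feed in is what `Get-DnsClientServerAddress` shows per interface; the clean result for the setup recommended above is a single local resolver and no findings.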