As there is no rule in the IP Tables for TCP port 53, and any unknown traffic is forced out of tun0, using an internal DNS server (such as Pi-Hole) breaks this container, as it is unable to resolve any lookups after the initial boot once the IP Tables are set.
Adding an ALLOW rule for TCP 53 for the local LAN to the IP Tables below would alleviate this.
Alternatively, adding an ALLOW rule for TCP 53 from any to any would prevent the VPN failing after a disconnection, as the current IP Tables prevent TCP 53 anywhere after the initial connection, which would also help with #19.
```
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 172.20.0.0/16 -d 172.20.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 8999 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -s 172.20.0.0/16 -d 172.20.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p tcp -m tcp --sport 8999 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
```
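To show why a LAN resolver is unreachable under this ruleset and what the LAN-only fix changes, here is an added example (not code from the issue or the project): a minimal first-match evaluator over a constructed subset of the rules quoted above, plus the port 53 rules. It assumes a Pi-Hole at 192.168.1.53 and a container address of 172.20.0.2; it adds an INPUT counterpart for the resolver's replies, since the ruleset has no conntrack rule to admit them, and shows UDP 53 only (the TCP rule is identical with `-p tcp`).

```python
import ipaddress
# Constructed subset of the ruleset quoted in the issue (tun0 and LAN entries);
# the matcher understands -P, -A, -s, -d, -i, -o, -p, --sport, --dport and -j.
BASE_RULES = [
    "-P INPUT DROP",
    "-P OUTPUT DROP",
    "-A INPUT -i tun0 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 8999 -j ACCEPT",
    "-A OUTPUT -o tun0 -j ACCEPT",
    "-A OUTPUT -d 192.168.1.0/24 -o eth0 -p tcp -m tcp --sport 8999 -j ACCEPT",
]
# LAN-only port 53 rules in the style of the issue's suggestion (UDP shown; TCP is
# the same with -p tcp) plus an INPUT counterpart: there is no conntrack rule here,
# so replies from the resolver need their own ACCEPT.
DNS_RULES = [
    "-A OUTPUT -d 192.168.1.0/24 -o eth0 -p udp -m udp --dport 53 -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --sport 53 -j ACCEPT",
]
FIELDS = {"-s": "src", "-d": "dst", "-i": "iface", "-o": "iface", "-p": "proto",
          "--sport": "sport", "--dport": "dport"}

def parse(rules):
    """Split iptables-save style lines into chain policies and ordered match dicts."""
    policies, chains = {}, {}
    for rule in rules:
        tok = rule.split()
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        match = {}
        for k, v in zip(tok[2:], tok[3:]):
            if k in FIELDS or k == "-j":
                match[FIELDS.get(k, "target")] = v
        chains.setdefault(tok[1], []).append(match)
    return policies, chains

def verdict(rules, chain, pkt):
    """First-match walk of one chain; the chain policy applies when no rule matches."""
    policies, chains = parse(rules)
    for m in chains.get(chain, []):
        if all(ipaddress.ip_address(pkt[f]) in ipaddress.ip_network(m[f]) if f in ("src", "dst")
               else str(pkt[f]) == m[f] for f in m if f != "target"):
            return m["target"]
    return policies[chain]

def dns_verdicts(rules, resolver="192.168.1.53"):
    """(OUTPUT verdict for a query to the resolver, INPUT verdict for its reply)."""
    q = dict(src="172.20.0.2", dst=resolver, iface="eth0", proto="udp", sport=40000, dport=53)
    r = dict(src=resolver, dst=q["src"], iface="eth0", proto="udp", sport=53, dport=40000)
    return verdict(rules, "OUTPUT", q), verdict(rules, "INPUT", r)
```

With the base rules both the query and the reply fall through to the DROP policies; with the LAN-only rules both are accepted, while a resolver outside 192.168.1.0/24 on eth0 is still dropped, which is the gap the second, any-to-any suggestion in the issue is aimed at.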