During the last 11 months I went through a lot of design, trial and testing of the local network in my home. I wrote this article about the “journey”; it might be useful for anybody who is in a similar situation to mine.
Everything has a backstory
Some years ago I built a server from spare computer parts. Since then it has received a lot of software and hardware upgrades. I use it as a private store for my files (media, books, etc.), as a Plex Media Server, to keep my project repositories in a GitLab instance, and to hold some data in databases running on it.
As the number of services grew, I realised that any outage would hurt. So I needed something to monitor the system and intervene if needed. I could of course buy products that do this, but I am an engineer: I like solving problems and I like learning new things. Why not combine the two?
I began to write my own applications and monitoring scripts. Over the years they were improved, and they reached a level I considered worth making public (by the way, that is the purpose of this website).
How is this related to the local network?
Those services (e.g. the alerting service) use dedicated ports in my Apache config. I am not a fan of dedicated ports; sub-domains would be better. Because I also use Apple products, I cannot modify the /etc/hosts file on every device, and a jailbreak is not worth it for this.
I decided to buy a better router and build a network environment that meets my needs. I wanted a network where:
- I can reach any sub-domain in my local network from every device of mine
- I can also reach them via VPN
Finding the proper software was difficult because I do not use only one ecosystem but mix several:
- My server runs Debian
- Occasionally I use a Raspberry Pi with Raspbian
- My main PC runs Windows 10
- I also have an iPad and an iPhone
How did I start?
My starting point was my router. I only had the router the ISP gave me. It has no extras; I cannot even configure anything in it. I bought an ASUS RT-AX55 router. It was not too expensive and it has the features I was looking for: 5 GHz WiFi support, a separate guest WiFi, and a VPN server. It also had a running Dnsmasq service.
After I purchased it and began to configure it, I met my first “but moment” of this project. Dnsmasq cannot be configured permanently: the router regenerates its config file after each restart. I looked at the AsusWRT-Merlin firmware, where it can be configured, but it does not support my router.
What’s next?
I like solving problems; it satisfies me. That is why, even when there is no problem, I create some. If the DNS server cannot run on the router, then it will run on one of my machines. I chose the Raspberry Pi 3 because I had not used it for anything in years. Also, passive cooling is enough for it, so it makes no noise (I have no dedicated server room; I keep the devices in my room).
I installed and configured a Dnsmasq service on the Pi. My experience was:
- Debian: worked
- Raspbian: worked
- Windows: worked
- iOS, iPadOS: did not work 🙁
There was no error message on the Apple devices or in the server log. I did not understand it. It seemed that the request was not even received on the DNS server side. Then what the hell was happening… I could not find any decent analyzer program for those operating systems. I read a lot of posts, forums and Reddit threads on the topic. Because I had no other idea, I also made some TCP traces and dumps to figure out the nature of the error.
Finally, I figured it out (I guess). With iOS 14 and iPadOS 14, Apple handles DNS requests differently. They use the Type 65 record type. This type is technically “DNS over HTTPS”, which means that they send the request as encrypted data and wait for the answer. This was the problem: Dnsmasq could not handle this kind of request.
Dnsmasq is not able to handle it, and on Apple devices I cannot turn it off. What could I do now? I tried another DNS server, Bind9. I installed and configured it. During testing it worked everywhere, including the Apple devices!
I am using the following settings. This way I got my DNS service working as I wanted! I am not saying it is the best config ever made (I am sure somebody who understands it at a deeper level could find redundant stuff in it), but it works the way I want it to.
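To tell “the server never answered” apart from “the server answered with an error”, here is an added probe (my own example, not the author's script) that hand-builds a type 65 query and reads back only the reply header; the server address and name are whatever you pass on the command line.

```python
import random
import socket
import struct

QTYPE_HTTPS = 65  # the record type the post says the Apple devices ask for
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    # "gitlab.atihome.local" -> b"\x06gitlab\x07atihome\x05local\x00"
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.strip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=QTYPE_HTTPS, txid=0x1234):
    # Header: id, flags (only RD set), QDCOUNT=1, AN/NS/AR=0, then one question in class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_response(data):
    # The 12-byte header is enough to tell an answer from a refusal or an error
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an, "authority": ns}

def probe(server, name, qtype=QTYPE_HTTPS, timeout=2.0):
    # Returns the parsed header, or None when the server never replies (the silence the post describes)
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    resp = parse_response(data)
    return resp if resp["id"] == txid else None

if __name__ == "__main__":
    import sys
    # e.g. python3 dnsprobe.py 192.168.50.202 gitlab.atihome.local
    print(probe(sys.argv[1], sys.argv[2]))
```

A server that knows the zone but holds no type 65 record for the name replies NOERROR with zero answers; None means the query went unanswered.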
named.conf.local:
=================
zone "pihome.local" {
    type master;
    file "/etc/bind/pihome.local.db";
};

zone "atihome.local" {
    type master;
    file "/etc/bind/atihome.local.db";
};

zone "50.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/rev.50.168.192.in-addr.arpa";
};

pihome.local.db:
================
; BIND data file for pihome.local
;
$TTL 14400
@               IN  SOA    ns1.pihome.local. host.pihome.local. (
                           201006601  ; Serial
                           7200       ; Refresh
                           120        ; Retry
                           2419200    ; Expire
                           604800 )   ; Negative cache TTL
;
pihome.local.   IN  NS     ns1.pihome.local.
pihome.local.   IN  A      192.168.50.202
ns1             IN  A      192.168.50.202
www             IN  CNAME  pihome.local.
pihome.local.   IN  TXT    "v=spf1 ip4:192.168.50.202 a mx ~all"

atihome.local.db:
=================
; BIND data file for atihome.local
;
$TTL 14400
@               IN  SOA    atihome.local. host.atihome.local. (
                           201006601  ; Serial
                           7200       ; Refresh
                           120        ; Retry
                           2419200    ; Expire
                           604800 )   ; Negative cache TTL
;
atihome.local.  IN  NS     gitlab.atihome.local.
atihome.local.  IN  NS     services.atihome.local.
atihome.local.  IN  NS     ns1.atihome.local.
atihome.local.  IN  A      192.168.50.201
ns1             IN  A      192.168.50.201
services        IN  A      192.168.50.201
gitlab          IN  A      192.168.50.201
www             IN  CNAME  atihome.local.
atihome.local.  IN  TXT    "v=spf1 ip4:192.168.50.201 a mx ~all"

rev.50.168.192.in-addr.arpa:
============================
; BIND reverse data file for 192.168.50.0/24
;
$TTL 86400
@       IN  SOA    ns1.pihome.local. host.pihome.local. (
                   2010081401 ; Serial
                   28800      ; Refresh
                   604800     ; Retry
                   604800     ; Expire
                   86400 )    ; Negative cache TTL
;
@       IN  NS     ns1.pihome.local.
@       IN  NS     gitlab.atihome.local.
@       IN  NS     services.atihome.local.
@       IN  NS     ns1.atihome.local.
202     IN  PTR    pihome.local.
201     IN  PTR    atihome.local.
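Because the three files have to agree with each other (every NS target needs an A record, and every PTR should point back at a name that owns that address), here is an added consistency check in Python, not the author's tooling; the zone text inside it is a constructed excerpt of the files above that deliberately keeps an ns1.aithome.local misspelling so the check has something to catch.

```python
# Constructed excerpt of the zones above (not the full files); any "owner IN TYPE rdata" zone text works
FORWARD = {
    "pihome.local": """
@    IN NS ns1.pihome.local.
@    IN A  192.168.50.202
ns1  IN A  192.168.50.202
""",
    "atihome.local": """
@       IN NS ns1.atihome.local.
@       IN NS gitlab.atihome.local.
@       IN A  192.168.50.201
ns1     IN A  192.168.50.201
gitlab  IN A  192.168.50.201
""",
}
REVERSE = ("50.168.192.in-addr.arpa", """
@    IN NS  ns1.aithome.local.
202  IN PTR pihome.local.
201  IN PTR atihome.local.
""")

def parse_zone(origin, text):
    # Return (owner, rtype, rdata) triples with absolute owners; comments, $TTL and SOA continuation lines fall out
    records = []
    for line in text.splitlines():
        parts = line.split(";")[0].split(None, 3)
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner, _, rtype, rdata = parts
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return records

def check(forward, reverse):
    # Report NS targets that have no A record and PTRs that disagree with the forward A records
    a, ns, ptr = {}, [], []
    for origin, text in list(forward.items()) + [reverse]:
        for owner, rtype, rdata in parse_zone(origin, text):
            if rtype == "A":
                a.setdefault(owner, set()).add(rdata)
            elif rtype == "NS":
                ns.append((owner, rdata))
            elif rtype == "PTR":
                ptr.append((owner, rdata))
    problems = [f"NS {t} for {o} has no A record" for o, t in ns if t not in a]
    for owner, name in ptr:
        ip = ".".join(reversed(owner[: -len(".in-addr.arpa")].split(".")))  # 202.50.168.192.in-addr.arpa -> 192.168.50.202
        if ip not in a.get(name, set()):
            problems.append(f"PTR {ip} -> {name} has no matching A record")
    return problems
```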
Is anything left?
Yes, there is. I also wanted to reach my services from outside my house. I did not want to set up port forwarding on my public IP, which would let anybody reach them. So I began to set up an OpenVPN server on my router.
On the first try I went through the setup steps on the router web interface and set what I considered logical settings. Result: my devices reached the VPN server with the client. But I had one issue: names were not resolved, so the VPN server was not using my DNS service.
By default, the OpenVPN server was TUN type. From some forum I got the idea to use TAP type, but according to the official FAQ it is not supported on Apple devices. It might have solved my problem, but due to the Apple platform limitation I could not try it.
What did I do? I read a lot and tried a lot of OpenVPN server configs. In the end I succeeded with the following settings:
Respond to DNS –> Yes
Advertise DNS to clients –> No
Push LAN to clients –> Yes
Direct clients to redirect Internet traffic –> No
Changed the VPN subnet from 10.0.0.0 to 192.168.100.0 (my local services are in the 192.168.50.0 subnet)
I also added some custom configuration:
push "dhcp-option DNS 192.168.50.202"
push "dhcp-option DOMAIN pihome.local"
push "dhcp-option DOMAIN atihome.local"
push "register-dns"
push "block-outside-dns"
With these settings OpenVPN works as I want: it uses my local DNS service to resolve my names (e.g. gitlab.atihome.local, services.atihome.local, etc.).
Final words
It was a veeeeeeeery long journey; I started thinking about it 11 months ago. But now I have ended up with a solution that works as I want, without any compromises.