Openvpn+dnsmasq : several subnetworks for several use

I've set up an OpenVPN server on my Raspberry Pi. The local network of this server is 192.168.1.0/24; the box is at 192.168.1.254 and the Pi at 192.168.1.250.
A dnsmasq server is present on this Raspberry as well, in order to resolve "mycustom.local" for 192.168.1.250 and 10.16.0.1.

The aim was to provide 3 networks:

- 10.16.0.0/24: "admin" rights: full access; internet and DNS are routed to this network, and 192.168.1.0/24 is accessible from this network
- 10.16.1.0/24: "normal" rights: only 10.6.1.0/24 should be routed to this network. No internet access, no 192.168.1.0/24 access right
- 10.16.2.0/24: "internet" rights: all traffic needs to go to this interface, including DNS requests, but no access to 192.168.1.0/24 on the server side

Everything seems to work; however, when I'm on 10.16.1.0/24, DNS requests still go to the Pi. Furthermore, I think dnsmasq is serving all domains. I would like the Pi to:
- resolve only the domain mycustom.domain for 192.168.1.0/24 and 10.16.0.1/24; that means my client would directly call another DNS resolver in order to query another domain (but maybe I would be forced to tell dnsmasq to follow the request to the box?)
- resolve all queries for 10.16.0.0/24 and 10.16.2.0/24

I don't know why, but I got forced somehow to put a /16 mask on some networks (if my Pi could get a 10.16.1.0/24 address when it is linked to a 10.16.1.0/24 client, it would solve this problem, I guess).

I also have difficulties with my iptables rules, even though they are working.

Here is a part of my OpenVPN server.conf:

dev tun
topology subnet
...
server 10.16.0.0 255.255.0.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 10.16.0.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
#push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
client-config-dir /etc/openvpn/ccd

And inside my /etc/openvpn/ccd, admin_profile_1:

push "block-outside-dns"
push "redirect-gateway def1"
ifconfig-push 10.16.0.2 255.255.255.0

classic_profile_1 (/24 if the Pi can get a 10.16.1/24 IP):

ifconfig-push 10.16.1.2 255.255.0.0

And I guess I'll do (/24 if the Pi can get a 10.16.2/24 IP):

internet_profile_1:
push "block-outside-dns"
push "redirect-gateway def1"
ifconfig-push 10.16.2.2 255.255.0.0

My dnsmasq.conf: everything is the default value, I just added:

listen-address=127.0.0.1,192.168.1.250,10.16.0.1

My resolv.conf is auto-generated:

nameserver 127.0.0.53
options edns0

My hosts:

127.0.0.1 localhost
10.16.0.1 mycustom.domain
192.168.1.250 mycustom.domain

Now the problem is, when I'm connected as a 10.16.1.0/24 client, DNS queries still go through the VPN. I would like the VPN to only serve mycustom.domain for 10.16.1.0/24 clients, and other domains would be resolved through the client's DNS. Thus, I need dnsmasq to serve only mycustom.domain to 10.16.0.1 and, if possible, not even forward the other DNS requests.

Finally, here are my iptables rules:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.16.0.0/24         anywhere

I believe I typed these 3 commands:

sudo iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1195 -j ACCEPT && sudo iptables -A INPUT -i tun+ -j ACCEPT && sudo iptables -A FORWARD -i tun+ -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.16.0.0/24 -o eth0 -j MASQUERADE && sudo iptables -A OUTPUT -o tun+ -j ACCEPT

But... iptables -L returns only:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But somehow it still works.

Thank you for your time

Elerir

Posted 2019-11-22T18:30:47.023

Reputation: 1

No answers
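As an added example (not from the post, nor from OpenVPN or dnsmasq), here is an iptables policy that implements the three client classes described in the question. It replaces the blanket "-A FORWARD -i tun+ -j ACCEPT" from the post, which forwards every client's traffic regardless of subnet, so "normal" and "internet" clients could reach 192.168.1.0/24. Assumptions: eth0 is the LAN/uplink interface, tun+ the VPN interface, 10.16.0.1 the server-side VPN address and UDP 1195 the OpenVPN port, as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: iptables policy for the three client
# classes described in the question. Assumptions: LAN/uplink interface eth0, VPN
# interface tun+, server-side VPN address 10.16.0.1 and UDP port 1195 (from the post).
LAN_IF=eth0
VPN_IF="tun+"
LAN_NET=192.168.1.0/24
ADMIN_NET=10.16.0.0/24
NORMAL_NET=10.16.1.0/24
INET_NET=10.16.2.0/24
VPN_SERVER=10.16.0.1
VPN_PORT=1195

# $1 is prepended to every rule: "" applies it, "echo" only prints it.
vpn_policy() {
    run="$1"
    # Default-deny forwarding; everything below is an explicit allow.
    $run iptables -P FORWARD DROP
    $run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # OpenVPN handshake on the uplink; admins may talk to the Pi itself.
    $run iptables -A INPUT -i "$LAN_IF" -p udp --dport "$VPN_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $run iptables -A INPUT -i "$VPN_IF" -s "$ADMIN_NET" -j ACCEPT
    # Other classes may reach the Pi only for DNS; everything else from tun is dropped.
    for net in "$NORMAL_NET" "$INET_NET"; do
        $run iptables -A INPUT -i "$VPN_IF" -s "$net" -d "$VPN_SERVER" -p udp --dport 53 -j ACCEPT
    done
    $run iptables -A INPUT -i "$VPN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $run iptables -A INPUT -i "$VPN_IF" -j DROP
    # admin: LAN and internet.
    $run iptables -A FORWARD -i "$VPN_IF" -s "$ADMIN_NET" -j ACCEPT
    # normal: only its own /24 (tun-to-tun), no LAN, no internet.
    $run iptables -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -s "$NORMAL_NET" -d "$NORMAL_NET" -j ACCEPT
    # internet: out via eth0, but never into the LAN (the DROP must come first).
    $run iptables -A FORWARD -i "$VPN_IF" -s "$INET_NET" -d "$LAN_NET" -j DROP
    $run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$INET_NET" -j ACCEPT
    # NAT only the classes that are allowed out; "normal" is deliberately absent.
    $run iptables -t nat -A POSTROUTING -s "$ADMIN_NET" -o "$LAN_IF" -j MASQUERADE
    $run iptables -t nat -A POSTROUTING -s "$INET_NET" -o "$LAN_IF" -j MASQUERADE
}

case "${1:-show}" in
    apply) vpn_policy "" ;;
    *)     vpn_policy echo ;;
esac
```

These rules only bound which clients can reach the resolver at all; which domains dnsmasq answers is a separate dnsmasq-side setting. Rules added with iptables are not kept across a reboot unless saved (for example with iptables-save), which is one reason a later iptables -L can come back empty.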