After upgrade all non-default packages were gone (config was still there)

Naftali · September 15, 2020, 9:42am

Hi

This was a security problem because I was connected to internet without WG.

I did a reinstall of all packages and everything was working.

Did I do something wrong?

krazeh · September 15, 2020, 9:46am

No. User installed packages don't get carried across upgrades. You either need to create your own custom build (either through the full build process or the imagebuilder) or reinstall the packages after upgrade.

vgaetera · September 15, 2020, 9:50am

Upgrading OpenWrt firmware via LuCI and CLI > How the OpenWrt OS upgrade works

Both the LuCI and sysupgrade upgrade procedures work by saving specified configuration files, wiping the entire file system, installing the new version of OpenWrt and then restoring back the saved configuration files. This means that any parts of the file system that are not specifically saved will be lost.

In particular, any manually installed software packages you may have installed after the initial OpenWrt installation have to be reinstalled after an OpenWrt upgrade. That way everything will match, e.g. the updated Linux kernel and any installed kernel modules.

Any configuration files or data files placed in locations not specifically listed as being preserved below will also be lost in an OpenWrt upgrade. Be sure to check any files you have added or customized from a default OpenWrt install to back up these items before an upgrade.

Naftali · September 15, 2020, 2:21pm

What you recommend for the next upgrade to not reveal my "real" ip?
My seed box was running during upgrade. How you do that?

vgaetera · September 15, 2020, 2:56pm

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#kill_switch

Naftali · September 16, 2020, 6:00am

can I just copy paste that?
Or I need to modify names for my setup?
What is this doing exactly?

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci del_list firewall.wan.network="wg0"
uci add_list firewall.vpn.network="wg0"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

thanks @vgaetera

vgaetera · September 16, 2020, 6:16am

According to your screenshot, manually removing the LAN to WAN forwarding should be enough.

The code relies on the WireGuard client how-to, so it may not apply properly to your custom setup.

Naftali · September 16, 2020, 6:18am

Thanks, but I can't do that. Because my AppleTV runs ***** Netflix which can't be routed over WG.

I use " VPN and WAN Policy-Based Routing" for AppleTV.

vgaetera · September 16, 2020, 6:20am

Remove the LAN to WAN forwarding, but add a custom rule allowing specific IP address to forward to the WAN zone.

jesanor · September 16, 2020, 6:20am

consider using imagebuilder for your next upgrades (same openwrt realase) so you can include all your additional packages and configs.

Naftali · September 16, 2020, 6:28am

I removed the LAN to WAN forwarding and added a static IP address to AppleTV. But I don't understand how to do a custom rule. I think this the job of VPN and WAN Policy-Based Routing? At the moment netflix not working.

vgaetera · September 16, 2020, 6:31am

You can copy-paste the following:

uci -q delete firewall.appletv_fwd
uci set firewall.appletv_fwd="rule"
uci set firewall.appletv_fwd.name="Forward-AppleTV"
uci set firewall.appletv_fwd.src="lan"
uci set firewall.appletv_fwd.src_ip="192.168.1.5"
uci set firewall.appletv_fwd.dest="wan"
uci set firewall.appletv_fwd.proto="all"
uci set firewall.appletv_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Make sure to reconnect/restart the device to obtain a new lease.

No, PBR is responsible for directions/priorities, but not permissions/filtering.

Naftali · September 16, 2020, 6:53am

You are real hero. It's working, but only after reboot (I lost internet).

Can I now uninstall PBR? I not need it. Only thing I did with it to forward appletv to Non_WG

vgaetera · September 16, 2020, 7:34am

Better not, otherwise you will have to manually manage the routing rules.

dwardo · September 19, 2020, 10:13am

This is what I put in my rc.local so that on upgrade (of my repeater) my extra packages are reinstalled and services I don't need are turned off...

check_pkg_installed() {
   opkg status $1 | grep installed > /dev/null
}

install_if_not_installed() {
   for pkg in $@; do
      check_pkg_installed $pkg
      [  $? -ne 0 ] && opkg install $pkg
   done
}

install_after_upgrade() {
   local PACKAGES="luci-ssl luci-proto-relay htop iperf3 wireless-tools"
   local INSTALLED=/etc/config/auto_installed_on_upgrade
   if [ ! -f $INSTALLED ]; then
      #Wait for connection
      sleep 30
      opkg update
      install_if_not_installed $PACKAGES
      [ $? -eq 0 ] && echo $PACKAGES > $INSTALLED
      #Don't need odhcp and dnsmasq which are enabled by default
      /etc/init.d/dnsmasq stop
      /etc/init.d/dnsmasq disable
      /etc/init.d/odhcpd stop
      /etc/init.d/odhcpd disable
      #Restart http server now that we have ssl so we can login
      /etc/init.d/uhttpd restart
   fi
}

Has worked well for me upgrading from 19.07.2 to 19.07.3 and from 19.07.3 to 19.07.4

You just need to manually list your non default packages in local PACKAGES= and adapt/remove the services actions

tmomas · September 29, 2020, 10:13am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.