After upgrade all non-default packages were gone (config was still there)

Hi

After upgrade all non-default packages were gone (config was still there)

This was a security problem because I was connected to internet without WG.

I did a reinstall of all packages and everything was working.

Did I do something wrong?

No. User installed packages don't get carried across upgrades. You either need to create your own custom build (either through the full build process or the imagebuilder) or reinstall the packages after upgrade.

7 Likes
7 Likes

What you recommend for the next upgrade to not reveal my "real" ip?
My seed box was running during upgrade. How you do that?

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extra#kill_switch

3 Likes

can I just copy paste that?
Or I need to modify names for my setup?
What is this doing exactly?

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci del_list firewall.wan.network="wg0"
uci add_list firewall.vpn.network="wg0"
uci set firewall.lan_wan.enabled="0"
uci commit firewall
/etc/init.d/firewall restart

thanks @vgaetera

According to your screenshot, manually removing the LAN to WAN forwarding should be enough.

The code relies on the WireGuard client how-to, so it may not apply properly to your custom setup.

1 Like

Thanks, but I can't do that. Because my AppleTV runs ***** Netflix which can't be routed over WG.

I use " VPN and WAN Policy-Based Routing" for AppleTV.

Remove the LAN to WAN forwarding, but add a custom rule allowing specific IP address to forward to the WAN zone.

1 Like

consider using imagebuilder for your next upgrades (same openwrt realase) so you can include all your additional packages and configs.

3 Likes

I removed the LAN to WAN forwarding and added a static IP address to AppleTV. But I don't understand how to do a custom rule. I think this the job of VPN and WAN Policy-Based Routing? At the moment netflix not working.

1 Like

You can copy-paste the following:

uci -q delete firewall.appletv_fwd
uci set firewall.appletv_fwd="rule"
uci set firewall.appletv_fwd.name="Forward-AppleTV"
uci set firewall.appletv_fwd.src="lan"
uci set firewall.appletv_fwd.src_ip="192.168.1.5"
uci set firewall.appletv_fwd.dest="wan"
uci set firewall.appletv_fwd.proto="all"
uci set firewall.appletv_fwd.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Make sure to reconnect/restart the device to obtain a new lease.

No, PBR is responsible for directions/priorities, but not permissions/filtering.

You are real hero. It's working, but only after reboot (I lost internet).

Can I now uninstall PBR? I not need it. Only thing I did with it to forward appletv to Non_WG

1 Like

Better not, otherwise you will have to manually manage the routing policies.

1 Like

This is what I put in my rc.local so that on upgrade (of my repeater) my extra packages are reinstalled and services I don't need are turned off...

check_pkg_installed() {
   opkg status $1 | grep installed > /dev/null
}

install_if_not_installed() {
   for pkg in $@; do
      check_pkg_installed $pkg
      [  $? -ne 0 ] && opkg install $pkg
   done
}

install_after_upgrade() {
   local PACKAGES="luci-ssl luci-proto-relay htop iperf3 wireless-tools"
   local INSTALLED=/etc/config/auto_installed_on_upgrade
   if [ ! -f $INSTALLED ]; then
      #Wait for connection
      sleep 30
      opkg update
      install_if_not_installed $PACKAGES
      [ $? -eq 0 ] && echo $PACKAGES > $INSTALLED
      #Don't need odhcp and dnsmasq which are enabled by default
      /etc/init.d/dnsmasq stop
      /etc/init.d/dnsmasq disable
      /etc/init.d/odhcpd stop
      /etc/init.d/odhcpd disable
      #Restart http server now that we have ssl so we can login
      /etc/init.d/uhttpd restart
   fi
}

Has worked well for me upgrading from 19.07.2 to 19.07.3 and from 19.07.3 to 19.07.4

You just need to manually list your non default packages in local PACKAGES= and adapt/remove the services actions

1 Like