In order to let devices that connect to the guest WiFi (172.10.3.0/24) access the local VPN server 192.168.1.4:443, I wrote a customized rule as follows:
which works well after restarting the firewall. But it won't survive a reboot of my OpenWRT router, since this rule will be loaded before a DNS server is available.
Is there a way to let this rule take effect after a proper DNS server is functional? How do I do that?
Edit: The domain name my_vpn_domain.com is pointing to the IP address obtained from the ISP.
The rule will get added the moment the wan interface comes up, and your DNS will of course then be available to resolve queries.
NOTE: this hotplug script will be called whenever the network settings get changed, so you probably need to put a rule in your script first to delete the rule you added. If you don't do this, it's possible you'll get multiple copies of the rule added whenever the network config gets changed.
If I understand you correctly, though, the my_vpn_domain.com is actually the IP address of your wan interface, in which case you could use something like $(uci get network.wan.ipaddr) in the rule to add it instead of using a dns canonical name, which is super inefficient and will force multiple dns lookups and is generally a bad idea. But then again, not sure if I understand you correctly since that type of redirection seems a little odd - it would be better to redirect from a fixed internal IP rather than the wan ip.
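The approach described in this reply, as an added example that is not from the thread: an iface hotplug script that adds the DNAT rule only once the wan interface is up, reads the wan IP instead of a hostname (so no DNS lookup is needed), and checks for the rule before inserting so repeated hotplug events do not stack duplicates. The script path, the `prerouting_rule` user chain of OpenWrt's iptables firewall, and the fallback to `/lib/functions/network.sh` for a DHCP wan are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Intended location (assumed):
# /etc/hotplug.d/iface/99-guest-vpn-dnat
# Guest subnet and VPN server come from the thread; the chain name follows
# OpenWrt's iptables firewall, which keeps custom NAT rules in prerouting_rule.

GUEST_NET="172.10.3.0/24"
VPN_SERVER="192.168.1.4:443"
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised without root

# Current wan IPv4 address: static address from UCI first, otherwise the
# runtime address (DHCP/PPPoE) via OpenWrt's network.sh helpers (assumed available).
wan_ip() {
    addr="$(uci -q get network.wan.ipaddr)"
    if [ -z "$addr" ] && [ -r /lib/functions/network.sh ]; then
        . /lib/functions/network.sh
        network_get_ipaddr addr wan
    fi
    echo "$addr"
}

# Match and target of the rule; $1 is the address the guests dial
# (the wan IP here, or the guest bridge IP if you redirect internally).
rule_args() {
    echo "-s $GUEST_NET -d $1 -p tcp --dport 443 -j DNAT --to-destination $VPN_SERVER"
}

# Insert the rule only if it is not already present (-C returns non-zero when
# the rule is missing), so every network reload leaves exactly one copy.
ensure_rule() {
    set -- $(rule_args "$1")
    if "$IPTABLES" -t nat -C prerouting_rule "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t nat -I prerouting_rule "$@"
}

# Hotplug entry point: ACTION and INTERFACE are set by OpenWrt's hotplug system.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "wan" ]; then
    addr="$(wan_ip)"
    [ -n "$addr" ] && ensure_rule "$addr"
fi
```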
Yeah, that is actually my wan IP. However, I just don't know how to put the correct command in a customized rule. Tried every way, but restarting the firewall still results in failure.
Edit: Thank you a lot for the hint. I found it in an old thread and got the solution:
Given that these clients are on your private guest lan, I still don't see why you are connecting them to the wan interface and using the redirection on your wan interface? This seems odd and potentially a security risk unless you've got the vpn server running on your wan interface anyway because you need access from outside.
But even if this is the case, you can still tell your guest lan clients to connect to an internal IP instead. Just redirect from the br-guest ip.
So, assuming your guest br-lan IP address is 172.10.3.1, you'd use something like
instead, and then you don't need a hotplug-based rule. You could just put the rule in /etc/firewall.user.
Those two endpoint addresses are IPv4 addresses, not IPv6 addresses, and the connection is actually IPv4. It happens because the server is listening on an AF_INET6 socket, which can accept both IPv4 and IPv6 connections.
Actually, I have tried using uci but failed. It's probably because what I am using is a compiled master branch.
There would be no further security risks, since the VPN service is also open to the wan. The purpose of the customized rule is to let me access the VPN service both at home on the local network and at other places on an outside network, without changing the settings on the VPN client side.