Hi,
Setup:
Router is configured to access Intermet only via VPN with OpenVPN.
If OpenVPN connection drops, Router blocks Internet access to all devices (KILL SWITCH)
For privacy, I have also configured the LAN interface to use OpenDNS
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv4 'server'
option leasetime '1'
list dhcp_option '6,208.67.222.222,208.67.220.220'
list ra_flags 'none'
Lastly, one device on my local network is 'Bypassing VPN'
config vpnbypass 'config'
option enabled '1'
list localsubnet '192.168.8.50'
Ok so this works fine...well almost!
Problem:
Whenever (list dhcp_option '6,208.67.222.222,208.67.220.220') is set, the local device's hostname is not locally resolved anymore.
sergio@M93p:~$ ping spirarevault
ping: spirarevault: Temporary failure in name resolution
Goal:
I need DNS privacy and don't want to use the ISP's DNS
I need the local devices (on LAN) hostname to be resolved
What I have tried:
I removed (list dhcp_option '6,208.67.222.222,208.67.220.220') from LAN Interface and set in the WAN DNS servers while disabling peer DNS.
Then, the local device's hostname does resolve BUT the device 192.168.8.50 bypassing VPN can't resolve any Internet DNS anymore !?!
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option hostname '*'
option type 'bridge'
option peerdns '0'
list dns '208.67.220.220'
list dns '208.67.222.222'
I hope this all makes sense and that someone can help me resolve this.
Any hits would greatly be appreciated.
Here is the full Router config:
"kernel": "5.15.53",
"hostname": "R4Router",
"system": "ARMv8 Processor rev 4",
"model": "FriendlyElec NanoPi R4S",
"board_name": "friendlyelec,nanopi-r4s",
"release": {
"distribution": "OpenWrt",
"version": "21.02.3",
"revision": "r16554-1d4dea6d4f",
"target": "rockchip/armv8",
"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd00:ab:cd::/48'
config device
option name 'eth0'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option hostname '*'
option type 'bridge'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config device
option name 'eth1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.8.1'
config interface 'docker'
option device 'docker0'
option proto 'none'
option auto '0'
config device
option type 'bridge'
option name 'docker0'
config interface 'EXPRESS_VPN'
option proto 'none'
option device 'tun0'
option peerdns '0'
config interface 'WG0'
option proto 'wireguard'
option listen_port '51820'
list addresses '10.0.0.1/32'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option nohostroute '1'
option peerdns '0'
config wireguard_WG0
option description 'Spiramentum'
list allowed_ips '10.0.0.2/32'
option endpoint_host 'www.xxxxxxxxxxx.xx'
option persistent_keepalive '25'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option endpoint_port '51820'
option route_allowed_ips '1'
config interface 'Bullet'
option auto '0'
option type 'bridge'
option device 'eth0'
option proto 'dhcp'
config interface 'wwan'
option proto 'dhcp'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option rebind_protection '1'
option domain 'spirare'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv4 'server'
option leasetime '1'
list dhcp_option '6,208.67.222.222,208.67.220.220'
list ra_flags 'none'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option dns '1'
option mac 'xx:xx:xx:xx:xx:xx'
option ip '192.168.8.50'
option name 'JoanneTab'
config host
option name 'M93p'
option dns '1'
option mac 'xx:xx:xx:xx:xx:xx'
option ip '192.168.8.30'
config host
option dns '1'
option mac 'xx:xx:xx:xx:xx:xx'
option ip '192.168.8.60'
option name 'spirarevault'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'WG0'
list network 'Bullet'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wwan'
option input 'REJECT'
option forward 'REJECT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone 'docker'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'docker'
list network 'docker'
config zone
option name 'Ex_VPN'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
list network 'EXPRESS_VPN'
config forwarding
option src 'lan'
option dest 'Ex_VPN'
config rule
option name 'wg0'
option target 'ACCEPT'
option src 'lan'
list src_ip '10.0.0.2'
option dest 'wan'
list dest_ip '10.0.0.1'
option enabled '0'