OpenWrt host and luci have no internet after setting up external AdguardHome. Lan is working fine

Reconvene9657 · March 13, 2023, 5:36pm

I am sure I messed up something, but I can't seem to figure out how to fix this.

Set up AdguardHome on a separete host. IP 10.1.1.20

Devices on lan are getting internet access correctly. But openwrt does not have internet.
I tried changing dns server on wan interface, but doesnt seem to do anything.

Thanks for your help.

~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=119 time=7.686 ms
64 bytes from 8.8.8.8: seq=1 ttl=119 time=8.110 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.686/7.898/8.110 ms

~ # ping google.com
ping: bad address 'google.com'

My setup is as follows:
cat /etc/config/dhcp

~ # cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '54'
	option noresolv '0'
	option cachesize '1000'
	option rebind_protection '0'
	list server '10.1.1.20'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,10.1.1.20'
	list dhcp_option '3,10.1.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

~ # cat /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

cat /etc/config/network

~ # cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd18:04cd:600f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.1.1.1'
	option delegate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'

frollic · March 13, 2023, 5:41pm

what does /etc/resolv.conf and /tmp/resolv.conf.d/resolv.conf.auto contain ?

Reconvene9657 · March 13, 2023, 5:46pm

Thanks.

cat /etc/resolv.conf

~ # cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1

cat /tmp/resolv.conf.d/resolv.conf.auto

~ # cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface vpn
nameserver 10.1.1.20
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1

frollic · March 13, 2023, 5:48pm

how does the VPN DNS come into the picture ?

does nslookup google.com 1.1.1.1 and nslookup google.com 10.1.1.20 work ?

Reconvene9657 · March 13, 2023, 5:51pm

There is indeed a vpn wireguard interface in network config.

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'masked'
	option listen_port 'masked'
	list addresses 'masked/24'
	option peerdns '0'
	list dns '10.1.1.20'

nslookup results

~ # nslookup google.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1:53

Non-authoritative answer:
Name:	google.com
Address: 142.250.80.78

Non-authoritative answer:
Name:	google.com
Address: 2607:f8b0:4006:80d::200e

~ # nslookup google.com 10.1.1.20
Server:		10.1.1.20
Address:	10.1.1.20:53

Non-authoritative answer:
Name:	google.com
Address: 2607:f8b0:4002:c09::64
Name:	google.com
Address: 2607:f8b0:4002:c09::8b
Name:	google.com
Address: 2607:f8b0:4002:c09::71
Name:	google.com
Address: 2607:f8b0:4002:c09::65

Non-authoritative answer:
Name:	google.com
Address: 142.250.177.46

frollic · March 13, 2023, 6:17pm

is the router traffic also supposed to go via the VPN tunnel, or only the traffic from the clients ?`

Reconvene9657 · March 13, 2023, 6:20pm

I set the Adguard dns for vpn interface so that vpn connections can access local hostnames. But only wireguard connections are supposed to go through vpn tunnel.

Reconvene9657 · March 13, 2023, 6:23pm

also, lan interface is advertising adguard ip via dhcp option 6. and lan clients are connecting to the dns server just fine. its just the openwrt host which cannot.

frollic · March 13, 2023, 6:25pm

not sure you need the DNS IP in the VPN config, I'd probably put it on the clients, via DHCP, assuming all clients are supposed to use it, all the time.

but I'm no VPN expert

Reconvene9657 · March 13, 2023, 6:30pm

sure, yea. I can try changing it and see how it works. Its been a while since I used wireguard since I just connect via tailscale these days.

But coming back to my original question, is there anything I misconfigured because of which the openwrt host is not being able to connect to internet?

frollic · March 13, 2023, 6:33pm

it is able to connect to internet, since ping works, it's the DNS that isn't working.
I wouldn't have added the VPN DNS to the WAN interface, but again, I'm no expert.

Reconvene9657 · March 13, 2023, 6:36pm

vpn dns is not on wan.

local adguard instance is on ip 10.1.1.20

I have 3 interfaces: lan, vpn and wan.

lan clients reach adguard dns via option 6
vpn interface have adguard set as dns server
wan interface have cloudflare set as dns server.

still ping google.com fails.

frollic · March 13, 2023, 6:38pm

/tmp/resolv.conf.d/resolv.conf.auto wouldn't agree with you ...

Reconvene9657 · March 13, 2023, 6:38pm

I just removed dns from vpn. still the same

~ # cat /etc/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1
~ # cat /tmp/resolv.conf
search lan
nameserver 127.0.0.1
nameserver ::1
~ # cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1
~ # ping google.com
ping: bad address 'google.com'

frollic · March 13, 2023, 7:55pm

Just out of curiosity, what does opkg update say?

Reconvene9657 · March 13, 2023, 9:50pm

~ # opkg update
Downloading https://downloads.openwrt.org/releases/22.03.3/targets/x86/64/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/targets/x86/64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/routing/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/telephony/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/targets/x86/64/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

fuad00 · May 19, 2023, 8:42pm

any updates?

zerojj · September 6, 2023, 8:14pm

The same problem. For me help this

uci -q delete network.wan.dns
uci add_list network.wan.dns="8.8.8.8"
uci commit dhcp
uci commit network
/etc/init.d/network restart
/etc/init.d/dnsmasq restart
/etc/init.d/odhcpd restart