OpenWrt on an RPi - Issues and advice

Good evening.
Briefly, I have OpenWrt 22.0.3 installed on an RPi working as a "router on a stick". See this link, please:

Basically the cable that comes from the ONT of my ISP connects to port 8 of the switch (VLAN 12, WAN). Switch port 1 is connected to the RPi with OpenWrt installed (VLAN 1, LAN). Then all the devices on my network, including the access point, connect to ports 2-7 on the switch.
The system works (or worked) very well until I added new features to OpenWrt, such as the configuration of a WireGuard VPN from AzireVPN, as well as DNS over HTTPS.

At this moment I have WireGuard working and I have Internet on all devices. However, when I update the package lists in OpenWrt, the following error appears:
* opkg_download: Check your network settings and connectivity. The opkg update command failed with code 6.

Despite having read a lot about OpenWrt and its settings lately, I still have many doubts, especially about firewall zones, DNS forwarding, etc.

I leave the output of the following commands from my network:
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '2a0e:1c80:4:3c95::/64'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'LAN'
        option device 'br-lan'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option proto 'static'
        list ipaddr '192.168.2.1'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth0.12'
        option force_link '1'

config device
        option name 'Wireguard'
        option mtu '1420'

config device
        option name 'openvpn'
        option ipv6 '0'
        option mtu '1420'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.12'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list addresses '10.0.28.999/19'
        list addresses '2a0e:1c80:4:2000::1d99/64'

config wireguard_wg
        option description 'azirevpn'
        option public_key 'yyyyyyyyyyyyyyyyyyyyyyyyyy'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '1'
        option endpoint_host 'nl1.wg.azirevpn.net'
        option endpoint_port '51820'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option port '53'
        option readethers '1'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5054'
        list doh_backup_server '127.0.0.1#5053'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5053'
        list server '10.0.0.1'
        list server '2a0e:1c80:4:2000::1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN1'
        option interface 'VLAN1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'LAN'
        option interface 'LAN'
        option limit '150'
        option leasetime '12h'
        option start '20'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'WAN'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-IPSec-ESP'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-ISAKMP'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'WAN'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'LAN'

config zone
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option name 'WAN'
        list network 'WAN'
        list network 'wan6'

config rule
        list proto 'udp'
        option src '*'
        list src_ip '192.168.2.5'
        option src_port '25550'
        option dest '*'
        list dest_ip '192.168.2.1'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'WAN'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        list proto 'udp'
        option dest_ip '192.168.2.5'
        option src_dport '25550'
        option dest_port '25550'
        option src 'WAN'

config redirect
        option target 'DNAT'
        option name 'Wireguard LAN'
        option src 'lan'
        option dest_ip '192.168.2.5'
        option src_dport '25550'
        option dest_port '25550'
        option dest 'WAN'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'WAN'
        option dest 'lan'

config zone
        option name 'wan6zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'wgzone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WAN'
        list network 'wan6'
        list network 'wg'

config forwarding
        option src 'lan'
        option dest 'wgzone'

I would appreciate any advice on improving the stability and functioning of the system!

Best regards

You might want to edit the post and remove the preformatted tag for everything that isn't C&Ped from the CLI...


My first time posting on the forum. Is it right now!?

Thanks


You probably need to add a DNS IP and default gateway here.


I have some doubts about this part as well. Which gateway must I add to my LAN interface? My LAN interface is associated with the device br-lan, which is connected to bridge port eth0.1 (the connection between switch port 1 and my OpenWrt RPi).

I suspect the problem with updating the lists on my OpenWrt began after installing and enabling the HTTPS over DNS software. After that, by default, in Network / DHCP and DNS / Resolv and Hosts Files, the parameter "Ignore resolv file" is selected. As far as I know, this way OpenWrt is forced to use the "HTTP over DNS" DNS instead of OpenWrt's own DNS.

Feel free to make any suggestions or give advice.

Best regards.

I'd recommend starting over from scratch (make a backup first). You may have made a mess of things with the capitalization of WAN and LAN everywhere. The system is case sensitive, so if things aren't entirely consistent, it will fail to work properly.

Best practice is to use lowercase for network interface names and firewall zones. Everything is pre-configured for lan and wan (in lowercase) from a default config, with the exception of the fact that your pi obviously needs a wan added since it's a single port device. So... take the default config and only add the following:

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.12'

and edit the br-lan (as you have done in your existing config) to use eth0.1:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

From there, you should be able to run opkg to install packages and configure your VPN and whatever else you need.

Also, keep in mind that if you're running multiple VPNs, it's really important to consider what they might do in terms of interactions and/or routes. Start with just one VPN (I personally recommend WireGuard) and then test again.

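The case-sensitivity point above can be checked mechanically before (or instead of) a full reset. The script below is an added example written for this page, not code from the thread or from OpenWrt. It runs on constructed sample configs modelled on the posted files (the variables NETWORK_CFG, DHCP_CFG and FIREWALL_CFG and all function names are this example's own, not OpenWrt names) and reports every interface reference in dhcp/firewall and every zone reference in firewall that either has no matching definition or matches one only when letter case is ignored, which is exactly the 'lan' vs 'LAN' trap described above. On a real router you would load the actual files, e.g. `NETWORK_CFG=$(cat /etc/config/network)`.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the names that /etc/config/dhcp
# and /etc/config/firewall refer to against the names actually defined, because
# UCI section names are case sensitive ('lan' and 'LAN' are different interfaces).
# The three configs below are constructed sample input modelled on the posted
# files, trimmed to the options the check looks at.

NETWORK_CFG=$(cat <<'EOF'
config interface 'loopback'
        option device 'lo'
config interface 'LAN'
        option device 'br-lan'
config interface 'WAN'
        option device 'eth0.12'
config interface 'wan6'
        option device 'eth0.12'
config interface 'wg'
        option proto 'wireguard'
EOF
)

DHCP_CFG=$(cat <<'EOF'
config dhcp 'lan'
        option interface 'lan'
config dhcp 'wan'
        option interface 'wan'
config dhcp 'VLAN1'
        option interface 'VLAN1'
EOF
)

FIREWALL_CFG=$(cat <<'EOF'
config zone
        option name 'lan'
        list network 'LAN'
config zone
        option name 'WAN'
        list network 'WAN'
        list network 'wan6'
        list network 'wg'
config rule
        option src 'wan'
        option dest '*'
config forwarding
        option src 'WAN'
        option dest 'lan'
config forwarding
        option src 'lan'
        option dest 'wgzone'
EOF
)

# Strip UCI quoting so awk sees plain "config interface NAME" / "option key VALUE".
unquote() { printf '%s\n' "$1" | tr -d "'"; }

# Names defined in /etc/config/network: every "config interface NAME" stanza.
defined_interfaces() { unquote "$1" | awk '$1 == "config" && $2 == "interface" { print $3 }'; }

# Names referred to as interfaces: "option interface" (dhcp) and "list network" (firewall zones).
referenced_interfaces() {
    unquote "$1" | awk '($1 == "option" && $2 == "interface") || ($1 == "list" && $2 == "network") { print $3 }'
}

# Zone names: "option name" only inside "config zone" stanzas.
defined_zones() {
    unquote "$1" | awk '$1 == "config" { sect = $2 } sect == "zone" && $1 == "option" && $2 == "name" { print $3 }'
}

# Zone references: "option src"/"option dest" in rules, forwardings and redirects ('*' means any zone).
referenced_zones() {
    unquote "$1" | awk '$1 == "option" && ($2 == "src" || $2 == "dest") && $3 != "*" { print $3 }'
}

# Read references on stdin, compare against the defined names in $1 (byte for byte, as UCI does),
# and print one line per reference: "OK name", "CASE-MISMATCH name DefinedName" or "MISSING name".
check_names() {
    sort -u | while read -r ref; do
        status=MISSING; hint=""
        for d in $1; do
            if [ "$d" = "$ref" ]; then
                status=OK; hint=""; break
            elif [ "$(printf '%s' "$d" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$ref" | tr 'A-Z' 'a-z')" ]; then
                status=CASE-MISMATCH; hint=$d
            fi
        done
        printf '%s %s %s\n' "$status" "$ref" "$hint" | sed 's/ *$//'
    done
}

# Interface names used by dhcp and firewall zones must exist in /etc/config/network.
check_interfaces() {
    { referenced_interfaces "$DHCP_CFG"; referenced_interfaces "$FIREWALL_CFG"; } |
        check_names "$(defined_interfaces "$NETWORK_CFG")"
}

# Zone names used by rules, forwardings and redirects must be defined as zones.
check_zones() { referenced_zones "$FIREWALL_CFG" | check_names "$(defined_zones "$FIREWALL_CFG")"; }

echo "== interface references =="; check_interfaces
echo "== zone references =="; check_zones
```

Because the check only reads the files, it can be run against a backup before restoring it, which is a cheaper way to find the mismatches than guessing from symptoms. It also shows why the reset-to-lowercase advice works: with the default lan and wan names, every reference in dhcp and firewall already matches the defined interface and zone names without any edits.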

Thanks for your reply and suggestions. Later today I will work on them.

However, I still have some doubts. You recommend lowercase for all interfaces, lan, wan, wan6, wg, instead of LAN, WAN, WAN6, WG, correct? The same for the firewall zones?

I don't understand this...

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.12'

Must I add another config interface 'wan', keeping the default config posted previously?

And this...

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

You suggest editing the configuration, but as far as I can see the default config device br-lan is already like that.

Best regards

Correct. Use lowercase. The wan and lan are already preconfigured by default (except the network interface for wan on single port devices), so keeping them lowercase means that nothing has to change with any of the configs.

Your pi will not have a wan interface defined in the default state because it is a single port device. So, you need to define it. If you name it with lowercase, it will work with no extra configuration.
I just took your previous config and made it lowercase (and took out the force link option).

On the pi, I would expect br-lan to have eth0 as a member. You have made it tagged vlan 1. (Thus eth0.1). This was just a reminder to adjust that when you reset.


OK, I understand. Your suggestions are for the scenario where I make a new configuration from zero after doing a backup.

Is it not possible to edit the present configuration of network interfaces and firewall zones to lowercase and see what happens?

Note: I have a backup on another SD card of my OpenWrt setup with only the wan and lan interfaces.
After that I installed the WireGuard interface, PBR and DNS over HTTPS.

Thanks

It is certainly possible, but the reason to reset is that the process of fixing all the case sensitive names is error prone (and may be why you have issues in the first place). Resetting is faster and puts your router into a known good state.


Thanks for all the support, psherman.

I will work on this as soon as possible. I will reset my setup and start a new configuration.

After that I will come back with my feedback.

Best regards

Hi again!

Yesterday I performed a clean install of OpenWrt 22.0.3 on an RPi 1 B for testing purposes. All network interfaces and zones have been configured in lowercase.
Apparently everything is working correctly, and after a dozen reboots the WireGuard interface starts up perfectly and I have Internet on all devices on the network.
If necessary I can open another topic, but I have a question...
Right now my OpenWrt is configured as AzireVPN's WireGuard "client". If I want to also make it a server and connect it to my Android smartphone through the WireGuard app, do I have to add a new peer, automatically generate the credentials and generate the respective QR code?

Best regards

Sorry for the delay in responding here...

Fantastic!

You'll actually create a second WG interface for this purpose. But, if you're going to be running 2 instances like this, you'll need to use Policy Based Routing.

If you need help with this, a new thread would make sense.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Hi again. Absolutely no problem with the delay. :wink:

I tested PBR on OpenWrt before to bypass some devices from the WireGuard VPN. Is the principle the same?

Probably I will open a new topic, but if I understand correctly I must create a new WireGuard interface with a different name and set it up. Do I add the new interface to the lan firewall zone?

Many thanks again.

Yes, you'll create a new wireguard interface with a new name. If the remote peers are fully trusted (i.e. your own devices), you can safely associate this interface with your lan firewall zone. Personally, I like to create a new firewall zone and then setup forwarding allowances, but either approach will work the same way.


Thanks again.

Is the rule that I must create with PBR like the image shows?

Thanks again.

I’d recommend resolving this thread and creating a new one for your pbr questions.

