Opkg update - minor issue /

This is really not urgent more a little annoying .... so a hint from you will do :slight_smile:

My Linksys WRT1900ACS OpenWRT is running 20+ clients on multiple Wireguard interfaces with VPN policy routing in a DMZ on an ASUS AC86U ...... this is stable and highly efficient.

The "opkg update" only works after several attempts to get connected .... I decided to go from OpenWrt release to release, so this is not a severe issue; I am more interested in finding out why it doesn't work.

The main router ASUS is on a 192.168.1.0/24 net with the router as 192.168.1.1, and it's running clients split on openvpn and directly to WAN.

The Linksys is running a 192.168.2.0/24 net with 192.168.2.1 on the router (gateway and DNS 192.168.1.1) .... DNS: 1 public and 1 wireguard server to each client.
The WAN side is in the ASUS DMZ (DHCP) with the address 192.168.1.236, DNS DHCP fed from ASUS (1 public & 1 openvpn)

Public and VPN DNS servers are defined by my VPN provider (openvpn and wireguard)

any hints ?

1 Like

What kind of error does opkg return, connection or domain name lookup related? Does nslookup on various public domains ever return a timeout or NX?

1 Like

The errors below from Luci .... I do the command line "opkg update" 2 sec later and everything is fine :slight_smile:

Collected errors:
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

.... 5 sec later from the command line .... now it doesn't work:

Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

root@OpenWrt:~#

ping and traceroute show "bad address 'openwrt.org'"

I refresh the Luci web interface and bingo it works:

PING openwrt.org (139.59.209.225): 56 data bytes
64 bytes from 139.59.209.225: seq=0 ttl=54 time=21.030 ms
64 bytes from 139.59.209.225: seq=1 ttl=54 time=24.146 ms
64 bytes from 139.59.209.225: seq=2 ttl=54 time=23.909 ms
64 bytes from 139.59.209.225: seq=3 ttl=54 time=24.544 ms
64 bytes from 139.59.209.225: seq=4 ttl=54 time=19.420 ms

--- openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 19.420/22.609/24.544 ms

The command line "opkg update" is also ok

Strange behavior :slight_smile:

Error on luci update ---- ok on command line

nslookup:

Server: 127.0.0.1
Address: 127.0.0.1#53

error

I refresh the web interface:

root@OpenWrt:~# nslookup openwrt.org
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1

Is it possible your VPN routing policy is making dnsmasq send DNS queries to the wrong Wireguard endpoint on the first couple of tries?

What comes to mind is that nslookup might use one DNS server, return a fail and then use the second DNS server and return a valid result.

2 Likes

It's best to disable peer DNS for all interfaces and configure a public DNS provider on the WAN interface that should be reachable no matter the current routing policy:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

1 Like
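The two replies above suspect that dnsmasq sometimes forwards to a resolver that is only reachable through a tunnel, and advise fixed resolvers on WAN. As an added example (not code from the thread), this script probes each upstream resolver on its own and then applies that advice with `uci`. Assumptions: the resolver list is in `/tmp/resolv.conf.auto`, the upstream interface is named `wan`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: OpenWrt 19.07 lists DHCP-learned resolvers in this file.
RESOLV_AUTO="${RESOLV_AUTO:-/tmp/resolv.conf.auto}"

# lookup NAME SERVER: succeed only if SERVER itself resolves NAME.
# Assumption: nslookup exits non-zero on timeout or lookup failure.
lookup() {
    nslookup "$1" "$2" >/dev/null 2>&1 </dev/null
}

# probe_resolvers NAME: query every upstream resolver directly, bypassing
# dnsmasq on 127.0.0.1, which hides which server failed.
# Prints "OK <ip>" or "FAIL <ip>"; returns the number of failures.
probe_resolvers() {
    name="$1"; failed=0
    while read -r key ip rest; do
        [ "$key" = "nameserver" ] || continue
        if lookup "$name" "$ip"; then
            echo "OK $ip"
        else
            echo "FAIL $ip"
            failed=$((failed + 1))
        fi
    done < "$RESOLV_AUTO"
    return "$failed"
}

# pin_wan_dns SERVER...: the fix advised above. Ignore DHCP-pushed
# resolvers on wan and set fixed ones reachable under any routing policy.
# Assumption: the upstream interface is named "wan".
# Apply afterwards with: /etc/init.d/network restart
pin_wan_dns() {
    uci set network.wan.peerdns='0'
    uci -q delete network.wan.dns
    for server in "$@"; do
        uci add_list network.wan.dns="$server"
    done
    uci commit network
}

# Stand-alone use: sh probe.sh openwrt.org
if [ "$#" -gt 0 ]; then
    probe_resolvers "$1"
fi
```

A `FAIL` line for a resolver that is only reachable inside a tunnel matches the intermittent `bad address` result shown earlier in the thread.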

Good view .... actually the main router flashed DNS to the Wireguard router in scope .... the DNS's are 1 public and 1 in tunnel openvpn server / the reason why the clients are doing well is that each client gets the right DNS servers through dhcp (1 public & 1 in tunnel wireguard server)
You are spot on ... thank you

.... and your implementation advice was actually the solution to the problem / thank you

DMZ'ing the wireguard router is asking for trouble /

1 Like