Opkg update - minor issue /

ervin23 · October 18, 2020, 10:55am

This is really not urgent more a little annoying .... so a hint from you will do

My Linksys WRT1900ACS OpenWRT is running 20+ clients on multiple Wireguard interfaces with VPN policy routing in a DMZ on a ASUS AC86U ...... this is stable and highly efficient.

The "opkg update" does only work after several attempts to get connected .... I decided to go from openWrt release to release, so this is not a severe issue I am more interested in finding out why it doesn't work.

The main router ASUS is on a 192.168.1.0/24 net with the router as 192.168.1.1, and it's running clients split on openvpn and directly to WAN.

The Linksys is running a 192.168.2.0/24 net with 192.168.2.1 on the router (gateway and DNS 192.168.1.1) .... DNS: 1 public and 1 wireguard server to each client.
The WAN side is in the ASUS DMZ (DHCP) with the address 192.168.1.236, DNS DHCP feeded from ASUS (1 public & 1 openvpn)

Public and VPN DNS servers are defined by my VPN provider (openvpn and wireguard)

any hints ?

ergamus · October 18, 2020, 1:03pm

What kind of error does opkg return, connection or domain name lookup related? Does nslookup on various public domains ever return a timeout or NX?

ervin23 · October 18, 2020, 9:28pm

The errors below from Luci .... I do the command line "opkg update" 2 sec later and everything is fine

Collected errors:
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

ervin23 · October 18, 2020, 9:28pm

.... 5 sec later from the command line .... now it doesn't work:

Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz

Downloading http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/targets/mvebu/cortexa9/kmods/4.14.195-1-a92a3f5c5bed2671533484c7ace9d5b5/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.4/packages/arm_cortex-a9_vfpv3-d16/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

root@OpenWrt:~#

ervin23 · October 18, 2020, 9:28pm

ping and traceroute shows "bad address 'openwrt.org'"

I refresh the Luci web interface and bingo it works:

PING openwrt.org (139.59.209.225): 56 data bytes
64 bytes from 139.59.209.225: seq=0 ttl=54 time=21.030 ms
64 bytes from 139.59.209.225: seq=1 ttl=54 time=24.146 ms
64 bytes from 139.59.209.225: seq=2 ttl=54 time=23.909 ms
64 bytes from 139.59.209.225: seq=3 ttl=54 time=24.544 ms
64 bytes from 139.59.209.225: seq=4 ttl=54 time=19.420 ms

--- openwrt.org ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 19.420/22.609/24.544 ms

The command line "opkg update" is also ok

Strange behavior

ervin23 · October 18, 2020, 9:29pm

Error on luci update ---- ok on command line

nslookup:

Server: 127.0.0.1
Address: 127.0.0.1#53

error

I refresh the web interface:

root@OpenWrt:~# nslookup openwrt.org
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1

ergamus · October 18, 2020, 4:44pm

Is it possible your VPN routing policy is making dnsmasq send DNS queries to the wrong Wireguard endpoint on the first couple of tries?

What comes to mind is that nslookup might use one DNS server, return a fail and then use the second DNS server and return a valid result.

vgaetera · October 19, 2020, 2:41pm

It's best to disable peer DNS for all interfaces and configure a public DNS provider on the WAN interface that should be reachable no matter the current routing policy:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

ervin23 · October 19, 2020, 2:37pm

Good view .... actually the main router flashed DNS to the Wireguard router in scope ....the DNS's are 1 public and 1 in tunnel openvpn server / the reason why the clients are doing well is
that each client get the right DNS servers through dhcp (1 public & 1 in tunnel wireguard server)
You are spot on ... thank you

ervin23 · October 19, 2020, 2:41pm

.... and your implementation advice was actually the solution to the problem / thank you

DMZ'ing the wireguard router is asking for trouble /