I am a noob here. Last month I bought a BTHH5A with ready-made OpenWrt (19.07.04) installed. I could configure it to suit my home needs and it's working very well. I could install protonvpn (free pack) on the tun0 device and it is working fine.
I've noticed a strange behaviour about DNS resolution. While on the VPN, the router fails to resolve DNS, however the wifi clients have absolutely no problem. They can connect to protonvpn's DNS server. I guess they request the router and the router forwards it to the server in /var/resolv.conf.vpn.
But the router can't do it on its own. I sshed into the router and executed nslookup bbc.co.uk, only to find the error: ;; connection timed out; no servers could be reached
When I switch off the VPN, I get exactly the opposite behaviour. The router can reach Virgin Media (= my ISP) DNS servers, but the wifi clients can't.
I've got a public IP on my WAN. Am I missing something obvious here?
Post the output redacting the private parts when the VPN is connected:
uci show network; uci show firewall; uci show dhcp; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
ip address show; ip route show table all; ip rule show
Thank you for your response. There is so much info available that I could not pinpoint the relevant details. Anyway, here are the outputs you requested.
--------------------------------------------------------------
uci show network;
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdbb:473b:26a6::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.ds_snr_offset='0'
network.dsl.tone='a'
network.dsl.annex='b'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.0.1'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='84:a4:23:18:3e:0d' # fake
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.macaddr='96:11:22:33:44:55'
network.wan_dsl0_dev=device
network.wan_dsl0_dev.name='dsl0'
network.wan_dsl0_dev.macaddr='84:a4:23:18:3e:0e' # fake
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
network.tun0if=interface
network.tun0if.ifname='tun0'
network.tun0if.proto='none'
--------------------------------------------------------------
uci show firewall;
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].dest_port='6174' # fake
firewall.@redirect[0].src='wan'
firewall.@redirect[0].name='ssh on wan'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.0.1'
firewall.@redirect[0].src_dport='31749' # fake
firewall.@rule[9]=rule
firewall.@rule[9].src='lan'
firewall.@rule[9].name='kindle'
firewall.@rule[9].dest='wan'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].stop_time='09:00:00' # fake
firewall.@rule[9].src_mac='51:AB:F0:84:6B:19' # fake
firewall.@rule[9].start_time='10:00:00' # fake
firewall.@zone[2]=zone
firewall.@zone[2].network='tun0'
firewall.@zone[2].name='tun0fwz'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].device='tun0'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='tun0fwz'
firewall.@forwarding[1].src='lan'
--------------------------------------------------------------
uci show dhcp;
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].sequential_ip='1'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='2'
dhcp.lan.limit='253'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@host[0]=host
dhcp.@host[0].mac='00:02:4E:80:11:72' # fake
dhcp.@host[0].ip='192.168.0.2'
dhcp.@host[0].name='host2' # fake
dhcp.@host[0].dns='1'
dhcp.@host[0].leasetime='infinite'
dhcp.@host[1]=host
dhcp.@host[1].mac='00:41:6A:5B:82:8D'
dhcp.@host[1].ip='192.168.0.3'
dhcp.@host[1].name='host3' # fake
dhcp.@host[1].dns='1'
dhcp.@host[1].leasetime='infinite'
....... long list of hosts removed .......
dhcp.@host[22]=host
dhcp.@host[22].mac='00:B3:6C:38:2B:71' # fake
dhcp.@host[22].ip='192.168.0.24'
dhcp.@host[22].name='unknown' # fake
dhcp.@host[22].dns='1'
dhcp.@host[22].leasetime='infinite'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='2'
dhcp.guest.limit='253'
dhcp.guest.leasetime='1h'
--------------------------------------------------------------
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*;
==> /etc/resolv.conf <==
# Interface wan
nameserver 194.168.4.100
nameserver 194.168.8.100
search cable.virginm.net
==> /tmp/resolv.conf <==
# Interface wan
nameserver 194.168.4.100
nameserver 194.168.8.100
search cable.virginm.net
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 194.168.4.100
nameserver 194.168.8.100
search cable.virginm.net
==> /tmp/resolv.conf.vpn <==
nameserver 10.20.0.1
head: /tmp/resolv.*/*: No such file or directory
--------------------------------------------------------------
ip address show;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 74:b8:dd:60:31:7c brd ff:ff:ff:ff:ff:ff # fake
inet6 fe80::f8ae:ceff:fe43:569/64 scope link
valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 96:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
inet 86.10.53.36/22 brd 86.10.55.255 scope global eth0.2 # fake
valid_lft forever preferred_lft forever
inet6 fe80::9411:22ff:fe33:4455/64 scope link
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 84:a4:23:18:3e:0d brd ff:ff:ff:ff:ff:ff # fake
inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fdbb:473b:26a6::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::86a4:23ff:fe06:4ffa/64 scope link
valid_lft forever preferred_lft forever
11: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether 84:a4:23:18:3e:0d brd ff:ff:ff:ff:ff:ff # fake
12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether c8:91:f9:48:37:2a brd ff:ff:ff:ff:ff:ff # fake
inet6 fe80::ca91:f9ff:fe3b:1cbf/64 scope link
valid_lft forever preferred_lft forever
13: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether c8:91:f9:48:37:2b brd ff:ff:ff:ff:ff:ff # fake
inet6 fe80::ca91:f9ff:fe3b:1cbe/64 scope link
valid_lft forever preferred_lft forever
19: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.20.0.22/16 brd 10.20.255.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::eb97:ba2a:4e01:af28/64 scope link stable-privacy
valid_lft forever preferred_lft forever
--------------------------------------------------------------
ip route show table all;
0.0.0.0/1 via 10.20.0.1 dev tun0
default via 86.10.53.1 dev eth0.2 proto static src 86.10.53.36 # fake
10.20.0.0/16 dev tun0 proto kernel scope link src 10.20.0.22
86.10.53.0/22 dev eth0.2 proto kernel scope link src 86.10.53.36 # fake
128.0.0.0/1 via 10.20.0.1 dev tun0
166.58.105.217 via 86.10.53.1 dev eth0.2 # fake
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
broadcast 10.20.0.0 dev tun0 table local proto kernel scope link src 10.20.0.22
local 10.20.0.22 dev tun0 table local proto kernel scope host src 10.20.0.22
broadcast 10.20.255.255 dev tun0 table local proto kernel scope link src 10.20.0.22
broadcast 86.10.53.0 dev eth0.2 table local proto kernel scope link src 86.10.53.36 # fake
local 86.10.53.36 dev eth0.2 table local proto kernel scope host src 86.10.53.36 # fake
broadcast 86.10.55.255 dev eth0.2 table local proto kernel scope link src 86.10.53.36 # fake
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
fdbb:473b:26a6::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdbb:473b:26a6::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fdbb:473b:26a6:: dev br-lan table local proto kernel metric 0 pref medium
local fdbb:473b:26a6::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::86a4:23ff:fe06:4ffa dev br-lan table local proto kernel metric 0 pref medium
local fe80::9411:22ff:fe33:4455 dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::ca91:f9ff:fe3b:1cbe dev wlan1 table local proto kernel metric 0 pref medium
local fe80::ca91:f9ff:fe3b:1cbf dev wlan0 table local proto kernel metric 0 pref medium
local fe80::eb97:ba2a:4e01:af28 dev tun0 table local proto kernel metric 0 pref medium
local fe80::f8ae:ceff:fe43:569 dev eth0 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
--------------------------------------------------------------
ip rule show;
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
--------------------------------------------------------------
The changed details are tagged as fake. The public IP addresses 86.10.. are all fake, but I used a subnet calculator to make them appear real and consistent. Sorry for my noobity. Hope this helps.
Thanks for the suggestions. I did both the changes. But still there is something going wrong.
I have to run the VPN to get DNS resolution going. When the VPN is running, the nameserver 10.16.0.1 listed in /tmp/resolv.conf.vpn is working correctly. /etc/resolv.conf is pointing to /tmp/resolv.conf. Here are the resolv files:
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*;
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
==> /tmp/resolv.conf.vpn <==
nameserver 10.16.0.1
head: /tmp/resolv.*/*: No such file or directory
But when I turn off the VPN, /tmp/resolv.conf still holds the old value. It should become a link pointing to /tmp/resolv.conf.auto, right? /etc/resolv.conf is still pointing to /tmp/resolv.conf. I can't connect to the VPN because DNS resolution is not available.
After some time, the router disconnects (maybe crashes....?). Now even the ISP's DNS servers are not available. I had to manually copy 8.8.8.8 and 8.8.4.4 to /tmp/resolv.conf and restart the network service.
The wifi clients still can't get DNS resolved, but the router can. Now I can connect to the VPN. /tmp/resolv.conf is back to the values listed above. The manual changes I added are lost.
Looks like the VPN is toying with my /tmp/resolv.conf. Can I obtain a tcpdump so as to trace DNS calls? If yes, which interface do I dump?
19 dec has just started. So I did it.
Yeah, that's working. Thanks a lot, mate. I will test thoroughly in the morning.
Bye for now. I am off to fairyland!
-Gamma
p.s. : I have some more setup problems. Will write a separate post.
Finally, after returning from fairyland, I tested the changes you suggested. I could see that the protonvpn-supplied script was messing with the /tmp/resolv.conf* files. The (down) option in the client script should be changed from reversing the DHCP to assigning the resolv file, as you suggested.
I rolled back the other two changes you suggested, namely:
Disable peer DNS and configure a public DNS provider
Enforce dnsmasq for local system
I can still connect to the DNS services with and without the VPN. This confirmed that the offending script option is the only cause of my problem.
I've no idea where protonvpn got this idea from. Perhaps they are making some DHCP config changes which they intend to roll back....? Of course this question is of no immediate relevance here, so I plan to ask them later. Let us see how it goes.
Thank you for your clear and quick guidance. I am marking the change in the script as the solution.
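The resolution the thread arrives at (the VPN client's down action must assign dnsmasq's resolv file rather than rewrite /tmp/resolv.conf*) can be shown as an OpenVPN up/down handler. This is an added example, not ProtonVPN's script and not code from the original posts. It assumes OpenVPN's standard script environment (script_type set to up or down, and pushed DNS servers arriving as foreign_option_N="dhcp-option DNS a.b.c.d"), that dnsmasq reads /tmp/resolv.conf.vpn as its resolvfile exactly as in the posted uci output, and that /tmp/resolv.conf.auto holds the WAN-learned servers. The RESOLV_DIR override, the is_ipv4 sanity check and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: OpenVPN up/down handler for OpenWrt that feeds the pushed DNS
# server to dnsmasq through its dedicated resolvfile (/tmp/resolv.conf.vpn in
# the thread) and never touches /tmp/resolv.conf, which netifd owns.
# Assumption: OpenVPN exports script_type and foreign_option_N as usual.

RESOLV_DIR="${RESOLV_DIR:-/tmp}"            # overridable for testing outside /tmp
VPN_RESOLV="$RESOLV_DIR/resolv.conf.vpn"    # file dnsmasq is configured to read
ISP_RESOLV="$RESOLV_DIR/resolv.conf.auto"   # WAN DNS written by netifd

# Sanity check on a pushed value: four dotted decimal octets, each 0-255.
# A VPN server can push arbitrary text here, so do not write it blindly.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    rest="$1."
    n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}
        rest=${rest#*.}
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Print every valid DNS address the server pushed, one per line.
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#dhcp-option DNS }
                is_ipv4 "$addr" && echo "$addr" ;;
        esac
        i=$((i + 1))
    done
    return 0
}

reload_dnsmasq() {
    # Real reload only on an OpenWrt box; a no-op anywhere else.
    if [ -x /etc/init.d/dnsmasq ]; then
        /etc/init.d/dnsmasq reload || true
    fi
}

vpn_up() {
    servers=$(pushed_dns)
    if [ -z "$servers" ]; then
        echo "vpn_up: no usable DNS server pushed, leaving $VPN_RESOLV alone" >&2
        return 1
    fi
    # Write to a temp file and rename so dnsmasq never polls a half-written file.
    : > "$VPN_RESOLV.tmp"
    for s in $servers; do
        echo "nameserver $s" >> "$VPN_RESOLV.tmp"
    done
    mv "$VPN_RESOLV.tmp" "$VPN_RESOLV"
    reload_dnsmasq
}

vpn_down() {
    # Hand dnsmasq the ISP servers again instead of "reversing DHCP".
    if [ ! -r "$ISP_RESOLV" ]; then
        echo "vpn_down: $ISP_RESOLV missing, cannot restore ISP DNS" >&2
        return 1
    fi
    if ! grep '^nameserver ' "$ISP_RESOLV" > "$VPN_RESOLV.tmp"; then
        echo "vpn_down: no nameserver lines in $ISP_RESOLV" >&2
        rm -f "$VPN_RESOLV.tmp"
        return 1
    fi
    mv "$VPN_RESOLV.tmp" "$VPN_RESOLV"
    reload_dnsmasq
}

# Dispatch on the action OpenVPN is performing; nothing runs when sourced.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Wired into the client config with `script-security 2`, `up /path/to/this-script` and `down /path/to/this-script`, the only file that changes across a VPN up/down cycle is /tmp/resolv.conf.vpn. Because the router itself resolves through dnsmasq (nameserver 127.0.0.1 in /etc/resolv.conf, as in the second set of resolv files above), both the router and the LAN clients follow whatever that file holds, which is the behaviour the thread ends up with.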