Hi so, in my quest for a network for my needs I have cheated a bit with openwrt.
These days I use this very fine firmware indeed and, of late, its WireGuard capabilities.
Alas;
A WNDR3700 does not bestow me the oomph to utilize the full bandwidth of my internet hookup. Sure, I can buy a GL.iNet GL-B1300 for ~€90 and that would be ok.
However, I already have an Odroid N2 running CoreELEC that doesn't really get to stretch its legs.
CoreELEC does come with WireGuard (at least the 'nightly' does) and iptables.
How do I route all my outbound traffic to the WireGuard client (which connects to my VPN provider) on the N2, and from there out into the vast sea of the internets?
Say;
openwrt is: 192.168.1.1
N2 is: 192.168.1.3
An Ethernet-connected SoC: 192.168.1.2
(MySSID)radio0 with various clients all in 192.168.1.x
And I have my OpenWrt router bridge-connected as a wireless client (WWAN/radio1) to an AP from my ISP.
Push a custom default gateway with DHCP options, or utilize policy-based routing.
Thanks for replying, could you expand your answer a bit?
By dhcp, do you suggest using the N2 as gateway... ?
How would you go about the policy routing?
The simplest method is to use the device which runs a VPN client as your default gateway.
You can change it on your current DHCP server with custom DHCP options as mentioned above.
Or you can disable the current DHCP server and delegate its role to your VPN client.
If it's this simple, dang I'm simple.
Thanks.
Well, my other DHCP clients were not at all impressed with my feat of getting WireGuard going on another device.
As I told them by:
uci add_list dhcp.lan.dhcg_option=3,192.168.42.3
uci commit dhcp
Where do I go from here?
The gateway for LAN clients should have an IP address from the LAN pool.
You should use the LAN IP address of the WG client.
Yes they are all on the same 192.168.99.0/24.
mittkonto:
dhcg_option
You have a typo here; it should be dhcp_option.
It does not match your settings from above:
mittkonto:
192.168.42.3
mittkonto:
192.168.1.x
Corrected.
Section: /etc/config/dhcp
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '100'
option limit '150'
option leasetime '15m'
list dhcp_option '6,192.168.42.1'
list dhcp_option '3,192.168.42.3'
Hm nope. On 192.168.1.3 I get:
wg0 inet addr:172.21.79.97
And it works:
I see my external IP by:
nslookup myip.opendns.com resolver1.opendns.com
And the grace of ping is bestowed upon me:
ping google.com
PING google.com (172.217.20.110): 56 data bytes
64 bytes from 172.217.20.110: seq=0 ttl=120 time=77.531 ms
trendy
July 31, 2020, 10:27am
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Without:
{
"kernel": "5.4.50",
"hostname": "ImAllOutOfLove",
"system": "Atheros AR7161 rev 2",
"model": "Netgear WNDR3700 v2",
"board_name": "netgear,wndr3700-v2",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r13768-f632747704",
"target": "ath79/generic",
"description": "OpenWrt SNAPSHOT r13768-f632747704"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'boinc/48'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.42.1'
option ifname 'eth0'
list dns '192.168.42.1'
config device 'lan_eth0_dev'
option name 'eth0'
option macaddr 'ImSoLostWithOutYou'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
config switch_port
option device 'switch0'
option port '1'
option led '6'
config switch_port
option device 'switch0'
option port '2'
option led '9'
config switch_port
option device 'switch0'
option port '5'
option led '2'
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.42.1'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'pci0000:00/0000:00:11.0'
option channel '10'
option country 'IKnowYouWereRightBelievingForSoLong'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'IamAllOutOfLoveWhatAmIWithoutYou'
option encryption 'psk2'
option key 'IcantBeToLateToSayIWasWrong'
option network 'lan'
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:12.0'
option htmode 'HT20'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'sta'
option ssid 'IWantYouToComeBackAndCarryMeHome'
option key 'AwayFromThisLongLonelyNights'
option encryption 'psk2'
option network 'wwan'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '0'
option localservice '1'
option rebind_protection '0'
option dnsforwardmax '9000'
option noresolv '1'
option localuse '1'
option cachesize '0'
list server '127.0.0.42#4242'
option confdir '/tmp/dnsmasq.d'
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '100'
option limit '150'
option leasetime '15m'
list dhcp_option '6,192.168.42.1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config hosts be here like ImReachingForYouAreYouFeelingItToo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.42.1/24 brd 192.168.42.255 scope global br-lan
valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.43.243/24 brd 192.168.43.255 scope global wlan0
valid_lft forever preferred_lft forever
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.243
192.168.42.0/24 dev br-lan proto kernel scope link src 192.168.42.1
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.243
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.42.0 dev br-lan table local proto kernel scope link src 192.168.42.1
local 192.168.42.1 dev br-lan table local proto kernel scope host src 192.168.42.1
broadcast 192.168.42.255 dev br-lan table local proto kernel scope link src 192.168.42.1
broadcast 192.168.43.0 dev wlan0 table local proto kernel scope link src 192.168.43.243
local 192.168.43.243 dev wlan0 table local proto kernel scope host src 192.168.43.243
broadcast 192.168.43.255 dev wlan0 table local proto kernel scope link src 192.168.43.243
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
With:
I guess it's the same, but:
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '100'
option limit '150'
option leasetime '15m'
list dhcp_option '6,192.168.42.1'
list dhcp_option '3,192.168.42.3'
trendy
July 31, 2020, 1:20pm
Remove that from lan and wwan; that list is for adding third-party nameservers reachable from those interfaces.
mittkonto:
list dns '192.168.42.1'
This is not needed; it advertises itself as the nameserver anyway.
Option 3 for the gateway is properly configured too. You can renew the DHCP lease on a LAN host and verify by checking its routing table.
Like so;
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'five/48'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.42.1'
option ifname 'eth0'
config device 'lan_eth0_dev'
option name 'eth0'
option macaddr 'cat'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
config switch_port
option device 'switch0'
option port '1'
option led '6'
config switch_port
option device 'switch0'
option port '2'
option led '9'
config switch_port
option device 'switch0'
option port '5'
option led '2'
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
And;
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '0'
option localservice '1'
option rebind_protection '0'
option dnsforwardmax '9000'
option noresolv '1'
option localuse '1'
option cachesize '0'
list server '127.0.0.42#4242'
option confdir '/tmp/dnsmasq.d'
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '100'
option limit '150'
option leasetime '15m'
list dhcp_option '6,192.168.42.1'
list dhcp_option '3,192.168.42.3'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config hosts here
?
trendy
July 31, 2020, 1:47pm
You may remove this, as it is the default behavior.
Other than that it looks fine.
mk24
July 31, 2020, 2:20pm
Leave it that way for testing, but you probably want to revisit the issue since it is a DNS leak: the clients still use the ISP's DNS, so the names of the sites they visit can be monitored by the ISP or anyone eavesdropping on the ISP line.
Still no go; I can't ping anything:
"kernel": "5.4.50",
"hostname": "Himma",
"system": "Atheros AR7161 rev 2",
"model": "Netgear WNDR3700 v2",
"board_name": "netgear,wndr3700-v2",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r13768-f632747704",
"target": "ath79/generic",
"description": "OpenWrt SNAPSHOT r13768-f632747704"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# Value looks redacted in this paste (a real ULA prefix is fdxx::/48) — ignore.
option ula_prefix 'f'
# Wired uplink on eth1. Per the `ip -4 ro` output further down the default route
# is via wlan0 (wwan), so this interface is presumably not the active uplink.
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
# LAN bridge: router is 192.168.42.1/24 on eth0 (switch ports + radio0 AP attach here).
# The earlier `list dns '192.168.42.1'` entry was dropped as advised in the thread.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.42.1'
option ifname 'eth0'
config device 'lan_eth0_dev'
option name 'eth0'
# MAC address redacted by the poster.
option macaddr 'e'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
option blinkrate '2'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5'
config switch_port
option device 'switch0'
option port '1'
option led '6'
config switch_port
option device 'switch0'
option port '2'
option led '9'
config switch_port
option device 'switch0'
option port '5'
option led '2'
# Wireless uplink (radio1 in sta mode joins it, see package wireless).
# peerdns '0': resolvers handed out by the ISP AP's DHCP are NOT installed on the router,
# so the router's own DNS path is only what package dhcp configures (the 127.0.0.42#4242
# forwarder). Whether LAN clients' lookups still reach the ISP therefore depends on what
# that forwarder does, which is not shown here.
config interface 'wwan'
option proto 'dhcp'
option peerdns '0'
package wireless
# 2.4 GHz radio: serves the home SSID, attached to the LAN bridge.
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'pci0000:00/0000:00:11.0'
option channel '10'
# Country code redacted in this paste.
option country 'Space'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'wrt'
option encryption 'psk2'
# Key shown empty because the poster redacted it; an actually empty key would not bring up a psk2 AP.
option key ''
option network 'lan'
# 5 GHz radio: station (client) towards the ISP's AP; this is the router's uplink (wwan).
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:12.0'
option htmode 'HT20'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'sta'
option ssid 'isp ap'
# Redacted, as above.
option key ''
option encryption 'psk2'
option network 'wwan'
package dhcp
# dnsmasq instance: DNS forwarder and DHCPv4 server for the LAN.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option nonwildcard '0'
# Only answer DNS queries from directly attached subnets.
option localservice '1'
# DNS rebind protection is OFF: upstream answers that map public names to private
# addresses are accepted. Unless there is a known reason for this, set it back to '1'
# and exempt only the domains that need it via rebind_domain.
option rebind_protection '0'
option dnsforwardmax '9000'
# noresolv '1' + an explicit server: resolv.conf (and any DHCP-learned ISP resolver) is
# ignored and every query is forwarded to a resolver on loopback, 127.0.0.42 port 4242
# (dnsmasq's ip#port syntax). What listens there is not shown in the thread; whether it
# sends queries through the VPN or straight to the ISP decides the "DNS leak" raised
# below, so verify that on the router itself.
option noresolv '1'
option localuse '1'
# Local cache disabled: every lookup goes to the forwarder above.
option cachesize '0'
list server '127.0.0.42#4242'
option confdir '/tmp/dnsmasq.d'
# LAN pool: 192.168.42.100-192.168.42.249 (start 100, limit 150), 15 minute leases.
config dhcp 'lan'
option interface 'lan'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '100'
option limit '150'
option leasetime '15m'
# DHCP option 3 (router): LAN clients get the WireGuard host 192.168.42.3 as default
# gateway. The earlier option 6 entry was removed; per the thread dnsmasq then
# advertises the router (192.168.42.1) itself as DNS server.
list dhcp_option '3,192.168.42.3'
# No DHCP service towards the upstream side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd handles DHCPv6/RA only; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static host entries trimmed from the paste.
config host
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.42.1/24 brd 192.168.42.255 scope global br-lan
valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.43.243/24 brd 192.168.43.255 scope global wlan0
valid_lft forever preferred_lft forever
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.243
192.168.42.0/24 dev br-lan proto kernel scope link src 192.168.42.1
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.243
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.42.0 dev br-lan table local proto kernel scope link src 192.168.42.1
local 192.168.42.1 dev br-lan table local proto kernel scope host src 192.168.42.1
broadcast 192.168.42.255 dev br-lan table local proto kernel scope link src 192.168.42.1
broadcast 192.168.43.0 dev wlan0 table local proto kernel scope link src 192.168.43.243
local 192.168.43.243 dev wlan0 table local proto kernel scope host src 192.168.43.243
broadcast 192.168.43.255 dev wlan0 table local proto kernel scope link src 192.168.43.243
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Where do you see it leaks, and to what ip?
The device that is to become the gateway has the following iptables rules:
/etc/iptables/home.v4
# home.v4: iptables-restore ruleset for the "trusted" home network profile.
# NOTE(review): this host is what the LAN's DHCP option 3 now points at as default
# gateway, yet nothing in this file mentions wg0 and the nat table is empty. With the
# FORWARD policy at DROP, packets from 192.168.42.0/24 arriving on the wired interface
# are discarded unless a rule accepts them — consistent with the "can't ping anything"
# symptom in the thread. (Exception: if Docker is running it hooks DOCKER-USER into
# FORWARD, and private-subnets below would then accept new flows from RFC 1918 sources
# on eth+/en+/wl+ — whether that is the case here is not visible.) net.ipv4.ip_forward
# is also not shown and must be enabled for any forwarding at all.
*filter
# Default-deny inbound and forwarded; traffic originating on the host is allowed out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# DOCKER-USER is the chain Docker reserves for administrator rules; private-subnets is a local helper chain.
:DOCKER-USER - [0:0]
:private-subnets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Any new UDP flow arriving on "tether" is accepted, on every port (no --dport limit).
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j private-subnets
# Forwarding is only permitted for flows entering on "tether" and their replies leaving
# through it. To act as VPN gateway for the LAN, the LAN-facing interface needs a path
# into the tunnel, e.g. (constructed example — adjust subnet/interface):
#   -A FORWARD -s 192.168.42.0/24 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
#   -A FORWARD -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tether -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j private-subnets
# private-subnets: accept established flows, then new flows from RFC 1918 sources on the
# listed interface patterns (wildcard "+" matches any suffix); everything else is rejected.
-A private-subnets -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
# Non-private sources and unlisted interfaces end here.
-A private-subnets -j REJECT --reject-with icmp-port-unreachable
COMMIT
# No NAT rules: anything forwarded into wg0 would keep its 192.168.42.x source address.
# Whether the VPN peer routes that subnet back, or a POSTROUTING MASQUERADE on wg0 is
# required, depends on the provider setup (not shown) — confirm before relying on it.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# mangle table left at defaults.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
/etc/iptables/public.v4
# Netfilter rules for public "untrusted" networks
# public.v4: stricter profile than home.v4 — inbound and forwarded traffic is only
# accepted from the "tether" interface, and Docker container traffic is refused.
# As in home.v4, there is no rule for wg0 and no NAT, so this profile does not make the
# host a usable VPN gateway for the LAN either.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow tethered Wifi AP
# New UDP on tether is accepted from any source and on any port; the TCP/other case below
# is limited to RFC 1918 sources (iptables expands the comma-separated -s list into one
# rule per address).
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
# Forwarding only for private-sourced flows entering on tether, plus replies leaving via it.
-A FORWARD -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block DOCKER
# Only already-established flows are handed back to Docker's own chains; every new
# flow traversing DOCKER-USER is rejected.
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -j REJECT --reject-with icmp-port-unreachable
COMMIT
# nat and mangle tables left at defaults (no masquerading anywhere).
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
And I can make my own and save it in:
/storage/.config/iptables/rules.v4 for ipv4