Routing all external traffic through vpn-client on different device?

You have a typo here; the option is named `dhcp_option`.

It does not match your settings from above:


Corrected.

Section: /etc/config/dhcp

# DHCP pool for the 'lan' interface: 150 addresses starting at .100, 15-minute
# leases, IPv6 handled via DHCPv6 + router advertisements.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        # DHCP option 6: clients are told to resolve names via this router.
        list dhcp_option '6,192.168.42.1'
        # DHCP option 3: the default gateway pushed to clients is the VPN client
        # host, not this router. NOTE(review): 192.168.42.3 itself must not take
        # this lease, or it will be told to route via itself.
        list dhcp_option '3,192.168.42.3'

Hm nope. On 192.168.1.3 I get:

wg0 inet addr:172.21.79.97 

And it works:
I see my external IP by:
nslookup myip.opendns.com resolver1.opendns.com
And ping works too:

ping google.com
PING google.com (172.217.20.110): 56 data bytes
64 bytes from 172.217.20.110: seq=0 ttl=120 time=77.531 ms

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords and Wi-Fi keys, MAC addresses and any public IP addresses you may have.

# Diagnostic dump requested for the forum: board/firmware info, the network,
# wireless and dhcp UCI configs, IPv4 addresses, every routing table and the
# policy-routing rules. Redact keys, MAC addresses and public IPs before posting.
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Without:

{
        "kernel": "5.4.50",
        "hostname": "ImAllOutOfLove",
        "system": "Atheros AR7161 rev 2",
        "model": "Netgear WNDR3700 v2",
        "board_name": "netgear,wndr3700-v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r13768-f632747704",
                "target": "ath79/generic",
                "description": "OpenWrt SNAPSHOT r13768-f632747704"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# ula_prefix value appears redacted in this paste (not a valid IPv6 prefix).
config globals 'globals'
        option ula_prefix 'boinc/48'

# Wired WAN port (eth1). Not the active uplink here: the default route in the
# routing dump below goes out via wlan0 ('wwan').
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

# LAN bridge: this router is 192.168.42.1/24 on eth0 (the 2.4 GHz AP joins the
# same bridge, see the wireless config).
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.42.1'
        option ifname 'eth0'
        # NOTE(review): 'list dns' is meant for additional upstream resolvers
        # reachable via this interface, not the router itself; the thread's
        # advice is to drop it.
        list dns '192.168.42.1'

# MAC override for eth0; value redacted in the paste.
config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr 'ImSoLostWithOutYou'

# Switch: one VLAN (1) over ports 0 1 2 3 5 — port 5 is presumably the CPU port,
# verify against the board's switch layout. The switch_port entries only map LEDs.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

# Wi-Fi uplink: DHCP client on the 5 GHz station interface (wireless 'wifinet2').
# peerdns '0' ignores the DNS servers advertised by the upstream AP.
config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        # NOTE(review): same remark as for 'lan' — this entry is superfluous.
        list dns '192.168.42.1'

package wireless

# 2.4 GHz radio (802.11g, channel 10). Country code is a redacted placeholder.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:11.0'
        option channel '10'
        option country 'IKnowYouWereRightBelievingForSoLong'

# Access point for the LAN bridge on the 2.4 GHz radio, WPA2-PSK.
# SSID and key are redacted placeholders in this paste.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IamAllOutOfLoveWhatAmIWithoutYou'
        option encryption 'psk2'
        option key 'IcantBeToLateToSayIWasWrong'
        option network 'lan'

# 5 GHz radio (802.11a, channel 36, HT20).
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:12.0'
        option htmode 'HT20'

# Station (client) interface joining the upstream AP; this is the uplink
# attached to the 'wwan' interface in /etc/config/network. Credentials redacted.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option ssid 'IWantYouToComeBackAndCarryMeHome'
        option key 'AwayFromThisLongLonelyNights'
        option encryption 'psk2'
        option network 'wwan'

package dhcp

# dnsmasq: noresolv '1' ignores /etc/resolv.conf, so every upstream query goes to
# the single 'server' entry — a local listener on 127.0.0.42 port 4242 (what runs
# there is not shown in this thread; it decides whether queries leave the box in
# the clear). cachesize '0' disables the local cache.
# NOTE(review): rebind_protection '0' switches off dnsmasq's DNS-rebinding guard;
# confirm that is intentional — it is only needed when the upstream legitimately
# returns private-range answers.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '0'
        option localservice '1'
        option rebind_protection '0'
        option dnsforwardmax '9000'
        option noresolv '1'
        option localuse '1'
        option cachesize '0'
        list server '127.0.0.42#4242'
        option confdir '/tmp/dnsmasq.d'

# DHCP pool for the LAN: 150 addresses from .100, 15-minute leases, DHCPv6 + RA.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        # Option 6: clients use this router as DNS server (the thread notes this
        # is dnsmasq's default anyway).
        list dhcp_option '6,192.168.42.1'

# No DHCP service on the wired WAN port.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6/RA; maindhcp '0' leaves IPv4 DHCP to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# The rest of the paste is garbled/redacted; static host entries, if any, are not shown.
config hosts be here like ImReachingForYouAreYouFeelingItToo

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.42.1/24 brd 192.168.42.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.43.243/24 brd 192.168.43.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.243
192.168.42.0/24 dev br-lan proto kernel scope link src 192.168.42.1
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.243
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.42.0 dev br-lan table local proto kernel scope link src 192.168.42.1
local 192.168.42.1 dev br-lan table local proto kernel scope host src 192.168.42.1
broadcast 192.168.42.255 dev br-lan table local proto kernel scope link src 192.168.42.1
broadcast 192.168.43.0 dev wlan0 table local proto kernel scope link src 192.168.43.243
local 192.168.43.243 dev wlan0 table local proto kernel scope host src 192.168.43.243
broadcast 192.168.43.255 dev wlan0 table local proto kernel scope link src 192.168.43.243
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

With:
I guess it's the same, but:

# LAN DHCP pool (150 addresses from .100, 15-minute leases, DHCPv6 + RA) with the
# gateway option added.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        # Option 6: DNS server = this router (redundant, dnsmasq advertises itself).
        list dhcp_option '6,192.168.42.1'
        # Option 3: default gateway = the VPN client host, not this router.
        list dhcp_option '3,192.168.42.3'

Remove the `list dns` entries from `lan` and `wwan`; that option is for adding third-party nameservers reachable via those interfaces, not for pointing at the router itself.

This `dhcp_option '6,...'` is not needed either: dnsmasq advertises itself as the nameserver by default.

Option 3 (gateway) is configured correctly. Renew the DHCP lease on a LAN host and verify it by checking that host's routing table.


Like so:
/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# ula_prefix value is a redacted placeholder.
config globals 'globals'
	option ula_prefix 'five/48'

# Wired WAN port (eth1); not the active uplink, the Wi-Fi 'wwan' below is.
config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

# LAN bridge, router address 192.168.42.1/24. The earlier 'list dns' entry has
# been removed as advised.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.42.1'
	option ifname 'eth0'

# MAC override for eth0; value redacted.
config device 'lan_eth0_dev'
	option name 'eth0'
	option macaddr 'cat'

# Switch: single VLAN 1 over ports 0 1 2 3 5; switch_port entries map LEDs only.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

# Wi-Fi uplink (5 GHz station): DHCP client, upstream-advertised DNS ignored.
config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'

And:
/etc/config/dhcp


# dnsmasq: noresolv '1' means the only upstream is the local listener at
# 127.0.0.42#4242 (service not shown in this thread); cache disabled.
# NOTE(review): rebind_protection '0' disables the DNS-rebinding guard —
# confirm this is intentional.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '0'
	option localservice '1'
	option rebind_protection '0'
	option dnsforwardmax '9000'
	option noresolv '1'
	option localuse '1'
	option cachesize '0'
	list server '127.0.0.42#4242'
	option confdir '/tmp/dnsmasq.d'

# LAN pool: 150 addresses from .100, 15-minute leases, DHCPv6 + RA.
config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '100'
	option limit '150'
	option leasetime '15m'
	# Option 6 (DNS = this router) is redundant; option 3 sends clients to the
	# VPN host as their default gateway.
	list dhcp_option '6,192.168.42.1'
	list dhcp_option '3,192.168.42.3'
	
# No DHCP on the wired WAN port.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd for DHCPv6/RA; IPv4 DHCP stays with dnsmasq (maindhcp '0').
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Truncated/redacted in the paste; static host entries are not shown.
config hosts here

?

You may remove this, as it is the default behavior.
Other than that it looks fine.


Leave it that way for testing, but you probably want to revisit this later since it is a DNS leak: the clients still resolve names via the router and its own uplink, outside the VPN tunnel, so unless that upstream path is itself encrypted, the names of the sites they visit can be monitored by the ISP or anyone eavesdropping on the ISP line.


Still no go, can't ping anything:

        "kernel": "5.4.50",
        "hostname": "Himma",
        "system": "Atheros AR7161 rev 2",
        "model": "Netgear WNDR3700 v2",
        "board_name": "netgear,wndr3700-v2",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r13768-f632747704",
                "target": "ath79/generic",
                "description": "OpenWrt SNAPSHOT r13768-f632747704"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# ula_prefix is redacted in this paste.
config globals 'globals'
        option ula_prefix 'f'

# Wired WAN port (eth1); the active uplink is the Wi-Fi 'wwan' below
# (default route via wlan0 in the routing dump).
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

# LAN bridge, router address 192.168.42.1/24; 'list dns' removed as advised.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.42.1'
        option ifname 'eth0'

# MAC override for eth0; value redacted.
config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr 'e'

# Switch: single VLAN 1 over ports 0 1 2 3 5; switch_port entries map LEDs only.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

# Wi-Fi uplink (5 GHz station): DHCP client, upstream-advertised DNS ignored.
config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'

package wireless

# 2.4 GHz radio (802.11g, channel 10); country code redacted.
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:11.0'
        option channel '10'
        option country 'Space'

# LAN access point on the 2.4 GHz radio, WPA2-PSK; key blanked for the paste.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'wrt'
        option encryption 'psk2'
        option key ''
        option network 'lan'

# 5 GHz radio (802.11a, channel 36, HT20).
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:12.0'
        option htmode 'HT20'

# Station interface joining the ISP's AP; provides the 'wwan' uplink. Key blanked.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option ssid 'isp ap'
        option key ''
        option encryption 'psk2'
        option network 'wwan'

package dhcp

# dnsmasq: noresolv '1' means the only upstream is the local listener at
# 127.0.0.42#4242 (service not shown here); local cache disabled.
# NOTE(review): rebind_protection '0' disables the DNS-rebinding guard —
# confirm this is intentional.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '0'
        option localservice '1'
        option rebind_protection '0'
        option dnsforwardmax '9000'
        option noresolv '1'
        option localuse '1'
        option cachesize '0'
        list server '127.0.0.42#4242'
        option confdir '/tmp/dnsmasq.d'

# LAN pool: 150 addresses from .100, 15-minute leases, DHCPv6 + RA. Option 6 has
# been dropped (dnsmasq advertises itself); option 3 makes the VPN host the
# clients' default gateway.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option limit '150'
        option leasetime '15m'
        list dhcp_option '3,192.168.42.3'

# No DHCP on the wired WAN port.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd for DHCPv6/RA; IPv4 DHCP stays with dnsmasq (maindhcp '0').
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Truncated in the paste; static host entries are not shown.
config host

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.42.1/24 brd 192.168.42.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.43.243/24 brd 192.168.43.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.243
192.168.42.0/24 dev br-lan proto kernel scope link src 192.168.42.1
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.243
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.42.0 dev br-lan table local proto kernel scope link src 192.168.42.1
local 192.168.42.1 dev br-lan table local proto kernel scope host src 192.168.42.1
broadcast 192.168.42.255 dev br-lan table local proto kernel scope link src 192.168.42.1
broadcast 192.168.43.0 dev wlan0 table local proto kernel scope link src 192.168.43.243
local 192.168.43.243 dev wlan0 table local proto kernel scope host src 192.168.43.243
broadcast 192.168.43.255 dev wlan0 table local proto kernel scope link src 192.168.43.243
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Where do you see it leaking, and to what IP?

The device that is to become the gateway (192.168.42.3) has the following iptables rules:
/etc/iptables/home.v4

# home.v4 — "trusted network" profile. INPUT and FORWARD default to DROP, OUTPUT
# is open. NOTE(review): the interface name 'tether' is specific to this host;
# the WireGuard interface (wg0) is not referenced anywhere in these rules.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:private-subnets - [0:0]
# Loopback and reply traffic are always accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Any new UDP flow arriving on 'tether' is accepted, regardless of source or port.
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
# Everything else on INPUT is decided by the private-subnets chain below.
-A INPUT -j private-subnets
# Forwarding is only allowed for flows entering on 'tether' (to any destination)
# and for replies going back out to 'tether'. NOTE(review): LAN clients'
# packets (192.168.42.0/24 arriving on eth*/wl*) bound for wg0 match neither
# rule and fall through to the FORWARD DROP policy, so this host cannot act as
# their gateway with these rules as they stand.
-A FORWARD -i tether -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# DOCKER-USER (consulted by Docker's own FORWARD rules, if Docker is present)
# applies the same private-source filter as INPUT.
-A DOCKER-USER -j private-subnets
# private-subnets: accept replies, accept NEW connections from RFC 1918 sources
# on wired (eth*/en*), wireless (wl*), 'tether' and docker* interfaces, reject
# everything else. There is no entry for wg+, so nothing arriving from the
# tunnel is accepted by this chain.
-A private-subnets -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i eth+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i en+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i wl+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i tether -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 10.0.0.0/8 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 172.16.0.0/12 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -s 192.168.0.0/16 -i docker+ -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -j REJECT --reject-with icmp-port-unreachable
COMMIT
# NAT table is empty: no MASQUERADE/SNAT in POSTROUTING. NOTE(review): for LAN
# clients to be carried through wg0, their source addresses must either be
# NATed here or be covered by the peer's AllowedIPs on the WireGuard server.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Mangle table: all chains open, no rules.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

/etc/iptables/public.v4

# Netfilter rules for public "untrusted" networks
# public.v4 — stricter profile: INPUT/FORWARD default to DROP and only the
# 'tether' interface is trusted. As in home.v4, wg0 is never referenced.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
# Loopback and reply traffic are always accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow tethered Wifi AP
# New UDP from anywhere on 'tether', plus any new connection from an RFC 1918
# source on 'tether'.
-A INPUT -i tether -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
# Forwarding only for private-source flows entering on 'tether' and replies
# back out to 'tether'. NOTE(review): as in home.v4, LAN traffic arriving on
# eth*/wl* destined for wg0 is dropped by the FORWARD policy.
-A FORWARD -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tether -s 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o tether -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Block DOCKER
# Only replies reach Docker-published ports; every new connection is rejected.
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -j REJECT --reject-with icmp-port-unreachable
COMMIT
# NAT table is empty — no MASQUERADE/SNAT for traffic leaving via the tunnel.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Mangle table: all chains open, no rules.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

And I can make my own and save it in:
/storage/.config/iptables/rules.v4 for ipv4

Do the LAN hosts have 192.168.42.3 as their default gateway?
Also one more thing: the `*nat` table in both rule files is empty — there is no MASQUERADE/SNAT rule in POSTROUTING for traffic leaving via the tunnel.

I doubt it will work without NAT.


DHCP will configure clients to send DNS requests to the main router, 192.168.42.1, which forwards them out via its own uplink — outside the tunnel. (In the config posted above, dnsmasq forwards to a local listener at 127.0.0.42#4242; whether the ISP can read the query text depends on what that listener is, but either way the lookups bypass the VPN.) Once the clients receive the DNS answer they will then access the site through the VPN client and tunnel.

As I said, this is OK for testing, because you don't want to change too many things at once. But you aren't getting the full privacy benefit of the VPN as long as DNS resolution runs outside the tunnel.

Look here.

Yes, they all get 192.168.42.3 as gateway through DHCP. Should I make 192.168.42.3 static and set its gateway to 192.168.42.1?

I can apparently define my own iptables rules on the device, so removing that roadblock should be doable; however, I am a novice.

No, the 42.3 is correct, just cross checking.

This is something you need to figure out, otherwise it won't work.
I didn't go through all the firewall rules to verify if something else is wrong or missing, but this was too obvious.

I'll just turn iptables off to get things going and take it from there. (Keep that to a short test window: with the DROP policies gone, the VPN host accepts connections on every interface.)

By the way, should I make 192.168.42.3 static? Or is it OK for it to get a lease that tells it to use itself as the gateway?

Of course the VPN client machine needs to be properly configured.

Its default route must be 192.168.42.1 so that it has a path to the raw Internet to reach the WireGuard server. If it takes a DHCP lease from the main router it would be misconfigured, because that lease now pushes 192.168.42.3 — the host itself — as the gateway.

It should have the typical split 0.0.0.0/1 + 128.0.0.0/1 routes installed via the tunnel (each more specific than the default route, so they take precedence) so that all Internet access except the WireGuard endpoint itself goes into the tunnel.

Masquerading (SNAT) needs to be enabled for traffic leaving through the tunnel interface; the `*nat` table in the rules posted above has no POSTROUTING rule at all.

Yes, I see my public wireguard ip from 192.168.42.3 and it uses the vpn for its traffic.