Hello,
I'm still pretty new to OpenWrt (and to this forum) and I need some help with setting up DDNS alongside my WireGuard VPN from Mullvad.
I have 2 routers connected via LAN: one from my ISP (Vodafone Germany, cable connection, in case that is helpful), which is set to bridge mode, and the second is my Belkin RT3200 running OpenWrt (snapshot) with LuCI.
My primary goal was to set up a VPN on my router with Mullvad over WireGuard, using their instructions https://mullvad.net/de/help/running-wireguard-router/, and everything works fine.
A few weeks back I was planning to use some of my devices, like my little NAS, from outside my home network, so I asked my ISP for a public IP address and got one (dynamic).
After that I set up DDNS with DuckDNS, following their installation instructions for OpenWrt and on DuckDNS; the DDNS logfile shows that a connection was established (I also now see my public IP on DuckDNS).
But now I'm struggling with port forwarding. My guess is that my WireGuard connection is causing the problem, but I'm not sure, nor whether there are settings I have to change, like the firewall zones or something in the interface settings. I don't know what to change, since I'm not very familiar with this, so that's why I'm asking here for help.
The only thing I get when I try to connect to my domain while I'm inside my own network is:
Forbidden
Rejected request from RFC1918 IP to public server address
And from outside my network (via mobile data):
ERR_CONNECTION_TIMED_OUT
Here are my configs from the network, firewall, dhcp and ddns files (of course I removed sensitive information):
network:
# /etc/config/network as posted (sensitive values redacted by the author).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# LAN bridge over the four switch ports.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# The router's own LAN address is 192.168.1.1 — the same address the firewall's
# port-22 redirect in this post uses as dest_ip, i.e. that forward points at the router, not a NAS.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ipv6 '1'
# NOTE(review): 'option type bridge' on an interface section is legacy syntax; with DSA-era
# configs a bridge is declared in a 'config device' section (as br-lan is above). Confirm it is intended.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option type 'bridge'
option ipv6 '1'
# peerdns '0': ISP-supplied resolvers are ignored; dnsmasq uses the upstream listed in the dhcp config instead.
option peerdns '0'
# auto '0': wan6 is not brought up automatically.
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option auto '0'
option reqaddress 'try'
option reqprefix 'auto'
# Mullvad WireGuard tunnel. mtu 1280 avoids fragmentation inside the tunnel.
config interface 'WGINTERFACE'
option proto 'wireguard'
option private_key 'hidden'
list addresses '10.xx.xx.xx/32'
option force_link '1'
option mtu '1280'
# allowed_ips 0.0.0.0/0 together with route_allowed_ips '1' installs a default route for all
# IPv4 traffic through the tunnel.
# NOTE(review): with the default route inside the tunnel, replies to connections that arrive on
# 'wan' (the DDNS / port-forward path) are most likely routed back out through the tunnel instead of
# the WAN, which would explain ERR_CONNECTION_TIMED_OUT from outside. Confirm with the routing table;
# keeping WAN-originated sessions on the WAN needs policy-based routing, which this config does not have.
config wireguard_WGINTERFACE
option public_key 'hidden'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host '193.xx.xx.xx'
option endpoint_port '58120'
firewall:
# /etc/config/firewall as posted.
# Defaults apply where a zone does not override them; the wan and WGZONE zones below set input REJECT.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Both software and hardware flow offloading are enabled.
option flow_offloading '1'
option flow_offloading_hw '1'
# LAN zone: everything permitted.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: unsolicited traffic to the router is rejected, outbound is NATed (masq), TCP MSS is clamped (mtu_fix).
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt WAN input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Zone for the Mullvad tunnel: same posture as wan (input REJECT, masq, mtu_fix).
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WGINTERFACE'
# Port forward: port 22 (conventionally SSH) arriving on wan is DNATed to 192.168.1.1 — which is the
# router's own LAN address per the network config, not an internal host. No 'proto' is given, so it
# presumably applies to both TCP and UDP.
# NOTE(review): as written this exposes the router's own port 22 to the internet instead of reaching the
# NAS. If the NAS is the goal, dest_ip should be the NAS's LAN address. If router SSH from the WAN is really
# wanted, it is the management plane for the whole LAN: restrict it (key-only auth, source restriction)
# rather than leaving it open to any source.
# The "Rejected request from RFC1918 IP to public server address" seen from inside the LAN is, by its
# wording, the router's own web server (uhttpd's RFC1918 filter) answering on the public address — i.e. that
# request reached the router itself on the web port, not this port-22 forward. Confirm in the uhttpd config.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'DuckDNS'
option src 'wan'
option src_dport '22'
option dest_ip '192.168.1.1'
# Explicit accept for the same wan->lan port 22. A DNAT redirect normally generates its own accept in
# fw4, so this rule is likely redundant — harmless, but confirm.
config rule
option name 'DuckDNS'
option src 'wan'
option dest 'lan'
option dest_port '22'
option target 'ACCEPT'
# LAN may forward into the tunnel zone. There is no wan->lan forwarding and nothing from wan into
# WGZONE; the port-22 redirect above is the only inbound path from wan.
config forwarding
option src 'lan'
option dest 'WGZONE'
dhcp:
# /etc/config/dhcp as posted.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection '1': dnsmasq discards upstream answers that resolve to private (RFC1918) addresses —
# standard DNS-rebinding protection. This is unrelated to the "Rejected request from RFC1918 IP" message
# in the post, which comes from the router's web server, not dnsmasq.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
# Upstream resolver for dnsmasq: 10.64.0.1 — presumably the Mullvad resolver from their guide (confirm);
# it is only reachable while the tunnel is up.
list server '10.64.0.1'
# strictorder '1': upstream servers are queried in the order listed.
option strictorder '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
# DHCP option 6 hands clients 10.64.0.23 directly as their DNS server, so LAN clients bypass dnsmasq on
# the router; presumably also a Mullvad resolver — confirm. force '1': serve DHCP on this interface even
# if another DHCP server is detected on the segment.
list dhcp_option '6,10.64.0.23'
option force '1'
# No DHCP service on the wan side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# maindhcp '0': dnsmasq, not odhcpd, is the DHCPv4 server.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
ddns:
# /etc/config/ddns as posted (token redacted).
config ddns 'global'
option ddns_dateformat '%F %R'
option ddns_loglines '250'
option ddns_rundir '/var/run/ddns'
option ddns_logdir '/var/log/ddns'
config service 'duckdns'
option enabled '1'
# update_url template: [USERNAME], [PASSWORD] and [IP] are placeholders filled from the options below.
# use_https '1' (further down) makes ddns-scripts send the update over HTTPS even though the template
# says http://, verifying the server against the CA bundle given in 'cacert'.
option update_url 'http://www.duckdns.org/update?domains=[USERNAME]&token=[PASSWORD]&ip=[IP]'
option lookup_host 'mydomain.duckdns.org'
option use_ipv6 '0'
option domain 'mydomain.duckdns.org'
option username 'mydomain'
option password 'hidden'
# The public IP is read from the address of the 'wan' interface (ip_source network / ip_network wan),
# which matches the log excerpt ("detected on network 'wan'").
option ip_source 'network'
option interface 'wan'
option use_syslog '2'
# Check every 10 minutes (the "Waiting 600 seconds" in the log); forced update every 72 hours.
option check_interval '10'
option check_unit 'minutes'
option force_interval '72'
option force_unit 'hours'
option retry_unit 'seconds'
option ip_network 'wan'
option use_https '1'
option cacert '/etc/ssl/certs/cacert.pem'
And a part of the ddns logfile:
200506 : Detect registered/public IP
200506 : #> /usr/bin/nslookup mydomain.duckdns.org >/var/run/ddns/duckdns.dat 2>/var/run/ddns/duckdns.err
200507 : Registered IP '95.xx.xx.xx' detected
200507 info : Rerun IP check at 2023-09-13 20:05
200507 : Detect current IP on 'network'
200507 : Current IP '95.xx.xx.xx' detected on network 'wan'
200507 : Waiting 600 seconds (Check Interval)
I hope that someone can help me out with this; I would be very thankful, and if necessary I can surely give out more information.