I have a Fritzbox 6660 as my main router (I need the cable connection for my ISP).
In another room I have the GL-MT6000, flashed with OpenWrt. I connected the GL-MT6000 to my main router over Wi-Fi (not LAN!) in Mode: Client.
My goal is that all traffic from devices connected to the GL-MT6000, whether via LAN or Wi-Fi, goes through a VPN (AirVPN), while devices connected directly to the Fritzbox don't use any VPN.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I changed everything accordingly — at least I think so (I had to start over because I messed up). Now I cannot access the Internet any longer, neither via Wi-Fi nor LAN; I can only reach the OpenWrt device itself.
I ran your commands again:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@OpenWrt:~# cat /etc/config/network
# /etc/config/network as posted. Lines starting with '#' are review notes;
# every configuration line is unchanged from the original paste.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# ULA prefix used for the LAN's IPv6 addresses (see ip6assign on 'lan' below).
config globals 'globals'
option ula_prefix 'fd22:cf41:ae7a::/48'
# All five switch ports are bridged into br-lan.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
# Per-port MAC overrides; MACs are redacted, which is correct for a public post.
config device
option name 'lan1'
option macaddr 'xxx'
config device
option name 'lan2'
option macaddr 'xxx'
config device
option name 'lan3'
option macaddr 'xxx'
config device
option name 'lan4'
option macaddr 'xxx'
config device
option name 'lan5'
# NOTE(review): the closing quote is missing on the next line. Presumably a slip
# while redacting the MAC for the post, but if it really is in the file, uci will
# refuse to parse the section — check with `uci show network`.
option macaddr 'xxx
# LAN side: 192.168.1.1/24. ip6assign '60' only hands out ULA (fd22:...) addresses
# unless an upstream prefix is delegated; the tunnel below has only a single /128,
# so there is nothing to delegate and IPv6 through the tunnel needs NAT66
# (masquerading on the vpn firewall zone), as a later reply in the thread notes.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth1'
option macaddr 'xxx'
# wan/wan6 sit on eth1, but the thread says the uplink is the Wi-Fi client (wwan),
# so these two interfaces never come up — DNS settings placed on them have no
# effect (see the replies further down).
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
# wwan is the real uplink (bound by the 'sta' wifi-iface in /etc/config/wireless).
# It is IPv4 only: there is no companion interface with proto 'dhcpv6' on the
# same wireless device, so the router never requests an upstream IPv6 address.
# That is the likely reason for "no IPv6 even before adding the VPN" — a first
# step would be a 'wwan6' interface (proto 'dhcpv6', device '@wwan');
# TODO confirm with `ip -6 addr` and `ip -6 route show`.
config interface 'wwan'
option proto 'dhcp'
# AirVPN WireGuard tunnel. The private key and the assigned tunnel addresses are
# secrets/identifiers and are rightly redacted. The 'dns' entries are only handed
# to netifd (and thus to dnsmasq via resolv.conf.auto) while the tunnel is up.
config interface 'AirVpn'
option proto 'wireguard'
option private_key 'xxx='
list addresses 'xxx/32'
list addresses 'xxx/128'
list dns 'xxx'
list dns 'xxx::1'
# Peer: allowed_ips 0.0.0.0/0 + ::/0 together with route_allowed_ips '1' install
# default routes through the tunnel once it is up — for the router's own traffic
# as well as forwarded LAN traffic. The endpoint is a hostname, so it must be
# resolvable *before* the tunnel exists, i.e. through a resolver reachable
# outside the tunnel (this is the chicken-and-egg problem discussed later in the
# thread). The preshared_key is a secret; keep it redacted.
config wireguard_AirVpn
option description 'Imported peer configuration'
option public_key 'xxx='
option preshared_key 'xxx='
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option persistent_keepalive '25'
option endpoint_host 'xxx.vpn.airdns.org'
option endpoint_port '1637'
option route_allowed_ips '1'
root@OpenWrt:~# cat /etc/config/wireless
# /etc/config/wireless as posted. Lines starting with '#' are review notes;
# every configuration line is unchanged from the original paste.
# 2.4 GHz radio, currently disabled. (No 'country' here, unlike radio1.)
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option channel '1'
option band '2g'
option htmode 'HE20'
option disabled '1'
# NOTE(review): this AP is an OPEN network ('encryption none') bridged straight
# into 'lan'. It is dormant only because radio0 is disabled above; enabling the
# 2.4 GHz radio later would expose the LAN — and the VPN egress — to anyone in
# range. Either delete this section or give it the same 'sae' + key as
# default_radio1 (and ideally its own `option disabled '1'`).
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
# 5 GHz radio — enabled (no 'disabled' option), regulatory domain DE.
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option channel '36'
option band '5g'
option htmode 'HE80'
option country 'DE'
option cell_density '0'
# LAN-side AP: WPA3-SAE — good. The passphrase is redacted.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'sae'
option key 'xxx'
# Upstream link to the Fritzbox (station mode, WPA2-PSK), feeding 'wwan'.
# AP and STA share radio1: the AP has to follow whatever channel the Fritzbox
# uses (the 'channel 36' above is then not authoritative) and, in the usual
# OpenWrt behaviour, does not come up until the STA has associated — worth
# remembering when the symptom is "no Wi-Fi at all". TODO confirm on this build.
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'sta'
option network 'wwan'
option ssid 'xxx'
option encryption 'psk2'
option key 'xxx'
root@OpenWrt:~# cat /etc/config/dhcp
# /etc/config/dhcp as posted. Lines starting with '#' are review notes;
# every configuration line is unchanged from the original paste.
# rebind_protection, localservice and nonwildcard are sensible; keep them.
# Upstream resolvers come from 'resolvfile' (/tmp/resolv.conf.d/resolv.conf.auto),
# i.e. whatever each active interface hands to netifd: the Fritzbox/ISP resolver
# from wwan's DHCP lease, plus AirVPN's resolvers while the tunnel is up.
# dnsmasq may use any of them, which matches the mixed ISP + VPN resolvers seen
# on ipleak.net later in the thread. Either pin the upstreams here
# (`option noresolv '1'` plus `list server '...'`) — bearing in mind that the
# WireGuard endpoint hostname must still resolve before the tunnel exists, so at
# least one resolver has to be reachable outside the tunnel — or, as suggested in
# the thread, give wwan a public resolver instead of the ISP one.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
# DHCPv4/DHCPv6/RA server on the LAN bridge, 192.168.1.100-249, 12 h leases.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# DHCP/DNS disabled on 'wan' (eth1). There is no matching section for 'wwan', the
# interface that actually faces the Fritzbox; a `config dhcp 'wwan'` with
# `option ignore '1'` would make that explicit. The firewall's wan zone rejects
# input, so nothing should be reachable on wwan today — verify with `netstat -lnp`.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
# /etc/config/firewall as posted. Lines starting with '#' are review notes;
# every configuration line is unchanged from the original paste.
# Defaults: reject-by-default for input and forward, SYN-flood protection on. Good.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# LAN zone: fully trusted.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# VPN zone on the WireGuard interface. There is no 'masq' (nor 'masq6') and no
# 'mtu_fix' here, so LAN traffic forwarded into the tunnel keeps its 192.168.1.x
# source address; the tunnel only carries the assigned /32 and /128, so replies
# never come back — most likely why "I cannot access the Internet any longer"
# at this point. `option masq '1'` (and `option masq6 '1'` for IPv6, as a later
# reply adds) plus `option mtu_fix '1'` on this zone is the usual fix.
# input REJECT is right: nothing from the VPN provider's side should reach the
# router itself.
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'AirVpn'
# WAN zone covers eth1 (wan/wan6, unused) and the Wi-Fi uplink (wwan).
# Note there is NO 'forwarding' from lan to wan below — only lan -> vpn — so if the
# tunnel drops, LAN clients cannot fall back to the ISP. That is the kill switch
# the goal statement asks for; keep it that way and do not add a lan -> wan
# forwarding "to fix" an outage. The router's own tunnel and DNS traffic is
# output, not forward, and is unaffected by this.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
# The rules below look like the stock OpenWrt set (DHCP renew, ping, IGMP,
# DHCPv6, MLD, ICMPv6). Because 'wan' here is the Fritzbox's home LAN, Allow-Ping
# only exposes the router to that LAN — acceptable.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Allow-IPSec-ESP / Allow-ISAKMP accept forwarded ESP and UDP/500 from wan into
# lan. They appear to be OpenWrt defaults; harmless behind masquerading, but they
# can be removed if no IPsec client lives on the LAN.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# The only forwarding in the file: lan -> vpn. All LAN/Wi-Fi client traffic goes
# through the tunnel; nothing can bypass it towards wan.
config forwarding
option src 'lan'
option dest 'vpn'
@psherman That worked! Now there are two problems left:
IPv6 doesn't work. When I visit ipleak.net, I only see an IPv4 address. This isn't due to the VPN, since I only saw an IPv4 address even before adding the VPN interface. When I connect directly to my Fritzbox, I see an IPv6 address as well.
While the IPv4 address shown on ipleak.net is the VPN's, the DNS servers listed include both my ISP's and the VPN's — even though I set a custom DNS server (172.16.0.1) on the wan and wan6 interfaces. Might this be due to the Fritzbox?
DNS settings on wan/wan6 have no effect because those interfaces aren't active (your connectivity comes via wwan). You must have a non-VPN DNS server available so the system can resolve the VPN endpoint hostname in the first place, before the tunnel exists. But you can use a public DNS server instead of your ISP's.
AirVPN supports IPv6. When I connect to my Fritzbox without the VPN, I have an IPv6 address. When I use AirVPN via WireGuard on my PC and connect to my Fritzbox, I also have an IPv6 address. So there must be a specific reason why my current router setup doesn't support IPv6?
That makes sense. I set custom DNS server of the wwan to 172.16.0.1 and DNS leaks are gone.
For WireGuard IPv6 you also have to enable IPv6 masquerading on the WireGuard firewall zone.
Furthermore, you either have to disable source routing or — easier — use these as allowed IPs instead of ::/0:
8000::/1 and ::/1
@egc I activated IPv6 Masquerading for vpn and wan interfaces and changed allowed ips to: 0.0.0.0/0, 8000::/1, ::/1.
Changed nothing unfortunately. Still no IPv6 according to ipleak.net. Any logs / configs you'd like to see?
@psherman I previously stated that I set the custom DNS server of wwan to 172.16.0.1 and that the DNS leaks were gone since. However, this caused trouble whenever I restarted network services or rebooted: I couldn't access web pages any longer, so DNS wasn't working. I had to change it back to "Use DNS servers advertised by peer". However, since I just installed AdGuard I saw that there is an option for DNS Forwards under DHCP and DNS. When I add the AirVPN DNS there, everything works fine. Actually, now I use AdGuard DNS there and add the AirVPN DNS in AdGuard. Is that the proper way to do it? Any idea why setting the DNS on the wwan interface led to trouble?
@psherman Ah, I see. I didn't understand that at first. Thanks so much for your help! I learned a lot today. Any idea what I can do to properly handle IPv6?
The traffic necessary to form and maintain the tunnel comes from the device itself. It always has the ability to route to the WAN (unless explicitly blocked).
That DNS server (172.16.0.1) is probably not publicly reachable — only once the tunnel is up. (There is no need to redact private addresses, e.g. the WireGuard tunnel addresses; that only makes troubleshooting harder.)
But for the tunnel to come up in the first place, you need working DNS resolution for the endpoint hostname.
You only need to activate IPv6 masquerading (masq6) on the WireGuard zone, not on the WAN zone.
Reboot afterwards and check again.
Do you have proper ipv6 if the vpn is disabled?
If it does not work, please post your settings again together with the output of `wg show` and `ip -6 route show`.