[Solved] Opkg update - Failed to send request: Operation not permitted

I'm sure there's something obvious I'm missing here, but I keep running into the following message when running opkg update on my OpenWRT device.

root@OpenWrt:/# opkg update
Downloading https://downloads.openwrt.org/snapshots/targets/sunxi/cortexa7/packages/Packages.gz
Failed to send request: Operation not permitted
*** Failed to download the package list from https://downloads.openwrt.org/snapshots/targets/sunxi/cortexa7/packages/Packages.gz

The device is connected to my computer via ethernet cable; my computer is connected to my router via wi-fi and using Windows Internet Connection Sharing to permit the OpenWRT device to reach the internet.

I can ping external domains (including openwrt.org and google.com) by name, so it doesn't seem to be a DNS issue.

Any ideas? UCI dhcp, firewall, and network information below.

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdc2:a9fb:043c::/48'
network.lan=interface
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.137.10'
network.lan.gateway='192.168.137.1'
network.lan.dns='8.8.8.8'

Opkg unable to pull from downloads.openwrt.org

1 Like

Strangely, I'm still getting the exact same error, though the downloads are being attempted over HTTP rather than HTTPS now. The device can still ping downloads.openwrt.org just fine.

1 Like

Disable IPv6 and DHCPv6 on the LAN interface.

1 Like

Seems like this should be straightforward, but how exactly can I do that? I've tried the following:

  • uci set network.lan.ipv6='off'
  • uci set dhcp.lan.dhcpv6='disabled'
  • uci delete network.globals.ula_prefix
  • sysctl -w net.ipv6.conf.all.disable_ipv6=1
  • echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

It still automatically configures an IPv6 address every time. Is there somewhere I'm missing?

Also delete this:

Then check:

ip address show; ip route show table all; ip rule show

I'd already deleted that actually, just forgot to include it in my last reply. Still got IPv6 showing up. Here's output from ip address show; ip route show table all; ip rule show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 02:81:d0:64:77:bf brd ff:ff:ff:ff:ff:ff
    inet 192.168.137.10/24 brd 192.168.137.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::81:d0ff:fe64:77bf/64 scope link
       valid_lft forever preferred_lft forever
default via 192.168.137.1 dev eth0
192.168.137.0/24 dev eth0 scope link  src 192.168.137.10
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.137.0 dev eth0 table local scope link  src 192.168.137.10
local 192.168.137.10 dev eth0 table local scope host  src 192.168.137.10
broadcast 192.168.137.255 dev eth0 table local scope link  src 192.168.137.10
fe80::/64 dev eth0  metric 256
local ::1 dev lo table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
local fe80::81:d0ff:fe64:77bf dev eth0 table local  metric 0
ff00::/8 dev eth0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1 Like

Scratch that – just got rid of IPv6 by changing network.lan.ipv6='off' to network.lan.ipv6='0'

Downside is that I'm still getting the Failed to send request: Operation not permitted error.

1 Like
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
nslookup downloads.openwrt.org 127.0.0.1; \
nslookup downloads.openwrt.org
root@OpenWrt:/# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
> nslookup downloads.openwrt.org 127.0.0.1; \
> nslookup downloads.openwrt.org
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 8.8.8.8
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      downloads.openwrt.org
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:      mirror-02.infra.openwrt.org
Address 1: 168.119.138.211
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Address 2: 2a01:4f8:251:321::2
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      downloads.openwrt.org
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Name:      mirror-02.infra.openwrt.org
Address 1: 168.119.138.211
downloads.openwrt.org   canonical name = mirror-02.infra.openwrt.org
Address 2: 2a01:4f8:251:321::2
1 Like

Okay, this isn't exactly "solved", but I decided to stop being lazy and just hook the OpenWRT device directly to my router rather than utilizing Windows Internet Connection Sharing. Of course it works perfectly now.

Still curious as to what was stopping OpenWRT from downloading things when it could freely ping external domains and all the HTTPS and IPv6 workarounds were applied.

@vgaetera Thanks so much for all the help and guidance on this weird little problem!

1 Like

This issue seems to be Windows-specific.
Might be related to an antivirus/antimalware software if any.

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.