VPN killswitch with Local DNS Hijacking prevents the vpn from connecting

PatoPanSir · June 14, 2023, 7:48am

I didn't have an issue last time I set this up on my previous router. After that broke, I got a new one and tried to set it up and the kill switch is not working. I keep getting the error "Try again: `bos-298-wg.vpn.com:1194'. Trying again in 5.16 seconds" on the system log. The vpn works when the firewall zone is set to forward both wan and wgclient.

I used this guide to set it up and I also used my previous post which had the configuration of my previous router as reference

I had probably made a small mistake somewhere, but I can't tell what it is. is anyone able to point it out?

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3e:8f07:980e::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	list dns '192.168.2.15'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.2.15'

config interface 'wgclient'
	option proto 'wireguard'
	option private_key 'fsfsfsgsgss'
	list dns '192.168.2.15'
	list addresses '100.70.83.85/32'

config wireguard_wgclient
	option public_key '5HFJFJHDRG='
	option endpoint_host 'www.vpn.com'
	option endpoint_port '1194'
	option description 'Alaska'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option preshared_key 'TSFG='
	option route_allowed_ips '1'
	option persistent_keepalive '15'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wgclient'
	option masq '1'
	option mtu_fix '1'
	option output 'ACCEPT'
	list network 'wgclient'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config redirect 'dns_int'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option src_mac '!00:E0:4C:36:00:61'
	option name 'Redirect-DNS'
	option src_ip '!192.168.2.15'
	option dest_ip '192.168.2.15'

config ipset 'doh'
	option name 'doh'
	option family 'ipv4'
	option match 'net'
	option loadfile '/var/ipset-doh'

config rule 'doh_fwd'
	option name 'Deny-DoH'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv4'
	option ipset 'doh dest'
	option target 'REJECT'

config ipset 'doh6'
	option name 'doh6'
	option family 'ipv6'
	option match 'net'
	option loadfile '/var/ipset-doh6'

config rule 'doh6_fwd'
	option name 'Deny-DoH'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv6'
	option ipset 'doh6 dest'
	option target 'REJECT'

config rule 'dot_fwd'
	option name 'Deny-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'

config nat 'dns_masq'
	option name 'Masquerade-DNS'
	option src 'lan'
	option dest_ip '192.168.2.15'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'MASQUERADE'

config forwarding
	option src 'lan'
	option dest 'wgclient'

Note: I did accidentally share my private key. It's whatever, I deleted it from my vpn provider and got a new one.

pavelgl · June 14, 2023, 11:48am

It looks like you are using a FQDN to access your VPN provider.
It also appears that the router is only allowed to use 192.168.2.15 as a DNS server (this statement is false if you are using the wan and not the wwan interface).

When you disable lan=>wan forwarding, 192.168.2.15 cannot access the upstream DNS servers in order to resolve the VPN provider's FQDN to an IP address.

Try creating an exception rule like this:

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-DNS-to-WAN'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci add_list firewall.@rule[-1].proto='udp'
uci add_list firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src_ip='192.168.2.15'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'

mk24 · June 14, 2023, 1:01pm

Yes this is probably because DNS does not work before the VPN is up, and in order to bring the VPN up you need to DNS the name of the peer since it is configured as 'vpn.com'

If you're using a commercial VPN service, their IP is unlikely to change and you could enter it numerically.

PatoPanSir · June 14, 2023, 2:55pm

it had no effect

PatoPanSir · June 14, 2023, 2:55pm

If this is the case, is there a way I can allow the vpn to use another dns address to resolve it's address?

PatoPanSir · June 14, 2023, 3:01pm

it worked after I ran it through ssh instead of luci, no idea what I did wrong in luci

system · June 24, 2023, 3:02pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.

psherman · June 27, 2023, 11:31pm

PatoPanSir · June 28, 2023, 7:18am

When I changed peers and restarted my router I lost connection. To fix this, I also allowed the icmp protocol to the rule that Pavel provided.

This may be a requirement of Raspberry Pi OS or Pi-Hole (my dns resolver). For some reason if they can't ping a server, it believes it has no internet connection and it won't resolve addresses. My Pi-Hole uses upstream dns servers (as opposed to unbound) which may contribute to the issue.

iplaywithtoys · June 28, 2023, 9:29am

Do a before-and-after comparison of the change. See what looks different in LuCI, when making a change using SSH. It might be something glaringly obvious, or it might be something subtle that you weren't expecting.

PatoPanSir · June 28, 2023, 6:18pm

I didn't save it, and it's been a while. I don't think I can repeat the same mistake if I try it again now since it's human error (it's also possible I did it right, but I didn't add the icmp protocol). It's also possible that when I made the rule and I selected "any", even if I untoggled it, the port I specified was deleted and I didn't enter it again.

psherman · July 5, 2023, 6:18pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.