From 4449ae0a5cb476f8a32415f9839c449fa95f0e8b Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Mon, 22 Mar 2021 15:33:45 +0100 Subject: [PATCH 1/4] Some bibliography about Unbound and OpenWRT --- README.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4b1b43f..73f63ce 100644 --- a/README.md +++ b/README.md @@ -207,6 +207,12 @@ verbose call end reason (3,2001): [cm] no-service ## Final Modem Configuration +### Generic + + 1. Set a password + 2. Set a name: `parangon` + 3. Set IP range: `192.168.0.254/24` + ### ModemManager We append the following to ModemManager: @@ -234,7 +240,7 @@ ping -6 openwrt.org ### Configure Zones -*Not yet written* +Add our broadband interface to the WWAN zone. ### Configure Wireguard @@ -246,7 +252,21 @@ ping -6 openwrt.org ### Configure our DNS recursive resolver -*Not yet written* +Related with OpenWRT: + - https://openwrt.org/docs/guide-user/services/dns/unbound + - https://openwrt.org/docs/guide-user/services/dns/dot\_unbound + - https://forum.openwrt.org/t/using-unbound-alongside-dnsmasq/50537 + - https://gist.github.com/kevinoid/00656e6e4815e3ffe25dabe252e0f1e3 + - https://kevinlocke.name/bits/2017/03/09/unbound-with-dnsmasq-on-openwrt/ + - https://blog.josefsson.org/tag/openwrt/ + - http://kacangbawang.com/say-bye-to-providers-dns-servers-be-your-own-dns-resolver/ + - https://zhmail.com/2018/04/20/setting-up-a-dns-over-tls-forwarding-cache-on-openwrt-snapshot-r6693-or-later/ + - https://www.dnssec-deployment.org/2012/03/a-validating-recursive-resolver-on-a-70-home-router/ + - https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ + +Not related with OpenWRT: + - https://calomel.org/unbound_dns.html + - https://feeding.cloud.geek.nz/posts/setting-up-your-own-dnssec-aware/ Sites to test: - sci-hub.se (`ping sci-hub.se` should not return `127.0.0.1`) From fac53e9fb376717f7d6ae49e58ed3aec3fb0600a Mon Sep 17 00:00:00 2001 
From: Quentin Dufour Date: Mon, 22 Mar 2021 18:22:29 +0100 Subject: [PATCH 2/4] Improve README --- README.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 73f63ce..23dbe08 100644 --- a/README.md +++ b/README.md @@ -252,6 +252,18 @@ Add our broadband interface to the WWAN zone. ### Configure our DNS recursive resolver +We use LuCi to setup our recursive DNS + +Go to Network -> DHCP and DNS -> Advanced Settings -> Set port 5353 for the DNS server +Go to Service -> Recursive DNS -> Unbound -> DHCP -> and select dnsmasq +Go to System -> Startup -> Start unbound +Check in Service -> Recursive DNS -> Files -> Show: Unbound -> at the end, forward-zone must be declared for you +Check with `netstat -tlpn` that unbound listens on port 53 and dnsmasq on port 5353. +Finally check with `dig +short @192.168.1.1 sci-hub.se` and `dig +short @192.168.1.1 parangon.lan` (this is the name of our router) + +We use: + - http://kacangbawang.com/say-bye-to-providers-dns-servers-be-your-own-dns-resolver/ + Related with OpenWRT: - https://openwrt.org/docs/guide-user/services/dns/unbound - https://openwrt.org/docs/guide-user/services/dns/dot\_unbound @@ -259,7 +271,6 @@ Related with OpenWRT: - https://gist.github.com/kevinoid/00656e6e4815e3ffe25dabe252e0f1e3 - https://kevinlocke.name/bits/2017/03/09/unbound-with-dnsmasq-on-openwrt/ - https://blog.josefsson.org/tag/openwrt/ - - http://kacangbawang.com/say-bye-to-providers-dns-servers-be-your-own-dns-resolver/ - https://zhmail.com/2018/04/20/setting-up-a-dns-over-tls-forwarding-cache-on-openwrt-snapshot-r6693-or-later/ - https://www.dnssec-deployment.org/2012/03/a-validating-recursive-resolver-on-a-70-home-router/ - https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/ 
@@ -277,6 +288,10 @@ Sites to test: Test with Youtube on Android. +## Known Bugs + +section\_id is not defined: https://forum.openwrt.org/t/updated-cant-fetch-latest-git-error-when-creating-interface-with-luci-section-id-is-not-defined/91836/3 + ## Logs uboot logs: From 75ab8b78421d23d62a0a69c94abb6e02e74afac1 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Mon, 22 Mar 2021 18:37:55 +0100 Subject: [PATCH 3/4] Add wireguard guide --- README.md | 43 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 23dbe08..62beda3 100644 --- a/README.md +++ b/README.md 
@@ -244,11 +244,48 @@ Add our broadband interface to the WWAN zone. ### Configure Wireguard -*Not yet written* +On the router: -### Configure SQS +```bash +mkdir /tmp/x +cd /tmp/x +umask go= +wg genkey | tee wgclient.key | wg pubkey > wgclient.pub +wg genpsk > wgclient.psk -*Only if required, not yet written* +uci add_list firewall.wan.network="vpn" +uci commit firewall +/etc/init.d/firewall restart + +uci set network.vpn="interface" +uci set network.vpn.proto="wireguard" +uci set network.vpn.private_key="$(cat /tmp/x/wgclient.key)" +uci add_list network.vpn.addresses="192.168.2.3/24" + +uci set network.wgserver="wireguard_vpn" +uci set network.wgserver.public_key="$(cat /tmp/x/wgclient.pub)" +uci set network.wgserver.preshared_key="$(cat /tmp/x/wgclient.psk)" +uci set network.wgserver.endpoint_host="rayonx.machine.deuxfleurs.fr" +uci set network.wgserver.endpoint_port="51820" +uci set network.wgserver.route_allowed_ips="1" +uci set network.wgserver.persistent_keepalive="25" +uci add_list network.wgserver.allowed_ips="0.0.0.0/0" +uci add_list network.wgserver.allowed_ips="::/0" +uci commit network + +# update server's configuration + +ifup vpn +``` + +Doc: + + - https://openwrt.org/docs/guide-user/services/vpn/wireguard/basics + - https://openwrt.org/docs/guide-user/services/vpn/wireguard/client + +### Configure SQM + +*Not relevant now* ### Configure our DNS recursive resolver From 41a833a2dbd8f4522f0742e44425a45b133f8b7b Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Mon, 22 Mar 2021 18:43:26 +0100 Subject: [PATCH 4/4] Simplify VPN config --- README.md | 41 +++++++++++++++++------------------------ 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 62beda3..15213f5 100644 --- a/README.md +++ b/README.md @@ -231,6 +231,8 @@ Then we can start the interface with: ifup broadband ``` +Add our broadband interface to the WAN zone in the firewall. + Both IPv6 and IPv4 should work: ``` 
@@ -238,9 +240,6 @@ ping openwrt.org ping -6 openwrt.org ``` -### Configure Zones - -Add our broadband interface to the WWAN zone. ### Configure Wireguard @@ -252,30 +251,24 @@ cd /tmp/x umask go= wg genkey | tee wgclient.key | wg pubkey > wgclient.pub wg genpsk > wgclient.psk +``` -uci add_list firewall.wan.network="vpn" -uci commit firewall -/etc/init.d/firewall restart +Add to `/etc/config/network` -uci set network.vpn="interface" -uci set network.vpn.proto="wireguard" -uci set network.vpn.private_key="$(cat /tmp/x/wgclient.key)" -uci add_list network.vpn.addresses="192.168.2.3/24" +``` +config interface 'wg0' + option proto 'wireguard' + list addresses '192.168.2.3' + option private_key '???' -uci set network.wgserver="wireguard_vpn" -uci set network.wgserver.public_key="$(cat /tmp/x/wgclient.pub)" -uci set network.wgserver.preshared_key="$(cat /tmp/x/wgclient.psk)" -uci set network.wgserver.endpoint_host="rayonx.machine.deuxfleurs.fr" -uci set network.wgserver.endpoint_port="51820" -uci set network.wgserver.route_allowed_ips="1" -uci set network.wgserver.persistent_keepalive="25" -uci add_list network.wgserver.allowed_ips="0.0.0.0/0" -uci add_list network.wgserver.allowed_ips="::/0" -uci commit network - -# update server's configuration - -ifup vpn +config wireguard_wg0 + option public_key '???' + option description 'rayonx' + option persistent_keepalive '25' + option endpoint_port '51820' + list allowed_ips '192.168.2.0/24' + option route_allowed_ips '1' + option endpoint_host 'rayonx.machine.dufour.io' ``` Doc:
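Review bot: in the PATCH 1/4 hunk that adds the Unbound bibliography under `### Configure our DNS recursive resolver`, the entry `https://openwrt.org/docs/guide-user/services/dns/dot\_unbound` carries a backslash-escaped underscore inside a bare URL; Markdown autolinking does not always reach past the backslash, so the link may render broken. Write the URL unescaped (`dot_unbound`) or wrap it in angle brackets or a `[text](url)` link, as the other entries in the same list already render without escapes.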
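Review bot: in the PATCH 2/4 hunk that adds the LuCI steps for the recursive resolver, the verification commands query `dig +short @192.168.1.1 ...`, while the `### Generic` section added in PATCH 1/4 sets the router's range to `192.168.0.254/24`; one of the two addresses should be corrected, otherwise the check does not hit this router. In the same hunk, `netstat -tlpn` only lists TCP listeners, but DNS lookups are mostly UDP; use `netstat -tulpn` so that the intended split (unbound on 53, dnsmasq moved to 5353) is confirmed for both protocols. It would also help to state the reason for the port swap in one sentence: unbound becomes the authoritative listener on 53 and is expected to forward local names to dnsmasq on 5353, which is what the `forward-zone` check in the next step is verifying.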
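Review bot: in the PATCH 3/4 WireGuard hunk, the peer section is configured with the router's own public key: `uci set network.wgserver.public_key="$(cat /tmp/x/wgclient.pub)"`. The `public_key` of a `wireguard_vpn` peer section has to be the server's public key; `wgclient.pub` is the value that must be installed on the server side, which is exactly the step hidden behind the bare `# update server's configuration` comment. Replace that comment with the actual instruction (copy `wgclient.pub` and `wgclient.psk` to the server's peer entry) and point `public_key` at the server's key, otherwise the handshake can never complete. `umask go=` before the key generation is the right call; consider also removing `/tmp/x` once `uci commit network` has stored the keys, since the hunk leaves the private key and PSK behind in clear text.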
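Review bot: in the PATCH 4/4 hunk that replaces the `uci` script with a static `/etc/config/network` fragment, `wg genpsk > wgclient.psk` is kept but the preshared key is no longer referenced anywhere (the `preshared_key` setting was dropped with the uci lines); either add `option preshared_key` to `config wireguard_wg0` or remove the genpsk line so the guide is not generating a key it never uses. The same hunk deletes `uci add_list firewall.wan.network="vpn"` and the firewall restart without saying which firewall zone the renamed `wg0` interface belongs to, and the preceding hunk removes the `### Configure Zones` section, so zone assignment for the tunnel is now undocumented; add a sentence naming the zone, as the new "Add our broadband interface to the WAN zone in the firewall." line does for the broadband interface. Finally, `option private_key '???'` and `option public_key '???'` are committed placeholders; spell out that the first is the content of `wgclient.key` from the script above and the second is the server's public key (not `wgclient.pub`), so that readers do not repeat the key mix-up from PATCH 3/4.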