IP sets in OpenWrt 22.03

OpenWrt has recently released version 22.03, and one of the biggest changes is the switch to nftables.

I’ve noticed, though, that nftables doesn’t use ipsets as I was used to; instead it has a new concept of sets inside the nftables ruleset.

I wanted to create a firewall rule to filter a list of IPs fetched from a URL; however, the integration was not as straightforward as with iptables, so I ended up creating this solution.

[Read More]

Static DHCPv6 leases in OpenWrt

I’ve updated my router’s firmware to the latest version of OpenWrt, and there are great improvements everywhere. The one I like most is the overhaul of the IPv6 configuration, with the new daemon odhcpd and automatic prefix delegation. You can consult the details in the wiki.

However, I found one caveat when trying to configure a client to have a static DHCPv6 lease. After asking in the forums, I found the solution: first, the client has to obtain an IP by DHCPv6, so that the client’s DUID gets registered in /var/hosts/odhcpd. Then the DUID has to be added to /etc/config/dhcp.

[Read More]

IPsec server in OpenWrt

NOTE: Please, check this updated post about this topic.

I have configured an IPsec server in my OpenWrt router to use from my Android device when I am connected to an untrusted network. Previously I used OpenVPN, but it drains too much battery, so I want to test whether this solution, which is integrated in Android, works better.

I have taken the configuration from the OpenWrt Wiki.

[Read More]

Fix failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

After installing Unbound in an OpenWrt router, I noticed that after a reboot the DNS was not working. I saw many of these errors in the log:

failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

I discovered that the system date was wrong. As this device lacks a hardware clock, when the machine boots it cannot synchronize the time by NTP because there is no resolver (Unbound doesn’t start because the date validation of the ICANN certificate fails). It’s a chicken-and-egg problem.

[Read More]

Configure Unbound DNSSEC resolver in OpenWrt

After realizing that my ISP (ONO) was hijacking the NXDOMAIN DNS responses, I decided to improve the security of the DNS queries for my entire LAN using DNSSEC.

I chose to replace dnsmasq with Unbound in my OpenWrt router. These are the steps I followed.

First I installed the required packages:

# opkg update
# opkg install unbound unbound-anchor unbound-control unbound-control-setup unbound-host

As dnsmasq is also the DHCP server, I’m not going to disable it, only change its DNS port to 5353. In /etc/config/dhcp

[Read More]

proxy.pac CGI script

In my OpenWrt box I have two internal networks, one for my LAN and another for the Wi-Fi guests. I have configured a proxy server, and to distribute the configuration to the clients I wrote a little script that generates a proxy.pac file depending on the client IP.

I have this in /www/cgi-bin/proxy.pac:

#!/bin/sh
# REMOTE_ADDR is the client's IP address, set by the web server for CGI scripts.
mynetmask="255.255.255.0"
# ipcalc.sh prints IP=, NETMASK=, BROADCAST=, NETWORK= and PREFIX= lines; eval imports them as variables.
eval $(/bin/ipcalc.sh "$REMOTE_ADDR" "$mynetmask")
# The value keeps its double quotes so that the generated JavaScript returns a string literal.
if [ "$NETWORK" = "192.168.10.0" ]; then
  proxy='"PROXY 192.168.10.1:3128; DIRECT"'
else
  proxy='"PROXY 192.168.11.1:3128; DIRECT"'
fi

# CGI header, blank line, then the PAC body
echo "Content-Type: application/x-ns-proxy-autoconfig"
echo ""

echo "function FindProxyForURL(url, host)
{
  return $proxy;
}"

Make it executable; you can test it from the command line by passing the client IP:

[Read More]
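A hardened variant of the script above, added here as an example and not part of the original post: it checks that REMOTE_ADDR is a dotted-quad address, derives the network with shell arithmetic instead of eval'ing ipcalc.sh output, and answers only for the two known networks (assumed, following the post, to be 192.168.10.0/24 and 192.168.11.0/24 with proxies on .1:3128), returning 403 for anything else.

```shell
#!/bin/sh
# Added example, not the original post's script: proxy.pac CGI in pure POSIX sh.
# Assumed networks: 192.168.10.0/24 = LAN, 192.168.11.0/24 = guest Wi-Fi.

# Succeed only if $1 is a syntactically valid IPv4 address (no leading zeros).
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0[0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the network address of IPv4 $1 under netmask $2 (bitwise AND per octet).
network_of() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2
  IFS=$old_ifs
  echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Print the PAC proxy string for client IP $1; fail for malformed or unknown clients.
proxy_for() {
  valid_ipv4 "$1" || return 1
  case "$(network_of "$1" 255.255.255.0)" in
    192.168.10.0) echo 'PROXY 192.168.10.1:3128; DIRECT' ;;
    192.168.11.0) echo 'PROXY 192.168.11.1:3128; DIRECT' ;;
    *) return 1 ;;  # unknown network: refuse instead of defaulting to a proxy
  esac
}

# Emit the CGI response for $REMOTE_ADDR (set by the web server, e.g. uhttpd).
emit_pac() {
  proxy=$(proxy_for "${REMOTE_ADDR:-}") || { printf 'Status: 403 Forbidden\r\n\r\n'; return 1; }
  printf 'Content-Type: application/x-ns-proxy-autoconfig\r\n\r\n'
  printf 'function FindProxyForURL(url, host) {\n  return "%s";\n}\n' "$proxy"
}

if [ -n "${REMOTE_ADDR:-}" ]; then emit_pac; fi
```

From a shell, set the variable yourself to exercise it: REMOTE_ADDR=192.168.11.7 sh proxy.pac.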