Jul 30, 2018

Put OpenWrt to good use: DynDNS, IPv6, Adblock and Wireguard VPN

After OpenWrt is set up, latencies are measured and the router hums happily, what's beyond?

  • transport encryption for DNS queries, covered in a separate post
  • dynamic DNS, IPv6 if missing, DNS-based adblocking and setting up a VPN
  • basic and advanced monitoring
  • a guest and neighbor wifi network access point
  • joining a Freifunk community, either as "satellite" or in its MESH network

Dynamic DNS

This has the obvious disadvantage of a publicly known IP address, resolvable by name. That said, being discoverable by way of a nameserver is handy for P2P applications like direct SIP. Also, if your router has some bytes to spare or a USB port, I estimate that small documents can be served over http(s) even on a trickling upstream. This blog's frontpage serves 60 kilobytes gzipped, ~14 without the webfonts, and most posts total below 100 kilobytes, so a 100 kb/s connection could serve some users of a low-frequency blog.

A method to update a nameserver's records is provided by the ddns-scripts package, usually by calling an HTTP endpoint. The uci ddns reference helped me see which options are required. A full explanation can be read here. Don't mix service_name with your own update_url. use_https '1' will rewrite an http update_url. enabled '1' is mandatory, as are domain and lookup_host. I hit a special case with wget and challenge-less HTTP basic auth, which made me discover update_script and the option use_curl '1', which was more forgiving. To debug, set option use_syslog '1' in your global section.

/etc/config/ddns:

config service 'myddns_ipv4'
        option enabled '1'
        option use_https '1'
        option use_ipv6 '0'
        option service_name '<service>'
        option domain '<domain>'
        option lookup_host '<domain>'
        option username '<user>'
        option password '<pass>'
    [...]

IPv6 Tunnel

My ISP can't do IPv6 on this connection it is reselling. If you're curious about IPv6, register at Hurricane Electric's Tunnelbroker and opkg install 6in4. The user guide lists the minimally required parameters.

config interface 'henet'
        option proto     '6in4'
        option mtu       '1480'
        option peeraddr  '216.128.x.x'
        option ip6addr   '2001:x:x:x::2/64'
        option ip6prefix '2001:x:x:x::/64'
        option tunnelid  '<tunnelid>'
        option username  '<user>'
        option updatekey '<updatekey>'

then run:

uci set firewall.@zone[1].network='wan henet'
uci commit firewall

ifup henet

/etc/init.d/network restart
/etc/init.d/firewall restart

I'm not intimate with radvd or SLAAC, so some DHCP configuration is still lost on me. At first I had dashes ("he-net") in network interface names and I guess that broke the firewall definitions for uci, but I have not confirmed this. With alphanumeric naming and adding the interface to the firewall settings, things worked out. It's a classic to forget about IPv6 when setting up firewall filtering rules; ss and nmap are your friends then for a quick reminder of what is listening publicly.

IPv6 won't go away, and being exposed to its usage informs the uninitiated. Not needing Network Address Translation (NAT) is a benefit for P2P communications. One thing to consider though: for tracking prevention it is best to cycle the address by enabling the Privacy Extensions. This is a setting in the client's kernel; check with sysctl -a net.ipv6 2>/dev/null | grep use_tempaddr and if it is set to < 2, raise it to 2 in your distribution, see docs. Ubuntu has it enabled by default on all interfaces.
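The manual grep above, turned into a small check script. This is an added example and not part of the original post: it reads sysctl-style "key = value" text on stdin and prints the sysctl commands for every interface still below 2; the sample sysctl output is constructed.

```shell
#!/bin/sh
# Added example, not from the post: the manual "grep use_tempaddr" check as a
# script that reports every interface whose IPv6 privacy extensions are below
# 2 and prints the sysctl commands that raise them. It reads `sysctl` style
# "key = value" text on stdin; the sample below is constructed.

sample_sysctl() {
cat <<'EOF'
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.wlan0.use_tempaddr = 1
net.ipv6.conf.wlan0.accept_ra = 1
net.ipv6.conf.wg0.use_tempaddr = 2
EOF
}

# tempaddr_fixes < sysctl-output: one "sysctl -w <key>=2" line per interface
# that is below 2 (0 = off, 1 = temporary addresses exist but the stable one
# is still preferred). Negative values (loopback reports -1) are left alone.
tempaddr_fixes() {
    awk -F'[ \t]*=[ \t]*' '
        $1 ~ /^net\.ipv6\.conf\.[^.]+\.use_tempaddr$/ && $2 >= 0 && $2 < 2 {
            print "sysctl -w " $1 "=2"
        }'
}

# Usage on the client: sysctl -a 2>/dev/null | tempaddr_fixes | sh
sample_sysctl | tempaddr_fixes
```

Raising the value this way lasts until reboot; make it permanent in your distribution's sysctl configuration as the docs describe.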

Adblocking

There are pre-packaged solutions for DNS-level blocking, either adblock itself or simple-adblock; see the comparison by the author of the latter. Disk space considerations for the blocklists apply. I would be intrigued by the possibility of receiving text-based blocking stats from dnsmasq, similar to FTLDNS/pi-hole: the top 10/25/100 blocked domains with frequency numbers. I once ran it separately and it showed some network behaviour that was lost on me with the browser-based "ublock", but both solutions mostly blocked the same amount. I think the script is able to offer a pixel-serve substitute so that sites with blocked content do not break beyond DNS blackholing.
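The text-based blocking stats wished for above, built from dnsmasq's query log. This is an added example, not code from the post or from the adblock packages; it assumes dnsmasq runs with log-queries and that blocked names are answered from the blocklist configuration, which dnsmasq logs as "config <name> is 0.0.0.0" (or "is ::" / "is NXDOMAIN"); that log format and the sample lines are assumptions constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the post or the adblock packages: the text-based
# blocking stats the post wishes for, built from dnsmasq's query log.
# Assumptions: dnsmasq runs with `log-queries`, and blocked names are
# answered from the blocklist configuration, so dnsmasq logs them as
# "config <name> is 0.0.0.0" / "is ::" / "is NXDOMAIN" (the log format
# and the sample lines below are constructed for offline use).

sample_log() {
cat <<'EOF'
Jul 30 10:00:01 router dnsmasq[1234]: query[A] ads.example.net from 192.168.1.20
Jul 30 10:00:01 router dnsmasq[1234]: config ads.example.net is 0.0.0.0
Jul 30 10:00:02 router dnsmasq[1234]: query[A] openwrt.org from 192.168.1.20
Jul 30 10:00:02 router dnsmasq[1234]: forwarded openwrt.org to 9.9.9.9
Jul 30 10:00:03 router dnsmasq[1234]: query[A] tracker.example.com from 192.168.1.21
Jul 30 10:00:03 router dnsmasq[1234]: config tracker.example.com is NXDOMAIN
Jul 30 10:00:04 router dnsmasq[1234]: query[AAAA] ads.example.net from 192.168.1.21
Jul 30 10:00:04 router dnsmasq[1234]: config ads.example.net is ::
EOF
}

# Keeps only answers served from config with a blackhole value; a "config"
# line for a legitimate local host (e.g. "is 192.168.1.10") is skipped.
blocked_names() {
    awk '/dnsmasq\[[0-9]+\]: config / && ($NF == "0.0.0.0" || $NF == "::" || $NF == "NXDOMAIN") {
        print $(NF - 2)   # layout: ... config NAME is ADDR
    }'
}

# top_blocked N < log: "count name" lines, most frequently blocked first.
top_blocked() {
    blocked_names | sort | uniq -c | sort -rn | head -n "$1" | awk '{ print $1, $2 }'
}

# blocked_ratio < log: whole-number percentage of queries that were blocked.
blocked_ratio() {
    awk '/dnsmasq\[[0-9]+\]: query\[/ { q++ }
         /dnsmasq\[[0-9]+\]: config / && ($NF == "0.0.0.0" || $NF == "::" || $NF == "NXDOMAIN") { b++ }
         END { printf "%d\n", (q ? b * 100 / q : 0) }'
}

# Usage on the router, where the log lives in the ring buffer: logread | top_blocked 25
sample_log | top_blocked 10
echo "blocked: $(sample_log | blocked_ratio)% of queries"
```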

Wireguard VPN

WireGuard is already packaged for OpenWrt, so after opkg install wireguard it's just a matter of following the side-by-side video in the documentation for educational purposes and afterwards using the wg-quick command to skip the manual steps. Besides the easy setup, what I always need time to wrap my head around is the best way to route external traffic. WireGuard proposes different techniques: from classical route creation and rule-based routing with packet marks to an approach using a network namespace. Currently wg-quick employs the second technique and, lazily, I go with that one. Assigning an IP to the created wg0 interface (ip addr add dev wg0 10.0.1.2/24) is a manual step either way, and do not forget to enable forwarding if you want a VPN "exit node" configuration:

sysctl -w net.ipv4.ip_forward=1                                # let the kernel route between interfaces
interface=ens3                                                 # upstream interface of the exit host
iptables -A FORWARD -i wg0 -j ACCEPT                           # forward packets arriving from the tunnel
iptables -t nat -A POSTROUTING -o ${interface} -j MASQUERADE   # SNAT them to the upstream address

As you probably get the DNS server told to you by the DHCP server on the router, make sure to use the DNS of your VPN exit to avoid DNS leakage. Though the times of easily evading geoblocking might be over, VPNs are great for authentication purposes, for offering ports (imap/ssh) only within the network and of course for having a route out of hostile networks. Besides the official documentation, I favour this guide.
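A small lint for a wg-quick client config that catches the DNS leak described above, and the IPv6 bypass that follows from routing only 0.0.0.0/0 through wg0. This is an added example, not code from the post or from the WireGuard project; the weak and corrected sample configs are constructed and their key values are placeholders.

```shell
#!/bin/sh
# Added example, not from the post or the WireGuard project: a lint for a
# wg-quick client config that flags DNS queries still going to the resolver
# the router's DHCP handed out, and IPv6 bypassing the tunnel because only
# 0.0.0.0/0 was routed through it. Sample configs and keys are constructed.
weak_conf() {          # full IPv4 tunnel, no DNS override, IPv6 untouched
cat <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.1.2/24

[Peer]
PublicKey = <exit-node-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0
EOF
}

fixed_conf() {         # resolver reached through the tunnel, both families routed
cat <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.1.2/24, fd00:1::2/64
DNS = 10.0.1.1

[Peer]
PublicKey = <exit-node-public-key>
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
}

# lint_wg_conf < conf: one finding per line, no output when the config is clean.
lint_wg_conf() {
    awk '
        /^[A-Za-z]+[ \t]*=/ {                     # "Key = value" lines only
            key = $0; sub(/[ \t]*=.*$/, "", key); val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            val = " " val                         # so a list entry is always preceded by " " or ","
            if (key == "AllowedIPs") {
                full4 = full4 || (val ~ /[ ,]0\.0\.0\.0\/0/)
                full6 = full6 || (val ~ /[ ,]::\/0/)
            }
            if (key == "DNS") dns = 1
        }
        END {
            if (full4 && !dns)   print "DNS_LEAK: full tunnel but no DNS= under [Interface]"
            if (full4 && !full6) print "IPV6_LEAK: 0.0.0.0/0 is routed through wg0 but ::/0 is not"
        }'
}
weak_conf | lint_wg_conf    # prints both findings; fixed_conf | lint_wg_conf prints nothing
```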

Traffic Monitoring

For basic monitoring, vnstat can show traffic by time interval and for the hourly view (-h) displays a histogram too. iptables -v -L shows packet and byte counts for each rule in a table that has counters enabled. If rules are present to match the traffic, they can show how much traffic is IPv4 or IPv6 bound, or by which protocol. To persist monitoring data, the storage capabilities of the device matter if the data is not pulled from a remote host. For OpenWrt different solutions are available: collectd, netdata and prometheus-node-exporter (source package). For the last you'll need an always-on host in the same network to pull metrics continuously.

Freifunk

Deducing from the project's defaults and package sources, is it possible to set this up on the same device, starting from vanilla OpenWrt? Freifunk Berlin has some interesting access points in its network map.