Jul 30, 2018

Put OpenWrt to good use: DynDNS, IPv6, Adblock and VPN

After OpenWrt is set up, latencies are measured and the router hums happily, what's beyond?

  • DNS-over-TLS and testing a recursive and caching DNS, covered in its own blog post
  • DynDNS, IPv6, Adblock, VPN
  • a guest/neighbor wifi network
  • joining a Freifunk community, either as a "satellite" or via a mesh network
  • UPnP (I don't need it, but you may if you run consoles or set-top boxes internally; it has security implications)
  • advanced monitoring: regularly extract values from the tools already present, or use collectd or prometheus-node-exporter (source package). The pull-based nature of Prometheus is maybe contradictory when the router is your only always-on device: you'll need a second host, best-case in the same network or reachable via VPN

Dynamic DNS

This has the obvious disadvantage of being publicly "traceable". That said, being addressable by way of a nameserver lets you do direct SIP. If your router has some bytes to spare or a USB port, small documents can be served over http(s) even on a trickling upstream: this blog's front page serves 60 kilobytes gzipped, ~14 without the webfonts, with most posts being transferred at below 100 kilobytes total. For the low frequency of (surely patient) visitors and bots, I wonder how far 100 kb/s upstream could go.

The package ddns-scripts provides a method to update a nameserver's records, usually by calling an HTTP endpoint. The uci ddns reference helped me to see which options are required to be set; a full explanation can be read here. Don't mix service_name and your own update_url. use_https '1' will rewrite an http update_url. enabled '1' is mandatory, as are domain and lookup_host. I hit some special case with wget and challenge-less HTTP basic auth, which made me discover update_script and the possibility of use_curl '1', which was more forgiving. To debug, use option use_syslog '1' in your global section.

/etc/config/ddns:

config service 'myddns_ipv4'
        option enabled '1'
        option use_https '1'
        option use_ipv6 '0'
        option service_name '<service>'
        option domain '<domain>'
        option lookup_host '<domain>'
        option username '<user>'
        option password '<pass>'
    [...]
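Since the rules above (enabled, domain and lookup_host are mandatory; service_name and a custom update_url do not mix) are easy to get wrong while editing by hand, here is a small pre-flight check for /etc/config/ddns. It is an added example, not code from the post or from ddns-scripts, needs only POSIX sh and awk, and the two sample configs it ships are constructed (provider name, domain and credentials are placeholders).

```shell
#!/bin/sh
# Added example (not from the post or from the ddns-scripts package):
# validate the "config service" sections of a UCI ddns file against the
# rules from the text: enabled '1', domain and lookup_host must be set,
# and service_name must not be combined with a custom update_url.

check_ddns_config() {
    # $1: path to a UCI-style ddns config; prints one line per problem,
    # exit status 1 if any section fails, 0 otherwise.
    awk -v q="'" '
    function flush() {
        if (sec == "") return
        if (opt["enabled"] != "1")    { printf("%s: enabled is not 1\n", sec); bad++ }
        if (opt["domain"] == "")      { printf("%s: domain missing\n", sec); bad++ }
        if (opt["lookup_host"] == "") { printf("%s: lookup_host missing\n", sec); bad++ }
        if (opt["service_name"] != "" && opt["update_url"] != "") {
            printf("%s: service_name and update_url both set, pick one\n", sec); bad++
        }
    }
    # A new section starts: check the previous one. Only "config service"
    # sections are validated; the global "config ddns" section is skipped.
    $1 == "config" {
        flush()
        sec = ($2 == "service") ? $3 : ""
        gsub(q, "", sec)
        split("", opt)
    }
    $1 == "option" { v = $3; gsub(q, "", v); opt[$2] = v }
    END { flush(); exit (bad > 0) ? 1 : 0 }
    ' "$1"
}

# Constructed sample mirroring the post: one well-formed section.
sample_good_config() {
    cat <<'EOF'
config ddns 'global'
        option use_syslog '1'

config service 'myddns_ipv4'
        option enabled '1'
        option use_https '1'
        option use_ipv6 '0'
        option service_name 'example-provider'
        option domain 'home.example.org'
        option lookup_host 'home.example.org'
        option username 'user'
        option password 'pass'
EOF
}

# Constructed sample with the three mistakes the text warns about.
sample_bad_config() {
    cat <<'EOF'
config service 'myddns_broken'
        option enabled '0'
        option service_name 'example-provider'
        option update_url 'https://dyn.example.org/update?host=[DOMAIN]'
        option domain 'home.example.org'
EOF
}

# On the router: sh ddns-check.sh /etc/config/ddns
if [ "${1:-}" ]; then check_ddns_config "$1"; fi
```

Run it before `/etc/init.d/ddns restart`; a non-zero exit means at least one service section would be silently skipped or would try two update mechanisms at once.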

IPv6 Tunnel

My ISP can't do IPv6 for some of the connections it's reselling. If you're curious, register at HE and opkg install 6in4. The user guide lists the minimally required parameters.

config interface 'henet'
        option proto     '6in4'
        option mtu       '1480'
        option peeraddr  '216.128.x.x'
        option ip6addr   '2001:x:x:x::2/64'
        option ip6prefix '2001:x:x:x::/64'
        option tunnelid  '<tunnelid>'
        option username  '<user>'
        option updatekey '<updatekey>'

uci set firewall.@zone[1].network='wan henet'
uci commit firewall

ifup henet

/etc/init.d/network restart
/etc/init.d/firewall restart

I haven't figured out the proper odhcpd config to assign an IPv6 address to a local LAN client. If I assign it statically on the client, IPv6 traffic gets routed, though.

Adblocking

There are pre-packaged solutions for DNS-level blocking, either adblock itself or simple-adblock; see the comparison by the author of the latter. Disk space considerations for the blocklists apply. I would be intrigued by the possibility of receiving text-based blocking stats from dnsmasq, similar to FTLDNS/pi-hole: top 10/25/100 blocked domains with frequency numbers. I once ran it separately and it showed some network behaviour that was lost on me with the browser-based uBlock. But both solutions mostly blocked the same amount. I think the script is able to offer a pixel-serve substitute so as not to break sites having blocked content, beyond DNS blackholing.
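The top-N blocked list wished for above can be had from dnsmasq's own query log. This is an added example, not code from the post or from the adblock packages. It assumes dnsmasq runs with query logging (option logqueries '1' in /etc/config/dhcp) and that blocked names are answered locally from address=/name/... or hosts-file entries, which dnsmasq logs as "<source> <name> is <answer>", with <source> being the word config or the path of the hosts file. The log lines in sample_log are constructed; the blocklist path and client addresses in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the post or from adblock/simple-adblock):
# count DNS-blackholed names in a dnsmasq query log and print the top N.

top_blocked() {
    # $1: log file (e.g. saved output of logread), $2: list length, default 10
    awk '
    {
        # Locate the dnsmasq tag so both the syslog layout
        # ("Jul 30 12:00:15 dnsmasq[1234]: ...") and the OpenWrt logread
        # layout ("Mon Jul 30 12:00:01 2018 daemon.info dnsmasq[1234]: ...") work.
        for (i = 1; i <= NF; i++) if ($i ~ /^dnsmasq\[[0-9]+\]:$/) break
        if (i > NF - 4) next
        src = $(i + 1); name = $(i + 2); verb = $(i + 3); ans = $(i + 4)
        # A block is a locally answered name (source "config" or a hosts
        # file path) resolving to a blackhole address or NXDOMAIN. Lines
        # starting with query/forwarded/reply/cached never match.
        if (verb == "is" && (src == "config" || src ~ /^\//) &&
            (ans == "0.0.0.0" || ans == "::" || ans == "NXDOMAIN"))
            count[name]++
    }
    END { for (d in count) printf("%d %s\n", count[d], d) }
    ' "$1" | sort -rn -k1,1 | head -n "${2:-10}"
}

# Constructed log: three blocks of ads.example.net (A, AAAA and an
# NXDOMAIN-style entry), one block from a hosts-file list, plus normal
# forwarded traffic and an upstream NXDOMAIN that must not count.
sample_log() {
    cat <<'EOF'
Mon Jul 30 12:00:01 2018 daemon.info dnsmasq[1234]: query[A] ads.example.net from 192.168.1.20
Mon Jul 30 12:00:01 2018 daemon.info dnsmasq[1234]: config ads.example.net is 0.0.0.0
Mon Jul 30 12:00:02 2018 daemon.info dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
Mon Jul 30 12:00:02 2018 daemon.info dnsmasq[1234]: forwarded www.example.org to 9.9.9.9
Mon Jul 30 12:00:02 2018 daemon.info dnsmasq[1234]: reply www.example.org is 93.184.216.34
Mon Jul 30 12:00:05 2018 daemon.info dnsmasq[1234]: query[AAAA] ads.example.net from 192.168.1.21
Mon Jul 30 12:00:05 2018 daemon.info dnsmasq[1234]: config ads.example.net is ::
Mon Jul 30 12:00:09 2018 daemon.info dnsmasq[1234]: query[A] tracker.example.com from 192.168.1.20
Mon Jul 30 12:00:09 2018 daemon.info dnsmasq[1234]: /tmp/blocklist.hosts tracker.example.com is 0.0.0.0
Mon Jul 30 12:00:12 2018 daemon.info dnsmasq[1234]: query[A] nx.example.org from 192.168.1.20
Mon Jul 30 12:00:12 2018 daemon.info dnsmasq[1234]: reply nx.example.org is NXDOMAIN
Jul 30 12:00:15 dnsmasq[1234]: config ads.example.net is NXDOMAIN
EOF
}

# On the router: logread > /tmp/dns.log; sh top-blocked.sh /tmp/dns.log 25
if [ "${1:-}" ]; then top_blocked "$1" "${2:-10}"; fi
```

Query logging is chatty on a flash-backed router, so keep logread's ring buffer or a tmpfs file as the source rather than a persistent log; the counts are per answer, so a client asking for both A and AAAA records shows up twice, which is the same thing pi-hole's per-query counter does.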

Wireguard VPN

WireGuard is already packaged for OpenWrt, so after opkg install wireguard it's just following the side-by-side video in the documentation for educational purposes and afterwards using the wg-quick command to skip the manual steps. Besides the easy setup, what I always need time to wrap my head around is the best way to route external traffic. WireGuard proposes different techniques: from classical route creation and rule-based routing with packet marks to an approach using a network namespace. Currently, wg-quick employs the second technique and, lazily, I go with that one. Assigning an IP to the created wg0 interface (ip addr add dev wg0 10.0.1.2/24) is a manual step either way, and do not forget to enable forwarding if you want a VPN "exit node" configuration.

# on the VPN exit node: allow forwarding and NAT the tunnel's traffic out of the WAN interface
sysctl -w net.ipv4.ip_forward=1
interface=ens3    # the exit node's WAN interface
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${interface} -j MASQUERADE

As your clients probably get their DNS server from the router's DHCP, make sure to use the DNS of your VPN exit to avoid DNS leakage. Though the times of easily evading geoblocking might be over, VPNs are great for authentication purposes, offering ports (imap/ssh) only within the network, and of course for having a route out of hostile networks. Besides the official documentation, I favour this guide.
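The two caveats from the last paragraphs, forwarding plus NAT on the exit node and pinning the client's resolver, fit into wg-quick's own config keys, so nothing has to be typed by hand after wg-quick up. The generator below is an added example, not code from the post or from the WireGuard project. It assumes an exit node with a WAN interface passed as the first argument and a resolver listening on its tunnel address 10.0.1.1 (for instance the router's dnsmasq bound to wg0); the key material, endpoint and addresses are placeholders, and resolver_pinned reads a resolv.conf-style file to confirm no other nameserver slipped in.

```shell
#!/bin/sh
# Added example (not from the post or from WireGuard): emit wg-quick
# configs for an "exit node" and its client, and check the client's
# resolver file. Keys and endpoints are placeholders.

wg_exit_conf() {
    # $1: WAN interface of the exit node, $2: the client's public key.
    # PostUp/PostDown run through wg-quick; %i is replaced by the interface name.
    cat <<EOF
[Interface]
Address = 10.0.1.1/24
ListenPort = 51820
PrivateKey = <exit-node-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $1 -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = 10.0.1.2/32
EOF
}

wg_client_conf() {
    # $1: exit node endpoint host:port, $2: exit node public key,
    # $3: resolver reachable only through the tunnel (the exit's tunnel address).
    # AllowedIPs = 0.0.0.0/0 makes wg-quick use its fwmark/ip-rule routing.
    cat <<EOF
[Interface]
Address = 10.0.1.2/24
PrivateKey = <client-private-key>
DNS = $3

[Peer]
PublicKey = $2
Endpoint = $1
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

resolver_pinned() {
    # $1: resolv.conf-style file, $2: the VPN resolver.
    # Succeeds only if at least one nameserver is listed and all of them are $2,
    # i.e. the DHCP-provided server from the LAN is gone.
    awk -v want="$2" '
        $1 == "nameserver" { n++; if ($2 != want) bad++ }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }
    ' "$1"
}

# Example: sh wg-gen.sh eth0 > /etc/wireguard/wg0.conf on the exit node
if [ "${1:-}" ]; then wg_exit_conf "$1" "${2:-<client-public-key>}"; fi
```

On the client, DNS = is applied by wg-quick through resolvconf, so that package has to be present; after wg-quick up wg0, resolver_pinned /etc/resolv.conf 10.0.1.1 is the quick way to see whether the LAN's DHCP resolver is still in the list.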

Freifunk

Deducing from the project's defaults and package sources, is it possible to set this up on the same device, starting from vanilla OpenWrt? Freifunk Berlin has some interesting access points in its network map.