Dev Odyssey
A Developer’s Journey Through IT, covering Tutorials and Reviews of IT Tools and Technologies.
Comments
@hassanbagheri8265 15 hours ago
Thank you sir, it was excellent. But I am going to go another way: I need to set some URLs to go through the VPN and almost all others from the LAN. How do I config this? And is there any method to create a wildcard to allow all subdomains in a rule too?
@ivannicolas166 1 day ago
If I had another WireGuard "inbound" working as a server, to connect from outside, can I use both? For example, when I connect from outside to my home network through my WireGuard server config, will I be navigating the internet through this WireGuard client? Thanks a lot.
@saswatachakraborty 3 days ago
Does OpenWrt allow us to set up multiple VPN locations through WireGuard so I can change the location if/when needed? If yes, how do we do that?
@belyrodriguezmorales8032 4 days ago
Great tutorial, however I can't find luci-app-wireguard on the software tab. I am using a Raspberry Pi 4B and OpenWrt 23.05.04. What am I doing wrong? Any alternative?
@tonysteele3805 11 days ago
My entries don't appear on the live view at all. FYI none of this works after the recent update. Also DHCP server totally changed. Seems someone has infiltrated the project. Way too many coincidences.
@DevOdyssey 7 days ago
Thanks for watching @tonysteele3805. So I'm not sure why this is the case for you, but are you sure that each rule you have made is set to log, such as at 11:34? If you haven't, they will never show up in your firewall log. As for working after the recent update, it still works fine for me, so I'm not sure why (or what) you are experiencing this. DHCP has changed to a new backend. It's using a more modern version of DHCP called KEA. You can find more in the link below, but the old version of DHCP is reaching end of life. docs.opnsense.org/manual/dhcp.html I wouldn't say it's infiltrated, there doesn't seem to be any indication that is the case, and I would advise being cautious of those statements without more concrete evidence, since unfortunately this is becoming a thing in modern day supply chain security of open source developed software, and should be taken very seriously, just as with the recent example of the xz backdoor that was created. I digress, but what has been seen so far is normal in the software lifecycle.
@marcg1043 15 days ago
Interesting viewpoint. The networks on different ports of your router are physically separated? Are you sure? Plug 2 devices into 2 ports and ping the other one. You will see that each device can see the other one. No separation through ports. And why would you assign a separate subnet to your VLAN? That's just mixing two network layers. The VLAN should work fine within the same subnet. No?
@DevOdyssey 7 days ago
Thanks for watching @marcg1043. Yes, so they're physically separate, in that each port on a router is its own physical port. Now most of these are switch ports, which I'll get back to in a second regarding its significance, but technically they aren't the same port. By default on any off the shelf router, if you plug into each LAN port, you'll be placed on the same network. That, of course, is by design. They will be on the same layer 2 and technically won't be separated as you noted. On other systems, say mini PCs with more than one ethernet port, those will often have a dedicated ethernet controller for each ethernet port. As a result, this physical separation of ethernet controllers means that the ports can have their own separate networks defined, alluding to that physical separation of networks. On a standard router, these physical ethernet ports share the same ethernet controller, thereby acting as switch ports, and placing you on the same layer 2 network, unless it's VLAN capable, which this video goes into how that's done. Anyway, that's the gist of it, but a notable caveat, so I appreciate the question. I assign a separate subnet to my VLAN because I want that VLAN to be a different network, it's as simple as that. I can't make the VLAN be the same subnet as my primary LAN, as that would cause collisions and it simply doesn't work that way. Conceptually it's against the purpose of a VLAN. A new subnet must be created for each new VLAN. Each are their own network.
@bogdangusak4573 15 days ago
Thanks so much for the cool guide! Applied every step from your manual and now I have a VPN router!!
@DevOdyssey 7 days ago
Thanks for watching @bogdangusak4573! Glad the step by step instructions worked for you exactly as expected. Enjoy your VPN router!
@pokomoro9461 19 days ago
Hi, I hope you can help. I made all the settings you did for a LAN to LAN connection, and it worked. The problem is that the second router, 1 hour later, stops communicating with the first router, but the first router still can communicate with the second router.
@DevOdyssey 7 days ago
Thanks for watching @pokomoro9461! That's very strange, can you elaborate more on what that means? Are your devices on the second router not able to get to the internet? Have you tried to directly use the second router to communicate with the first? Have you repeated this and is it always that after 1 hour it "stops communicating"? How are you doing this testing to observe that the second router stops communicating with the first router? Some more context should help, but if the first router can still communicate with the second router, then it makes me wonder what the real issue is.
@wanttotree 21 days ago
Hey, thanks for your reply on the other video. Now I got to this video and got PBR working via IP address. Now I'm curious if I can tunnel only YouTube, for example?
@DevOdyssey 20 days ago
You're welcome, happy to see you watching another video! You should be able to simply set youtube.com as your destination and it should work. Now I'm not sure if this covers everything that YouTube uses on the back end as a part of its services, but this is effectively where you'd start. In addition, if you needed to route YouTube subdomains, I did talk about that as well on a high level at 9:02. Basically, you can create a script that would pre-populate all dnsmasq nftsets (so long as you set that as your resolver), and pull down IPs for domains and subdomains, and any policies you write would inherently include the subdomains (so long as you have a domain set in your policy). You can find more information here on that, which I actually referred to recently in another comment. docs.openwrt.melmac.net/pbr/#UseDNSMASQnftsetsSupport For now start with adding youtube.com in your policy and see if it works as expected.
@rysterstech 22 days ago
Used this tutorial to set up WARP on my Pi4 based OpenWRT portable router. Worked like a charm and it didn't break tailscale compatibility so I can use rsync to synchronize a shared USB SSD on the router back to my server at home. It's amazing how much functionality you can cram into such a small space.
@DevOdyssey 20 days ago
Thanks for sharing @rysterstech! I haven't used Cloudflare WARP myself, but I see it's WireGuard based and I'm happy to hear this helped you set it up. Should be easier then when I get around to trying it out. I wouldn't expect it to break tailscale, given they'll simply be different interfaces. It's honestly really neat to see how much you can do with these little boxes and Open Source Software. Let alone, it really gives you insight into how much manufacturers have limited consumer ability to customize their devices. It's grown a ton since the early days, but still you won't get that level of customization using off the shelf software for the hardware you buy. Plus this is more fun, especially when you get your use cases working 😊
@Kim-jj3nr 22 days ago
thanks for this
@DevOdyssey 20 days ago
You're welcome and thanks for watching! @Kim-jj3nr
@j0efil 23 days ago
So by firewall zones, is it possible to make like 2 or more physical routers, each of them having a different local IP gateway, in an OpenWrt system? (I don't know how to say it technically but you get the idea, right?) And if so, can you guide me on what the steps are? Thanks 😊
@DevOdyssey 20 days ago
Thanks for watching @j0efil! Not sure I completely understand, but I'll try. You can create different networks, or subnets, in OpenWrt, and each of those will have a different router IP (say 192.168.1[.]1 and 192.168.2[.]1). They both would physically lie on the same system (the OpenWrt router). You can achieve this in multiple ways. If your router has more than one ethernet interface, you can simply create a new network on it. If not, you can create VLANs that can achieve the same thing, with a bit more flexibility. You can watch my video on creating VLANs below (for newer OpenWrt systems). The second video you can watch for more educational information regarding what VLANs are. VLANs in OpenWrt 21.02+ ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-d3aYMqt-b_c.html How VLANs work (and how to set them up in OpenWrt 19.x) ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-5TtlAXeaGUM.html
@j0efil 12 days ago
@@DevOdyssey thanks! Big help! Also, do you have a guide on how to set up port priority using mwan3?
@DevOdyssey 7 days ago
@@j0efil You're welcome! I unfortunately don't have a guide on it at this time, but I suggest following through with their guides. openwrt.org/docs/guide-user/network/wan/multiwan/mwan3 But if I understand what you are getting at, it should be as easy as changing the metric on the port, that really defines its routing priority. The higher the metric, the increased priority it has, it's really as simple as that.
@AlexanderDavila-q9r 23 days ago
Hi, it looks like I got this configured to work but I'm not seeing anything in the access.log. Is there anything I'm missing as to why this is not printing there?
@DevOdyssey 20 days ago
Thanks for watching @AlexanderDavila-q9r! That's interesting, I haven't seen that before. Doing a quick search, it seems like entries can be logged in /var/log/messages. Have you checked any other OS log location to see if squid is logging there? I'm not sure what distro you are using but that's something to consider here where it can mess with logging. Also, can you confirm that the proxy is working as expected? Are your requests being proxied after you've configured it? I used the base install of squid from Ubuntu, and didn't modify anything for logging, so depending on how you installed it, I wouldn't expect you to have missed something from a default install. Otherwise, I'd encourage doing some research to see how you can resolve this.
@user-fc9ic5cm8d 24 days ago
Thanks a lot! Maybe you have a video about configuring resolver set support? dnsmasq nft set. I can't understand how to configure it.
@DevOdyssey 24 days ago
You're welcome @user-fc9ic5cm8d! I don't have a video on that unfortunately, but you should be able to follow the docs for pbr and set this up. docs.openwrt.melmac.net/pbr/#UseDNSMASQnftsetsSupport There is a screenshot in there that shows you an option to change your resolver set. After making sure you have the dnsmasq-full package installed, I don't think there is anything else you'd need to do. You can add custom user files on top of that if you want, but again not required. You can find more information on that in the link above.
@Rugbyu17-jh8qg 24 days ago
Why is there a USB device on the site A network, but not on site B? config device option name 'br-lan' option type 'bridge' list ports 'usb0'
@DevOdyssey 24 days ago
Thanks for watching @Rugbyu17-jh8qg! Is the snippet you shared your config? It seems like so (as I don't see it in my video). What equipment are you running OpenWrt on for each site? To me it looks like your ethernet interface is actually USB based, and it's using a USB adapter for that ethernet interface (built in to the board going over the USB controller, or simply an adapter plugged into the USB port). Looks like they would be different equipment too since it sounds like they aren't the same.
@chuckcorvec3453 25 days ago
I tried this. My installation had a default allow Any to Any rule. I removed it and added the first two in this video. My entire network went down. I could not get to anything. Any idea why?
@DevOdyssey 24 days ago
Thanks for watching @chuckcorvec3453! Sorry to hear about your trouble. I'm curious about that rule, I have to look again to check if that's a default rule in my installations. Anyway, these two rules will not be suitable for all traffic on your home network. Rather, this was merely to show the example of how to create rules, and not all the rules any home network needs. The rules you need depend on the devices in your environment. What you do want is allow rules for HTTP/HTTPS, for most web and internet based traffic. The way I recommend doing this process is setting up your base rules, all above your default ANY / ANY rule (making sure quick match is checked off). Then, when you feel you have done enough rules, you can disable the ANY / ANY rule, and see what happens. If something breaks, you can turn that rule back on, and begin to troubleshoot to find out how you can make a new rule to fix what broke, since you ideally wouldn't want that ANY / ANY rule in place indefinitely. This ANY / ANY rule is just an easy way to make sure everything works, and if you want the easiest solution, you can leave that on. However, it reduces the control you have over your network traffic. Depends on what you're trying to achieve and what level of control you want to exercise over your network.
@sirlanzi 26 days ago
Really great tutorial. Thanks for that. Quick question. Do I need a dyn DNS on both routers if I want to avoid the keep alive?
@DevOdyssey 25 days ago
Thanks for the compliment @sirlanzi! Always happy to hear when people get value out of my videos. As for your question, technically no. DynDNS will not save you from needing the keep alive, you could still well need it with DynDNS. The reason DynDNS is needed is because of two reasons really. One is your external IP is CGNATed. Meaning you share a public IP address with other people. Because of that, you don't control the public IP address the internet sees, and you can't do port forwarding. The second reason is you don't control your network, or have access to port forwarding or opening up ports on your firewall. What the keep alive does is make sure one end of the tunnel initiates the connection, and keeps it going, since the opposite end cannot initiate the connection, due to the above reasons. When you get DynDNS, this doesn't remediate CGNAT or lack of network control, it just gives your IP address a DNS record. So if you fall into either situation above, you'll still need the keep alive on one end of the tunnel, particularly on the end that has your CGNAT IP or "IP you can't control". DynDNS is just convenient for the end IP that does change, so that you know you'll always be hitting the right endpoint.
@wanttotree 28 days ago
Any way I can route only a certain user/IP address to the VPN? I just want to route the VPN connection to my TV and not to my other devices.
@DevOdyssey 25 days ago
Thanks for watching @wanttotree and great question. Yes, you certainly can by using a package called pbr, or "Policy Based Routing". I created a video on how to do that, which you can follow here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-FN2qfxNIs2g.html
@DavidWilliams-pi6cx 28 days ago
Good vid! As an MSP, I can definitely recommend Thirdlane's cloud phone system. It's not free but cost-effective, with decent support and customization options. 3CX is alright, but we've switched to Thirdlane and are really happy now.
@mikenyc1589 28 days ago
Is it possible to add 2 WireGuard VPNs for protection if one drops? And how?
@DevOdyssey 25 days ago
Interesting question! Theoretically, yes, you could use a failover package called mwan3, which you'd use to set up your second WireGuard interface as a failover interface. It effectively operates on pings, and if the pings fail on the first WireGuard interface, traffic will begin to be routed over the second WireGuard interface. All you'd need to do is set up 2 WireGuard interfaces, then set up the mwan3 package. I haven't used mwan3 yet, but it should be pretty simple to follow. openwrt.org/docs/guide-user/network/wan/multiwan/mwan3
@saotekwong3276 29 days ago
Hey. Thank you. But is there a way to use a wildcard domain to include all subdomains of a domain?
@DevOdyssey 25 days ago
Thanks for watching @saotekwong3276! Referring to the link below, you should be able to route all subdomains of a domain in your policy. However, you don't explicitly wildcard it. Instead you write the domain as you normally would, say google.com, and then when you set your resolver set to dnsmasq.ipset or dnsmasq.nftset, whichever is supported on your system, it will route subdomains through your existing policy. Refer to the comment below from the creator of PBR for more information. My answer is simply what he provided, and not something I have personally experienced. forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/779
@saotekwong3276 10 days ago
@@DevOdyssey Thank you very much. I tried dnsmasq.nftset, but it is not working. I have no idea why
@saotekwong3276 8 days ago
@@DevOdyssey Thanks for your information. However, I have tried, but it does not work.
@DevOdyssey 7 days ago
@@saotekwong3276 So can you elaborate on it? What's not working about it and how is it not working? How have you tested it to prove it's not working? Have you ensured that you have dnsmasq set up on your router? If you have further trouble here, it would probably be worth getting onto the OpenWrt forums to ask for assistance, where you can share screenshots of what you've done and your observations of your tests, and the community should help you get it working, including the creator of the pbr package. forum.openwrt.org/ forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639?page=38
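As an added illustration (not from the video or any of the comments above) of what the PBR setup discussed in this thread looks like on disk, here is an /etc/config/pbr fragment with the resolver set switched to dnsmasq.nftset, which is what makes a plain domain policy also cover its subdomains, plus one domain policy and one per-device policy. The WireGuard interface name wg0 and the TV's address 192.168.1.50 are assumptions; dnsmasq-full must be installed and LAN clients must use the router for DNS.

```uci
# /etc/config/pbr (added example; assumes the WireGuard client interface is named wg0)
config pbr 'config'
	option enabled '1'
	# dnsmasq.nftset: dnsmasq adds every IP it resolves for a policy's domain
	# (subdomains included) to an nft set that PBR then routes. Needs dnsmasq-full.
	option resolver_set 'dnsmasq.nftset'
	# Drop policy traffic instead of leaking it to the WAN while wg0 is down.
	option strict_enforcement '1'
	option verbosity '2'

# Domain policy: only YouTube traffic leaves through the tunnel.
# With dnsmasq.nftset, names such as www.youtube.com match as well,
# with no wildcard syntax needed.
config policy
	option name 'YouTube via WireGuard'
	option dest_addr 'youtube.com'
	option interface 'wg0'

# Per-device policy: one host (the TV, address assumed) is routed over the
# tunnel for every destination; all other LAN devices keep using the WAN.
config policy
	option name 'TV via WireGuard'
	option src_addr '192.168.1.50'
	option interface 'wg0'
```

If the domain policy never matches, the usual cause is clients resolving DNS somewhere other than the router's dnsmasq (for example a hard-coded resolver on the device), so the set never fills; the pbr service status in LuCI shows which sets were created.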
@JBlask 1 month ago
Something with snort3 and/or suricata might be helpful. Would squid help with layer3 issues? What else have you used for DPI?
@DevOdyssey 26 days ago
Snort3 or suricata can definitely be helpful, though those are more IPS/IDS solutions, that are on top of DPI in general. IDS and IPS solutions can be resource intensive too, so OpenWrt on your standard routers won't be able to handle too many rules in either platform. They'd be better on an x86 mini PC if you still wanted to use OpenWrt. To that point, it doesn't seem like suricata has been fully ported to OpenWrt, only Snort has been. There are other DPI systems like Netify that work on OpenWrt, but I have not tried it, and it seems to be a paid solution as well. They don't seem to exactly be an IDP or IDS but simply doing packet inspection for network analytics. For DPI and related services like IDP or IDS, I'd recommend using a platform with more power, and using BSD based solutions like OPNsense or pfSense, using Intel based hardware, and something with more than 1 GB of RAM. I haven't gotten around to doing DPI or IDP/IDS personally, other than enterprise grade solutions such as Palo, so I don't have much experience to share here. Though I've heard good things about ZenArmor that I'm hoping to try in the near future, which offers tons of functionality beyond IDP and IDS, more in the realm of "Next Generation Firewalls". If you do happen to use Snort on OpenWrt, I'd be curious to hear about your experience. You might get to it before I do.
@mikeclites8407 1 month ago
Hey Dev, appreciate your videos. Would you be able to do one on mwan3 & OpenWrt 23.05? I understand there is a script now that makes it work with ipsets. Thanks again!
@DevOdyssey 29 days ago
Thanks @mikeclites8407! Awesome to hear from another happy viewer. I can't honestly say if or when I'd get to it, but if you do try it out yourself, I'd be happy to give my 2 cents. I haven't used mwan at all yet, but my understanding of it is pretty straightforward. Do you have a reference that says it works with ipsets using a specific script?
@striker_rafael 1 month ago
Awesome, easy to follow, thank you so much!
@DevOdyssey 1 month ago
You're welcome @striker_rafael! Thanks for watching. I'm happy to make great content just like this. I have plenty more video / network ideas I need to get started on that I'd be happy to share.
@JBlask 1 month ago
I would like to see a set of basic firewall rules set up on OpenWRT with a default deny rule set on the LAN. I would like to see rules for DNS/mDNS, dhcp-client including refresh, http/https-client, passive ftp client, ssh-client, pgp-clients, multimedia (like YouTube) clients, and video conferencing clients (like ZOOM). An episode where you review assorted network tools would also be useful. I would like to be able to inspect the details of packets that get dropped, for example, to figure out how to write my own rules and to check my configuration. Thanks for explaining the basics of linux firewalls. Some things definitely make more sense now.
@DevOdyssey 1 month ago
Thanks for watching @JBlask! Appreciate you sharing your ideas. A general firewall rule video on good rules to implement is one I've been wanting to make for some time, but haven't gotten around to it. Those additional rules you're referring to, I haven't really ever made rules for all those, as some are automatic, like the dhcp rules. HTTP(S), FTP and SSH are straightforward, pgp clients I'm not sure on, and doing rules for applications like YouTube or Zoom requires a different type of firewall, one that can create Layer 7 or application rules. You won't be able to create those with OpenWrt. I have wanted to do a network tools video too, like ping, iperf3, tcpdump, but haven't fully fleshed that idea out. Deep packet inspection is something I still need to improve on, so one day I could go more in depth there. Nonetheless, I'm happy to hear this video as it stands was able to teach the basics, just as I had intended.
@confusio4207 1 month ago
great video man, very informative
@DevOdyssey 1 month ago
Thanks for watching @confusio4207! Appreciate the compliment!
@luhwoppp 1 month ago
The services menu doesn't pop out on my router, any suggestions?
@DevOdyssey 1 month ago
Thanks for watching @luhwoppp! Could you elaborate more? Does it actually show up after the install, and are you saying the dropdown doesn't show anything? What version of OpenWrt are you running? I haven't used this in the newer versions, 23.05, so I can't be sure if there are any issues, but to me it sounds like it could be something you are misunderstanding.
@mikenyc1589 1 month ago
Best complete video on subject!!!!
@DevOdyssey 1 month ago
Thanks @mikenyc1589! Really appreciate the compliment.
@mikenyc1589 29 days ago
@@DevOdyssey I would like that info on mwan3.... I wouldn't want wifey getting pissed if the internet conks out while she's working.. :(
@jamesnorth6078 1 month ago
Great video. I have everything working except for the very last part: I cannot ping a device on the opposite site's LAN. I get a reply from the opposite site's WG interface address, Destination port unreachable. Handshake is fine, a PC on Site A can ping the WireGuard interface address on site B, also the Pi running OpenWrt on site B. This also works in the other direction. However, a PC on site A cannot ping a PC on site B and the same fails in the other direction. IPs and allowed IPs are below. Also, I do not seem to see any error in the logread after failed ping attempts. If I ping a PC on site B from site A then the WG address on site B replies with Destination port unreachable. I have tried to set VPN and WAN forwards to ACCEPT but I am guessing really. I even tried temporarily disabling the Windows firewall on each PC but this did not resolve the issue. Any help would be appreciated in what I can check next. Further info: I am using a DrayTek router as my simulated internet connection. I have LAN 3 and LAN 4 for site A and site B. The routing table shows both networks are in there. site_a (Pi OpenWRT 192.168.100.1 - WAN 192.168.3.10/24 - WG 10.10.10.1/32) Allowed IPs (10.10.10.0/24 - 192.168.200.0/24) site_b (Pi OpenWRT 192.168.200.1/24 - WAN 192.168.4.10/24 - WG 10.10.10.2/32) Allowed IPs (10.10.10.0/24 - 192.168.100.0/24)
@jamesnorth6078 1 month ago
I managed to resolve the issue with some help from the OpenWrt forum. Firstly I disabled the firewall for each of the routers using the command /etc/init.d/firewall stop. I also disabled the Windows firewall on both PCs. I was then able to ping from PC to PC in both directions. I added the Windows firewall back and could only ping in one direction. So one of the PCs' firewall needed configuring. Moving on, I added config forward option dest 'lan' option src 'vpn' to each router. This created the rules required so I could start the firewall on each of them again with /etc/init.d/firewall start. Finally, to get the ping working for both directions I added the WG subnet (10.10.10.0/24) and the opposite site subnet to each of the Windows inbound firewall settings. Now all up and running. Great video. I found out a lot setting it up. One being that OpenWRT will block forwarding on the LAN when source and destination subnets are different.
@jamesnorth6078 1 month ago
Essentially I was using the wifi as the WAN and the Ethernet as the LAN. So at 9min 38secs of the video where you set the VPN zone to forward to WAN, I needed to forward VPN to LAN. Something that I only realised after getting it to work.
@DevOdyssey 1 month ago
@@jamesnorth6078 Thanks for watching and sharing what you've done, I appreciate it. These extensive notes are sure to help anyone else experiencing the same issue. Your experience reminds me of basically anything I make a video on, I have to rough through the experiences of getting it wrong so many times until I get it right. Given what you said, it makes sense why it didn't and did work after your changes. My simulated Internet was to show this with public IP addresses, and it's pretty easy to set up in OpenWrt. Just define your subnet and allow forwarding. That's pretty much it, and was pretty novel for me to do in this video. Though in future videos, I have some cloud ideas in mind for my demonstrations. Anyway, thanks again for sharing your experience, and I hope this setup continues to treat you well!
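Pulling together the keep alive discussion earlier in the thread and the VPN-to-LAN forwarding @jamesnorth6078 needed, here is an added example (not from the video or the comments) of the /etc/config/network and /etc/config/firewall sections for a site-to-site tunnel, using the tunnel and LAN addresses from that thread. Site B is assumed to be the CGNAT side, so it dials out and sets persistent_keepalive; site A is the reachable side with a listen port. The keys, the DynDNS name site-a.example.com and the interface name wg0 are placeholders.

```uci
# --- Site A (reachable side): /etc/config/network (added example) ---
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SITE_A_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.10.10.1/24'

# Peer = site B. No endpoint_host here: site B sits behind CGNAT, so it must
# be the side that initiates and keeps the session alive.
# allowed_ips is the cryptokey routing table: only the peer's tunnel address
# and its LAN are accepted from (and routed to) this peer.
config wireguard_wg0
	option description 'site_b'
	option public_key 'SITE_B_PUBLIC_KEY_PLACEHOLDER'
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.2/32'
	list allowed_ips '192.168.200.0/24'

# --- Site B (behind CGNAT): /etc/config/network ---
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SITE_B_PRIVATE_KEY_PLACEHOLDER'
	list addresses '10.10.10.2/24'

# Peer = site A, addressed by its DynDNS name. persistent_keepalive sends a
# packet every 25 s so the NAT mapping stays open and site A can still reach
# site B between bursts of real traffic. DynDNS alone does not do this.
config wireguard_wg0
	option description 'site_a'
	option public_key 'SITE_A_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'site-a.example.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.1/32'
	list allowed_ips '192.168.100.0/24'

# --- Both sites: /etc/config/firewall ---
# wg0 gets its own zone. OpenWrt does not forward between zones unless told to,
# which is why PCs could reach the remote router's wg address but not the
# remote LAN: the vpn<->lan forwards below are the missing piece.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'

config forward
	option src 'vpn'
	option dest 'lan'

config forward
	option src 'lan'
	option dest 'vpn'

# Site A only: accept site B's handshake on the WAN (the only inbound port
# the reachable side needs to open).
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
```

After /etc/init.d/network restart and /etc/init.d/firewall restart on both routers, a handshake that never ages past two minutes on site A confirms the keepalive is doing its job; host firewalls on the PCs still need to allow the remote subnets, as the thread found.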
@barneybarney3982 1 month ago
not trying to be rude or something, but i kinda expected to see something different, like some tips or w/e, but video is less informative than just opening "full help" right on the rule page.
@DevOdyssey 1 month ago
Thanks for watching @barneybarney3982, and no worries. I'm not taking any offense, I appreciate you sharing your thoughts. This video is really meant to provide the hands on approach that you wouldn't get from clicking "full help". While the things I say certainly have overlap, the full help won't click through the options for you and show how they are used, in conjunction with different options. I have thought about some general "firewall tips" videos about best practices and good rules, that I hope to get to in the future, as I can see that being a very helpful video. I just haven't gotten around to it yet.
@ANTHONYBOOTH 1 month ago
I am hoping that my self-hosted 4SC FREE license will renew on June 2nd; - about 3 years ago, I ran up 3CX as a VM, - I was so impressed that I ran it 'on the metal' ......currently on V20 and I did my DNS homework...
@DevOdyssey 1 month ago
Thanks for watching @ANTHONYBOOTH! The self hosted version would be cool to try, as I like to get my hands dirty that way. This video was a fun experiment in learning SIP and VOIP tech. Happy to hear that the platform has been treating you well overall!
@JenNittahl 1 month ago
Thank you, it worked. Though, when I stop the WireGuard interface, I can't connect to any website anymore. To get it to work again, I have to tick the box at "Use the DNS servers advertised by peer" in the WAN interface again, any idea how to fix that?
@DevOdyssey 1 month ago
Thanks for watching @Anonym12393! Glad to hear it worked. So what this seems to indicate here is that your DNS server is not accessible outside of the tunnel, and therefore DNS requests are failing (and therefore any other requests that rely on DNS). You can remediate this by using a Cloudflare DNS or simply making sure the DNS server is accessible outside of the tunnel. I believe Mullvad has DNS servers that are public that you can use, but obviously feel free to use one you trust.
@Victor-779 1 month ago
Regarding the heatsink, probably 40mmx55mm standard size for a compute module 4. Could you let me know what the fin height is in your example? I'm not sure if it matters whether or not the fins stick out of the enclosure or not. Great video on this! 👍
@DevOdyssey 1 month ago
Thanks for watching Victor! The height shouldn't matter since the fins do stick out of the enclosure, for the sake of air flow and letting the heat dissipate. I went ahead and measured it, and the height is roughly 4 mm, from the top of the fan to the base of the heat sink. Is there a reason you're concerned about the height?
@Victor-779 28 days ago
@@DevOdyssey There are other heatsinks with differing heights, but same length and width for a CM4, but I understand now that the height doesn't matter for assembly purposes, any of them will do, thanks!
@DevOdyssey 25 days ago
@@Victor-779 You're welcome and good to know. I figured there are, I don't shop around for different heatsinks for Raspberry Pi CM4s often. But yea it can be even taller if need be to catch more airflow, and it won't get in the way unless you squeeze the whole unit into a tight space, which I don't imagine anyone would really be doing.
@dominikseildein6049 1 month ago
Wow, these fast jumps are a complete disaster if you want to follow along...
@DevOdyssey 1 month ago
Thanks for watching @dominikseildein6049! Excuse me while I use Google Translate to reply. The speed-up is meant to keep the video at a reasonable length, but I can see that it can make the video hard to follow. I recommend slowing the video down in those sections so you can follow it more closely.
@tranquiloteov 1 month ago
Thanks for the awesome video. I have a Raspberry Pi 5 with docker and adguard as a DNS server. Would it be possible to add another container for OpenWrt? Or do I have to use another independent Raspberry Pi?
@DevOdyssey 1 month ago
Thanks for watching @tranquiloteov! Nice setup! So from my research, you can set up OpenWrt within a container, but I can't say I have ever done it. The reverse is also true, you can run containers within OpenWrt (as the host OS). So you could run that adguard and DNS server in a container on OpenWrt, or simply use the adguard package and built in dnsmasq. But if you want to use OpenWrt as a container, I'd refer to this reddit thread here with some notable links on OpenWrt containers. www.reddit.com/r/openwrt/comments/p7qple/has_anyone_tried_running_openwrt_in_a_docker/ openwrt.org/docs/guide-user/virtualization/lxc github.com/oofnikj/docker-openwrt If you do get it working, give an update here with a comment, I'd be happy to hear about it.
@diyer1190
@diyer1190 Месяц назад
PBR can't run, even if I press Enable or Start. Service Status: Stopped (version: 1.1.1-7). Please help.
@DevOdyssey
@DevOdyssey Месяц назад
@diyer1190 thanks for watching! Sorry to hear you’re having trouble. What version of OpenWrt are you running, and have you looked at the logs to see if there are any errors? That’ll get you started on seeing what the issue may be. Refer to the PBR documentation in the video description for additional guidance.
@diyer1190
@diyer1190 Месяц назад
@@DevOdyssey yes, since I upgraded to the latest version, 23.05.3, it works now. Thanks for your videos! Keep going
@DevOdyssey
@DevOdyssey Месяц назад
@@diyer1190 Great to hear it's working, appreciate the follow-up. Thanks for the support, it really does help.
@emmanuelessien8174
@emmanuelessien8174 Месяц назад
I have an OpenWrt router on which I have installed OpenVPN, and it is connecting and working very well, but I do have a problem. All my devices connected to my LAN port and wireless are showing one VPN IP address, which is not good. I want each device that is connected to my router LAN and VLAN to have a different VPN IP address. I hope you understand what I want to achieve.
@DevOdyssey
@DevOdyssey Месяц назад
Thanks for watching @emmanuelessien8184. Can you explain a bit more of what you’re trying to achieve? By VPN IP address, do you mean a public VPN endpoint that you pay for access to? If you want that, then you’ll need to pay for enough access to cover all your devices and set up separate tunnels for each of them to use. This comment would probably be better suited to the policy based routing video I did, where I see you wrote this same comment too, if I’m understanding you correctly. If so, you should follow that video but create separate tunnels for each of them and policy route each of those LAN devices to a different VPN interface.
@emmanuelessien8174
@emmanuelessien8174 Месяц назад
@@DevOdyssey I have 30 servers with 300 VMs on them, and each of the servers will be using different VPN locations and IP addresses.
@DevOdyssey
@DevOdyssey Месяц назад
@emmanuelessien8174 given what you described, it sounds like it’s what I expected. Given that, if they all require a different VPN IP / location, then you must set up the individual VMs with their own VPN software (WireGuard or OpenVPN client) or do the same thing on the firewall, but that means you’d have 300 interfaces, one for each VPN connection. You’re probably better off setting up each VM with its own VPN client, so as not to deal with significant performance issues on the firewall / router due to so many interfaces in it.
@emmanuelessien8174
@emmanuelessien8174 Месяц назад
@@DevOdyssey I have tried it out and it's working using VLANs, but when I created up to 50 tunnels the router got stuck and LuCI shut down. I am using a Linksys WRT3200ACM. What might be the problem? Does OpenWrt have a limit on the number of tunnels and VPNs? What is your advice? Thank you
@emmanuelessien8174
@emmanuelessien8174 Месяц назад
@@DevOdyssey what is the maximum number of firewalls? It breaks at 50. What do you advise?
@emmanuelessien8174
@emmanuelessien8174 Месяц назад
I have an OpenWrt router on which I have installed OpenVPN, and it is connecting and working very well, but I do have a problem. All my devices connected to my LAN port and wireless are showing one VPN IP address, which is not good. I want each device that is connected to my router LAN and VLAN to have a different VPN IP address. I hope you understand what I want to achieve.
@DevOdyssey
@DevOdyssey Месяц назад
Hi @emmanuelessien8184, thanks for watching. I replied to your comment on my OpenVPN video, but I’ll repeat the relevant part here. If you want each LAN device to have a different VPN public IP, then you’ll need to pay for enough access to cover all your devices and set up separate tunnels for each of them to use. You should follow this video and create separate tunnels for each LAN device and policy route each of those LAN devices to a different VPN interface.
@amir-jg4zy
@amir-jg4zy Месяц назад
Thank you for covering file transfer speeds; it was the essential info I needed to make a decision on which model to buy. No other reviewer covered this.
@DevOdyssey
@DevOdyssey Месяц назад
You're welcome @amir-jg4zy! I figured I'd cover the most common use cases, and file shares are definitely one of them. It's definitely helpful to know what version of SMB comes out of the box, not only for security's sake, but also for speed. Let alone, it's nice to actually see what file transfer speeds the CPU can handle. Ping tests and good old speedtest in and of themselves won't tell you the speed of file transfers, so it definitely needs its own separate testing. Glad I could help you make the decision that's right for you.
@almanduku9043
@almanduku9043 Месяц назад
Nice explanation 👍🏻👍🏻👍🏻
@DevOdyssey
@DevOdyssey Месяц назад
Thanks @almanduku9043! I appreciate the feedback 😊
@arunkhan4951
@arunkhan4951 2 месяца назад
What is the need to flash the sysupgrade image when you have already flashed the *full* factory image? I flash the router with a full factory image (OpenWrt) when I am switching the device from Netgear's firmware to an OpenWrt firmware. Thanks for the "jffs2reset" hint.
@DevOdyssey
@DevOdyssey Месяц назад
Thanks for watching @arunkhan4951! There shouldn't be a need to perform a sysupgrade immediately after you have flashed the full factory image. This was just to show you how to perform an upgrade to a newer version of OpenWrt once you are already on OpenWrt, and particularly a lower version.
@vanhoeppen
@vanhoeppen 2 месяца назад
What reason could there be that, after the VPN correctly handshakes, my public IP stays the same? The gateway metric is much lower on the VPN than on the WAN interface, but still my public IP is the one from my ISP. Help would be appreciated!
@DevOdyssey
@DevOdyssey Месяц назад
Thanks for watching @vanhoeppen! When I read this, it sounds to me like your traffic is not being routed through the tunnel. When you look at the TX and RX traffic for the WireGuard interface, do you notice it increasing normally, or is it barely increasing? Given your gateway metrics, it should prioritize the VPN gateway. Can you check your route table and make sure the default route is set to the WireGuard VPN interface / IP? You can also try running a curl command and specify the WireGuard interface within your command; that should help you verify whether traffic can go through that interface.
@vanhoeppen
@vanhoeppen Месяц назад
Wow! It is a rare thing to have a YT creator actually answer a comment/question! Much appreciated, good Sir! Thanks! Alright. Sadly the traffic count of the VPN interface does not change anymore after some initial MBs directly after configuration. Also, I get a handshake confirmation in the WireGuard status section. But that's it. Please, I cannot for the life of me find the default route setting! Where is this?
@DevOdyssey
@DevOdyssey Месяц назад
@vanhoeppen you’re welcome! I try my best to respond to everyone, and while it takes a lot of effort, your appreciation is felt and admired! So it does seem like it’s a routing issue. You can find your routes by logging in over SSH and simply typing in the “route” command. That will spit out all your routes, including the default one, which will be at the top, and it should show you if this default route is the VPN. If it’s not, then you can go back to your VPN peer configuration and tick the “Route Allowed IPs” box. I did this in the video and it should work, but if for some reason it doesn’t, you’d have to create that route manually. But you don’t want it in there twice (it shouldn’t even work if you tried), so first make sure this is the situation. If so, then create the route using the route command. Googling it should help you get the proper command and switches. Be cautious here, since if you do the route wrong you can basically cut off internet access, so you’ll want to know how to delete the route too, just in case it doesn’t work.
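A quick way to do the routing check from the reply above in a repeatable form. This is an added example, not code from the video, from the channel author or from OpenWrt: it parses the output of `ip route` (busybox ships it on OpenWrt alongside `route`), reports which interface owns the default route the kernel will actually pick when both the WAN and the WireGuard interface have one (lowest metric wins), and wraps the curl-bound-to-an-interface probe. The interface names (wg0, eth1, br-lan), the addresses and the two sample route tables are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the video or from OpenWrt: find out which interface
# really owns the default route, and probe egress through the tunnel.
# Interface names (wg0, eth1, br-lan) and addresses are assumptions.

# Print the device of the default route the kernel will actually use: the
# one with the lowest metric (a route without "metric" counts as 0). Two
# default routes, WAN and WireGuard, can coexist; the metric decides.
# On the router run:  ip route | active_default_dev
active_default_dev() {
  awk '$1 == "default" {
         dev = ""; metric = 0
         for (i = 1; i <= NF; i++) {
           if ($i == "dev")    dev = $(i + 1)
           if ($i == "metric") metric = $(i + 1) + 0
         }
         if (best == "" || metric < bestm) { best = dev; bestm = metric }
       }
       END { if (best != "") print best }'
}

# Return 0 only if the active default route goes through the given interface.
# Usage:  ip route | default_route_is wg0 && echo "tunnel is the default"
default_route_is() {
  [ "$(active_default_dev)" = "$1" ]
}

# Ask a public IP echo service while forcing curl out of one interface. If
# this fails or hangs for wg0 but works for the WAN device, the tunnel is not
# passing traffic even though the handshake completed. Needs network access.
egress_ip_via() {
  curl --silent --max-time 10 --interface "$1" https://ifconfig.me
}

# Constructed samples of `ip route` output (not captured from a real box).
# 1) Handshake done, but the ISP link still holds the only default route.
SAMPLE_WAN_ONLY='default via 203.0.113.1 dev eth1 proto static src 203.0.113.50
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.50'

# 2) "Route Allowed IPs" applied with 0.0.0.0/0 and a lower metric than WAN.
SAMPLE_BOTH='default dev wg0 proto static scope link metric 5
default via 203.0.113.1 dev eth1 proto static src 203.0.113.50 metric 10
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.50'

# Stand-alone run: show what each sample would mean on a real router.
for s in "$SAMPLE_WAN_ONLY" "$SAMPLE_BOTH"; do
  echo "active default route goes out: $(printf '%s\n' "$s" | active_default_dev)"
done
```

If the first shape is what you see (handshake fine, default route still on the WAN device), the tunnel's Allowed IPs never produced a default route; that is the "Route Allowed IPs" step from the video. If you see the second shape but the WireGuard default has the higher metric, the ISP link still wins, which matches the symptom in the question even though the handshake succeeds.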
@chrisboxsell4981
@chrisboxsell4981 2 месяца назад
I am a robot
@DevOdyssey
@DevOdyssey Месяц назад
You got me 😂
@stricken5tein
@stricken5tein 2 месяца назад
why is it necessary to create a separate LAN interface in addition to the VLAN interface?
@DevOdyssey
@DevOdyssey 2 месяца назад
Thanks for watching @stricken5tein! It's not necessary, and you can use the LAN already on OPNsense by default. I simply made it to kind of start from scratch, and have a separate interface for this configuration. This was my way of making sure that if I messed something up on my new, second LAN or VLAN, I still had the default LAN I could use to access the web GUI.
@DougLiebig
@DougLiebig 2 месяца назад
Hello @DevOdyssey, I watched this video and am wondering why the laptop pulled a DHCP address from the VLAN instead of the 192.168.100.0 subnet assigned to the interface itself? I am really interested in the answer to this question.
@DevOdyssey
@DevOdyssey 2 месяца назад
Thanks for watching @DougLiebig! That's a great question. So in a prior video, I made a Raspberry Pi managed switch using OpenWrt, and took that opportunity to talk about VLANs. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-d3aYMqt-b_c.html So prior to this video, I simply created the VLAN config on the switch, tagged it on the port connecting the OPNsense PC and the RPi, and untagged this VLAN (150) on the switch, specifically on the port that I connect to my computer. So once I connected my Mac to the Raspberry Pi, it received VLAN 150. Additionally, if you're curious, you can do this without the Raspberry Pi switch. You should be able to configure VLANs on macOS, and likely on Windows and Linux, though I haven't tried it there. Then you can simply drop into the VLAN by directly connecting to the OPNsense PC, just as if you were connecting to the RPi switch in this video.
@redblue4962
@redblue4962 2 месяца назад
Hello and sorry, for I am about to ask a dumb question 😢 what happens if I delete all the default firewall rules on openwrt?
@DevOdyssey
@DevOdyssey 2 месяца назад
Thanks for watching @redblue4962! Don't apologize, it's not a dumb question at all, it's an interesting one. So from reading the defaults and your question, your internet should still work, if you've already connected to it. If not, then it might fail to work for IPv6 traffic, and it might not get a new IP address. Honestly, I'm still not well versed in IGMP and ISAKMP, so I'm not sure what the implications are there. It doesn't seem like there is a default "allow outbound" rule, as it seems to implicitly allow outbound traffic unless you block it, so I don't think you'd block yourself from reaching the internet. So I definitely wouldn't do it without knowing what each rule exactly does, but it doesn't seem to be catastrophic. Oh, and you won't be able to ping your router from the internet, which isn't exactly a bad thing, and from a security sense, can be beneficial.
@user-lv3iw8vd1d
@user-lv3iw8vd1d 2 месяца назад
Are you serious???? These days the real threat is traffic going out of your network. All the spying that Google and Microsoft, to name a few, are doing on you, whether you are logged in at work or at home. There is no mention and most likely no way to block outgoing traffic to particular domains in your software, because the companies benefiting from the spying also sponsor this channel, the software and the people making money from it, to provide content. Not buying it, waste of time.
@DevOdyssey
@DevOdyssey 2 месяца назад
Thanks for watching @user-lv3iw8vd1d! That's definitely the truth, and a point I emphasize in this video. No outbound rules means any traffic can leave on any port. But to your point, the services we use online, mostly HTTPS (TCP) on port 443, are where we willingly send most of our data out from, and where we are being spied on. You sure can block the traffic that is being used to spy on you, but the consequence of that is you can't use the internet. Blocking particular domains and doing "Layer 7" application-type blocks is outside the scope of this video, but it's possible if you use the OPNsense Sensei plugin from ZenArmor. Anyone who uses Google products, particularly here RU-vid, knows they are obtaining and using the data they send them, whether you create content or consume it on their platform(s). OPNsense is an open source firewall project that does not have any relation to Google or other major software companies, and they certainly aren't spying on you. You can go ahead and look at their source code for yourself. If you are really concerned about spying, your best bet is to simply not use the internet in any capacity.
@electron_ij
@electron_ij 2 месяца назад
Thanks for the tutorial, I want to add a Realtek WiFi key, but I can't always do it.
@DevOdyssey
@DevOdyssey 2 месяца назад
Thanks for watching @electron_ij! Would you be able to explain more? It sounds like you're referring to a Realtek USB WiFi adapter. So long as you refer to OpenWrt's table of hardware to research which Realtek chipsets are supported, you should have enough information to see if you can use it. They have a good amount of information showing which WiFi chipsets are supported, so you can choose the right one that works for you.
@electron_ij
@electron_ij 2 месяца назад
@@DevOdyssey I want the exact procedure to add a WiFi dongle, for example a Realtek RTL8188, to use as an access point
@DevOdyssey
@DevOdyssey 2 месяца назад
@@electron_ij The procedure is effectively the same as with any WiFi radio, whether it's built in or a dongle. Simply install the right packages, which in the example you gave looks like it's openwrt.org/packages/pkgdata/rtl8188eu-firmware Once you have that installed, you can plug it in, and then you should have a WiFi radio in the Network -> Wireless section that you'd set up just like I did in the video.
@mrmartymac
@mrmartymac 2 месяца назад
My compliments on your format. I have watched several of your videos and find them helpful, and well thought out. I like your technique and presentation. Keep up the good work!
@DevOdyssey
@DevOdyssey 2 месяца назад
Thanks for watching @mrmartymac! It means a lot to hear these types of compliments, so thanks for taking the time to share it with me. Glad to hear my videos have been helpful. I try to create my content in such a way that would help me if I were learning it from scratch: following a step by step process with explanations for particular settings to provide contextual understanding. I find that I learn concepts best by implementing them in "real use cases". So while I'm creating a VLAN specifically in OPNsense, you can take the concepts here and create VLANs on any network hardware. Looking forward to creating more content in my personal style, especially since it involves me first learning this process, repeating it, and then scripting it out for a YouTube video (basically repeating the process at least 3 times). Appreciate having a fan like yourself!
@milleniuminc
@milleniuminc 2 месяца назад
@DevOdyssey Thank you for this amazing walkthrough! I got this working in the same conditions shown in the video. I'm wondering if this would work if I have multiple "Site B"s which I'm unable to set static IPs for and which are behind ISP-provided routers. I want to build a couple of plug-and-play OpenWrt Raspberry Pis that I can share with my friends out of town so they can access a media server in my home network as if it were in theirs. They don't have to reach each other, but Site A must be able to reach both "Site B" networks for serving media. Will it suffice to have only one peer (Site A) in those multiple "Site B"s? I'm also behind an ISP router, but I think I can set up something like DDNS and port-forward traffic from my ISP router to the RPi. Will this work?
@DevOdyssey
@DevOdyssey 2 месяца назад
Thanks for watching @milleniuminc! I really appreciate the compliment. Glad you were able to follow along and get it working! In regards to your question, yes, you can have "multiple Site B's". While they're referred to as Site to Site, it can really be site to site to site and so on. For where you do not have static IPs, those "sites" will need to use dynamic DNS. Now if these sites don't have public IP addresses you control, then you will need to use persistent keepalive when behind that site. With regards to who needs to reach where, so long as your "Allowed IPs" in the Site configuration (i.e. Site A as a peer for Site B) are reflective of Site A's IPs, then it should work. In particular, you only really need the IP address of the media server in that configuration. This would effectively only make it possible for your friends to reach your media server over the site to site VPN. In addition, you'll want to ensure there are no firewall rules blocking the connection, but if they are using consumer grade routers, then there probably aren't. Keep in mind here that if your friends have the same local IPs, you will want them (or yourself) to "Re-IP" their (your) network to a different subnet, so they can reach your media server in "Site A". In my explanation above, I refer to your home network as Site A, and your friends as Site B, just for clarity. So yes, it would suffice to only have one Site A (as a peer) in those Site B configurations. Even though you are behind an ISP router, so long as you can port forward and do dynamic DNS, as you stated, you should be able to get it working, where your friends can reach your media server, but not necessarily each other.
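The hub-and-spoke layout described in the question and answer above, written out as an added example; this is not code from the video, the channel author or the WireGuard/OpenWrt projects. It generates wg-quick style configs for one hub (Site A, reachable through DDNS and a port forward on the ISP router) and any number of spokes (the "Site B"s behind ISP routers), and it checks up front that no spoke LAN collides with Site A's LAN or with another spoke, which is the "Re-IP" case from the reply. The subnets, the DDNS hostname, the tunnel addresses and every `<..._KEY>` string are placeholders; generate real keys with `wg genkey | tee private | wg pubkey` on each box.

```shell
#!/bin/sh
# Added example, not code from the video or from the WireGuard/OpenWrt projects:
# build the hub-and-spoke configuration from the thread, one hub (Site A)
# and any number of spokes (Site B1, B2, ...) behind ISP routers. Subnets,
# the DDNS name and the <..._KEY> strings are placeholders, not real keys.

SITE_A_LAN=192.168.10.0/24
MEDIA_SERVER=192.168.10.50                  # the only Site A host spokes may reach
SITE_A_ENDPOINT=sitea.example.net:51820     # DDNS name forwarded by the ISP router
# One spoke per line: name  LAN-subnet  public-key (constructed list)
SPOKES='siteB1 192.168.20.0/24 <SITE_B1_PUBLIC_KEY>
siteB2 192.168.30.0/24 <SITE_B2_PUBLIC_KEY>'

# network ADDR PREFIX: the network address of ADDR at PREFIX bits,
# computed per octet so it only ever needs small integers.
network() {
  addr=$1; prefix=$2; out=""; k=0
  for o in $(printf '%s' "$addr" | tr '.' ' '); do
    bits=$((prefix - 8 * k))
    [ "$bits" -gt 8 ] && bits=8
    [ "$bits" -lt 0 ] && bits=0
    step=$((1 << (8 - bits)))
    out="${out}${out:+.}$(( (o / step) * step ))"
    k=$((k + 1))
  done
  printf '%s\n' "$out"
}

# overlaps A/P B/Q: succeed if the two prefixes share any address.
overlaps() {
  a=${1%/*}; pa=${1#*/}; b=${2%/*}; pb=${2#*/}
  p=$pa; [ "$pb" -lt "$p" ] && p=$pb
  [ "$(network "$a" "$p")" = "$(network "$b" "$p")" ]
}

# Every spoke LAN must differ from Site A's LAN and from each other,
# otherwise a spoke cannot route to the media server ("Re-IP" in the thread).
check_subnets() {
  rc=0
  set -- $SITE_A_LAN $(printf '%s\n' "$SPOKES" | awk '{ print $2 }')
  while [ $# -gt 1 ]; do
    first=$1; shift
    for other in "$@"; do
      if overlaps "$first" "$other"; then
        echo "subnet overlap: $first and $other, re-IP one of them" >&2
        rc=1
      fi
    done
  done
  return $rc
}

# Hub config: one [Peer] per spoke, no Endpoint (spokes dial in), AllowedIPs
# covering that spoke's LAN and its tunnel address so replies route back.
hub_config() {
  printf '[Interface]\nAddress = 10.100.0.1/24\nListenPort = 51820\n'
  printf 'PrivateKey = <SITE_A_PRIVATE_KEY>\n'
  i=1
  printf '%s\n' "$SPOKES" | while read -r name subnet pubkey; do
    i=$((i + 1))
    printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s, 10.100.0.%d/32\n' \
      "$name" "$pubkey" "$subnet" "$i"
  done
}

# Spoke config: Site A is the only peer; AllowedIPs is just the media server
# plus the hub's tunnel address, so spokes see nothing else at Site A and
# never learn a route to each other. PersistentKeepalive keeps the ISP NAT
# mapping open so the hub can still reach a spoke that has no public IP.
spoke_config() {
  name=$1; idx=$2
  printf '[Interface]\nAddress = 10.100.0.%d/24\nPrivateKey = <%s_PRIVATE_KEY>\n\n' "$idx" "$name"
  printf '[Peer]\nPublicKey = <SITE_A_PUBLIC_KEY>\nEndpoint = %s\n' "$SITE_A_ENDPOINT"
  printf 'AllowedIPs = %s/32, 10.100.0.1/32\nPersistentKeepalive = 25\n' "$MEDIA_SERVER"
}

# Stand-alone run: refuse to emit configs if the subnets collide.
if check_subnets; then
  hub_config
  echo; echo "---- siteB1 ----"; spoke_config siteB1 2
fi
```

In LuCI these are the same fields the video fills in per peer (Public Key, Allowed IPs, Endpoint Host and Port, Persistent Keep Alive, and Route Allowed IPs on the spoke so the media server route is installed); in UCI they are the peer section's `public_key`, `allowed_ips`, `endpoint_host`, `endpoint_port`, `persistent_keepalive` and `route_allowed_ips` options. The asymmetry is the point: the hub lists every spoke's LAN, each spoke lists only the one host it is allowed to reach.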