Created by Frank Horowitz
Start with a clean install of OpenWRT.
After LuCI is up, DO NOT configure wifi. Do NOT install WireGuard yet. Install Travelmate next. That's the only way I could figure out to make it actually work.
Travelmate documentation is here: <https://github.com/openwrt/packages/blob/master/net/travelmate/files/README.md>
Travelmate support thread is here: <https://forum.openwrt.org/t/travelmate-support-thread/5155/21>
Make sure the prerequisites are satisfied (iwinfo, etc.) as per the documentation.
Install luci-app-travelmate (it should pull in the main dependencies).
Set up **one** AP using the normal LuCI interface (not Travelmate).
I like to use the 2.4 GHz band at very low power. The theory is that the main WWAN backhaul will be less congested on a 5 GHz channel. Experience will tell whether that holds up in a hotel situation. The obvious thing of setting up a second AP on the other band did not work for my GL-AR750. That may be due to a single radio not supporting simultaneous AP and STA or something, but in any event I haven't chased it down.
Dealing with the AP and STA being on different channels is also somewhat of a mystery at the moment. Perhaps that's confounding the "AP on the same radio as the STA" issue?
Use Travelmate to configure the WWAN STAs. Travelmate scans for signals in its "Wireless Stations" panel and allows you to connect. There is a scriptable captive-portal facility, but that looks to be for more permanent things than I want to deal with when I'm tired, setting things up for a few nights in a hotel, and just want to get connected to the net.
I haven't figured out how to deal with the VPN and captive-portal stuff yet, but I **THINK** you simply need to change the firewall to point to the WAN zone instead of the WG zone to let the captive portal do its thing. Once the MAC address of your travel router is known to the WWAN, that *should* be enough to let the whole mess work.
Then reconfigure the firewall to use WG.
Getting DNS through wg was a bit hit-and-miss. My current config (as of 13 November 2019) for Travelo appears to be working.
Just for reference, most of the instructions for getting WG installed on OpenWRT were the obvious modifications, for my Algo setup, of these instructions: <https://www.azirevpn.com/support/guides/router/openwrt/wireguard>.
I'm glad I took the time to figure this out before trying it out live. I am somewhat dubious about being able to go to arbitrary captive portals because I had some funky thing going on when I tried the campus wifi setup. But maybe that was all misconfiguration that has since been massaged out.
Some config files from my travel router, with sensitive values replaced with the text REDACTED.
The travelmate config:

```
config travelmate 'global'
	option trm_captive '1'          # detect captive portals on the uplink
	option trm_proactive '1'        # keep scanning for a higher-priority uplink while connected
	option trm_netcheck '0'
	option trm_autoadd '0'          # never add open uplinks automatically; every STA is added by hand
	option trm_iface 'trm_wwan'     # the uplink interface, a member of the 'wan' firewall zone
	option trm_triggerdelay '2'
	option trm_debug '0'
	option trm_maxretry '5'         # connection attempts per uplink before moving on
	option trm_listexpiry '0'       # scan list never expires
	option trm_minquality '35'      # minimum signal quality (%) for an uplink candidate
	option trm_maxwait '30'
	option trm_timeout '60'
	option trm_rtfile '/tmp/trm_runtime.json'
	option trm_enabled '1'
```
The wireless config:

```
# radio0 (5 GHz) carries the STA uplinks; radio1 (2.4 GHz) carries the room AP.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option txpower '7'
	option htmode 'VHT20'
	option channel '44'             # a STA on this radio follows the uplink AP's channel
	option country 'US'

# 5 GHz AP, left disabled (see the notes above on AP+STA on one radio)
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'BC5Test'
	option wpa_disable_eapol_key_retries '1'   # KRACK mitigation: no EAPOL key retransmissions
	option key 'REDACTED'
	option encryption 'psk2'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/qca953x_wmac'
	option htmode 'HT20'
	option disabled '0'
	option txpower '9'              # low power on purpose: the AP only has to cover the room

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'BCTest'
	option wpa_disable_eapol_key_retries '1'
	option key 'REDACTED'
	option encryption 'psk2'

# open campus uplink: nothing leaving the router is protected until the wg tunnel is up
config wifi-iface 'radio0_RedRover_'
	option network 'trm_wwan'
	option device 'radio0'
	option mode 'sta'
	option ssid 'RedRover'
	option encryption 'none'
	option disabled '0'

config wifi-iface 'radio0_BC5_'
	option network 'trm_wwan'
	option device 'radio0'
	option mode 'sta'
	option ssid 'BC5'
	option key 'REDACTED'
	option encryption 'psk2'
	option disabled '1'
```
The network config:

```
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.42.1'

# wired WAN: only the Algo resolver is used, the upstream's DHCP-supplied DNS is ignored
config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	list dns '172.16.0.1'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

# Travelmate's uplink. Without peerdns '0' the hotel's DHCP resolvers are added to the
# router's resolver list next to 172.16.0.1 (needed for captive-portal login, but a
# DNS leak path once the tunnel is up).
config interface 'trm_wwan'
	option proto 'dhcp'

# the Algo server as the single WireGuard peer
config wireguard_wg
	option public_key 'REDACTED'
	option description 'algoNewYul'
	option endpoint_port '51820'
	option endpoint_host 'REDACTED'
	option route_allowed_ips '1'    # with 0.0.0.0/0 below this installs the default route through the tunnel
	list allowed_ips '0.0.0.0/0'    # IPv4 only: no ::/0, so any IPv6 the uplink hands out bypasses the tunnel
	option persistent_keepalive '25'   # keeps the NAT mapping on the hotel network alive

config interface 'wg'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '51820'
	list addresses '10.19.49.7/24'
	list dns '172.16.0.1'           # Algo's resolver, reachable only through the tunnel
```
The firewall config:

```
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# the hotel/campus uplink (trm_wwan) is treated exactly like the untrusted wired WAN
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 trm_wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two rules below are inherited OpenWRT defaults. They forward unsolicited ESP and
# IKE (UDP 500) from the untrusted uplink into the LAN; a travel router with no IPsec
# endpoint behind it does not need them.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# Forwards UDP 51820->51820 between any two zones. Not needed for the router's own
# outbound tunnel: the router initiates the handshake (output is ACCEPT) and the
# replies match conntrack.
config rule
	option src_port '51820'
	option name 'wireguard'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '51820'
	option proto 'udp'
	option dest '*'
	option src '*'

# LAN traffic is NATed into the tunnel; nothing is accepted from the tunnel side.
config zone
	option name 'wg'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'
	option network 'wg'

# The only egress for lan. There is deliberately no lan->wan forwarding, so the tunnel
# acts as a kill switch; for captive-portal login the forwarding is pointed at wan
# temporarily (see the notes above) and then back at wg.
config forwarding
	option dest 'wg'
	option src 'lan'

# explicit allow for DNS to the Algo resolver over the tunnel; the client source port is
# left unrestricted because clients use ephemeral source ports, not 53
config rule
	option src 'lan'
	option name 'AllowDnsViaWireguard'
	option dest 'wg'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_ip '172.16.0.1'
	option dest_port '53'
```
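The captive-portal dance above (pointing lan at the wan zone, then back at wg) and the firewall config itself are easy to get subtly wrong: fw3 skips a forwarding that names a zone which does not exist without complaining, and a lan->wan forwarding that is forgotten after the hotel login quietly turns the kill switch off. The following is an added example, not code from this snippet, Travelmate or OpenWRT: a small Python audit that parses the UCI file format and reports which zones the lan zone can forward into. The two sample configs are constructed for the example (modeled on the firewall config above, with one stale forwarding to a zone named `wgzone` planted so the check fires); the zone names `lan`, `wg` and `wan` are this page's and are parameters of `audit_firewall`.

```python
"""Kill-switch audit for an OpenWRT /etc/config/firewall (UCI text format).
Added example for this page; not code from the snippet's author, Travelmate or
OpenWRT.  Zone names are parameters; 'lan', 'wg' and 'wan' are this page's names."""
import shlex


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}, ...]; 'list' entries
    become Python lists, '#' comments are skipped, quoting follows shell rules."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config" and args:
            name = args[1] if len(args) > 1 else None    # None = anonymous section
            sections.append({"type": args[0], "name": name, "options": {}})
        elif kw in ("option", "list") and args and sections:
            key, value = args[0], (args[1] if len(args) > 1 else "")
            opts = sections[-1]["options"]
            if kw == "option":
                opts[key] = value
            else:
                opts.setdefault(key, [])
                if not isinstance(opts[key], list):      # 'list' after 'option': promote
                    opts[key] = [opts[key]]
                opts[key].append(value)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def audit_firewall(text, lan="lan", vpn="wg", untrusted="wan"):
    """mode: 'vpn' (lan leaves only via the tunnel zone), 'portal' (lan can also
    reach the untrusted uplink zone, as during captive-portal login) or 'isolated'.
    fw3 silently skips forwardings and rules that name undefined zones."""
    sections = parse_uci(text)
    zones = {s["options"].get("name") for s in sections if s["type"] == "zone"}
    problems, egress = [], set()
    for s in sections:
        o = s["options"]
        if s["type"] == "forwarding":
            src, dest = o.get("src"), o.get("dest")
            missing = [z for z in (src, dest) if z not in zones]
            if missing:
                problems.append(f"forwarding {src}->{dest}: undefined zone(s) "
                                f"{missing}, fw3 will skip it")
            elif src == lan:
                egress.add(dest)
        elif s["type"] == "rule":
            name = o.get("name") or s["name"] or "<anonymous>"
            src, dest = o.get("src"), o.get("dest")
            for z in (src, dest):
                if z not in (None, "*") and z not in zones:
                    problems.append(f"rule {name}: undefined zone {z!r}")
            # An unrestricted ACCEPT out of lan is an egress path too; rules
            # limited to a destination port do not change the mode.
            if src == lan and dest and o.get("target") == "ACCEPT" and "dest_port" not in o:
                egress.update(zones - {lan} if dest == "*" else {dest} & zones)
            if "src_port" in o and "dest_port" in o:
                problems.append(f"rule {name}: src_port {o['src_port']} only matches "
                                "clients sending from that port (they use ephemeral ports)")
    mode = "portal" if untrusted in egress else "vpn" if vpn in egress else "isolated"
    return {"mode": mode, "lan_egress": sorted(egress), "problems": problems}


# Constructed sample modeled on the page's firewall config (not a verbatim copy):
# three zones, one stale forwarding to a zone that does not exist, the real
# lan->wg forwarding, and a DNS rule pinned to a client source port.
SAMPLE_VPN = """
config zone
    option name 'lan'
    option network 'lan'
config zone
    option name 'wan'
    option masq '1'
    option network 'wan wan6 trm_wwan'
config zone
    option name 'wg'
    option masq '1'
    option network 'wg'
config forwarding   # stale: the zone is called 'wg', not 'wgzone'
    option src 'lan'
    option dest 'wgzone'
config forwarding
    option src 'lan'
    option dest 'wg'
config rule
    option name 'AllowDnsViaWireguard'
    option src 'lan'
    option dest 'wg'
    option src_port '53'
    option dest_port '53'
    option target 'ACCEPT'
"""

# The same config after the captive-portal step: lan may also forward to wan.
SAMPLE_PORTAL = SAMPLE_VPN + "config forwarding\n    option src 'lan'\n    option dest 'wan'\n"

if __name__ == "__main__":
    for label, cfg in (("vpn-only", SAMPLE_VPN), ("captive-portal", SAMPLE_PORTAL)):
        report = audit_firewall(cfg)
        print(f"{label}: mode={report['mode']} lan_egress={report['lan_egress']}")
        for problem in report["problems"]:
            print("  !", problem)
```

To run it against a real router, copy `/etc/config/firewall` off the box with scp and call `audit_firewall(open(path).read())`; a result of `portal` after you have finished with the hotel login means the lan->wan forwarding is still in place.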
Comments (2)
DHCP is also set to disable rebind protection.
Another fine point is that 172.16.0.1 is a dns-crypt (or maybe it’s an unbound) server deployed by Algo on my remote VPN server. You might need to fiddle things to get that to work for you.