October 5, 2018

GL-iNet GL-AR750S-Ext mss clamping mtu_fix for Wireguard VPN

The GL-iNet routers include Wireguard VPN capabilities. Only a few issues needed to be resolved with some custom configuration: MTU, delivery of the local (internal) DNS server to clients, and DNS search domains. Below are resolutions to those issues using a GL-iNet GL-AR750S-Ext Slate router.

MTU fragmentation issues were experienced with MacBook Pro clients using the Slate router in repeater mode, attached to a motel Wi-Fi and tunneling to a Ubiquiti EdgeRouter. The solution adds MSS clamping to the wireguard zone of the firewall: in the OpenWrt firewall, mtu_fix='1' on a zone clamps the TCP MSS of traffic forwarded through that zone to the path MTU, so clients behind the router stop sending segments that are too large for the tunnel.

After making the changes, make sure to get through the hotel captive portal before connecting the VPN from the web interface. Connect the VPN, then renew the DHCP lease on the client so it receives the new DNS settings. After use, disconnect the VPN from the web interface before powering down the router.

Be aware that these changes will most likely be lost with a router firmware/software update.

Add this line to the wireguard_add_firewall() function in the /etc/init.d/wireguard file
        uci set firewall.wireguard.mtu_fix='1'
wireguard_add_firewall()
.....
        #zone
        uci set firewall.wireguard='zone'
        uci set firewall.wireguard.name='wireguard'
        uci set firewall.wireguard.input='ACCEPT'
        uci set firewall.wireguard.forward='ACCEPT'
        uci set firewall.wireguard.output='ACCEPT'
        uci set firewall.wireguard.masq='1'
        uci set firewall.wireguard.device='wg0'
        # add the line below
        uci set firewall.wireguard.mtu_fix='1'

Another issue is the use of the internal DNS server after the tunnel is connected. Before the VPN is up the router needs external DNS so the clients can get through the hotel captive portal; after the tunnel is up the internal DNS server at the destination is required. Again the /etc/init.d/wireguard script must be modified so that dnsmasq's DHCP delivers the internal DNS server while the tunnel is connected and reverts to the external one when the tunnel is disconnected. The Wireguard web configuration page includes a "DNS" entry; use that for the local internal DNS server address. Only one address can be entered.

Add this line to the peers_func() function in /etc/init.d/wireguard
        uci add_list dhcp.lan.dhcp_option="6,$dns"
peers_func()
.....
        if [ "$dns" != "" ];then
            #mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
            echo -e "nameserver $dns" > /tmp/resolv.conf.vpn
            uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.vpn'
            # add the next line
            uci add_list dhcp.lan.dhcp_option="6,$dns"
            uci commit dhcp
            /etc/init.d/dnsmasq restart
        else

Another edit is required to remove the local DNS when the VPN is disconnected.

Add this line to the stop_service() function in /etc/init.d/wireguard
        uci del_list dhcp.lan.dhcp_option="6,$dns"

stop_service()
.....
        [ -f "/tmp/resolv.conf.vpn" ] && {
        rm -rf /tmp/resolv.conf.vpn
        uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
        # add the next line
        uci del_list dhcp.lan.dhcp_option="6,$dns"
        uci commit dhcp
        /etc/init.d/dnsmasq restart
        }
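The connect and disconnect edits above, folded into one script, as an added example that is not code from the GL-iNet firmware or the original post. It uses the same uci keys and the /tmp/resolv.conf.vpn and /tmp/resolv.conf.auto paths the page uses; the script name wg-dns.sh, the function names, the IPv4 check on the DNS value taken from the web form, and the del_list-before-add_list ordering (so a tunnel restarted without a clean stop does not accumulate duplicate option 6 entries) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the GL-iNet script): push the VPN's internal DNS
# server to LAN clients while the WireGuard tunnel is up and revert when
# it goes down. Mirrors the peers_func()/stop_service() edits on the page.

RESOLV_VPN="${RESOLV_VPN:-/tmp/resolv.conf.vpn}"
RESOLV_AUTO="${RESOLV_AUTO:-/tmp/resolv.conf.auto}"

# Accept only a dotted-quad IPv4 address. The value comes from the web
# form and is written into uci and resolv.conf, so reject anything else
# rather than pass it through.
wg_dns_is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Kept as a function so it can be overridden when testing off the router.
restart_dnsmasq() {
    if [ -x /etc/init.d/dnsmasq ]; then
        /etc/init.d/dnsmasq restart
    fi
}

# Tunnel up: point dnsmasq at the VPN resolver and hand that resolver to
# DHCP clients as option 6.
wg_dns_apply() {
    dns=$1
    if ! wg_dns_is_ipv4 "$dns"; then
        echo "wg_dns_apply: refusing DNS value '$dns'" >&2
        return 1
    fi
    printf 'nameserver %s\n' "$dns" > "$RESOLV_VPN"
    uci set 'dhcp.@dnsmasq[0].resolvfile='"$RESOLV_VPN"
    # del_list first so a repeated start does not leave duplicate entries
    # (removing a value that is not present is harmless here)
    uci del_list "dhcp.lan.dhcp_option=6,$dns" 2>/dev/null || true
    uci add_list "dhcp.lan.dhcp_option=6,$dns"
    uci commit dhcp
    restart_dnsmasq
}

# Tunnel down: restore the upstream resolver and withdraw option 6.
wg_dns_revert() {
    dns=$1
    rm -f "$RESOLV_VPN"
    uci set 'dhcp.@dnsmasq[0].resolvfile='"$RESOLV_AUTO"
    uci del_list "dhcp.lan.dhcp_option=6,$dns" 2>/dev/null || true
    uci commit dhcp
    restart_dnsmasq
}

# Usage on the router: ./wg-dns.sh up 10.0.0.53   or   ./wg-dns.sh down 10.0.0.53
case "${1:-}" in
    up)   wg_dns_apply "${2:-}" ;;
    down) wg_dns_revert "${2:-}" ;;
esac
```

Clients still need a DHCP lease renewal after each switch, as noted earlier, because option 6 is only delivered when the lease is issued or renewed.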

The final thing is to add DNS search domains for the clients. Unfortunately there is no way to make this vary per VPN configuration; it is set once in the DHCP configuration.

Add this line to the config dhcp 'lan' section of the /etc/config/dhcp file
        list dhcp_option '119,yourdomain.com,example.com'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'
        # add the next line
        list dhcp_option '119,yourdomain.com,example.com'

Updates

  • 2018-12-17

3 comments:

  1. You seem to know your way round openwrt configurations. Have you thought of split vpn using policy based routing? You can have 2 APs, one passthrough (captive portal registration) and one vpn.

  2. When you say add this line "list dhcp_option '119,yourdomain.com,example.com'" does that mean I add that line as it is, or should I replace yourdomain.com,example.com with actual dns server IPs like 8.8.8.8,8.8.4.4

    Replies
    1. It means a list of search domains, not dns server IPs. If you have your own domain such as 'mydomain.com' you would list it there. If you don't want to control the search list in /etc/resolv.conf you don't need to add that line.