From: Erich T. <eri...@th...> - 2026-03-31 10:54:13
Hi Mark,

On 31.03.2026 at 02:10, LEAF wrote:
> Hi ET,
>
> This is going to be a bit more than a "Why do I want this" and more a
> how did I get to wanting this.
>
> I found this thread on the leaf-user mail list:
>
> Re: [leaf-user] wireguard and shorewall From: John S. <jo...@sa...> -
> 2020-12-05 13:02:01 with some back and forth with KP

Mhhh... I have not seen this. Basically my own setup works without any additional quirks.

....

> So resolvconf is happy, but we have a bunch of missing modules that
> appear to not be able to be loaded by modprobe.
> Probably because the modules are a squashfs now and need to be added
> with /usr/sbin/mount_modules before modprobe or installed via /usr/sbin/
> install_modules. I don't know how to make modprobe do this automatically.

modprobe will not do this. I _believe_ most of the modules are loaded when you start shorewall, which itself calls mount_modules/umount_modules to make the modules available.

>
> So by a process of elimination I put all the needed module names in
> the /etc/modules:
>
> # IP tables for wireguard
> #
>
> # Common IPV4 and IPV6
> x_tables
> xt_connmark
> xt_comment
> xt_mark
> xt_addrtype
> nf_conntrack
> nf_defrag_ipv4
> nf_defrag_ipv6
> libcrc32c
>
> # IPV4
> #
> ip_tables
> iptable_raw
> iptable_filter
> iptable_mangle
>
> # IPV6
> #
> ip6_tables
> ip6table_raw
> ip6table_filter
> ip6table_mangle
>
> But I'm thinking there must be an easier way, that I just don't know yet.

I _guess_ in the "standard" setup LEAF is using shorewall as its iptables setup utility. If your installation does not use this you may have to install the kernel modules yourself. Your method of adding them to /etc/modules might be inconvenient but is most intuitive.

>
> Which finally gives me:
>
> router# /etc/init.d/wireguard restart
> Stopping wireguard VPN server on interface wg0
> [#] ip -4 rule delete table 51820
> [#] ip -4 rule delete table main suppress_prefixlength 0
> [#] ip -6 rule delete table 51820
> [#] ip -6 rule delete table main suppress_prefixlength 0
> [#] ip link delete dev wg0
> [#] resolvconf -d wg0 -f
> [#] iptables-restore -n
> [#] ip6tables-restore -n
> Starting wireguard VPN server on interface wg0
> [#] ip link add wg0 type wireguard
> [#] wg setconf wg0 /dev/fd/63
> [#] ip -4 address add 10.2.0.2/32 dev wg0
> RTNETLINK answers: Network is unreachable
> [#] ip link set mtu 1420 up dev wg0
> [#] resolvconf -a wg0 -m 0 -x
> [#] wg set wg0 fwmark 51820
> [#] ip -6 route add ::/0 dev wg0 table 51820
> [#] ip -6 rule add not fwmark 51820 table 51820
> [#] ip -6 rule add table main suppress_prefixlength 0
> [#] ip6tables-restore -n
> [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
> [#] ip -4 rule add not fwmark 51820 table 51820
> [#] ip -4 rule add table main suppress_prefixlength 0
> [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
> [#] iptables-restore -n
>
> and resolv.conf is automatically updated:
>
> # Generated by resolvconf
> # Included file /etc/resolv.conf.head starts here
> # Included file /etc/resolv.conf.head ends here
> nameserver 10.2.0.1
> # Included file /etc/resolv.conf.tail starts here
> # Included file /etc/resolv.conf.tail ends here
>
> I just need to connect the VM back to the internet via the CPE and make
> sure the VPN link works, then tackle the shorewall part of the equation.
> I currently have shorewall disabled from starting.
>

Look above, I somehow guessed it. I believe once you have shorewall up and running your troubles will just disappear.

> Hope this wasn't too drawn out,
> Mark
> ...

cheers
ET

--
"Whoever does not have two-thirds of his day for himself is a slave."
―Friedrich Nietzsche
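As an added example that is not part of the thread or of the LEAF project: a small POSIX shell check that takes an /etc/modules-style list like the one Mark posted and a /proc/modules listing, and prints the modules from the list that are not loaded. The sample inputs below are constructed here, and the /proc/modules snapshot is hypothetical; on a LEAF box the caveat from the thread still applies, namely that the modules squashfs has to be mounted (mount_modules) or the modules installed before modprobe can find them at all.

```shell
#!/bin/sh
# Added example for this thread, not LEAF project code: report which modules
# named in an /etc/modules-style list (one module per line, '#' comments,
# blank lines allowed) are not present in a /proc/modules listing.
# Both arguments are file paths, so the check also works against a saved
# snapshot of /proc/modules copied off the router.

# Usage: missing_modules MODULES_LIST PROC_MODULES
# Prints each missing module on its own line, in list order.
missing_modules() {
    list="$1"
    loaded="$2"
    # Drop comments and blank lines; /etc/modules permits "name [options]",
    # so keep only the first word of each remaining line.
    sed -e 's/#.*//' "$list" | awk 'NF { print $1 }' | while IFS= read -r mod; do
        # /proc/modules fields: name size refcount users state address
        if ! awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$loaded"; then
            printf '%s\n' "$mod"
        fi
    done
}

# Constructed sample inputs: a trimmed copy of the list from the thread and a
# hypothetical /proc/modules in which only the IPv4 filter stack is loaded.
demo_missing() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/modules" <<'EOF'
# IP tables for wireguard
#
# Common IPV4 and IPV6
x_tables
xt_connmark
nf_conntrack

# IPV4
ip_tables
iptable_filter
EOF
    cat > "$tmp/proc_modules" <<'EOF'
iptable_filter 16384 1 - Live 0x0000000000000000
ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
x_tables 49152 2 ip_tables,iptable_filter, Live 0x0000000000000000
EOF
    missing_modules "$tmp/modules" "$tmp/proc_modules"
    rm -rf "$tmp"
}

# Against a live system: missing_modules /etc/modules /proc/modules
demo_missing
```

On the router itself, run `missing_modules /etc/modules /proc/modules` once after starting shorewall to see what its mount_modules/modprobe pass did and did not load; an empty result means every module in the list is resident and the /etc/modules entries for those names are redundant.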