Roo – Page 11 – Roo's View

OpenWRT – LuCI missing DHCP and DNS menu option

OpenWRT usually has a “DHCP and DNS” menu in the web UI (LuCI), it will also have “Hostnames” as well. Something was amiss with my setup, as the menu wasn’t showing up.

This menu is a web based view of the /etc/config/dhcp configuration file. I’ve got quite a bit of customization in this file and for the most part my network was behaving normally, so this was a bit of a puzzle for me. Why would most things be working as expected, but the LuCI web UI wasn’t?

My first inclination was to reboot things to see if this was something that turning it off and on again would resolve, nope that didn’t do it. Thankfully it wasn’t hard to search up a forum post that covered exactly this problem. The LuCI web UI will not show you the menu if the configuration file contains an error. This is easy to check with the CLI.

# uci show dhcp
uci: Parse error (invalid command) at line 156, byte 1

1 2	# uci show dhcp uci: Parse error (invalid command) at line 156, byte 1

Editing the file and going to that line made the problem obvious. I’d made an error when I was manually editing the file and had optino instead of option. Easy to fix.

One reboot later and my LuCI menu was back. Again, I find it very interesting that configuration items lower down in the file were working fine. I’m guessing that errors in the file don’t prevent it from skipping the error entries and parsing the ones that do work, this is pretty handy because it means a single error won’t cause things to be inoperable. It’d be nice if the web UI gave you some sort of easy to spot error indication vs. just removing menu items.

OpenWRT as a wireguard client

Previously I’ve written about running wireguard as a self hosted VPN. In this post I’ll cover how to connect a remote site back to your wireguard installation allowing that remote site to reach machines on your local (private) network. This is really no different than configuring a wireguard client on your phone or laptop, but by doing this on the router you build a network path that anyone on the remote network can use.

I should probably mention that there are other articles that cover a site-to-site configuration, where you have two wireguard enabled routers that extend your network across an internet link. While this is super cool, it wasn’t what I wanted for this use case. I would be remiss in not mentioning tailscale as an alternative if you want a site-to-site setup, it allows for the easy creation of a virtual network (mesh) between all of your devices.

In my case my IoT devices can all talk to my MQTT installation, and that communication not only allows the gathering of data from the devices, but offers a path to controlling the devices as well. What this means is that an IoT device at the remote site, if it can see the MQTT broker I host on my home server – will be controllable from my home network. Thus setting up a one way wireguard ‘client’ link is all I need.

I will assume that the publicly visible wireguard setup is based on the linuxserver.io/wireguard container. You’ll want to add a new peer configuration for the remote site. This should generate a peer_remote.conf file that should look something like:

[Interface]
Address = 10.13.13.4
PrivateKey = SECRETPRIVKEY=
ListenPort = 51820
DNS = 10.0.0.8

[Peer]
PublicKey = SECRETPUBKEY=
PresharedKey = SECRETPRESHARE=
Endpoint = mydomain.com:51820
AllowedIPs = 0.0.0.0/0, ::/0

[Interface]

Address = 10.13.13.4

PrivateKey = SECRETPRIVKEY=

ListenPort = 51820

DNS = 10.0.0.8

[Peer]

PublicKey = SECRETPUBKEY=

PresharedKey = SECRETPRESHARE=

Endpoint = mydomain.com:51820

AllowedIPs = 0.0.0.0/0, ::/0

This is the same conf file you’d grab and install into a wireguard client, but in our case we want to setup an OpenWRT router at a remote location to use this as it’s client configuration. The 10.13.13.x address is the default wireguard network for the linuxserver.io container.

I will assume that we’re on a recent version of OpenWRT (21.02 or above), as of this writing 23.03.2 is the latest stable release. As per the documentation page on setting up the client you’ll need to install some packages. This is easy to do via the cli.

# Install packages
opkg update
# 21.02 or above
opkg install wireguard-tools luci-app-wireguard luci-proto-wireguard

# Install packages

opkg update

# 21.02 or above

opkg install wireguard-tools luci-app-wireguard luci-proto-wireguard

Now there are some configuration parameters you need to setup (again in the cli, as we’re going to set some environment variables then use them later).

# Configuration parameters
WG_IF="wg0"
WG_SERV="mydomain.com"
WG_PORT="51820"
WG_ADDR="10.13.13.4/32"
WG_KEY="SECRETPRIVKEY="
WG_PSK="SECRETPRESHARE="
WG_PUB="SECRETPUBKEY="

# Configuration parameters

WG_IF="wg0"

WG_SERV="mydomain.com"

WG_PORT="51820"

WG_ADDR="10.13.13.4/32"

WG_KEY="SECRETPRIVKEY="

WG_PSK="SECRETPRESHARE="

WG_PUB="SECRETPUBKEY="

Now this is where I got stuck following the documentation. It wasn’t clear to me that the WG_ADDR value should be taken from the peer_remote.conf file as I’ve done above. I thought this was just another private network value to uniquely identify the new wg0 device I was creating on the OpenWRT router. Thankfully some kind folk on the OpenWRT forum helped point me down the right path to figure this out.

Obviously WG_SERV points at our existing wireguard installation, and the three secrets WG_KEY, WG_PSK, and WG_PUB all come from the same peer_remote.conf file. I do suspect that one of these might be allowed to be unique for the remote installation however, I know that this works – and I do not believe we are introducing any security issues.

At this point we have all the configuration we need, and can proceed to configure the firewall and network

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
 
# Add VPN peer
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci commit network
/etc/init.d/network restart

# Configure firewall

uci rename firewall.@zone[0]="lan"

uci rename firewall.@zone[1]="wan"

uci del_list firewall.wan.network="${WG_IF}"

uci add_list firewall.wan.network="${WG_IF}"

uci commit firewall

/etc/init.d/firewall restart

# Configure network

uci -q delete network.${WG_IF}

uci set network.${WG_IF}="interface"

uci set network.${WG_IF}.proto="wireguard"

uci set network.${WG_IF}.private_key="${WG_KEY}"

uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peer

uci -q delete network.wgserver

uci set network.wgserver="wireguard_${WG_IF}"

uci set network.wgserver.public_key="${WG_PUB}"

uci set network.wgserver.preshared_key="${WG_PSK}"

uci set network.wgserver.endpoint_host="${WG_SERV}"

uci set network.wgserver.endpoint_port="${WG_PORT}"

uci set network.wgserver.route_allowed_ips="1"

uci set network.wgserver.persistent_keepalive="25"

uci add_list network.wgserver.allowed_ips="0.0.0.0/0"

uci commit network

/etc/init.d/network restart

This sets up a full tunnel VPN configuration. If you want to permit a split-tunnel then we need to change one line in the above script.

uci add_list network.wgserver.allowed_ips="0.0.0.0/0"

1	uci add_list network.wgserver.allowed_ips="0.0.0.0/0"

The allowed_ips needs to change to specify the subnet you want to route over this wireguard connection.

One important note. You need to ensure that your home network and remote network do not have overlapping IP ranges. This would introduce confusion about where to route what. Let’s assume that the home network lives on 192.168.1.0/24 – we’d want to ensure that our remote network did not use that range so let’s assume we’ve configure the remote OpenWRT setup to use 192.168.4.0/24. By doing this – we make it easy to know which network we mean when we are routing packets around.

Thus if we wanted to only send traffic destined for the home network over the wireguard interface, we’d specify:

uci add_list network.wgserver.allowed_ips="192.168.1.0/24"

1	uci add_list network.wgserver.allowed_ips="192.168.1.0/24"

As another way of viewing this configuration, let’s go take a peek at the config files on the OpenWRT router.

/etc/config/network will have two new sections

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SECRETPRIVKEY='
	list addresses '10.13.13.4/32'

config wireguard_wg0 'wgserver'
	option public_key 'SECRETPUBKEY='
	option preshared_key 'SECRETPRESHARE='
	option endpoint_host 'mydomain.com'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.1.0/24'

config interface 'wg0'

option proto 'wireguard'

option private_key 'SECRETPRIVKEY='

list addresses '10.13.13.4/32'

config wireguard_wg0 'wgserver'

option public_key 'SECRETPUBKEY='

option preshared_key 'SECRETPRESHARE='

option endpoint_host 'mydomain.com'

option endpoint_port '51820'

option route_allowed_ips '1'

option persistent_keepalive '25'

list allowed_ips '192.168.1.0/24'

and the /etc/config/firewall will have one modified section

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone 'wan'

option name 'wan'

list network 'wan'

list network 'wan6'

list network 'wg0'

option input 'REJECT'

option output 'ACCEPT'

option forward 'REJECT'

option masq '1'

option mtu_fix '1'

You’ll note that the wg0 device is part of the wan zone.

It really is pretty cool to have IoT devices at a remote site, magically controlled over the internet – and I don’t need any cloud services to do this.

Wiistar HDMI Audio Extractor teardown (WS-E11B)

Back in 2020 I moved to a Roku Premiere as my primary streaming device. As my audio gear is older (pre-HDMI) I required something to split out the audio from the HDMI signal and the Wiistar HDMI Audio Extractor was a good fit.

At the time I mentioned that the device was a little suspicious, but it worked and kept working just fine for some time. After a year of trouble free operation, I did have a couple of times when the box would give up and pulling the power and rebooting it seemed to fix things. Stuff happens, no problem.

More recently it’s been acting up a lot. Blanking out, then coming back or not. Tapping or banging on the case seems to help ‘fix’ things temporarily. It appears that there is something not quite right with the power connection. This meant it was time to take things apart!

There is a horizontal seam on both sides of the device, you can see it right by the mini-USB connection and the switch. By pressing with a knife blade on this seam, I was able to un-snap the sides. This took a little doing, but was pretty easy. Some gentle wiggling freed the circuit board from the snap case.

No surprises here. It’s a single chip solution, likely decode HDMI, re-encode HDMI. There is likely a small audio amplifier circuit here to feed the 3.5mm jack. It’s pretty amazing that you can get something like this for the price.

The USB-mini power jack seems to be well affixed to the circuit board (no bad joints). I inspected the cable as well, and it looks to be a power only cable – only two pins on the plug. I tried adjusting the connector fit a little which might help my power problem (and I could have done from the outside of the case).

Then I took a closer look at that one chip..

Yup, that’s a blank, unbranded chip. I’m guessing this is a chip that failed QC and was discarded or sold off as seconds. Bunnie wrote about counterfeit chips which will give you an idea of how this chip may have ended up being used. In this case, they aren’t even trying to fake the chip – they just are trying to use one that was cheaper.

Well – it was interesting to open it up which turned out to be easy. I may have improved the power connection, but first try and it’s not working. Meanwhile I’ve ordered an AmazonBasics HDMI audio extractor as a replacement. The AmazonBasics device has a lot of (mostly) positive reviews. There is a youtube video teardown which while it’s terrible, does give a peek inside. There seems to be QC stickers on the circuit board, and the underside of the case appears to have FCC logos etc.

It’s likely a very similar solution, also needing a 5V 1A power supply. The pictures show you powering it from a laptop USB port, which is only going to provide 500mA – so there is some suspicious stuff going on here too with the marketing. Also, I suspect based on the comments it accepts up to 4k input, but can only output 1080p – which is fine for my needs.