วีดีโอ

Thanks for watching @PhilipLemon! Appreciate the compliment 😊

You're welcome, thanks for watching @gowtham1598! I have been seeing my viewers saying they are able to get it working with WARP successfully. As for IPv6 not routing, I can't be so certain why. I assume you have set it up with the correct routing rules (i.e. Allowed IPs to be all IPv6 IPs, ::0/0. A good follow up is if WARP is giving you an IPv6 IP to use for your VPN. If not, that could be a reason. Or if IPv6 to IPv4 translation isn't being done (depending on the origin type of the traffic and what IP version its going out on, 4 or 6). What troubleshooting have you done in regards to IPv6 routing?

Thanks for watching @tzvikawasserman1776! So I'm not sure I completely understand the ask, but my answer would be it depends. Do you want all your VLANs to communicate to all RFC1918 networks? Depends on the purpose of your VLAN. For example, my IoT VLAN doesn't communicate with all RFC1918 networks, because I want to limit its communication to the local subnet, and to the internet, rather than to devices on my other networks, or to my VPN network that I've configured with WireGuard. But you might want to use RFC1918 for a management VLAN to talk to all devices, and therefore would use that rule.

@georgeShtuller thanks for watching! Not sure what your error is, I haven't seen that before. Doing a quick search, I did find this comment within the forum. forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/24 Maybe this will help? Otherwise, I'd suggest the forum for more help since its easier to post configurations there and let alone, you're problem has probably been experienced by someone else and already resolved by them.

@@DevOdyssey Thank you. I was on this forum. I tried this solution, but no. On Mr. shangri's advice, updating the version from his repository did not help. For some reason, he doesn't answer anymore. He says that the configuration is correct, everything should work - in reality it does not work. The forum is useless so far

You're welcome @ARMINJB, thanks for watching!

@alkardo332 You're welcome, thanks for watching!

To configure a proxy client on the Raspberry Pi 4b, that will greatly vary depends on your operating system. From other comments I've seen you make on different videos it seems like you are using OpenWrt. If so, you can follow this video below that reviews it. th-cam.com/video/tjiMyuLrejA/w-d-xo.html You can use privoxy to forward requests to an upstream http proxy, as you've given in your comment. For Raspberry Pi OS, you should be able to do it in your OS configuration, and a simple search should give you plenty of information to do that. I'd be sure to specify if you are using Raspberry Pi OS with a GUI or just a terminal. Either way, heres an example of how to set one up using the terminal. forums.raspberrypi.com/viewtopic.php?t=28835

While this video doesn't cover proxy configuration, the video below gives you a example of how to configure a SOCKS5 proxy in OpenWrt. th-cam.com/video/tjiMyuLrejA/w-d-xo.html

Thanks for watching @MASKDANTE! While I don't have a video that will exactly sho you how to do this, the process is straightforward. Generally you search for the driver as a package, and you should be able to find if its supported by getting some packages to show up. If nothing does, then its likely not supported out of the box by OpenWrt. Now googling the driver, I do see some posts about it, but it seems you have to add it to OpenWrt manually. At this point, I'd suggest looking at other WiFi adapters, as this one is not well supported by the vendor / OpenWrt community. It would be much easier to do that, or get a mini router and flash it with vanilla OpenWrt like the GLiNet travel routers, instead of trying to get this dongle to work, or getting a new dongle even (again, really depends on cost). But if you really want to use this WiFi adapter / dongle, you can do some searching and find github repos that have the driver, where then you might have to cross compile the ipk, then add it to OpenWrt. These repos are not official either, so you will take some risk there installing them, and I can't personally guarantee they will work. So given all that, I'd honestly just find another WiFi adapter, as noted, or even a mini router like GL iNet, as I've personally had a great experience with them and made a couple of videos on them too, below being the latest. th-cam.com/video/CKpKuHt8BaE/w-d-xo.html

You're welcome and thanks for watching @ghkpr! Happy this video helped! 🙂

Thanks for the compliment @wilsonomonz299! I enjoy sharing practical educational material, as its fun for me, but also what I find to be the most helpful when I'm looking to learn how to do something new. So thats my preferred format, to talk about it and do it 🙂

Thanks for watching and being a fan @tobiasholter1224. I do certainly appreciate the suggestion, and I have actually already done that, but not particularly with Mullvad. I have with IPRoyal but the concept should remain the same. th-cam.com/video/tjiMyuLrejA/w-d-xo.html

Thanks for watching @hassanbagheri8265! I am not exactly sure I understand, but to set some URLs to go through the VPN, you simply set your WAN as your default gateway, and then when creating your rules (policy), you choose to have those URLs go through the VPN, and thats it. Everything else will go through the WAN by default. Following the video should explain it. As for a method to wildcard allow all subdomains, refer to my latests comments. Yea can have subdomains be routed by default in a rule when including the top level domain by using dnsmasq's nftset. docs.openwrt.melmac.net/pbr/#UseDNSMASQnftsetsSupport

Thanks for watching @ivannicolas166! If I'm understanding your question correctly, which I think I am, then yes, you can have two WireGuard interfaces running, where one acts as an "inbound" VPN that lets you connect into your home, and one as an "outbound" VPN, that you use to tunnel traffic out through a VPN. You'd simply have to set up the routes properly to facilitate this but its definitely possible, and something I'm looking to explore setting up in the future.

Thanks for watching @saswatachakraborty! Yup it does, you can create multiple WireGuard interfaces, each with a different peer in a different physical location, then from there you'd have to route to the different WireGuard interfaces so you can change your location. Now you can put all of these different peers (locations) under one WireGuard interface, but you can't route to all of them in the same way (say for example have a full tunnel to each / default route of all traffic), it simply wouldn't know how to route your traffic. So separating them out by new WireGuard interfaces would make it easier to move between them, and effectively you'd change your route between each WireGuard interface. This is all taken care of by the "Allowed IPs" section in your peer configuration that will create the necessary routes for you automatically. However, in order to forcibly change which location you are routing you, you'd have to do that manually, or potentially using failover configuration (such as mwan3).

Thank you and thanks for watching @belyrodriguezmorales8032! I'm not sure why you wouldn't see that, other than if you didn't update your list of packages. Did you first update your lists of packages by clicking update lists? It goes without say, but make sure you do this with an upstream internet connection to your Raspberry Pi 4B Given the hardware and software you are using, you shouldn't have any issue finding that package, and there wouldn't be an alternative (other than using terminal commands).

Thanks for watching @tonysteele3805. So I'm not sure what this is the case for you, but are you sure that each rule you have made is set to log, such as at 11:34? If you haven't, they will never show up in your firewall log. As for working after the recent update, it still works fine for me, so I'm not sure why (or what) you are experiencing this. DHCP has changed to a new backend. It's using a more modern version of DHCP called KEA. You can find more in the link below, but the old version of DHCP is reaching end of life. docs.opnsense.org/manual/dhcp.html I wouldn't say it's infiltrated, there doesn't seem to be any indication that is the case, and would advise to be cautious of those statements without more concrete evidence, since unfortunately this is becoming a thing in modern day supply chain security of open source developed software, and should be taken very seriously, just as with the recent example of the xz backdoor that was created. I digress, but what has been seen so far is normal in software lifecycle.

Thanks for watching @marcg1043. Yes, so they're physically separate, in that each port on a router, is its own physical port. Now most of these are switch ports, which, I'll get back to in a second regarding its significance, but technically they aren't the same port. By default on any off the shelf router, if you plug into each LAN port, you'll be placed on the same network. That, of course, is by design. They will be on the same layer 2 and technically won't be separated as you noted. On other systems, say a mini PC's with more than one ethernet port, those will often have a dedicated ethernet controller for each ethernet port. As a result, this physical separation of ethernet controllers means that the ports can have their own separate networks defined, alluding to that physical separation of networks. On a standard router, these physical ethernet ports share the same ethernet controller, thereby acting as switch ports, and placing you on the same layer 2 network, unless its VLAN capable, which this video goes into how thats done. Anyway, thats the gist of it, but a notable caveat, so I appreciate the question. I assign a separate subnet to my VLAN because I want that VLAN to be a different network, its a simple as that. I can't make the VLAN be the same subnet as my primary LAN, as that would cause collisions and it simply doesn't work that way. Conceptually its against the purpose of a VLAN. A new subnet must be created for each new VLAN. Each are their own network.

Thanks for watching @bogdangusak4573! Glad the step by step instructions worked for you exactly as expected. Enjoy your VPN router!

Thanks for watching @pokomoro9461! Thats very strange, can you elaborate more on what that means? Are your devices on the second router not able to get to the internet? Have you tried to directly use the second router to communicate with the first? Have you repeated this and is it always that after 1 hour it "stops communicating"? How are you doing this testing to observe that the second router stops communicating with the first router? Some more context should help, but if the first router can still communicate with the second router, then it makes me wonder what the real issue is.

You're welcome, happy to see you watching another video! You should be able to simply set youtube.com as your destination and it should work. Now I'm not sure if this covers everything that youtube uses on the back end as a part of its services, but this is effectively where you'd start. In addition, if you needed to route youtube sub domains, I did talk about that as well on a high level at 9:02. Basically, you can create a script that would pre populate all dnsmasq nfset (so long as you set that as your resolver), and pull down IPs for domains and subdomains, and any policies you write, would inherenetly include the subdomains (so long as you have a domain set in your policy). You can find more information here on that, that I actually referred to recently in another comment. docs.openwrt.melmac.net/pbr/#UseDNSMASQnftsetsSupport For now start with adding youtube.com in your policy and see if it works as expected.

Thanks for sharing @rysterstech! I have't used Cloudflare WARP myself, but I see it's WireGuard based and happy to hear this helped you set it up. Should be easier then when I get trying it out. I wouldn't expect it to break tailscale, given they'll simply be different interfaces. Its honestly really neat to see how much you can do with these little boxes and Open Source Software. Let alone, it really gives you insight into how much manufacturers have limited consumer ability to customize their devices. It's grown a ton since the early days, but still you won't get that level of customization using off the shelf software for the hardware you buy. Plus this is more fun, especially when you get your use cases working 😊

You're welcome and thanks for watching! @Kim-jj3nr

Thanks for watching @j0efil! Not sure I completely understand, but I'll try. You can create different networks, or subnets, in OpenWrt, and each of those will have a different router IP, (say 192.168.1[.]1 and 192.168.2[.]1). They both would physically lie on the same system (the OpenWrt router). You can achieve this in multiple ways. If your router has more than one ethernet interface, you can simply create a new network on it. If not, you can create VLANs that can achieve the same thing, with a bit more flexibility. You can watch my video on creating VLANs below (for newer OpenWrt systems). The second video you can watch for more educational information regarding what VLANs are. VLANs in OpenWrt 21.02+ th-cam.com/video/d3aYMqt-b_c/w-d-xo.html How VLANs work (and how to set them up in OpenWrt 19.x) th-cam.com/video/5TtlAXeaGUM/w-d-xo.html

@@DevOdyssey thanks! Big help! Also do you have a guide how to setup port priority using mwan3?

@@j0efil You're welcome! I unfortunately don't have a guide on it at this time, but I suggest following through with their guides. openwrt.org/docs/guide-user/network/wan/multiwan/mwan3 But if I understand what you are getting it, it should be as easy as changing the metric on the port, that really defines its routing priority. The hight the metric, the increased priority it has, it's really as simple at shat.

Thanks for watching @AlexanderDavila-q9r! Thats interesting, I haven't seen that before. Doing a quick search, it seems like entries can be logged in the /var/log/messages. Have you checked any other OS log location to see if squid is logging there? I'm not sure what distro you are using but thats something to consider here where it can mess with logging. Also, can you confirm that the proxy is working as expected? Are your requests being proxied after you've configured it? I used the base install of squid from Ubuntu, and didn't modify anything for logging, so depending on how you installed it, I wouldn't expect you to have missed something from a default install. Otherwise, I'd encourage doing some research to see how you can resolve this.

You're welcome @user-fc9ic5cm8d! I don't have a video on that unfortunately, but you should be able to follow the docs for pbr and set this up. docs.openwrt.melmac.net/pbr/#UseDNSMASQnftsetsSupport There is a screenshot in there that shows you an option to change your resolver set. After making sure you have dnsmasq-full package installed, I don't think there is anything else you'd need to do. You can add custom user files on top of that if you want, but again not required. You can find more information on that in the link above.

Thanks for watching @Rugbyu17-jh8qg! Is the snippet you shared your config? It seems like so (as I don't see it in my video). What equipment are you running OpenWrt on for each site? to me it looks like your ethernet interface is actually USB based, and its using a USB adapter for that ethernet interface (built in to the board going over the USB controller, or simply an adapter plugged into the USB port). Looks like they would be different equipment too since it sounds like they aren't the same.

Thanks for watching @chuckcorvec3453! Sorry to hear about your trouble. I'm curious about that rule, I have to look again to check if that's a default rule in my installations. Anyway, these two rules will not be suitable for a all traffic on your home network. Rather, this was merely to show the example of how to create rules, and not all the rules you any home network needs. The rules you need depend on the devices in your environment. What you do want is allow rules for HTTP/HTTPS, for most web and internet based traffic. The way I recommend doing this process is setting up your base rules, all above your default ANY / ANY rule (making sure quick match is checked off). Then, when you feel you have done enough rules, you can disable the ANY / ANY rule, and see what happens. If something breaks, you can turn that rule back on, and begin to troubleshoot to find out how you can make a new rule to fix what broke, since you ideally wouldn't want that ANY / ANY rule in place indefinitely. This ANY / ANY rule is just an easy way to make sure everything works, and if you want the easiest solution, you can leave that on. However, it reduces the control you have over your network traffic. Depends on what you're trying to achieve and what level of control you want to exercise over your network.

Thanks for the compliment @sirlanzi! Always happy to hear when people get value out of my videos. As for your question, technically no. DynDNS will not save you from needing the keep alive, you could still well need it with DynDNS. The reason DynDNS is needed is because of two reasons really. One is your external IP is CGNATed. Meaning you share a public IP address with other people. Because of that, you don't control the public IP address the internet sees, and you can't do port forwarding. The second reasons is you don't control your network, or have access to port forwarding or open up ports on your firewall. What the keep alive does is make sure one end of the tunnel initiates the connection, and keeps it going, since the opposite end cannot initiate the connection, due to the above reasons. When you get DynDNS, this doesn't remediate CGNAT or lack of network control, it just gives your IP address a DNS record. So if you fall into either situation above, you'll still need the keep alive on one end of the tunnel, particularly on the end that has your CGNAT IP or "IP you can't control". DynDNS is just convenient for the end IP that does change, that you know you'll always be hitting the right endpoint.

Thanks for watching @wanttotree and great question. Yes, you certainly can by using a package called pbr, or "Policy Based Routing". I created a video on how to do that, which you can follow here: th-cam.com/video/FN2qfxNIs2g/w-d-xo.html

Interesting question! Theoretically, yes, you could use a failover package called mwan3, which you'd use to set up your second WireGuard interface, as a failover interface. It effectively operates on pings, and if the pings fail on the first WireGuard interface, traffic will begin to be routed over the second WireGuard interface. All you'd need to do is set up 2 WireGuard interfaces, then setup the mwan3 package. I haven't used mwan3 yet, but it should be pretty simple to follow. openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

Thanks for watching @saotekwong3276! Referring to the link below, you should be able to route all subdomains of a domain in your policy. However, you don't explicitly wildcard it. Instead you write to domain as you normally would, say google.com, and then when you set your resolver set to dnsmasq.ipset or dnsmasq.nftset, whichever is supported on your system, then it will route subdomains through your existing policy. Refer to the comment below from the creator of PBR for more information. My answer is simply what he provided, and not something I have personally experienced. forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/779

@@DevOdyssey Thank you very much. I tried dnsmasq.nftset, but it is not working. I have no idea why

@@DevOdyssey Thz for you information. However, I have tried and but it does not work.

@@saotekwong3276 So can you elaborate on it? Whats not working about it and how is it not working? How have you tested it to prove its not working? Have you ensured that you have dnsmasq set up on your router? If you have further trouble here, it would probably be worth getting onto the OpenWrt's forums to ask for assistance, where you can share screenshots of what you've done any your observations of your tests, and the community should help you get it working, including creator of the pbr package. forum.openwrt.org/ forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639?page=38

Snort3 or suricata can definitely be helpful, though those are more IPs/IDS solutions, that are on top of DPI in general. IDS and IPS solutions can be for source intensive too, so OpenWrt on your standard routers won’t be able to handle too many rules in either platform. They’d be better on a x86 mini pc if you still wanted to use OpenWrt. To that point, it doesn’t seem like suricata has been fully ported to OpenWrt, only Snort has been. There are other DPI systems like Netify that work on OpenWrt, but I have not tried it, and it seems to be a paid solution as well. They don’t seem to exactly be an IDP or IDS but simply doing packet inspection for network analytics. For DPI and related services like IDP or IDS, I’d recommend using a platform with more power, and using BSD based solutions like OPNsense or pfSense, using Intel based hardware, and something with more than 1 GB of RAM. I haven’t gotten around to doing DPI or IDP/IDS personally, other than enterprise grade solutions such as Palo, so I don’t have much experience to share here. Though I’ve heard good things about ZenArmor that I’m hoping to try in the near future that offers tons of functionality more than IDP and IDS, more in the realm of “Next Generation Firewalls”. If you do happen to use Snort on OpenWrt, I’d be curious to hear about your experience. You might get to it before I do.

Thanks @mikeclites8407! Awesome to hear from another happy viewer. I can't honestly say if or when I'd get to it, but if you do try it out yourself, I'd be happy to give my 2 cents. I haven't used mwan at all yet, but my understanding of it is pretty straight forward. Do you have a reference that says it works with ipsets using a specific script?

You're welcome @striker_rafael! Thanks for watching. I'm happy to make great content just like this. I have plenty of more video / network ideas I need to get started on that I'd be happy to share.

Thanks for watching @JBlask! Appreciate you sharing your ideas. A general firewall rule video on good rules to implement is one I've been wanting to make for sometime, but haven't gotten around to it. Those additional rules you're referring to, I havent really ever made rules for all those, as some are automatic, like the dhcp rules. HTTP(s), FTP and SSH are straight forward, pgp clients I'm not sure on, and doing rules for applications like TH-cam or Zoom requires a different type of firewall, one that can create Layer 7 or application rules. You won't be able to create those with OpenWrt. I have wanted to do a network tools video too, like ping, iperf3, tcpdump, but haven't fully fleshed that idea out. Deep packet inspection is something I still need to improve on, so one day I could go more in depth there. Nonetheless, I'm happy to hear this video as it stands was able to teach the basics, just as I had intended.

Thanks for watching @confusio4207! Appreciate the compliment!

Thanks for watching @luhwoppp! Could you elaborate more? Does it actually show up after the install, and are you saying the dropdown doesn't show anything? What version of OpenWrt are you running? I haven't used this in the newer versions, 23.05, so I can't be sure if there are any issues, but to me it sounds like it could be something you are misunderstanding.

Thanks @mikenyc1589! Really appreciate the compliment.

@@DevOdyssey I would like that info on mwan3....I wouldn't want wifey getting pissed if internet knonks out while shes working..:(

I managed to resolve the issue with some help from the openwrt forum. Firstly I disabled the firewall for each of the routers using the command, /etc/init.d/firewall stop. I also disabled the windows firewall on both PC's. I was then able to Ping from PC to PC in both directions. I added the windows firewall back and could only ping in one direction. SO one of the PC's firewall needed configuring. Moving on I added config forward option dest 'lan' option src 'vpn' to each router. This created the rules required so I could start the firewall on each of them again with /etc/init.d/firewall start. Finally to get the ping working for both directions I added the WG subnet (10.10.10.0/24) and the opposite site subnet to each of the windows inbound firewall settings. Now all up and running. Great video. I found out a lot setting it up. One being that OpenWRT will block Forwarding on the lan when source and destination subnets are different.

Essentially I was using the wifi as the WAN and the Ethernet as the LAN. So at 9min 38secs of the video where you set VPN zone to forward to WAN, I needed to forward VPN to LAN. Something that I only realised after getting it to work.

@@jamesnorth6078 Thanks for watching and sharing what you've done, I appreciate it. These extensive notes are sure to help anyone else experiencing the same issue. Your experience reminds me of basically anything I make a video on, I have to rough through the experiences of getting it wrong so many times until I get it right. Given what you said, it makes sense why it didn't and did work after your changes. My simulated Internet was to show this with public IP addresses, and its pretty easy to set up in OpenWrt. Just define your subnet and allow forwarding. Thats pretty much it, and was pretty novel for me to do in this video. Though in future videos, I have some cloud ideas in mind for my demonstrations. Anyway, thanks again for sharing your experience, and I hope this set uo continues to treat you well!

Thanks for watching @barneybarney3982, and no worries. I'm not taking any offense, I appreciate you sharing your thoughts. This video is really meant to provide the hands on approach that you wouldn't get from click "full help". While the things I say certainly has overlap, the full help won't click through the options for you and show how they are used, in conjunction with different options I have thought about some general "firewall tips" videos about best practices and good rules, that I hope to get to in the future, as I can see that being a very helpful video. I just havent gotten around to it yet.

Thanks for watching @ANTHONYBOOTH! Self hosted version would be cool to try, as I like to get my hands dirty that way. This video was a fun experiment in learning SIP and VOIP tech. Happy to hear that the platform has been treating you well overall!

Thanks for watching @Anonym12393! Glad to hear it worked. So what this seems to indicate here is that your DNS server is not accessible outside of the tunnel, and therefore DNS requests are failing (and therefore any other requests that rely on DNS). You can remediate this by using a cloud flare DNS or simply making sure the DNS server is accessible outside of the tunnel. I believe Mullvad has DNS servers that are public that you can use, but obviously feel free to use one you trust.

Thanks for watching Victor! The height shouldn't matter since the fins do stick our of the enclosure, for the sake of air flow and letting the heat dissipate. I went ahead and measured it, and the height is roughly 4 mm, from the top of the fan to the base of the heat sink. Is there a reason you're concerned on the height?

@@DevOdyssey There are other heatsinks with differing heights, but same length and width for a CM4, but I understand now that the height doesn't matter for assembly purposes, any of them will do, thanks!

@@Victor-779 You're welcome and good to know. I figured there are, I don't shop around for different heatsinks for Raspberry Pi CM4s often. But yea it can be even taller if need be to catch more airflow, and it won't get in the way unless you squeeze the whole unit into a tight space, which I don't imagine anyone would really be doing.

Danke fürs zuschauen @dominikseildein6049! Entschuldigen Sie, während ich Google Translate verwende, um zu antworten. Die Beschleunigung soll das Video auf einer angemessenen Länge halten, aber ich sehe, dass es dadurch schwierig werden kann, dem Video zu folgen. Ich empfehle, das Video in diesen Abschnitten zu verlangsamen, um es genauer verfolgen zu können.

Thanks for watching @tranquiloteov! Nice setup! So from my research, you can setup OpenWrt within a container, but I can't say I have ever done it. The reverse is also true, you can run containers within OpenWrt (as the host OS). So you could run those adguard and dns server in a container on OpenWrt, or simply use the adguard package and built in dnsmasq. But if you want to use OpenWrt as a container, I'd refer to this reddit thread here with some notable links on OpenWrt containers. www.reddit.com/r/openwrt/comments/p7qple/has_anyone_tried_running_openwrt_in_a_docker/ openwrt.org/docs/guide-user/virtualization/lxc github.com/oofnikj/docker-openwrt If you do get it working, give update this here with a comment, I'd be happy to hear about it.