I have problems getting custom firewall rules (or a script) automatically executed.
Background:
The Turris Omnia is deployed in an office and automatically starts a WireGuard connection at startup. This works flawlessly.
But some services must be excluded from the VPN route, and therefore I have the following script:
#!/bin/sh
logger "ReRouting VPN exceptions start"
# Gateway of the WAN interface: third field of the first "ip route" line that
# mentions "dev eth2.102 proto static" (expected to be the default route).
wan_gw=$(ip route | awk '/dev eth2.102 proto static/ { print $3 }' | awk NR==1)
# Sources that must bypass the VPN are sent to the "novpn" routing table
# (the table name must exist in /etc/iproute2/rt_tables).
ip rule add from 192.168.1.192/27 table novpn
ip rule add from 49.190.2.82 table novpn
# The "novpn" table routes everything directly via the WAN gateway,
# plus a link route for the exempted subnet on the WAN interface.
ip route add default via "$wan_gw" dev eth2.102 table novpn
ip route add 192.168.1.192/27 dev eth2.102 table novpn
ip route flush cache
logger "ReRouting VPN exceptions end"
(There is a corresponding script restoring the default route in case the VPN is shut down.)
This script works, but I am not able to autostart or autoload this as custom firewall rules.
I tried:
The script in /etc/rc.d/ (which I might have done wrong)
a call to the script (not the commands themselves) in /etc/rc.local
the commands as custom firewall rules in the “command window” under Firewall - Custom rules
None of this worked! I can never find the logger output in any log. And every time the router restarts, I have to run the script “by hand”.
I therefore hope someone can help me to fix this.
My ideas / questions:
Maybe all the script does can be done in configuration and does not need a script at all? <— Preferable, as I see it.
What is the “proper” way to autostart this script? Init.d? cron @boot?
As far as I can see, the WireGuard implementation does not support on-startup / on-shutdown scripts as OpenVPN does. Do I understand this wrong?
You need to create an init.d script with the correct format, at least with a start function; see the other scripts in /etc/init.d/.
They have a standard format with functions such as start, stop, status, restart, etc.
And add it to /etc/rc.d/ as well with a proper filename; it should have a bigger value, such as S99.
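An added example of the start/stop script layout the reply describes, written for the routing setup from the original post (this is example code, not the thread author's script nor part of OpenWrt). It assumes the table name novpn is registered in /etc/iproute2/rt_tables and that the WAN interface is eth2.102; the exempted addresses are those from the original script.

```sh
#!/bin/sh
# Added example, not from the thread: the rerouting logic with start/stop
# functions in the init.d style. To install it on OpenWrt, change the first
# line to "#!/bin/sh /etc/rc.common", save it as /etc/init.d/novpn and run
# "/etc/init.d/novpn enable" (this creates /etc/rc.d/S99novpn from START=99).
# Assumptions: "novpn" is listed in /etc/iproute2/rt_tables, WAN is eth2.102.
START=99
STOP=10

WAN_IF="eth2.102"
TABLE="novpn"
EXEMPT="192.168.1.192/27 49.190.2.82"   # sources that must bypass the VPN

# Gateway of the static default route on the WAN interface; empty if none.
wan_gateway() {
    ip route | awk -v dev="$WAN_IF" \
        '$1 == "default" && $2 == "via" && $5 == dev && /proto static/ { print $3; exit }'
}

# True if a "from <src> lookup novpn" policy rule already exists (keeps
# start idempotent: re-running it must not stack duplicate rules).
rule_present() {
    ip rule show | grep -q "from $1 lookup $TABLE"
}

start() {
    gw=$(wan_gateway)
    if [ -z "$gw" ]; then
        logger -t novpn "no static default route on $WAN_IF, not rerouting"
        return 1
    fi
    logger -t novpn "rerouting VPN exceptions via $gw"
    for src in $EXEMPT; do
        rule_present "$src" || ip rule add from "$src" table "$TABLE"
    done
    ip route replace default via "$gw" dev "$WAN_IF" table "$TABLE"
    ip route replace 192.168.1.192/27 dev "$WAN_IF" table "$TABLE"
    ip route flush cache
}

stop() {
    for src in $EXEMPT; do
        while rule_present "$src"; do ip rule del from "$src" table "$TABLE"; done
    done
    ip route flush table "$TABLE"
    logger -t novpn "VPN exceptions removed"
}

# Plain-sh dispatcher so the same file also works from /etc/rc.local
# ("/path/to/novpn start"); under rc.common it is ignored, rc.common calls start/stop.
case "${1:-}" in start) start ;; stop) stop ;; esac
```

Check the result with "ip rule show" and "ip route show table novpn"; the logger lines appear in "logread" under the tag novpn.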
I have custom firewall rules defined in /etc/firewall.user which are (for whatever reason) not automatically applied when the firewall service starts during a reboot.
In /etc/cron.d I therefore created an additional file firewall-restart-reboot containing
If you want to add/remove additional rules based on the up/down state of the interfaces, then you need to write a small application (C lang) that listens for certain network events. Btw, the wg interface is already brought up during boot; you need to find another event for the wg state change.
For Debian-like systems /etc/network is the custom scripting place for such network events; don't know if it is similar with OpenWrt.
I'm using the /etc/rc.local file for this. I have discovered I need to put sleep 10 as the first command and then the path to the script as the second command.