Configuring routing in a network with an uncontrolled router

I hate ads, but I buy into them all the time. I saw an ad for MGTS at the entrance – 500 megabits for 500 rubles a month, real IP, IPv6. Of the minuses – just the need to drill a wall and hang someone else’s router in the apartment. I think we need to take it – we’ll figure it out somehow. (Actually not, but more on that later). A gigabit router with WiFi 802.11ac (5GHz), but without the possibility of modifying the firmware, installing software and with minimal configuration options via the web interface. The task is to configure a VPN with a different network and transparent use of resources from the onion network (The Onion Router aka TOR) for clients using your server in the local network.

I think this article will not be enough for a complete guide. People have too different capabilities and needs – different hardware. Rather, some signpost of the way to go. For example, for the server, you can use the popular raspberries… Perhaps even with pi-hole… For example, I installed an inexpensive x86 server with a processor soldered on the motherboard, installed ubuntu and use it, including as a file, home assistant, web and application server.

In general, I wanted to be able to use the WiFi interfaces of the router, as well as for the clients of the local network to get transparent access to some resources via vpn or tor without additional configuration on the client side. And I didn’t want to unnecessarily pass all traffic through a third-party server – I wanted normal Internet traffic to go directly to the router, and the special one (tor, vpn) was processed by the server. I decided that I would disable DHCP and DNS server on the router, put DHCP on my server, which will announce the correct routes via DHCP and on which dns, vpn and tor daemon will run. With vpn everything is clear – if another local network has different addresses, then you just need to configure routing. For transparent access to resources through the onion router, I decided to use the dnsmasq + tor.VirtualAddrNetwork + tor.DNS bundle. We configure dnsmasq for the predefined domains from the list so that it uses tor to resolve them. After that, domains from the onion network will have specific addresses from a special dedicated range of private addresses and you can use normal routing rules to redirect this traffic to tor.TransPort using iptables rules. I used wireguard to connect local networks via vpn. In another LAN, there is a regular router with padavan + entware firmware.

Key parameters of my configuration:

  • Local network – The router has a static white IP

  • Another local network (which we can access via vpn) –

  • Router –

  • Ubuntu server is, ethernet interface name is enp1s0

  • tor

    • private network (VirtualAddrNetwork) –

    • dns server (DNSPort) –

    • transparent proxy address (TransPort) –

  • dnscrypt-proxy (DoH) address –

  • wireguard device network (private range of IP addresses from which addresses are assigned to wireguard interfaces) –

    • server wireguard address –

    • android client –

    • vpn server of another LAN –


My server is a regular x86 with Ubuntu 20.04 LTS.

Install packages (apt install <packet>):

  • iptables-persistent – saving and restoring iptables rules

  • tor

  • dnsmasq – DNS + DHCP server

  • dnscrypt-proxy – DoH DNS client

  • systemd + – were installed by default and are used to configure the network interface

  • wireguard – vpn

Configuring a static network interface – /etc/netplan/eth0-static.yaml and run netplan apply to apply the changes.

To enable routing, set the kernel parameters:

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

and edit the file /etc/sysctl.conf to save changes after reboot.

Set up iptables – for the filter table, set the default policy ACCEPT for the INPUT and FORWARD chains – /etc/iptables/rules.v4… And reload the rules netfilter-persistent start or iptables-restore < /etc/iptables/rules.v4

Dnsmasq settings

V / etc / default / dnsmasq add an option to ignore files with the extension * .i

We register local devices in /etc/dnsmasq.d/src/lan_hosts.csv.i to set fixed IP addresses.

Domains for access to which we will use tor are registered in /etc/dnsmasq.d/src/dns_tor_domains.txt.i

Configuring DNS options – routes, router address, dns server/etc/dnsmasq.d/dhcp.conf

DHCP option is used to announce routes classless-static-route and microsoft-classless-static-route – 249 (just in case). In principle, one could try and not disable the DHCP server on the router, but simply announce additional routes. The problem occurred on the Android phone Xiaomi Mi 9T. He did not use DHCP routes, he used only one default route. Not sure if all androids have such a problem. I had to make special settings for androids and redirect all traffic from android clients to the server.

Special settings for android – there are no routes, the server is used as the main router.

To apply the settings, run ``- is described in more detail in the section” Updating the configuration “.

Tor settings

File / etc / tor / torrc:

A list of domains that we will resolve through tor and that will have addresses from our private range (see. VirtualAddrNetwork) – AutomapHostsSuffixes – configurable by script and saved to /etc/tor/hosts_suffixes.cfg file.


DNS over HTTPS is a protocol for executing a resolution DNS by protocol HTTPS… For me, the purpose of using it is to protect against DNS spoofing by the provider.

For implementation we use dnscrypt-proxy. To install, we perform apt install dnscrypt-proxy

Configuration /etc/dnscrypt-proxy/dnscrypt-proxy.toml:

Note: I slightly changed the way dnscrypt-proxy was started because it seemed to me that it did not work for me. In the default settings, it runs through systemd.socket – that is, the port listens to systemd and starts dnscrypt-proxy when needed. I changed the configuration. In my configuration, I run dnscrypt-proxy directly. The port is listening on dnscrypt-proxy. I don’t think it’s necessary. To change the port in the default configuration – when dnscrypt is activated via systemd.socket, you need to execute systemctl edit dnscrypt-proxy.socket and install


The file should appear /etc/systemd/system/dnscrypt-proxy.socket.d/override.conf

Configuration update

Add the domain to which we want to go through tor to the file /etc/dnsmasq.d/src/dns_tor_domains.txt.i

Add the static address of the local network device to the file /etc/dnsmasq.d/src/lan_hosts.csv.i

Run the script dnsmasq_reconfig.shwhich will generate configuration files for dnsmasq (/etc/dnsmasq.d/ lan_hosts.cfg.i, resolv.conf.i), tor (/etc/tor/hosts_suffixes.cfg) and everything will restart to update the configuration.

Flushing DNS cache

Let’s say you went to the site directly, but looked and decided that it was worth going through tor. Just updating the configuration is not enough – caching DNS addresses in different places. Therefore, after updating the configuration, the caches must be reset.

On a Linux client with systemd-resolve, run sudo systemd-resolve --flush-caches

On a windows client, run ipconfig /flushdns at the command prompt with administrator rights.

In google chrome, open the page chrome://net-internals/#dns and reset the browser cache.

Wireguard VPN setup

I plan to write about setting up wireguard in the next article.

Crying Yaroslavna

Well, and finally I will write why all this turned out to be unnecessary

First, at some point MGTS took away the real IP and put everyone behind NAT. For some reason, at this moment the corporate VPN fell off and the support service recommended connecting a dedicated IP.

Secondly, after connecting the dedicated IP, IPv6 stopped working. The support service reported that MGTS, in principle, never supported IPv6. Well, that is, IPv6 seems to work, but it is not guaranteed to work. On the forums there is an explanation on this topic – like they allocate a static IP, but they cannot allocate a static IP, and in order not to confuse anyone when connecting a static IP, they stupidly chop off v6.

The tariff was increased by 100 rubles, but this is the lesser of evils, it doesn’t even count.

Thirdly, the support of MGTS is terrible. At first I had a sercomm rv6699 router – everything seemed to work more or less. And it was not a bad option – there was telnet and access to iptables. They even say it you can reflash… There was a jamb – it was impossible to reach the external IP address from the local network via http and https – but this was solved by deleting two iptables rules. But then I decided to assign a fixed channel of the WiFi 5GHz network. The channel was not assigned – I started jumping, I turned to technical support and they replaced my router with a ZTE ZXHN F680. And that turned out to be the complete end. It did not forward DHCP packets from the local network to WiFi. I could no longer use my scheme. Technical support was sent with the conclusion “in the default configuration, the pages are loaded, everything else is not our problem.” I thought I might try to use DNS from the router, but there is absolutely slag. The maximum can be configured – 10 static addresses in the local network. Static and dynamic addresses must be in the same range. In general, the WiFi router is not used.

Fourth, MGTS has full access to your router. And to have a third party, or rather even a whole company, on your local network is somehow even unhygienic.

Conclusion – you can also MGTS, but turn off WiFi and put the router in bridge mode (not the fact that this can be done, not the fact that it will not fly off after a non-disconnected auto-update, not the fact that it will not be prohibited).

They say that Sercomm RV6699 v4 router you can reflash… I wanted to try it, but I can’t – I don’t have this router anymore – it was replaced with ZTE ZXHN F680.

More they say that you can buy a box for less than 1.5 thousand rubles and it will work as a bridge – I think that’s a good option.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *