Is the limit of VPN Client 39? on Kamoj

[guy79]

Hello

I have a r9000 with voxel v1.0.4.5F and Kamoj V5. When i i setup my VPN i can connect fine however when it comes to creating the tunnel we have alot of smart devices and wired devices which i do not want using the VPN just because there is no need and i am guessing will slow the network down.

There are only two IP's i need to use the VPN. When moving them across i get to 39 bypass the VPN and then i can not move anymore. I also find that even though they are showing on the Bypass side they are also showing on the VPN side.

Is there anyway to get around this please because i find the NG firmware so buggy. Any help i please


Jon

 

[R. Gerrits]

I don't know about the 39 limit, but I have a similar situation, where I only want a few fixed IP-address to always use the VPN.

so my solution was to edit /usr/bin/addon_bypassvpnip.sh
and then add these lines somewhere just above the last "ip route flush cache"

[ "$(ip rule list | grep -c "iif br0 lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif br0 table $NOVPN_TABLE
[ "$(ip rule list | grep -c "192.168.1.10 lookup main")" = "0" ] && ip rule add from 192.168.1.10 table main
[ "$(ip rule list | grep -c "192.168.1.99 lookup main")" = "0" ] && ip rule add from 192.168.1.99 table main

the first line will route all internal traffic (so LAN+WLAN) via your ISP directly.
but the last two lines overrule this behavior, and route traffic from those 2 IP addresses via the VPN.

optionally, you can also add these rules:

[ "$(ip rule list | grep -c "iif tun0 lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif tun0 table $NOVPN_TABLE
[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE

the first one of these will ensure that a device that connects via OpenVPN to your router (for instance OVPN client on an iPhone), will use internet directly via your ISP.
the second one will ensure that the router itself uses the ISP directly. (so for instance if you use DDNS, then with this rule it will again register your real public IP with DNS. And this allows portforwarding again with VPN active (if your VPN provider does not support port-forwarding)


(if you go this way, everytime you install a new version of the addon, you'll need to make these changes again.)

EDIT 19-07-2021:

I discovered today that I forgot to mention 1 addition step, required if editted addon_bypassvpn.sh and added rules that contain "lookup main".
To have this work properly, you need to do an additional set:
change:

 # Delete all current rules tables and routes
   while [ "$(ip rule list | grep -c "lookup $NOVPN_TABLE" )" != "0" ]; do ip rule del table $NOVPN_TABLE 2>/dev/null; done

into:

 # Delete all current rules tables and routes
   while [ "$(ip rule list | grep -c "lookup $NOVPN_TABLE" )" != "0" ]; do ip rule del table $NOVPN_TABLE 2>/dev/null; done
   while [ "$(ip rule list | grep -vF "from all lookup main" | grep -cF "lookup main")" != "0" ]; do ip rule del lookup main 2>/dev/null; done

(without this 2nd cleanup line, manually added rules that would initially force traffic, after some time would no longer work, because other rules get a higher priority (lower number)).

 

[guy79]

I don't know about the 39 limit, but I have a similar situation, where I only want a few fixed IP-address to always use the VPN.

so my solution was to edit /usr/bin/addon_bypassvpnip.sh
and then add these lines somewhere just above the last "ip route flush cache"

[ "$(ip rule list | grep -c "iif br0 lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif br0 table $NOVPN_TABLE
[ "$(ip rule list | grep -c "192.168.1.10 lookup main")" = "0" ] && ip rule add from 192.168.1.10 table main
[ "$(ip rule list | grep -c "192.168.1.99 lookup main")" = "0" ] && ip rule add from 192.168.1.99 table main

the first line will route all internal traffic (so LAN+WLAN) via your ISP directly.
but the last two lines overrule this behavior, and route traffic from those 2 IP addresses via the VPN.

optionally, you can also add these rules:

[ "$(ip rule list | grep -c "iif tun0 lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif tun0 table $NOVPN_TABLE
[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE

the first one of these will ensure that a device that connects via OpenVPN to your router (for instance OVPN client on an iPhone), will use internet directly via your ISP.
the second one will ensure that the router itself uses the ISP directly. (so for instance if you use DDNS, then with this rule it will again register your real public IP with DNS. And this allows portforwarding again with VPN active (if your VPN provider does not support port-forwarding)


(if you go this way, everytime you install a new version of the addon, you'll need to make these changes again.)

HI Gerrits this is just what i am in need off

2nd question i have never edited scripts on a router how do i do it. I have experience with Engima sat recivers (Linux) i use telnet and Filezilla for this. Or is there a how to you can point me in thr right direction.


P.s i am a case of if it ant broke dont fix it so i wouldnt update unless there was some big update/bug fix
Many thanks for taking the time to reply

 

[R. Gerrits]

you apparently can already ssh or telnet into the router, because you managed to install kamoj addon.

then just do nano /usr/bin/addon_bypassvpnip.sh

then scroll down to the last "ip route flush cache"
and copy + paste the desired lines just above that line.
do crtl+x and choose yes to save changes.

afterwards, execute /usr/bin/addon_bypassvpnip.sh force
(to force reload the rules)

 

[guy79]

you apparently can already ssh or telnet into the router, because you managed to install kamoj addon.

then just do nano /usr/bin/addon_bypassvpnip.sh

then scroll down to the last "ip route flush cache"
and copy + paste the desired lines just above that line.
do crtl+x and choose yes to save changes.

afterwards, execute /usr/bin/addon_bypassvpnip.sh force
(to force reload the rules)

Hi Gerrits

Thank you so much for taking the time to reply and thank you for the answer this is just what i wanted and it has solved my problem 100%. I am over the moon with the results

Thanks again

Jon

 

[kamoj]

I don't recognize the 39 devices limit either.
There are other built-in ways to bypass the VPN:

1. Reserve DHCP addresses, and add the string "NOVPN" in the "Device Name"
   (In the Netgear Genie WEBGUI: Advanced: -> Setup: -> LAN Setup -> Address Reservation)
2. Create a list of devices to bypass VPN in the router flash-memory with e.g. the following commands:

nvram set NO_VPN_LST_ALWAYS="192.168.1.201 192.168.1.202"
nvram commit
addon_bypassvpnip.sh force

 

[guy79]

Hi Thanks for the replies i am trying to do Gerrtis way as it seems the better way for me . i have 70+ devices online and only need two through the VPN!

I had to obtain a new R9000 as the last one had faulty USB sockets so i am only just starting on this.

When i put in

nano /usr/bin/addon_bypassvpnip.sh (Via Putty)

I get

root@R9000:/$ nano /usr/bin/addon_bypassvpnip.sh
Error opening terminal: unknown.

am i going wrong somewhere?

Regards

Jon

you apparently can already ssh or telnet into the router, because you managed to install kamoj addon.

then just do nano /usr/bin/addon_bypassvpnip.sh

then scroll down to the last "ip route flush cache"
and copy + paste the desired lines just above that line.
do crtl+x and choose yes to save changes.

afterwards, execute /usr/bin/addon_bypassvpnip.sh force
(to force reload the rules)

 

[R. Gerrits]

When i put in

nano /usr/bin/addon_bypassvpnip.sh (Via Putty)

I get

root@R9000:/$ nano /usr/bin/addon_bypassvpnip.sh
Error opening terminal: unknown.

as a workaround, you could try executing this before you use nano:

export TERM=xterm

 

[R. Gerrits]

fyi, I discovered a small omission in my examples for manually doing some vpn-bypassing

EDIT 19-07-2021:

I discovered today that I forgot to mention 1 addition step, required if editted addon_bypassvpn.sh and added rules that contain "lookup main".
To have this work properly, you need to do an additional set:
change:

# Delete all current rules tables and routes
   while [ "$(ip rule list | grep -c "lookup $NOVPN_TABLE" )" != "0" ]; do ip rule del table $NOVPN_TABLE 2>/dev/null; done

into:

# Delete all current rules tables and routes
   while [ "$(ip rule list | grep -c "lookup $NOVPN_TABLE" )" != "0" ]; do ip rule del table $NOVPN_TABLE 2>/dev/null; done
   while [ "$(ip rule list | grep -vF "from all lookup main" | grep -cF "lookup main")" != "0" ]; do ip rule del lookup main 2>/dev/null; done

(without this 2nd cleanup line, manually added rules that would initially force traffic, after some time would no longer work, because other rules get a higher priority (lower number)).

 

[kamoj]

https://www.snbforums.com/threads/kamoj-add-on-beta-testing-ii.72238/post-701530

Hi Thanks for the replies i am trying to do Gerrtis way as it seems the better way for me . i have 70+ devices online and only need two through the VPN!

I had to obtain a new R9000 as the last one had faulty USB sockets so i am only just starting on this.

When i put in

nano /usr/bin/addon_bypassvpnip.sh (Via Putty)

I get

root@R9000:/$ nano /usr/bin/addon_bypassvpnip.sh
Error opening terminal: unknown.

am i going wrong somewhere?

Regards

Jon