Kamoj Kamoj Add-on 5.1 Beta testing poll

[nsx]

Tested with Voxel v1.0.2.76sf and Kamoj v5.3b4......doesent bypass
Tested with Voxel v1.02.77sf and Kamoj v 5.3b4 and Kamoj 5.3b5 ....doesent bypass
Tested with Voxel v1.0.2.76sf and Kamoj v5.3b5......doesent bypass
Can anyone confirm bypass on ovpn works ?

I can confirm it works fine (lastest Voxel + latest kamoj addon)
tested with "curl ipinfo.io" from the router (VPN IP address) and same command from computer (real IP address = bypass works)

 

[jrbmw]

I can confirm it works fine (lastest Voxel + latest kamoj addon)
tested with "curl ipinfo.io" from the router (VPN IP address) and same command from computer (real IP address = bypass works)

Strange ...I get from my computer.....which I know is my vpn address

root@R7800:/$ curl ipinfo.io
{
"ip": "23.92.127.66",
"city": "Dublin",
"region": "Leinster",
"country": "IE",
"loc": "53.3331,-6.2489",
"org": "AS47536 Global IP Exchange",
"postal": "D02",
"timezone": "Europe/Dublin",
"readme": "https://ipinfo.io/missingauth"
}root@R7800:/$

 

[jrbmw]

Thanks nsx

 

[R. Gerrits]

Strange ...I get from my computer.....which I know is my vpn address

root@R7800:/$ curl ipinfo.io

If that is really the output of your computer, then you are testing it wrong.
If you, from your computer, ssh into your router and then run the test, then it shows the public IP that the router is using. Not the public IP that the computer is using.
You should really use a shell (or commandline or browser) that is actually running on the computer itself.

Also just to be sure, could you share output of (on the router):
ip route show table main
and
ip route show table novpn

If table novpn somehow has gotten the wrong default route, that is the only explaination.

Also, just to be sure, you aren't running a proxy-server (like squid) for all your pc's??

 

[jrbmw]

As you can see ...both the same ....my vpn address,no proxy

This from my computer windows command


"ip": "23.92.127.10",
"city": "Dublin",
"region": "Leinster",
"country": "IE",
"loc": "53.3331,-6.2489",
"org": "AS47536 Global IP Exchange",
"postal": "D02",
"timezone": "Europe/Dublin",
"readme": "https://ipinfo.io/mis

This from my router and putty

oot@R7800:/$
root@R7800:/$ curl ipinfo.io
{
"ip": "23.92.127.10",
"city": "Dublin",
"region": "Leinster",
"country": "IE",
"loc": "53.3331,-6.2489",
"org": "AS47536 Global IP Exchange",
"postal": "D02",
"timezone": "Europe/Dublin",
"readme": "https://ipinfo.io/missingauth"
}root@R7800:/$





root@R7800:/$
root@R7800:/$ ip route show table main
0.0.0.0/1 via 10.21.10.5 dev tun21
default via 172.16.10.217 dev ppp0
10.21.10.1 via 10.21.10.5 dev tun21
10.21.10.5 dev tun21 proto kernel scope link src 10.21.10.6
23.92.127.10 via 172.16.10.217 dev ppp0
128.0.0.0/1 via 10.21.10.5 dev tun21
172.16.10.217 dev ppp0 proto kernel scope link src 195.213.38.68
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
239.0.0.0/8 dev br0 scope link


oot@R7800:/$
root@R7800:/$ ip route show table novpn
root@R7800:/$
root@R7800:/$

 

[jrbmw]

This is what the gui no vpn table shows

0: from all lookup local
32761: from 192.168.1.10 lookup novpn
32762: from 192.168.1.4 lookup novpn
32763: from 192.168.1.5 lookup novpn........my computer
32764: from 192.168.1.6 lookup novpn
32765: from 192.168.1.8 lookup novpn
32766: from all lookup main
32767: from all lookup default

 

[R. Gerrits]

root@R7800:/$ ip route show table novpn
root@R7800:/$
root@R7800:/$

Thats the issue, table novpn contains no routes, so it proably falls back to table main, which is VPN

could you try executing this:

ip route show table main | grep -vE "tun21|wg0" | while read -r route; do  
   ip route add $route table novpn
done

(it's the code I'm using in my version of VPN bypass)

 

[jrbmw]

Thats the issue, table novpn contains no routes, so it proably falls back to table main, which is VPN

could you try executing this:

ip route show table main | grep -vE "tun21|wg0" | while read -r route; do 
   ip route add $route table novpn
done

(it's the code I'm using in my version of VPN bypass)

root@R7800:/$
root@R7800:/$ ip route show table main | grep -vE "tun21|wg0" | while read -r route; do
> ip route add $route table novpn
> done
root@R7800:

 

[R. Gerrits]

and does bypass now work / ip route show table vpn does have content?

 

[jrbmw]

A massive thanks for that @R. Gerrits. Its WORKING


Router

oot@R7800:/$
root@R7800:/$ curl ipinfo.io
{
"ip": "23.92.127.10",
"city": "Dublin",
"region": "Leinster",
"country": "IE",
"loc": "53.3331,-6.2489",
"org": "AS47536 Global IP Exchange",
"postal": "D02",
"timezone": "Europe/Dublin",
"readme": "https://ipinfo.io/missingauth"
}root@R7800:/$


computer

C:\Users/curl ipinfo.io
{
"ip": "195.213.38.68",
"hostname": "68.38.213.195....................",
"city": "Chelmsford",
"region": "England",
"country": "GB",
"loc": "51.7358,0.4696",
"org": "AS6871 .......",
"postal": "...
"timezone": "Europe/London",
"readme": "https://ipinfo.io/missingauth"
}
C:\Users

 

[jrbmw]

and does bypass now work / ip route show table vpn does have content?

Yes it does ...Thanks again
Regards

root@R7800:/$
root@R7800:/$ ip route show table novpn
default via 172.16.10.217 dev ppp0
23.92.127.10 via 172.16.10.217 dev ppp0
172.16.10.217 dev ppp0 proto kernel scope link src 195.213.38.68
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
239.0.0.0/8 dev br0 scope link
root@R7800:/$
root@R7800:/$

 

[R. Gerrits]

good to hear, but this fix is temporary. As soon as router restarts the firewall (which might be a few times per day), this route table will be cleared again by Kamoj's addon_bypassvpn.sh

 

[jrbmw]

Ok,Hopefully @kamoj will sort it.
I’ve kept the code ...in case
Enjoy your weekend and Regards @R.Gerrits

 

[blueliner]

I can confirm it works fine (lastest Voxel + latest kamoj addon)
tested with "curl ipinfo.io" from the router (VPN IP address) and same command from computer (real IP address = bypass works)

I think OpenVPN/Bypass may have a problem on my R9000 too. After installing 5.3b5 (on Voxel 1.0.4.41HF), I finished setting things up and decided to do a reboot. Once the router was back up, I then did a "curl ipinfo.io" from my laptop to help with this discussion. The laptop should have been using the VPN but it wasn't. And to my surprise, the VPN Kill Switch was on, yet I still had internet access. Turns out that my VPN config had lost the username/password after the reboot, so the VPN never connected. I corrected that and tried again after the VPN started. This time my connection was routed through the VPN as it should. I thought all was good.

However, the laptop lost all internet connection after adding it to the OpenVPN Bypass List. Shutting off the Kill Switch got the connection back and the device was properly bypassing the VPN. I found that turning the Kill Switch back on consistently kills the connection for the laptop but it doesn't for another device I checked. Not sure whats up there...

I repeated all the above to confirm the results...same things except that I did find out toggling the Kill Switch off then back on would block internet access (as it should) when the VPN was down (they still had access until the Kill Switch was toggled).

So to sum up, here is my experience with 5.3b5:
1) Lost VPN username and password after reboot (same thing happened on a subsequent reboot)
2) VPN Bypass is working and the IP rules field shows things correctly (switched back and forth and checked ips several times)
3) VPN Kill Switch did not prevent VPN routed devices from connecting to internet when VPN was down (unless it was later toggled off/on)
4) VPN Kill Switch is preventing bypassed laptop (but not all devices) from connecting to the internet

Thanks
BL

 

[kamoj]

You lose the password etc if you have a usb device with the configurations inserted when rebooting.
That is by Voxel firmware design. If you use the kamoj built-in configuration id/password is not lost.
So rename the usb directory "openvpn-client" to something else, please.

Kill switch may need to be rewritten after the new net-wall.
Let's hope for a tip from @R. Gerrits again!

I think OpenVPN/Bypass may have a problem on my R9000 too. After installing 5.3b5 (on Voxel 1.0.4.41HF), I finished setting things up and decided to do a reboot. Once the router was back up, I 1) Lost VPN username and password after reboot (same thing happened on a subsequent reboot)
..3) VPN Kill Switch

 

[kamoj]

Source of problems seems to be the bug fixes in new-wall (both Voxel and Kamoj), in conjunction with an old bug fix
in kamoj openvpn-client. I never knew what the real problem was, so I have a fix in openvpn-client that might not work
as it should anymore.

One day I hope to fix this and make another release.

Sorry for the issues, and thank you @R. Gerrits for fixing the bugs!

 

[HELLO_wORLD]

Well, errors happens

You are one person doing this whole addon project, not a team.
The bigger it gets, the more errors can appear.

And cleaning old code is time consuming...

Source of problems seems to be the bug fixes in new-wall (both Voxel and Kamoj), in conjunction with an old bug fix
in kamoj openvpn-client. I never knew what the real problem was, so I have a fix in openvpn-client that might not work
as it should anymore.

One day I hope to fix this and make another release.

Sorry for the issues, and thank you @R. Gerrits for fixing the bugs!

 

[R. Gerrits]

Kill switch may need to be rewritten after the new net-wall.
Let's hope for a tip from @R. Gerrits again!

afaics kill switch still works as designed. It adds a rule to iptables to reject all traffic from br0 to brwan.
(not sure if kill switch also takes ppp0 connections in to account; didn't look at the code that generated /tmp/openvpn/firewall-start-openvpnkillswitch.sh)

But, I suspect that ppl might expect that bypassed devices are not affected by the killswitch. i.e. that if you add a device to the bypass list, that then for that device traffic is allowed to flow from br0 to brwan (or ppp0).

And if I read blueliners post, then it might be that /tmp/openvpn/firewall-start-openvpnkillswitch.sh is generated at the wrong place in the script. (i.e. if VPN tunnel doesn't come up after a reboot, then it is only generated when someone toggles the killswitch.)

 

[kamoj]

Thank you.

afaics kill switch still works as designed. It adds a rule to iptables to reject all traffic from br0 to brwan.
(not sure if kill switch also takes ppp0 connections in to account; didn't look at the code that generated /tmp/openvpn/firewall-start-openvpnkillswitch.sh)

But, I suspect that ppl might expect that bypassed devices are not affected by the killswitch. i.e. that if you add a device to the bypass list, that then for that device traffic is allowed to flow from br0 to brwan (or ppp0).

And if I read blueliners post, then it might be that /tmp/openvpn/firewall-start-openvpnkillswitch.sh is generated at the wrong place in the script. (i.e. if VPN tunnel doesn't come up after a reboot, then it is only generated when someone toggles the killswitch.)

 

[kamoj]

Thank you.

Well, errors happens

You are one person doing this whole addon project, not a team.
The bigger it gets, the more errors can appear.

And cleaning old code is time consuming...