Kamoj Kamoj Add-on 5.1 Beta testing poll

Do you want to beta test Kamoj add-on v5.1b1?

  • No, I don't trust 3rd party software

    Votes: 0 0.0%
  • No, I don't use the Voxel firmware

    Votes: 0 0.0%
  • No, I don't like your add-on

    Votes: 0 0.0%

  • Total voters
    207
Today I tried out WireGuard-go on my R7800. A few observations:

An earlier fix regarding VPN bypassing on WireGuard that I suggested to @kamoj apparently doesn't work. :(
(guess we don't have ppl using WG with VPN Bypass.)

Code:
  if [ -z "$WAN_GWAY" ]; then WAN_GWAY="$(ip route | awk '/via/ && /dev "$WAN_IF"/ && !/default/"'{print $3}')";fi

Here the awk command is in single quotes, so it never expands the variable "$WAN_IF"
This line does work:
Code:
  if [ -z "$WAN_GWAY" ]; then WAN_GWAY="$(ip route | awk "/via/ && /dev $WAN_IF/ && !/default/"'{print $3}')";fi

Another thing I noticed:
With OpenVPN, I can click the green box (with the white check mark) to stop OpenVPN and then click the red box to start it again.
With WireGuard however, this doesn't reliably work...
(When it doesn't work, then starting via the green "start Wireguard Client with this" does work. But for stopping, I need to use etc/init.d/wg-client stop.)

And last thing: the killswitch for WireGuard also doesn't work.
Code:
root@R7800:~$ /tmp/wireguard/firewall-start-wireguard_killswitch.sh
iptables v1.8.4 (legacy): mark: bad integer value for option "--mark", or out of range.

Try `iptables -h' or 'iptables --help' for more information.
(wouldn't it be simpler to just call the same kill-switch script as for OpenVPN, including excluding bypassed devices from the killswitch?)
Also, stopping WireGuard doesn't properly clean up its routes.

stopping it shows:
Code:
2020-06-09 23:57:55 [OpenVPN] WireGuard Client 32144: 4345.91:Information: Stop: Delete wireguard routing
Error: either "to" is duplicate, or "13.95.xxx.xxx" is a garbage.
and then this route still remains in my routing tables:
13.95.xxx.xxx via 94.213.xxx.xxx dev brwan

Perhaps tomorrow I'll take a look if I can improve the WG init-script

EDIT: already had a quick peek -> the issue is that I have configured additional static routes via Advanced Setup -> Static Routes.

If I remove my static routes, then the init-script does successfully clean up on shutdown.
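
The quoting issue from the post above, as an added example (not part of the thread and not the add-on's own code): it runs the post's working line next to a variant that passes the interface name with `awk -v` and compares whole fields. The function names and the sample routing table are made up for the illustration.

```shell
#!/bin/sh
# Constructed sample of `ip route` output (documentation address ranges).
SAMPLE_ROUTES='default via 10.8.0.1 dev wg0
default via 192.0.2.1 dev brwan metric 10
198.51.100.7 via 192.0.2.1 dev brwan
203.0.113.0/24 via 192.0.2.254 dev brwan.10
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# The working line from the post: the shell expands the interface name into
# the awk program text, where it acts as a regex. "brwan" therefore also
# matches "brwan.10", and every matching line is printed.
wan_gateway_regex() {
    awk "/via/ && /dev $1/ && !/default/"'{print $3}'
}

# Hypothetical alternative: the awk program stays in single quotes and the
# interface name arrives as an awk variable, compared as an exact string.
# Prints the gateway of the first non-default "via" route on that device.
wan_gateway() {
    awk -v ifc="$1" '
        $1 == "default" { next }
        {
            gw = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (gw != "" && dev == ifc) { print gw; exit }
        }'
}

echo "regex match: $(printf '%s\n' "$SAMPLE_ROUTES" | wan_gateway_regex brwan | tr '\n' ' ')"
echo "exact match: $(printf '%s\n' "$SAMPLE_ROUTES" | wan_gateway brwan)"
```

With the sample table the regex form returns two gateways for `brwan`, because the VLAN-style sub-interface matches as well; the field comparison returns one.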

I normally run OpenVPN, but after seeing your post I installed WireGuard to check it out on my R9000. I see much the same...
- WireGuard bypass does not work
- The Green/Red (Start/Stop) checkbox acts buggy. For me it hasn't failed to stop WireGuard. However, checking the box to start WireGuard sometimes refreshes the section but doesn't appear to initiate a start (box doesn't turn green). I've also seen an instance where the log said WireGuard started successfully but the Shield symbol still showed Red. Restarting corrected that.

Thanks,
BL
 
Changes in kamoj-addon beta version 5.3b9
-------------------------------------------------
- Wireguard Client: Fixed: By-passing was not working (@R. Gerrits, @blueliner)
- Wireguard Client: Fixed: Killswitch was not working (@R. Gerrits)
- Wireguard Client: Added: "No Killswitch for Bypass devices"
- Wireguard Client: Changed: On/Off switch behaviour (@R. Gerrits, @blueliner)
- Wireguard Client: Changed: MTU 1420 -> 1412 for ppp0
- FAQ.txt updated
 
I've installed 5.3b9. Looks to me like the changes are working as expected. WireGuard is bypassing and the start/stop worked OK. Bypassed devices don't have internet access unless the No Killswitch for Bypassed devices is activated. I think R. Gerrits' suggestion to always have it activated (?) makes sense.
I do have one error on the Router Information page. The WireGuard status shows a red shield, with the message: ERROR wg0: No wg0 107.178.xx.xx

I'll report back if I see anything different...

Thanks
BL
 
Once again, it erased all the config of my AdGuard Home when I updated to B9. Maybe I'm not using the right telnet command?
I have the file on my USB device:
/bin/opkg install -V1 --force-overwrite /mnt/sda1/kamoj-addon_200610-224120-5.3b9_r9000.ipk
but I didn't remove the old one, does that matter?
Also I can't save a backup on my USB device either.

Thank you for the feedback!:)

About the AdGuard it's very strange for two reasons:
You shouldn't lose config when you update the add-on. I have tested that.
The function buttons for backup and restore of config work for me.

Have you checked on the USB device that there is no backup?
Have you read the FAQ.txt? There you can read about how the backup functions.
Did you install/uninstall something else as well?

Happy for any more details to solve your issue.
 
I just tried, and it's working for me.

Before update you should:
Adguard Home: Backup config to USB

After update you should:
Adguard Home: Restore config from USB

Maybe these buttons are not working for you?
If you improve your problem description, maybe someone can help you easier.

If you don't remove the old add-on version before installing a new one, you may get problems.
My instruction is clear that you shall uninstall previous version before installing a new one.
(Each version has a different installer that cleans up when you uninstall.
If you don't uninstall your router will be full of garbage and old files and will eventually get big problems)

Stay safe!

After update you should:
Adguard Home: Restore config from USB

Just to doublecheck:
It seems that Restore config from USB doesn't automatically restart AdGuard Home with the new config.
So the proper way currently would be to stop AdGuard (set DNS Filter/Encryption to None), then press Restore config from USB, and then start AdGuard again (set DNS Filter/Encryption to AdGuard Home).

Perhaps this can be improved in the future? (automatic stop and start during restore of config)
(or even better, if AdGuard is started for the first time after installation of addon, have it check the USB disk for a backup file and copy that before starting)
 
Of course this should be improved!
And don't forget to save the config from inside AdGuard Home before doing the backup!

PS
Still there is the user problem, that he/she can not save anything to USB!

Hmm,

Lost internet connection on VPN bypassed devices (with No Killswitch for bypassed devices enabled). Didn't see anything in the VPN log except for recursive routing errors. Kamoj showed VPN still connected but I didn't check any further. Stopped and restarted VPN and bypassed devices regained access... tried that first as I needed to get internet back ASAP.

Not sure that this is related to the Kamoj add-on but thought I'd mention it.

BL
 
It's good you mention it here! Thank you! Let's all keep an eye on it.

When you have a "no internet" problem, please always check if DNS is working.
Actually many complaints I've got for "no internet" have been DNS problems!
 
So far working ok here
 
Lost internet connection on VPN bypassed devices (with No Killswitch for bypassed devices enabled). Didn't see anything in the VPN log except for recursive routing errors. Kamoj showed VPN still connected but I didn't check any further.
My guess:
With current version of the addon, the traffic from the router is not bypassing VPN -> if VPN is down, the router itself has no internet anymore, and thus also DNS does no longer function. (as kamoj is also suggesting).
 
@kamoj, solution for this problem would be a checkbox on the Bypass VPN page called "Bypass traffic from router" (or something like that).

And then if that checkbox is enabled, have the addon_bypassvpn.sh execute this :
[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE

Note, this also affects the DDNS -> If this option is enabled, then DDNS would register the real public IP, instead of the VPN public IP.
And if someone runs Transmission Bittorrent on their router, then also that Bittorrent traffic would no longer use the VPN.

(or an alternative solution, is (better) monitoring of the VPN connection and attempt to restart it automatically if it is down somehow.
But I don't really have an idea on how to do that in a fool proof manner.)
 
Hello

Can someone recommend a VPN provider that uses Wireguard and will supply the necessary config file to get it to work with Kamoj's add on? I was with NordVPN and they use Wireguard (which they call NordLynx) but they won't supply the config file.

Thanks,

jra505
 
Hello,

I honestly don't know the cause but I think you and Kamoj may be right about it being a DNS issue. This happened before and I forgot to post it- so I did so this time without a lot of thought since I was in a hurry. More info from both times:

1. DNSCrypt is enabled on the Kamoj add-on, but I noticed that I do not have "Include Default DNS" (router) checked on the Kamoj Settings tab. In fact I don't have any DNS addresses entered on the Kamoj Settings tab.
2. Primary DNS are two Pi-Hole/DNSCrypt servers on the network and their addresses are entered on the Voxel Basic Internet tab of the router. I am using the Kamoj DNSCrypt noted above as a trial because I'd like to eliminate one of the Pi-Hole servers and use it for something else.
3. Phones bypass VPN and use local Pi-Hole DNS - both had internet.
4. My other local network (different router but same internet connection from bridged modem) still had internet.
5. I noticed this loss of internet connectivity because the internet TV we were watching stopped playing. The R9000 with Kamoj add-on showed no internet connection on the Voxel Basic tab until restart of VPN (even though Kamoj showed VPN "green"/connected). Then the Voxel Basic tab showed Good and TV had internet again.
6. Note however that the TV that lost internet connection is set to bypass the VPN.
7. Amazon Alexa also bypasses VPN and that lost connection at the same time...and came back when VPN was restarted.

Could this be related to how I have DNS setup on my router/Kamoj? What would be the best way to set this up in Voxel/Kamoj (Pi-Hole as Primary DNS and Kamoj DNSCrypt as secondary)?

If DNS is the issue, I can't think of better solutions than what you propose (unless there is a way to use an alternate DNS for VPN??). Since router bypass could be a security risk as you mentioned, if that is incorporated into the add-on it may be good for the bypass checkbox to include warning/confirmation.

If the internet issue happens again, I will try to take the time to investigate more thoroughly.

Thanks,
BL
 

Mullvad supply wireguard config and works ok on @kamoj addon
 
I did notice when I was using PIA VPN, if I didn't have their DNS servers in my internet settings I lost the internet. I don't use dnscrypt or stubby as I seem to get DNS leaks. Aegis works fine and no leaks.
I now use Express VPN and their DNS servers are encrypted in their software so are used regardless of settings. I have several devices on bypass and all work OK with no internet loss and show my real IP address.
 
Hello,

Thanks for the information. If I lose internet connection again I may try adding their DNS server.

BL
 
Very big thank you for your reports, definitely helping to improve the add-on!:)

Can you please be more specific. o_O
First, was it OpenVPN or Wireguard? (Both are VPN).
Plus, in the add-on there are at least 5 ways you can have got that impression.
(If I know where, I can improve the add-on.)
Router Information: OpenVPN Client Status
OpenVPN Client: Connection Status: (Cyclic Status update: On)
OpenVPN Client: Show full VPN log (Or one of the other 2 show log options)
Wireguard Client: Connection Status: (Cyclic Status update: On)
Wireguard Client: Show full VPN log (Or one of the other 2 show log options)

Also the status of your DNS and its log would be helpful.

.. Kamoj showed VPN still connected but I didn't check any further. ..
 
I find this statement very interesting.
Can you please evolve why you "seem to get dns leaks"?
I.e. why you think they leak.

If both dnscrypt and stubby should leak, there might be something wrong with your setup,
and you might be leaking other things as well.
I hope you don't trust the tests at each VPN supplier's home page,
making you use only their DNS without open source or other insight.
(They only test if you use their DNS, and consider all other safe DNS in the world as leaks.)

PS
Did you try AdGuard Home?
.. I dont use dnscrypt or stubby as I seem to get dns leaks. ..
 
@kamoj......it's me that said that :cool:
I always check for DNS leaks with as many internet sites as I can. When I get the red box(es) with "you might be leaking DNS" I don't know whether all the servers that are shown belong to my VPN supplier, only the one with my DNS IP address. When I get a green box from a few different sites I'm satisfied no leaks. Never had a green box on dnscrypt or stubby. Always had a green box on all sites using PIA DNS servers. Express VPN mostly green boxes. Had the same results using Mullvad WireGuard, stubby and dnscrypt.
 
