Kamoj Kamoj Add-on 5.1 Beta testing poll

[Droidrat]

hey @kamoj was hoping to give the beta a test drive. science help me I haven't found out how to pm on this forum

Single mouseclick on the user name, and then on "Start a Conversation"

 

[Gallo]

Single mouseclick on the user name, and then on "Start a Conversation"

thank you

 

[blueliner]

I too have had the internet drop out on occasions.I have some devices on bypass and some through the tunnel.The kill switch is off on the router.I have an app for the vpn on my computer and the killswitch was on.I moved my computer from the tunnel to bypass on the gui with the router vpn on and lost all internet wireless and wired.Had to do a factory reset and and reload to get it all back before I summised what had happened.
Today my internet dropped out but the router leds said it was connected .The vpn app on my laptop said connected. The router gui said no internet.....To get it back this time I turned the vpn off on the router and internet came back on. I then turned the vpn back on and all was ok.So there is a conflict somewhere. the reason I have different devices with vpns is so I can go to different countries on whatever device

Thanks for mentioning it. That sounds similar to the issues I've seen and the things I've had to do to get internet connection back.

BL

 

[blueliner]

Changes in kamoj-addon beta version 5.3b12
-------------------------------------------------
INFORMATION/WARNING: This is a BETA release for the adventurous only.
It is tested very little, but I release it since I'll be away for some time,
and it's good to get early feedback.
- ............................................................................................................
The supervision functions "Restart at connection failure",
are meant to restart the "service" when it fails,
and when the DNS / Internet cease to work.

I was unable to find anything amiss with my OpenVPN configs that might be causing the dropouts. So I went ahead and installed Kamoj addon 5.3b12. Its been running OK for a day.

Thanks,
BL

 

[jrbmw]

I was unable to find anything amiss with my OpenVPN configs that might be causing the dropouts. So I went ahead and installed Kamoj addon 5.3b12. Its been running OK for a day.

Thanks,
BL

So far so good for me too. Hopefully some of the bugs @kamoj sorted were part of the problem

 

[R. Gerrits]

Also here already running 5.3b12 since yesterday and no issues, until I started looking for them

I started testing the new Supervision function:
(I enabled it for OpenVPN, WireGuard and Adguard)

First tested OpenVPN:
blocked traffic to my VPN provider to simulate tunnel failure, by adding this command to /opt/scripts/firewall-start-sh:
iptables -t filter -I OUTPUT 1 -d <OpenVPNserver IP> -j DROP

nothing happened (other than OpenVPN itself already detecting that the tunnel is down, and trying to restart itself
-> then I remembered I also have VPN bypass enabled on my router itself, so the tests the add-on is doing still work, because they bypass the "broken" tunnel.

After removing the bypass for my router (with the iptables drop rule still active), I do see that Supervision script is restarting AdGuard.
(which itself doesn't necessarily have an issue, but simply cannot reach its upstream DNS, because the VPN tunnel is having the issue and restarting AdGuard will not fix that)

But it doesn't try to restart OpenVPN.

I see the add-on is looking for error "RESOLVE: Cannot resolve host address" in the openvpn-client.log but I'm only seeing "write UDP: Operation not permitted (code=1)" errors in OpenVPN log.

I'll try some other things, but for now, my initial feedback would be:

- first test ip connectivity by trying to connect somewhere based on IP-address only (ping 1.1.1.1 or curl 1.1.1.1 or something like that; perhaps we need more options to be certain? (not sure it there are more big internet companies that have http enabled on a well-known fixed IP like 1.0.0.1 & 1.1.1.1)
- if connection on IP is not possible, restart VPN tunnel (either WG or OVPN)
- else test DNS resolving. (and perhaps here rely on nslookup instead of ping ??)

tricky thing: if both have an issue, then VPN cannot reconnect after restart, because it might not be able to resolve the VPN endpoint name.
However, in the current setup, this is not likely to happen, as local processes like OVPN or WG still use dnsmasq for name-resolution.

This also affects AdGuard supervision logic: the router itself isn't using Adguard -> doing a ping www.cloudflare.com will only test if dnsmasq (including the dns-servers that are specified in the Internet Setup) are still working.
And these might still work fine, while AdGuard is having an issue.

Not yet sure how you'd best be able to detect AdGuard status.
(unfortunately nslookup www.cloudflare.com <routerip>:<adguardport> doesn't work...)

 

[blueliner]

Also here already running 5.3b12 since yesterday and no issues, until I started looking for them

I started testing the new Supervision function:
(I enabled it for OpenVPN, WireGuard and Adguard)

First tested OpenVPN:
blocked traffic to my VPN provider to simulate tunnel failure, by adding this command to /opt/scripts/firewall-start-sh:
iptables -t filter -I OUTPUT 1 -d <OpenVPNserver IP> -j DROP

nothing happened (other than OpenVPN itself already detecting that the tunnel is down, and trying to restart itself
-> then I remembered I also have VPN bypass enabled on my router itself, so the tests the add-on is doing still work, because they bypass the "broken" tunnel.

After removing the bypass for my router (with the iptables drop rule still active), I do see that Supervision script is restarting AdGuard.
(which itself doesn't necessarily have an issue, but simply cannot reach its upstream DNS, because the VPN tunnel is having the issue and restarting AdGuard will not fix that)

But it doesn't try to restart OpenVPN.

I see the add-on is looking for error "RESOLVE: Cannot resolve host address" in the openvpn-client.log but I'm only seeing "write UDP: Operation not permitted (code=1)" errors in OpenVPN log.

I'll try some other things, but for now, my initial feedback would be:

- first test ip connectivity by trying to connect somewhere based on IP-address only (ping 1.1.1.1 or curl 1.1.1.1 or something like that; perhaps we need more options to be certain? (not sure it there are more big internet companies that have http enabled on a well-known fixed IP like 1.0.0.1 & 1.1.1.1)
- if connection on IP is not possible, restart VPN tunnel (either WG or OVPN)
- else test DNS resolving. (and perhaps here rely on nslookup instead of ping ??)

tricky thing: if both have an issue, then VPN cannot reconnect after restart, because it might not be able to resolve the VPN endpoint name.
However, in the current setup, this is not likely to happen, as local processes like OVPN or WG still use dnsmasq for name-resolution.

This also affects AdGuard supervision logic: the router itself isn't using Adguard -> doing a ping www.cloudflare.com will only test if dnsmasq (including the dns-servers that are specified in the Internet Setup) are still working.
And these might still work fine, while AdGuard is having an issue.

Not yet sure how you'd best be able to detect AdGuard status.
(unfortunately nslookup www.cloudflare.com <routerip>:<adguardport> doesn't work...)

Hello,

Great testing and observation. What you mentioned about how the add-on checks for OpenVPN connectivity may explain the instances where I've lost VPN connections yet the add-on showed the VPN tunnel still active. The idea of a ping test makes sense to me.

Also, I have a question. How do you enable VPN bypass on the router? Is it done through the normal bypass menu or by some other means?

Thanks,
BL

 

[Gallo]

@kamoj wowwwwwwwwwwwww. Dude this is incredible. I'm starting to use the features so far so good . Cant wait to enable adblocking will play tomorrow. I had drifted away from voxel's not by choice but because of missing features, thats all changed now.

 

[R. Gerrits]

Also, I have a question. How do you enable VPN bypass on the router? Is it done through the normal bypass menu or by some other means?

I edit /usr/bin/addon_bypassvpnip.sh and add the following line just above the last occurance of "ip route flush cache"
(line 479 if using 5.3b12)

     [ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE

And then afterwards do /usr/bin/addon_bypassvpnip.sh force to make the change active.

NOTE, with bypass enabled on the router, a few things change:
- DDNS (when using it) will register the actual public WAN IP with the dyndns provider. (for me this is one of the reasons to have the bypass)
(without bypass, it would (eventually) register the public VPN IP)
- all traffic initiated by the router itself, will go to the internet directly (and thus potentially is unencrypted). Most of that traffic will be DNS traffic.
But for instance if you'd run Transmission or the DownloadManager on your router, then that traffic is also no longer protected/hidden by the VPN.
- you can start using VPN server together with the VPN client (another reason for me to enable the bypass)

 

[KW.]

Installed latest beta, have had no problems and works very fine. Too fine really in a way so I dont have much to do inside that thing.

All is working and fast and clean. I like that for every beta I get even more options and control. I also like the idea that the router starts to fix itself when lost connection and so on. Even if lost connections never is a problem for me anymore. It was before Wireguard and not related to Voxel or Kamoj-addon. I believe it's a bigger problem on Open VPN at least it was when i used it on my computer. But that was a long time ago.

I need to say thanks for spoiling us from the need to sometime have to restart the router But also that, for me, is never needed anymore as this project been going forward.

The last discussions here I don't really get. Are we talking about VPN-bypassing and how to do that? It's in the GUI so just must been talking about something else??

R.Gerrits

"But for instance if you'd run Transmission or the DownloadManager on your router, then that traffic is also no longer protected/hidden by the VPN."

Does this mean that if you bypass some device then even transmission or Download manager get bypassed and dont use the VPN-connection for that software?

Sorry if I come out as what I really am - an illiterate in coding and tech-talk. I just want to understand this and maybe a "clarification" helps more then me.

 

[R. Gerrits]

Does this mean that if you bypass some device then even transmission or Download manager get bypassed and dont use the VPN-connection for that software?

If you have a VPN tunnel active on your router, then by default all traffic from the router and all traffic from devices on your LAN, are routed through that VPN tunnel. (and are thus hidden / encrypted for your ISP).

Kamoj's addon already allows the GUI to specify IP-addresses / mac-addresses that should bypass the VPN.

This creates routing rules that don't route traffic from those IPs through the VPN tunnel, but routes it directly to the internet via your ISP.
So if you run for instance bittorrent on the device that is Bypassed, then your ISP can see that traffic. And also your real IP address is sent to the bittorrent trackers.

Similarly, if you run the Transmission client on your router, then by default this is routed through the VPN.

But if you use SSH to connect to the router and manually make the change I mentioned, then besides all the IPs configured in the GUI, also the the traffic from the router itself is routed directly via your ISP.
And then bittorrent trackers would again see your real IP address.

Bypassing in principle only affects the devices that you configure it for.

(but whether or not you manually enable bypass for your router, might affect the functioning of DNS. And this could impact both bypassed and non-bypassed devices)

 

[R. Gerrits]

short version:
VPN Bypassing is in the GUI, but only for devices on your LAN and not for the router itself.
And bypassing a random device on your LAN does not affect Transmission or the DownloadManager on the router.

(But using SSH to manually configure bypass for the router does)

 

[KW.]

Thank you so much that made it clear for me. So fun to see your and others brains work in here. I pick up some and learn some and miss allot and that make it so interesting!

thank you again.

 

[blueliner]

I edit /usr/bin/addon_bypassvpnip.sh and add the following line just above the last occurance of "ip route flush cache"
(line 479 if using 5.3b12)

     [ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE

And then afterwards do /usr/bin/addon_bypassvpnip.sh force to make the change active.

NOTE, with bypass enabled on the router, a few things change:
- DDNS (when using it) will register the actual public WAN IP with the dyndns provider. (for me this is one of the reasons to have the bypass)
(without bypass, it would (eventually) register the public VPN IP)
- all traffic initiated by the router itself, will go to the internet directly (and thus potentially is unencrypted). Most of that traffic will be DNS traffic.
But for instance if you'd run Transmission or the DownloadManager on your router, then that traffic is also no longer protected/hidden by the VPN.
- you can start using VPN server together with the VPN client (another reason for me to enable the bypass)

Thank you for the information on router-bypass. I am considering making some changes that appear to be similar to your setup and thought the router-bypass may be a good fit.

By the way, I did have some ping-restart errors on OpenVPN but it seems like things came back OK. Running much better for me on this version of the add-on. I made a couple tweaks to OpenVPN so we'll see how it goes...

BL

 

[blueliner]

I just installed Voxel 1.0.4.42HF with the Kamoj 5.3b12 add-on. I noticed that the "Show IP Rule" for OpenVPN bypass doesn't show anything bypassed. There should be seven devices bypassed but this is what the Show IP Rule lists:

0: from all lookup local
32766: from all lookup main
32767: from all lookup default

A quick check of one device that should be bypassed shows it is still using the VPN. Is anyone else having the same thing happen or is bypass working? I did a reboot and cleared and re-entered the bypass list but it still doesn't work.

I had neglected to check if the bypass was working when I was on Voxel 1.0.4.41HF. Suggestions or any information I can provide that may be helpful?

Thanks,
BL

 

[R. Gerrits]

can you ssh into the router and execute:
/usr/bin/addon_bypassvpn.sh

And see if that fixes it (check via ip rule show list)

If not then you can also try:
/usr/bin/addon_bypassvpn.sh force

 

[blueliner]

can you ssh into the router and execute:
/usr/bin/addon_bypassvpn.sh

And see if that fixes it (check via ip rule show list)

If not then you can also try:
/usr/bin/addon_bypassvpn.sh force

Thank you R. Gerrits. Unfortunately, I didn't notice your reply earlier and I went ahead and uninstalled/reinstalled the addon (people were getting impatient with me!).

That fixed the problem so perhaps something get messed up when I updated firmware/add-on. If it happens again I will try your suggestion and report back.

Thanks,
BL

 

[R. Gerrits]

fyi, I just flashed the new R7800-V1.0.2.78SF firmware and installed kamoj's addon, restored my own manual additions to addon_bypassvpnip.sh and rebooted.

After the reboot, I also see none of the ip rules for devices that should be bypassed.

I only see my manual rules for traffic that I want to force through the VPN (route via table main)
All the rules that should go via table novpn are missing. (both my manual rules as the onces that the addon is supposed to set.)

Will see if I can find the cause.

 

[R. Gerrits]

found the issue:

root@R7800:~$ ip route show table novpn
Error: argument "novpn" is wrong: table id value is invalid

and is caused by line 451 in /usr/bin/addon_bypassvpnip.sh :

  [ "$(grep -c "${novpn}$" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables

should be

  [ "$(grep -c "${NOVPN_TABLE}" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables

after changing it, and doing a /usr/bin/addon_bypassvpnip.sh force, the rules are back.

(but I cannot explain why @blueliner managed to solve it by reinstalling the addon... would one work if first reinstall 5.3b11 and then after reboot upgrade to b12.)
(b11 still was oke, as it had grep -c "novpn$")

 

[jrbmw]

(but I cannot explain why @blueliner managed to solve it by reinstalling the addon... would one work if first reinstall 5.3b11 and then after reboot upgrade to b12.)
(b11 still was oke, as it had grep -c "novpn$")[/QUOTE]

Same here upgraded to latest Voxel. Reloaded Kamoj addon v12 and no ip rules.So I tried what you summised ...downgraded to Kamoj v11 then upgraded back to v12 and ip rules are there.