Single mouseclick on the user name, and then on "Start a Conversation"hey @kamoj was hoping to give the beta a test drive. science help me I haven't found out how to pm on this forum
Kamoj Kamoj Add-on 5.1 Beta testing poll
Gallo
Occasional Visitor
thank you
Thanks for mentioning it. That sounds similar to the issues I've seen and the things I've had to do to get internet connection back.
BL
I was unable to find anything amiss with my OpenVPN configs that might be causing the dropouts. So I went ahead and installed Kamoj addon 5.3b12. Its been running OK for a day.
Thanks,
BL
R. Gerrits
Very Senior Member
Also here already running 5.3b12 since yesterday and no issues, until I started looking for them
I started testing the new Supervision function:
(I enabled it for OpenVPN, WireGuard and Adguard)
First tested OpenVPN:
blocked traffic to my VPN provider to simulate tunnel failure, by adding this command to /opt/scripts/firewall-start-sh:
iptables -t filter -I OUTPUT 1 -d <OpenVPNserver IP> -j DROP
nothing happened (other than OpenVPN itself already detecting that the tunnel is down, and trying to restart itself
-> then I remembered I also have VPN bypass enabled on my router itself, so the tests the add-on is doing still work, because they bypass the "broken" tunnel.
After removing the bypass for my router (with the iptables drop rule still active), I do see that Supervision script is restarting AdGuard.
(which itself doesn't necessarily have an issue, but simply cannot reach its upstream DNS, because the VPN tunnel is having the issue and restarting AdGuard will not fix that)
But it doesn't try to restart OpenVPN.
I see the add-on is looking for error "RESOLVE: Cannot resolve host address" in the openvpn-client.log but I'm only seeing "write UDP: Operation not permitted (code=1)" errors in OpenVPN log.
I'll try some other things, but for now, my initial feedback would be:
- first test ip connectivity by trying to connect somewhere based on IP-address only (ping 1.1.1.1 or curl 1.1.1.1 or something like that; perhaps we need more options to be certain? (not sure it there are more big internet companies that have http enabled on a well-known fixed IP like 1.0.0.1 & 1.1.1.1)
- if connection on IP is not possible, restart VPN tunnel (either WG or OVPN)
- else test DNS resolving. (and perhaps here rely on nslookup instead of ping ??)
tricky thing: if both have an issue, then VPN cannot reconnect after restart, because it might not be able to resolve the VPN endpoint name.
However, in the current setup, this is not likely to happen, as local processes like OVPN or WG still use dnsmasq for name-resolution.
This also affects AdGuard supervision logic: the router itself isn't using Adguard -> doing a ping www.cloudflare.com will only test if dnsmasq (including the dns-servers that are specified in the Internet Setup) are still working.
And these might still work fine, while AdGuard is having an issue.
Not yet sure how you'd best be able to detect AdGuard status.
(unfortunately nslookup www.cloudflare.com <routerip>:<adguardport> doesn't work...)
I started testing the new Supervision function:
(I enabled it for OpenVPN, WireGuard and Adguard)
First tested OpenVPN:
blocked traffic to my VPN provider to simulate tunnel failure, by adding this command to /opt/scripts/firewall-start-sh:
iptables -t filter -I OUTPUT 1 -d <OpenVPNserver IP> -j DROP
nothing happened (other than OpenVPN itself already detecting that the tunnel is down, and trying to restart itself
-> then I remembered I also have VPN bypass enabled on my router itself, so the tests the add-on is doing still work, because they bypass the "broken" tunnel.
After removing the bypass for my router (with the iptables drop rule still active), I do see that Supervision script is restarting AdGuard.
(which itself doesn't necessarily have an issue, but simply cannot reach its upstream DNS, because the VPN tunnel is having the issue and restarting AdGuard will not fix that)
But it doesn't try to restart OpenVPN.
I see the add-on is looking for error "RESOLVE: Cannot resolve host address" in the openvpn-client.log but I'm only seeing "write UDP: Operation not permitted (code=1)" errors in OpenVPN log.
I'll try some other things, but for now, my initial feedback would be:
- first test ip connectivity by trying to connect somewhere based on IP-address only (ping 1.1.1.1 or curl 1.1.1.1 or something like that; perhaps we need more options to be certain? (not sure it there are more big internet companies that have http enabled on a well-known fixed IP like 1.0.0.1 & 1.1.1.1)
- if connection on IP is not possible, restart VPN tunnel (either WG or OVPN)
- else test DNS resolving. (and perhaps here rely on nslookup instead of ping ??)
tricky thing: if both have an issue, then VPN cannot reconnect after restart, because it might not be able to resolve the VPN endpoint name.
However, in the current setup, this is not likely to happen, as local processes like OVPN or WG still use dnsmasq for name-resolution.
This also affects AdGuard supervision logic: the router itself isn't using Adguard -> doing a ping www.cloudflare.com will only test if dnsmasq (including the dns-servers that are specified in the Internet Setup) are still working.
And these might still work fine, while AdGuard is having an issue.
Not yet sure how you'd best be able to detect AdGuard status.
(unfortunately nslookup www.cloudflare.com <routerip>:<adguardport> doesn't work...)
Also here already running 5.3b12 since yesterday and no issues, until I started looking for them
I started testing the new Supervision function:
(I enabled it for OpenVPN, WireGuard and Adguard)
First tested OpenVPN:
blocked traffic to my VPN provider to simulate tunnel failure, by adding this command to /opt/scripts/firewall-start-sh:
iptables -t filter -I OUTPUT 1 -d <OpenVPNserver IP> -j DROP
nothing happened (other than OpenVPN itself already detecting that the tunnel is down, and trying to restart itself
-> then I remembered I also have VPN bypass enabled on my router itself, so the tests the add-on is doing still work, because they bypass the "broken" tunnel.
After removing the bypass for my router (with the iptables drop rule still active), I do see that Supervision script is restarting AdGuard.
(which itself doesn't necessarily have an issue, but simply cannot reach its upstream DNS, because the VPN tunnel is having the issue and restarting AdGuard will not fix that)
But it doesn't try to restart OpenVPN.
I see the add-on is looking for error "RESOLVE: Cannot resolve host address" in the openvpn-client.log but I'm only seeing "write UDP: Operation not permitted (code=1)" errors in OpenVPN log.
I'll try some other things, but for now, my initial feedback would be:
- first test ip connectivity by trying to connect somewhere based on IP-address only (ping 1.1.1.1 or curl 1.1.1.1 or something like that; perhaps we need more options to be certain? (not sure it there are more big internet companies that have http enabled on a well-known fixed IP like 1.0.0.1 & 1.1.1.1)
- if connection on IP is not possible, restart VPN tunnel (either WG or OVPN)
- else test DNS resolving. (and perhaps here rely on nslookup instead of ping ??)
tricky thing: if both have an issue, then VPN cannot reconnect after restart, because it might not be able to resolve the VPN endpoint name.
However, in the current setup, this is not likely to happen, as local processes like OVPN or WG still use dnsmasq for name-resolution.
This also affects AdGuard supervision logic: the router itself isn't using Adguard -> doing a ping www.cloudflare.com will only test if dnsmasq (including the dns-servers that are specified in the Internet Setup) are still working.
And these might still work fine, while AdGuard is having an issue.
Not yet sure how you'd best be able to detect AdGuard status.
(unfortunately nslookup www.cloudflare.com <routerip>:<adguardport> doesn't work...)
Hello,
Great testing and observation. What you mentioned about how the add-on checks for OpenVPN connectivity may explain the instances where I've lost VPN connections yet the add-on showed the VPN tunnel still active. The idea of a ping test makes sense to me.
Also, I have a question. How do you enable VPN bypass on the router? Is it done through the normal bypass menu or by some other means?
Thanks,
BL
R. Gerrits
Very Senior Member
I edit /usr/bin/addon_bypassvpnip.sh and add the following line just above the last occurance of "ip route flush cache"
(line 479 if using 5.3b12)
Code:
[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLEAnd then afterwards do /usr/bin/addon_bypassvpnip.sh force to make the change active.
NOTE, with bypass enabled on the router, a few things change:
- DDNS (when using it) will register the actual public WAN IP with the dyndns provider. (for me this is one of the reasons to have the bypass)
(without bypass, it would (eventually) register the public VPN IP)
- all traffic initiated by the router itself, will go to the internet directly (and thus potentially is unencrypted). Most of that traffic will be DNS traffic.
But for instance if you'd run Transmission or the DownloadManager on your router, then that traffic is also no longer protected/hidden by the VPN.
- you can start using VPN server together with the VPN client (another reason for me to enable the bypass)
Installed latest beta, have had no problems and works very fine. Too fine really in a way so I dont have much to do inside that thing.
All is working and fast and clean. I like that for every beta I get even more options and control. I also like the idea that the router starts to fix itself when lost connection and so on. Even if lost connections never is a problem for me anymore. It was before Wireguard and not related to Voxel or Kamoj-addon. I believe it's a bigger problem on Open VPN at least it was when i used it on my computer. But that was a long time ago.
I need to say thanks for spoiling us from the need to sometime have to restart the router But also that, for me, is never needed anymore as this project been going forward.
The last discussions here I don't really get. Are we talking about VPN-bypassing and how to do that? It's in the GUI so just must been talking about something else??
R.Gerrits
"But for instance if you'd run Transmission or the DownloadManager on your router, then that traffic is also no longer protected/hidden by the VPN."
Does this mean that if you bypass some device then even transmission or Download manager get bypassed and dont use the VPN-connection for that software?
Sorry if I come out as what I really am - an illiterate in coding and tech-talk. I just want to understand this and maybe a "clarification" helps more then me.
All is working and fast and clean. I like that for every beta I get even more options and control. I also like the idea that the router starts to fix itself when lost connection and so on. Even if lost connections never is a problem for me anymore. It was before Wireguard and not related to Voxel or Kamoj-addon. I believe it's a bigger problem on Open VPN at least it was when i used it on my computer. But that was a long time ago.
I need to say thanks for spoiling us from the need to sometime have to restart the router
But also that, for me, is never needed anymore as this project been going forward.The last discussions here I don't really get. Are we talking about VPN-bypassing and how to do that? It's in the GUI so just must been talking about something else??
R.Gerrits
"But for instance if you'd run Transmission or the DownloadManager on your router, then that traffic is also no longer protected/hidden by the VPN."
Does this mean that if you bypass some device then even transmission or Download manager get bypassed and dont use the VPN-connection for that software?
Sorry if I come out as what I really am - an illiterate in coding and tech-talk. I just want to understand this and maybe a "clarification" helps more then me.
R. Gerrits
Very Senior Member
If you have a VPN tunnel active on your router, then by default all traffic from the router and all traffic from devices on your LAN, are routed through that VPN tunnel. (and are thus hidden / encrypted for your ISP).
Kamoj's addon already allows the GUI to specify IP-addresses / mac-addresses that should bypass the VPN.
This creates routing rules that don't route traffic from those IPs through the VPN tunnel, but routes it directly to the internet via your ISP.
So if you run for instance bittorrent on the device that is Bypassed, then your ISP can see that traffic. And also your real IP address is sent to the bittorrent trackers.
Similarly, if you run the Transmission client on your router, then by default this is routed through the VPN.
But if you use SSH to connect to the router and manually make the change I mentioned, then besides all the IPs configured in the GUI, also the the traffic from the router itself is routed directly via your ISP.
And then bittorrent trackers would again see your real IP address.
Bypassing in principle only affects the devices that you configure it for.
(but whether or not you manually enable bypass for your router, might affect the functioning of DNS. And this could impact both bypassed and non-bypassed devices)
R. Gerrits
Very Senior Member
short version:
VPN Bypassing is in the GUI, but only for devices on your LAN and not for the router itself.
And bypassing a random device on your LAN does not affect Transmission or the DownloadManager on the router.
(But using SSH to manually configure bypass for the router does)
VPN Bypassing is in the GUI, but only for devices on your LAN and not for the router itself.
And bypassing a random device on your LAN does not affect Transmission or the DownloadManager on the router.
(But using SSH to manually configure bypass for the router does)
Thank you for the information on router-bypass. I am considering making some changes that appear to be similar to your setup and thought the router-bypass may be a good fit.
By the way, I did have some ping-restart errors on OpenVPN but it seems like things came back OK. Running much better for me on this version of the add-on. I made a couple tweaks to OpenVPN so we'll see how it goes...
BL
I just installed Voxel 1.0.4.42HF with the Kamoj 5.3b12 add-on. I noticed that the "Show IP Rule" for OpenVPN bypass doesn't show anything bypassed. There should be seven devices bypassed but this is what the Show IP Rule lists:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
A quick check of one device that should be bypassed shows it is still using the VPN. Is anyone else having the same thing happen or is bypass working? I did a reboot and cleared and re-entered the bypass list but it still doesn't work.
I had neglected to check if the bypass was working when I was on Voxel 1.0.4.41HF. Suggestions or any information I can provide that may be helpful?
Thanks,
BL
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
A quick check of one device that should be bypassed shows it is still using the VPN. Is anyone else having the same thing happen or is bypass working? I did a reboot and cleared and re-entered the bypass list but it still doesn't work.
I had neglected to check if the bypass was working when I was on Voxel 1.0.4.41HF. Suggestions or any information I can provide that may be helpful?
Thanks,
BL
R. Gerrits
Very Senior Member
can you ssh into the router and execute:
/usr/bin/addon_bypassvpn.sh
And see if that fixes it (check via ip rule show list)
If not then you can also try:
/usr/bin/addon_bypassvpn.sh force
/usr/bin/addon_bypassvpn.sh
And see if that fixes it (check via ip rule show list)
If not then you can also try:
/usr/bin/addon_bypassvpn.sh force
Thank you R. Gerrits. Unfortunately, I didn't notice your reply earlier and I went ahead and uninstalled/reinstalled the addon (people were getting impatient with me!).
That fixed the problem so perhaps something get messed up when I updated firmware/add-on. If it happens again I will try your suggestion and report back.
Thanks,
BL
R. Gerrits
Very Senior Member
fyi, I just flashed the new R7800-V1.0.2.78SF firmware and installed kamoj's addon, restored my own manual additions to addon_bypassvpnip.sh and rebooted.
After the reboot, I also see none of the ip rules for devices that should be bypassed.
I only see my manual rules for traffic that I want to force through the VPN (route via table main)
All the rules that should go via table novpn are missing. (both my manual rules as the onces that the addon is supposed to set.)
Will see if I can find the cause.
After the reboot, I also see none of the ip rules for devices that should be bypassed.
I only see my manual rules for traffic that I want to force through the VPN (route via table main)
All the rules that should go via table novpn are missing. (both my manual rules as the onces that the addon is supposed to set.)
Will see if I can find the cause.
R. Gerrits
Very Senior Member
found the issue:
and is caused by line 451 in /usr/bin/addon_bypassvpnip.sh :
should be
after changing it, and doing a /usr/bin/addon_bypassvpnip.sh force, the rules are back.
(but I cannot explain why @blueliner managed to solve it by reinstalling the addon... would one work if first reinstall 5.3b11 and then after reboot upgrade to b12.)
(b11 still was oke, as it had grep -c "novpn$")
Code:
root@R7800:~$ ip route show table novpn
Error: argument "novpn" is wrong: table id value is invalidand is caused by line 451 in /usr/bin/addon_bypassvpnip.sh :
Code:
[ "$(grep -c "${novpn}$" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables
Code:
[ "$(grep -c "${NOVPN_TABLE}" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tablesafter changing it, and doing a /usr/bin/addon_bypassvpnip.sh force, the rules are back.
(but I cannot explain why @blueliner managed to solve it by reinstalling the addon... would one work if first reinstall 5.3b11 and then after reboot upgrade to b12.)
(b11 still was oke, as it had grep -c "novpn$")
Last edited:
(but I cannot explain why @blueliner managed to solve it by reinstalling the addon... would one work if first reinstall 5.3b11 and then after reboot upgrade to b12.)
(b11 still was oke, as it had grep -c "novpn$")[/QUOTE]
Same here upgraded to latest Voxel. Reloaded Kamoj addon v12 and no ip rules.So I tried what you summised ...downgraded to Kamoj v11 then upgraded back to v12 and ip rules are there.
(b11 still was oke, as it had grep -c "novpn$")[/QUOTE]
Same here upgraded to latest Voxel. Reloaded Kamoj addon v12 and no ip rules.So I tried what you summised ...downgraded to Kamoj v11 then upgraded back to v12 and ip rules are there.
Similar threads
Latest threads
-
Axe 16000 dropping connection from games
- Started by Dyvurcz
- Replies: 0
-
-
-
-
ASUS RT-AC86U Firmware version 3.0.0.4.386_51955 (2024/11/08)
- Started by lepicane
- Replies: 0
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!
Staff online
-
RMerlinAsuswrt-Merlin dev