Single mouseclick on the user name, and then on "Start a Conversation"hey @kamoj was hoping to give the beta a test drive. science help me I haven't found out how to pm on this forum
Single mouseclick on the user name, and then on "Start a Conversation"hey @kamoj was hoping to give the beta a test drive. science help me I haven't found out how to pm on this forum
thank youSingle mouseclick on the user name, and then on "Start a Conversation"
I too have had the internet drop out on occasions.I have some devices on bypass and some through the tunnel.The kill switch is off on the router.I have an app for the vpn on my computer and the killswitch was on.I moved my computer from the tunnel to bypass on the gui with the router vpn on and lost all internet wireless and wired.Had to do a factory reset and and reload to get it all back before I summised what had happened.
Today my internet dropped out but the router leds said it was connected .The vpn app on my laptop said connected. The router gui said no internet.....To get it back this time I turned the vpn off on the router and internet came back on. I then turned the vpn back on and all was ok.So there is a conflict somewhere. the reason I have different devices with vpns is so I can go to different countries on whatever device
Changes in kamoj-addon beta version 5.3b12
-------------------------------------------------
INFORMATION/WARNING: This is a BETA release for the adventurous only.
It is tested very little, but I release it since I'll be away for some time,
and it's good to get early feedback.
- ............................................................................................................
The supervision functions "Restart at connection failure",
are meant to restart the "service" when it fails,
and when the DNS / Internet cease to work.
So far so good for me too. Hopefully some of the bugs @kamoj sorted were part of the problemI was unable to find anything amiss with my OpenVPN configs that might be causing the dropouts. So I went ahead and installed Kamoj addon 5.3b12. Its been running OK for a day.
Thanks,
BL
Also here already running 5.3b12 since yesterday and no issues, until I started looking for them
I started testing the new Supervision function:
(I enabled it for OpenVPN, WireGuard and Adguard)
First tested OpenVPN:
blocked traffic to my VPN provider to simulate tunnel failure, by adding this command to /opt/scripts/firewall-start-sh:
iptables -t filter -I OUTPUT 1 -d <OpenVPNserver IP> -j DROP
nothing happened (other than OpenVPN itself already detecting that the tunnel is down, and trying to restart itself
-> then I remembered I also have VPN bypass enabled on my router itself, so the tests the add-on is doing still work, because they bypass the "broken" tunnel.
After removing the bypass for my router (with the iptables drop rule still active), I do see that Supervision script is restarting AdGuard.
(which itself doesn't necessarily have an issue, but simply cannot reach its upstream DNS, because the VPN tunnel is having the issue and restarting AdGuard will not fix that)
But it doesn't try to restart OpenVPN.
I see the add-on is looking for error "RESOLVE: Cannot resolve host address" in the openvpn-client.log but I'm only seeing "write UDP: Operation not permitted (code=1)" errors in OpenVPN log.
I'll try some other things, but for now, my initial feedback would be:
- first test ip connectivity by trying to connect somewhere based on IP-address only (ping 1.1.1.1 or curl 1.1.1.1 or something like that; perhaps we need more options to be certain? (not sure it there are more big internet companies that have http enabled on a well-known fixed IP like 1.0.0.1 & 1.1.1.1)
- if connection on IP is not possible, restart VPN tunnel (either WG or OVPN)
- else test DNS resolving. (and perhaps here rely on nslookup instead of ping ??)
tricky thing: if both have an issue, then VPN cannot reconnect after restart, because it might not be able to resolve the VPN endpoint name.
However, in the current setup, this is not likely to happen, as local processes like OVPN or WG still use dnsmasq for name-resolution.
This also affects AdGuard supervision logic: the router itself isn't using Adguard -> doing a ping www.cloudflare.com will only test if dnsmasq (including the dns-servers that are specified in the Internet Setup) are still working.
And these might still work fine, while AdGuard is having an issue.
Not yet sure how you'd best be able to detect AdGuard status.
(unfortunately nslookup www.cloudflare.com <routerip>:<adguardport> doesn't work...)
Also, I have a question. How do you enable VPN bypass on the router? Is it done through the normal bypass menu or by some other means?
[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE
If you have a VPN tunnel active on your router, then by default all traffic from the router and all traffic from devices on your LAN, are routed through that VPN tunnel. (and are thus hidden / encrypted for your ISP).Does this mean that if you bypass some device then even transmission or Download manager get bypassed and dont use the VPN-connection for that software?
I edit /usr/bin/addon_bypassvpnip.sh and add the following line just above the last occurance of "ip route flush cache"
(line 479 if using 5.3b12)
Code:[ "$(ip rule list | grep -c "iif lo lookup $NOVPN_TABLE")" = "0" ] && ip rule add iif lo table $NOVPN_TABLE
And then afterwards do /usr/bin/addon_bypassvpnip.sh force to make the change active.
NOTE, with bypass enabled on the router, a few things change:
- DDNS (when using it) will register the actual public WAN IP with the dyndns provider. (for me this is one of the reasons to have the bypass)
(without bypass, it would (eventually) register the public VPN IP)
- all traffic initiated by the router itself, will go to the internet directly (and thus potentially is unencrypted). Most of that traffic will be DNS traffic.
But for instance if you'd run Transmission or the DownloadManager on your router, then that traffic is also no longer protected/hidden by the VPN.
- you can start using VPN server together with the VPN client (another reason for me to enable the bypass)
can you ssh into the router and execute:
/usr/bin/addon_bypassvpn.sh
And see if that fixes it (check via ip rule show list)
If not then you can also try:
/usr/bin/addon_bypassvpn.sh force
root@R7800:~$ ip route show table novpn
Error: argument "novpn" is wrong: table id value is invalid
[ "$(grep -c "${novpn}$" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables
[ "$(grep -c "${NOVPN_TABLE}" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!