Kamoj Kamoj Add-on Beta testing II

[primitivo]

Hello Primitivo,

It has been a long time since I set up AdGuard. As I recall, the setup menu gives the option to use an alternate addressort. Mine is set for the web gui to use port 8080 and for the DNS server to listen on port 5300 . I followed the setup from the Kamoj FAQ after making sure the desired ports were available:

Thanks @blueliner, I was misled by Adguard notice that it has to use port 53 for DNS in order to work properly. I guess kamoj addon handles DNS redirection on port 53, so the port provided in adguard setup probably doesn't matter much. I followed 8080 and 5300. Setup ControlD DoH and DoT and they seem to be working very well. I have now also disabled ad-blocking on ControlD, since Adguard handles that. What is nice also is that you can enable selected devices to bypass these blocks on the router level, something you cannot currently achieve with ControlD.

AdGuard itself has the option to use their hosted database for security checks, parental control and safe search. You can also use your own or third party blocklists by entering the ip address for the file location.

So the way I understand it, is that there is some Adguard locally hosted database which is updated and downloaded to the router periodically and based on this it is decided if the address should be blocked or passed. Unlike ControlD, where this is decided on DNS query level.

I wonder now what happens to the DNS addresses provided on the router WAN page? Are they disregarded completely?

Also in Adguard settings, what did you insert under: "Private reverse DNS servers"? Should router main IP be entered e.g. 192.168.1.1 ?

Just found another way to "break" WG connection - by updating internet WAN DNS. WG client shield will turn red and won't re-establish the connection until we uncheck and re-check the green square box manually. This is all despite having "Restart at connection failure" checked.

@blueliner also now with the DoH and DoT setup from ControlD I don't have to care if:
- VPN IP would get changed on reconnection (although I use static IP - but let's say it gives me greater flexibility server wise)
- VPN connection will terminate and ISP connection would kick in - ControlD automatically whitelist new IP via 1st DoH or DoT request

That means if I am not at home, kids won't complain that e.g. Disney+ was not working for them, because VPN stopped working. Obviously I wish things were working more reliably but I hope we will get there at some point once @kamoj do all the fixes and switch from Beta to RC1

 

[blueliner]

Hello,

Primitivo, I am glad to see that AdGuard Home is working for you.

I don't know much about AdGuard Home so my thoughts may not be correct. As far as I know, the DNS servers in the router WAN page are still used by the router for lookups to establish internet/VPN connection, time sync etc. on startup. AdGuard also uses them by default for reverse lookups. I have a backup PiHole DNS server, so I entered that ip into the reverse lookup server box (as far as I know, AGH will use router DCHP assigned ip addresses for local lookups by default).

Regarding the AdGuard Security Service and Parental Controls...I am not sure how they work. A local database as you mentioned would make sense to me, as that would then work like the custom filter lists. But I was thinking the AdGuard services actually make a call when a DNS lookup is requested, so with my slow connection, I don't use them. Instead I use AdGuard blocklists in the custom filters so the blocking is done from a database at the local level. Guess I need to look into this.... maybe someone else on SNB forums knows more about it?

WireGuard...I don't have a PPPoE connection. When I change DNS servers or loose connection, WireGuard starts back up fine.

Best wishes,
BL

 

[B-dog66]

Check memory and cpu usage.
And of course, check the AdGuard log file.
Run speedtest.sh from router command line to check internet speed.

Hello Kamoj,

Thanks for guide, only modification I have done is I disabled the Aegis cron job and since then 7 days 23 hours is AdGuard is running without any issues.

 

[primitivo]

Thanks @blueliner , I guess I need to educate myself a bit more about the way Adguard works but the basic default settings are completely sufficient for me for now. I block some other e.g. adult content via ControlD for now.

I am pretty sure PPPoE specifics is the source of all the problems with the way VPN behaves. I guess it can be fixed but I would need first to call @kamoj ISP to change his connection to PPPoE

So we have a pretty nice setup here: R9000 + WG + Adguard + ControlD DoH & DoT

It's pretty amazing that it work and I wonder if it works because Wireguard DNS settings are completely disregarded or it would also work with OpenVPN configs? By disregarded I mean that regardless of which DNS servers are provided in WG client config, always router DNS (or Adguard Home DNS settings if configured) is used. I don't know if this is due to WG specifics or a bug but it works. The way I see it if someone would be using DNS automatically provided by ISP + WG client, he would leak DNS all the time.

 

[jberry]

Thanks @blueliner , I guess I need to educate myself a bit more about the way Adguard works but the basic default settings are completely sufficient for me for now. I block some other e.g. adult content via ControlD for now.

I am pretty sure PPPoE specifics is the source of all the problems with the way VPN behaves. I guess it can be fixed but I would need first to call @kamoj ISP to change his connection to PPPoE

So we have a pretty nice setup here: R9000 + WG + Adguard + ControlD DoH & DoT

It's pretty amazing that it work and I wonder if it works because Wireguard DNS settings are completely disregarded or it would also work with OpenVPN configs? By disregarded I mean that regardless of which DNS servers are provided in WG client config, always router DNS (or Adguard Home DNS settings if configured) is used. I don't know if this is due to WG specifics or a bug but it works. The way I see it if someone would be using DNS automatically provided by ISP + WG client, he would leak DNS all the time.

Yes, the same thought has crossed my mind too, that the DNS in the wireguard config file is "disregarded" and the main DNS in the router is used. The only problem I have with that is, some VPN providers like Windscribe ( I have a residential IP with them ), their DNS for R.O.B.E.R.T is 10.255.255.1 or 10.255.255.2 - also TorGuard has their internal DNS at 10.8.0.1 or 10.9.0.1 - So my problem is when I set my primary DNS on my router to 10.255.255.1 for my Windscribe wireguard Residential IP VPN, everything is fine with VPN via wireguard, when it is on. When I disconnect, my local ISP actually has a server with the address of 10.255.255.1 and the router sends DNS info to that, but that server is sending something back and there is a loop... usually if I use TorGuard internal DNS at 10.8.0.1 and if the router cant resolve this address, it goes to my secondary of 208.67.222.222 (Open DNS ) for example, internet seems slow but it still loads webpages. Thats the only problem I have... So the only solution in my mind is just use a public resolver that my ISP and VPN likes, but I do think the internal DNS from windscribe for example is safer and actually faster.

 

[primitivo]

Yes, the same thought has crossed my mind too, that the DNS in the wireguard config file is "disregarded" and the main DNS in the router is used. The only problem I have with that is, some VPN providers like Windscribe ( I have a residential IP with them ), their DNS for R.O.B.E.R.T is 10.255.255.1 or 10.255.255.2 - also TorGuard has their internal DNS at 10.8.0.1 or 10.9.0.1 - So my problem is when I set my primary DNS on my router to 10.255.255.1 for my Windscribe wireguard Residential IP VPN, everything is fine with VPN via wireguard, when it is on. When I disconnect, my local ISP actually has a server with the address of 10.255.255.1 and the router sends DNS info to that, but that server is sending something back and there is a loop... usually if I use TorGuard internal DNS at 10.8.0.1 and if the router cant resolve this address, it goes to my secondary of 208.67.222.222 (Open DNS ) for example, internet seems slow but it still loads webpages. Thats the only problem I have... So the only solution in my mind is just use a public resolver that my ISP and VPN likes, but I do think the internal DNS from windscribe for example is safer and actually faster.

I understand your problem very well. I think the solution would be to setup Adguard and then in Adguard "upstream DNS servers" provide all local DNS of Windscribe and Torguard + some other DNS (e.g. Cisco OpenDNS) which would not have the same latency as the local ones. You would then setup "Fastest IP address" resolution in Adguard DNS settings, so in theory it should always resolve via the local one. If not, make sure that the public DNS you set has significantly higher (e.g. by 20-30ms) latency that the local ones. You can then verify the resolvers via Query Log on Adguard Home (highly recommended).

Alternatively you can try controld.com - it is smart DNS by Windscribe, think of it as much better version of R.O.B.E.R.T . You can try it for free for 30 days and if you have Windscribe full priced subscription (e.g. not discounted or lifetime) then you get 50% on Controld.com which makes it $20 per year. It's super value considering what it can do e.g. unblock geo content from many countries (ControlD is using exit IP points of Windscribe, including residential, in fact it is possible to redirect some services via RES Dallas and RES Chicago). You are also not restricted to their supported services, you can build you own recipes based on DNS log queries. I use controld.com DoH and DoT resolvers in Adguard upstream servers, while the main router WAN DNS IP 2x Cisco OpenDNS. Also the benefit of using DoH and DoT of Controld.com is that if your VPN connection goes down or you will use another VPN connection, the new IP will be automatically whitelisted on Controld.com on 1st DoH or DoT request.

ControlD resolvers are based on anycast - they will automatically connect to the nearest servers. Since ControlD.com is using Windscribe infrastructure, if you setup Windscribe WG config + ControlD resolvers, it will be most probably the same speed wise as if you would setup local DNS of Windscribe: https://controld.com/network/

For example I have Torguard WG config in the same location and data center where ControlD DNS is hosted, so I get 5ms DNS latency, which is frankly a delay from my my ISP to that data center, otherwise the DNS query would be seen as under 1ms I believe (same network, same data center).

 

[blueliner]

Yes, the same thought has crossed my mind too, that the DNS in the wireguard config file is "disregarded" and the main DNS in the router is used. The only problem I have with that is, some VPN providers like Windscribe ( I have a residential IP with them ), their DNS for R.O.B.E.R.T is 10.255.255.1 or 10.255.255.2 - also TorGuard has their internal DNS at 10.8.0.1 or 10.9.0.1 - So my problem is when I set my primary DNS on my router to 10.255.255.1 for my Windscribe wireguard Residential IP VPN, everything is fine with VPN via wireguard, when it is on. When I disconnect, my local ISP actually has a server with the address of 10.255.255.1 and the router sends DNS info to that, but that server is sending something back and there is a loop... usually if I use TorGuard internal DNS at 10.8.0.1 and if the router cant resolve this address, it goes to my secondary of 208.67.222.222 (Open DNS ) for example, internet seems slow but it still loads webpages. Thats the only problem I have... So the only solution in my mind is just use a public resolver that my ISP and VPN likes, but I do think the internal DNS from windscribe for example is safer and actually faster.

Hello,

For some reason, I find that both my WireGuard and OpenVPN connections now use both the AdGuard and VPN DNS. That wasn't the case before for OpenvPN and it seems odd that this is happening on all three providers that I can run on the router. However, I have updated all my configs to use new certificates and/or the latest version of OpenVPN - yet the devices where I use a local VPN (like my Linux machines) strictly use the VPN DNS. I wonder if I inadvertently changed something else along the way?

jberry, 10.255.255.4 also works as a Windscribe DNS (although I am not sure if R.O.B.E.R.T works with it???). Could you use that DNS?

Best wishes,
BL

 

[blueliner]

Thanks @blueliner , I guess I need to educate myself a bit more about the way Adguard works but the basic default settings are completely sufficient for me for now. I block some other e.g. adult content via ControlD for now.

I am pretty sure PPPoE specifics is the source of all the problems with the way VPN behaves. I guess it can be fixed but I would need first to call @kamoj ISP to change his connection to PPPoE

So we have a pretty nice setup here: R9000 + WG + Adguard + ControlD DoH & DoT

It's pretty amazing that it work and I wonder if it works because Wireguard DNS settings are completely disregarded or it would also work with OpenVPN configs? By disregarded I mean that regardless of which DNS servers are provided in WG client config, always router DNS (or Adguard Home DNS settings if configured) is used. I don't know if this is due to WG specifics or a bug but it works. The way I see it if someone would be using DNS automatically provided by ISP + WG client, he would leak DNS all the time.

Hello,

If you want to make it more likely for the VPN devices to use the VPN DNS, you could put only the VPN DNS in the Kamoj Add-on's "Custom DNS" on the Settings page. When I do that, leak tests only show the VPN DNS - but then devices that bypass the VPN do not use AdGuard but instead use the VPN DNS too, so it defeats the purpose of AdGuard.

I wonder, is there a way to prevent this behavior (VPN clients using DNS other than the one on the VPN) by modifications to the ip table rules?

Best wishes,
BL

 

[blueliner]

Hello,

Kamoj, I had a lot of internet dropouts and VPN disconnects this morning due to a severe thunderstorm. In case it may be helpful for the updated "restart" on the next version, I have attached the WireGuard and Supervisor logs during this time when the Add-on was making restarts. I have the addon_fast_openvpn_supervision enabled and ping set to 11 sec.

Best wishes,
BL

 

[kamoj]

Hello,

Kamoj, I had a lot of internet dropouts and VPN disconnects this morning due to a severe thunderstorm. In case it may be helpful for the updated "restart" on the next version, I have attached the WireGuard and Supervisor logs during this time when the Add-on was making restarts. I have the addon_fast_openvpn_supervision enabled and ping set to 11 sec.

Best wishes,
BL

Of course this is helpful!!! Very good of you to share - Thank you!!!

 

[jberry]

I understand your problem very well. I think the solution would be to setup Adguard and then in Adguard "upstream DNS servers" provide all local DNS of Windscribe and Torguard + some other DNS (e.g. Cisco OpenDNS) which would not have the same latency as the local ones. You would then setup "Fastest IP address" resolution in Adguard DNS settings, so in theory it should always resolve via the local one. If not, make sure that the public DNS you set has significantly higher (e.g. by 20-30ms) latency that the local ones. You can then verify the resolvers via Query Log on Adguard Home (highly recommended).

Alternatively you can try controld.com - it is smart DNS by Windscribe, think of it as much better version of R.O.B.E.R.T . You can try it for free for 30 days and if you have Windscribe full priced subscription (e.g. not discounted or lifetime) then you get 50% on Controld.com which makes it $20 per year. It's super value considering what it can do e.g. unblock geo content from many countries (ControlD is using exit IP points of Windscribe, including residential, in fact it is possible to redirect some services via RES Dallas and RES Chicago). You are also not restricted to their supported services, you can build you own recipes based on DNS log queries. I use controld.com DoH and DoT resolvers in Adguard upstream servers, while the main router WAN DNS IP 2x Cisco OpenDNS. Also the benefit of using DoH and DoT of Controld.com is that if your VPN connection goes down or you will use another VPN connection, the new IP will be automatically whitelisted on Controld.com on 1st DoH or DoT request.

ControlD resolvers are based on anycast - they will automatically connect to the nearest servers. Since ControlD.com is using Windscribe infrastructure, if you setup Windscribe WG config + ControlD resolvers, it will be most probably the same speed wise as if you would setup local DNS of Windscribe: https://controld.com/network/

For example I have Torguard WG config in the same location and data center where ControlD DNS is hosted, so I get 5ms DNS latency, which is frankly a delay from my my ISP to that data center, otherwise the DNS query would be seen as under 1ms I believe (same network, same data center).

Thank you so much for your lengthy reply. I do remember ControlD when they were first beta testing it, and I did try some settings with R.O.B.E.R.T. such as ad blocking, to see if I would like ControlD (like a better version of R.O.B.E.R.T.) but sometimes the ad blocking would not have the desired effect I want. For example, when my wife would click on an email advertisement from my Macys for example, or a suggestion in Google, the page just would not load, which is cool because ad block is working, but she would of course get frustrated that the page just doesn't load, and then would say to me "Stop messing around with the Internet!, its that stupid VPN again!", and then she would just go LTE data on her iPhone lol.

I do like VPN on the router, since all my devices in my house can access Disney+, I live on Guam, and we have all streaming services here just as the U.S. mainland, we even have 4 netflix servers on the island, but we just cant get Disney+ ! So dumb, my ISP has a fiber undersea cable from Guam to LA, so latency is around 115ms which isnt bad, and so I usually choose VPNs that have an LA or west coast connection. Over the last 2 years of messing with VPNs, I kinda came to the conclusion that I want the cleanest IP I can get, so macys or target or etsy, or even eBay wont give me a hard time, especially with Purchasing (Paypal one time I couldnt add my credit card, I found out, its because I was using ExpressVPN). So far Torguard streaming IPs are pretty good, StarVPN pricey has the best IPs I have used, and Windscribe sadly no residential via west coast, closest is Dallas which is around 144ms. Speeds max out my connection which is 100mb down and 11mb up, so all the VPNs I use is pretty fast. Sometimes anycast doesnt work for my location, one time while using wireguard for StarVPN it auto connected me to India?? which game me super high latency, cuz my ISP routes either via here to LA or here via HongKong. Other ISPs here, route via Japan, but of course if I connect VPN and did ControlD im sure it will connect me to the closet DNS of the VPN I am choosing.

So I may not need all the features of ControlD, but I do want a fast DNS that will prevent malware, I'll give ControlD a look. I did think about just using ControlD and not a VPN, but just the though about all my data being not encrypted didnt work well in my mind lol. I will also give adguard a look, just so my router will choose the fastest DNS if possible, which will be very interesting. Thanks again!

Hello,

For some reason, I find that both my WireGuard and OpenVPN connections now use both the AdGuard and VPN DNS. That wasn't the case before for OpenvPN and it seems odd that this is happening on all three providers that I can run on the router. However, I have updated all my configs to use new certificates and/or the latest version of OpenVPN - yet the devices where I use a local VPN (like my Linux machines) strictly use the VPN DNS. I wonder if I inadvertently changed something else along the way?

jberry, 10.255.255.4 also works as a Windscribe DNS (although I am not sure if R.O.B.E.R.T works with it???). Could you use that DNS?

Best wishes,
BL

Oh that is weird??!! Thanks for the tip BL! Im sure my ISP wont have 10.255.255.4 - I can try that on my Router's DNS. I did try the ping times, and they seem more stable versus the 10.255.255.1 I am using, thanks again!

 

[Thang]

I have used NordVPN's wireguard config file Link, but I don't know how to enter the Wireguard index on the Kamoj add-on to be able to run the VPN in this form. Can anyone guide me. Or does that not work for the Kamoj add-on ? Thank you !

 

[primitivo]

So I may not need all the features of ControlD, but I do want a fast DNS that will prevent malware, I'll give ControlD a look. I did think about just using ControlD and not a VPN, but just the though about all my data being not encrypted didnt work well in my mind lol. I will also give adguard a look, just so my router will choose the fastest DNS if possible, which will be very interesting. Thanks again!

You have to see how it will work out for you. I am in the UAE and I am using Boston server in the USA on ControlD for Disney+. To USA Boston I have around 200ms. The latency when it comes to streaming does not really matter that much as long as the connection is good and fast. I use ControlD via Adguard together with Torguard Wireguard config. It works super.

I have also switched off ad blocking filter on Controld.com , since Adguard is doing the same on router level even when using ControlD DoH and DoT resolvers. Also the benefit of letting adguard handling ad blocking things is that you can e.g. skip adguard for certain devices e.g. your wife's iPhone, so she can see ads while you don't. This is not possible when using ControlD alone. Adguard is a very nice tool and very comprehensive. You can also easily whitelist certain domains which were ad-blocked, so they would be passed through. What's more you can whitelist ad-blocked URLs for selected devices only!

And yes I think ControlD could perfectly replace VPN. The only reason why I use VPN is to avoid international speed throttling by ISP.

 

[jberry]

I have used NordVPN's wireguard config file Link, but I don't know how to enter the Wireguard index on the Kamoj add-on to be able to run the VPN in this form. Can anyone guide me. Or does that not work for the Kamoj add-on ? Thank you !

I do remember stumbling upon this page, when I bought a years worth of NordVPN and NordVPN's Dedicated IP, and I was sad to find out there were no wireguard config files to use on my router, I even downloaded the NordVPN app on my router when it was using dd-wrt, anyway. As long as you have your private and public keys, the servers endpoint and port, server internal address (I think thats what its called), you can paste the config file in this format below to Kamoj's add on, under 'wireguard' and save the config file, is this what you are asking for? I believe only the beta version has the 'wireguard':


[Interface]
PrivateKey = YourKeyHere
Address = xxx.xxx.xxx.xxx/32
DNS = 1.1.1.1

[Peer]
PublicKey = ServerKeyHere
AllowedIPs = 0.0.0.0/0
Endpoint = ServerAddressortNumber

You have to see how it will work out for you. I am in the UAE and I am using Boston server in the USA on ControlD for Disney+. To USA Boston I have around 200ms. The latency when it comes to streaming does not really matter that much as long as the connection is good and fast. I use ControlD via Adguard together with Torguard Wireguard config. It works super.

I have also switched off ad blocking filter on Controld.com , since Adguard is doing the same on router level even when using ControlD DoH and DoT resolvers. Also the benefit of letting adguard handling ad blocking things is that you can e.g. skip adguard for certain devices e.g. your wife's iPhone, so she can see ads while you don't. This is not possible when using ControlD alone. Adguard is a very nice tool and very comprehensive. You can also easily whitelist certain domains which were ad-blocked, so they would be passed through. What's more you can whitelist ad-blocked URLs for selected devices only!

And yes I think ControlD could perfectly replace VPN. The only reason why I use VPN is to avoid international speed throttling by ISP.

Hello primitivo, thanks for the reply, I'm starting to understand how beneficial your setup is, especially with ControlD. I rarely do any torrenting, maybe like once a year haha, I just do newsgroups also not often, but I always connect via SSL. So that might be redundant, VPN and SSL for newsgroups. Before, VPN would always slow down your connection, now that we have wireguard I do like the fast speeds, same as my local ISP. My ISP doesnt throttle, at least I dont think they do? havnt really been on them for 2 years. I did have the idea just to use ControlD, like a proxy, but main reason why I started doing VPN was Disney+ now that ControlD can give you access... I really need to look into ControlD soon, thank you!

 

[Thang]

I do remember stumbling upon this page, when I bought a years worth of NordVPN and NordVPN's Dedicated IP, and I was sad to find out there were no wireguard config files to use on my router, I even downloaded the NordVPN app on my router when it was using dd-wrt, anyway. As long as you have your private and public keys, the servers endpoint and port, server internal address (I think thats what its called), you can paste the config file in this format below to Kamoj's add on, under 'wireguard' and save the config file, is this what you are asking for? I believe only the beta version has the 'wireguard':


[Interface]
PrivateKey = YourKeyHere
Address = xxx.xxx.xxx.xxx/32
DNS = 1.1.1.1

[Peer]
PublicKey = ServerKeyHere
AllowedIPs = 0.0.0.0/0
Endpoint = ServerAddressortNumber


Hello primitivo, thanks for the reply, I'm starting to understand how beneficial your setup is, especially with ControlD. I rarely do any torrenting, maybe like once a year haha, I just do newsgroups also not often, but I always connect via SSL. So that might be redundant, VPN and SSL for newsgroups. Before, VPN would always slow down your connection, now that we have wireguard I do like the fast speeds, same as my local ISP. My ISP doesnt throttle, at least I dont think they do? havnt really been on them for 2 years. I did have the idea just to use ControlD, like a proxy, but main reason why I started doing VPN was Disney+ now that ControlD can give you access... I really need to look into ControlD soon, thank you!

Thank you very much. This help is extremely useful for users who have little knowledge about VPNs and many other things.

 

[manup85]

not sure guys if you have the same issue with AdGuard. i'm running latest beta version b.8. time to time i'm loosing ETH and Wireless connection because adguard freeze. page is not reachable. the only solution is to disable DNS script and activate it back.

 

[primitivo]

not sure guys if you have the same issue with AdGuard. i'm running latest beta version b.8. time to time i'm loosing ETH and Wireless connection because adguard freeze. page is not reachable. the only solution is to disable DNS script and activate it back.

I have it running on R9000 since few days b.8 too and did not notice such issues with loosing ETH. Do you have "Restart at connection failure" checked?

 

[manup85]

I have it running on R9000 since few days b.8 too and did not notice such issues with loosing ETH. Do you have "Restart at connection failure" checked?

nope. should i activate it? the strange thing is that possibly one of the laptop i have at home it is causing whole adguard to freeze.. i'm still investigating

 

[primitivo]

nope. should i activate it? the strange thing is that possibly one of the laptop i have at home it is causing whole adguard to freeze.. i'm still investigating

You can try and see if it helps.

 

[manup85]

You can try and see if it helps.

It seems the issue is that laptop sending a lot of rDNS request ip.in.arpa causing whole adguard failing