Kamoj Kamoj Add-on Beta testing II

[R. Gerrits]

As one way of showing my gratitude, I've added your "reverse VPN/bypassing thing" for test in next release.

#Set up which IP-addresses that shall go via VPN, by adding them to an nvram variable
#(to survive router firmware updates). Separate the IPs with a space character:
nvram set kamoj_ips_to_vpn="192.168.1.10 192.168.1.99 192.168.1.100" && nvram commit

I'm very curious.
I do worry though that it might not fully work with some of my setup.
Because I have my MacBook go directly to internet, but a Window VM on top of that MacBook I want to route via VPN.
The issue: both have the same MAC-address (because the VM is bridged onto the WiFi).
And somewhere in your addon, you give priority to MAC-address. So if 2 IPs share the same MAC-address, then your addon either adds them both to the bypass or adds them both to the vpn.

I guess this is convenient for most, so that even with changing DHCP addresses, devices still stay on the list.
But not for me

 

[Droidrat]

Thank you very much for your extensive report and description!

It made me come to think about a few things:

1. Could it be that you are using PPTP, L2TP or PPPoE (Your Internet connection require a login)?
   If so, I'll fix that for next release.
   
   
2. Have you tried it with NSS switched off?
   (For me it's working even with NSS off, but I know e.g. @R. Gerrits says NSS must be off for some reason,
   and I trust him very much. So I suggest you try to switch off NSS).
   
   
3. Do you use QoS?

1. Could it be that you are using PPTP, L2TP or PPPoE (Your Internet connection require a login)?

No. No VPN, and no login to my ISP. My cable modem is an Arris SB6183. It handles ISP authentication, and the R7800 is connected to it with an Ethernet cable.

2. Have you tried it with NSS switched off?

No. I concluded that NSS is (much) more important to me than Bandwidth Usage.

3. Do you use QoS?

QoS is, and has always been, "disabled" (via Kamoj "Settings").

 

[blueliner]

You are right, the killswitch is not made to work for the router, it is only meant to be working for connected devices.
Do you have an example of how to implement that?
PS
If you switch/shut off the VPN, the killswitch will of course not be activated.

Hello,

Thank you for letting me know how the VPN bypass works for the router itself. I asked about it because I thought that when I checked out Transmission on an earlier Add-on version, Transmission lost internet connection when testing the killswitch or if the VPN dropped out.

I must have been thinking of my old home office setup. I ran files to another location using Transmission on the router. I had help setting it up and if I recall, Transmission went through the VPN and was blocked whenever the VPN went down. That system is long gone but I will dig around to see if I can verify that is how it worked and if I have a copy of the scripts used on the router. I don't know enough to do it myself.

Anyway, everything seems to be working well for me on 5.4b31!

Best wishes,
BL

 

[blueliner]

Netgear (and Voxel) firmware use udhcpd for DHCP and that doesn't support the tagging features.

a workaround you could use: If the devices that need to use a different DNS have a fixed IP-address, then you could use iptables rules to force them to use a different DNS.

iptables -w -t nat -A PREROUTING -s 192.168.1.4 -p udp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -p tcp --dport 53 -j DNAT --to 8.8.8.8:53

put the commands in /opt/scripts/firewall-start.sh
(or if you use kamoj's add-on and also use adguardhome, then place them in a script in /opt/scripts, with a name that starts with firewall-start and is alphabetically higher than firewall-start-adguardhome.sh. so for example firewall-start--vpndnsredirect.sh (i.e. a double dash, which comes before "dash a"))
(and don't forget to make the script executable)

disadvantage: using these rules you can only redirect to 1 DNS server -> if that goes down, then you have no working dns.

alternative:
say you configure everything via DHCP with DNS servers 1.2.3.4 and 5.6.7.8
then you could also have these iptables rules:

iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 1.2.3.4 -p udp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 5.6.7.8 -p udp --dport 53 -j DNAT --to 8.8.4.4:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 1.2.3.4 -p tcp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 5.6.7.8 -p tcp --dport 53 -j DNAT --to 8.8.4.4:53

R. Gerrits,

I wanted to comment on this.... I have used the first set of iptable rules and they work well for me. However, I hadn't thought about that alternative method - very clever! I sure learn a lot from you and the other folks on SNB!

Thanks,
BL

 

[kamoj]

Changes in kamoj-addon beta version 5.4b32
--------------------------------------------------
- AdGuard Home: Added Oisd basic (Changed list /opt/kamoj/addons/defaults/AdGuardHome.yaml )
- AdGuard Home: Disabled Malwarebytes
- AdGuard Home: Automatic restore of configuration from USB at install
- AdGuard Home: Updated default "AdGuardHome.yaml" to latest schema_version: 10
- DNS Privacy/Ad-Blocking: Added: Edit Dnsmasq Configuration
- DNS Privacy/Ad-Blocking: Added: "Cloudflare Connection Information" to "DNS Speed / Latency and Test Tools"
- DNS Privacy/Ad-Blocking: Added: "Cloudflare Trace" to "DNS Speed / Latency and Test Tools"
- DNS Privacy/Ad-Blocking: Added: "eibgrad about DNS leaks" to "DNS Leak Test / Privacy links"
- Bandwidth Monitor: Minor changes
- Bandwidth Monitor: Renamed firewall-start-bwusage.sh to firewall-start-z-bwusage.sh (@R. Gerrits)
- Settings: Disable Kwilt/hipplay : Close tcp port 42443 when disabling Kwilt. (@R. Gerrits)
- OpenVPN Client: PureVPN default settings changed (for higher speed) (@LSM)
- OpenVPN Client: Added: Synchronize configurations with USB-device ("auto-backup").
- OpenVPN Client: Minor changes
- WireGuard Client: Added: Synchronize configurations with USB-device ("auto-backup").
- Added: Function to block any device (IP) from Internet access. See FAQ.txt
- Added: "Reverse VPN bypassing", i.e. Default that all devices bypass the VPN. See FAQ.txt
- Added: Allow devices using a certain interface to bypass the VPN. See FAQ.txt
- Speedtest.sh: Minor changes
- Minor fixes.
- FAQ.txt updated.

UPDATE:
Note that these 2 functions are buggy in 5.4b32:
- Updated: "Reverse VPN bypassing", i.e. Default that all devices bypass the VPN. See FAQ.txt
- Updated: Allow devices using a certain interface to bypass the VPN. See FAQ.txt
To correct the obvious errors, run from router command prompt:
sed -i 's/echo XXX //g' /usr/bin/addon_bypassvpnip.sh

 

[L&LD]

@kamoj, you've been busy!

 

[kamoj]

@kamoj, you've been busy!

Thank you for the attention!
You are "always" alert.

 

[Jamike]

Thank you for the attention!
You are "always" alert.

Yes i see you've been busy love your addon so far updated to b32 like the Adguard web!

 

[baursak]

Hello dear forum participants! Please tell me if it is possible to do this, devices that are connected to WiFi (2.4 GHz) did not use VPN, and devices that are connected to WiFi (5.0 GHz) used it. The new version (5.4В 32) of Addon Kamoj has only fine settings, which unfortunately do not suit me very much. I distribute WIFI to all my visitors only via WiFi (2.4 GHz), so I had such an urgent need. This is a simple and crude setup, but very effective. Can anyone know how to do this?
This is my first message, please don't kick me too much))
Best regards to you Baursak.

 

[kamoj]

UPDATE:
Note that these 2 functions are buggy in 5.4b32:
- Updated: "Reverse VPN bypassing", i.e. Default that all devices bypass the VPN. See FAQ.txt
- Updated: Allow devices using a certain interface to bypass the VPN. See FAQ.txt
To correct the obvious errors, run from router command prompt:
sed -i 's/echo XXX //g' /usr/bin/addon_bypassvpnip.sh

 

[kamoj]

Hello dear forum participants! Please tell me if it is possible to do this, devices that are connected to WiFi (2.4 GHz) did not use VPN, and devices that are connected to WiFi (5.0 GHz) used it. The new version (5.4В 32) of Addon Kamoj has only fine settings, which unfortunately do not suit me very much. I distribute WIFI to all my visitors only via WiFi (2.4 GHz), so I had such an urgent need. This is a simple and crude setup, but very effective. Can anyone know how to do this?
This is my first message, please don't kick me too much))
Best regards to you Baursak.

You can use the add-on function "Create start script entries manually (Executed at boot time)" in Settings 2, and add e.g. this code:

#!/bin/sh
while :; do #2.4 GHz:
NO_VPN_LST_ALWAYS="$(for i in ath1 ath11; do wlanconfig $i list sta;done|grep ":"|cut -d" " -f1|while IFS= read -r DEV; do grep -i "$DEV" /proc/net/arp | awk '{print $1}' | tail -1; done|xargs)"
[ "$(nvram get NO_VPN_LST_ALWAYS)" != "$NO_VPN_LST_ALWAYS" ] && { nvram set NO_VPN_LST_ALWAYS="$NO_VPN_LST_ALWAYS" && addon_bypassvpnip.sh force; }
sleep 10
done

After a reboot the list of 2.4 GHz WiFi clients is checked every 10:th second and routed outside the tunnel.

 

[baursak]

Thank you so much for the prompt reply Kamoj !!! After the tests, I will definitely write the result.
Bleiben Sie gesund!!!

 

[R. Gerrits]

You can use the add-on function "Create start script entries manually (Executed at boot time)" in Settings 2, and add e.g. this
After a reboot the list of 2.4 GHz WiFi clients is checked every 10:th second and routed outside the tunnel.

Not sure if it really a good idea to every 10 seconds wipe and rebuild the routing table + restart the firewall.

Especially for the "guest" devices that should not be routed via VPN, these would every 10 seconds temporary again send a few packets (for at least a second) via VPN, while the routing is rebuild.
But also the frequent restarting of the firewall might cause some disruptions.

A better solution would be to define an ebtables rule to mark all packets that come in via ath1 (=2.4 GHz) and than have a ip rule to route all those marked packets via routing table novpn.

simple PoC:
edit /usr/bin/addon_bypassvpnip.sh and just above the last "ip route flush cache" insert this line:

[ "$(ip rule list | grep -c "fwmark 0x64 lookup $NOVPN_TABLE")" = "0" ] && ip rule add fwmark 0x64 table $NOVPN_TABLE

then execute /usr/bin/addon_bypassvpnip.sh force to activate that rule.

And finally execute this command, to start marking the packets:
ebtables -I INPUT -i ath1 -j mark --set-mark 0x64 --mark-target CONTINUE

Just tested this myself, and it works perfectly.
Only thing I do not yet know, is the best place to put that ebtables command, so it persists reboots.
(probably needs to go into /lib/wifi/qcawifi.sh)

 

[baursak]

Not sure if it really a good idea to every 10 seconds wipe and rebuild the routing table + restart the firewall.

Especially for the "guest" devices that should not be routed via VPN, these would every 10 seconds temporary again send a few packets (for at least a second) via VPN, while the routing is rebuild.
But also the frequent restarting of the firewall might cause some disruptions.

A better solution would be to define an ebtables rule to mark all packets that come in via ath1 (=2.4 GHz) and than have a ip rule to route all those marked packets via routing table novpn.

simple PoC:
edit /usr/bin/addon_bypassvpnip.sh and just above the last "ip route flush cache" insert this line:

[ "$(ip rule list | grep -c "fwmark 0x64 lookup $NOVPN_TABLE")" = "0" ] && ip rule add fwmark 0x64 table $NOVPN_TABLE

then execute /usr/bin/addon_bypassvpnip.sh force to activate that rule.

And finally execute this command, to start marking the packets:
ebtables -I INPUT -i ath1 -j mark --set-mark 0x64 --mark-target CONTINUE

Just tested this myself, and it works perfectly.
Only thing I do not yet know, is the best place to put that ebtables command, so it persists reboots.
(probably needs to go into /lib/wifi/qcawifi.sh)

Yes, that is right. After using this script, the VPN client does not start. (After rebooting the router) It starts only manually.
I also want to say that all the devices still go through the VPN tunnel.
Thank you, I will try your option.

 

[kamoj]

Not sure if it really a good idea to every 10 seconds wipe and rebuild the routing table + restart the firewall.

Especially for the "guest" devices that should not be routed via VPN, these would every 10 seconds temporary again send a few packets (for at least a second) via VPN, while the routing is rebuild.
But also the frequent restarting of the firewall might cause some disruptions.

A better solution would be to define an ebtables rule to mark all packets that come in via ath1 (=2.4 GHz) and than have a ip rule to route all those marked packets via routing table novpn.

simple PoC:
edit /usr/bin/addon_bypassvpnip.sh and just above the last "ip route flush cache" insert this line:

[ "$(ip rule list | grep -c "fwmark 0x64 lookup $NOVPN_TABLE")" = "0" ] && ip rule add fwmark 0x64 table $NOVPN_TABLE

then execute /usr/bin/addon_bypassvpnip.sh force to activate that rule.

And finally execute this command, to start marking the packets:
ebtables -I INPUT -i ath1 -j mark --set-mark 0x64 --mark-target CONTINUE

Just tested this myself, and it works perfectly.
Only thing I do not yet know, is the best place to put that ebtables command, so it persists reboots.
(probably needs to go into /lib/wifi/qcawifi.sh)

Thank you sir!
I'll add that to the todo-list...

Maybe you need to add ath11 as well - for the 2.4 GHz Guest WiFi?!

My script above does not do anything every 10 second, unless needed, i.e. the WiFi clientele has changed.
The write to nvram does not cause any nvram wear either, since no commit is done.

The script is working perfectly if started manually from a router command prompt,
so there is a bug or two to be fixed in the add-on functions "Create Firewall entries manually" and "Create start script entries manually (Executed at boot time)".
Else the ebtables rules maybe could be placed in the Settings 2: "Create Firewall entries manually".
Seems like I forgot the write about it in the FAQ.txt
These function rely on a mounted USB-device to store the scripts as well.
Sorry for all the trouble!

 

[kamoj]

Yes, that is right. After using this script, the VPN client does not start. (After rebooting the router) It starts only manually.
I also want to say that all the devices still go through the VPN tunnel.
Thank you, I will try your option.

Since the script is lost at reboot due to a bug, VPN Client should not be effected.
Please check log-files (supervision and VPN client) to see what went wrong!
Sorry for the trouble!

 

[R. Gerrits]

My script above does not do anything every 10 second, unless needed, i.e. the WiFi clientele has changed.
The write to nvram does not cause any nvram wear either, since no commit is done.

you're totally right, I overlooked that IF statement.
but stll less perfect than marking the traffic. but your solution is easier for people that don't want to edit scripts.

 

[dracubin11]

Can someone give me the link of kamoj beta 5.2 for me? i need to experience on fw voxel 74.3sf

 

[blueliner]

Hello,

I installed 5.4b32 on my R9000. I was unable to get VPN bypassing to work and I had to try several times to get AdGuard to install/start (which it eventually did). I assume it is something relating to my system. I didn't see anything in the logs that stuck out, however I was unable to download the Kamoj or Voxel information from the System Information page. Everything else seemed OK. Things I tried:

- A restart of the router, cleaning the browser cache on the machine I was using and restarting the machine.
- Clearing the VPN bypassing by moving items back to non-bypassed and clicking the clear bypassing from NVRAM buttons.
- Uninstall 5.4b32. Factory reset router, reinstall the current Voxel firmware and 5.4b32

The ip rule display on the VPN bypass page showed nothing was being bypassed no matter what I did...and checking the ip of several devices using curl confirmed devices in the bypass selection list were still using the VPN.

As I needed to get the router going again, I reinstalled 5.4b31. Everything worked as it should on 5.4b31 except I was still unable to download the Voxel release notes, Kamoj release notes or Kamoj FAQ. Downloading the Aegis info, etc., still worked.

Didn't have time to check further, but thought I would pass this along as I won't be able to hop back on here for a while.

Best wishes,
BL

 

[R. Gerrits]

just updated to 5.b32

Just the usual issue with the OpenVPN password file. I have this issue everytime I upgrade. But never took the time to make a topic about it.

Issue: VPN doesn't start after re-install of new addon + reboot.

Log file says:

2021-07-28 21:45:00; 66.96; [OpenVPN]; [rc.common 13922 Information: Check that OpenVPN Client is enabled];
2021-07-28 21:45:00; 66.97; [OpenVPN]; [rc.common 13922 Information: Check that a configuration file is given and exist];
2021-07-28 21:45:00; 67.00; [OpenVPN]; [rc.common 13922 Existing OpenVPN configuration selected in nvram: ipvanish-NL-Amsterdam-ams-a42.ovpn];
2021-07-28 21:45:00; 67.03; [OpenVPN]; [rc.common 13922 check_password_file . Get password file for: /etc/openvpn/config/client/ipvanish-NL-Amsterdam-ams-a42.ovpn];
2021-07-28 21:45:00; 67.06; [OpenVPN]; [rc.common 13922 Information: Password file according to ipvanish-NL-Amsterdam-ams-a42.ovpn:];
2021-07-28 21:45:00; 67.08; [OpenVPN]; [rc.common 13922 Password file given and exist:/etc/openvpn/config/client/];
2021-07-28 21:45:00; 67.11; [OpenVPN]; [rc.common 13922 Information: fix_password_file /etc/openvpn/config/client/];
2021-07-28 21:45:00; 67.16; [OpenVPN]; [rc.common 13922 Password file not found. Password file Must be 2 lines. FILE: /etc/openvpn/config/client/];
2021-07-28 21:45:00; 67.17; [OpenVPN]; [rc.common 13922 No password file found: /tmp/openvpn_client/idpw. Check pre-defined username/password];
2021-07-28 21:45:00; 67.19; [OpenVPN]; [rc.common 13922 No password file found. No pre-defined username/password exist.];
2021-07-28 21:45:00; 67.21; [OpenVPN]; [rc.common 13922 ERROR: No password file found and no default passwords exist. Exiting];
2021-07-28 21:45:00; 67.23; [OpenVPN]; [rc.common 13922 Information: exit_it ];

Normally, I would then "Create/Edit an OpenVPN Client Configuration manually", load the existing .opvn, fill in the username and password, then save the configuration and then restart the VPN connection and it would work.

However, with this version, if I click the button to save the configuration, then I do see "create_vpn_config_button_clicked 2"
But I do not see an .auth file created.
And also VPN still doesn't start.

EDIT: I do see the file /tmp/openvpn_client/config/ipvanish-NL-Amsterdam-ams-a42.ovpn.pw created with my username + password.
But somehow openvpn is not using that.
(and I wonder: after a reboot, this file would be gone. so how does that work?)