Kamoj Add-on Beta testing II

OK, now it looks the same as it does for me.
I've not updated any certificate, since there is no need for it.
Don't know why https://www.malwaredomainlist.com/hostslist/hosts.txt is not found,
but to get rid of the error message you can disable malwaredomainlist in the Filter section block lists.
Thanks for looking into this issue. I have gotten the blocklist downloads to work by using opkg to install the ca-certificates and ca-bundle packages from Voxel's entware:

Code:
root@R7800:/tmp/mnt/sda1/AdGuardHome$ /opt/bin/opkg install ca-certificates
Installing ca-certificates (20210119-1) to root...
Downloading http://www.voxel-firmware.com/Downloads/Voxel/Entware/Entware-3x-Voxel/ca-certificates_20210119-1_all.ipk
Configuring ca-certificates.
root@R7800:/tmp/mnt/sda1/AdGuardHome$ /opt/bin/opkg install ca-bundle
Installing ca-bundle (20210119-1) to root...
Downloading http://www.voxel-firmware.com/Downloads/Voxel/Entware/Entware-3x-Voxel/ca-bundle_20210119-1_all.ipk
Configuring ca-bundle.
root@R7800:/tmp/mnt/sda1/AdGuardHome$

Then after changing DNS Filter/Encryption back to the "None - Not recommended" radio button, waiting for AGH to stop, then selecting the "Adguard Home (DoH/DoT/DNSCrypt as configured)" radio button again, the log entries indicate successful blocklist downloads.

Code:
2021/07/08 22:40:20.111941 [info] Received signal "terminated"
2021/07/08 22:40:20.111973 [info] Stopping AdGuard Home
2021/07/08 22:40:20.112004 [info] stopping http server...
2021-07-08 18:40:22 [ADGUARD] adguard_home.sh 3575: 24858.88:STOP: Restore dnsmasq config file
2021-07-08 18:40:22 [ADGUARD] adguard_home.sh 3575: 24858.98:STOP: Terminated.
[2021-07-08 18:40:22] adguard terminated by operator trigged addon
2021-07-08 18:41:02 [ADGUARD] adguard_home.sh 6552: 24898.53:Start called
2021-07-08 18:41:04 [ADGUARD] adguard_home.sh 6552: 24901.30:Information: Time is OK
2021-07-08 18:41:04 [ADGUARD] adguard_home.sh 6552: 24901.44:Adguard Home started. Accessible GUI: http://192.168.1.1:8080
[2021-07-08 18:41:05] adguard started by operator trigged addon
2021/07/08 22:41:05.135215 [info] AdGuard Home, version v0.106.3
2021/07/08 22:41:05.388480 [info] Initializing auth module: /tmp/addons/adguard_home/data/sessions.db
2021/07/08 22:41:05.388792 [info] auth: initialized.  users:1  sessions:1
2021/07/08 22:41:05.388855 [info] Initialize web module
2021/07/08 22:41:05.395946 [info] AdGuard Home is available on the following addresses:
2021/07/08 22:41:05.405818 [info] Go to http://127.0.0.1:8080
2021/07/08 22:41:05.405912 [info] Go to http://[::1]:8080
2021/07/08 22:41:05.405943 [info] Go to http://10.0.0.1:8080
2021/07/08 22:41:05.406006 [info] Go to http://192.168.2.197:8080
2021/07/08 22:41:05.406037 [info] Go to http://10.0.1.1:8080
2021/07/08 22:41:05.416534 [info] Starting the DNS proxy server
2021/07/08 22:41:05.416721 [info] Ratelimit is enabled and set to 100 rps
2021/07/08 22:41:05.416784 [info] The server is configured to refuse ANY requests
2021/07/08 22:41:05.416815 [info] DNS cache is enabled
2021/07/08 22:41:05.416846 [info] MaxGoroutines is set to 50
2021/07/08 22:41:05.416877 [info] Creating the UDP server socket
2021/07/08 22:41:05.417127 [info] Listening to udp://[::]:5300
2021/07/08 22:41:05.417159 [info] Creating a TCP server socket
2021/07/08 22:41:05.417284 [info] Listening to tcp://[::]:5300
2021/07/08 22:41:05.417627 [info] Entering the UDP listener loop on [::]:5300
2021/07/08 22:41:05.417877 [info] Entering the tcp listener loop on [::]:5300
2021/07/08 22:41:05.989823 [info] Filter 1 has been updated: 729602 bytes, 37768 rules
2021/07/08 22:41:05.989886 [info] Saving filter 1 contents to: /tmp/addons/adguard_home/data/filters/1.txt
2021/07/08 22:41:06.323407 [info] Filter 2 has been updated: 298799 bytes, 8227 rules
2021/07/08 22:41:06.323469 [info] Saving filter 2 contents to: /tmp/addons/adguard_home/data/filters/2.txt
2021/07/08 22:41:07.006412 [info] Couldn't request filter from URL https://www.malwaredomainlist.com/hostslist/hosts.txt, skipping: Get "https://www.malwaredomainlist.com/hostslist/hosts.txt": x509: certificate has expired or is not yet valid: current time 2021-07-08T22:41:07Z is after 2021-03-10T17:07:53Z
2021/07/08 22:41:07.006568 [error] os.Chtimes(): chtimes /tmp/addons/adguard_home/data/filters/4.txt: no such file or directory
2021/07/08 22:41:07.006599 [info] Failed to update filter https://www.malwaredomainlist.com/hostslist/hosts.txt: Get "https://www.malwaredomainlist.com/hostslist/hosts.txt": x509: certificate has expired or is not yet valid: current time 2021-07-08T22:41:07Z is after 2021-03-10T17:07:53Z

2021/07/08 22:41:08.804350 [info] Filter 1590433492 has been updated: 334861 bytes, 8732 rules
2021/07/08 22:41:08.804413 [info] Saving filter 1590433492 contents to: /tmp/addons/adguard_home/data/filters/1590433492.txt
2021/07/08 22:41:09.548055 [info] Filter 1590435211 has been updated: 45816 bytes, 2886 rules
2021/07/08 22:41:09.548118 [info] Saving filter 1590435211 contents to: /tmp/addons/adguard_home/data/filters/1590435211.txt
2021/07/08 22:41:09.548274 [info] Updated filter #1.  Rules: 0 -> 37768
2021/07/08 22:41:09.548305 [info] Updated filter #2.  Rules: 0 -> 8227
2021/07/08 22:41:09.548336 [info] Updated filter #1590433492.  Rules: 0 -> 8732
2021/07/08 22:41:09.548368 [info] Updated filter #1590435211.  Rules: 0 -> 2886
2021/07/08 22:41:10.330811 [info] Filter 1584805914 has been updated: 3678 bytes, 191 rules
2021/07/08 22:41:10.330873 [info] Saving filter 1584805914 contents to: /tmp/addons/adguard_home/data/filters/1584805914.txt
2021/07/08 22:41:10.330998 [info] Updated filter #1584805914.  Rules: 0 -> 191
 
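The failure above is worth telling apart from the "unknown authority" failure that installing ca-certificates / ca-bundle fixes: one is a missing local trust store, the other is an upstream list whose certificate really has expired, and no local package will fix that. The following added example (my own code, not part of the post or of AdGuard Home) parses AdGuard Home log lines of the format shown above and classifies each filter-update failure; the first four sample lines are copied from the log in the post, the last one is constructed to show the untrusted-CA case, and the function names are mine.

```python
import re
from datetime import datetime

# Sample AdGuard Home log. Lines 1-4 are copied from the post above; the last
# line is constructed to illustrate the "unknown authority" failure that a
# missing CA bundle produces (example.invalid is a reserved, non-routable name).
SAMPLE_LOG = """\
2021/07/08 22:41:05.989823 [info] Filter 1 has been updated: 729602 bytes, 37768 rules
2021/07/08 22:41:07.006412 [info] Couldn't request filter from URL https://www.malwaredomainlist.com/hostslist/hosts.txt, skipping: Get "https://www.malwaredomainlist.com/hostslist/hosts.txt": x509: certificate has expired or is not yet valid: current time 2021-07-08T22:41:07Z is after 2021-03-10T17:07:53Z
2021/07/08 22:41:07.006599 [info] Failed to update filter https://www.malwaredomainlist.com/hostslist/hosts.txt: Get "https://www.malwaredomainlist.com/hostslist/hosts.txt": x509: certificate has expired or is not yet valid: current time 2021-07-08T22:41:07Z is after 2021-03-10T17:07:53Z
2021/07/08 22:41:08.804350 [info] Filter 1590433492 has been updated: 334861 bytes, 8732 rules
2021/07/08 22:41:09.100000 [info] Failed to update filter https://example.invalid/list.txt: Get "https://example.invalid/list.txt": x509: certificate signed by unknown authority
"""

UPDATED_RE = re.compile(r"^\S+ \S+ \[info\] Filter (\d+) has been updated: \d+ bytes, (\d+) rules$")
FAILED_RE = re.compile(r"^\S+ \S+ \[info\] Failed to update filter (\S+): (.*)$")
EXPIRED_RE = re.compile(r"current time (\S+) is after (\S+)")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def classify(reason):
    """Map the Go x509 error text to a cause; for expiry also return days overdue."""
    if "certificate has expired or is not yet valid" in reason:
        m = EXPIRED_RE.search(reason)
        if m:  # "is after" => the upstream cert really expired, nothing local to fix
            now = datetime.strptime(m.group(1), TIME_FMT)
            not_after = datetime.strptime(m.group(2), TIME_FMT)
            return "upstream_cert_expired", (now - not_after).days
        # "is before" => the router clock is behind the cert's notBefore: check NTP first
        return "clock_or_validity_window", None
    if "certificate signed by unknown authority" in reason:
        return "untrusted_ca", None  # no usable CA bundle on the box
    return "other", None


def triage(log_text):
    """Return which filters updated and why the others failed.

    Only the 'Failed to update filter' line is parsed; the preceding
    "Couldn't request filter" line reports the same error and is skipped.
    """
    updated, failed = [], []
    for line in log_text.splitlines():
        m = UPDATED_RE.match(line)
        if m:
            updated.append((m.group(1), int(m.group(2))))
            continue
        m = FAILED_RE.match(line)
        if m:
            cause, days = classify(m.group(2))
            failed.append({"url": m.group(1), "cause": cause, "days_expired": days})
    return {"updated": updated, "failed": failed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for fid, rules in result["updated"]:
        print(f"filter {fid}: {rules} rules")
    for f in result["failed"]:
        print(f"FAILED {f['url']}: {f['cause']}"
              + (f" ({f['days_expired']} days past expiry)" if f["days_expired"] is not None else ""))
```

On the router, feed it the real log with `triage(open("/path/to/AdGuardHome.log").read())` (path is yours to fill in). A result of `untrusted_ca` points at the CA packages; `upstream_cert_expired` means the list should be disabled or replaced, as Kamoj suggests below.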
OK, now it looks the same as it does for me.
I've not updated any certificate, since there is no need for it.
Don't know why https://www.malwaredomainlist.com/hostslist/hosts.txt is not found,
but to get rid of the error message you can disable malwaredomainlist in the Filter section block lists.

Thanks. It turns out that the certificate for www.malwaredomainlist.com has expired and is no longer valid as of 3/10/2021. The hosts.txt file at that site also does not have any useful content.

[Attached image: malwaredomainlist.JPG]
 
Thank you, kamoj, I have installed the beta and the functionality exceeded my expectations. I'm using WireGuard mainly for streaming. Is there a way to assign a different DNS for users going through the VPN?

On another subject, I modified the dnsmasq configuration to assign different DNS and gateways to devices I tag by MAC address, but for some reason it's not working. Below is my configuration (I used to do this on Tomato and DD-WRT):

VPN Tag for VPN Gateway on Lan
dhcp-mac=set:tagVPN,E6:XX:5A:F6:XX:05 #My_iPad
dhcp-option=tag:tagVPN,3,10.0.0.3 #VPN Gateway
dhcp-option=tag:tagVPN,6,173.255.160.18, 173.255.160.20 #VPN DNS

DNS Tag for Streaming
dhcp-mac=set:tagSmartDNS,4C:XX:B8:XX:6F:XX #MacMini
dhcp-option=tag:tagSmartDNS,6,54.93.173.153, 54.255.130.140

I will be grateful if anyone can chip in and help me out.
 
I'm sorry you are not a happy beta-tester. But it's good that you found this out and reported it here. Thank you!

The Bandwidth metering has always worked for me and several other users, even with NSS on.
So there is more to this than NSS.
I always use DNSCrypt, Aegis and VPN for all devices, and it measures bandwidth very accurately.

The add-on measurements are done using standard iptables settings, so I'm starting to wonder
whether some other fixes with iptables or routing mess something up, like the order of the rules.
Have you added any firewall or routing rules of your own?

There is also the possibility for you to use the Netgear built-in "Traffic Meter"!
Have you tried it, and how does it compare with real values?

I never said that I was an "unhappy" beta tester. As I understand it (and as you have pointed out several times before), my obligation as a tester is to actively use the software, look for issues, report what I have found (in detail), and attempt to resolve the issues (or help in the resolution).

I have always done all of that.

And here, I am reporting a feature (Bandwidth Usage) which doesn't work for me. In fact, it is massively inaccurate.

You mentioned the Netgear Traffic Meter. I turned that on when I first acquired my R7800 (a time when I was aware of Voxel firmware, but not of the Kamoj add-on), but I didn't monitor it closely, and I don't know how accurate it is/was. And then I installed Voxel ver 44SF and, for whatever reason, lost all of my settings through making the upgrade (which was from an earlier Voxel). I went looking for solutions, and in my research discovered that I was not the only one afflicted by ver 44SF and lost settings. And one of the comments I saw suggested that perhaps my NVRAM was bad and, associated with that, was a suggestion to NOT use the Netgear Traffic Meter because it excessively "stresses" the NVRAM. So I turned off the Netgear Traffic Meter, and have never re-enabled it.

In connection with assessing the possible causes for why I lost my settings during the upgrade, I was also led to the Kamoj add-on as a way to identify the maker of my NVRAM (as the quality apparently varies among the several manufacturers). At the time, I wasn't aware of the other Kamoj features; I installed the add-on solely to identify my NVRAM. Only later did I go exploring the various menus. [BTW, I ultimately concluded that my NVRAM is fine, and that there was something "quirky" with 44SF, as I haven't had any difficulties with the many subsequent Voxel upgrades.]

My installation is absolutely "plain vanilla." No DNSCrypt, Aegis, VPN, routing rules, or personal firewall. I have added nothing (yet).

FWIW, the reported upload numbers are plausible (though I haven't verified them). The download numbers are absurdly low. Originally, I wanted the data for use in allocation of an Internet bill, but I no longer have that need. Most recently, I was interested in the individual (and relative) usage of my various devices, but the current inaccuracy precludes that.

If you have some test you would like me to run, please let me know. Thank you for your generous support.
 
I'd like to make a suggestion for adding a new feature to the @Voxel firmware natively or through the @kamoj add-on.
As we know Netgear disabled the WPS button (and its LED) in its latest firmware.
So I suggest if possible to repurpose the WPS button function (LED too) for turning on/off the Guest Wireless Network. It would be very handy (at least for me, but others can vote too).
On my old OpenWRT router I have used the WPS LED to show if the Guest WLAN was turned on/off. At least it was possible to do that from OpenWRT settings.
 
Kamoj, this is so amazing, this version is like a new product. It has fixed all the issues I was having with the bypass VPN; it's now all working. The setup of the VPN is also working a lot smoother and responds a lot better than the last version. I will keep you posted on anything else I find.
 
Right, I seem to have a little issue.

R9000 running Voxel 1.0.4.51 and beta from Kamoj.

I have the VPN client set up and only two IP addresses running through it. However, it's like the whole network is still going through the VPN.

Online games are laggy, Internet radio disconnects, I am unable to open www.Amazon.co.uk and bbc.co.uk but everything else seems OK.

It was working fine. If I plug my XR700 router in everything returns to normal. Any ideas please?
 
Right, I seem to have a little issue.

R9000 running Voxel 1.0.4.51 and beta from Kamoj.

I have the VPN client set up and only two IP addresses running through it. However, it's like the whole network is still going through the VPN.

Online games are laggy, Internet radio disconnects, I am unable to open www.Amazon.co.uk and bbc.co.uk but everything else seems OK.

It was working fine. If I plug my XR700 router in everything returns to normal. Any ideas please?
question of course is which version of kamoj you are running.
and to diagnose, the output of Kamoj Addon -> VPN Bypassing -> ip rule show would be useful.
 
question of course is which version of kamoj you are running.
and to diagnose, the output of Kamoj Addon -> VPN Bypassing -> ip rule show would be useful.
If I am honest, I am so confused now with the VPN. I had everything set up nicely and the network was running so smoothly; I have spent so many hours on this and I just can't get it over the end.

kamoj-addon_210707-195534-5.4b31_ipq806x.ipk

is the one I am using. Trying to do this alongside work and family life is hard, very hard. I guess I am no Bill Gates lol.
 
Fixed it all: I removed the EX8000 and now everything is running smoothly. It seems IPs were connecting via the EX8000 and making a bypass; now everything is running smooth and fast. VPN is working as expected, sooooooo happy.

20.00

Spoke too soon, back down to a crawl. Some devices don't seem affected but some are hit hard: PS4 slow but PS5 OK. bbc, amazon and a few others not loading again. I am going to roll back to the older version of Kamoj tomorrow and see what happens.
 
Hi

I have pulled this network apart today, and I mean pulled. The VPN bypass does not work.

Tried with OpenVPN and *bought WireGuard*.
When either is started it appears to bring anything that's in bypass mode into the VPN, as I am unable to open bbc/amazon uk and another couple of uk sites. Some IP addresses do not seem affected as much.

I have tried different versions of Voxel back to 2020. Voxel on its own doesn't have any effect.
Different modem: using hg612, also tried vigor.
Tried different DNS.
VPNs used: Surfshark, HMA & torguard.

Sometimes it works, then I remember OpenVPN or WireGuard isn't running, turn it on and the network changes.

Anyone got any ideas?

Just to add: also put the modem on a subnet, still doesn't work.
 
Hi

I have pulled this network apart today, and I mean pulled. The VPN bypass does not work.

Tried with OpenVPN and *bought WireGuard*.
When either is started it appears to bring anything that's in bypass mode into the VPN, as I am unable to open bbc/amazon uk and another couple of uk sites. Some IP addresses do not seem affected as much.

I have tried different versions of Voxel back to 2020. Voxel on its own doesn't have any effect.
Different modem: using hg612, also tried vigor.
Tried different DNS.
VPNs used: Surfshark, HMA & torguard.

Sometimes it works, then I remember OpenVPN or WireGuard isn't running, turn it on and the network changes.

Anyone got any ideas?

Just to add: also put the modem on a subnet, still doesn't work.
Hello,

guy79, VPN bypassing has worked well on my R9000. I did find that under certain circumstances I needed to take all devices out of bypass and then set them to bypass again for it to work properly. I think this was only after installing new firmware but I have gotten into the habit of doing that each time I update firmware and/or the Kamoj Add-on, and now I can't remember the specific circumstances requiring it.

Kamoj, great to see you back on SNB and I really like the improvements in 5.4b31. I do have some observations on the new router VPN bypass feature. It is working, but the action of the Killswitch is not what I expected. With the router in the default bypass mode (check box unchecked/going through VPN), an ip check shows the router ip address to be that of the VPN. Checking the router bypass checkbox then bypasses the VPN as expected (an ip check shows my isp ip) - all is well regarding the bypass itself.

However, with the Killswitch activated (and router going through VPN), if I shut off the VPN or run a bogus VPN configuration that fails, the router itself will still have full internet connectivity and ip checks will show my isp's ip. I also checked this with the router's Transmission torrent client while downloading a Linux distro. With a working VPN, a torrent ip check will show the VPN ip when the router is not bypassed and Killswitch on. But a failed VPN connection will still allow a torrent to download and the torrent ip check will show my isp ip.

A check of other devices connected to the router showed the bypass and Killswitch to work normally for them. It appears that the Killswitch does not work for the router. I don't know if that is the way it is supposed to be, but if it is, may I suggest making the Killswitch work for the router as it does for other devices? Otherwise the router's processes would run over an "open" internet connection if the VPN should fail(?)

Anyway I sure like the other changes in 5.4b31 and everything else is running great. Thank you Kamoj!

Best wishes,
BL
 
Thank you very much for using the add-on, and your report!

Try this:
Code:
#Edit and copy to correct place:
nano /etc/dnsmasq-resolv.conf
\cp /etc/dnsmasq-resolv.conf /tmp/dnsmasq.conf

#Make sure the configuration is OK:
/usr/sbin/dnsmasq --test

#Restart dnsmasq:
/etc/init.d/dnsmasq stop
/etc/init.d/dnsmasq start

#Check log file:
tail /var/log/dnsmasq.log

Thank you, kamoj, I have installed the beta and the functionality exceeded my expectations. I'm using WireGuard mainly for streaming. Is there a way to assign a different DNS for users going through the VPN?

On another subject, I modified the dnsmasq configuration to assign different DNS and gateways to devices I tag by MAC address, but for some reason it's not working. Below is my configuration (I used to do this on Tomato and DD-WRT):

VPN Tag for VPN Gateway on Lan
dhcp-mac=set:tagVPN,E6:XX:5A:F6:XX:05 #My_iPad
dhcp-option=tag:tagVPN,3,10.0.0.3 #VPN Gateway
dhcp-option=tag:tagVPN,6,173.255.160.18, 173.255.160.20 #VPN DNS

DNS Tag for Streaming
dhcp-mac=set:tagSmartDNS,4C:XX:B8:XX:6F:XX #MacMini
dhcp-option=tag:tagSmartDNS,6,54.93.173.153, 54.255.130.140

I will be grateful if anyone can chip in and help me out.
 
Thank you very much for your extensive report and description!

It made me think about a few things:
  1. Could it be that you are using PPTP, L2TP or PPPoE (your Internet connection requires a login)?
    If so, I'll fix that for next release.

  2. Have you tried it with NSS switched off?
    (For me it's working even with NSS off, but I know e.g. @R. Gerrits says NSS must be off for some reason,
    and I trust him very much. So I suggest you try to switch off NSS).

  3. Do you use QoS?
I never said that I was an "unhappy" beta tester. As I understand it (and as you have pointed out several times before), my obligation as a tester is to actively use the software, look for issues, report what I have found (in detail), and attempt to resolve the issues (or help in the resolution).

I have always done all of that.

And here, I am reporting a feature (Bandwidth Usage) which doesn't work for me. In fact, it is massively inaccurate.

You mentioned the Netgear Traffic Meter. I turned that on when I first acquired my R7800 (a time when I was aware of Voxel firmware, but not of the Kamoj add-on), but I didn't monitor it closely, and I don't know how accurate it is/was. And then I installed Voxel ver 44SF and, for whatever reason, lost all of my settings through making the upgrade (which was from an earlier Voxel). I went looking for solutions, and in my research discovered that I was not the only one afflicted by ver 44SF and lost settings. And one of the comments I saw suggested that perhaps my NVRAM was bad and, associated with that, was a suggestion to NOT use the Netgear Traffic Meter because it excessively "stresses" the NVRAM. So I turned off the Netgear Traffic Meter, and have never re-enabled it.

In connection with assessing the possible causes for why I lost my settings during the upgrade, I was also led to the Kamoj add-on as a way to identify the maker of my NVRAM (as the quality apparently varies among the several manufacturers). At the time, I wasn't aware of the other Kamoj features; I installed the add-on solely to identify my NVRAM. Only later did I go exploring the various menus. [BTW, I ultimately concluded that my NVRAM is fine, and that there was something "quirky" with 44SF, as I haven't had any difficulties with the many subsequent Voxel upgrades.]

My installation is absolutely "plain vanilla." No DNSCrypt, Aegis, VPN, routing rules, or personal firewall. I have added nothing (yet).

FWIW, the reported upload numbers are plausible (though I haven't verified them). The download numbers are absurdly low. Originally, I wanted the data for use in allocation of an Internet bill, but I no longer have that need. Most recently, I was interested in the individual (and relative) usage of my various devices, but the current inaccuracy precludes that.

If you have some test you would like me to run, please let me know. Thank you for your generous support.
 
The subject to use the WPS button for other things has been discussed e.g. here:
https://www.snbforums.com/threads/s...rol-in-my-build-of-firmware.54815/post-578043
https://forum.openwrt.org/t/time-and-button-controlled-content-filtering/62383

These settings are for OpenWRT and do not work for Netgear/Voxel firmware.

I've no time to investigate and test this; if you or anyone will do the basics, I'll
consider implementing it!
I'd like to make a suggestion for adding a new feature to the @Voxel firmware natively or through the @kamoj add-on.
As we know Netgear disabled the WPS button (and its LED) in its latest firmware.
So I suggest if possible to repurpose the WPS button function (LED too) for turning on/off the Guest Wireless Network. It would be very handy (at least for me, but others can vote too).
On my old OpenWRT router I have used the WPS LED to show if the Guest WLAN was turned on/off. At least it was possible to do that from OpenWRT settings.
 
Do you have problems only with devices that are connected through WiFi?

How do you "know" the bypassing is not working?
Maybe you can at least check it for at least one of your troublesome devices?

Hi

I have pulled this network apart today, and I mean pulled. The VPN bypass does not work.

Tried with OpenVPN and *bought WireGuard*.
When either is started it appears to bring anything that's in bypass mode into the VPN, as I am unable to open bbc/amazon uk and another couple of uk sites. Some IP addresses do not seem affected as much.

I have tried different versions of Voxel back to 2020. Voxel on its own doesn't have any effect.
Different modem: using hg612, also tried vigor.
Tried different DNS.
VPNs used: Surfshark, HMA & torguard.

Sometimes it works, then I remember OpenVPN or WireGuard isn't running, turn it on and the network changes.

Anyone got any ideas?

Just to add: also put the modem on a subnet, still doesn't work.

If you want help, and are likely to get it, please try to give the "recommended" information, e.g. as asked by R. Gerrits:
...
and to diagnose, the output of Kamoj Addon -> VPN Bypassing -> ip rule show would be useful.
 
You are right, the killswitch is not made to work for the router, it is only meant to be working for connected devices.
Do you have an example of how to implement that?
PS
If you switch/shut off the VPN, the killswitch will of course not be activated.

Hello,

guy79, VPN bypassing has worked well on my R9000. I did find that under certain circumstances I needed to take all devices out of bypass and then set them to bypass again for it to work properly. I think this was only after installing new firmware but I have gotten into the habit of doing that each time I update firmware and/or the Kamoj Add-on, and now I can't remember the specific circumstances requiring it.

Kamoj, great to see you back on SNB and I really like the improvements in 5.4b31. I do have some observations on the new router VPN bypass feature. It is working, but the action of the Killswitch is not what I expected. With the router in the default bypass mode (check box unchecked/going through VPN), an ip check shows the router ip address to be that of the VPN. Checking the router bypass checkbox then bypasses the VPN as expected (an ip check shows my isp ip) - all is well regarding the bypass itself.

However, with the Killswitch activated (and router going through VPN), if I shut off the VPN or run a bogus VPN configuration that fails, the router itself will still have full internet connectivity and ip checks will show my isp's ip. I also checked this with the router's Transmission torrent client while downloading a Linux distro. With a working VPN, a torrent ip check will show the VPN ip when the router is not bypassed and Killswitch on. But a failed VPN connection will still allow a torrent to download and the torrent ip check will show my isp ip.

A check of other devices connected to the router showed the bypass and Killswitch to work normally for them. It appears that the Killswitch does not work for the router. I don't know if that is the way it is supposed to be, but if it is, may I suggest making the Killswitch work for the router as it does for other devices? Otherwise the router's processes would run over an "open" internet connection if the VPN should fail(?)

Anyway I sure like the other changes in 5.4b31 and everything else is running great. Thank you Kamoj!

Best wishes,
BL
 
Thank you, kamoj, I have installed the beta and the functionality exceeded my expectations. I'm using WireGuard mainly for streaming. Is there a way to assign a different DNS for users going through the VPN?

On another subject, I modified the dnsmasq configuration to assign different DNS and gateways to devices I tag by MAC address, but for some reason it's not working. Below is my configuration (I used to do this on Tomato and DD-WRT):
Netgear (and Voxel) firmware use udhcpd for DHCP and that doesn't support the tagging features.

A workaround you could use: if the devices that need to use a different DNS have a fixed IP address, then you could use iptables rules to force them to use a different DNS.

Code:
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -p udp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -p tcp --dport 53 -j DNAT --to 8.8.8.8:53

put the commands in /opt/scripts/firewall-start.sh
(or if you use kamoj's add-on and also use adguardhome, then place them in a script in /opt/scripts, with a name that starts with firewall-start and is alphabetically higher than firewall-start-adguardhome.sh. so for example firewall-start--vpndnsredirect.sh (i.e. a double dash, which comes before "dash a"))
(and don't forget to make the script executable)

disadvantage: using these rules you can only redirect to 1 DNS server -> if that goes down, then you have no working dns.

alternative:
say you configure everything via DHCP with DNS servers 1.2.3.4 and 5.6.7.8
then you could also have these iptables rules:

Code:
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 1.2.3.4 -p udp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 5.6.7.8 -p udp --dport 53 -j DNAT --to 8.8.4.4:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 1.2.3.4 -p tcp --dport 53 -j DNAT --to 8.8.8.8:53
iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 5.6.7.8 -p tcp --dport 53 -j DNAT --to 8.8.4.4:53
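To make the difference between the two rule sets concrete without touching a live router, here is an added example (my own code, not R. Gerrits' or the add-on's) that parses both sets of `iptables` commands from the post above and evaluates them with netfilter's first-match semantics against a single DNS query. It shows why the single-target variant leaves the client with one upstream only, while the per-destination variant keeps the client's own failover between the two DHCP-advertised resolvers working. The addresses are the post's own placeholders; `parse_rule`, `rewritten_destination` and `upstreams_reachable` are names I chose.

```python
import shlex

# Rule sets copied from the post above. 192.168.1.4 is the client with a fixed
# address, 1.2.3.4 / 5.6.7.8 are the resolvers handed out by DHCP, and the
# 8.8.8.8 / 8.8.4.4 targets are the post's example redirect destinations.
SINGLE_TARGET = [
    "iptables -w -t nat -A PREROUTING -s 192.168.1.4 -p udp --dport 53 -j DNAT --to 8.8.8.8:53",
    "iptables -w -t nat -A PREROUTING -s 192.168.1.4 -p tcp --dport 53 -j DNAT --to 8.8.8.8:53",
]
PER_DESTINATION = [
    "iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 1.2.3.4 -p udp --dport 53 -j DNAT --to 8.8.8.8:53",
    "iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 5.6.7.8 -p udp --dport 53 -j DNAT --to 8.8.4.4:53",
    "iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 1.2.3.4 -p tcp --dport 53 -j DNAT --to 8.8.8.8:53",
    "iptables -w -t nat -A PREROUTING -s 192.168.1.4 -d 5.6.7.8 -p tcp --dport 53 -j DNAT --to 8.8.4.4:53",
]


def parse_rule(cmd):
    """Pick the match options and the DNAT target out of one iptables command line."""
    toks = shlex.split(cmd)
    rule, i = {}, 0
    while i < len(toks):
        if toks[i] in ("-s", "-d", "-p", "--dport", "-j", "--to"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # -w, -t nat, -A PREROUTING carry no match information
    return rule


def matches(rule, pkt):
    """A rule matches when every option it specifies agrees with the packet."""
    return (rule.get("-s", pkt["src"]) == pkt["src"]
            and rule.get("-d", pkt["dst"]) == pkt["dst"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"])


def rewritten_destination(rules, pkt):
    """Destination after PREROUTING: the first matching DNAT wins, otherwise unchanged.

    Real netfilter consults the nat table only for the first packet of a
    connection; this simulator treats each query as its own connection.
    """
    for rule in map(parse_rule, rules):
        if rule.get("-j") == "DNAT" and matches(rule, pkt):
            return rule["--to"]
    return f"{pkt['dst']}:{pkt['dport']}"


def upstreams_reachable(rules, src, advertised, proto="udp"):
    """Distinct upstream resolvers a client ends up at when it tries each advertised server."""
    return sorted({
        rewritten_destination(rules, {"src": src, "dst": d, "proto": proto, "dport": 53})
        for d in advertised
    })


if __name__ == "__main__":
    advertised = ["1.2.3.4", "5.6.7.8"]
    print("single target :", upstreams_reachable(SINGLE_TARGET, "192.168.1.4", advertised))
    print("per destination:", upstreams_reachable(PER_DESTINATION, "192.168.1.4", advertised))
    print("other client   :", upstreams_reachable(PER_DESTINATION, "192.168.1.5", advertised))
```

With the single-target rules every query from the client lands on 8.8.8.8 whichever resolver it tried, so a dead 8.8.8.8 means no DNS at all; with the per-destination rules the client's normal retry against its second resolver reaches a second upstream.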
 
  2. Have you tried it with NSS switched off?
    (For me it's working even with NSS off, but I know e.g. @R. Gerrits says NSS must be off for some reason,
    and I trust him very much. So I suggest you try to switch off NSS).

also just spotted a minor thing that could mess up the statistics:
if you have kill-switch enabled, then firewall-start-openvpnkillswitch.sh or firewall-start-wireguard_killswitch.sh is executed after firewall-start-bwusage.sh.

If you also have the option "No Killswitch for Bypass devices" enabled, then the "jump to br0_fwd" rules for bypassed devices, are inserted BEFORE the RRDIPT rule, and thus no longer counted by that rule.

This happens every time the firewall is reloaded.
It seems that one of your cronjobs eventually fixes it, but depending on how often you check it, the BW monitoring might occasionally miss some data for some time.

quick workaround: rename the script to for instance firewall-start-z-bwusage.sh to ensure that it runs after firewall-start-wireguard_killswitch.sh and before firewall-start.sh
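Both of R. Gerrits' ordering points, the script naming in the DNS-redirect post earlier (a name sorting before firewall-start-adguardhome.sh) and the bwusage rename here, come down to two checks a practitioner can script: the order the firewall-start scripts run in, and whether any bypass jump sits above the accounting rule in the FORWARD chain. The following added example (my own code, not the add-on's) does both. It assumes the scripts run in bytewise (C-locale) sorted order, as a shell glob on the router gives; the FORWARD chain contents are constructed in `iptables -S` notation from the post's description, using only the chain names RRDIPT and br0_fwd that the post mentions, and `run_order`, `runs_between` and `uncounted_bypass_sources` are names I chose.

```python
# Script names from the posts above (the files live in /opt/scripts on the router).
FIREWALL_SCRIPTS = [
    "firewall-start.sh",
    "firewall-start-adguardhome.sh",
    "firewall-start-bwusage.sh",
    "firewall-start-openvpnkillswitch.sh",
    "firewall-start-wireguard_killswitch.sh",
]


def run_order(names):
    """Assumed execution order: bytewise sort, which is what a C-locale shell glob yields."""
    return sorted(names)


def runs_between(names, script, after, before):
    """True when `script` runs later than `after` and earlier than `before`."""
    order = run_order(names)
    return order.index(after) < order.index(script) < order.index(before)


# Constructed FORWARD chain in `iptables -S FORWARD` notation, modelled on the
# post: the killswitch script inserted the br0_fwd jumps for two bypass
# devices (addresses made up) above the RRDIPT accounting rule.
AFTER_RELOAD = [
    "-A FORWARD -s 192.168.1.50/32 -j br0_fwd",
    "-A FORWARD -s 192.168.1.51/32 -j br0_fwd",
    "-A FORWARD -j RRDIPT",
    "-A FORWARD -i br0 -o tun0 -j ACCEPT",
]
# Same rules with the accounting jump restored to the top, as after the rename.
AFTER_FIX = ["-A FORWARD -j RRDIPT"] + AFTER_RELOAD[:2] + AFTER_RELOAD[3:]


def _field(tokens, flag):
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def uncounted_bypass_sources(forward_rules, counter="RRDIPT", bypass="br0_fwd"):
    """Sources whose traffic jumps to the bypass chain before the accounting rule sees it.

    Walk the chain top-down; once the jump to the accounting chain is reached,
    every later rule is counted. Bypass jumps met before that point are the
    flows the bandwidth statistics will miss.
    """
    uncounted = []
    for rule in forward_rules:
        toks = rule.split()
        target = _field(toks, "-j")
        if target == counter:
            break
        if target == bypass:
            uncounted.append(_field(toks, "-s").split("/")[0])
    return uncounted


if __name__ == "__main__":
    print("run order:", run_order(FIREWALL_SCRIPTS))
    renamed = [n if n != "firewall-start-bwusage.sh" else "firewall-start-z-bwusage.sh"
               for n in FIREWALL_SCRIPTS]
    print("renamed run order:", run_order(renamed))
    print("uncounted after reload:", uncounted_bypass_sources(AFTER_RELOAD))
    print("uncounted after fix   :", uncounted_bypass_sources(AFTER_FIX))
```

To check a real box, paste the output of `iptables -S FORWARD` into `uncounted_bypass_sources` line by line; any address it returns is bypass traffic the meter is not seeing until the next cron run repairs the order.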
 
Thank you again, you are very clever indeed.:cool:
The add-on would never be what it is without your help.

As one way of showing my gratitude, I've added your "reverse VPN/bypassing thing" for test in next release.
https://www.snbforums.com/threads/is-the-limit-of-vpn-client-39-on-kamoj.73384/post-697773

If it's working OK, I'll add a GUI for it, improve after your review, and clean-up in another release.

I also added the use of an nvram variable to set up interfaces that bypass the VPN.

I used nvram to make settings persistent even after @Voxel firmware update.

Code:
#Set up which IP-addresses that shall go via VPN, by adding them to an nvram variable
#(to survive router firmware updates). Separate the IPs with a space character:
nvram set kamoj_ips_to_vpn="192.168.1.10 192.168.1.99 192.168.1.100" && nvram commit

#Switch on "reverse bypassing":
nvram set kamoj_reverse_bypass_vpn=1 && nvram commit
addon_bypassvpnip.sh force


#Set up which interfaces that shall bypass the VPN, by adding them to an nvram variable.
#Separate the interfaces with a space character:
nvram set kamoj_interfaces_to_bypass_vpn="tun0" && nvram commit
addon_bypassvpnip.sh force

also just spotted a minor thing that could mess up the statistics:
if you have kill-switch enabled, then firewall-start-openvpnkillswitch.sh or firewall-start-wireguard_killswitch.sh is executed after firewall-start-bwusage.sh.

If you also have the option "No Killswitch for Bypass devices" enabled, then the "jump to br0_fwd" rules for bypassed devices, are inserted BEFORE the RRDIPT rule, and thus no longer counted by that rule.

This happens every time the firewall is reloaded.
It seems that one of your cronjobs eventually fixes it, but depending on how often you check it, the BW monitoring might occasionally miss some data for some time.

quick workaround: rename the script to for instance firewall-start-z-bwusage.sh to ensure that it runs after firewall-start-wireguard_killswitch.sh and before firewall-start.sh
 
