Kamoj Kamoj Addon 5.5 Beta for Netgear R7800/R8900/R9000 with Voxel FW - Continuation

[matttt22]

Hi @kamoj,

Since the last thread is locked I figured I would start a new one to report back on using the Kamoj addon as well as add a couple questions.

I wanted to say thank you so much for all your hard work on this add on. I have been using @Voxel's firmware for a few months and along with your add in, this has significantly improved the functionality of my R7800 router and makes things significantly easier to configure than using the command line.

Most of the settings, checkboxes, and buttons are pretty self explanatory and I was able to get Wireguard setup pretty quickly and initiate a tunnel. The only thing I am currently struggling with is doing a split tunnel with Wireguard where I want it to only route traffic over the VPN based on destination subnet. I know routing can be done by device in the VPN Bypassing menu and found this post where I can do a reverse bypass https://www.snbforums.com/threads/k...ear-r7800-x4s-and-r9000-x10.60590/post-788646 but I am not sure if this will work for destination IPs/Subnets and haven't had a chance to test it yet.

Does anyone have any recommendations on how to do a split VPN tunnel based on destination IPs/Subnet (as opposed to originating IPs/Devices)? In other words I want to route ALL devices over the VPN ONLY if its destination is a specific subnet ex. 10.200.200.0/24. All other traffic should be going to the default route (WAN).

I also wanted to provide a bit of feedback so-far on where I am at including the Features I must-have, nice-to-haves. and don't need. This is not to say others won't find these features useful to them but just thought I would share what I, personally, found especially useful to me.

Feature I Love (must-haves)

• Wireguard Client - This is the single most important feature for me. While it slower than OpenVPN (120 Mbps vs > 80 Mbps) on this router, it suits my needs as I am mainly using it to connect to a Pihole instance in Google cloud. All other internet traffic is routed out the WAN (no VPN). This is how I found the Voxel addin in the first place, looking for a solution to add Wireguard to my router. The fact this can be configured in the UI makes it significantly easier.

Feature I Love (Nice-to-have)

• Disable Router GUI timeout- I absolutely love this setting. The only reason I put it in the "nice-to-have" category is because I would still use the addin without this feature. It's so annoying trying to configure things and get timed out and have to sign in again.
  • Enhancement Request - It would be nice if the timeout was configurable. Ex. Increase it to 30 or 60 minutes, this way it will still log you our for security reasons.
• OpenVPN - While I am not currently using this, it is great to be able to use the router as a Client. I like having the option for this as the router only include a server (which very limited functionality as a server within the UI)
• Wake-On-LAN (WOL) - Not using currently, but have used in the past. This makes it so I don't need to download a WOL client to my computer to send a WOL packet.
• Allow SSH login with Username & Password - SSH is easier to connect to and more secure. However, I have not figured out how to elevate privileges yet since sudo is not installed. Has anyone installed sudo or recommend another method to obtain elevated privileges when using SSH?
• Allow SSH access from wan (Internet) - I am not currently using this, but it has been a useful feature for me in the past when trying to setup site-to-site VPN to a remote host over the internet. It makes it easy to configure VPN remotely without risking loosing access.
• Enable Telnet after boot - This one is great! Since initial configuration requires several reboots, its very annoying having to re-enable Telnet every time.

Features That I do not, personally use

• Transmission - Since I have a NAS that does this - but I can see there is already a checkbox is "Disable Transmission"
• Adguard - Since I use pihole in Google cloud instead

Potential (Minor) Bugs -Nighthawk(R) X4S R7800BASICADVANCEDRouter Firmware Version (Voxel) V1.0.2.111SF - Kamoj Add-on V5.5b44

• Screen stays on previous hidden menu while Emule Server screen loads
  • Go to Hidden Menus -> Any menu other than "Emule Server" ex. Extender Mode
  • Go to Emule Server List Menu
  • Notice the screen stays on that of the previous menu until the page loads.
  • I am not sure if this is expected behavior for it to take this long to load, but it almost looks like the screen is not loading (even though it is in the background)
• Auto-Reboot did not work after Installing Wireguard
  • When I was installing Wireguard, I clicked "Install" checkbox
  • I received a notice that a reboot would be required and I could click Ok to reboot
  • The reboot did not actually occur and I had to perform it manually
  • Note: I already had Wireguard-Tools and Wireguard-Go installed - I am not sure if this had any impact on this but thought I would mention it.

I hope this helps and will continue to update as I continue testing the addin. Again, thank you so much for making such an amazing addin @kamoj !

 

[jberry]

Does anyone have any recommendations on how to do a split VPN tunnel based on destination IPs/Subnet (as opposed to originating IPs/Devices)? In other words I want to route ALL devices over the VPN ONLY if its destination is a specific subnet ex. 10.200.200.0/24. All other traffic should be going to the default route (WAN).

Yes, I believe you can go into kamoj menu --> Settings 2 --> "Create Firewall entries manually (E.g. iptables, ip6tables - Note: A USB device is recommended)"
Enter below #!/bin/sh
ip route add 10.200.200.0/24 via $(nvram get wan_gateway) dev $WAN_IF
I believe when I used this, I was able to VPN bypass whatever in that subnet please try, and someone correct me if I am wrong.

Allow SSH login with Username & Password - SSH is easier to connect to and more secure. However, I have not figured out how to elevate privileges yet since sudo is not installed. Has anyone installed sudo or recommend another method to obtain elevated privileges when using SSH?

Maybe the closest thing is installing entware on the router.

I am using Router Firmware Version (Voxel) V1.0.4.77HF with Kamoj Add-on V5.5b44 on the Netgear R9000.

 

[matttt22]

@jberry thanks for your recommendation!

To make it so that only traffic destined for the 10.200.200.0/24 subnet goes over the VPN tunnel:

1. I switched on reverse bypassing so that all traffic goes via my WAN interface (directly to the internet) nvram set kamoj_reverse_bypass_vpn=1 && nvram commit (see FAQ)
2. (Optional) I set my tun0 adapter to bypass VPN (because I am running the built-in Netgear "VPN Service" OpenVPN server in parallel. This way all this incoming traffic via tun0 will not be outed to the wg0 VPN interface nvram set kamoj_interfaces_to_bypass_vpn=tun0 && nvram commit
3. Then I added a single line to the bottom of the addon_bypassvpnip.sh file: ip route add 10.200.200.0/24 dev wg0 table novpn this way, It will be on the novpn table that gets created when Wireguard is enabled and deleted when Wireguard is turned off.

-----

@kamoj Based on my testing/solution above I can confirm that that the kamoj_reverse_bypass_vpn=1 feature appears to be working great and as-expected. I also tested this by assigning a few local devices/ips to FORCE them over the network by populating the kamoj_ips_to_vpn as well as testing the kamoj_macs_to_vpn fields. Both of these appear to be working as expected!

Suggestions & Feature Requests for any future versions for consideration:

1. You mentioned that you may build the kamoj_reverse_bypass_vpn into the UI after some testing which I would love to see! I think this would be useful to many.
2. I also noticed without kamoj_reverse_bypass_vpn there is the two options in the UI to (1) "Bypass from specified IPs" and (2) "Bypass to specified IP": When kamoj_reverse_bypass_vpn enabled there is the kamoj_ips_to_vpn parameter which is the inverse of (1) "Bypass from specified IPs" however, it would be great if there was also an inverse to (2) "Bypass to specified IP," when reverse bypass is enabled, where you can specify destination addresses that go over the VPN.
3. It would also be nice if, for all the above settings regarding bypassing/not bypassing by IP address, you could also enter them in CDIR notation and/or a range of IPs (instead of one-by-one). However, this is probably not going to be needed by many users of this addon, so i would say if it is a significant effort to implement, it may not be worth it.
4. Maybe instead of "Settings 2" name this menu something more descriptive like "Firewall & Scripts" or "Firewall & Samba Settings"

Overall this is a very solid addon and cannot thank you enough! I can definitely appreciate the work you put into this @kamoj. The fact that I could configure everything in your addon and only need to add a single command to get it to work exactly to my needs says a lot about how well-written and functional this addon is. I can tell you took the time to understand use cases and try to understand all potential use-cases.

----

Additional Observations

DynamicDNS not updating (unable to consistently reproduce) - I am not not even sure if this is Kamoji addon-related since I found several similar issues in the Netgear community form. I also found the exact same issue reported in another SNB thread here where Kamoj addon was being used. Although, this may not have anything to do with this addon, I thought I would report my experience here for some data points.

• I use DynamicDNS with a NO IP account. (I originally set it up as a NETGEAR account and had to switch to a NO IP account after my domain lapsed. I am still using the mynetgear.com domain though.)
• I made an update to add secondary DNS server to point to another DNS server
• The router automatically rebooted and I didn't have internet, after I reset my modem and router together I got a new IP address from my ISP and saw DnyamcDNS didn't update my hostname
• I got the error message "No update action. There is no IP address on the Internet port." when trying to force an update even though I had a public IP address assigned
• I had to change my NO IP password to something incorrect, then switch it back, click Apply and then the DynamicDNS service started working again.
• Looking through the logs, upon bootup, I noticed DynamicDNS ran BEFORE I had a WAN/Public IP address assigned. So I think it's this sequence of events that causes this. But what is weird is it seems to break other subsequent updates as well.
• Another thing that was interesting is I rebooted everything manually again, got a new Public IP address and DynamicDNS worked just fine.

I am using Router Firmware Version (Voxel) V1.0.2.111SF with Kamoj Add-on V5.5b44 on the Netgear R7800.

 

[kamoj]

@jberry thanks for your recommendation!

To make it so that only traffic destined for the 10.200.200.0/24 subnet goes over the VPN tunnel:

1. I switched on reverse bypassing so that all traffic goes via my WAN interface (directly to the internet) nvram set kamoj_reverse_bypass_vpn=1 && nvram commit (see FAQ)
2. (Optional) I set my tun0 adapter to bypass VPN (because I am running the built-in Netgear "VPN Service" OpenVPN server in parallel. This way all this incoming traffic via tun0 will not be outed to the wg0 VPN interface nvram set kamoj_interfaces_to_bypass_vpn=tun0 && nvram commit
3. Then I added a single line to the bottom of the addon_bypassvpnip.sh file: ip route add 10.200.200.0/24 dev wg0 table novpn this way, It will be on the novpn table that gets created when Wireguard is enabled and deleted when Wireguard is turned off.

-----

@kamoj Based on my testing/solution above I can confirm that that the kamoj_reverse_bypass_vpn=1 feature appears to be working great and as-expected. I also tested this by assigning a few local devices/ips to FORCE them over the network by populating the kamoj_ips_to_vpn as well as testing the kamoj_macs_to_vpn fields. Both of these appear to be working as expected!

Suggestions & Feature Requests for any future versions for consideration:

1. You mentioned that you may build the kamoj_reverse_bypass_vpn into the UI after some testing which I would love to see! I think this would be useful to many.
2. I also noticed without kamoj_reverse_bypass_vpn there is the two options in the UI to (1) "Bypass from specified IPs" and (2) "Bypass to specified IP": When kamoj_reverse_bypass_vpn enabled there is the kamoj_ips_to_vpn parameter which is the inverse of (1) "Bypass from specified IPs" however, it would be great if there was also an inverse to (2) "Bypass to specified IP," when reverse bypass is enabled, where you can specify destination addresses that go over the VPN.
3. It would also be nice if, for all the above settings regarding bypassing/not bypassing by IP address, you could also enter them in CDIR notation and/or a range of IPs (instead of one-by-one). However, this is probably not going to be needed by many users of this addon, so i would say if it is a significant effort to implement, it may not be worth it.
4. Maybe instead of "Settings 2" name this menu something more descriptive like "Firewall & Scripts" or "Firewall & Samba Settings"

Overall this is a very solid addon and cannot thank you enough! I can definitely appreciate the work you put into this @kamoj. The fact that I could configure everything in your addon and only need to add a single command to get it to work exactly to my needs says a lot about how well-written and functional this addon is. I can tell you took the time to understand use cases and try to understand all potential use-cases.

----

Additional Observations

DynamicDNS not updating (unable to consistently reproduce) - I am not not even sure if this is Kamoji addon-related since I found several similar issues in the Netgear community form. I also found the exact same issue reported in another SNB thread here where Kamoj addon was being used. Although, this may not have anything to do with this addon, I thought I would report my experience here for some data points.

• I use DynamicDNS with a NO IP account. (I originally set it up as a NETGEAR account and had to switch to a NO IP account after my domain lapsed. I am still using the mynetgear.com domain though.)
• I made an update to add secondary DNS server to point to another DNS server
• The router automatically rebooted and I didn't have internet, after I reset my modem and router together I got a new IP address from my ISP and saw DnyamcDNS didn't update my hostname
• I got the error message "No update action. There is no IP address on the Internet port." when trying to force an update even though I had a public IP address assigned
• I had to change my NO IP password to something incorrect, then switch it back, click Apply and then the DynamicDNS service started working again.
• Looking through the logs, upon bootup, I noticed DynamicDNS ran BEFORE I had a WAN/Public IP address assigned. So I think it's this sequence of events that causes this. But what is weird is it seems to break other subsequent updates as well.
• Another thing that was interesting is I rebooted everything manually again, got a new Public IP address and DynamicDNS worked just fine.

I am using Router Firmware Version (Voxel) V1.0.2.111SF with Kamoj Add-on V5.5b44 on the Netgear R7800.

Thank you very much for starting this thread, and the very useful and constructive feedback!
I'll look at all your suggestions and tips in due Time. At the very moment I'm away from routers.
I have never touched the dynamic DNS thing, but your guess could be right. I've modified a lot of code since it took for granted that there was always access to Internet, and time always synced.
Best regards,
Kamoj