
Aegis 1.7.0 beta


1.7.0b5

Upgrade from terminal only:
Code:
aegis unset
aegis upgrade -repo=beta

Then either from CLI:
Code:
aegis up -v
Or from web: COMMAND -> Shield up; but please, if you had the web page already open, reload it before anything else (because the one loaded in the web browser is the previous version).

@R. Gerrits please, tell me if it is now ok for you.
If not, I will PM you to activate the debug mode.

PS: postponing switch from beta to stable a little to check if all is ok with this version.
 
Also, the first error is like the unset was not taken into account. Do you remember (if you tried) if the aegis CLI gave you the same output for status?

I released 1.7.0b5, I will post about it here.
I didn't check the status via CLI.

just upgraded to 1.7.0b5

Status @ 2021-02-25 18:58:09 (router time)

  • Problems found!
  • Aegis shield is up for: WAN interface (brwan).
  • Blocking a total of 619579284 IP addresses (global: 619579284, WAN only: 0).
  • Bypassing 1 IP addresses (global: 1, WAN only: 0).
  • Logging is enabled.

Problems

  • directives: there are no blocking directives!
  • VPN: tunnel changed from '' to 'tun21' since aegis was upreared!
  • VPN: tunnel subnet range changed from to since aegis was upreared!
  • logd: log daemon was started but is not running!
 
Thanks.

Question: do you start VPN after you launch aegis?
That would explain it.
Seems like tun21 was not existing when aegis was launched.

Also, do you in any way delete and rebuild the iptables after aegis is launched? Maybe when the VPN is launched? That would explain the log daemon crash.

Aegis should be started last.
What is/are your firewall-start.sh script(s)?
 
VPN was already started when I removed, upgraded and restarted.

I have these firewall scripts:
Code:
/opt/scripts$ ls -al firewall-start* 
-rwxr-xr-x    1 root     root          130 Feb  6 16:42 firewall-start-adguardhome.sh
-rwxr-xr-x    1 root     root          124 Feb  6 16:42 firewall-start-bwusage.sh
-rwxr-xr-x    1 root     root         2508 May 27  2020 firewall-start-bypassvpnports.sh
-rwxr-xr-x    1 root     root           86 Oct 31 14:02 firewall-start-killswitch-bittorent.sh
-rwxr-xr-x    1 root     root          118 Feb  6 16:43 firewall-start-openvpnkillswitch.sh
-rwxr-xr-x    1 root     root          148 Feb  3 22:48 firewall-start-route_to_other_net.sh
-rwxr-xr-x    1 root     root         1195 Feb 25 18:57 firewall-start.sh
and firewall-start.sh (which should normally be started last) has these last two lines:
# Bolemo aegis
[ -x /opt/bolemo/scripts/aegis ] && /opt/bolemo/scripts/aegis _fws


Perhaps better continue the discussion via PM?
 

I already found 1 issue:
When I run it from commandline, then it uses /opt/bin/ps -w to detect openvpn.
Somehow, on my installation, ps from entware only returns 2 processes.

Changing the TUN_IF detection line to use /bin/ps -w fixes my VPN issue.

Only these remain:
  • directives: there are no blocking directives!
  • logd: log daemon was started but is not running!
 
Ok, I try to always use /bin /sbin /usr/... to prevent differences between firmware and Entware if installed (to prevent exactly what happened here). This TUN_IF detection has been there since the early days of Aegis, and I never went back to add the full path since then. Thank you for finding this :) and I will definitely change it.
Weird thing is when called from the status argument, it finds TUN_IF, but not when called during uprearing (building rules...).

The directives error is from a status code I changed today, and another user had the same thing. I just need to tweak it, not a big or complicated issue.

The logd error is more tricky. The daemon copies anything related to aegis from log-messages to its own log-aegis file. It rotates the file and checks if the aegis iptables logging rules are present. If not, it exits (no need to keep it running if iptables is not logging anymore).
Seems like it is what happens, and the daemon thinks logging rules are not there and quits. To be sure, we can activate the debug mode that will output all kind of debug code from aegis and log daemon. Will PM you about that.
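An added example, not Aegis's own code, of the full-path ps detection discussed in the last two posts: the tunnel interface is read from a ps -w listing taken from the firmware's /bin/ps rather than whatever ps is first on PATH. The awk parsing of a "--dev tunNN" argument and the sample listing are my assumptions, not how Aegis does it.

```shell
#!/bin/sh
# Added example (not Aegis code): find the OpenVPN tunnel interface from a
# process listing, calling the firmware's /bin/ps by full path so that an
# Entware /opt/bin/ps that shows only a couple of processes is never used.

# Parse one "ps -w" listing read from stdin and print the interface named by
# the first openvpn command line carrying "--dev tunNN" (assumption: the
# interface is given as a CLI flag, not only inside the .conf file).
tun_if_from_ps() {
    # awk: on each line mentioning openvpn, scan the arguments for "--dev"
    # followed by a tunNN name and print the first match, then stop.
    awk '
        /openvpn/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dev" && $(i+1) ~ /^tun[0-9]+$/) { print $(i+1); exit }
        }'
}

# Live wrapper: full path to the firmware ps, empty output when not found.
detect_tun_if() {
    /bin/ps -w 2>/dev/null | tun_if_from_ps
}

# Constructed sample listing (not captured from a real router) for offline use.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1368 S    /sbin/init
 2104 root      3412 S    /usr/sbin/openvpn --config /tmp/client1.conf --dev tun21 --daemon
 2311 root      1216 S    /opt/bin/ps -w'

# Runs the parser over the constructed listing; prints "tun21".
demo_tun_if() {
    printf '%s\n' "$SAMPLE_PS" | tun_if_from_ps
}
```

In a firewall script the result would be used as TUN_IF=$(detect_tun_if) and treated as "no tunnel yet" when empty, which is exactly the state reported when the VPN starts after aegis.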
 
1.7.0b6

Fixed the VPN bug encountered by @R. Gerrits (related to ps)
Fixed the wrongly reported problem: no blocking directives
Fixed the /32 subnet error (IP without CIDR reported as different than IP with /32 CIDR)

Same upgrade procedure (from CLI, unset, upgrade with beta repo, up)
 
1.7.0b7

Fixed the wrongly reported problem: no blocking directives when shield is down.
Added full path for some binaries used in aegis just in case a weird or different (from firmware) version would be on a system.

Still not fixing the logd bug encountered by @R. Gerrits , but we are making progress on that, and it seems to only affect his setup so far.
 
Info: found a status bug when logging is showing as enabled even if it is disabled.

It is already corrected and will be in next beta release.
 
1.7.0b8

Worked on the logging daemon, after understanding the problem @R. Gerrits encountered: in rare cases it does not exit (if its /var/run/ PID file is missing). Now, if the PID file is missing or the daemon has a different PID, it automatically exits, and should provoke any double daemon running to exit as well.

The basic logging status is more accurate (could say enabled when it was not), and will say defective if either logd or iptables logging rules are missing.

It seems that 1.7.0 beta is getting stable. I will release 1.7.0 as normal (non beta) soon (1 to 3 days).
 