Custom firmware build for R9000/R8900 v. 1.0.4.38HF


Voxel

Very Senior Member
Continuation of:

https://www.snbforums.com/threads/custom-firmware-build-for-r9000.40125/
. . .
https://www.snbforums.com/threads/custom-firmware-build-for-r9000-r8900-v-1-0-4-35hf.59904/
https://www.snbforums.com/threads/custom-firmware-build-for-r9000-r8900-v-1-0-4-36hf.60635/

New version of my custom firmware build: 1.0.4.38HF.

Changes (vs 1.0.4.37HF):

1. WireGuard client support is added (tested with Integrity VPN, thanks to KW.).
2. net-wall firewall is changed to support WireGuard client.
3. hotplug2 package is changed to support automatic WireGuard client config copy from USB drive.
4. wireguard package is upgraded 0.0.20191226->0.0.20200121.
5. wireguard-tools package is upgraded 1.0.20191226->1.0.20200121.
6. ubus package is upgraded 2019-12-27->2020-01-05.
7. e2fsprogs package is upgraded 1.44.5->1.45.5.
8. curl package is upgraded 7.67.0->7.68.0.
9. DNSCrypt Proxy v.2 build scheme is changed (compilation by Go, dynamic GCC libs). Should work faster.
10. libubox package is upgraded 2019-12-28->2020-01-20.
11. Default ReadyCLOUD version is upgraded to 20190805.
12. Host tools (e2fsprogs) are upgraded to 1.45.5.
13. Host tools (bison) are upgraded to 3.5.

Changes (1.0.4.37HF vs 1.0.4.36HF):

1. WireGuard package is upgraded 20191212->20191226 (plus changes in build tree).
2. OpenSSL v. 1.0.2 package is upgraded 1.0.2t->1.0.2u.
3. uci package is upgraded 2019-11-14->2019-12-12.
4. libubox package is upgraded 2019-11-24->2019-12-28.
5. ubus package is upgraded 2018-10-06->2019-12-27.
6. DNSCrypt Proxy v.2 is upgraded 2.0.35->2.0.36.
7. unbound package (used in stubby) is upgraded 1.9.5->1.9.6.
8. logrotate package is upgraded 3.8.1->3.15.0.
9. ffmpeg package is upgraded 3.4.6->3.4.7.

The link is:

https://www.voxel-firmware.com (thanks to vladlenas for his help with hosting).


WireGuard client:

To start using it you should

1. Prepare a text file named wireguard.conf defining the following values: EndPoint, LocalIP, PrivateKey, PublicKey and Port, taken from the WireGuard client config you received from your WG provider.

Example:
------------------------- cut here ---------------------------------------
EndPoint="wireguard.5july.net"
LocalIP="10.0.xxx.xxx"
PrivateKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
PublicKey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX="
Port="48574"
------------------------- cut here ---------------------------------------

NOTE: no spaces before/after "=" symbol in example above.
NOTE: the name of the file wireguard.conf is lowercase.

2. Place this wireguard.conf file in the root of a USB flash drive (FAT, NTFS or EXT2/3/4).

3. Insert this flash drive into your R9000/R8900.

4. Log in to your router by telnet and set the nvram variable wg-client to 1:

Code:
nvram set wg-client=1
nvram commit

5. Reboot your router.

NOTE: to disable starting the WireGuard client, just set wg-client to "0" and reboot the router.
NOTE: the USB drive with the file wireguard.conf should not be left attached to your router: the file will be copied again and again after every router reboot. Remove it after you have the WG client working.

P.S. Also you can just create the file /etc/wireguard.conf manually w/o USB drive...

Voxel.
 
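A pre-flight check for the wireguard.conf described in the post above, added here as an example for this thread (it is not code from Voxel's firmware or its hotplug2 script). It verifies the lowercase file name, the five expected keys, the no-spaces-around-"=" rule, the 44-character base64 form of the keys, and that the XXXX/xxx placeholders from the example were replaced; treating LocalIP as dotted IPv4 with an optional /prefix is my assumption.

```shell
#!/bin/sh
# Pre-flight check for Voxel's wireguard.conf (key="value" lines). Added example for this
# thread, not firmware code. Usage: sh check_wgconf.sh /path/wireguard.conf  (exit 0 = ok)
REQUIRED="EndPoint LocalIP PrivateKey PublicKey Port"

check_wgconf() {
    f=$1; rc=0; seen=""
    # the copy-from-USB step looks for this exact lowercase name in the drive's root
    [ "$(basename "$f")" = "wireguard.conf" ] || { echo "file must be named wireguard.conf (lowercase)"; rc=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        case "$line" in
            *' ='*|*'= '*) echo "spaces around '=': $line"; rc=1; continue ;;
            *=*) ;;
            *) echo "not a key=\"value\" line: $line"; rc=1; continue ;;
        esac
        key=${line%%=*}; val=${line#*=}
        val=${val#\"}; val=${val%\"}          # strip the surrounding double quotes
        case " $REQUIRED " in
            *" $key "*) seen="$seen $key" ;;
            *) echo "unknown key: $key"; rc=1; continue ;;
        esac
        case "$key" in
            PrivateKey|PublicKey)   # 32 bytes base64 = 43 chars + '='; the XXXX...= placeholder is one repeated char
                printf '%s' "$val" | grep -Eq '^[A-Za-z0-9+/]{43}=$' \
                    || { echo "$key: not a base64-encoded 32-byte key"; rc=1; }
                printf '%s' "$val" | grep -q '^\(.\)\1*=$' \
                    && { echo "$key: example placeholder left in"; rc=1; } ;;
            LocalIP)                # assumption: dotted IPv4 with optional /prefix
                printf '%s' "$val" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
                    || { echo "LocalIP: '$val' is not an IPv4 address (xxx placeholder?)"; rc=1; } ;;
            Port)
                case "$val" in
                    ''|*[!0-9]*) echo "Port: '$val' is not numeric"; rc=1 ;;
                    *) [ "$val" -ge 1 ] && [ "$val" -le 65535 ] || { echo "Port: $val out of range"; rc=1; } ;;
                esac ;;
            EndPoint) [ -n "$val" ] || { echo "EndPoint: empty"; rc=1; } ;;
        esac
    done < "$f"
    for k in $REQUIRED; do
        case " $seen " in *" $k "*) ;; *) echo "missing key: $k"; rc=1 ;; esac
    done
    return $rc
}

# Writes the thread's example into DIR/wireguard.conf with a constructed, format-valid
# dummy key (not a real WireGuard key) so the checker can be exercised offline.
write_sample_conf() {
    key='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopA='
    printf 'EndPoint="wireguard.5july.net"\nLocalIP="10.0.12.34"\nPrivateKey="%s"\nPublicKey="%s"\nPort="48574"\n' \
        "$key" "$key" > "$1/wireguard.conf"
}
if [ "$#" -gt 0 ]; then check_wgconf "$1"; fi
```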

isaki

New Around Here
I've been having major performance problems for my work VPN since upgrading to 1.0.4.37HF (I went from 100-150MBit to about 5MBit, but didn't make the connection that the firmware change was what started this until I upgraded to 38). 1.0.4.38HF has restored my performance and then some (300 MBit as per fast.com). Thank you for the build and for fixing my issues!
 

Voxel

Very Senior Member
Info for Entware users: Entware is upgraded.

It is enough to run:

Code:
/opt/bin/opkg update
/opt/bin/opkg upgrade

to upgrade your version. But it is recommended to install it anew. The reason for the recommendation: the compiler has changed (gcc 7.4.0->gcc 8.3.0).

Voxel.
 

isaki

New Around Here
I have an update on my VPN issue; it has returned on 1.0.4.38HF. To debug further, I put my machine directly on the internet and ran a VPN test; my bandwidth, latency, and practical download speed (I used the Ubuntu 18.04.3 LTS Desktop ISO for this test) were all what I expected (400MBit on fast.com, 6ms latency, pulled the ISO in a minute or two). I restarted the router and ran the same test behind the router with the same results. It seems that after some time the router just slows to a crawl (but only for my VPN traffic); streaming on other devices and large downloads off VPN with the same device all perform at high speed. I suspected QoS, but Dynamic QoS is fully disabled.

I'm not quite sure how to debug further as the logs look clean on the router even when this is happening. I may try rolling back to 1.0.4.36HF to see if it resolves the issue.
 

kamoj

Very Senior Member
I suggest you first look in the OpenVPN log file. Then in the system logs.
I have an update on my VPN issue; it has returned on 1.0.4.38HF. To debug further, I put my machine directly on the internet and ran a VPN test; my bandwidth, latency, and practical download speed (I used the Ubuntu 18.04.3 LTS Desktop ISO for this test) were all what I expected (400MBit on fast.com, 6ms latency, pulled the ISO in a minute or two). I restarted the router and ran the same test behind the router with the same results. It seems that after some time the router just slows to a crawl (but only for my VPN traffic); streaming on other devices and large downloads off VPN with the same device all perform at high speed. I suspected QoS, but Dynamic QoS is fully disabled.

I'm not quite sure how to debug further as the logs look clean on the router even when this is happening. I may try rolling back to 1.0.4.36HF to see if it resolves the issue.
 

isaki

New Around Here
The OpenVPN logs on my local machine are sparse and provide no real insight (I started weeks ago with the assumption the problem was my OpenVPN client; then moved on to my ISP, who assured me everything was fine; then, when a firmware change made the problem go from all the time to sporadic, I started blaming the router). Same with the system logs.

This is reproducible on multiple NICs (wired vs wireless) with the router in play, but not directly on the internet. I have other routers I can try as well and may attempt that later. My next test will be to try a different OpenVPN client to see if I can get better logs. The problem is that this issue is sporadic, so I have to operate for long periods of time. So, I'll report back in a few days with the results of my testing!

It is entirely possible this is not the firmware at all and rather the hardware starting to die. I've had countless issues with my R9000 (this is my second one) that Voxel's firmware has helped mitigate (Netgear's stock firmware is garbage and their support basically just stopped responding to me after a while; the ticket has been open for over a year), but maybe it is time to move on.
 

Jdub1

New Around Here
Hi, I want to thank Voxel for the great work to support this router. I just installed and things seem to be working fine. May I ask if there is a prerequisite to install this firmware? I saw NG just released a hotfix 1.0.5.12 a few days ago so how do I get that hotfix with Voxel? Do I go back to 1.0.5.12 followed by flashing latest Voxel again to get the hotfix?
 

L&LD

Part of the Furniture
@Jdub1, when you flash the firmware you want to use, it doesn't/shouldn't inherit features/properties of previous firmware.

And more than likely, to have a third party firmware behave as expected, a full reset to factory defaults is usually required coming from the stock firmware. Followed by a minimal and manual configuration to secure the router and connect to your ISP. A saved backup config file is not recommended, as it will negate all the good the full reset tried to accomplish (and what it accomplishes is getting your router to a good/known state).
 

Voxel

Very Senior Member
I saw NG just released a hotfix 1.0.5.12 a few days ago so how do I get that hotfix with Voxel?
Such hotfixes are marked by NG as "Beta" and thus there are no source codes. It is not included in my fw.

The "issue" covered by this hotfix is described here:

https://www.snbforums.com/threads/browser-cert-error-when-accessing-voxel-web-ui.61456/#post-544596

As far as I understand (if I am not mistaken) NG has replaced the HTTPS certificate with a home-made self-signed certificate. So I do not see any reason to proceed with this. Better to have even a revoked certificate than a self-signed one. The remedy (to avoid browser warnings) is in the link above.

Voxel.
 

Jdub1

New Around Here
Thanks for the explanations :)..

I do have another problem that maybe you guys can help with. My LAN subnet is 192.168.8.x, but when I VPN into the router using OpenVPN clients on Android tablets/phones, the subnet changes to 192.168.9.x, so I cannot access my LAN due to the different subnet. How do you resolve such problems? I can remotely manage the R9000 web UI, but I want to manage my NAS box, which is on 192.168.8.x. I can port forward the NAS box, but I prefer it to be accessible from the LAN only.

Any insight or help there? Thanks
 

Killhippie

Senior Member
Such hotfixes are marked by NG as "Beta" and thus there are no source codes. It is not included in my fw.

The "issue" covered by this hotfix is described here:

https://www.snbforums.com/threads/browser-cert-error-when-accessing-voxel-web-ui.61456/#post-544596

As far as I understand (if I am not mistaken) NG has replaced the HTTPS certificate with a home-made self-signed certificate. So I do not see any reason to proceed with this. Better to have even a revoked certificate than a self-signed one. The remedy (to avoid browser warnings) is in the link above.

Voxel.
Quote from The Register, Voxel.

"Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment's web-based admin interfaces.

Specifically, valid, signed TLS certificates with private keys were embedded in the software, which was available to download for free by anyone, and also shipped with Netgear devices. This data can be used to create HTTPS certs that browsers trust, and can be used in miscreant-in-the-middle attacks to eavesdrop on and alter encrypted connections to the routers' built-in web-based control panel"

https://www.theregister.co.uk/2020/01/20/netgear_exposed_certificates/
 

Voxel

Very Senior Member
Quote from The Register, Voxel.

"Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment's web-based admin interfaces.

Specifically, valid, signed TLS certificates with private keys were embedded in the software, which was available to download for free by anyone, and also shipped with Netgear devices. This data can be used to create HTTPS certs that browsers trust, and can be used in miscreant-in-the-middle attacks to eavesdrop on and alter encrypted connections to the routers' built-in web-based control panel"

https://www.theregister.co.uk/2020/01/20/netgear_exposed_certificates/
Thank you. Anyway, I do not see any reason for panic with these leaked certificates. They are valid and could only be used for the domains (www.)routerlogin.net and (www.)routerlogin.com. The dnsmasq package in NG routers hijacks the requests of the gadgets in your LAN and redirects all requests to routerlogin.com/routerlogin.net to the IP of your router.

So, they (the HTTPS certificates) are valid in your LAN only. If you access your router externally (remote control, from the Internet) you cannot use a routerlogin.com/routerlogin.net HTTPS connection, so you will get the error/warning message of your browser. And I would not advise using remote access to your router's GUI from the Internet. At all. There are many more other possibilities and security holes through which it could be hacked than the leaked certificates.

The only case is if you have a very professional hacker (a member of your family?) inside your home LAN who wants to hack/intercept your connection to the router's GUI. But believe me, there are other, simpler ways to hack your router and control it if a real hacker is already connected to your LAN...

[Edited]

I'd rather say that this is a problem of the NG sites, not of the owners of NG routers. Because if the DNS of your router is not working properly you will be directed to the real site owned by NG, i.e. routerlogin.net or routerlogin.com. And these sites are under phishing attack...

Voxel.
 

Killhippie

Senior Member
Thank you. Anyway, I do not see any reason for panic with these leaked certificates. They are valid and could only be used for the domains (www.)routerlogin.net and (www.)routerlogin.com. The dnsmasq package in NG routers hijacks the requests of the gadgets in your LAN and redirects all requests to routerlogin.com/routerlogin.net to the IP of your router.

So, they (the HTTPS certificates) are valid in your LAN only. If you access your router externally (remote control, from the Internet) you cannot use a routerlogin.com/routerlogin.net HTTPS connection, so you will get the error/warning message of your browser. And I would not advise using remote access to your router's GUI from the Internet. At all. There are many more other possibilities and security holes through which it could be hacked than the leaked certificates.

The only case is if you have a very professional hacker (a member of your family?) inside your home LAN who wants to hack/intercept your connection to the router's GUI. But believe me, there are other, simpler ways to hack your router and control it if a real hacker is already connected to your LAN...

[Edited]

I'd rather say that this is a problem of the NG sites, not of the owners of NG routers. Because if the DNS of your router is not working properly you will be directed to the real site owned by NG, i.e. routerlogin.net or routerlogin.com. And these sites are under phishing attack...

Voxel.
Netgear's workaround was just to use http or the app for the router, so I think you are correct. I just wanted to mention what I had read in case it helped, Voxel.
 

Stan Dragos Cristian

New Around Here
Hello,

First of all thank you for this great firmware ! Very nice job.

1. You have a little typo in the guide at Chapter 4 (Setup Entware) / step 5 - "Reboot router again. After this use “/opt/bin/pkg update”" -- missing an o from opkg :)

2. Installed packages can't be launched without specifying the full working directory? I.e. I installed iftop --> /opt/bin/opkg install iftop, but if I try to run it (iftop) I get: -ash: iftop: not found. Instead I need to run /opt/bin/iftop for it to work.

Thanks.
Dragos
 

Jdub1

New Around Here
Any help from fellow mates how to resolve such problem?
I've been googling and not much help there ;)

Thanks for the explanations :)..

I do have another problem that maybe you guys can help with. My LAN subnet is 192.168.8.x, but when I VPN into the router using OpenVPN clients on Android tablets/phones, the subnet changes to 192.168.9.x, so I cannot access my LAN due to the different subnet. How do you resolve such problems? I can remotely manage the R9000 web UI, but I want to manage my NAS box, which is on 192.168.8.x. I can port forward the NAS box, but I prefer it to be accessible from the LAN only.

Any insight or help there? Thanks
 

Voxel

Very Senior Member
Any help from fellow mates how to resolve such problem?
I've been googling and not much help there ;)
It is necessary to make some tests. In your case I think the following should be changed:

1. Add a line to your ovpn file for iPhone/Android, something like

route 192.168.8.0 255.255.255.0 192.168.9.1

2. Most probably changes in the iptables rules of your router (/opt/scripts/firewall-start.sh, see my README), something like

# blanket accept inserted at the top of FORWARD; the two tun0/br0 rules below are the narrower form of the same idea
iptables -I FORWARD -j ACCEPT
# VPN clients (tun0) may open connections into the LAN (br0)
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT
# LAN replies back to the tunnel, only for connections already seen
iptables -A FORWARD -i br0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT in both directions (the original tun0 line had no -j target; MASQUERADE added to match the br0 line)
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE


Just theoretical ideas. I am sorry, but I cannot check this in practice now, nor in the near future...

Voxel.
 

lateparty

Occasional Visitor
Thanks again Voxel for your continued support of this custom firmware! Going to update to this in a few days after I donate, but just wanted to throw out some suggestions that I use in my home network.
  1. To avoid using Netgear's certificates, I have a custom router.subdomain.com URL forward to my NGINX reverse proxy which sits on another box in my LAN to use my own certs which I trust.
  2. I run a personal Wireguard server on another network device that runs OpenWRT in my LAN and made a guide that should be pretty portable to this release for anyone that wants to VPN back home, to effectively "automate" the client creation process - https://www.reddit.com/r/WireGuard/comments/eo33pw/automating_peer_creation_on_openwrt_via_cli/ - Please take note of my added comment at the end. I found an interesting feature in Wireguard after implementing the script and included the changes required to make it work for multiple clients
Cheers,
lateparty
 

Voxel

Very Senior Member
Thanks again Voxel for your continued support of this custom firmware! Going to update to this in a few days after I donate, but just wanted to throw out some suggestions that I use in my home network.
  1. To avoid using Netgear's certificates, I have a custom router.subdomain.com URL forward to my NGINX reverse proxy which sits on another box in my LAN to use my own certs which I trust.
  2. I run a personal Wireguard server on another network device that runs OpenWRT in my LAN and made a guide that should be pretty portable to this release for anyone that wants to VPN back home, to effectively "automate" the client creation process - https://www.reddit.com/r/WireGuard/comments/eo33pw/automating_peer_creation_on_openwrt_via_cli/ - Please take note of my added comment at the end. I found an interesting feature in Wireguard after implementing the script and included the changes required to make it work for multiple clients
Cheers,
lateparty
WG: Thanks. Will check.

Certificates: But the use of other certificates cannot help other users...

Voxel.
 
