Kamoj Kamoj Add-on 5.1 Beta testing poll

Do you want to beta test Kamoj add-on v5.1b1?

  • No, I don't trust 3rd party software

    Votes: 0 0.0%
  • No, I don't use the Voxel firmware

    Votes: 0 0.0%
  • No, I don't like your add-on

    Votes: 0 0.0%

  • Total voters
    207
found the issue:
Code:
root@R7800:~$ ip route show table novpn
Error: argument "novpn" is wrong: table id value is invalid

and is caused by line 451 in /usr/bin/addon_bypassvpnip.sh :

Code:
  [ "$(grep -c "${novpn}$" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables
should be
Code:
  [ "$(grep -c "${NOVPN_TABLE}" /etc/iproute2/rt_tables)" -eq "0" ] && [ "$(grep -c "^$TID" /etc/iproute2/rt_tables)" -eq "0" ] && echo "$TID $NOVPN_TABLE" >> /etc/iproute2/rt_tables

after changing it, and doing a /usr/bin/addon_bypassvpnip.sh force, the rules are back.

(but I cannot explain why @blueliner managed to solve it by reinstalling the addon... would only work if you first reinstall 5.3b11 and then after reboot upgrade to b12.)
(b11 still was OK, as it had grep -c "novpn$")
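An added example, not the add-on's own code, showing why the b12 check never wrote the table entry, next to a stricter check than the one-word fix above. It assumes `novpn` is unset in the script (which the fix implies); the function names, table id 200 and the sample rt_tables contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: table id 200 and the file contents are constructed sample values.

# b12-style check: $novpn is never set, so the pattern collapses to "$", which
# matches every line. The count is never 0 and the entry is never appended.
add_table_buggy() {
    file=$1; tid=$2; name=$3
    [ "$(grep -c "${novpn}$" "$file")" -eq "0" ] &&
        [ "$(grep -c "^$tid" "$file")" -eq "0" ] &&
        echo "$tid $name" >> "$file"
    return 0
}

# Stricter variant: refuse empty arguments and compare whole fields, so id 20
# does not match 200 and "novpn" does not match "novpn2".
add_table_strict() {
    file=$1; tid=$2; name=$3
    [ -n "$tid" ] && [ -n "$name" ] || return 2
    if awk -v t="$tid" -v n="$name" \
        '$1 !~ /^#/ && ($1 == t || $2 == n) { found = 1 } END { exit !found }' "$file"
    then
        return 0    # id or name already registered, nothing to do
    fi
    echo "$tid $name" >> "$file"
}

# Run both against a throwaway copy of a typical rt_tables file.
demo() {
    f=$(mktemp)
    printf '255 local\n254 main\n253 default\n0 unspec\n' > "$f"
    add_table_buggy "$f" 200 novpn
    buggy=$(grep -c 'novpn' "$f" || true)
    add_table_strict "$f" 200 novpn
    add_table_strict "$f" 200 novpn     # second call must not add a duplicate
    strict=$(grep -c 'novpn' "$f" || true)
    rm -f "$f"
    echo "after buggy check: $buggy entries, after strict check: $strict entries"
}

demo
```

Without the table name in rt_tables, `ip route show table novpn` fails exactly as in the output quoted at the top of the post.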

Good job digging deeper into this...thanks for the details! I was curious and double-checked my bypassed devices. The bypass is working properly. Now that I think about it, I did not uninstall 5.3b12 when I upgraded Voxel, even though that is what I had done in the past. Could that have something to do with why just reinstalling 5.3b12 worked for me?

Thanks,
BL
 
What a difference of experience Masta orc. I have r9000.

Edit: For some reason I wrote I have had no crashes in weeks. I don't know what I got weeks from. I'm sorry. I have no crashes ever. When I have done my resets is to update or if I have blamed Voxel or Kamoj for problems not related to them.
 
Changes in kamoj-addon beta version 5.3b13
-------------------------------------------------
- VPN Bypassing: Fixed bypassing bug introduced in 5.3b12. (@R. Gerrits)
- Settings: Added option to save system logs to USB/Internal flash
(for router crash/reboot fault finding) (@masta_orc)
- Some "net-wall rule" removed in 5.3b12 restored.
 
5.3b13 installed OK. OpenVPN came up on restart after install and bypassing appears to work properly.

I have a couple of questions not directly related to this version:

1. I save my DNSCrypt .toml file to the usb and copy it over after each add-on install. Kamoj, is there a way to (save and) have the DNSCrypt config .toml file load automatically like the OpenVPN config files?
2. I get a DNS leak on one of my providers but not the other. Note, I call it a DNS leak because it is using my DNSCrypt servers instead of the VPN's servers. I've asked the VPN about this and am awaiting a response. However, it got me thinking...is there a specific set of config parameters within the Kamoj add-on, or Voxel firmware that should be used as a best practice to guard against DNS leaks?

Thanks,
BL
 
hmm, if you really want to use VPN provider DNS servers when your VPN tunnel is active, then I see a few issues / requirements.

OpenVPN does allow the VPN provider to push their DNS servers to the client. But on Linux OpenVPN client does not change the DNS resolvers of the system by itself. This needs to be handled by the client --up script, that has to parse the openvpn options to find the DNS servers that are pushed by VPN provider and then write them to /etc/resolv.conf.
We should then also modify the client --down script to put the original DNS servers back, when the VPN is stopped again.

Currently, neither Voxel's firmware nor kamoj's addon is handling this.

So the only explanation for your one VPN not leaking is that it is intercepting the DNS traffic on their firewall, and redirecting it to their DNS servers.
But you say you also use DNScrypt, so I find that a bit unlikely. Because then they'd have to maintain a list of all DoH servers, and have redirect rules for all those IP-addresses. And even then, I think it shouldn't work, because the certificate for the DNS server would mismatch.

So the way I see it:

Someone needs to modify the current /etc/openvpn/ovpnclient-up.sh and ovpnclient-up.sh down scripts.
(https://raw.githubusercontent.com/masterkorp/openvpn-update-resolv-conf/master/update-resolv-conf.sh can be used as an example, but needs an alternative for changing resolv.conf as router doesn't have the binary resolvconf)
DNScrypt should be stopped if VPN-tunnel is started.
Optionally, you can use AdGuardHome, but only if you have configured AdGuardHome to use the local router as the only upstream DNS server.

And also, we might want to have this as a configurable option (allow VPN provider to push DNS = yes/no )
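A sketch of the --up/--down handling described in the post above, as an added example that is not Voxel's, kamoj's or the poster's script. `foreign_option_N` and `script_type` are the environment variables OpenVPN sets for its scripts; the `RESOLV` and `BACKUP` paths and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: RESOLV and BACKUP paths and all function names are assumptions.
RESOLV=${RESOLV:-/etc/resolv.conf}
BACKUP=${BACKUP:-/tmp/resolv.conf.pre-vpn}

# Print the DNS servers OpenVPN exported as foreign_option_1..N; a pushed
# server arrives as e.g. "dhcp-option DNS 10.8.0.1".
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case $opt in
            "dhcp-option DNS "*)
                addr=${opt#"dhcp-option DNS "}
                # The value is chosen by the remote server: accept address
                # characters only before it is written to a system file.
                case $addr in
                    ''|*[!0-9A-Fa-f.:]*) ;;
                    *) echo "$addr" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
    return 0
}

# --up: save the current resolver config once, then switch to the pushed servers.
vpn_up() {
    servers=$(pushed_dns)
    [ -n "$servers" ] || return 0               # nothing pushed: leave DNS alone
    [ -e "$BACKUP" ] || cp "$RESOLV" "$BACKUP"  # keep the first backup on reconnect
    for s in $servers; do echo "nameserver $s"; done > "$RESOLV"
}

# --down: put the saved resolver config back.
vpn_down() {
    [ -e "$BACKUP" ] || return 0
    cat "$BACKUP" > "$RESOLV" && rm -f "$BACKUP"
}

# OpenVPN sets script_type to "up" or "down" when it calls the script.
case ${script_type:-} in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Stopping DNScrypt while the tunnel is up, as the post suggests, would be a further step in `vpn_up` and is not shown here.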
 
Thank you all for the comments. :)

I want to again say that discussions about DNS "leak" ought to be in their own thread.
Most people I have had discussions with don't understand what a DNS leak is o_O, and this should not
be explained/discussed in this thread - please. I tried to give info in the FAQ.txt,
but its download statistics show that it's not read by most of the downloaders.

Also many VPN providers have their own way of "protecting" their users.
And soon Firefox will do it for the masses, as well as AdGuard is already beta-testing DNS encryption.
The complexity is increasing all the time.
So please don't involve Voxel or Kamoj in this unless there is a specific bug.

Again, thank you for all input and invaluable experiences and information. :)
 
Thanks for the details and I understand what this script would do, as it is similar to something I've done in a more manual fashion in my other network.. However, I don't think I am capable of correctly modifying the script and messing with this so I guess I will leave well enough alone!

Thanks
BL
 
Kamoj,

I hear what you're saying about the DNS leak comments and will keep that in mind. I just found it odd that I got a leak on one VPN and apparently not the other...yet on my other (non-Voxel) network neither seems to leak (if not using DNSCrypt). That made me curious if there was "best settings" within the add-on and if I was using them.

Anyway, Voxel/Kamoj is the only firmware I've used that actually doesn't leak (at least with one of my VPNs) when using DNSCrypt. So I think I will keep using both that OpenVPN and DNSCrypt - and I'm really happy about that!
 
Update and working very fine! Thanks Kamoj! When we talk about DNS it so easily walks away to the question about DNS leaks :) I don't want to end there. What I want to do is to mention my feelings about this addon and DNS. I think it's one of the big leaps forward from when I just started to use this addon. The control I now have over my DNS. And for me that only do what Kamoj's button lets me do... It's been working great. Just now I for fun turned off all my crypts and so on and checked. I was back to my VPN:s DNS.

Usually when I have my own setup. Never have any other DNS than what I myself have chosen been showing up. So for me it's been working without a hitch. And as "DNSleak" is a bit of a trigger word for looming danger I'm happy that I from my experience am assured that it's no problem at my home. All other internet habits of theoretically using my mail with my VPN, maybe even have the VPN on and paying my bills do worry me more in this aspect. So if "they" find me I won't blame the DNS :)

One thing is sure I never really have had control over my DNS before this great project let me have it. I am on repeat but the DNS-control is one of the things I really like with this addon.
 
Changes in kamoj-addon beta version 5.3b15
-------------------------------------------------
- DNS Privacy/Ad-Blocking: Fixed to Survive reboot: Edit Dnscrypt 2 Servers
 
Hello,

Installed 5.3b15 and activated AdGuard Home. Great job with that. Easy to set up and it's a good addition to the functionality of the add-on! Not sure if I will continue running it in place of DNSCrypt but I might as that will free up one of my RaspberryPis.

I did a couple of reboots to see how things restarted. I did have some errors on router reboot with both AdGuard and OpenVPN. Maybe they are related to timing on reboot because both services will manually restart without these errors? I also notice that the AdGuard log shows Greenwich Mean Time instead of my local time like the router and OpenVPN logs. The errors are:

AdGuard:
AdGuardHome v0.102.0 port: 5300. DNS Servers: 4. Is installed but not running, but is on in nvram.
2020/06/30 15:47:14 [error] Couldn't load filter 4 contents due to stat /tmp/addons/adguard_home/data/filters/4.txt: no such file or directory
2020/06/30 15:47:14 [error] Couldn't load filter 1593521037 contents due to stat /tmp/addons/adguard_home/data/filters/1593521037.txt: no such file or directory
And after another reboot:
2020/06/30 17:10:55 [info] SafeBrowsing: failed: couldn't initialize HTTP client or transport, cause: timeout exceeded: 3680 ms

OpenVPN:
Tue Jun 30 10:36:06 2020 ERROR: Linux route add command failed: external program exited with error status: 1
Same error after second reboot...but no error message if restarting manually.

The only concerning thing for me is that I had to manually start both of these services on the first reboot I did in order for them to work. I adjusted the start-up delay on OpenVPN and even though I still got the error message the VPN appeared to be working OK on the next reboot.

Thanks,
BL
 
Thank you for the report!!! :)

Both your observations are normal, i.e. no errors.

The Adguard "[error] " are not errors, just logs because it's running in RAM and can not find previous data/filters.
Different errors depending on your settings and filters.
The GMT time in Adguard is a known error that is widely known and talked about on the net.
Nothing me or Voxel will fix :(. I have a fix for it, but it slows down the router, so I don't use it.

Also the OpenVPN "error" is not an error.
I think the "complete log looks like this:
... Connection is UP: tun21 ...
...
route: SIOC[ADD|DEL]RT: File exists
Tue Jun 30 10:36:06 2020 ERROR: Linux route add command failed: external program exited with error status: 1 "

PS
Showing only the lines you find suspicious makes it very difficult to understand and find faults.
If you don't want to show your logs here, you can share with me in PM, please.
PPS
Always see the add-on Router Information page for errors, i.e. OpenVPN, DNSCrypt, Wireguard a.o,
and report together with problem reports. That page is full of function analyses.

 
thanks for adding this function @kamoj

after all it seems that my r9000 (using wireguard) only crashes/reboot if i use adguard home.
i switched back to DNSCrypt 2 and my r9000 didn't crash/reboot anymore... maybe anyone else can reproduce that issue?

https://www.snbforums.com/threads/r...er-restarts-help-debugging.61558/#post-546419

Will add this function to coming add-on, since I've had this question regularly for 3 years now...
Thank you for reminding me to bring this quest up from the todo-list bottom...
 
Hello,

Thanks for looking at the error messages. I did look through the FAQ but didn't find anything that pointed me to the cause(s) other than the fact that VPN was still working. The first error message for AdGuard Home is from the router information page - it does indeed have a lot of useful information. Is there a way to make that the default page when opening the router admin page?

If I understand correctly, these are not really a problem so I don't plan on doing anything else. If there is something that needs to be looked into in regard to the add-on, I can send the complete log files (they are saved)...just let me know.

BL
 
When I first installed AdGuard Home (and quit using DNSCrypt-2), my R9000 cpu temperature went to 79c and then the unit rebooted. I haven't had a problem with it since, and temps are back to normal at 68 to 72c. If I get reboots again I will give DNSCrypt-2 a try and see if it makes a difference.

BL
 
