Kamoj Kamoj Add-on 5.1 Beta testing poll

[R. Gerrits]

Source of problems seems to be the bug fixes in new-wall (both Voxel and Kamoj), in conjunction with an old bug fix
in kamoj openvpn-client. I never knew what the real problem was, so I have a fix in openvpn-client that might not work
as it should anymore.

as for the issue of jrbmw, this cannot be explained by the changes in netwall.
If I see the contents of his ip route, then your code should have extracted the wan-gateway-ip and wan-interface-name without issues and should have added the default route based on those to things to table novpn.
(in my opinion, there should be more routes added to novpn, hence I used a different approach. But still for most users, your version should work.)

Also your bugfix for openvpn-client should have nothing to do with it and is still required to properly cleanup, as far as I can tell.

 

[jrbmw]

Thers are some clever people on this forum contributing to novices like me and to the experts as well . Ive said it before and once again
Thanks to you all
Best Regards

 

[R. Gerrits]

But, I suspect that ppl might expect that bypassed devices are not affected by the killswitch. i.e. that if you add a device to the bypass list, that then for that device traffic is allowed to flow from br0 to brwan (or ppp0).

this part is easily solved by editing /etc/init.d/openvpn-client and changing

  if [ "$killswitch_onoff" = "1" ]; then
        echo '#!/bin/sh' >"$tmpfirewall"
        iptables="iptables -I FORWARD -i br0 -o ${WAN_IF} -m state --state NEW -j REJECT"
        echo -e "$iptables" >>"$tmpfirewall"
        chmod +x "$tmpfirewall"
    else

into

  if [ "$killswitch_onoff" = "1" ]; then
        echo '#!/bin/sh' >"$tmpfirewall"
        iptables="iptables -I FORWARD -i br0 -o ${WAN_IF} -m state --state NEW -j REJECT"
        echo -e "$iptables" >>"$tmpfirewall"
        echo 'no_vpn_file="/tmp/addons/no_vpn_file"' >>"$tmpfirewall"
        echo 'if [ -s "$no_vpn_file" ]; then' >>"$tmpfirewall"
        echo '  sort -r <"$no_vpn_file" | while read -r excludeip excludemac; do' >>"$tmpfirewall"
        echo '    iptables -I FORWARD -i br0 -s ${excludeip} -j br0_fwd' >>"$tmpfirewall"
        echo '  done' >>"$tmpfirewall"
        echo 'fi'  >>"$tmpfirewall"
        chmod +x "$tmpfirewall"
    else

edit: for the people that also use aegis, this simple fix also seems to bypasses aegis protection (only for clients that bypass vpn).
apparently the firewall-start-openvpnkillswitch.sh is apparently later executed than firewall-start.sh...
Needs some more thinking...

the other issue (/tmp/openvpn/firewall-start-openvpnkillswitch.sh not being recreated at boot while killswitch is on), that is something for @kamoj to look at.

 

[blueliner]

You lose the password etc if you have a usb device with the configurations inserted when rebooting.
That is by Voxel firmware design. If you use the kamoj built-in configuration id/password is not lost.
So rename the usb directory "openvpn-client" to something else, please.

Kill switch may need to be rewritten after the new net-wall.
Let's hope for a tip from @R. Gerrits again!

Thank you. I thought that was the case with the OpenVPN username/password but wasn't sure. And thanks to you and all involved with this...perhaps there may still be a few bugs to fix but Voxel/Kamaj has made a huge difference in the usability of my R9000.!

 

[microchip]

@kamoj

Noticed a small issue here. The reporting of CPU frequency is wrong. The first 3 are reporting in KHz while it should be in MHz. I don't think the CPU of the router does 600 KHz speed for example

Core 0: 1.725 GHz (100.0 %) Core 1: 1.725 GHz (100.0 %) (384KHz 600KHz 800KHz 1.000MHz 1.400MHz 1.725MHz)

 

[seecoolguy]

Correct, when I go to the menu for VPNBypass menu doesn't show a list of devices of what is going through the VPN and what is not.

Running:
Nighthawk(R) X4S R7800
Router Firmware Version (Voxel) V1.0.2.77SF
Kamoj Add-on V5.3b5

Tested with Voxel v1.0.2.76sf and Kamoj v5.3b4......doesent bypass
Tested with Voxel v1.02.77sf and Kamoj v 5.3b4 and Kamoj 5.3b5 ....doesent bypass
Tested with Voxel v1.0.2.76sf and Kamoj v5.3b5......doesent bypass
Can anyone confirm bypass on ovpn works ?

 

[Tom Brough]

Anyone noticed the download links for the add on have gone? If anyone's got a copy of the latest b5 version downloaded, can you PM it over to me. Cheers.

 

[KW.]

Anyone noticed the download links for the add on have gone? If anyone's got a copy of the latest b5 version downloaded, can you PM it over to me. Cheers.

Exciting I guess you on to something. I think we found a leak that something big is going on and maybe a new release is coming. Have no sources to confirm this but....

I guess we have to wait for the man to confirm. But I feel its something good.

 

[Tom Brough]

Normally there's a few older versions on there too... Typical now I need to redownload it I can't .... Haha

 

[sreggy]

Dear,
I've tryed to access to http://ge.tt/... to download a the preview of 5.3 but I'm able only to visualize the FAQ.txt and not to download the add-on.
Can anyone help me?

Thanks in advance.
Regards
stefano

 

[Tume]

Dear,
I've tryed to access to http://ge.tt/... to download a the preview of 5.3 but I'm able only to visualize the FAQ.txt and not to download the add-on.
Can anyone help me?

Thanks in advance.
Regards
stefano

Same to me and I send PM to @kamoj also.

 

[kamoj]

Changes in kamoj-addon beta version 5.3b6
-------------------------------------------------
- AdGuard Home: Added 2 DNSCrypt servers + MVPS filter default ON/activated.
- AdGuard Home: Changed default statistics life time from 1 to 7 days.
- AdGuard Home: Changed update interval for filters from 24h to 12h.
- Router Information: Corrected available CPU scaling frequencies. (@microchip)
- Bandwidth Usage: Added date for when counters were started/reset. (@Droidrat)
- Bandwidth Usage: Some bug-fixes
- DNSCrypt: Disabled if Stubby is enabled at boot.
- OpenVPN Client: Speeded up start when DNSCrypt is not used
- OpenVPN Client: Enable killswitch also for ppp0 (@R. Gerrits)
- OpenVPN Client: Don't delete existing directory if also on USB (@blueliner)
- OpenVPN Client: Start Killswitch also when OpenVPN Client does not start (@blueliner)
- OpenVPN Client: Added option: No Killswitch for Bypass devices (@R. Gerrits)
(Let OpenVPN bypassing devices override the killswitch)
NOTA BENE: This also bypasses Aegis protection (only for clients that bypass vpn).
The problem is that Aegis (@HELLO_wORLD) uses the Voxel standard firewall-start.sh.
- VPN Bypassing: Bug fixed: Bypassing not working when default route missing. (@masta_orc @R. Gerrits)
- Wireguard Client: Don't delete existing directory if also on USB
- speedtest.sh : Now working with ppp0
- Settings: Added: "Router Analytics / Data Collection / Phone Home" section (@kamoj @NetBytes @HELLO_wORLD @R. Gerrits)
- Settings: Added: Enable: Router Analytics Data Collection form (Advanced : Firmware Update)
- Settings: Added: Disable: Collection of RAE Router Analytics (Amazon Cloudfront) data
- Settings: Added: Disable: Streamboost QoS Data Collection service
- Settings: Added: Disable: Traffic Meter service
- Settings: Added: Disable: USB Printer drivers
- Installer: Some fixes
- FAQ.txt updated

 

[blueliner]

Wow, that is really a lot of changes/fixes in a short time. 5.3b6 installed without a hitch for me and the VPN/Bypass (using no killswitch for bypassed devices) seems to be working. Will post again if there is anything else to update...but this is looking great.

Thanks,
BL

 

[HELLO_wORLD]

Nice

However, about aegis:

(Let OpenVPN bypassing devices override the killswitch)
NOTA BENE: This also bypasses Aegis protection (only for clients that bypass vpn).
The problem is that Aegis (@HELLO_wORLD) uses the Voxel standard firewall-start.sh.
To fix this, rename the Aegis file and run net-wall restart :
\mv /opt/scripts/firewall-start.sh /opt/scripts/firewall-start-xaegis.sh && net-wall restart

With that quick fix, aegis will regenerate firewall-start.sh (but not remove created firewall-start-xaegis.sh.
So this should work, but aegis would not be able to clean its rules when called from firewall-start-xaegis.sh.
The principle of multiple firewall-start-xxx.sh is great but as you said not enabled on vanilla @Voxel ’s firmware.

I will have aegis changing a little @Voxel ’s net-wall when @kamoj is not installed to detect firewall-start-xxx.sh the same way as the add-on allows.
In parallel, it might be good for @Voxel to update his net-wall to use multiples firewall-start.sh so it would be harmonized and work the same way with or without @kamoj add-on.
It net-wall this:

if [ -x /opt/scripts/firewall-start.sh ]; then
/opt/scripts/firewall-start.sh

Needs to be replaced by that:

ls --color=never /opt/scripts/firewall-start*.sh | while read FWS; do [ -x "$FWS" ] && "$FWS"; done

This is the substitution I will have aegis make when @kamoj ’s addon will not be detected.

PS: I am working hard on aegis. I simplified the code and improved the design. I am redoing the whole status section to allow easy HTML output.

 

[HELLO_wORLD]

NB:
The substitution in net-wall would have to take care of this part too:

        elif [ -x /root/firewall-start.sh ]; then
                /root/firewall-start.sh
        fi

So this block:

        # Run own script with own iptables rules providing backward compatibility
        if [ -x /opt/scripts/firewall-start.sh ]; then
                /opt/scripts/firewall-start.sh
        elif [ -x /root/firewall-start.sh ]; then
                /root/firewall-start.sh
        fi

By that one:

        # Run own script with own iptables rules providing backward compatibility
        for FWS in $(ls --color=never /opt/scripts/firewall-start*.sh); do [ -x "$FWS" ] && { "$FWS"; FWS_FOUND=1; }; done
        [ -z $FWS_FOUND ] && [ -x /root/firewall-start.sh ] && /root/firewall-start.sh

 

[jrbmw]

@kamoj
Thanks for latest update.Ovpn bypass working ok for me now

 

[R. Gerrits]

Nice

However, about aegis:

With that quick fix, aegis will regenerate firewall-start.sh (but not remove created firewall-start-xaegis.sh.

Also, I just noticed that kamoj's addon does a "sort -r" so it then still executes firewall-start-xaegis.sh before all the other scripts, so that workaround also doesn't work.)
(one would assume that sorting in reverse order, would also put firewall-start.sh at the end, but it doesn't)

I think the best solution is that @kamoj changes "sort -r" into "sort -u -c"
Then first all the scripts firewall-start-*.sh are exectuted in normal alfabetical order.
and after that firewall-start.sh is executed.
(apparently a hyphen is earlier in the "alphabet" then a dot.)

This works as long as we keep the standard that all additional scripts have a hyphen after firewall-start.

See this example:

root@R7800:~$ find /opt/scripts/ -type f -name "firewall-start*.sh" -exec test -x{} \; -print | sort -u -c
/opt/scripts/firewall-start-adguardhome-tun0.sh
/opt/scripts/firewall-start-adguardhome.sh
/opt/scripts/firewall-start-bwusage.sh
/opt/scripts/firewall-start-bypassvpnports.sh
/opt/scripts/firewall-start-openvpnkillswitch.sh
/opt/scripts/firewall-start.sh
/opt/scripts/firewall-startlog.sh

(firewall-startlog.sh is an example that would be executed after firewall-start.sh, because it doesn't have a hyphen)

 

[R. Gerrits]

hmm, apparently that does work with the sort binary in entware, but not with the sort binary in the firmware...

root@R7800:~$ find /opt/scripts/ -type f -name "firewall-start*.sh" -exec test -x{} \; -print | /usr/bin/sort -u -c
/usr/bin/sort: -:2: disorder: /opt/scripts/firewall-start-adguardhome-tun0.sh

then an alternative solution:

keep the original Voxel code in net-wall, but just before add a line:

find /opt/scripts/ -type f -name "firewall-start*.sh" -exec test -x{} \; -print | grep -vF "/opt/scripts/firewall-start.sh" | sort | xargs -n1 sh

(do we need the sort command, or is the output of find already always sorted??)

This would execute all firewall-start*.sh scripts, except firewall-start.sh.
And then firewall-start.sh would be executed by the Voxel code.

 

[HELLO_wORLD]

Why not keep simple?
That:

for FWS in $(ls --color=never /opt/scripts/firewall-start*.sh); do [ -x "$FWS" ] && { "$FWS"; FWS_FOUND=1; }; done
[ -z $FWS_FOUND ] && [ -x /root/firewall-start.sh ] && /root/firewall-start.sh

works well, and could replace the @kamoj code in his net-wall. Ultimately being in both @Voxel and @kamoj net-wall
It works with and without Entware, it is simple and short, fast and also sorts well with firewall-start.sh at the end (so I don’t even have to change so much in aegis for that).

hmm, apparently that does work with the sort binary in entware, but not with the sort binary in the firmware...

root@R7800:~$ find /opt/scripts/ -type f -name "firewall-start*.sh" -exec test -x{} \; -print | /usr/bin/sort -u -c
/usr/bin/sort: -:2: disorder: /opt/scripts/firewall-start-adguardhome-tun0.sh

then an alternative solution:

keep the original Voxel code in net-wall, but just before add a line:

find /opt/scripts/ -type f -name "firewall-start*.sh" -exec test -x{} \; -print | grep -vF "/opt/scripts/firewall-start.sh" | sort | xargs -n1 sh

(do we need the sort command, or is the output of find already always sorted??)

This would execute all firewall-start*.sh scripts, except firewall-start.sh.
And then firewall-start.sh would be executed by the Voxel code.

 

[R. Gerrits]

I see that it behaves the same as my original suggestion of using "sort -u -c"
so then it is indeed a more simple solution.