What's new

Kamoj Kamoj Addon 5.5 Beta for Netgear R7800/R8900/R9000 with Voxel FW

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hi Kamoj

Many thanks for the update version and the speed with which you produced it. It is much appreciated.

I can confirm that it worls and has solved the problem

PS I had custom settings in the main Internet Setup (Voxel) page but had not put anything in your Settings: DHCP DNS Options: Custom DNS. I have added those custom settings in your settings page (not sure if it does anything extra to the custom DNS on the main internet settings) but can confirm it does not cause any problems with 5.5b16

Regards
 
I'm glad it worked for you!

Some info about the "Settings: DHCP DNS Options: Custom DNS" setting:
https://www.snbforums.com/threads/voxel-fw-use-local-dns.60414/
https://www.snbforums.com/threads/r7800-wifi-router-login-dns-relay.50389/
Hi Kamoj

Many thanks for the update version and the speed with which you produced it. It is much appreciated.

I can confirm that it worls and has solved the problem

PS I had custom settings in the main Internet Setup (Voxel) page but had not put anything in your Settings: DHCP DNS Options: Custom DNS. I have added those custom settings in your settings page (not sure if it does anything extra to the custom DNS on the main internet settings) but can confirm it does not cause any problems with 5.5b16

Regards
 
PS I had custom settings in the main Internet Setup (Voxel) page but had not put anything in your Settings: DHCP DNS Options: Custom DNS. I have added those custom settings in your settings page (not sure if it does anything extra to the custom DNS on the main internet settings) but can confirm it does not cause any problems with 5.5b16

When changing DNS in Internet setup -> clients (that are configured via DHCP) on your network still get the router IP as DNS server; The router then sends the requests to the server you configured in Internet setup.
(Or if you have configured DNSCrypt, then this is used instead.)

When changing DNS in Kamoj Custom DNS -> clients (that are configured via DHCP) on your network will directly use those DNS servers.
(DNSCrypt will not have any effect)

If you are also using Adguard Home via Kamoj, then both of those settings become kind of useless. And everything on your network will use the DNS servers that are configured in Adguard Home.
(firewall rules will be intercepting all outbound DNS requests and redirect to Adguard Home)
 
Last edited:
Changes in kamoj-addon beta version 2022-01-17 5.5b16
---------------------------------------------------------------
- VPN supervision fails when "Router it-self bypass VPN" is set. (@Panner)
Hello,

Thank you for the latest update to 5.5b16. I haven't had any more issues on my R9000 since reinstalling the addon and using my normal settings.

Howerver, initially with addon 5.5b I didn't have router itself set to bypass VPN. Doing that on 5.5b15, I can confirm the same issue on my R9000 as reported by Panner. I will try it with 5.5b16 as well.

I also found that I only have what my Android phones will call a "limited connection" to the internet when I switch my Guest network 2.4 and 5 GHz wifi to bypass the VPN. It seems they cannot access DNS so they can't use the internet. This is with addon set for the router to go through VPN.

The Netgear Guest network setup page also has the selection checked to block Guests from accessing other devices on the network. Perhaps the problem is that my DNS servers are local network devices (Adguard Home on the router and DNSCrypt/PiHole on a RaspberryPi)? These devices are listed under the optional DNS servers in the addon. I tried adding dhcp-option=ath11,3,192.168.1.10 and dhcp-option=ath01,3,192.168.1.10 in the DNSMasq configuration to point to a server but that didn't help. If I manually add internet DNS servers like 8.8.8.8 to my devices, they can use the internet. Deselecting the Guest network VPN bypass also gives guest devices full access to the internet. I didn't try it when I had the router itself set to bypass VPN, nor did I try it with the Netgear Guest setup check box for blocking access to other network devices deselected . I will look at this more when I am home in a few days.

Also as information, I have not noticed the same GUI delay issues reported by Primitivo, but I have only been using OpenVPN - and I may have missed it because I haven't been home much lately.

Best wishes,
BL
 
Hello,

Thank you for the latest update to 5.5b16. I haven't had any more issues on my R9000 since reinstalling the addon and using my normal settings.

Howerver, initially with addon 5.5b I didn't have router itself set to bypass VPN. Doing that on 5.5b15, I can confirm the same issue on my R9000 as reported by Panner. I will try it with 5.5b16 as well.

I also found that I only have what my Android phones will call a "limited connection" to the internet when I switch my Guest network 2.4 and 5 GHz wifi to bypass the VPN. It seems they cannot access DNS so they can't use the internet. This is with addon set for the router to go through VPN.

The Netgear Guest network setup page also has the selection checked to block Guests from accessing other devices on the network. Perhaps the problem is that my DNS servers are local network devices (Adguard Home on the router and DNSCrypt/PiHole on a RaspberryPi)? These devices are listed under the optional DNS servers in the addon. I tried adding dhcp-option=ath11,3,192.168.1.10 and dhcp-option=ath01,3,192.168.1.10 in the DNSMasq configuration to point to a server but that didn't help. If I manually add internet DNS servers like 8.8.8.8 to my devices, they can use the internet. Deselecting the Guest network VPN bypass also gives guest devices full access to the internet. I didn't try it when I had the router itself set to bypass VPN, nor did I try it with the Netgear Guest setup check box for blocking access to other network devices deselected . I will look at this more when I am home in a few days.

Also as information, I have not noticed the same GUI delay issues reported by Primitivo, but I have only been using OpenVPN - and I may have missed it because I haven't been home much lately.

Best wishes,
BL
Hello, I should add to my last post that the only devices having a problem accessing the internet are those connected to the Guest wifi network. All other network connected devices (Lan and non-guest wifi) work normally. So I don't see this as a defect in the addon, but something I have done with how I have it setup.

I expect changing my addon DNS servers to something outside my network would solve the problem or perhaps allowing them access to other network devices would do so....but I want to keep Guest network devices isolated. Guests can use outside DNS servers if needed for internet access in this case, but I am not sure how to do that without giving that access to other devices. I want all other devices to use my locally hosted DNS.

Best wishes,
BL
 
I also found that I only have what my Android phones will call a "limited connection" to the internet when I switch my Guest network 2.4 and 5 GHz wifi to bypass the VPN. It seems they cannot access DNS so they can't use the internet. This is with addon set for the router to go through VPN.

Could you have a look at the output of:
Code:
ebtables -L

it should have rules to accept all traffic to port 53 -> so it even should allow DNS traffic to a locally run Pihole / AdGuard instance.

are you sure Android is using plain DNS? and doesn't try to use DoH? because that might be blocked if you run DoH/DoT on your local network
 
Could you have a look at the output of:
Code:
ebtables -L

it should have rules to accept all traffic to port 53 -> so it even should allow DNS traffic to a locally run Pihole / AdGuard instance.

are you sure Android is using plain DNS? and doesn't try to use DoH? because that might be blocked if you run DoH/DoT on your local network
Hello,

I am still on 5.5b15. I ran ebtables -L with the router and the Guest network set to go through the VPN. I have attached the output as "ebtables output". A VPN leak test web site showed my VPN ip and my AdGuard - PiHole DNS.

Then I switched to bypassing the VPN for both the router and the 2.4 & 5 GHz Guest wifi network. In this case my devices still connected to the internet. The VPN leaktest site showed my isp ip and my AdGuard - PiHole DNS. I re-ran ebtables -L and attached the output as "ebtables output bypassing".

Finally, I switched off the Router bypassing - so the router was set to go through the VPN and the Guest network was still bypassing the VPN. In this case I lost internet connection and was not able to run the leaktest. The output of ebtables -L looks the same and is attached. Switching the router to go back through the VPN and/or switching the Guest network back to the VPN will restore internet to devices on the Guest network.

Here is my OpenVPN settings:
Screenshot_2022-01-21_12-53-58.png


I also checked the Android device Private DNS settings - they are all turned off. Checks show all the mobile devices get DNS from AdGuard and PiHole when connected to the internet (as set in the router). That is the case regardless of whether or not they use the VPN - the VPN uses AdGuard and PiHole instead of its own DNS (I wish that wasn't the case but I have never bothered to look at it).

Thanks,
BL
 

Attachments

  • ebtables output.txt
    1.2 KB · Views: 85
  • ebtables output bypassing.txt
    1.3 KB · Views: 83
  • ebtables output no internet.txt
    1.3 KB · Views: 83
Finally, I switched off the Router bypassing - so the router was set to go through the VPN and the Guest network was still bypassing the VPN. In this case I lost internet connection and was not able to run the leaktest.
What is the upstream DNS for your Pi-hole ? your router or some servers on the internet.
If the latter, how is Pi-Hole connecting to internet? Direct or via VPN?
If the first, which DNS is your router using?

My suspicion is that somehow in your DNS chain, you are using the DNS servers from your ISP.
if Router (or Pi-hole) goes via VPN, then those might not be reachable.

If that is the case, you could add some ip rule statements to force traffic to those ISP DNS servers to always go direct.
(but that would mean editing /usr/bin/addon_bypassvpnip.sh)

You could try that manually via: (replace 1.2.3.4 with the IP of your ISP DNS)
ip rule add to 1.2.3.4 table novpn

(or if you add it in it the script ip rule add to 1.2.3.4 table $NOVPN_TABLE
for instance add it just before the section
#---------------------------------------------
# Bypass VPN for router itself:
)
 
What is the upstream DNS for your Pi-hole ? your router or some servers on the internet.
If the latter, how is Pi-Hole connecting to internet? Direct or via VPN?
If the first, which DNS is your router using?

My suspicion is that somehow in your DNS chain, you are using the DNS servers from your ISP.
if Router (or Pi-hole) goes via VPN, then those might not be reachable.

If that is the case, you could add some ip rule statements to force traffic to those ISP DNS servers to always go direct.
(but that would mean editing /usr/bin/addon_bypassvpnip.sh)

You could try that manually via: (replace 1.2.3.4 with the IP of your ISP DNS)
ip rule add to 1.2.3.4 table novpn

(or if you add it in it the script ip rule add to 1.2.3.4 table $NOVPN_TABLE
for instance add it just before the section
#---------------------------------------------
# Bypass VPN for router itself:
)
Hello,

R. Gerrits, thank you for taking the time to help me look into this. My Netgear Internet setup servers had all three spaces filled with public DNS (ControlID, DNSwatch, Freenom as those seem fastest for me). My R9000 Adguard uses ControlID. I started running AdGuard to test it in the Addon and never turned it off. PiHole runs on a RaspberryPi that is set to bypass the router VPN (and not running its own VPN). It uses a local instance of DNSCrypt-proxy for its DNS. The various public DNSCrypt servers are accessed via DNSCrypt's anonymous relays. PiHole is set to use only the DNSCrypt server and Cloudflared tunnel DOH servers as secondary DNS. I do not have anything listing my isp DNS that I know of unless it is pulled into something like /etc/resolv.conf somehow (but I don't see it there) and I have never seen the isp DNS show up on a leaktest when using the Addon.

I did change the Netgear Internet setup DNS to those of my isp and then I had to leave for a couple hours. I hate to admit it but I forgot to check if the Guest devices had internet or not. Anyway I went ahead modified the ip rules when I got back...

I took your suggestion to place: ip rule add to 1.2.3.4 table $NOVPN_TABLE into the script before
#---------------------------------------------
# Bypass VPN for router itself:

I then rebooted the router and checked my Guest wifi access. It worked when setting the Guest network to bypass and not to bypass the VPN! It also worked whether or not the router itself was set to bypass the VPN! I switched my Netgear Internet setup DNS back to the three I had originally used and everything still works. And at least the one VPN leaktest I ran for the router showed only my VPN DNS.

I am not going to pretend that I understand this, but I am just going to say WOW and THANK YOU, and keep my fingers crossed!

I will post a follow-up when I update the Add-on or if anything changes with this.

Best wishes,
BL
 
Your analyzes is fantastic - as always!
Thank you for all your help to me and the community!
What is the upstream DNS for your Pi-hole ? your router or some servers on the internet.
If the latter, how is Pi-Hole connecting to internet? Direct or via VPN?
If the first, which DNS is your router using?

My suspicion is that somehow in your DNS chain, you are using the DNS servers from your ISP.
if Router (or Pi-hole) goes via VPN, then those might not be reachable.

If that is the case, you could add some ip rule statements to force traffic to those ISP DNS servers to always go direct.
(but that would mean editing /usr/bin/addon_bypassvpnip.sh)

You could try that manually via: (replace 1.2.3.4 with the IP of your ISP DNS)
ip rule add to 1.2.3.4 table novpn

(or if you add it in it the script ip rule add to 1.2.3.4 table $NOVPN_TABLE
for instance add it just before the section
#---------------------------------------------
# Bypass VPN for router itself:
)
 
There is an easy way to add IP's to bypass VPN. The add-on always had this support:
# - Enable Telnet in web GUI: http://www.routerlogin.net/debug.htm
# - Start a command window or your telnet client and connect to the router, e.g:
# - telnet www.routerlogin.net and login with your normal router password
# Create a setting in the router flash-memory with e.g. the following commands:
Code:
nvram set NO_VPN_LST_ALWAYS="192.168.1.201 192.168.1.202"
nvram commit
addon_bypassvpnip.sh force
# You can add several ip-addresses to bypass the VPN.
# Separate each IP using a single space between them, as in the example above.
# This even survives a firmware and addon update!

Hello,

R. Gerrits, thank you for taking the time to help me look into this. My Netgear Internet setup servers had all three spaces filled with public DNS (ControlID, DNSwatch, Freenom as those seem fastest for me). My R9000 Adguard uses ControlID. I started running AdGuard to test it in the Addon and never turned it off. PiHole runs on a RaspberryPi that is set to bypass the router VPN (and not running its own VPN). It uses a local instance of DNSCrypt-proxy for its DNS. The various public DNSCrypt servers are accessed via DNSCrypt's anonymous relays. PiHole is set to use only the DNSCrypt server and Cloudflared tunnel DOH servers as secondary DNS. I do not have anything listing my isp DNS that I know of unless it is pulled into something like /etc/resolv.conf somehow (but I don't see it there) and I have never seen the isp DNS show up on a leaktest when using the Addon.

I did change the Netgear Internet setup DNS to those of my isp and then I had to leave for a couple hours. I hate to admit it but I forgot to check if the Guest devices had internet or not. Anyway I went ahead modified the ip rules when I got back...

I took your suggestion to place: ip rule add to 1.2.3.4 table $NOVPN_TABLE into the script before
#---------------------------------------------
# Bypass VPN for router itself:

I then rebooted the router and checked my Guest wifi access. It worked when setting the Guest network to bypass and not to bypass the VPN! It also worked whether or not the router itself was set to bypass the VPN! I switched my Netgear Internet setup DNS back to the three I had originally used and everything still works. And at least the one VPN leaktest I ran for the router showed only my VPN DNS.

I am not going to pretend that I understand this, but I am just going to say WOW and THANK YOU, and keep my fingers crossed!

I will post a follow-up when I update the Add-on or if anything changes with this.

Best wishes,
BL
 
Changes in kamoj-addon beta version 2022-01-23 5.5b17
---------------------------------------------------------------
- System Information: Added date to "Netgear release info"
- System Information: "Netgear release info": Corrected output of release numbers ending with ".0*"
- VPN Bypassing: Added "Bypass specified IPs" (@blueliner)
nvram parameter NO_VPN_LST_ALWAYS is merged to "kamoj_bypass_vpn_ips" and removed.
 
There is an easy way to add IP's to bypass VPN. The add-on always had this support:
# - Enable Telnet in web GUI: http://www.routerlogin.net/debug.htm
# - Start a command window or your telnet client and connect to the router, e.g:
# - telnet www.routerlogin.net and login with your normal router password
# Create a setting in the router flash-memory with e.g. the following commands:
Code:
nvram set NO_VPN_LST_ALWAYS="192.168.1.201 192.168.1.202"
nvram commit
addon_bypassvpnip.sh force
# You can add several ip-addresses to bypass the VPN.
# Separate each IP using a single space between them, as in the example above.
# This even survives a firmware and addon update!
Thank you Kamoj. I did not know about this.

As an update after my last post with R. Gerrits' help - - all has been running well.

Best wishes,
BL
 
Hi there,
I would like to thank you all, Kamoj, and the team of ppl supporting him for this great add-on, as well as Voxel for making it possible to have a (properly working?) Netgear product. ;)
Before updating to the current box I have been using Linksys box(es) with Tomato installed (WRTg54 and E4200).
I have been using this Netgear R9000 with VPN (and VPN-passthrough), and found them different (and sometimes better) than Tomato setup.

The combination of Voxel (entware) and Kamoj add-on make a strong set of tools to play with.
As speeds have gone up (I have a 1000 Mbit(down)/500 Mbit (up)) connection through a coaxial connection to the ISP, I am interested in investigating the performance and stability of the Voxel/Kamoj add-on.

I have been using the Kamoj V5.4b35, and I have been noticing that Adguard, add-on kept starting on 192.168.1.1 recently. (and making it impossible to use the internet, i.e. I had to shutdown Adguard, and couldn't reconfigure)
The setup was working until ca. 1 week ago.

My box and current FW are:
R9000
Voxel V1.0.4.53HF
Kamoj Add-on V5.4b35

I will update to newest FW (Voxel and Kamoj) and issue if the issue continues.
BR
 
Hi there,
I would like to thank you all, Kamoj, and the team of ppl supporting him for this great add-on, as well as Voxel for making it possible to have a (properly working?) Netgear product. ;)
Before updating to the current box I have been using Linksys box(es) with Tomato installed (WRTg54 and E4200).
I have been using this Netgear R9000 with VPN (and VPN-passthrough), and found them different (and sometimes better) than Tomato setup.

The combination of Voxel (entware) and Kamoj add-on make a strong set of tools to play with.
As speeds have gone up (I have a 1000 Mbit(down)/500 Mbit (up)) connection through a coaxial connection to the ISP, I am interested in investigating the performance and stability of the Voxel/Kamoj add-on.

I have been using the Kamoj V5.4b35, and I have been noticing that Adguard, add-on kept starting on 192.168.1.1 recently. (and making it impossible to use the internet, i.e. I had to shutdown Adguard, and couldn't reconfigure)
The setup was working until ca. 1 week ago.

My box and current FW are:
R9000
Voxel V1.0.4.53HF
Kamoj Add-on V5.4b35

I will update to newest FW (Voxel and Kamoj) and issue if the issue continues.
BR
Great, thank you very much for the report!

Since you are an experienced user, I think you can help a lot with the development of the addon.
I'm always open to suggestions of especially how to make things easier for the users.
Looking forward to hear from you again, once you have updated to v5.5b17+.
 
There is an easy way to add IP's to bypass VPN. The add-on always had this support:
Code:
nvram set NO_VPN_LST_ALWAYS="192.168.1.201 192.168.1.202"
nvram commit
addon_bypassvpnip.sh force
# You can add several ip-addresses to bypass the VPN.
I thought this option would only add bypass rules for all traffic FROM the specified IPs.
The solution that blueliner needed, was to add bypass rules for all traffic TO the specified IPs.

didn't yet look at b17 though, to see how you changed it.
 
5.5b17 just added a GUI for the already existing function.
I thought this option would only add bypass rules for all traffic FROM the specified IPs.
The solution that blueliner needed, was to add bypass rules for all traffic TO the specified IPs.

didn't yet look at b17 though, to see how you changed it.
 
Good day everyone! I'm new here and I just finished installing Kamoj 5.5b17 addon. I even configured my VPN with Surfshark. Are there any documentation for explaining the function of these settings? I'm trying to make sure my configuration settings are optimal for OpenVPN Client, Wireguard Client and or DNS Privacy/Ad-Blocking? Any help would be greatly appreciated. Thanks.
 

Attachments

  • Screenshot 2022-02-01 122206.jpg
    Screenshot 2022-02-01 122206.jpg
    81.8 KB · Views: 100

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top