Custom firmware for R7800 to extend its functionality

Webdrifter

Hello, Voxel

I have a R7800 working together with a EX8000 (Nighthawk X6S) Extender as a Mesh Network.

Both updated to their latest original Netgear Firmware.

Would things still work, and even better, if I upgraded my R7800 with your Firmware.

Do you know of a similar upgrade for the EX8000 (Or do you maybe plan to make one?)

e38BimmerFN

IF it works, don't fix it. You can update to Voxel's FW. However again, if things are working well, don't bother it.

Voxel doesn't have any FW for the EX extender models. I don't believe there are any plans as he doesn't work on extenders nor has an extender to work with. Usually nothing is really needed on Extenders. They work or they don't. They only work as well as the main host router does. The EX 8000 and 7700 are solid working extenders. 

kinakuta

Hi everyone,

I've been using Voxel's firmware for a long time now on my R7800 and I love it. But I just upgraded my Internet service from a 50mbit to 100mbit line. 

Curiously, I get 100mbit with the stock firmware and no VPN connection. On Voxel's firmware I only get 57mbit without and 23mbit with an OpenVPN client connection. That is way too slow. I'm using NordVPN and they can do much higher speeds, also the R7800 hardware is capable of doing more than 23mbit. I wouldn't complain if I got 75mbit, due to the encryption overhead, but 23-27mbit on average is pretty slow.

Any suggestions?

Voxel

It is really too slow. I have 200/200Mbit real connection (198/190 reported by speedtest) and about 110/70Mbit for speed using OpenVPN (connected to my remote server). Check your ovpn config. Best result if using AES-128-CBC and lz4_v2 (if NordVPN supports this).

Try to play with ovpn settings (your ovpn config). Maybe sndbuf/rcvbuf. I set it to 0 (system defaults).

Voxel.

kinakuta

Good to know, thanks. Nordcom doesn't seem to support anything below AES-256-CBC, but I'll check the other settings.

This is my current config, anything you would change, except for the encryption level?

client
dev tun
proto udp
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
 
kinakuta

Also, maybe it's not in the openVPN settings, because I get only half the speed of my connection using the VPN-bypass, where I should get full speed as the routing goes directly through to the gateway router. So something in the Netgear config is slowing it down.

Voxel

First you should resolve the problem with your limited speed w/o OpenVPN. You should have real 100Mbit. Maybe backup settings->factory reset->restore settings.

In your config. I do not use NordVPN. But good service should push optimal options itself (pushing them).

I would play with (testing after resolving your limited speed w/o OpenVPN):

1. Removing any tun-mtu, tun-mtu-extra, mssfix from ovpn and from /etc/init.d/openvpn-client  (line OPT_ARGS="--dev tun21 --fast-io --nice -20 ...")

2. Playing with sndbuf/rcvbuf. Starting from setting them to zero (i.e. to use system defaults). The same modification of /etc/init.d/openvpn-client

3. "comp-lzo" -> compress lz4-v2

4. remote-random - I'd select concrete server, what is faster for your location.

5. AES-256-CBC. In general AES-128-GCM provides the same level of security (OpenVPN 2.4.x). And at least  (if not supported by OpenVPN server) AES-256-GCM works much faster on Intel-based  servers. CBC - serial operations. GCM could be performed with parallelization. So CBC->GCM as a test. 

P.S.

GCM:

see e.g. https://www.privateinternetaccess.com/helpdesk/kb/articles/what-s-the-difference-between-aes-cbc-and-aes-gcm
Voxel.

kinakuta

Hey Voxel,

thank you for your helpful reply. I've played around with a few settings and also changed Wifi Channels on the router, which might have helped.

As you said, most settings get pushed from the server and there is only so much I can change. For example, I do get AES-256-GCM, even if I try 128 in the config. But it does seem to accept the optimized compression setting. I now get 37mbit, which is a great improvement, though still far from the speed I would expect. 

I also restored to factory settings and then imported the saved settings from backup, which didn't really change anything. 

I read somewhere that Netgear is now offering an openVPN client on the stock firmware, but only a few vpn providers (strange). Have you seen this and have you made any speed tests with the regular stock firmware?

Also, I recently tested Wireguard with NordVPN and it's really really fast, though still in development. Do you think that could be implemented in your firmware? It looks like that could be an openVPN alternative for some use cases, like watching Netflix etc, because it's so fast.

Best,
Randy

Webdrifter

Hello Voxel,

On this website I see R7800-V1.0.2.67SF.img as the latest release.

However on your website I already find R7800-V1.0.2.67.1SF.img.

Can we consider the last one a stable release?

Voxel

> However on your website I already find R7800-V1.0.2.67.1SF.img.
>
> Can we consider the last one a stable release?

Yes. 

See https://www.snbforums.com/threads/custom-firmware-build-for-r7800-v-1-0-2-67sf-1-0-2-67-1sf.56921/

Voxel

Voxel

> I now get 37mbit, which is a great improvement, though still far from the speed I would expect.

Kamoj intends to release his add-on with OpenVPN handling including NordVPN.

https://www.snbforums.com/threads/poll-for-openvpn-provider-to-be-supported-by-voxel-firmware.56627/

> Have you seen this and have you made any speed tests with the regular stock firmware?

No. I do not think it is fast. And really as far as I know single provider is supported.

> Also, I recently tested Wireguard with NordVPN and it's really really fast, though still in development. Do you think that could be implemented in your firmware?

I am not sure it is possible. Wireguard requirements: kernel >= 3.10. NG is using modified 3.4.103. My own changes on the level of kernel are troublesome because of possible incompatibility with kernel objects from NG pre-built binaries (in their GPL).

Voxel.

kinakuta

Wow, that sounds great and I see the NordVPN is in the lead... :-)

DD-WRT supports Wireguard and I think there is a version for the R7800 out there, I just would prefer to stick with your firmware, as DD-WRT's openVPN implementation is not specific to the router and therefore is not as fast. So maybe there is a way...just saying ;-)

Voxel

> For example, I do get AES-256-GCM, even if I try 128 in the config.

BTW, try the following options to get AES-128-GCM:

ncp-disable
cipher AES-128-GCM

and check OpenVPN client log re: what cipher is used now. IMO it should speed up.

Voxel.

kinakuta

Thanks, I just tried that. But I still only get 35Mbit/s...strange. Here's the log:

Wed Jul  3 14:42:52 2019 OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Jul  3 14:42:52 2019 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Wed Jul  3 14:42:52 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Jul  3 14:42:52 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul  3 14:42:52 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jul  3 14:42:52 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jul  3 14:42:52 2019 nice -20 succeeded
Wed Jul  3 14:42:52 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]104.222.153.29:1194
Wed Jul  3 14:42:52 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jul  3 14:42:52 2019 UDP link local: (not bound)
Wed Jul  3 14:42:52 2019 UDP link remote: [AF_INET]104.222.153.29:1194
Wed Jul  3 14:42:53 2019 TLS: Initial packet from [AF_INET]104.222.153.29:1194, sid=4d0c38b3 f96378d9
Wed Jul  3 14:42:53 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Wed Jul  3 14:42:53 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Wed Jul  3 14:42:53 2019 VERIFY KU OK
Wed Jul  3 14:42:53 2019 Validating certificate extended key usage
Wed Jul  3 14:42:53 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jul  3 14:42:53 2019 VERIFY EKU OK
Wed Jul  3 14:42:53 2019 VERIFY OK: depth=0, CN=us2676.nordvpn.com
Wed Jul  3 14:42:53 2019 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1582', remote='link-mtu 1634'
Wed Jul  3 14:42:53 2019 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
Wed Jul  3 14:42:53 2019 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA512'
Wed Jul  3 14:42:53 2019 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Wed Jul  3 14:42:53 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Jul  3 14:42:53 2019 [us2676.nordvpn.com] Peer Connection Initiated with [AF_INET]104.222.153.29:1194
Wed Jul  3 14:42:54 2019 SENT CONTROL [us2676.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Jul  3 14:42:54 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.51 255.255.255.0,peer-id 43'
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: compression parms modified
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Jul  3 14:42:54 2019 Socket Buffers: R=[212992->425984] S=[212992->425984]
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: route options modified
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: route-related options modified
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: peer-id set
Wed Jul  3 14:42:54 2019 OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Jul  3 14:42:54 2019 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Jul  3 14:42:54 2019 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Jul  3 14:42:54 2019 TUN/TAP device tun21 opened
Wed Jul  3 14:42:54 2019 TUN/TAP TX queue length set to 1000
Wed Jul  3 14:42:54 2019 /sbin/ifconfig tun21 10.8.8.51 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Wed Jul  3 14:42:54 2019 /etc/openvpn/ovpnclient-up.sh tun21 1500 1585 10.8.8.51 255.255.255.0 init
RTNETLINK answers: File exists
Wed Jul  3 14:42:54 2019 /sbin/route add -net 104.222.153.29 netmask 255.255.255.255 gw 192.168.1.1
Wed Jul  3 14:42:54 2019 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Wed Jul  3 14:42:54 2019 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Wed Jul  3 14:42:54 2019 Initialization Sequence Completed
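
Added example, not part of any post in this thread and not code from Voxel's firmware: a shell script for the log check requested above, reporting which data-channel cipher is in use, which options are flagged as inconsistent, and which values the server pushed, so the cipher, sndbuf/rcvbuf and compression experiments suggested earlier can be verified. The function names are made up for this example and the sample lines are abridged from the posted log.

```shell
#!/bin/sh
# Added example: summarise what an OpenVPN 2.4 client log says was negotiated.
# All function names are hypothetical; each function reads a log on stdin.

# Sample input: lines abridged from the log posted above (PUSH_REPLY shortened).
sample_log() {
cat <<'EOF'
Wed Jul  3 14:42:53 2019 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-GCM', remote='cipher AES-256-CBC'
Wed Jul  3 14:42:53 2019 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Wed Jul  3 14:42:54 2019 PUSH: Received control message: 'PUSH_REPLY,sndbuf 524288,rcvbuf 524288,comp-lzo no,ping 60,peer-id 43'
Wed Jul  3 14:42:54 2019 Socket Buffers: R=[212992->425984] S=[212992->425984]
Wed Jul  3 14:42:54 2019 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Wed Jul  3 14:42:54 2019 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
EOF
}

# Cipher actually protecting outgoing tunnel traffic (last negotiation wins).
data_cipher() {
  sed -n "s/.*Outgoing Data Channel: Cipher '\([^']*\)'.*/\1/p" | tail -n 1
}

# Options where the local and remote configs disagree, one name per line.
option_mismatches() {
  sed -n "s/.*WARNING: '\([^']*\)' is used inconsistently.*/\1/p"
}

# Value(s) the server pushed for option $1 (empty if it was not pushed).
pushed_option() {
  sed -n "s/.*'PUSH_REPLY,\(.*\)'\$/\1/p" | tail -n 1 | tr ',' '\n' |
    awk -v opt="$1" '$1 == opt { $1 = ""; sub(/^ /, ""); print }'
}

# Receive buffer size in effect after the last "Socket Buffers" line.
applied_rcvbuf() {
  sed -n 's/.*Socket Buffers: R=\[[0-9]*->\([0-9]*\)].*/\1/p' | tail -n 1
}

report() {  # usage: report < openvpn-client.log
  log=$(cat)
  show() { printf '%s\n' "$log" | "$@" | tr '\n' ' '; }
  echo "data cipher    : $(show data_cipher)"
  echo "pushed cipher  : $(show pushed_option cipher)"
  echo "mismatches     : $(show option_mismatches)"
  echo "pushed rcvbuf  : $(show pushed_option rcvbuf)"
  echo "applied rcvbuf : $(show applied_rcvbuf)"
  echo "pushed comp-lzo: $(show pushed_option comp-lzo)"
}

sample_log | report
```

On the sample lines this reports AES-128-GCM as the data cipher with no cipher pushed, while sndbuf/rcvbuf 524288 and comp-lzo no come from the server; the OPTIONS IMPORT lines in the full log show those pushed values being applied.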

Voxel

Timings from kamoj (NordVPN):

128-GCM-mssfix1460: 
DL=80818/83664/86805 (Kbps)
 
256-GCM-mssfix1460: 
DL=70631/75282/78104 (Kbps)
 
256-CBC-mssfix1460: 
DL=75252/76491/78496 (Kbps)
 
My results are not so good but with AES-128-GCM I have 47/100Mbps (my real speed is 200/200). But NordVPN server I use is far from my location (other country). AES-256-CBC results are 37/72.

Voxel.

 
kinakuta

Interesting, thank you for sharing. I also get 37 with and 75 without OpenVPN, using NordVPN and 256-CBC. I wasn't able to get anything beyond 50, which is a shame, considering I'm paying for 100mbit and getting less than half. 

That's why I thought Wireguard would help. It's incredibly fast and NordVPN is currently testing it in Beta, but I suspect they will soon offer it as a regular service alongside OpenVPN, IPSec etc.

kamoj

Voxel FW easily gives 100+ Mbps. Maximum seems to be around 120 Mbps at 256-CBC.

I have tried several VPN providers, like PIA and NordVPN, and done 100s of tests.
The important thing is to find the best server to connect to.
I'm working on an add-on to Voxel FW, that checks server load, bandwidth and ping times to find a good server.

NordVPN today:

AES-256-CBC-mssfix1450: min/mean/max (of 100+ tests)
DL=47861/70071/107437 (Kbps)

kinakuta

Sounds great. I always connect to a specific server in the U.S., which of course means that it's slower when there are a lot of people on the server. So auto-selection would be great. When do you expect to release the add-on?

kamoj

End of August - maybe.

I'm working on 3 add-ons simultaneously + adaptions needed to work with Voxel FW (rewritten openvpn-client),
and maintain compatibility with r9000/R8900 as well.

I'm working too much including travelling away from home and then no router to test with.
Then I need to squeeze in some vacation...

Probably I'll first release the revamped "debug addon" as a separate add-on, to get feedback asap about the new interface.

Thank you for your interest!

kinakuta

Wow, very cool, sounds amazing. Let me know if you need a tester :-)

Voxel

New version of my custom firmware build: 1.0.2.68SF.

Changes (vs 1.0.2.67.1SF):

1. Kernel vulnerability: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 are fixed:

2. unbound package (used in stubby) is upgraded 1.9.1->1.9.2.
3. yaml package (used in stubby) is upgraded 0.2.1->0.2.2.
4. libjson-c package is upgraded 0.12.1->0.13.1.
5. liblz4 package is upgraded 1.8.3->1.9.1.
6. util-linux package is upgraded 2.33.1->2.34.
7. sysstat package is upgraded 11.6.4->12.0.5.
8. gdbm package is upgraded 1.11->1.18.1.
9. uClibc: sync with GNU C library patch is added.
10. zlib package is optimized.
11. ReadyCLOUD install script is changed (cosmetic changes).
12. Host tools: three components are upgraded (bison, mpfr, scons).

The link is:

https://www.voxel-firmware.com (thanks to vladlenas for his help with hosting).

P.S. Main accent of this release is fixing CVE-2019-11477, CVE-2019-11478, CVE-2019-11479. The rest is maintenance movement (keeping up-to-date).

Voxel.
