VPNMON [BETA] VPNMON-R2 BETA is CLOSED. Thank you all for your help!!

[Viktor Jaep]

VPNMON-R2 BETA is CLOSED.

Final v2.55 was released on May 14, 2023 -- full release available here:

VPNMON - VPNMON-R2 v2.55 -May 14, 2023- Monitor your VPN connection's Health (New: AirVPN, AMTM, KILLMON, supporting WeVPN/Nord/SurfShark/PerfectPrivacy) (#3)

v2.55 - Now with even more SuperRandom(tm) goodness!! Updated May 14, 2023 Executive Summary: VPNMON-R2 is an all-in-one script that works for any VPN service of your choice, but is optimized for NordVPN, SurfShark VPN, WeVPN and Perfect Privacy VPN services. It can also compliment @JackYaz's...

www.snbforums.com

--------------------------------------------

Records from last beta chatter below...

Calling all beta testers! As more features get added, the script keeps getting more complex, but better by the day thanks to your excellent suggestions and feedback! Some new functionality has been added, and wanted to throw this out to the community for any other feedback before I complete this release after things look solid.

What's new?:
v2.55b4 - (Revisions as of May 6, 2023)
- MAJOR: Added major functionality to integrate more closely with Unbound! Unbound allows you to become your own DNS resolver, so you don't have to rely on other DNS providers (like from your ISP, Google, Quad9, etc.), and helps somewhat with privacy - because who knows what they log on their end, right? The downside with Unbound is that the traffic you generate for your own DNS lookups to root servers or other authoritative servers is not encrypted... which would allow your ISP (or others) to still snoop on your plaintext port 53 DNS queries. So here's the good news -- this Unbound modification (thanks to @Martineau/Swinson) forces all plaintext port 53 traffic that Unbound generates for DNS lookups over your VPN tunnel instead! This means your internet activity is even more secure from your ISP (or others) prying eyes. Please note, this is not an end-all-be-all fix to keep all DNS lookups private, but it certainly helps get you closer. This update will now require that Unbound is installed and running, and will download and/or apply other scripts to the following files:

• /jffs/scripts/nat-start
• /jffs/scripts/openvpn-event
• /jffs/scripts/post-mount
• /jffs/addons/unbound/unbound_DNS_via_OVPN.sh

-NOTE: VPNMON-R2 does not play any role in manipulating Unbound or the associated scripts in any way... it continues to function as it normally does. Except now, as openvpn events fire off as VPN tunnels are disconnected or established, this will allow these scripts to work in harmony with each other to force Unbound traffic over the VPN tunnel. Playing with these scripts and modifications isn't for the feint of heart, and may take some serious troubleshooting skills to get it configured right if something doesn't work straight out of the gate.
- ADDED: Per one of @Martineau's old suggestions in the threads, when enabling this feature in the configuration menu, I've also added a command in the POST-MOUNT file that will disable Unbounds's VPN binding upon a router reboot as a fail-safe so that DNS resolutions aren't impacted as they would still be trying to get out over a VPN tunnel that is no longer in existence.
- MAJOR: Added functionality to integrate with Unbound! This update will now force Unbound to accept and apply the newest VPN slot to its config after a VPN reset, so that all unencrypted port 53 DNS traffic to the root servers now gets forced out over your VPN connection, instead of out over the open Internet for your ISP (or others) to snoop on. Please note, this is not an end-all-be-all fix to keep all DNS lookups private, but it certainly helps get you closer.
- CHANGED: As soon as the VPN goes down and a reset commences, I am calling the Unbound vpn=disable function in order to prevent DNS resolution issues. While dealing with a VPN reset, heard some screams from the fam that the internet wasn't reachable... aside from the lack of patience, I decided to make sure that VPN binding is turned off right away, and gets turned back on after another tunnel has been established.

CAVEAT: This is still highly experimental -- I'm still learning the ropes on how Unbound functions, and determining its capabilities, strengths and weaknesses (with many thanks to @Tech9, @SomeWhereOverTheRainBow, @chongnt, @Twiglets, @dave14305 and @bennor). This may break browsing, DNS resolutions, whatnot... I'll be eating my own dogfood, and running this alongside of you on a heavily used family network... Please share your feedback, as I'm sure my family members will be as well.

What will happen -- Once you've enabled this feature in the config, when VPNMON-R2 does a VPN reset, this will cause an "openvpn-event" caused by openvpn itself, and will kick off the script inside this file. Specifically, it calls to either stop or start the binding of your VPN with Unbound using the "/jffs/addons/unbound/unbound_DNS_via_OVPN.sh" script. This script has some specific mods in there that interfaces directly with Unbound itself, and innovative iptables rules to ensure traffic flows out and back over your VPN connection instead of your WAN connection. This will theoretically prevent your ISP (or others) from snooping on your unencrypted port 53 DNS resolution requests to the root servers made possible by Unbound.

NOTE: There are a number of good tools out there to help test your settings.

1. https://dnscheck.tools -- shows what your Public VPN exit is, and who your DNS resolver is.
2. @eibgrad's DNSMON tool -- excellent tool that shows you where your port 53 traffic originates from and returns to

Beta Download:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R2/master/vpnmon-r2-2.55b4.sh" -o "/jffs/scripts/vpnmon-r2.sh" && chmod 755 "/jffs/scripts/vpnmon-r2.sh"

Stable Release:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R2/master/vpnmon-r2-2.53.sh" -o "/jffs/scripts/vpnmon-r2.sh" && chmod 755 "/jffs/scripts/vpnmon-r2.sh"

Significant Screenshots:

On the second config page, you'll find the ability to enable the Unbound integration functionality.

 

[SomeWhereOverTheRainBow]

I thought I'd put this into its own thread for visibility reasons... Calling all WeVPN beta testers! VPNMON-R2 v2.20b1 officially supports WeVPN, including SuperRandom(r) and Multi-Country SuperRandom(r)!! I'm looking to see if one of you might be able to please give this a whirl, make sure it behaves OK with WeVPN client slots, is populating your slots with the right info, randomly making a new connection when dropped/reset, and that the SuperRandom functionality works. If you wouldn't mind posting or PM'ing me a screenshot to make sure everything looks right on your end in the UI? Thank you!! That saves me having to spend $$$ on a WeVPN subscription, but I will if necessary. Lol

Please note: WeVPN does not provide server loads (yet), and will incorporate that when it becomes available. Also, they don't provide straight IP addresses for their VPN hosts, which makes it more difficult to make it compatible with Skynet, so these two options are grayed out.

Beta Download:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R2/master/vpnmon-r2-2.20b1.sh" -o "/jffs/scripts/vpnmon-r2.sh" && chmod a+rx "/jffs/scripts/vpnmon-r2.sh"

Stable Release:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R2/master/vpnmon-r2-2.15sh" -o "/jffs/scripts/vpnmon-r2.sh" && chmod a+rx "/jffs/scripts/vpnmon-r2.sh"

I am getting there. Let you know soon how it is!

 

[Don->]

I thought I'd put this into its own thread for visibility reasons... Calling all WeVPN beta testers! VPNMON-R2 v2.20b1 officially supports WeVPN, including SuperRandom(r) and Multi-Country SuperRandom(r)!! I'm looking to see if one of you might be able to please give this a whirl, make sure it behaves OK with WeVPN client slots, is populating your slots with the right info, randomly making a new connection when dropped/reset, and that the SuperRandom functionality works. If you wouldn't mind posting or PM'ing me a screenshot to make sure everything looks right on your end in the UI? Thank you!! That saves me having to spend $$$ on a WeVPN subscription, but I will if necessary. Lol

Please note: WeVPN does not provide server loads (yet), and will incorporate that when it becomes available. Also, they don't provide straight IP addresses for their VPN hosts, which makes it more difficult to make it compatible with Skynet, so these two options are grayed out.

Beta Download:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R2/master/vpnmon-r2-2.20b1.sh" -o "/jffs/scripts/vpnmon-r2.sh" && chmod a+rx "/jffs/scripts/vpnmon-r2.sh"

Stable Release:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R2/master/vpnmon-r2-2.15sh" -o "/jffs/scripts/vpnmon-r2.sh" && chmod a+rx "/jffs/scripts/vpnmon-r2.sh"

There is a typo in the stable release i think it should be ........../vpnmon-r2-2.15.sh" - a missing "."

 

[Viktor Jaep]

There is a typo in the stable release i think it should be ........../vpnmon-r2-2.15.sh" - a missing "."

Nice find! Fixed!

 

[IKNOWNOTHING]

Viktor Jaep,

Excellent work on vpnmon-r2. I really love the script and it is perfect for recovering from dropped VPN connections. I would suggest a minor change in your next version. I used to run several vpn's simultaniously each in another country, but vpnmon-r2 resets all vpn's that startup on boot. Would it be possible to only reset the vpn's that were entered as available vpn slots while configuration vpnmon-r2?

thanks in advance

 

[Viktor Jaep]

Viktor Jaep,

Excellent work on vpnmon-r2. I really love the script and it is perfect for recovering from dropped VPN connections. I would suggest a minor change in your next version. I used to run several vpn's simultaniously each in another country, but vpnmon-r2 resets all vpn's that startup on boot. Would it be possible to only reset the vpn's that were entered as available vpn slots while configuration vpnmon-r2?

thanks in advance

Thanks @IKNOWNOTHING, that is a really great request! I didn't even think of that until you just mentioned this, because yes, it does kill all 5 client slots no matter how many you actually have configured. I'll get that in before the next release.

 

[IKNOWNOTHING]

@Viktor Jaep Wow, what a great and friendly response! Thank you very much. I will be looking out for it

 

[Viktor Jaep]

@Viktor Jaep Wow, what a great and friendly response! Thank you very much. I will be looking out for it

Hey @IKNOWNOTHING ... I've thrown Beta 2 out there that takes care of your issue with only killing the configured number of VPN slots now. Please let me know how it works out for you, OK?

Beta Download:

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R2/master/vpnmon-r2-2.20b2.sh" -o "/jffs/scripts/vpnmon-r2.sh" && chmod a+rx "/jffs/scripts/vpnmon-r2.sh"

 

[Viktor Jaep]

New BETA is available... enjoy!

See the [OP]!

 

[SomeWhereOverTheRainBow]

New BETA is available... enjoy!

See the [OP]!

 

[kuki68ster]

Hello,

After installing the beta i got the following error, when trying to access amtm:

ASUSWRT-Merlin RT-AX86U 386.7_2 Sun Jul 24 21:37:08 UTC 2022
Asus@RT-AX86U-B968:/tmp/home/root# amtm
/usr/sbin/amtm: /jffs/addons/amtm/availUpd.txt: line 10: syntax error: unterminated quoted string
Asus@RT-AX86U-B968:/tmp/home/root#

The router is working as it should, apart from the error...

Apart from reinstalling from scratch amtm, what can i do?

Thanks for the help

 

[Viktor Jaep]

Hello,

After installing the beta i got the following error, when trying to access amtm:

ASUSWRT-Merlin RT-AX86U 386.7_2 Sun Jul 24 21:37:08 UTC 2022
Asus@RT-AX86U-B968:/tmp/home/root# amtm
/usr/sbin/amtm: /jffs/addons/amtm/availUpd.txt: line 10: syntax error: unterminated quoted string
Asus@RT-AX86U-B968:/tmp/home/root#

The router is working as it should, apart from the error...

Apart from reinstalling from scratch amtm, what can i do?

Thanks for the help

This is what mine currently comes back with... what does your availUpd.txt look like?

vpnmonUpate="<- v2.22"
vpnmonMD5="d6eca2e4d7c8d1b320b1c0c8e9b34c96"

 

[Viktor Jaep]

The next daily beta - v2.24b5 is now available... this is what's new:

- CHANGED: Revamped the reset conditions screens, which now display on a cleared page, instead of appending the reset output to the main UI.
- FIXED: I "may" have repaired the elusive unbound operand error that would occasionally appear on the main UI. FYI: @monakh!

See the [OP] for the download link!

 

[Viktor Jaep]

The next daily beta - v2.24b6 is now available - here's what's new:

- CHANGED: Joined the reset condition checks together into their own function in order to allow the (R)eset command to work instantaneously, instead of waiting for a cycle to finish.

See the [OP] for the download link!

 

[monakh]

Alright, here's an update from me on B3 / AXE16000.

As you know, I have been trying really hard to capture the "WAN down" issue via the troubleshooting script, but running it at the same time as B3 effectively resulted in random reboots within minutes of running the two together. In any event, I have given up on trying to discern exactly what "State: 2" means because it NEVER changes, at least not during the failures I have been experiencing.

So, today, I updated to B6 and have left out the troubleshooting script, let's see if the router stays stable. I think this AXE16000 hardware is just too new. It will take time to sort out all the various different kinks. You're ahead of the curve, though, methinks.

As an aside, it's very odd that the script only pulls recommended servers from a single city only. In my case, it is NY (used to be Tel Aviv, if you recall from a couple of days back). Is there a way to check if it's just me/my location or something else at play? When I go to the Nord recommended server site via the web browser, I get a different city every time.

Edit: Here's the log--on second thought, I don't think it's the troubleshooting script, could be AMTM:

Spoiler: Sys Log

A couple of days back:
Sep 27 23:07:37 kernel: Hardware name: GTAXE16000_2GB (DT)
Sep 27 23:07:37 kernel: pstate: 200f0010 (nzCv q A32 LE aif)
Sep 27 23:07:37 kernel: pc : 00000000f7c1c9d8
Sep 27 23:07:37 kernel: lr : 0000000080808080
Sep 27 23:07:37 kernel: sp : 00000000ffd0f920
Sep 27 23:07:37 kernel: x12: 0000000000000000
Sep 27 23:07:37 kernel: x11: 0000000000000000 x10: 000000000007e66c
Sep 27 23:07:37 kernel: x9 : 00000000f6afd008 x8 : 00000000000a387e
Sep 27 23:07:37 kernel: x7 : 0000000000000010 x6 : 0000000000000000
Sep 27 23:07:37 kernel: x5 : 00000000000a3884 x4 : 00000000fefefeff
Sep 27 23:07:37 kernel: x3 : 0000000000000000 x2 : 0000000000000000
Sep 27 23:07:37 kernel: x1 : 0000000000000107 x0 : 0000000000000000
Sep 27 23:13:46 kernel: Ax:4x:Bx:Bx:7x:2x not mesh client, can't delete it
May 5 08:05:21 syslogd started: BusyBox v1.25.1
May 5 08:05:21 crashlog: ^A
May 5 08:05:21 crashlog: <4>INFO MerlinSupport::merlin16_serdes_init(): END Merlin Initialization procedure
May 5 08:05:21 crashlog: <4>MerlinSupport::merline_speed_set_core(): Step 7 Config Speed to 2
May 5 08:05:21 crashlog: <4>--- Step 8 PLL/PMD setup configuration for speed 0, mode 13.

Just now:
Sep 29 21:02:07 kernel: Ax:4x:Bx:Bx:8x:9x not mesh client, can't delete it
May 5 08:05:21 syslogd started: BusyBox v1.25.1
May 5 08:05:21 kernel: klogd started: BusyBox v1.25.1 (2022-08-13 16:53:39 EDT)
May 5 08:05:21 kernel: Booting Linux on physical CPU 0x0000000000 [0x420f1000]
May 5 08:05:21 kernel: Linux version 4.19.183 (merlin@ubuntu-dev) (gcc version 9.2.0 (Buildroot 2019.11.1)) #1 SMP PREEMPT Sat Aug 13 16:53:54 EDT 2022
May 5 08:05:21 kernel: Machine model: GTAXE16000_2GB

I am getting this "not mesh client" quite a bit but it's only when I run either AMTM or VPNMON that the router reboots after that error (my money is on AMTM at the moment). No clue what that means!

 

[Viktor Jaep]

As you know, I have been trying really hard to capture the "WAN down" issue via the troubleshooting script, but running it at the same time as B3 effectively resulted in random reboots within minutes of running the two together. In any event, I have given up on trying to discern exactly what "State: 2" means because it NEVER changes, at least not during the failures I have been experiencing.

I really appreciate the report, @monakh! Have you been able to look at the log it generates under /jffs/scripts/wan0mon.log? That would be the smoking gun, if there are instances where it flips to a different state than 2 that would somehow cause vpnmon-r2 to fall into that weird loop? State:2 means "connected", which is the normal state it should be in.

Random reboots would be a MAJOR concern. A simple script like this should not be causing reboots. I would definitely look into this further! Or even post some event logs into the main thread for RMerlin or others to dissect?

So, today, I updated to B6 and have left out the troubleshooting script, let's see if the router stays stable. I think this AXE16000 hardware is just too new. It will take time to sort out all the various different kinks. You're ahead of the curve, though, methinks.

The hardware may be new, but the Merlin firmware running on there is new as well. Definitely some opportunities to see if we can find any behaviors or bugs that we can report to RMerlin.

As an aside, it's very odd that the script only pulls recommended servers from a single city only. In my case, it is NY (used to be Tel Aviv, if you recall from a couple of days back). Is there a way to check if it's just me/my location or something else at play? When I go to the Nord recommended server site via the web browser, I get a different city every time.

The way I understand it, these would be the fastest/lowest load/lowest latency servers that are closest to you from a connection standpoint. I'm going to guess that the main pipe that traffic takes coming from across the pond/Tel Aviv exits in NY. The NordVPN API I use basically gives me a list of about 30 servers that it sorts in fastest order, and I pick the top 5 to use. I noticed that even the vast majority of these 30 servers are all located in the same city. It did the same thing for me when I was testing locally to Atlanta, and when picking other countries. These are what NordVPN programmatically recommends... so who am I to argue, right? LOL. It would be interesting to see what location these recommended servers are that it recommends using a tool like this https://www.iplocation.net/ip-lookup -- and I would also be scratching my head if they're not all NY servers.

 

[monakh]

Aha, I FORGOT to mention the 'smoking gun'. There is NO log being generated as part of the script. Sorry, should have led with that! I have started it again, let's see what happens. What I meant to say earlier is that I have given up on what state: 2 means because it never seems to change even though the WAN goes offline (an entry in the log and everything yet it doesn't change).

I updated the post above with some sys log entries. If I were to guess, it would be a memory leak being caused by something (but only when the scripts are running). I have been checking the scMerlin stats once in a while and the remaining memory is in double-digits MB. When I left the router alone without running AMTM, VPNMON or the WAN-check script, there were no reboots for two days.

OK, the connection points to the cities in terms of speed/load/latency make sense. Wish I could diversify though!

Edit: K 20 minutes later, memory is down to < 200 MB. It's definitely a memory leak. The question is what? It's only happening when I run the scripts (they are both running in their own screen). Can't be screen, that's decades-old solid code!

 

[Viktor Jaep]

Aha, I FORGOT to mention the 'smoking gun'. There is NO log being generated as part of the script. Sorry, should have led with that! I have started it again, let's see what happens.

So yeah, it would need to run continuously to be able to generate any log entries should the router be changing wan states...

I updated the post above with some sys log entries. If I were to guess, it would be a memory leak being caused by something (but only when the scripts are running). I have been checking the scMerlin stats once in a while and the remaining memory is in double-digits MB. When I left the router alone without running AMTM, VPNMON or the WAN-check script, there were no reboots for two days.

Wow... I don't know what to make of it. Mesh client means that it's looking for a secondary router to join to the mesh, or perhaps you had a mesh client before that it's not liking and can't get rid of? I would recommend posting this in the main Merlin thread, and seeing if someone might be able to help analyze that... it may need to get run by RMerlin.

OK, the connection points to the cities in terms of speed/load/latency make sense. Wish I could diversify though!

That's why I created SuperRandom(r)!!

Edit: K 20 minutes later, memory is down to < 200 MB. It's definitely a memory leak. The question is what? It's only happening when I run the scripts (they are both running in their own screen). Can't be screen, that's decades-old solid code!

Again... more tell-tale signs that we may be dealing with some bugs here. I'd run that by the main thread as well... You might be able to use the tool Top or HTop to see if you can find out what's taking up that memory?

 

[monakh]

And another ten minutes after that, reboot. Looks like it's only happening now with the scripts. Let me revert back to the stable v2.22 just to rule out VPNMON. Let's do the basic troubleshooting before I mention it in the Merlin thread, he's super-no-nonsense, I need to have my ducks in a row

Can super-random work in tandem with recommended servers? That would awesome!

 

[Viktor Jaep]

And another ten minutes after that, reboot. Looks like it's only happening now with the scripts. Let me revert back to the stable v2.22 just to rule out VPNMON. Let's do the basic troubleshooting before I mention it in the Merlin thread, he's super-no-nonsense, I need to have my ducks in a row

I don't know of anything in any script that would cause a crash... I once built a proof of concept script that exposed a flaw in the AC86U that proved that a simple NVRAM GET statement would hang the script... but it didn't reboot anything. I don't think reversion is going to help either... but let me know how it goes, and yes... definitely have your ducks in a row. lol

Also know you are basically running a preview version for the AXE16000... nobody else is on that level of code yet. So I'm sure he's going to be very interested in hearing about this. And the memory leak behavior as well!

Can super-random work in tandem with recommended servers? That would awesome!

I think the next step here would be to allow you to pick which cities you'd like to get recommended servers from. Right now, I'm just giving you the fastest ones available.