vpnmgr vpnmgr - Manage and update VPN Client configurations for NordVPN and PIA

[Jack Yaz]

Is your roadmap published anywhere?

It would be interesting to see what is in the pipeline.

hastily jotted ideas in notepad on my computer

 

[L&LD]

And... any screenshots?

 

[Stephen Harrington]

@Jack Yaz I've just switched VPN providers to NordVPN so I've been having a look at this script in the past few days, after also replicating my present Merlin/AMTM setup from an RT-AC86U to a new RT-AX86U recently. Figured since I use just about all your other scripts it would be remiss of me not to add this one!

I seem to have had a few instances where either after a reboot or scheduled "refresh", the new NordVPN node picked seems to be "dead", even though showing as connected.
I then have to manually "kick" the connection via Option 5 in the SSH menu (and while I think of it is there any reason that command doesn't seem to be in the web GUI?)

Does your script do any kind of connectivity check / sanity check once it picks a new "node" from the NordVPN list?
Certainly in my neck of the woods (Sydney, Australia) there seems to be quite a few dead ones, or servers where the throughput is pretty low, even though the load is also seemingly low which makes it a good choice in theory ...

Do you have any plans to make the actual server selection more fail-safe and intelligent? (hint, hint)
It would be nice if after picking a new server VPNMGR checked it was a) alive and passing data and b) had a minimum throughput (user configurable) otherwise the script would have a go at picking a better one? Maybe it could tie in with spdMerlin somehow?

 

[Jack Yaz]

@Jack Yaz I've just switched VPN providers to NordVPN so I've been having a look at this script in the past few days, after also replicating my present Merlin/AMTM setup from an RT-AC86U to a new RT-AX86U recently. Figured since I use just about all your other scripts it would be remiss of me not to add this one!

I seem to have had a few instances where either after a reboot or scheduled "refresh", the new NordVPN node picked seems to be "dead", even though showing as connected.
I then have to manually "kick" the connection via Option 5 in the SSH menu (and while I think of it is there any reason that command doesn't seem to be in the web GUI?)

Does your script do any kind of connectivity check / sanity check once it picks a new "node" from the NordVPN list?
Certainly in my neck of the woods (Sydney, Australia) there seems to be quite a few dead ones, or servers where the throughput is pretty low, even though the load is also seemingly low which makes it a good choice in theory ...

Do you have any plans to make the actual server selection more fail-safe and intelligent? (hint, hint)
It would be nice if after picking a new server VPNMGR checked it was a) alive and passing data and b) had a minimum throughput (user configurable) otherwise the script would have a go at picking a better one? Maybe it could tie in with spdMerlin somehow?

vpnmgr uses the NordVPN API to use a server NordVPN suggest. If its returning dead servers then you should report that to them as it will affect more than just vpnmgr.

How are you testing the connectivity after a reboot? If the VPN client connects then it's unlikely a server fault, do you see any errors in syslog/openvpn log?

Hitting Save in the WebUI will trigger the same as option 5 iirc, but will reload all servers.

 

[Stephen Harrington]

How are you testing the connectivity after a reboot? If the VPN client connects then it's unlikely a server fault, do you see any errors in syslog/openvpn log?

Hmmm ... OK thanks @Jack Yaz for the thoughts - I'll look at this further and try and get some more data next time it crops up.
I haven't been looking in the OVPN logs, but I suspect it will look OK as you say.

My Synology NAS is the only client being routed out via the VPN, and so far around 3-4 times I get an email from it complaining it can't renew the its dynamic DNS, and also if i have any downloads (torrents) in progress they just stall. But mostly it is all just happy and picks up the new tunnel/dns, renews the dynamic DNS OK and continues. So now you've got me thinking not a router thing at all ... perhaps?

 

[eleVator]

I think that script lets you failover between VPN clients, it wouldn't let you get a new nordvpn server in a failure condition. it could help you in the meantime, if you have multiple clients set up (1 tcp and 1 udp if both nord to avoid conflict)

Yes but whatever i tried to do, the updating part of your script just kept me offline, something was not working right with nordVPN, so i had to disable vpn client script for now.

As previous poster writes, i do not think the VPN nodes are dead, since restarting the VPN service with scmerlin brings back the connection.
Sanity checks would be awesome, bundled with speed tests and auto switching to better node.

 

[royoky]

Hello @Jack Yaz ,

Thanks for this addon ! I used it a lot when I was using NordVpn, but now that I switched to ProtonVpn, I'm sad I cannot use it anymore.
Do you think you can add ProtonVpn to your script ? I know they have an API here:

https://api.protonmail.ch/vpn/logicals

I was not able to find any documentation though.

 

[Pak Kriss]

Hello @Jack Yaz ,

Thanks for this addon ! I used it a lot when I was using NordVpn, but now that I switched to ProtonVpn, I'm sad I cannot use it anymore.
Do you think you can add ProtonVpn to your script ? I know they have an API here:

https://api.protonmail.ch/vpn/logicals

I was not able to find any documentation though.

Thanks for that link

I was looking for something like that hoping this could be added to the current vpnmgr script

Just switched from Proton to Nord because of @Jack Yaz vpnmgr

Makes everything much more easy

 

[JR Godwin]

Whilst I can see the option to refresh the vpn connection / server in the CLI side of things, I'm trying to figure out how I would just simply refresh the server on the web side without changing any of the other configuration settings. Sometimes I get connected to a server and the upload speed is in the 1-3 mbps range, vs 80-150 mbps range most have.

Just click on the Save button without making any changes?

 

[Jack Yaz]

Whilst I can see the option to refresh the vpn connection / server in the CLI side of things, I'm trying to figure out how I would just simply refresh the server on the web side without changing any of the other configuration settings. Sometimes I get connected to a server and the upload speed is in the 1-3 mbps range, vs 80-150 mbps range most have.

Just click on the Save button without making any changes?

Yup, Save will refresh all servers iirc. I'll look at making a button or link to refresh individual servers in future

 

[Wishmaster1965]

I am using nord vpn, was working fine until recently. I select UK- London and apply and upon switching to the VPN Client tab I see connnecting but it does not connect.

I have VPN start at boot time on.

i rebuilt my router lastnight but still it does not connect.

Any Ideas ?

 

[princi]

Hi Jack,

I don’t use this script so I’m not exactly sure how it switches between VPN clients, but I do have one question:

would it be possible two run two VPN clients at once with the network Route bound to a particular WiFi SSID - or for that matter - a particular LAN port?

I know this is do-able, just a matter of how easy it is to setup.

Cheers…

 

[Jack Yaz]

I am using nord vpn, was working fine until recently. I select UK- London and apply and upon switching to the VPN Client tab I see connnecting but it does not connect.

I have VPN start at boot time on.

i rebuilt my router lastnight but still it does not connect.

Any Ideas ?

do you see any errors in system log from openvpn with the reason why its not connecting?

 

[Wishmaster1965]

do you see any errors in system log from openvpn with the reason why its not connecting?

May 21 16:30:39 RT-AC88U-EB98 vpnmgr: VPN client 5 updated successfully (UK2278 Standard UDP)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: OpenVPN 2.5.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 30 2021
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.08
May 21 16:30:41 RT-AC88U-EB98 custom_script: Running /jffs/scripts/service-event-end (args: restart vpnclient5)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.35.30.215:1194
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Socket Buffers: R=[122880->245760] S=[122880->245760]
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: UDP link local: (not bound)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: UDP link remote: [AF_INET]89.35.30.215:1194
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: TLS: Initial packet from [AF_INET]89.35.30.215:1194, sid=2427bdbd bca55f0b
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY KU OK
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: Validating certificate extended key usage
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY EKU OK
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=0, CN=uk2278.nordvpn.com
May 21 16:30:44 RT-AC88U-EB98 ovpn-client5[12246]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
May 21 16:30:44 RT-AC88U-EB98 ovpn-client5[12246]: [uk2278.nordvpn.com] Peer Connection Initiated with [AF_INET]89.35.30.215:1194
May 21 16:30:45 RT-AC88U-EB98 ovpn-client5[12246]: SENT CONTROL [uk2278.nordvpn.com]: 'PUSH_REQUEST' (status=1)
May 21 16:30:46 RT-AC88U-EB98 ovpn-client5[12246]: AUTH: Received control message: AUTH_FAILED
May 21 16:30:46 RT-AC88U-EB98 ovpn-client5[12246]: SIGTERM received, sending exit notification to peer
May 21 16:30:49 RT-AC88U-EB98 ovpn-client5[12246]: SIGTERM[soft,exit-with-notification] received, process exiting

I see Auth Failed but I can successfuly login to nordvpn with the same credentials

 

[Wishmaster1965]

I am due another rebuild of my router next week just in case this is transient

 

[Jack Yaz]

May 21 16:30:39 RT-AC88U-EB98 vpnmgr: VPN client 5 updated successfully (UK2278 Standard UDP)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: OpenVPN 2.5.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 30 2021
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.08
May 21 16:30:41 RT-AC88U-EB98 custom_script: Running /jffs/scripts/service-event-end (args: restart vpnclient5)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.35.30.215:1194
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Socket Buffers: R=[122880->245760] S=[122880->245760]
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: UDP link local: (not bound)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: UDP link remote: [AF_INET]89.35.30.215:1194
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: TLS: Initial packet from [AF_INET]89.35.30.215:1194, sid=2427bdbd bca55f0b
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY KU OK
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: Validating certificate extended key usage
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY EKU OK
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=0, CN=uk2278.nordvpn.com
May 21 16:30:44 RT-AC88U-EB98 ovpn-client5[12246]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
May 21 16:30:44 RT-AC88U-EB98 ovpn-client5[12246]: [uk2278.nordvpn.com] Peer Connection Initiated with [AF_INET]89.35.30.215:1194
May 21 16:30:45 RT-AC88U-EB98 ovpn-client5[12246]: SENT CONTROL [uk2278.nordvpn.com]: 'PUSH_REQUEST' (status=1)
May 21 16:30:46 RT-AC88U-EB98 ovpn-client5[12246]: AUTH: Received control message: AUTH_FAILED
May 21 16:30:46 RT-AC88U-EB98 ovpn-client5[12246]: SIGTERM received, sending exit notification to peer
May 21 16:30:49 RT-AC88U-EB98 ovpn-client5[12246]: SIGTERM[soft,exit-with-notification] received, process exiting

I see Auth Failed but I can successfuly login to nordvpn with the same credentials

Make sure you're using the correct vpn credentials and not those for the nord account

 

[Wishmaster1965]

Bueno

 

[JR Godwin]

Jack

It seems that when vpnmgr cycles the vpn connection, it doesn't maintain "all" the settings that are in on the client.

For one of my vpn's, I have the Inbound Firewall setting set to allow over on the VPN client tab, but I notice that it gets set back to "Block" typically after a cycling.

It's also not one of the options on the vpnmgr page, so dunno if it always being set to block was deliberate, oversight, or bug.

 

[Jack Yaz]

Jack

It seems that when vpnmgr cycles the vpn connection, it doesn't maintain "all" the settings that are in on the client.

For one of my vpn's, I have the Inbound Firewall setting set to allow over on the VPN client tab, but I notice that it gets set back to "Block" typically after a cycling.

It's also not one of the options on the vpnmgr page, so dunno if it always being set to block was deliberate, oversight, or bug.

I'll have to double check but block would make sense as a default. Can you let me know why you need to allow inbound connections on your VPN client?

 

[JR Godwin]

I'll have to double check but block would make sense as a default. Can you let me know why you need to allow inbound connections on your VPN client?

Gaming. Xbox....having some issues connecting with certain game services at the moment and they seem to be corrected when going through vpn.....although I give up being in an open NAT situation to double NAT, can't argue with it because under normal circumstances I can't play at all, and can under the vpn one.