VPNMON VPNMON-R2 v2.52 -Mar 27, 2023- Monitor your VPN connection's Health (Thread locked/closed)

I've been running it continuously on 388.1 on the AX6000 for months, using Nordvpn... zero issues, @cptnoblivious...
@Viktor Jaep is there a manual command line I could run to check connectivity for you?
I would give a few of these a shot, since it seems to be failing in this area:

(replace tun12 with the correct vpn client slot# - so vpn slot 4 would be "tun14")
Code:
ping -I tun12 -q -c 1 -W 2 8.8.8.8

Code:
curl --silent --fail --interface tun12 --request GET --url https://ipv4.icanhazip.com

And @Stephen Harrington ... if you're daring enough, you can enable the debug mode, and see if you can catch something in the act? I'll be doing the same tomorrow after upgrading to 388.2 I'm sure... :(
 
@Viktor Jaep, adapted your tests for my single slot which is tun11, and I also use 1.1.1.1 as my test address, so:-

Code:
admin@AsusRouter:/jffs/scripts# ping -I tun11 -q -c 1 -W 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.564/9.564/9.564 ms

Seems to work OK.

But ...

Code:
admin@AsusRouter:/jffs/scripts# curl --interface tun11 --request GET --url https://ipv4.icanhazip.com
curl: (28) Failed to connect to ipv4.icanhazip.com port 443 after 15023 ms: Couldn't connect to server

Fails, as does my normal eth0 interface ...

Code:
admin@AsusRouter:/jffs/scripts# curl --interface eth0 --request GET --url https://ipv4.icanhazip.com
curl: (28) Failed to connect to ipv4.icanhazip.com port 443 after 15036 ms: Couldn't connect to server

So is the issue to do with ipv4.icanhazip.com perhaps?
I can't seem to raise that site in a browser either?

So I'd agree with @sephiclo that it's almost certainly not a Merlin issue?
 
So is the issue to do with ipv4.icanhazip.com perhaps?
I can't seem to raise that site in a browser either?

So I'd agree with @sephiclo that it's almost certainly not a Merlin issue?
Strange... this is working for me? Then again, I'm still on 388.1? Can you get to it from your phone/mobile (not on wifi)? I guess make sure this site is not being blacklisted by skynet by chance?
 
Can you get to it from your phone/mobile (not on wifi)?
Yep, I can, just returns my (mobile) IP address.

OK! I think I figured it out!
It's banned in my Adguard Home setup. If I disable it, then the curl command works.
Specifically I think it's the "EasyPrivacy" list, as I notice it also doesn't work in my normal browser as UBlock Origin plugin blocks it as well.
 
Ok, if I manually add ipv4.icanhazip.com to my AdGuard Home "DNS Allowlist" I have set up and re-enable AGH then the curl command now correctly returns an IP.
Will now turn on vpnmon-r2 and retest and report.

@cptnoblivious and @sephiclo are either of you running Adguard Home (The AMTM install) by any chance? Is that the common thread?
 
Ok @Viktor Jaep , I'm up and running again with vpnmon.
Thinking about it, it could be anything like AdGuardHome or Diversion that uses Easylist or has banned ipv4.icanhazip.com that could trigger this "glitch"?
Don't know if it is worth thinking about you polling two separate "IP returners" as a bit of a failsafe, if indeed that is even possible?
 
Ok, if I manually add ipv4.icanhazip.com to my AdGuard Home "DNS Allowlist" I have set up and re-enable AGH then the curl command now correctly returns an IP.
Will now turn on vpnmon-r2 and retest and report.

@cptnoblivious and @sephiclo are either of you running Adguard Home (The AMTM install) by any chance? Is that the common thread?
Nice find, @Stephen Harrington!! Thanks a lot, @SomeWhereOverTheRainBow! Lol

Ok @Viktor Jaep , I'm up and running again with vpnmon.
Thinking about it, it could be anything like AdGuardHome or Diversion that uses Easylist or has banned ipv4.icanhazip.com that could trigger this "glitch"?
Don't know if it is worth thinking about you polling two separate "IP returners" as a bit of a failsafe, if indeed that is even possible?
I'm definitely going to consider a failsafe...after this! Thanks for your sleuthing. Guess I need to add a note to the OP to make sure people are whitelisting this. Why in the world would easylist put this on their blacklist for crying out loud.
 
Why in the world would easylist put this on their blacklist for crying out loud.
Could be lots of reasons, but as we know the various lists aren't foolproof, just a matter of, on balance, being a lot more useful than having no lists at all?
 
Could be lots of reasons, but as we know the various lists aren't foolproof, just a matter of, on balance, being a lot more useful than having no lists at all?
It literally just returns your IP address. No ads no nothing.

Well, I tried to find a way to dispute this domain on the easylist website, but of course, they have no easy way of doing this (no pun intended). Unless it gets taken off, this will continue to hinder vpnmon-r2 for those using AGH. I'll see if there's another easy alternative to icanhazip.com (again, no pun intended).
 
Could be lots of reasons, but as we know the various lists aren't foolproof, just a matter of, on balance, being a lot more useful than having no lists at all?
As I look into possible alternatives, or checking multiple sources before erroring out, could you please see if any of these are being blocked by the AGH easylist?

Code:
https://api.ipify.org/
https://ip.seeip.org
https://api.my-ip.io/ip
https://api.myip.com
https://ipapi.co/ip/
https://api.ip.sb/ip
https://api.country.is/
 
Unless it gets taken off, this will continue to hinder vpnmon-r2 for those using AGH.

@Viktor Jaep

Probably some other rogue domain on the same IP/ASN or whatever and your link has just been caught up in it as "collateral damage"?

Now you are aware and can warn the user base it's not a huge deal, just took me way longer than it should have to give the issue some serious attention and then figure out what the hell was going on in my usual ham-fisted way - apologies for leaping to premature conclusions and getting you chasing your tail with the 388.1/beta 2/388.2 furphy I wildly threw in there. The old "correlation is not causation" chestnut!

I know a lot of the lists tend to pinch from each other so I'm wondering if Diversion is soon to be affected as well?

could you please see if any of these are being blocked by the AGH easylist?

Looks like 6 out of the 7 work in some form or other - some return more info than just a pure IP but I guess you know that :)

Code:
https://api.ipify.org/ = OK
https://ip.seeip.org = ** BLOCKED **
https://api.my-ip.io/ip = OK
https://api.myip.com = OK
https://ipapi.co/ip/ = OK
https://api.ip.sb/ip = OK
https://api.country.is/ = OK
 
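A sketch of the failsafe suggested in this thread, added here as an example and not taken from vpnmon-r2: it walks several of the IP-echo endpoints listed above through a chosen tunnel interface and accepts only a bare IPv4 answer, so a DNS-filtered or JSON-returning endpoint is skipped instead of being read as a dead tunnel. The function names (`fetch_url`, `is_ipv4`, `get_public_ip`) and the 5-second timeout are assumptions.

```shell
#!/bin/sh
# Added example (not vpnmon-r2 code): fail-over public-IP check for a VPN slot.
# Endpoints come from the thread; any that answer with more than a bare IP are skipped.
IP_ENDPOINTS="https://ipv4.icanhazip.com https://api.ipify.org/ https://api.my-ip.io/ip https://ipapi.co/ip/ https://api.ip.sb/ip"

# fetch_url IFACE URL -> response body on stdout, non-zero exit on any failure.
fetch_url() {
    curl --silent --fail --max-time 5 --interface "$1" --request GET --url "$2"
}

# is_ipv4 STRING -> 0 only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the validated string into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# get_public_ip IFACE -> first validated IPv4 on stdout; 1 if every endpoint fails.
get_public_ip() {
    iface=$1
    for url in $IP_ENDPOINTS; do
        # A domain blocked by a DNS filter fails to connect, leaving the body empty.
        body=$(fetch_url "$iface" "$url" 2>/dev/null | tr -d ' \r\n')
        if is_ipv4 "$body"; then
            printf '%s\n' "$body"
            return 0
        fi
        echo "ip-check: no usable answer from $url via $iface" >&2
    done
    return 1
}

# Usage: sh ipcheck.sh tun11
if [ -n "${1:-}" ]; then
    get_public_ip "$1"
fi
```

Only when every endpoint fails does the function return non-zero, which is the point at which a monitor would treat the tunnel itself as suspect.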
@Viktor Jaep

Drilling down into this a bit further now I've got the time - is actually being blocked by one of the "default" AdGuardHome filters that are in a standard install, the one called funnily enough "AdGuard DNS Filter". I picked up that it was also being blocked by "EasyList" because that is what the UBlock Origin plugin pointed to in my default Chrome browser. I don't know where the AdGuard people get the entries that make up that filter ...
 
@Viktor Jaep

Drilling down into this a bit further now I've got the time - is actually being blocked by one of the "default" AdGuardHome filters that are in a standard install, the one called funnily enough "AdGuard DNS Filter". I picked up that it was also being blocked by "EasyList" because that is what the UBlock Origin plugin pointed to in my default Chrome browser. I don't know where the AdGuard people get the entries that make up that filter ...
Thanks for the sleuthing work! Perhaps @SomeWhereOverTheRainBow could please give us some guidance on whether there's a mechanism for something like this to be removed from their list, or if I simply need to give some guidance to whitelist this?
 
Thanks for the sleuthing work! Perhaps @SomeWhereOverTheRainBow could please give us some guidance on whether there's a mechanism for something like this to be removed from their list, or if I simply need to give some guidance to whitelist this?
Users can easily add this to their allow list on adguardhome, or just don't use the filter list hosting the false positive. Sadly, we have no control over what the developers on those list place inside their lists unless you feel like spelunking. In that case, I imagine it would be easy to reach out to the developer of the list to inform them of the false positive.
 
@Viktor Jaep

Drilling down into this a bit further now I've got the time - is actually being blocked by one of the "default" AdGuardHome filters that are in a standard install, the one called funnily enough "AdGuard DNS Filter". I picked up that it was also being blocked by "EasyList" because that is what the UBlock Origin plugin pointed to in my default Chrome browser. I don't know where the AdGuard people get the entries that make up that filter ...
Here is what I use.


or even

Code:
/usr/sbin/ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }' ###relies on making sure you have the wan_ifname correct.
/usr/sbin/ip -4 addr list $(nvram get wan_ifname) | grep inet | awk -F '[ \t]+|/' '{print $3}' ###also relies on having correct ifname
 
The fact that it's adguard makes sense.

My setup is double natted. Internet -- AX58 (192.168.50.x resolves using Canadian Shield) -- AX68 (192.168.51.x resolves using DNS on 50.x network)

That's why vpnmon-r2 on the AX68 fails.

I'll put an allow rule on the Adguard home systems that run on the 50.x network today ... once I wake up / have had a bit of coffee :)

Great sleuthing :)
 
OK, straightforward fix. No more looping! Thanks @Viktor Jaep , @Stephen Harrington , @SomeWhereOverTheRainBow !

For anyone who runs into this and is unfamiliar with whitelisting here's what I did:
Adguard home web interface | Filters | Custom filtering rules
Add: @@||ipv4.icanhazip.com^
Hit "Apply"

That should do it :)

Edit: If anyone is using pihole, the same regex expression should work, in case you have this issue!
Thanks to @SomeWhereOverTheRainBow - Correction, pihole does not use the same formatting :)
 
OK, straightforward fix. No more looping! Thanks @Viktor Jaep , @Stephen Harrington , @SomeWhereOverTheRainBow !

For anyone who runs into this and is unfamiliar with whitelisting here's what I did:
Adguard home web interface | Filters | Custom filtering rules
Add: @@||ipv4.icanhazip.com^
Hit "Apply"

That should do it :)

Edit: If anyone is using pihole, the same regex expression should work, in case you have this issue!

Thanks for that! I've added some guidance under the instructions in the OP... whether people actually read it/find it is another matter. ;)
 
OK, straightforward fix. No more looping! Thanks @Viktor Jaep , @Stephen Harrington , @SomeWhereOverTheRainBow !

For anyone who runs into this and is unfamiliar with whitelisting here's what I did:
Adguard home web interface | Filters | Custom filtering rules
Add: @@||ipv4.icanhazip.com^
Hit "Apply"

That should do it :)

Edit: If anyone is using pihole, the same regex expression should work, in case you have this issue!
Pihole does not support that formatting in the whitelisting section. Only the blocklist format is supported.
 
Upgraded the ol' AX6000 to 388.2 this morning... no issues to report with VPNMON-R2! (As expected from the banter above) :)
 
