What's new

VPNMON VPNMON-R2 v2.52 -Mar 27, 2023- Monitor your VPN connection's Health (Thread locked/closed)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I've been running it continuously on 388.1 on the AX6000 for months, using Nordvpn... zero issues, @cptnoblivious...
@Viktor Jaep is there a manual command line I could run to check connectivity for you?
I would give a few of these a shot, since it seems to be failing in this area:

(replace tun12 with the correct vpn client slot# - so vpn slot 4 would be "tun14")
Code:
ping -I tun12 -q -c 1 -W 2 8.8.8.8

Code:
curl --silent --fail --interface tun12 --request GET --url https://ipv4.icanhazip.com

And @Stephen Harrington ... if you're daring enough, you can enable the debug mode, and see if you can catch something in the act? I'll be doing the same tomorrow after upgrading to 388.2 I'm sure... :(
 
@Viktor Jaep, adapted your tests for my single slot which is tun11, and I also use 1.1.1.1 as my test address, so:-

Code:
admin@AsusRouter:/jffs/scripts# ping -I tun11 -q -c 1 -W 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.564/9.564/9.564 ms

Seems to work OK.

But ...

Code:
admin@AsusRouter:/jffs/scripts# curl --interface tun11 --request GET --url https://ipv4.icanhazip.com
curl: (28) Failed to connect to ipv4.icanhazip.com port 443 after 15023 ms: Couldn't connect to server

Fails, as does my normal eth0 interface ...

Code:
admin@AsusRouter:/jffs/scripts# curl --interface eth0 --request GET --url https://ipv4.icanhazip.com
curl: (28) Failed to connect to ipv4.icanhazip.com port 443 after 15036 ms: Couldn't connect to server

So is the issue to do with ipv4.icanhazip.com perhaps?
I can't seem to raise that site in a browser either?

So I'd agree with @sephiclo that it's almost certainly not a Merlin issue?
 
So is the issue to do with ipv4.icanhazip.com perhaps?
I can't seem to raise that site in a browser either?

So I'd agree with @sephiclo that it's almost certainly not a Merlin issue?
Stange... this is working for me? Then again, I'm still on 388.1? Can you get to it from your phone/mobile (not on wifi)? I guess make sure this site is not being blacklisted by skynet by chance?
 
Can you get to it from your phone/mobile (not on wifi)?
Yep, I can, just returns my (mobile) IP address.

OK! I think I figured it out!
It's banned in my Adguard Home setup. If I disable it, then the curl command works.
Specifically I think it's the "EasyPrivacy" list, as I notice it also doesn't work in my normal browser as UBlock Origin plugin blocks it as well.
 
Ok, if I manually add ipv4.icanhazip.com to my AdGuard Home "DNS Allowlist" I have set up and re-enable AGH then the curl command now correctly returns an IP.
Will now turn on vpnmon-r2 and retest and report.

@cptnoblivious and @sephiclo are either of you running Adguard Home (The AMTM install) by any chance? Is that the common thread?
 
Ok @Viktor Jaep , I'm up and running again with vpnmon.
Thinking about it, it could be anything like AdGuardHome or Diversion that uses Easylist or has banned ipv4.icanhazip.com that could trigger this "glitch"?
Don't know if it is worth thinking about you polling two separate "IP returners" as a bit of a failsafe, if indeed that is even possible?
 
Ok, if I manually add ipv4.icanhazip.com to my AdGuard Home "DNS Allowlist" I have set up and re-enable AGH then the curl command now correctly returns an IP.
Will now turn on vpnmon-r2 and retest and report.

@cptnoblivious and @sephiclo are either of you running Adguard Home (The AMTM install) by any chance? Is that the common thread?
Nice find, @Stephen Harrington!! Thanks alot, @SomeWhereOverTheRainBow! Lol

Ok @Viktor Jaep , I'm up and running again with vpnmon.
Thinking about it, it could be anything like AdGuardHome or Diversion that uses Easylist or has banned ipv4.icanhazip.com that could trigger this "glitch"?
Don't know if it is worth thinking about you polling two separate "IP returners" as a bit of a failsafe, if indeed that is even possible?
I'm definitely going to consider a failsafe...after this! Thanks for your sleuthing. Guess I need to add a note to the OP to make sure people are whitelisting this. Why in the world would easylist put this on their blacklist for crying out loud.
 
Why in the world would easylist put this on their blacklist for crying out loud.
Could be lots of reasons, but as we know the various lists aren't foolproof, just a matter of, on balance, being a lot more useful than having no lists at all?
 
Could be lots of reasons, but as we know the various lists aren't foolproof, just a matter of, on balance, being a lot more useful than having no lists at all?
It literally just returns your IP address. No ads no nothing.

Well, I tried to find a way to dispute this domain on the easylist website, but of course, they have no easy way of doing this (no pun intended). Unless it gets taken off, this will continue to hinder vpnmon-r2 for those using AGH. I'll see if there's another easy alternative to icanhazip.com (again, no pun intended).
 
Last edited:
Could be lots of reasons, but as we know the various lists aren't foolproof, just a matter of, on balance, being a lot more useful than having no lists at all?
As I look into possible alternatives, or checking multiple sources before erroring out, could you please see if any of these are being blocked by the AGH easylist?

Code:
https://api.ipify.org/
https://ip.seeip.org
https://api.my-ip.io/ip
https://api.myip.com
https://ipapi.co/ip/
https://api.ip.sb/ip
https://api.country.is/
 
Unless it gets taken off, this will continue to hinder vpnmon-r2 for those using AGH.

@Viktor Jaep

Probably some other rogue domain on the same IP/ASN or whatever and your link has just been caught up in it as "collateral damage"?

Now you are aware and can warn the user base it's not a huge deal, just took me way longer than it should have to give the issue some serious attention and then figure out what was the hell was going on in my usual ham-fisted way - apologies for leaping to premature conclusions and getting you chasing your tail with the 388.1/beta 2/388.2 furphy I wildly threw in there. The old "correlation is not causation" chestnut!

I know a lot of the lists tend to pinch from each other so I'm wondering if Diversion is soon to be affected as well?

could you please see if any of these are being blocked by the AGH easylist?

Looks like 6 out of the 7 work in some form or other - some return more info than just a pure IP but I guess you know that :)

Code:
https://api.ipify.org/ = OK
https://ip.seeip.org = ** BLOCKED **
https://api.my-ip.io/ip = OK
https://api.myip.com = OK
https://ipapi.co/ip/ = OK
https://api.ip.sb/ip = OK
https://api.country.is/ =OK
 
Last edited:
@Viktor Jaep

Drilling down into this a bit further now I've got the time - is actually being blocked by one of the "default" AdGuardHome filters that are in a standard install, the one called funnily enough "AdGuard DNS Filter". I picked up that it was also being blocked by "EasyList" because that is what the UBlock Origin plugin pointed to in my default Chrome browser. I don't know where the AdGuard people get the entries that make up that filter ...
 
@Viktor Jaep

Drilling down into this a bit further now I've got the time - is actually being blocked by one of the "default" AdGuardHome filters that are in a standard install, the one called funnily enough "AdGuard DNS Filter". I picked up that it was also being blocked by "EasyList" because that is what the UBlock Origin plugin pointed to in my default Chrome browser. I don't know where the AdGuard people get the entries that make up that filter ...
Thanks for the sleuthing work! Perhaps @SomeWhereOverTheRainBow could please give us some guidance on whether there's a mechanism for something like this to be removed from their list, or if I simply need to give some guidance to whitelist this?
 
Thanks for the sleuthing work! Perhaps @SomeWhereOverTheRainBow could please give us some guidance on whether there's a mechanism for something like this to be removed from their list, or if I simply need to give some guidance to whitelist this?
Users can easily add this to their allow list on adguardhome, or just don't use the filter list hosting the false positive. Sadly, we have no control over what the developers on those list place inside their lists unless you feel like spelunking. In that case, I imagine it would be easy to reach out to the developer of the list to inform them of the false positive.
 
@Viktor Jaep

Drilling down into this a bit further now I've got the time - is actually being blocked by one of the "default" AdGuardHome filters that are in a standard install, the one called funnily enough "AdGuard DNS Filter". I picked up that it was also being blocked by "EasyList" because that is what the UBlock Origin plugin pointed to in my default Chrome browser. I don't know where the AdGuard people get the entries that make up that filter ...
Here is what I use.


or even

Code:
/usr/sbin/ip -o -4 addr list $(nvram get wan_ifname) | awk 'NR==1{ split($4, ip_addr, "/"); print ip_addr[1] }' ###relies on making sure you have the wan_ifname correct.
/usr/sbin/ip -4 addr list $(nvram get wan_ifname) | grep inet | awk -F '[ \t]+|/' '{print $3}' ###also relies on having correct ifname
 
Last edited:
The fact that it's adguard makes sense.

My setup is double natted. Internet -- AX58 (192.168.50.x resolves using Canadian Shield) -- AX68 (192.168.51.x resolves using DNS on 50.x network)

That's why vpnmon-r2 on the AX68 fails.

I'll put an allow rule on the Adguard home systems that run on the 50.x network today ... once I wake up / have had a bit of coffee :)

Great sleuthing :)
 
OK, straightforward fix. No more looping! Thanks @Viktor Jaep , @Stephen Harrington , @SomeWhereOverTheRainBow !

For anyone who runs into this and is unfamiliar with whitelisting here's what I did:
Adguard home web interface | Filters | Custom filtering rules​
Add: @@||ipv4.icanhazip.com^​
Hit "Apply"​

That should do it :)

Edit: If anyone is using pihole, the same regex expression should work, in case you have this issue!
Thanks to @SomeWhereOverTheRainBow - Correction, pihole does not use the same formatting :)
 
Last edited:
OK, straightforward fix. No more looping! Thanks @Viktor Jaep , @Stephen Harrington , @SomeWhereOverTheRainBow !

For anyone who runs into this and is unfamiliar with whitelisting here's what I did:
Adguard home web interface | Filters | Custom filtering rules​
Add: @@||ipv4.icanhazip.com^​
Hit "Apply"​

That should do it :)

Edit: If anyone is using pihole, the same regex expression should work, in case you have this issue!

Thanks for that! I've added some guidance under the instructions in the OP... whether people actually read it/find it is another matter. ;)
 
OK, straightforward fix. No more looping! Thanks @Viktor Jaep , @Stephen Harrington , @SomeWhereOverTheRainBow !

For anyone who runs into this and is unfamiliar with whitelisting here's what I did:
Adguard home web interface | Filters | Custom filtering rules​
Add: @@||ipv4.icanhazip.com^​
Hit "Apply"​

That should do it :)

Edit: If anyone is using pihole, the same regex expression should work, in case you have this issue!
Pihole does not support that formatting in the whitelisting section. only the blocklist format is supported.
 
Upgraded the ol' AX6000 to 388.2 this morning... no issues to report with VPNMON-R2! (As expected from the banter above) :)
 
Similar threads
Thread starter Title Forum Replies Date
Ripshod (Not specifically) VPNMON-R3 1.11 failure domino effect Asuswrt-Merlin AddOns 20

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top