VPNMON VPNMON-R3 v1.3.8 -Nov 28, 2024- Monitor WAN/Dual-WAN/OpenVPN Health & Reset Multiple OpenVPN Connections (Now available in AMTM!)

[Jack-Sparr0w]

First time looking at this, Is this right? does the VPN custom config file need to be changed?

 

[Jack-Sparr0w]

First time looking at this, Is this right? View attachment 62771

Is there any other config to be done with a basic NordVPN setup no unbound and using skynet Victor list

 

[Viktor Jaep]

First time looking at this, Is this right? does the VPN custom config file need to be changed?

1. It's kind of concerning that if this is very first time you've run this, that it somehow knows your VPN 1 slot has been going 2500 days. That's really weird. If you press the "1" key, it should reset that connection, and reset the time with it as well.

2. Also, it doesn't seem to be getting any city exit information. Can you make sure you're not blocking "https://ipv4.icanhazip.com" ?

3. For each of your VPN slots, you can just add all the Nord VPN IP's to a server list for each particular slot if you want to randomize where it connects to next... or you can just keep it to 1 IP that it will just keep connecting to. I created some documentation here on how to automate this more: https://www.snbforums.com/threads/v...list-generation-tutorials-and-examples.88022/

For instance, my VPN1 slot randomizes against 2382 US-based Nord Servers... my VPN 5 slot randomizes against 86 AirVPN US-based servers. Each night it refreshes these lists to ensure they're up-to-date, and whitelisted in Skynet.

Let me know what specific issues you may be facing?

 

[machinist]

Hello @Viktor Jaep . Thanks for all the work you're continually doing on your scripts here, what an asset you are.

Question: I tested R2 on this awhile back and now want to move over to R3 for my aging AC86U. I have an old RPi 3B laying around. Perhaps a dumb question but would I be served well with running the R3 version from the Raspberry Pi or would running it directly on the router suffice?

 

[Viktor Jaep]

Hello @Viktor Jaep . Thanks for all the work you're continually doing on your scripts here, what an asset you are.

Question: I tested R2 on this awhile back and now want to move over to R3 for my aging AC86U. I have an old RPi 3B laying around. Perhaps a dumb question but would I be served well with running the R3 version from the Raspberry Pi or would running it directly on the router suffice?

You're very welcome! I don't think it would do much use on your RPi because it has to make direct calls to your router's NVRAM for it to do much of its magic. Keep it on the router where your VPN connection(s) are configured.

 

[machinist]

@Viktor Jaep

Series of question to test my understanding - apologies in advance.

What I've done:

- Setup R3 on SCREEN utility and configured.

- Initial VPN setup from inside of VPN Director is basically to configure (4) slots with a single server IP VPN conf file each. Figure it would be an appropriate fallback.

- Have configured the local device I want VPN tunnel on (192.168.1.100) as (4) rules -- each with the corresponding VPN slot, i.e. OPVN1 => Device IP, OVPN2 => Device IP, OVPN3 => Device IP, OVPN4 => Device IP.

Questions:

Is this right? All four connections are now live (Connected). I figure that's part of the point, but now I'm not sure. How is the actual endpoint determined out of the four live connections?

- Under "Edit/R(U)n Server List Automation" I've inserted the AirVPN curl commands for each of the slots, e.g.:

curl --silent --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://airvpn.org/api/status/ | jq --raw-output '.servers[] | select(.country_name=="Netherlands") | .ip_v4_in3, .ip_v4_in4'

But for each of the slots in the Ops Menu I see [0000] under Svrs. What am I doing wrong -- do I need to also populate "Update/Maintain (V)PN Server Lists"? Was under the impression it would auto populate here using the curl scripts?

- When it reports "UNKWN" and "ping error", what does that mean exactly other than the obvious that there's an error?

- Lastly, when exiting the Ops Menu and to keep the script running, I am to hit CTRL + A + D and NOT [e=Exit], right?

That was a lot, thanks Viktor

 

[Viktor Jaep]

Series of question to test my understanding - apologies in advance.

Let's hope I can answer these!

What I've done:

- Setup R3 on SCREEN utility and configured.

- Initial VPN setup from inside of VPN Director is basically to configure (4) slots with a single server IP VPN conf file each. Figure it would be an appropriate fallback.

- Have configured the local device I want VPN tunnel on (192.168.1.100) as (4) rules -- each with the corresponding VPN slot, i.e. OPVN1 => Device IP, OVPN2 => Device IP, OVPN3 => Device IP, OVPN4 => Device IP.

Questions:

Is this right? All four connections are now live (Connected). I figure that's part of the point, but now I'm not sure. How is the actual endpoint determined out of the four live connections?

This sounds right! If you want, you can provide some screenshots of how you configured your VPN director, and what VPNMON-R3 is looking like right now? But from the sound of it, you have 4 different devices all pointing to different VPN end points, correct? VPN Director is in charge of routing that traffic across the appropriate VPN slot, which is how it determines the actual endpoint for each device.

- Under "Edit/R(U)n Server List Automation" I've inserted the AirVPN curl commands for each of the slots, e.g.:

curl --silent --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://airvpn.org/api/status/ | jq --raw-output '.servers[] | select(.country_name=="Netherlands") | .ip_v4_in3, .ip_v4_in4'

But for each of the slots in the Ops Menu I see [0000] under Svrs. What am I doing wrong -- do I need to also populate "Update/Maintain (V)PN Server Lists"? Was under the impression it would auto populate here using the curl scripts?

Congrats on getting that CURL statement correct. I tested it, and it brings back results. In order for the "SVRS" item to show more that "[0000]", just hit the execute command on that same screen. So for instance, on slot 5, you would hit "x5". It will show you the results of the query and tell you how many servers are now assigned to that slot.

It will optionally refresh the server lists each night when you have item 5 enabled under the configuration menu, if you are resetting your VPN nightly (using the R key) from the main operations menu:

- When it reports "UNKWN" and "ping error", what does that mean exactly other than the obvious that there's an error?

When you see these, it just means that your router is having trouble getting a ping back from the VPN end point. Usually they are few and far between... if it keeps happening, then it will figure that this endpoint is no good, and will disconnect and reconnect to another server in your server list.

- Lastly, when exiting the Ops Menu and to keep the script running, I am to hit CTRL + A + D and NOT [e=Exit], right?

Correct... if you're using Screen. I start VPNMON-R3 using the command "vpnmon-r3 -screen -now", which will run an instance under screen. You can use this command to see the UI, and to exit, CTRL-A + D. The "e" command will just kill the script.

That was a lot, thanks Viktor

Glad to help! Let me know if you have any other questions...

 

[machinist]

This sounds right! If you want, you can provide some screenshots of how you configured your VPN director, and what VPNMON-R3 is looking like right now? But from the sound of it, you have 4 different devices all pointing to different VPN end points, correct? VPN Director is in charge of routing that traffic across the appropriate VPN slot, which is how it determines the actual endpoint for each device.

At the moment I have 1 device that has to be routed through the VPN. Number of devices will increase, but for now it's only the one. All other traffic on the network goes out through WAN.

So, I've setup a rule for each OVPN interface to target the device on ...200 -- ignore slot 5, it's not active as I plan on using it for Unbound and DNS like I've seen on another post of yours

Thoughts?

Follow-up: When the R3 checks for ping health and it finds one of the connections to be above the custom value of, say, 200ms - but it _is_ still connected to it. It then shuts it down, finds another, and reconnects. What happens to the connection in the interim? Does the built in killswitch take over, or does the connection resume over WAN? Let me know if I'm asking the wrong question, please.

In order for the "SVRS" item to show more that "[0000]", just hit the execute command on that same screen. So for instance, on slot 5, you would hit "x5". It will show you the results of the query and tell you how many servers are now assigned to that slot.

Damnit, missed that. It works!

When you see these, it just means that your router is having trouble getting a ping back from the VPN end point. Usually they are few and far between... if it keeps happening, then it will figure that this endpoint is no good, and will disconnect and reconnect to another server in your server list.

Got it.

It will optionally refresh the server lists each night when you have item 5 enabled under the configuration menu, if you are resetting your VPN nightly (using the R key) from the main operations menu:

About that - is there any reason to enable this when it already checks/pings the connections in your specified interval? Or is it more a case of either/or, so as to not set an interval and then have it reset every night?

Correct... if you're using Screen. I start VPNMON-R3 using the command "vpnmon-r3 -screen -now", which will run an instance under screen. You can use this command to see the UI, and to exit, CTRL-A + D. The "e" command will just kill the script.

vpnmon-r3 -screen -now

Excellent, just what I needed. My next question was how to easily navigate in and out of the Ops Menu.

Thanks for the patience.

 

[Viktor Jaep]

View attachment 62972

At the moment I have 1 device that has to be routed through the VPN. Number of devices will increase, but for now it's only the one. All other traffic on the network goes out through WAN.

So, I've setup a rule for each OVPN interface to target the device on ...200 -- ignore slot 5, it's not active as I plan on using it for Unbound and DNS like I've seen on another post of yours

Thoughts?

Personally, I think what you're doing is a bit overkill. You really just need 1 VPN slot set up for this particular scenario. For instance, on my end, I have all devices in our entire house going through VPN slot 1, and a select few are excluded which hit the WAN directly.

Follow-up: When the R3 checks for ping health and it finds one of the connections to be above the custom value of, say, 200ms - but it _is_ still connected to it. It then shuts it down, finds another, and reconnects. What happens to the connection in the interim? Does the built in killswitch take over, or does the connection resume over WAN? Let me know if I'm asking the wrong question, please.

If you aren't using the built-in killswitch (which I don't use either), then when the VPN connection is killed, all traffic would temporarily get routed over the WAN until the VPN tunnel comes back up. Depending on the process, it might take a good 30sec-1min for things to get killed and reconnect. If your killswitch is enabled, then as soon as the VPN goes down, all traffic no longer is allowed to exit via the WAN until the VPN tunnel comes back up.

About that - is there any reason to enable this when it already checks/pings the connections in your specified interval? Or is it more a case of either/or, so as to not set an interval and then have it reset every night?

The reason for this is to refresh your connection with a different server, so that your connection rotates on a regular basis. In my case, I connect to one of 2000+ servers across the US. The other thing this does is get a new refreshed list of servers from your VPN provider. They might delete some servers, add new ones, etc. Your old list wouldn't know about these, and may try to connect to a dead server. You can then optionally whilelist all these servers in Skynet as well (using option #7 in the config).

Thanks for the patience.

Glad to be of help!

 

[machinist]

The reason for this is to refresh your connection with a different server, so that your connection rotates on a regular basis. In my case, I connect to one of 2000+ servers across the US. The other thing this does is get a new refreshed list of servers from your VPN provider. They might delete some servers, add new ones, etc. Your old list wouldn't know about these, and may try to connect to a dead server. You can then optionally whilelist all these servers in Skynet as well (using option #7 in the config).

If I may:

If I set it to reset once a day (under 'R'), is it both a reset of the server list or is it also a connection reset (switch to a different VPN server IP from the new and updated list)?

EDIT: That has to be the case, if I'm understanding you right.

When the nightly reset happens, I suppose it will work the same way as when auto switching VPN from high ping, as in it will allow traffic out through WAN in the interim for the 30-60 seconds?

Is there a way to completely disallow this? I'd want the connection to completely sever and not allow anything out that is not through the VPN tunnel. I am using the built in kill-switch in Merlin. Will that suffice for this?

 

[Viktor Jaep]

If I may:

Just this once I guess...

If I set it to reset once a day (under 'R'), is it both a reset of the server list or is it also a connection reset (switch to a different VPN server IP from the new and updated list)?

The Server List will be refreshed only if you have this option (below) set to "enabled". If you don't, it will just reset your connection, and choose a random server from your list.

 

[machinist]

Just this once I guess...

Where do I donate?

You're too quick. I updated the reply above, if you didn't catch it

 

[Viktor Jaep]

If I may:

If I set it to reset once a day (under 'R'), is it both a reset of the server list or is it also a connection reset (switch to a different VPN server IP from the new and updated list)?

EDIT: That has to be the case, if I'm understanding you right.

Correct. It refreshes the list, then chooses a random server to connect to.

When the nightly reset happens, I suppose it will work the same way as when auto switching VPN from high ping, as in it will allow traffic out through WAN in the interim for the 30-60 seconds?

Same principle, but it does not refresh the list in this case. It just chooses a different server from the existing list.

Is there a way to completely disallow this? I'd want the connection to completely sever and not allow anything out that is not through the VPN tunnel. I am using the built in kill-switch in Merlin. Will that suffice for this?

Using the built-in Killswitch should work for you in this case. I havent tried the new Killswitch implementation. Best way to tell is to test it out. Try resetting the connection, and see if you can browse the Internet while the VPN connection is down?

 

[iTyPsIDg]

I'm not sure if this is the best thread for this comment, but it does seem somewhat related.

As you may recall, I use Nord's SmartDNS for my DNS servers. My WAN IP doesn't change very often; however, when it does, my DNS stops working as you must register your WAN IP with Nord to use SmartDNS.

I thought I remembered someone creating a script to monitor for WAN IP changes, but I can't find it. Would there be a way to log a WAN IP change and automatically change the WAN DNS servers to a different set, then send out a notification that the WAN IP changed so that I can connect to my.nordaccount.com and store the new IP before switching the DNS servers back?

I hope that makes sense. Essentially, when this happens I can't resolve any DNS names and that means even VPNMON-R3 stops working.

My typical workaround is to switch my DNS servers to Quad9, run curl icanhazip.com, then compare that to my last email from Nord about the previous WAN IP I registered to see if it changed, then if it did change use a guest network I have with no VPN attached to connect to my Nord account, register the new IP, then switch the DNS servers back to SmartDNS.

NOTE: I also don't have my WAN IP correctly listed in the browser because I live in a building that uses private IPs for all the residents. The WAN IP is correct when viewed from VPNMON-R3, but incorrect on the router homepage.

 

[Viktor Jaep]

I'm not sure if this is the best thread for this comment, but it does seem somewhat related.

As you may recall, I use Nord's SmartDNS for my DNS servers. My WAN IP doesn't change very often; however, when it does, my DNS stops working as you must register your WAN IP with Nord to use SmartDNS.

I thought I remembered someone creating a script to monitor for WAN IP changes, but I can't find it. Would there be a way to log a WAN IP change and automatically change the WAN DNS servers to a different set, then send out a notification that the WAN IP changed so that I can connect to my.nordaccount.com and store the new IP before switching the DNS servers back?

I hope that makes sense. Essentially, when this happens I can't resolve any DNS names and that means even VPNMON-R3 stops working.

My typical workaround is to switch my DNS servers to Quad9, run curl icanhazip.com, then compare that to my last email from Nord about the previous WAN IP I registered to see if it changed, then if it did change use a guest network I have with no VPN attached to connect to my Nord account, register the new IP, then switch the DNS servers back to SmartDNS.

Did you mean WICENS?

[WICENS] WAN IP Change Email Notification Script

WICENS - WAN IP Change Email Notification Script v1.00 Jan2021 v.1.13 Sep 24,2021 v2.0 Oct 16,2021 v2.20 Oct 19,2021 v2.41 Nov 4,2021 v2.50 Nov 6,2021 v2.66 Jan 4,2022 v2.70 Feb 13,2022 v2.80 Jun 8,2022 v2.85 Jun 26 2022 v3.00 Sep 16 2022 Oct 27 2022 v3.10 Apr 6 2023 v3.20 Apr 10 2023 v3.30 Apr...

www.snbforums.com

Any possibility of getting a static WAN IP? That might solve all your issues.

 

[iTyPsIDg]

Did you mean WICENS?

[WICENS] WAN IP Change Email Notification Script

WICENS - WAN IP Change Email Notification Script v1.00 Jan2021 v.1.13 Sep 24,2021 v2.0 Oct 16,2021 v2.20 Oct 19,2021 v2.41 Nov 4,2021 v2.50 Nov 6,2021 v2.66 Jan 4,2022 v2.70 Feb 13,2022 v2.80 Jun 8,2022 v2.85 Jun 26 2022 v3.00 Sep 16 2022 Oct 27 2022 v3.10 Apr 6 2023 v3.20 Apr 10 2023 v3.30 Apr...

www.snbforums.com

Any possibility of getting a static WAN IP? That might solve all your issues.

I think that was it. No chance of a static IP. I just added this to my post: NOTE: I also don't have my WAN IP correctly listed in the browser because I live in a building that uses private IPs for all the residents. The WAN IP is correct when viewed from VPNMON-R3, but incorrect on the router homepage.

I'll read through it more later to see if it can work. The big issue is DNS stops working when the WAN IP changes. Then, nothing else works.

 

[Viktor Jaep]

I think that was it. No chance of a static IP. I just added this to my post: NOTE: I also don't have my WAN IP correctly listed in the browser because I live in a building that uses private IPs for all the residents. The WAN IP is correct when viewed from VPNMON-R3, but incorrect on the router homepage.

I'll read through it more later to see if it can work. The big issue is DNS stops working when the WAN IP changes. Then, nothing else works.

Just not sure how you can automate this process, since you have to manually register your new WAN IP with Nord in order to get a new set of DNS IPs. As long as your WAN IP keeps changing, I don't see any way around this. At least with WICENS, you'd get notified immediately.

 

[iTyPsIDg]

Just not sure how you can automate this process, since you have to manually register your new WAN IP with Nord in order to get a new set of DNS IPs. As long as your WAN IP keeps changing, I don't see any way around this. At least with WICENS, you'd get notified immediately.

Yeah, I don't expect to automate the entire process. If I could just get to the point of swapping the DNS servers when it happens to some saved backup and then sending an email, I could do the rest manually without having to first see if that was the problem I'm experiencing. The SmartDNS servers are only needed for streaming, so having internet is more important than always using SmartDNS.

I don't know if WICENS could notify me immediately without caching the Gmail servers IPs to send an email. I'll check in on that thread and see how it would handle the situation.

 

[iTyPsIDg]

It looks like WICENS could do what I need. I just need to know how to change the DNS servers via a script. It works with Double NAT and you can use a custom script.