Jack Yaz
Part of the Furniture
hastily jotted ideas in notepad on my computer
vpnmgr vpnmgr - Manage and update VPN Client configurations for NordVPN and PIA
- Thread starter Jack Yaz
- Start date
Stephen Harrington
Very Senior Member
@Jack Yaz I've just switched VPN providers to NordVPN so I've been having a look at this script in the past few days, after also replicating my present Merlin/AMTM setup from an RT-AC86U to a new RT-AX86U recently. Figured since I use just about all your other scripts it would be remiss of me not to add this one!
I seem to have had a few instances where either after a reboot or scheduled "refresh", the new NordVPN node picked seems to be "dead", even though showing as connected.
I then have to manually "kick" the connection via Option 5 in the SSH menu (and while I think of it is there any reason that command doesn't seem to be in the web GUI?)
Does your script do any kind of connectivity check / sanity check once it picks a new "node" from the NordVPN list?
Certainly in my neck of the woods (Sydney, Australia) there seems to be quite a few dead ones, or servers where the throughput is pretty low, even though the load is also seemingly low which makes it a good choice in theory ...
Do you have any plans to make the actual server selection more fail-safe and intelligent? (hint, hint)
It would be nice if after picking a new server VPNMGR checked it was a) alive and passing data and b) had a minimum throughput (user configurable) otherwise the script would have a go at picking a better one? Maybe it could tie in with spdMerlin somehow?
I seem to have had a few instances where either after a reboot or scheduled "refresh", the new NordVPN node picked seems to be "dead", even though showing as connected.
I then have to manually "kick" the connection via Option 5 in the SSH menu (and while I think of it is there any reason that command doesn't seem to be in the web GUI?)
Does your script do any kind of connectivity check / sanity check once it picks a new "node" from the NordVPN list?
Certainly in my neck of the woods (Sydney, Australia) there seems to be quite a few dead ones, or servers where the throughput is pretty low, even though the load is also seemingly low which makes it a good choice in theory ...
Do you have any plans to make the actual server selection more fail-safe and intelligent? (hint, hint)
It would be nice if after picking a new server VPNMGR checked it was a) alive and passing data and b) had a minimum throughput (user configurable) otherwise the script would have a go at picking a better one? Maybe it could tie in with spdMerlin somehow?
Last edited:
Jack Yaz
Part of the Furniture
vpnmgr uses the NordVPN API to use a server NordVPN suggest. If its returning dead servers then you should report that to them as it will affect more than just vpnmgr.@Jack Yaz I've just switched VPN providers to NordVPN so I've been having a look at this script in the past few days, after also replicating my present Merlin/AMTM setup from an RT-AC86U to a new RT-AX86U recently. Figured since I use just about all your other scripts it would be remiss of me not to add this one!
I seem to have had a few instances where either after a reboot or scheduled "refresh", the new NordVPN node picked seems to be "dead", even though showing as connected.
I then have to manually "kick" the connection via Option 5 in the SSH menu (and while I think of it is there any reason that command doesn't seem to be in the web GUI?)
Does your script do any kind of connectivity check / sanity check once it picks a new "node" from the NordVPN list?
Certainly in my neck of the woods (Sydney, Australia) there seems to be quite a few dead ones, or servers where the throughput is pretty low, even though the load is also seemingly low which makes it a good choice in theory ...
Do you have any plans to make the actual server selection more fail-safe and intelligent? (hint, hint)
It would be nice if after picking a new server VPNMGR checked it was a) alive and passing data and b) had a minimum throughput (user configurable) otherwise the script would have a go at picking a better one? Maybe it could tie in with spdMerlin somehow?
How are you testing the connectivity after a reboot? If the VPN client connects then it's unlikely a server fault, do you see any errors in syslog/openvpn log?
Hitting Save in the WebUI will trigger the same as option 5 iirc, but will reload all servers.
Stephen Harrington
Very Senior Member
Hmmm ... OK thanks @Jack Yaz for the thoughts - I'll look at this further and try and get some more data next time it crops up.
I haven't been looking in the OVPN logs, but I suspect it will look OK as you say.
My Synology NAS is the only client being routed out via the VPN, and so far around 3-4 times I get an email from it complaining it can't renew the its dynamic DNS, and also if i have any downloads (torrents) in progress they just stall. But mostly it is all just happy and picks up the new tunnel/dns, renews the dynamic DNS OK and continues. So now you've got me thinking not a router thing at all ... perhaps?
eleVator
Regular Contributor
Yes but whatever i tried to do, the updating part of your script just kept me offline, something was not working right with nordVPN, so i had to disable vpn client script for now.
As previous poster writes, i do not think the VPN nodes are dead, since restarting the VPN service with scmerlin brings back the connection.
Sanity checks would be awesome, bundled with speed tests and auto switching to better node.
Last edited:
Hello @Jack Yaz ,
Thanks for this addon ! I used it a lot when I was using NordVpn, but now that I switched to ProtonVpn, I'm sad I cannot use it anymore.
Do you think you can add ProtonVpn to your script ? I know they have an API here:
I was not able to find any documentation though.
Thanks for this addon ! I used it a lot when I was using NordVpn, but now that I switched to ProtonVpn, I'm sad I cannot use it anymore.
Do you think you can add ProtonVpn to your script ? I know they have an API here:
I was not able to find any documentation though.
JR Godwin
Regular Contributor
Whilst I can see the option to refresh the vpn connection / server in the CLI side of things, I'm trying to figure out how I would just simply refresh the server on the web side without changing any of the other configuration settings. Sometimes I get connected to a server and the upload speed is in the 1-3 mbps range, vs 80-150 mbps range most have.
Just click on the Save button without making any changes?
Just click on the Save button without making any changes?
Jack Yaz
Part of the Furniture
Yup, Save will refresh all servers iirc. I'll look at making a button or link to refresh individual servers in future
Wishmaster1965
Regular Contributor
I am using nord vpn, was working fine until recently. I select UK- London and apply and upon switching to the VPN Client tab I see connnecting but it does not connect.
I have VPN start at boot time on.
i rebuilt my router lastnight but still it does not connect.
Any Ideas ?
I have VPN start at boot time on.
i rebuilt my router lastnight but still it does not connect.
Any Ideas ?
Last edited:
Hi Jack,
I don’t use this script so I’m not exactly sure how it switches between VPN clients, but I do have one question:
would it be possible two run two VPN clients at once with the network Route bound to a particular WiFi SSID - or for that matter - a particular LAN port?
I know this is do-able, just a matter of how easy it is to setup.
Cheers…
I don’t use this script so I’m not exactly sure how it switches between VPN clients, but I do have one question:
would it be possible two run two VPN clients at once with the network Route bound to a particular WiFi SSID - or for that matter - a particular LAN port?
I know this is do-able, just a matter of how easy it is to setup.
Cheers…
Jack Yaz
Part of the Furniture
do you see any errors in system log from openvpn with the reason why its not connecting?
Wishmaster1965
Regular Contributor
Code:
May 21 16:30:39 RT-AC88U-EB98 vpnmgr: VPN client 5 updated successfully (UK2278 Standard UDP)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: OpenVPN 2.5.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 30 2021
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12244]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.08
May 21 16:30:41 RT-AC88U-EB98 custom_script: Running /jffs/scripts/service-event-end (args: restart vpnclient5)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: TCP/UDP: Preserving recently used remote address: [AF_INET]89.35.30.215:1194
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: Socket Buffers: R=[122880->245760] S=[122880->245760]
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: UDP link local: (not bound)
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: UDP link remote: [AF_INET]89.35.30.215:1194
May 21 16:30:41 RT-AC88U-EB98 ovpn-client5[12246]: TLS: Initial packet from [AF_INET]89.35.30.215:1194, sid=2427bdbd bca55f0b
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY KU OK
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: Validating certificate extended key usage
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY EKU OK
May 21 16:30:42 RT-AC88U-EB98 ovpn-client5[12246]: VERIFY OK: depth=0, CN=uk2278.nordvpn.com
May 21 16:30:44 RT-AC88U-EB98 ovpn-client5[12246]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
May 21 16:30:44 RT-AC88U-EB98 ovpn-client5[12246]: [uk2278.nordvpn.com] Peer Connection Initiated with [AF_INET]89.35.30.215:1194
May 21 16:30:45 RT-AC88U-EB98 ovpn-client5[12246]: SENT CONTROL [uk2278.nordvpn.com]: 'PUSH_REQUEST' (status=1)
May 21 16:30:46 RT-AC88U-EB98 ovpn-client5[12246]: AUTH: Received control message: AUTH_FAILED
May 21 16:30:46 RT-AC88U-EB98 ovpn-client5[12246]: SIGTERM received, sending exit notification to peer
May 21 16:30:49 RT-AC88U-EB98 ovpn-client5[12246]: SIGTERM[soft,exit-with-notification] received, process exitingI see Auth Failed but I can successfuly login to nordvpn with the same credentials
Wishmaster1965
Regular Contributor
I am due another rebuild of my router next week just in case this is transient
Jack Yaz
Part of the Furniture
Make sure you're using the correct vpn credentials and not those for the nord account
Wishmaster1965
Regular Contributor
Bueno
JR Godwin
Regular Contributor
Jack
It seems that when vpnmgr cycles the vpn connection, it doesn't maintain "all" the settings that are in on the client.
For one of my vpn's, I have the Inbound Firewall setting set to allow over on the VPN client tab, but I notice that it gets set back to "Block" typically after a cycling.
It's also not one of the options on the vpnmgr page, so dunno if it always being set to block was deliberate, oversight, or bug.
It seems that when vpnmgr cycles the vpn connection, it doesn't maintain "all" the settings that are in on the client.
For one of my vpn's, I have the Inbound Firewall setting set to allow over on the VPN client tab, but I notice that it gets set back to "Block" typically after a cycling.
It's also not one of the options on the vpnmgr page, so dunno if it always being set to block was deliberate, oversight, or bug.
Jack Yaz
Part of the Furniture
I'll have to double check but block would make sense as a default. Can you let me know why you need to allow inbound connections on your VPN client?
JR Godwin
Regular Contributor
Gaming. Xbox....having some issues connecting with certain game services at the moment and they seem to be corrected when going through vpn.....although I give up being in an open NAT situation to double NAT, can't argue with it because under normal circumstances I can't play at all, and can under the vpn one.
Similar threads
Similar threads
Similar threads
-
Updated Hue Utility - huetil Control and manage your Hue system from Asuswrt-Merlin or Raspbian- Started by JGrana
- Replies: 1
-
Solved Skynet running slow with install/update issues from AMTM?- Started by John Fitzgerald
- Replies: 10
-
Is it possible to update all addons through the GUI?- Started by thelonelycoder
- Replies: 2
-
Is it possible to update all addons through the GUI?
- Started by johndoe85
- Replies: 8
-
Solved Latest entware update borked up Unbound
- Started by Viktor Jaep
- Replies: 25
-
-
-
DDNS does not update dyndns.org when WAN IP changes
- Started by jbodnar
- Replies: 11
-
Unbound Unbound graphical statistics tab doesn't update all groups
- Started by Skywise
- Replies: 4
-