VPNMON VPNMON-R3 v1.5.0 -Aug 3, 2025- Monitor OpenVPN/Wireguard WAN/Dual-WAN Health & Random Reset Multiple Connections (Available in AMTM!)

Viktor Jaep

Part of the Furniture
VPNMON-R3 v1.5.0
Updated August 3, 2025

Executive Summary: VPNMON-R3 (vpnmon-r3.sh) is an all-in-one script that is optimized to maintain multiple OpenVPN and Wireguard connections and is able to provide for the capabilities to randomly reconnect using a specified server list containing the servers of your choice. Special care has been taken to ensure that only the connections you want to have monitored are tended to. This script will check the health of up to 5 VPN and 5 Wireguard connections on a regular interval to see if monitored connections are stable, and sends a ping to a host of your choice through each active connection. If it finds that a connection has been lost, it will execute a series of commands that will kill that single client, and randomly picks one of your specified servers to reconnect to for each client. It also monitors your WAN/Dual-WAN connection and drops back until your WAN connection comes back up to reconnect your VPN/WG tunnels.

VPNMON-R3 is free to use under the GNU General Public License version 3 (GPL 3.0).

This project is hosted on GitHub

Changelog [here] / Jump to [Latest Release Notes] / What's new: Wireguard Integration + More, spdMerlin Integration + API failure protection, Bug fixes & Enhancements, AMTM Email Notifications, Skynet Whitelisting, Reset > Ping Value, WAN/Dual-WAN Monitoring, Pause on -RESET, Added Connected Time, Added PING stats, Added Unbound-over-VPN, Added Server List Automation, Initial Beta Release!

Examples & Tutorials
-- further help on how to create custom CURL+JQ statements for your VPN Client Slot Server Lists available here, and likewise for your WG Client Server Lists available here

Screenshot:
1754234033045.png

Assumptions

  • Functional VPN Environment -- You must already have a working VPN/WG client environment. This means, your VPN/WG client(s) must already be in working order using your current provider. When you slide that VPN/WG client switch to the "ON" position in your Merlin Firmware UI, your client must be able to make a successful connection. Make sure each client works (up to 5) if you want these to be monitored by VPNMON-R3.
  • VPN Director has been configured -- You must have allocated which devices you want to talk to which VPN/WG connections using the VPN Director function within the Merlin Firmware.
  • VPN/WG Server IP List Creation -- In order to generate server lists for your individual clients, you must be able to gather the IP addresses of the VPN servers from your VPN provider that you want each VPN client to make a connection with. These IP addresses need to be entered in (or copied into) each of the (up to) 5 server lists using the VPNMON-R3 "Update/Maintain VPN/WG Server Lists" functionality. Please note: there is automation built into VPNMON-R3 that helps you maintain these lists on a nightly basis.
  • Standard Configuration Basics -- As with practically running any custom script on your router, you must at least have an external USB drive installed, formatted with a swap file and with Entware enabled using AMTM. Last, you must also have enabled JFFS scripting through your Merlin Firmware UI.

Use-case

  • You may be running multiple VPN/WG connections dedicated to specific devices on your network (TV/Streaming, family devices, IoT devices, testing, etc.).
  • You may be using multiple providers, say NordVPN on one connection, and AirVPN on another, or a mix of OVPN and WG.
  • You may want control over which selection of VPN servers these VPN clients can reconnect to.
  • You want a monitoring tool to ensure each of your monitored connections remain healthy, and will initiate a reconnection if any ping or curl test fails across the tunnel, giving you peace of mind that your VPN/WG environment will achieve maximum uptime.

How is this script supposed to run?

It is highly recommended to run this script from a SCREEN utility window running directly on the router itself, reachable through its own SSH window... but could very well just run from a PC that's connected directly to the Asus router, as it loops and checks the connection every 60 seconds. Instructions:
  1. Download and install directly using your favorite SSH tools, copy & paste this command (or install directly from AMTM!):
    Code:
    curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/VPNMON-R3/main/vpnmon-r3.sh" -o "/jffs/scripts/vpnmon-r3.sh" && chmod 755 "/jffs/scripts/vpnmon-r3.sh"

  2. To initially configure this script, open up a dedicated SSH window, and simply execute the script:
    Code:
    sh /jffs/scripts/vpnmon-r3.sh -setup


  3. Once you've successfully configured the various options, you can run the script using this command:
    Code:
    sh /jffs/scripts/vpnmon-r3.sh


  4. To make life easier, you can now also just launch or reconnect to VPNMON-R3 with the -screen switch to allow it to run in the background without needing a dedicated SSH window connection. Type:
    Code:
    vpnmon-r3 -screen
 
Instructions & Directions

Operations Menu

From the main UI, you can press (S)how Operations Menu, as shown below. This gives you quick access to: Resetting/Stopping individual VPN/WG Client Slots, enable/disable monitored VPN/WG slots, maintain your server lists assigned to each VPN/WG Client Slot, run server list automations, open the Setup/Config menu, view event logs, enable/disable auto start settings on router reboot, set a scheduler to reset your VPN connections, adjusting your timer loop preference and configuring the max # of milliseconds a VPN ping can get to before it forces a reset.

1754234756926.png


Setup/Configuration Menu
The Main Setup and Configuration Menu allows you to enter the Custom Configuration Options Menu, force re-install Entware Dependencies, checking and installing updates to the script, and an uninstall option.

1754234794394.png


Configuration Options
The number of options are short & sweet. Here you can specify how many VPN/WG Client Slots you have available (some routers only have 2 due to NVRAM size limitations), which custom host you want to use to PING against, how large you want your event log to grow to, whether or not you want to enable the Unbound-over-VPN integration, and whether or not you want your custom server list queries to refresh when your connection gets reset using the -reset switch. Also the ability to monitor your WAN connection for failures, adding your VPN Server IP lists to the Skynet whitelist, and enabling email notifications based on success or failure. One of the newest additions for those running it, is giving a helping hand to spdMerlin when tunnels get reset.

1754234863728.png


VPN Client Monitoring
Pressing the (M) key from the main UI, you will have the option to choose which individual VPN/WG Client Slots you want VPNMON-R3 to monitor. Once enabled, each item will show a green "Y", and VPNMON-R3 will probe these connections to test and ensure they can PING and CURL to determine their health. Should one of these commands fail, VPNMON-R3 will reset its connection.

1754234986264.png
 
VPN Server List Maintenance
Each VPN/WG Client Slot has an associated VPN Server List. Each list is used as a preferred list of VPN/WG servers that each Client Slot can make connections to. To edit a certain list, press the (#) for the associated Server List. IMPORTANT NOTE: If you don't specify a server list, VPNMON-R3 will just try to reconnect to the currently configured Server Hostname/IP of your Client Slot.

1754235249236.png


Wireguard Server lists go beyond a single list of IP addresses, and contain 5 comma-delimited fields: Connection Name, Endpoint IP, Endpoint Port, Private Key and Public Key.

1754235291204.png


When you press a (#) to edit a Server List, the NANO text editor will present you with the contents of the list. Here, you can enter your preferred list of IPv4 VPN Server IP addresses (or valid hostnames) in a single column as shown below for OVPN. Please don't include any other text or info. Once you're done editing, press CTRL-O + ENTER to save the file. Then press CTRL-X to exit.

1701103835360.png


Wireguard works much in the same fashion:

1754235695345.png


VPN/WG Client Slot Server List Automation
This functionality allows you to enter a CURL statement that queries your particular Provider for a specific list of VPN Server IP addresses... for the country or city of your choice. It then automatically dumps those results into your Client Slot Server List files, and is a good way to refresh these to your liking. These lists will automatically refresh on reset when you have enabled this option under the config menu. Recently added is now also the ability to import your list contents into Skynet for whitelisting purposes.

1754235769063.png


I have created a thread of sample CURL statements that you can run with and modify if you are interested in automating this function a bit more... It shows examples from the various VPN Providers that are supported in VPNMON-R3, like dumping all of NordVPN's Atlanta servers into a single column, for example:

Code:
curl --silent --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors "https://api.nordvpn.com/v1/servers?limit=16354" | jq --raw-output '.[] | select(.locations[0].country.city.name == "Atlanta") | .station'


But you can basically get as CrAzY or as creative as you want, as long as it generates a single column of IP addresses/hostnames. I have created a post with more guidance and examples here:



When it comes to Wireguard, wanted to send huge thanks to @iTyPsIDg for taking on the Wireguard Custom Server List Generation and Automation page:

 
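Added example, not part of the original post or of VPNMON-R3's own code: a POSIX sh/awk check that a server list produced by a CURL+JQ automation contains only what the post describes (one IPv4 address or hostname per line for OVPN, five comma-delimited fields for Wireguard) before it is used for reconnects or imported into a whitelist. The function names, the IPv4-only endpoint rule and the 44-character base64 key check are assumptions; the sample addresses and keys are constructed.

```shell
# Added example, not VPNMON-R3 code. Usage: validate_list ovpn|wg < LIST
# Prints "line N: reason" per rejected line; returns 1 if any line is rejected.
validate_list() {
  case "$1" in ovpn|wg) ;; *) echo "usage: validate_list ovpn|wg" >&2; return 2 ;; esac
  awk -v mode="$1" '
    function is_ipv4(s,    p, n, i) {
      n = split(s, p, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
      return 1
    }
    function is_hostname(s,    p, n, i) {
      if (length(s) > 253 || s ~ /^[0-9.]+$/) return 0  # numeric-only must be valid IPv4
      n = split(s, p, ".")
      for (i = 1; i <= n; i++) {
        if (length(p[i]) < 1 || length(p[i]) > 63) return 0
        if (p[i] !~ /^[A-Za-z0-9-]+$/ || p[i] ~ /^-|-$/) return 0
      }
      return 1
    }
    function is_wg_key(s) {  # 32 bytes as base64: 43 characters plus one "="
      return length(s) == 44 && s ~ "^[A-Za-z0-9+/]+=$"
    }
    function is_port(s) { return s ~ /^[0-9]+$/ && length(s) <= 5 && s + 0 >= 1 && s + 0 <= 65535 }
    function bad(why) { printf "line %d: %s\n", NR, why; errors++ }
    { sub(/\r$/, "") }          # tolerate CRLF from pasted lists
    /^$/ { next }
    mode == "ovpn" {
      if (!is_ipv4($0) && !is_hostname($0)) bad("not an IPv4 address or hostname")
      next
    }
    {                           # mode wg: name,endpoint IP,port,private key,public key
      n = split($0, f, ",")
      if (n != 5) { bad("expected 5 fields, got " n); next }
      if (f[1] == "") bad("empty connection name")
      if (!is_ipv4(f[2])) bad("endpoint is not an IPv4 address")
      if (!is_port(f[3])) bad("port out of range")
      if (!is_wg_key(f[4]) || !is_wg_key(f[5])) bad("key is not 44-character base64")
    }
    END { exit (errors > 0) }
  '
}
# Constructed sample data: documentation addresses and an all-"A" placeholder key.
KEY="$(printf '%043d' 0 | tr 0 A)="
demo_ovpn() { printf '%s\n' 192.0.2.10 vpn1.example.com 198.51.100.300 '192.0.2.11 # Atlanta' | validate_list ovpn; }
demo_wg() { printf '%s\n' "ATL-1,192.0.2.20,51820,$KEY,$KEY" "ATL-2,192.0.2.21,70000,$KEY,short" | validate_list wg; }
demo_ovpn || true; demo_wg || true
```

Because each Wireguard list line carries a private key, keep those list files readable only by the router's admin account.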
<RESERVED>
 
Welcome to another new VPNMON-R3 sub... yep, we again hit the 25 page / 500 post limit... Hopefully someday these limits will be relaxed a bit... it's such a PITA.

OK... CONTINUING WITH THE CONVERSATIONS! :)
 
Proof is in the pudding... @ZebMcKayhan

(1) There are NO OVPN connections currently enabled
(2) Unbound over WG DNS resolver is reporting the same as the public IP!

1754794916596.png
 
Proof is in the pudding... @ZebMcKayhan

(1) There are NO OVPN connections currently enabled
(2) Unbound over WG DNS resolver is reporting the same as the public IP!

I did manage to test this yesterday as well. And when wg is stopped unbound falls back to wan. A prohibit rule could be added if some would rather have it broken.

More rules with lower priority could be used if we want fallback to other wg clients.

And on the subject of priority. Perhaps this rule should not be so high as 11 but should probably be higher than vpndirector so if the user adds a broad vpndirector rule unbound will not be affected. On 388 fw vpn director wgc1 is only prio 10000 but this may have changed in the 102 fw.
 
