Anyone with an RT-AX88U having issues with ExpressVPN?

[jjtwhitby]

Unfortunately if you're wanting to stream US Netflix, HULU, and Amazon Prime you may receive a proxy warning when using policy rules with expressvpn. It has to do with how Expressvpn use shared IP addresses and their DNS to overcome the proxy blocking of these streaming services. When using policy rules the router will use other DNS servers other than Expressvpn's. I hope that makes sense.

Thanks for that info. Up to today I was successfully using Expressvpn with Policy Rules on my Merlin RT-AC86U. I tried to install the identical setup onto my new RT-AX88U with no success so far.
I just completed the complete rundown on the DNSFilter toggling, with no success. Perhaps if I do a complete restore and try again, it may help.

 

[BColston]

Hi,
I just bought the RT-AX88U and tried to get ExpressVPN working for a day and found it very east to fix. I imported the Openvpn file for the USA, input my username and password. Then i found that the Verify Server Certificate was not set. Click on NO save and boom! it connects fine. Tested a few of the USA OpenVPN file and had the same issue but fixed as i said before. I am not sure what they are talking about that you cant watch US Netflix etc as i am in the UK and works fine without DNSFilers. I Have Policy Rules turned on and route just my TV's. Make sure you put DNS as Exclusive and you are set to go. I even done ExpressVPN DNS Leak as its successful. I watch US Netflix, Amazon Prime without any problems.

Ps. I have Asuswrt-Merlin 384.14 installed

Hope that helps

Cheers

Brian

 

[jjtwhitby]

Hi Brian, thank you so very much. My ExpressVPN is now working.
John

 

[BColston]

That good news and happy i could help as was driving me mad too. I did turn on the "Block routed clients if tunnel goes down" but that's just me.
Cheers
Brian

 

[PC Pilot]

Hi Folks,

Would appreciate some guidance. I too have the RT-AX88U running Merlin 384.14 and have been running IP Vanish as my VPN Client setup successfully for over 12 months but with issues related to speed and streaming access which my research identified as being specific to certain providers. As Express VPN was favourably reported in these regards I elected to transfer providers upon expiry of my IP Vanish subscription which occurred a couple of days back.

I have carefully followed the enhanced instructions kindly laid out above by forum members but alas with no success in establishing a connection!

These are my settings in full:

VPN - VPN Client

OpenVPN Client Settings

Client control

Select client instance (1) 1: East London - Express VPN
Service state (1) [ON] Connecting ........
Automatic start at boot time (1)
Yes Selected
No Unselected
Description (1) East London - Express VPN
Import .ovpn file (1) [G:\Current Application Catalogue\Express VPN\my_expressvpn_uk_-_east_london_udp.ovpn]

Network Settings

Interface Type (1) TUN
Protocol (1) UDP
Server Address and Port (1) Address: uk-east-london-ca-version-2.expressnetw.com Port 1195
Accept DNS Configuration (1) Exclusive
Create NAT on tunnel (1)
Yes Selected
No Unselected
Inbound Firewall (1)
Block Selected
Allow Unselected

Authentication Settings

Authorization Mode TLS
Username/Password Authentication
Yes Selected
No Unselected
Username **As provided by Express VPN**
Password **As provided by Express VPN**
Username / Password Auth. Only
Yes Unselected
No Selected

Crypto Settings

Keys and Certificates Edit (Details as inserted by the above .ovpn file? - See below)

Keys and Certificates (Express VPN - Open VPN Certificate Texts):

Item Name: STATIC KEY BOX TEXT

-----BEGIN OpenVPN Static key V1-----
48d9999bd71095b10649c7cb471c1051
b1afdece597cea06909b99303a18c674
01597b12c04a787e98cdb619ee960d90
a0165529dc650f3a5c6fbe77c91c137d
cf55d863fcbe314df5f0b45dbe974d9b
de33ef5b4803c3985531c6c23ca6906d
6cd028efc8585d1b9e71003566bd7891
b9cc9212bcba510109922eed87f5c8e6
6d8e59cbd82575261f02777372b2cd4c
a5214c4a6513ff26dd568f574fd40d6c
d450fc788160ff68434ce2bf6afb00e7
10a3198538f14c4d45d84ab42637872e
778a6b35a124e700920879f1d003ba93
dccdb953cdf32bea03f365760b0ed800
2098d4ce20d045b45a83a8432cc73767
7aed27125592a7148d25c87fdbe0a3f6
-----END OpenVPN Static key V1-----

Item Name: CERTIFICATE AUTHORITY KEY BOX TEXT

-----BEGIN CERTIFICATE-----
MIIF+DCCA+CgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBhDELMAkGA1UEBhMCVkcx
DDAKBgNVBAgMA0JWSTETMBEGA1UECgwKRXhwcmVzc1ZQTjETMBEGA1UECwwKRXhw
cmVzc1ZQTjEWMBQGA1UEAwwNRXhwcmVzc1ZQTiBDQTElMCMGCSqGSIb3DQEJARYW
c3VwcG9ydEBleHByZXNzdnBuLmNvbTAeFw0xNTEwMjEwMDAwMDBaFw0yNjA0MDEy
MTEyMDBaMIGEMQswCQYDVQQGEwJWRzEMMAoGA1UECAwDQlZJMRMwEQYDVQQKDApF
eHByZXNzVlBOMRMwEQYDVQQLDApFeHByZXNzVlBOMRYwFAYDVQQDDA1FeHByZXNz
VlBOIENBMSUwIwYJKoZIhvcNAQkBFhZzdXBwb3J0QGV4cHJlc3N2cG4uY29tMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxzXvHZ25OsESKRMQFINHJNqE
9kVRLWJS50oVB2jxobudPhCsWvJSApvar8CB2RrqkVMhXu2HT3FBtDL91INg070q
AyjjRpzEbDPWqQ1+G0tk0sjiJt2mXPJK2IlNFnhe6rTs09Pkpcp8qRhfZay/dIlm
agohQAr4JvYL1Ajg9A3sLb8JkY03H6GhOF8EKYTqhrEppCcg4sQKQhNSytRoQAm8
Ta+tnTYIedwWpqjUXP9YXFOvljPaixfYug24eAkpTjeuWTcELSyfnuiBeK+z9+5O
YunhqFt2QZMq33kLFZGMN2gHRCzngxxphurypsPRo7jiFgQI1yLt8uZsEZ+otGEK
91jjKfOC+g9TBy2RUtxk1neWcQ6syXDuc3rBNrGA8iM0ZoEqQ1BC8xWr3NYlSjqN
+1mgpTAX3/Dxze4GzHd7AmYaYJV8xnKBVNphlMlg1giCAu5QXjMxPbfCgZiEFq/u
q0SOKQJeT3AI/uVPSvwCMWByjyMbDpKKAK8Hy3UT5m4bCNu8J7bxj+vdnq0A2HPw
tF0FwBl/TIM3zNsyFrZZ0j6jLRT50mFsgDBKcD4L/J5rjdCsKPu5rodhxe38rCx2
GknP1Zkov4yoVCcR48+CQwg3oBkq0/EflvWUvcYApzs9SomUM/g+8Q/V0WOfJmFW
uxN9YntZlnzHRSRjrvMCAwEAAaNzMHEwHQYDVR0OBBYEFIzmQGj8xS+0LLklwqHD
45VVOZRJMB8GA1UdIwQYMBaAFIzmQGj8xS+0LLklwqHD45VVOZRJMA8GA1UdEwEB
/wQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBFjANBgkqhkiG
9w0BAQ0FAAOCAgEAbHfuMKtojm1NgX7qSU2Rm2B5L8G0FuFP0L40dj8O5WHt45j2
z8coMK90vrUnQEZNQmRzot7v3XjVzVlxBWYSsCEApTsSDNi/4BNFP8H/BUUtJuy2
GFTO4wDVJnqNkZOHBmyVD75s1Y+W8a+zB4jkMeDEhOHZdwQ0l1fJDDgXal5f1UT5
F5WH6/RwHmWTwX4GxuCiIVtx70CjkXqhM8yZtTp1UtHLRNYcNSIes0vrAPHPgoA5
z9B8UvsOjuP+mfcjzi0LGGrY+2pJu0BKO2dRnarIZZABETIisI3FokoTszx5jpRP
yxyUTuRDKWHrvi0PPtOmC8nFahfugWFUi6uBsqCaSeuex+ahnTPCq0b1l0Ozpg0Y
eE8CW1TL9Y92b01up2c+PP6wZOIm3JyTH+L5smDFbh80V42dKyGNdPXMg5IcJhj3
YfAy4k8h/qbWY57KFcIzKx40bFsoI7PeydbGtT/dIoFLSZRLW5bleXNgG9mXZp27
0UeEC6CpATCS6uVl8LVT1I02uulHUpFaRmTEOrmMxsXGt6UAwYTY55K/B8uuID34
1xKbeC0kzhuN2gsL5UJaocBHyWK/AqwbeBttdhOCLwoaj7+nSViPxICObKrg3qav
GNCvtwy/fEegK9X/wlp2e2CFlIhFbadeXOBr9Fn8ypYPP17mTqe98OJYM04=
-----END CERTIFICATE-----

Item Name: CLIENT CERTIFICATE AUTHORITY KEY BOX TEXT

-----BEGIN CERTIFICATE-----
MIIDTjCCAregAwIBAgIDKzZvMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UEChMM
Rm9ydC1GdW5zdG9uMRgwFgYDVQQDEw9Gb3J0LUZ1bnN0b24gQ0ExITAfBgkqhkiG
9w0BCQEWEm1lQG15aG9zdC5teWRvbWFpbjAgFw0xNjExMDMwMzA2MThaGA8yMDY2
MTEwMzAzMDYxOFowgYoxCzAJBgNVBAYTAlZHMQwwCgYDVQQIDANCVkkxEzARBgNV
BAoMCkV4cHJlc3NWUE4xEzARBgNVBAsMCkV4cHJlc3NWUE4xHDAaBgNVBAMME2V4
cHJlc3N2cG5fY3VzdG9tZXIxJTAjBgkqhkiG9w0BCQEWFnN1cHBvcnRAZXhwcmVz
c3Zwbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrOYt/KOi2
uMDGev3pXg8j1SO4J/4EVWDF7vJcKr2jrZlqD/zuAFx2W1YWvwumPO6PKH4PU962
1aNdiumaUkv/RplCfznnnxqobhJuTE2oA+rS1bOq+9OhHwF9jgNXNVk+XX4d0toS
T5uGE6Z3OdmPBur8o5AlCf78PDSAwpFOw5HrgLqOEU4hTweC1/czX2VsvsHv22HR
I6JMZgP8gGQii/p9iukqfaJvGdPciL5p1QRBUQIi8P8pNvEp1pVIpxYj7/LOUqb2
DxFvgmp2v1IQ0Yu88SWsFk84+xAYHzfkLyS31Sqj5uLRBnJqx3fIlOihQ50GI72f
wPMwo+OippvVAgMBAAGjPzA9MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgSw
MB0GA1UdDgQWBBSkBM1TCX9kBgFsv2RmOzudMXa9njANBgkqhkiG9w0BAQsFAAOB
gQA+2e4b+33zFmA+1ZQ46kWkfiB+fEeDyMwMLeYYyDS2d8mZhNZKdOw7dy4Ifz9V
qzp4aKuQ6j61c6k1UaQQL0tskqWVzslSFvs9NZyUAJLLdGUc5TT2MiLwiXQwd4Uv
H6bGeePdhvB4+ZbW7VMD7TE8hZhjhAL4F6yAP1EQvg3LDA==
-----END CERTIFICATE-----

Item Name: CLIENT KEY BOX TEXT

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqzmLfyjotrjAxnr96V4PI9UjuCf+BFVgxe7yXCq9o62Zag/8
7gBcdltWFr8Lpjzujyh+D1PettWjXYrpmlJL/0aZQn85558aqG4SbkxNqAPq0tWz
qvvToR8BfY4DVzVZPl1+HdLaEk+bhhOmdznZjwbq/KOQJQn+/Dw0gMKRTsOR64C6
jhFOIU8Hgtf3M19lbL7B79th0SOiTGYD/IBkIov6fYrpKn2ibxnT3Ii+adUEQVEC
IvD/KTbxKdaVSKcWI+/yzlKm9g8Rb4Jqdr9SENGLvPElrBZPOPsQGB835C8kt9Uq
o+bi0QZyasd3yJTooUOdBiO9n8DzMKPjoqab1QIDAQABAoIBAHgsekC0SKi+AOcN
OZqJ3pxqophE0V7fQX2KWGXhxZnUZMFxGTc936deMYzjZ1y0lUa6x8cgOUcfqHol
3hDmw9oWBckLHGv5Wi9umdb6DOLoZO62+FQATSdfaJ9jheq2Ub2YxsRN0apaXzB6
KDKz0oM0+sZ4Udn9Kw6DfuIELRIWwEx4w0v3gKW7YLC4Jkc4AwLkPK03xEA/qImf
kCmaMPLhrgVQt+IFfP8bXzL7CCC04rNU/IS8pyjex+iUolnQZlbXntF7Bm4V2mz0
827ZVqrgAb/hEQRlsTW3rRkVh+rrdoUE7BCZRTFmRCbLoShjN6XuSf4sAus8ch4U
EN12gN0CgYEA4o/tSvij1iPaXLmt4KOEuxqmSGB8MLKhFde8lBbNdrDgxiIH9bH7
khKx15XRTX0qLDbs8b2/UJygZG0Aa1kIBqZTXTgeMAuxPRTesALJPdqQ/ROnbJcd
FkI7gllrAG8VB0fH4wTRsRd0vWEB6YlCdE107u6LEsLAHxOj9Q5819cCgYEAwXjx
9RkQ2qITBx5Ewib8YsltA0n3cmRomPicLlsnKV5DfvyCLpFIsZ1h3f9dUpfxRLwz
p8wcoLiq9cCoOGdu1udw/yBTqmhaXWhUK/g77f9Ze2ZB1OEhuyKLYJ1vW/h/Z/a1
aPCMxZqsDTPCePsuO8Cez5gqs8LjM3W7EyzRxDMCgYEAvhHrDFt975fSiLoJgo0M
PIAGAnBXn+8sLwv3m/FpW+rWF8LTFK/Fku12H5wDpNOdvswxijkauIE+GiJMGMLv
dcyx4WHECaC1h73reJRNykOEIZ0Md5BrCZJ1JEzp9Mo8RQhWTEFtvfkkqgApP4g0
pSeaMx0StaGG1kt+4IbP+68CgYBrZdQKlquAck/Vt7u7eyDHRcE5/ilaWtqlb/xi
zz7h++3D5C/v4b5UumTFcyg+3RGVclPKZcfOgDSGzzeSd/hTW46iUTOgeOUQzQVM
kzPRXdoyYgVRQtgSpY5xR3O1vjAbahwx8LZ0SvQPMBhYSDbV/Isr+fBacWjl/Aip
EEwxeQKBgQDdrAEnVlOFoCLw4sUjsPoxkLjhTAgI7CYk5NNxX67Rnj0tp+Y49+sG
Uhl5sCGfMKkLShiON5P2oxZa+B0aPtQjsdnsFPa1uaZkK4c++SS6AetzYRpVDLmL
p7/1CulE0z3O0sBekpwiuaqLJ9ZccC81g4+2j8j6c50rIAct3hxIxw==
-----END RSA PRIVATE KEY-----

Cipher Negotiation Enable (with fallback)
Negotiable ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
Legacy/fallback cipher AES-256-CBC
TLS control channel security (tls-auth / tls-crypt) Outgoing Auth (1)
Auth digest SHA512

Advanced Settings

Log verbosity (0-6, default=3) 6 (was set to 3 but revised to 6 for reasons of verbosity see log details provided below)
Compression Disabled
TLS Renegotiation Time (in seconds, -1 for default) -1
Connection Retry attempts (-1 for infinite) 15
Verify Server Certificate (NB. Neither Radio Button for Yes or Now has been selected by the .ovpn file not sure if this is correct??)
Yes Unselected
No Unselected
Force Internet traffic through tunnel Policy Rules (see rules below as setup previously with the IPVanish setup)
Block routed clients if tunnel goes down
Yes Unselected
No Selected

Rules for routing client traffic through the tunnel (Max Limit: 100)

Description (1) LAN IP
Source IP (1) 192.168.50.1/24
Destination IP (1) 0.0.0.0
Iface (1) VPN

Description (2) Plex WinTV X299
Source IP (2) 192.168.50.16
Destination IP (2) 0.0.0.0
Iface (2) WAN

Description (3) Plex WinTV X58
Source IP (3) 192.168.50.21
Destination IP (3) 0.0.0.0
Iface (3) WAN

Description (4) Plex X99
Source IP (4) 192.168.50.55
Destination IP (4) 0.0.0.0
Iface (4) WAN

Description (5) iCloud SMTP
Source IP (5) 0.0.0.0
Destination IP (5) 17.36.205.74
Iface (5) WAN

Description (6) Compuserve SMTP
Source IP (6) 0.0.0.0
Destination IP (6) 188.125.73.29
Iface (6) WAN

Description (7) Plusnet SMTP
Source IP (7) 0.0.0.0
Destination IP (7) 212.159.8.107
Iface (7) WAN

Description (8) Plusnet SMTP
Source IP (8) 0.0.0.0
Destination IP (8) 212.159.9.107
Iface (8) WAN

 

[PC Pilot]

…………..settings continued (apologies for the length, just wanted to be accurate in settings detail ) NB. I have attached the OpenVPN related contents extracted from the System Log as a separate text file


Custom Configuration

Custom Configuration box: TEXT INSERTED AS BELOW
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
sndbuf 524288
rcvbuf 524288
comp-lzo no
push "comp-lz

Thanks in advance, I am keen to identify the error(s) and effect a resolution

Best regards

PC Pilot

 

[SheikhSheikha]

add above the verify-x509 the following line:

auth-nochache

 

[RMerlin]

Don't copy-paste all of this in the custom settings section, import the ovpn file instead. Otherwise, some of these will conflict with what is set on the webui.

BTW, it's "auth-nocache".

 

[PC Pilot]

add above the verify-x509 the following line:

auth-nochache

SheikhSheikha thanks for the advice (together with the "quotes" as noted by RMerlin) when added to the custom configuration above the verify-x509 line it works !! Thanks for the steer...

Don't copy-paste all of this in the custom settings section, import the ovpn file instead. Otherwise, some of these will conflict with what is set on the webui.

BTW, it's "auth-nocache".

RMerlin thanks as always for your Sage advice ... I had tried with the file import alone but as others had discovered previously there appear to be ommissions/errors which cause failure.... I am open to your expertise and knowledge in this respect and wonder if (whilst it is now connected) this is causing conflict. I would be grateful if you could clarify (in reference to my settings shown above + the added "auth-nocache" line in the Custom Configuration box of course) where I should look to properly resolve any webui conflict? Obviously I want to get everything correct if at all possible.

Thank you both for the valuable .....and extremely rapid contributions. The snbforums are such a wonderful resource !!

A very happy

PC Pilot​

 

[SheikhSheikha]

SheikhSheikha thanks for the advice (together with the "quotes" as noted by RMerlin) when added to the custom configuration above the verify-x509 line it works !! Thanks for the steer...

RMerlin thanks as always for your Sage advice ... I had tried with the file import alone but as others had discovered previously there appear to be ommissions/errors which cause failure.... I am open to your expertise and knowledge in this respect and wonder if (whilst it is now connected) this is causing conflict. I would be grateful if you could clarify (in reference to my settings shown above + the added "auth-nocache" line in the Custom Configuration box of course) where I should look to properly resolve any webui conflict? Obviously I want to get everything correct if at all possible.

Thank you both for the valuable .....and extremely rapid contributions. The snbforums are such a wonderful resource !!

A very happy

PC Pilot​

Indeed, sorry, typo

 

[RMerlin]

When you import the ovpn file, anything that is not recognized by the router will be added to the custom section. The parts that are recognized will be applied to the webui settings - like the LZO compression settings for instance.

 

[PC Pilot]

When you import the ovpn file, anything that is not recognized by the router will be added to the custom section. The parts that are recognized will be applied to the webui settings - like the LZO compression settings for instance.

Hi RMerlin… That is interesting, after the .ovpn file was uploaded the entries in Custom Configuration setting did not contain the 'verify-x509-name Server name-prefix' line at all, and it did not connect. While troubleshooting I identified the missing line whilst cross referencing against the working configuration referred to in post #7, assuming that I must have omitted it even though I actually had no recollection of manually adding the custom entries! The missing line along with both comp-lzo no & push "comp-lzo no" compression related entries referred to in Skeptical.me's post detailing his working configuration were thus added (before my comprehensive post) and tested, establishing that a VPN connection could still not be achieved.

Whilst your concise explanation was appropriately informative I remain unclear as to whether any (or indeed which) of the listed entries contained in the custom configuration are superfluous and so should be removed to prevent conflict with the previously reported webui settings. For example given that the webui 'compression' setting is set to 'disabled' what effect/conflict do the comp-lzo no & push "comp-lzo no" entries add/cause? …….& so would you therefore advise that they be removed? ...or as it is working now should I just leave it alone?

Apologies for any ignorance shown but keen to learn and so get it right!

Thanks again

PC Pilot

 

[RMerlin]

Hi RMerlin… That is interesting, after the .ovpn file was uploaded the entries in Custom Configuration setting did not contain the 'verify-x509-name Server name-prefix' line at all

Because that setting is controlled by the "Verify Server Certificate Name" setting on the webui.

The missing line along with both comp-lzo no & push "comp-lzo no" compression

That push directive makes no sense to me, it should be used server-side, not client-side. Importing the ovpn should set Compression to "None", which is the same thing as "comp-lzo no". If something is wonky with their config, then try setting it to Disabled instead.

 

[PC Pilot]

Thanks RMerlin, I believe you have a point in respect of the ExpressVPN config being 'wonky'..... others have already commented to that effect both on this thread and elsewhere on these forums IIRC!! With regards to the "Verify Server Certificate Name" setting you may have noticed my remark on the detailed settings....

Verify Server Certificate (NB. Neither Radio Button for Yes or No has been selected by the .ovpn file not sure if this is correct??)

To be honest this rather perplexed me as I have always found these Yes/No radio buttons to "toggle" to one or the other and have never come across one with neither (or for that matter both) selection present..... I guess this is evidence of the 'wonky' config!

If I am understanding you correctly, I believe that you are advising that the "Verify Server Certificate" webui radio button should be set to "Yes" and the corresponding line (verify-x509-name Server name-prefix) be removed from the custom config entries. Similarly that the compression setting should optimally be set to 'None' from the present 'Disabled' and the corresponding entry (push "comp-lzo no" compression) also removed from the custom config entries ?

I notice that you have recently released V384.16, I would like to convey my personal thanks for the excellent Merlin firmware and your ongoing support through this forum, we are all truly indebted to you and for your amazing work! I will upgrade in the coming days so as to keep everything at its optimum.

On that subject (and marginally off-topic ) I have a (minor) recurring issue with the Lets Encrypt Certification (WAN>DDNS>Webui SSL Certificate & also Administration>System>Local Access Config) for easy secure access to the Webui from the desktop via shortcut (https://<DDNS>:8443/ or https://192.168.xxx.xxx:8443/). NB. Have setup a VPN Server for remote access security....

For some while this has failed to function properly and currently the certificate is due to expire on 14.04.20 reporting as "OK" and not correctly as "Active". Despite various attempts resolve (including a full reset from factory settings) these have thus far been unsuccessful . As I will be upgrading to the latest firmware what advice can you offer to successfully resolve the issue? Am I best to reset the RT- AX88U again to factory settings and re-configure afresh from the 'vanilla' base or will this make no difference from the regular upgrade process? What else can I do/should I be aware of?

Many thanks again

PC Pilot

 

[RMerlin]

If I am understanding you correctly, I believe that you are advising that the "Verify Server Certificate" webui radio button should be set to "Yes" and the corresponding line (verify-x509-name Server name-prefix) be removed from the custom config entries.

Newer versions of my firmware support more options than just enabling/disabling of that option. It is now possible to set it to name type and to specify the desired prefix. If your firmware does not offer that, then you will indeed need to have the x509 verification lines in the custom sections, and to leave the webui setting set to "No".

For some while this has failed to function properly and currently the certificate is due to expire on 14.04.20 reporting as "OK" and not correctly as "Active". Despite various attempts resolve (including a full reset from factory settings) these have thus far been unsuccessful .

A lot of people are having problems with LE. Personally I think people shouldn't bother with it. It only works when using the public hostname to access your router. And people doing so for remote access of their webui are greatly increasing the risks of their router getting compromised by a hacker - people should never enable WAN access to their webui unless they have a very, VERY good reason to do so. Use a VPN for remote access.

 

[PC Pilot]

Thank you again RMerlin for your swift response.... I will update from 384.14 to 384.16 by the regular method then and having done so re-apply the .ovpn config file to see if the newer firmware options are picked up directly (webui radio button set to 'Yes') for the time being with the older 384.14 firmware to leave the custom (verify-x509-name Server name-prefix) entry as is but to set the webui radio button to 'No'...…..

Similarly that the compression setting should optimally be set to 'None' from the present 'Disabled' and the corresponding entry (push "comp-lzo no" compression) also removed from the custom config entries ?

Have I understood you correctly here?

A lot of people are having problems with LE. Personally I think people shouldn't bother with it. It only works when using the public hostname to access your router. And people doing so for remote access of their webui are greatly increasing the risks of their router getting compromised by a hacker - people should never enable WAN access to their webui unless they have a very, VERY good reason to do so. Use a VPN for remote access.

Point well made! I had not realised that such issues were being widely experienced, so will abandon it as you suggest (as noted it was always only ever considered a 'minor' niggle). Fortunately, I had already received excellent advice from yourself (and others) to the merits of a VPN Server for secure remote access so as to negate enabling WAN access and the related security implications noted..

Best regards,

PC Pilot

 

[intr0]

"A lot of people are having problems with LE. Personally I think people shouldn't bother with it. It only works when using the public hostname to access your router. And people doing so for remote access of their webui are greatly increasing the risks of their router getting compromised by a hacker..."

I joined earlier today specifically to respond to IPv6 settings when using an OpenVPN Client, though I first saw this thread upon returning so I wanted to say indeed, issuing any certificates through any CA (at least all that are public and adhere to CT (certificate transparency) standards and log each and every cert they give out to a (very public) log tells anyone taking the time to mine those logs that person/organization(x) has a public facing domain at, say, example[dot]asusccom[dot]com. Now, knowing what that address is used for by way of the domain, it's simple to mine any cert issuer's logs for just `asusccom` or is it asuscomm? Idk, regardless... The point is that malicious hackers exist and LE's logs (the only CA used by stock ASUS routers) are a prime target to store a custom built list of attack vectors (people's networks) to exploit for far worse things than a simple just-to-see if they can type reason (for lack of a better phrase).

I'm happy that I was accepted by the site's admin as a member. I did my first install of Merlin's release for the AX58U. I'm looking forward getting to know it over the next few days. Now, on to finding the IPv6 settings with OpenVPN thread... Enjoy your days and nights everyone!​

 

[RMerlin]

Thank you again RMerlin for your swift response.... I will update from 384.14 to 384.16 by the regular method then and having done so re-apply the .ovpn config file to see if the newer firmware options are picked up directly (webui radio button set to 'Yes') for the time being with the older 384.14 firmware to leave the custom (verify-x509-name Server name-prefix) entry as is but to set the webui radio button to 'No'...…..

Right. Re-import the ovpn while using the latest version, and see how it goes.

 

[RMerlin]

issuing any certificates through any CA (at least all that are public and adhere to CT (certificate transparency) standards

Does CT also apply to DV certificates? I was expecting it to mostly apply to OV/EV certificats.

 

[intr0]

Does CT also apply to DV certificates? I was expecting it to mostly apply to OV/EV certificats.

It does apply to DV certs, including those issued by, e.g., CloudFlare, for free which use sni[dot]cloudflaressl[dot]com in addition to one wildcard dns and one non-wildcard dns relative to the domain it's issued for. Netlify If used as a free host uses LE's service and doesn't include itself in the cert, only using a wildcard and a non-wildcard. It's standard across the CA field now. Hardenize[dot]com uses CT monitoring for good by mining issues to phishing domains and maintaining a free public list and a more comprehensive list for members.