Can't get OpenVPN (using ExpressVPN) to run on RT-AC86U

[SomeGuy]

I've checked the forums, but can't seem to find anything on this, other than this earlier thread, which I didn't think was relevant (given that I'm running the most recent firmware), but maybe it is? https://www.snbforums.com/threads/r...stom-configuration-section.42934/#post-366615

Bottom line is that I can't figure out how to get OpenVPN running via ExpressVPN on 384.6.

It shows connected, with a private IP address but an "unknown" public one.

I flashed the stock Asus firmware and OpenVPN works fine, but I can't for the life of me get it working on Merlin.

I had an NT66U, and it worked flawlessly.

Was on chat with ExpressVPN past midnight last night, but they couldn't figure it out (and said that their service has problems with the 86U, which is why it's not on their list of supported routers).

Here's part of the log. Frankly, I don't know what I'm reading, but there are some warnings that sound an awful lot like the above linked post?

Thoughts/suggestions/ideas?? (Bearing in mind I'm a total noob/boob)

Aug 29 07:32:37 rc_service: httpd 744:notify_rc start_vpnclient1
Aug 29 07:32:37 ovpn-client1[27020]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Aug 29 07:32:37 ovpn-client1[27020]: OpenVPN 2.4.6 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 25 2018
Aug 29 07:32:37 ovpn-client1[27020]: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.08
Aug 29 07:32:37 ovpn-client1[27021]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Aug 29 07:32:37 ovpn-client1[27021]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 29 07:32:38 ovpn-client1[27021]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 29 07:32:38 ovpn-client1[27021]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug 29 07:32:38 ovpn-client1[27021]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.41.133.237:1195
Aug 29 07:32:38 ovpn-client1[27021]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Aug 29 07:32:38 ovpn-client1[27021]: UDP link local: (not bound)
Aug 29 07:32:38 ovpn-client1[27021]: UDP link remote: [AF_INET]45.41.133.237:1195
Aug 29 07:32:38 ovpn-client1[27021]: TLS: Initial packet from [AF_INET]45.41.133.237:1195, sid=8b8872c9 fc41c906
Aug 29 07:32:38 ovpn-client1[27021]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 29 07:32:38 ovpn-client1[27021]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Aug 29 07:32:38 ovpn-client1[27021]: VERIFY OK: nsCertType=SERVER
Aug 29 07:32:38 ovpn-client1[27021]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-466-3a, emailAddress=support@expressvpn.com
Aug 29 07:32:38 ovpn-client1[27021]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-466-3a, emailAddress=support@expressvpn.com
Aug 29 07:33:38 ovpn-client1[27021]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Aug 29 07:33:38 ovpn-client1[27021]: TLS Error: TLS handshake failed
Aug 29 07:33:38 ovpn-client1[27021]: SIGUSR1[soft,tls-error] received, process restarting
Aug 29 07:33:38 ovpn-client1[27021]: Restart pause, 5 second(s)

 

[JDB]

Looks like some basic IP connectivity issue https://openvpn.net/index.php/open-...-seconds-check-your-network-connectivity.html


Sent from my iPhone using Tapatalk

 

[SomeGuy]

Looks like some basic IP connectivity issue https://openvpn.net/index.php/open-...-seconds-check-your-network-connectivity.html


Sent from my iPhone using Tapatalk

Thanks. I'll check again tonight, but I had disabled the router firewall and it still wouldn't work (yet it worked with the stock Asus firmware with the firewall active).

The earlier post seemed to talk about an earlier firmware cutting off keysizes, and I notice one of the errors above is "-keysize is DEPRECATED", but no idea how to confirm that.

 

[JDB]

Could be simple UDP vs TCP? Try the one you haven’t yet


Sent from my iPhone using Tapatalk

 

[SomeGuy]

Disabled Router and computer firewalls. No difference.

Tried TCP. Fails and doesn't even appear to be working (at least UDP looks like it's connected, although no public IP address given):

Aug 29 16:59:01 rc_service: httpd 744:notify_rc start_vpnclient1
Aug 29 16:59:01 ovpn-client1[19489]: Options error: --fragment can only be used with --proto udp
Aug 29 16:59:01 ovpn-client1[19489]: Use --help for more information.
Aug 29 17:01:21 rc_service: httpd 744:notify_rc start_vpnclient1
Aug 29 17:01:21 ovpn-client1[19823]: Options error: --fragment can only be used with --proto udp
Aug 29 17:01:21 ovpn-client1[19823]: Use --help for more information.
Aug 29 17:01:44 kernel: klogd started: BusyBox v1.25.1 (2018-07-25 12:37:38 EDT)

ExpressVPN said to disable Cipher Negotiation. Sounded promising, as that's apparently unique to Merlin (https://www.vpnuniversity.com/routers/how-to-setup-openvpn-asuswrt-merlin), but still no dice.

 

[RMerlin]

Right there:

Aug 29 16:59:01 ovpn-client1[19489]: Options error: --fragment can only be used with --proto udp

Remove that fragment option, and double check if your provider requires UDP or TCP.

 

[SomeGuy]

Hi Merlin! Not trying to be a pest. I literally went through every option one by one trying to figure it out, but I'm totally stumped (as I have no clue what I'm doing).

I deleted the "fragment 1300" command. Apparently, provider requires UDP.

Now the log files looks as attached, with DNS set to "strict".

I've also attached a log for a different VPN server, as the provider told me to use specific DNS settings in the WAN.

PS: Not sure if it matters, but speedtest is saying "latency test error".

[edited to delete attachments]

 

[SomeGuy]

FYI, just heard back from ExpressVPN who said they can't guarantee their OpenVPN service will work with Asuswrt-Merlin, but they'd have their development team look into it.

I just tried it again and it works fine with the stock firmware, but when I load up Merlin again, it stops working.

 

[RMerlin]

Connection is correctly established without any error according to these logs. Don't forget to enable Policy mode to redirect your traffic.

 

[z3r0k3wl]

I have had no issues running ExpressVPN openvpn on my RT-AC86U. In fact I'm running two separate tunnels. The instructions for Asus Merlin are on the site but in case you can't find it here are the steps.

1. Go to your ExpressVPN account and select setup for Asus (Including Merlin)
2. Download the appropriate openvpn config file.
3. Upload it to whichever VPN Client instance you want use.
4. Copy your username and password from your ExpressVPN account to your VPN Client Authentication settings.
5. Set Accept DNS Configuration to Exclusive
6. Set Redirect Internet traffic to Policy Rules (Strict)
7. Add whatever clients you want routed through to VPN tunnel to the table.

Nothing further required.

 

[SomeGuy]

Thanks guys, that helps with the motivation...my wife is ready to kill me for not "leaving well enough alone"!

I've enabled Policy mode and have tried redirecting all traffic, the entire subnet, specific IP addresses (in case, somehow, it was a software firewall), etc., but nothing seems to work or make a difference. Although it's a good point that the Policy mode is one of the differences that might explain why the stock firmware works.

The only reason I don't think it's actually connecting, is because it says "unknown" for the public IP address when you look at the VPN status screen...I assume there should be something there? And the other weird thing is that even if I don't have the kill switch on, I still can't surf the internet without it failing to connect to any site (and with a message along the lines of "can't detect proxy settings" if I bring up the windows connection wizard).

Thanks for the confirmation/directions z3, but I swear I've done that. I had no issues with the N66U, but clearly, given your experience and Merlin's point re: the connection, it's something on my end.

The only thing I can think of is that it's a refurbished unit, and when I went through the initial settings, it asked me to update the firmware (stock), which I did. I then installed Merlin without a factory reset (which it said I didn't have to do as I wasn't on old enough stock firmware). I then reinstalled stock and then Merlin again (going back and forth a few times), all without a factory reset. So, maybe something got glitched as a result of what the last guy did and me not doing a factory reset (although I'm nearly certain it was factory reset before it arrived to me as it went through the entire "welcome" process)? I can't imagine it being a hardware error, though.

I'll factory reset tonight and start over, setting up the VPN as the first thing I do and report back. Again, the quick/helpful responses are much appreciated!

 

[SomeGuy]

Firstly, thanks again for all the pointers.

Secondly, to clarify, when I say "refurbished", I mean I bought an AC-86U "refurbished" from NewEgg (albeit for $20 more than the current price): https://www.newegg.ca/Product/Product.aspx?Item=N82E16833320351&cm_re=ac86u-_-33-320-351-_-Product. I'm not trying to convert a TM-AC1900 or anything like that.

Thirdly, I did a factory reset (initialize) and did nothing but setup an SSID and password, before following the steps above to setup the OpenVPN. There has been no change in behaviour. It still doesn't work. I tried using two different .ovpn files, and tried two different computers.

I still don't show a public IP address with the VPN, and I still can't access the internet even with no kill switch installed. The screen says DNS address could not be found and then goes to another screen with windows diagnostic saying can't auto detect proxy setting.

I notice on the VPN status screen, that it keeps resetting...

I also think I've setup the VPN right...I've checked it multiple times...

Question: Is it at all possible that it could be a hardware fault or otherwise attributable to buying a refurbished router? It makes me wonder that so many recently released routers. have been returned so quickly.

 

[SomeGuy]

Sorry for flooding the thread, but just wanted to report back that I picked up a new AC86U tonight, but no difference.

Last Q re: Routes.

Does this give any hints whether something is wrong?

Without VPN:

With VPN:

 

[octopus]

Change this and see if it works then.
Aug 30 17:39:26 ovpn-client1[3251]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead
"remote-cert-tls server"

 

[HowIFix]

@SomeGuy Look this:

• Get Public IP when use Compression "Disabled" or "None" in NordVPN and ExpressVPN

Your Screenshot: (See the Compression option)

Spoiler: Click

Other: (The correct way to use the Policy Rules and this is not the solution, click on the link above)

Spoiler: Click

 

[octopus]

I cant see any compress options in PUSH string. Wort a try.

Aug 30 17:37:26 ovpn-client1[2609]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.91.0.1,route 10.91.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.91.0.158 10.91.0.157'

 

[SomeGuy]

Sending out a teary digital hug to HowIFix!! And high fives to the rest!!!

The Fix (from the thread):

Proof of the Fix (on mine):

 

[SomeGuy]

And here's a PSA for anyone stumbling across this thread in the future (although, now that I know what to look for, I see it's all over the Internet).

I was having two issues: (1) I couldn't get a Public IP address using the VPN, and (2) I was having intermittent internet issues even with no kill switch setup (but which I was falsely attributing to the VPN issue).

You guys fixed (1) for me (as per above), and I now realize what has been happening with (2). The 2.4G band is intermittently dropping the connection. I ran a program to monitor it overnight. The 2.4 G band was only working for ~30% of the time.

May explain why a newly released router was already returned and "refurbished".

 

[HowIFix]

@SomeGuy Try this:

The generally accepted wireless settings based on feedback from this site are:

Wireless 2.4GHz General
Channel bandwidth: 20 MHz (Manually set)
Control Channel: 1 or 6 or 11 (Manually set)

Wireless 2.4 GHz Professional
Turbo QAM: Disable (Only helps with clients that support it and there are not very many)
Airtime Fairness: Disable (Causes connectivity issues for various devices, including wireless printers)
Multi-User MIMO: Disable (Not an option on all models)
Explicit Beamforming: Disable (Non-standard, might cause compatibility issues with some clients)
Universal Beamforming: Disable (Non-standard, might cause compatibility issues with some clients)


Wireless 5 GHz General
Channel bandwidth: 20/40/80 MHz
Control Channel: 36 or 40 or 44 (Manually set)

Wireless 5 GHz Professional
Airtime Fairness: Disable
Multi-User MIMO: Disable (FWIW I got better 5 GHz speeds with MU-MIMO disabled)
Universal Beamforming: Disable (Non-standard, might cause compatibility issues with some clients)

Maybe some USB3 creates interference 2.4G devices like this:

Finally figured it out, connecting anything USB3 to the Shield TV creates massive interference on all 2.4G devices BT and WiFi. Even with shielded extension cables and ferrite cores it was unusable.

After making some suggested changes as can be seen with the posted screenshot of the wireless professional tab, the wired and wireless workstations are able to ping the server without any "Destination host unreachable." messages. I had my doubts that interference was causing what I was experiencing, but at the moment, I am shocked. So it's possible it's a bluetooth and/or USB 3 device was causing this?!
I'll try the pings a few more times over the next day or so as this issue has been so inconsistent and i've been pulling my hair out trying to narrow it down. Thanks!

If I find out it's one of the user's bluetooth speakers that she uses to play music, I am going to smash it into tiny little bits! Hours wasted!!!

 

[SomeGuy]

HowIFix it...you are on fire!!

My Sonos was acting up yesterday, which was PIS&ING me off, as I partly upgraded to this router to deal with that issue, but I was going to leave that for another day.

Guess what? As soon as I turned off USB3 on the refurbished router, 100% "uptime" (I didn't run it for long...but as soon as I turned it back on, immediate drops) on the 2.4 band and no Sonos issues.

Same hardware version on the refurbished and my new router (1.5), but I've had 100% uptime so far on the 2.4 band on the new router, and no Sonos issues.

No idea what's wrong with the refurbished router, but something seems messed up.

So I'll return the refurbished one, and spend the rest of my Friday night listening to music and watching a little TV.

Thanks x 100!!!!

PS: I know off-topic, but looks like there might be problems with some of the 86Us. The non refurbished one shows 99.8% uptime over the last 9 hours, whereas the refurbished one was ~30%. Again, just in case anyone is having the same issue with the 2.4 band and interference caused by the USB3.