Devices connect to my openvpn server correctly but no traffic from server to client

alexrose12345

New Around Here
Hi,

I have an RT-AX88U running the latest version of Merlin (3004.338.4). My laptop, mobile phone and wife's mobile phone can no longer connect to my VPN. The server is up (I can connect to it via DDNS fine). Used to work flawlessly. Started having a problem where we could only ever connect 2 devices simultaneously. Now I can't even get 1 on. UDP 1194 is port forwarded and firewall whitelisted.

This happens over wifi at our apartment, at my in-laws' apartment, on my wife's mobile network and on my mobile network.

Here is my .ovpn config:

Code:
# Config generated by Asuswrt-Merlin 388.4, requires OpenVPN 2.4.0 or newer.

client
dev tun
proto udp
remote MYROUTER.com 1194
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
((certificates and keys redacted))

Here's the client log (website redacted):

Code:
[Sep 8, 2023, 19:26:53] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Feb  7 2023 16:08:10
[Sep 8, 2023, 19:26:53] Frame=512/2048/512 mssfix-ctrl=1250
[Sep 8, 2023, 19:26:53] UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
7 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
[Sep 8, 2023, 19:26:53] EVENT: RESOLVE
[Sep 8, 2023, 19:26:53] Contacting 80.2.0.28:1194 via UDP
[Sep 8, 2023, 19:26:53] EVENT: WAIT
[Sep 8, 2023, 19:26:53] WinCommandAgent: transmitting bypass route to 80.2.0.28
{
    "host" : "80.2.0.28",
    "ipv6" : false
}

[Sep 8, 2023, 19:26:53] Connecting to [MYROUTER.com]:1194 (80.2.0.28) via UDPv4
[Sep 8, 2023, 19:26:53] EVENT: CONNECTING
[Sep 8, 2023, 19:26:53] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Sep 8, 2023, 19:26:53] Creds: Username/Password
[Sep 8, 2023, 19:26:53] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_GUI_VER=OCWindows_3.3.7-2979
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

[Sep 8, 2023, 19:26:53] SSL Handshake: peer certificate: CN=RT-AX88U, 1024 bit RSA, cipher: TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD

[Sep 8, 2023, 19:26:53] Session is ACTIVE
[Sep 8, 2023, 19:26:53] EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
[Sep 8, 2023, 19:26:53] EVENT: GET_CONFIG
[Sep 8, 2023, 19:26:53] Sending PUSH_REQUEST to server...
[Sep 8, 2023, 19:26:53] OPTIONS:
0 [route] [192.168.50.0] [255.255.255.0] [vpn_gateway] [500]
1 [redirect-gateway] [def1]
2 [route-gateway] [10.8.0.1]
3 [topology] [subnet]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.8.0.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [AES-256-GCM]
9 [key-derivation] [tls-ekm]

[Sep 8, 2023, 19:26:53] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: TLS Keying Material Exporter [RFC5705]
  compress: NONE
  peer ID: 0
[Sep 8, 2023, 19:26:53] EVENT: ASSIGN_IP
[Sep 8, 2023, 19:26:53] CAPTURED OPTIONS:
Session Name: MYROUTER.com
Layer: OSI_LAYER_3
Remote Address: 80.2.0.28
Tunnel Addresses:
  10.8.0.2/24 -> 10.8.0.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: no
Add Routes:
  192.168.50.0/24 [METRIC=500]
Exclude Routes:
DNS Servers:
Search Domains:

[Sep 8, 2023, 19:26:54] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
    "allow_local_dns_resolvers" : false,
    "confirm_event" : "2c18000000000000",
    "destroy_event" : "a411000000000000",
    "tun" :
    {
        "adapter_domain_suffix" : "",
        "add_routes" :
        [
            {
                "address" : "192.168.50.0",
                "gateway" : "",
                "ipv6" : false,
                "metric" : 500,
                "net30" : false,
                "prefix_length" : 24
            }
        ],
        "block_ipv6" : false,
        "layer" : 3,
        "mtu" : 0,
        "remote_address" :
        {
            "address" : "80.2.0.28",
            "ipv6" : false
        },
        "reroute_gw" :
        {
            "flags" : 275,
            "ipv4" : true,
            "ipv6" : false
        },
        "route_metric_default" : -1,
        "session_name" : "MYROUTER.com",
        "tunnel_address_index_ipv4" : 0,
        "tunnel_address_index_ipv6" : -1,
        "tunnel_addresses" :
        [
            {
                "address" : "10.8.0.2",
                "gateway" : "10.8.0.1",
                "ipv6" : false,
                "metric" : -1,
                "net30" : false,
                "prefix_length" : 24
            }
        ]
    },
    "wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{931AEBDE-0773-4809-BAE3-034377726FAE}' index=18 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{931AEBDE-0773-4809-BAE3-034377726FAE}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=18
netsh interface ip set interface 18 metric=1
Ok.
netsh interface ip set address 18 static 10.8.0.2 255.255.255.0 gateway=10.8.0.1 store=active
IPHelper: add route 192.168.50.0/24 18 10.8.0.1 metric=500
netsh interface ip add route 80.2.0.28/32 27 192.168.1.1 store=active
The object already exists.
netsh interface ip add route 0.0.0.0/1 18 10.8.0.1 store=active
Ok.
netsh interface ip add route 128.0.0.0/1 18 10.8.0.1 store=active
Ok.
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: e417000000000000
[Sep 8, 2023, 19:26:54] Connected via TUN_WIN
[Sep 8, 2023, 19:26:54] EVENT: CONNECTED zephyr@MYROUTER.com:1194 (80.2.0.28) via /UDPv4 on TUN_WIN/10.8.0.2/ gw=[10.8.0.1/]

As you can see, it connects. Here's how it looks (bytes go out, none come in):

openvpngraph.png


Router logs:
Code:
Sep  9 00:26:16 ovpn-server1[2168]: client/[my laptop's ip]:62290 [client] Inactivity timeout (--ping-restart), restarting
Sep  9 00:26:16 ovpn-server1[2168]: client/[my laptop's ip]:62290 SIGUSR1[soft,ping-restart] received, client-instance restarting
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U, emailAddress=me@asusrouter.lan
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_VER=3.git::d3f8b18b
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_PLAT=win
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_NCP=2
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_TCPNL=1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_PROTO=30
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_GUI_VER=OCWindows_3.3.7-2979
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_SSO=webauth,openurl,crtext
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_BS64DL=1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 TLS: Username/Password authentication succeeded for username 'zephyr'
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 [client] Peer Connection Initiated with [AF_INET][my laptop's ip]:52083 (via [AF_INET]80.2.0.28%eth0)
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 MULTI: Learn: 10.8.0.2 -> client/[my laptop's ip]:52083
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 MULTI: primary virtual IP for client/[my laptop's ip]:52083: 10.8.0.2
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.50.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 PUSH: Received control message: 'PUSH_REQUEST'
Sep  9 00:26:56 ovpn-server1[2168]: client/[my laptop's ip]:52083 Data Channel: cipher 'AES-256-GCM', peer-id: 0
Sep  9 00:26:56 ovpn-server1[2168]: client/[my laptop's ip]:52083 Timers: ping 15, ping-restart 120
Sep  9 00:26:56 ovpn-server1[2168]: client/[my laptop's ip]:52083 Protocol options: protocol-flags tls-ekm

Router config:
configuration.png


It appears here and claims to be working, but in reality there are no bytes in:
connected.png


Android is on version 3.3.4 (9290)
Windows is on 3.3.7 (2979)
iOS is on 3.3.4 (5176)

Any ideas? At my wit's end.
 
The server sets compression to "disable". The client log says "none". That's not the same. Edit the client.ovpn to delete the compression line and try again.

While you are at it, you might regenerate your certificates and re-export the client. 2.6 has deprecated/renamed/changed some things.
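The comparison the reply above describes, as an added example that is not from the thread or from Asuswrt-Merlin: a Python script that parses the server's SENT CONTROL PUSH_REPLY line and the client's PROTOCOL OPTIONS block, reports the data-channel settings (cipher, compress) the two sides disagree on, and flags the certificate weaknesses the server log already prints (the 1024-bit RSA key and RSA-SHA1 signature behind the suggestion to regenerate certificates). The log excerpts are constructed from the lines quoted in this thread, with a placeholder peer address.

```python
import re
# Constructed excerpts modelled on the lines quoted in the thread; the peer
# address 203.0.113.5 is a placeholder, not a real client.
SERVER_LOG = """\
Sep  9 00:26:55 ovpn-server1[2168]: client/203.0.113.5:52083 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.50.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)
Sep  9 00:26:55 ovpn-server1[2168]: client/203.0.113.5:52083 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA1
"""
CLIENT_LOG = """\
PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  compress: NONE
  peer ID: 0
"""

def parse_push_reply(log):
    """Options the server pushed in PUSH_REPLY, keyed by directive name."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", log)
    opts = {}
    for item in (m.group(1).split(",") if m else []):
        name, _, value = item.strip().partition(" ")
        opts.setdefault(name, []).append(value)
    return opts

def parse_client_protocol(log):
    """Data-channel parameters from the client's PROTOCOL OPTIONS block."""
    block = log.split("PROTOCOL OPTIONS:", 1)[-1]
    pairs = (l.strip().split(":", 1) for l in block.splitlines()
             if l.startswith("  ") and ":" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def data_channel_mismatches(pushed, client):
    """Settings both sides report but disagree on (the 'connected, no traffic' case)."""
    issues = []
    for key in ("cipher", "compress"):
        server_val = pushed.get(key, [None])[0]
        client_val = client.get(key)
        if server_val and client_val and server_val.upper() != client_val.upper():
            issues.append(f"{key}: server pushed {server_val}, client uses {client_val}")
    return issues

def weak_control_channel(log):
    """Certificate weaknesses the server log itself reports."""
    m = re.search(r"peer certificate: (\d+) bit RSA, signature: (\S+)", log)
    findings = []
    if m and int(m.group(1)) < 2048:
        findings.append(f"{m.group(1)}-bit RSA peer certificate (below 2048)")
    if m and "SHA1" in m.group(2).upper():
        findings.append(f"certificate signature {m.group(2)} uses SHA1")
    return findings
```

Point the two constants at a real server syslog and the client's exported log; an empty mismatch list alongside "bytes out, none in" points away from negotiation and towards routing or filtering on the path.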
 
Having investigated for hours on IRC, tried TLS and so on and so forth, and talked to RMerlin about it on IRC, I figured that my friend in a different country was able to connect with the same certificate, and the traceroute fails on the first hop, so it isn't an MTU issue and is probably a DPI firewall blocking me.
 