Need help setting up ProtonVPN in AsusWRT-merlin

[orudie]

Hello Support,

I am trying to set up my ASUS router running WRT-Merlin firmware with ProtonVPN. In the VPN Client section I uploaded the .ovpn config which I downloaded from the router section downloads on protonvpn website. I indicate my protonvpn user and password on the same page, but getting authentication failed error message. Below is the log from the router. Please assist.


Mar 4 20:45:01 rc_service: httpd 839:notify_rc start_vpnclient1
Mar 4 20:45:02 ovpn-client1[12966]: OpenVPN 2.5.5 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 1 2022
Mar 4 20:45:02 ovpn-client1[12966]: library versions: OpenSSL 1.1.1m 14 Dec 2021, LZO 2.08
Mar 4 20:45:02 ovpn-client1[12969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 4 20:45:02 ovpn-client1[12969]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 4 20:45:02 ovpn-client1[12969]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 4 20:45:02 ovpn-client1[12969]: TCP/UDP: Preserving recently used remote address: [AF_INET]62.112.9.165:80
Mar 4 20:45:02 ovpn-client1[12969]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Mar 4 20:45:02 ovpn-client1[12969]: UDP link local: (not bound)
Mar 4 20:45:02 ovpn-client1[12969]: UDP link remote: [AF_INET]62.112.9.165:80
Mar 4 20:45:02 ovpn-client1[12969]: TLS: Initial packet from [AF_INET]62.112.9.165:80, sid=9a88716c 9c14baa6
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY KU OK
Mar 4 20:45:03 ovpn-client1[12969]: Validating certificate extended key usage
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY EKU OK
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY OK: depth=0, CN=nl-01.protonvpn.net
Mar 4 20:45:03 ovpn-client1[12969]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Mar 4 20:45:03 ovpn-client1[12969]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mar 4 20:45:03 ovpn-client1[12969]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Mar 4 20:45:03 ovpn-client1[12969]: [nl-01.protonvpn.net] Peer Connection Initiated with [AF_INET]62.112.9.165:80
Mar 4 20:45:04 ovpn-client1[12969]: SENT CONTROL [nl-01.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Mar 4 20:45:09 ovpn-client1[12969]: SENT CONTROL [nl-01.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Mar 4 20:45:09 ovpn-client1[12969]: AUTH: Received control message: AUTH_FAILED
Mar 4 20:45:09 ovpn-client1[12969]: SIGTERM[soft,auth-failure] received, process exiting

 

[dave14305]

Are you using the correct OpenVPN / IKEv2 username & password from the Account settings page?

https://account.protonvpn.com/account#openvpn

 

[octopus]

If your vpn provider use certificates you must click "Username / Password Auth. Only" to NO

 

[orudie]

Are you using the correct OpenVPN / IKEv2 username & password from the Account settings page?

https://account.protonvpn.com/account#openvpn

Thanks this helped. I was using my protonvpn account user/pass instead.

 

[orudie]

If your vpn provider use certificates you must click "Username / Password Auth. Only" to NO

Thanks, changed "Username / Password Auth. Only" to NO and was able to connect

 

[orudie]

Guys, the router is connected to ProtonVPN however, on the computer connected to the router when I point the browser to whatismyip.com and .speedtest.net it shows my real location IP and ISP instead of the ProtonVPN server's IP.

 

[orudie]

I figured it out. Had to change setting Redirect Internet traffic through tunnel: Yes ALL.

All set and works as it should. Thanks guys!

 

[Redskins16]

I have done everything but at Public, it keeps giving unknown see here:

Connected (Local: 10.96.0.3 - Public: unknown)

Also in the log, I see this:

NOTE: setsockopt TCP_NODELAY=1 failed

What I'm doing wrong?

 

[ColinTaylor]

What I'm doing wrong?

No idea without seeing the complete OpenVPN startup log.

 

[Redskins16]

No idea without seeing the complete OpenVPN startup log.

It seems I found the issue. If you have 2 different VPN clients you need to close the one you use in order to use the other one (new one). This was the case with me.

 

[Gary_Dexter]

It seems I found the issue. If you have 2 different VPN clients you need to close the one you use in order to use the other one (new one). This was the case with me.

No issues here. I have 5 concurrent ones running with various devices connected/routed via VPNDirector

 

[Redskins16]

No issues here. I have 5 concurrent ones running with various devices connected/routed via VPNDirector

Yes, but I'm talking about using a main connection to all devices. I thought that maybe you need to see all the IPs of them all to work. not just connected. If you divided them into different devices as you have done then yes they work, but do you see the IPs at Connected (Local: 10.96.0.3 - here --->Public? Or do you see one and the rest are Public: unknown?

 

[user_20240830]

Following best practices to not open new topics while same already exists I ask for same help. Have RT-AX68U with 3004.388.8_2 firmware.

Have config files from VPN provider both for OpenVPN and WireGuard. Being applied those configs do not connect internet to my router. Instead I got locket out of internet and there is no visual contact to the servers outside the ISP. Network tools such as 'ping', 'traceroute' and 'nslookup' show network is accessible but "Enable WireGuard" toggled YES indicates "Stopped" condition.


For reference I'll include WG settings here:


VPN - WireGuard Client


Basic Config

Enable WireGuard - toggle YES

Enable NAT - toggle YES

Inbound Firewall - toggle BLOCK

Killswitch - Block routed clients if tunnel goes down - toggle NO

Import config - [always remains empty though actual config loads all settings provided by VPN]


Interface

Private Key - KEY

MTU (Optional) - EMPTY

Address - 10.2.0.2/32

DNS Server (Optional) - 10.2.0.1


Peer

Server Public Key - PUBKEY

Preshared Key (Optional) - EMPTY

Allowed IPs - 0.0.0.0/0

Endpoint Address : port - 84.17.63.17:51820

Persistent Keepalive - 25


Client Status Log

interface: wgc5

public key: KEYVALUE

private key: (hidden)

listening port: 36982


peer: PUBKEYVALUE

endpoint: 84.17.63.17:51820

allowed ips: 0.0.0.0/0

transfer: 0 B received, 5.93 KiB sent

persistent keepalive: every 25 seconds



Be advised that due to secrecy I've replaced Endpoint Address and Port with other value from the same config for PC.

 

[bennor]

@user_20240830, have you configured VPN Director Rule to route one or more LAN clients to use the Proton VPN connection? See the following discussion which should be relevant and discusses creating VPN Director Rule(s).

Proton Wireguard Client Question

I have an Asus RT-AX86U running version 388.2.2. I currently use Wireguard server on the router so that I can connect to my home network remotely. That's been working perfectly for months. I recently started using Proton VPN at home for privacy, and I'd like to configure my network such that...

www.snbforums.com

 

[ZebMcKayhan]

transfer: 0 B received, 5.93 KiB sent

This line indicates that there are no proper connection with the other end.
If you have other vpn clients on the router make sure they are stopped.

Test your wg config file on a computer or your phone (while connected to your lan) before trying it out on the router. Most likely this config has been set as "out of service" by your vpn provider and you need to generate a new one.

When you find a working config, make sure you are stopping the client on your computer/phone before importing it on the router or it will conflict.

 

[user_20240830]

This line indicates that there are no proper connection with the other end.
If you have other vpn clients on the router make sure they are stopped.

Test your wg config file on a computer or your phone (while connected to your lan) before trying it out on the router. Most likely this config has been set as "out of service" by your vpn provider and you need to generate a new one.

When you find a working config, make sure you are salute out stopping the client on your computer/phone before importing it on the router or it will conflict.

It's hard to tell which config suites best the service. The thing is ProtonVPN is able to select best protocol out of half a dozen present. What really confused me is perfectly normal settings and operation of the same ProtonVPN at Android TV and Android mobile. But both desktop and router are out of reach.

 

[ZebMcKayhan]

It's hard to tell which config suites best the service. The thing is ProtonVPN is able to select best protocol out of half a dozen present. What really confused me is perfectly normal settings and operation of the same ProtonVPN at Android TV and Android mobile. But both desktop and router are out of reach.

According to their website: https://protonvpn.com/support/wireg...1GOzDrU7Z-5dYAQtrglV5TmB8pfRY65Ce1aNuUQoozZmh They ate following the open Wireguard standards so it should work.

Wireguard (standard) is only a single protocol, perhaps their own app is using something proprietary, but you will need to get a config for the open standard as described in the link.

Also, when testing on the router, make sure all other apps you used for this config are stopped as each config file only works on 1 unit at the time.

Edit: use this app to test on Android: https://play.google.com/store/apps/details?id=com.wireguard.android

 

[user_20240830]

According to their website: https://protonvpn.com/support/wireg...1GOzDrU7Z-5dYAQtrglV5TmB8pfRY65Ce1aNuUQoozZmh They ate following the open Wireguard standards so it should work.

Wireguard (standard) is only a single protocol, perhaps their own app is using something proprietary, but you will need to get a config for the open standard as described in the link.

Also, when testing on the router, make sure all other apps you used for this config are stopped as each config file only works on 1 unit at the time.

Edit: use this app to test on Android: https://play.google.com/store/apps/details?id=com.wireguard.android

Sorry for taking so long to reply - been AFK for all this time. If you mean that one should use various VPN servers for segregated units (Android TV, Android, Linux, router etc.) then yes - I do use segregated servers with different config files on them. Using WireGuard on my router doesn't go ON at all. Upon config completion and press "Apply" in web interface of router nothing happens. All I got as a response was "Connecting" followed by "Error - check configuration file". Configs are given by VPN provider. All I change is loginassword pair provided by them. Got totally stuck here.

 

[ZebMcKayhan]

If you mean that one should use various VPN servers for segregated units (Android TV, Android, Linux, router etc.) then yes - I do use segregated servers with different config files on them.

I just means that you could use some other device to test the actual config file you are trying to use on your router. this is to check so there is nothing wrong with the config file.

its not much really it takes for the tunnel to start and get handshake data, basically the endpoint : port needs to be reachable and correct and the keys needs to be correct, both of them. Then the rest is needed to actually be able to use the tunnel properly. but as far as I can see, you dont even get the handshake.

the config file you imported to the router gui, you can open it in a normal text editor to look at it. you should compare all fields with what the router imported in the GUI to make sure something have not happened or gone wrong. an illegal character somewhere could be all it takes for the tunnel to not work.

All I change is loginassword pair provided by them.

Wireguard does not have any login/password. it uses only pre-shared keys.

 

[user_20240830]

I just means that you could use some other device to test the actual config file you are trying to use on your router. this is to check so there is nothing wrong with the config file.

its not much really it takes for the tunnel to start and get handshake data, basically the endpoint : port needs to be reachable and correct and the keys needs to be correct, both of them. Then the rest is needed to actually be able to use the tunnel properly. but as far as I can see, you dont even get the handshake.

the config file you imported to the router gui, you can open it in a normal text editor to look at it. you should compare all fields with what the router imported in the GUI to make sure something have not happened or gone wrong. an illegal character somewhere could be all it takes for the tunnel to not work.


Wireguard does not have any login/password. it uses only pre-shared keys.

My wrong: I'd been describing both connection modes at once: OpenVPN and WireGuard at the same time! Nevertheless you've got the point here: the neverending "TLS handshake error" like in log from my router:

2024-07-23T04:35:27.045Z | WARN  | API:ERROR | Certificate potentialBlock=true cause=javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
     Caused by: CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
     Caused by: CertPathValidatorException: Trust anchor for certification path not found.
2024-07-23T04:35:27.046Z | INFO  | CONN.GUEST_HOLE | alternatives failed, keepGuestHole=false
2024-07-23T04:35:44.259Z | INFO  | APP | MemoryMonitor: pss: 62MB, private: 60MB, rss: 150MB (Stale)
2024-07-23T04:36:01.225Z | INFO  | API:REQUEST | POST https://vpn-api.proton.me/data/v1/stats/multiple (auth qihxp...)
2024-07-23T04:36:11.380Z | WARN  | API:ERROR | Timeout potentialBlock=true cause=java.net.SocketTimeoutException: Read timed out
2024-07-23T04:36:11.454Z | INFO  | API:REQUEST | GET https://vpn-api.proton.me/tests/ping (auth qihxp...)
2024-07-23T04:36:16.719Z | WARN  | API:ERROR | Timeout potentialBlock=true cause=java.net.SocketTimeoutException: Read timed out
2024-07-23T04:36:16.797Z | INFO  | API:REQUEST | POST https://54.93.35.126/data/v1/stats/multiple (auth qihxp...)

Which results in the following log:

2024-07-23T05:02:12.044Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Sending handshake initiation
2024-07-23T05:02:12.045Z | ERROR | PROTOCOL | TCP/TLS error send conn: use of closed network connection
2024-07-23T05:02:12.045Z | ERROR | PROTOCOL | peer(s2Eo…6gjo) - Failed to send handshake initiation: use of closed network connection
2024-07-23T05:02:12.046Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Routine: sequential sender - stopped
2024-07-23T05:02:12.046Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Routine: sequential receiver - stopped
2024-07-23T05:02:12.047Z | INFO  | PROTOCOL | Interface state was Up, requested Down, now Down
2024-07-23T05:02:12.048Z | INFO  | PROTOCOL | TCP/TLS: Close
2024-07-23T05:02:12.048Z | INFO  | PROTOCOL | TCP/TLS: Open 0
2024-07-23T05:02:12.048Z | INFO  | PROTOCOL | UDP bind has been updated
2024-07-23T05:02:12.049Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Starting
2024-07-23T05:02:12.052Z | INFO  | PROTOCOL | Routine: receive incoming makeReceiveFunc - started
2024-07-23T05:02:12.053Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Routine: sequential sender - started
2024-07-23T05:02:12.053Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Routine: sequential receiver - started
2024-07-23T05:02:12.048Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Sending keepalive packet
2024-07-23T05:02:12.054Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Sending handshake initiation
2024-07-23T05:02:12.141Z | INFO  | PROTOCOL | TCP dial result: <nil>
2024-07-23T05:02:12.142Z | INFO  | PROTOCOL | TLS: Starting handshake
2024-07-23T05:02:12.215Z | INFO  | API:REQUEST | POST https://vpn-api.proton.me/data/v1/stats/multiple (auth qihxp...)
2024-07-23T05:02:17.143Z | INFO  | PROTOCOL | TLS: Handshake result: read tcp 10.129.88.16:38216->212.92.104.225:5995: i/o timeout
2024-07-23T05:02:17.246Z | ERROR | PROTOCOL | TCP/TLS error recv getConn: read tcp 10.129.88.16:38216->212.92.104.225:5995: i/o timeout
2024-07-23T05:02:17.246Z | ERROR | PROTOCOL | peer(s2Eo…6gjo) - Failed to send handshake initiation: use of closed network connection
2024-07-23T05:02:17.247Z | INFO  | PROTOCOL | Failed to receive makeReceiveFunc packet: read tcp 10.129.88.16:38216->212.92.104.225:5995: i/o timeout
2024-07-23T05:02:17.247Z | INFO  | PROTOCOL | Interface state was Down, requested Up, now Up
2024-07-23T05:02:17.579Z | INFO  | PROTOCOL | Routine: receive incoming makeReceiveFunc - stopped
2024-07-23T05:02:18.167Z | INFO  | PROTOCOL | peer(s2Eo…6gjo) - Sending handshake initiation
2024-07-23T05:02:18.167Z | ERROR | PROTOCOL | peer(s2Eo…6gjo) - Failed to send handshake initiation: use of closed network connection
2024-07-23T05:02:18.855Z | WARN  | API:ERROR | Connection potentialBlock=true cause=java.net.UnknownHostException: Unable to resolve host "vpn-api.proton.me": No address associated with hostname
     Caused by: GaiException: android_getaddrinfo failed: EAI_NODATA (No address associated with hostname)
2024-07-23T05:02:19.751Z | INFO  | API | netzone: 176.59.166.0, mcc: RU
2024-07-23T05:02:19.803Z | INFO  | API:REQUEST | GET https://vpn-api.proton.me/vpn/v1/logicals?WithTranslations=ru&WithEntriesForProtocols=WireGuardUDP%2CWireGuardTCP%2COpenVPNUDP%2COpenVPNTCP%2CWireGuardTLS&WithPartnerLogicals=true&WithState=true (auth lhy7q...)
2024-07-23T05:02:19.813Z | WARN  | API:ERROR | Connection potentialBlock=true cause=java.net.UnknownHostException: Unable to resolve host "vpn-api.proton.me": No address associated with hostname

No even slightest idea how to walk it around? Because the Proton VPN support gives up on this one. Not the first year.
Could it be DNS assignment problem? I put it manually to 'WAN DNS Setting' in 'WAN - Internet Connection'. 1.ISP-DNS, 2.Google-DNS!