Need help setting up ProtonVPN in AsusWRT-merlin

orudie

Occasional Visitor
Hello Support,

I am trying to set up my ASUS router running WRT-Merlin firmware with ProtonVPN. In the VPN Client section I uploaded the .ovpn config which I downloaded from the router section of the downloads on the ProtonVPN website. I indicate my ProtonVPN user and password on the same page, but I am getting an authentication failed error message. Below is the log from the router. Please assist.


Mar 4 20:45:01 rc_service: httpd 839:notify_rc start_vpnclient1
Mar 4 20:45:02 ovpn-client1[12966]: OpenVPN 2.5.5 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 1 2022
Mar 4 20:45:02 ovpn-client1[12966]: library versions: OpenSSL 1.1.1m 14 Dec 2021, LZO 2.08
Mar 4 20:45:02 ovpn-client1[12969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 4 20:45:02 ovpn-client1[12969]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 4 20:45:02 ovpn-client1[12969]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mar 4 20:45:02 ovpn-client1[12969]: TCP/UDP: Preserving recently used remote address: [AF_INET]62.112.9.165:80
Mar 4 20:45:02 ovpn-client1[12969]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Mar 4 20:45:02 ovpn-client1[12969]: UDP link local: (not bound)
Mar 4 20:45:02 ovpn-client1[12969]: UDP link remote: [AF_INET]62.112.9.165:80
Mar 4 20:45:02 ovpn-client1[12969]: TLS: Initial packet from [AF_INET]62.112.9.165:80, sid=9a88716c 9c14baa6
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY KU OK
Mar 4 20:45:03 ovpn-client1[12969]: Validating certificate extended key usage
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (str) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.8.2.2, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (oid) 1.3.6.1.5.5.7.3.2, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY EKU OK
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY OK: depth=0, CN=nl-01.protonvpn.net
Mar 4 20:45:03 ovpn-client1[12969]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Mar 4 20:45:03 ovpn-client1[12969]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mar 4 20:45:03 ovpn-client1[12969]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Mar 4 20:45:03 ovpn-client1[12969]: [nl-01.protonvpn.net] Peer Connection Initiated with [AF_INET]62.112.9.165:80
Mar 4 20:45:04 ovpn-client1[12969]: SENT CONTROL [nl-01.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Mar 4 20:45:09 ovpn-client1[12969]: SENT CONTROL [nl-01.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Mar 4 20:45:09 ovpn-client1[12969]: AUTH: Received control message: AUTH_FAILED
Mar 4 20:45:09 ovpn-client1[12969]: SIGTERM[soft,auth-failure] received, process exiting
 

If your VPN provider uses certificates you must click "Username / Password Auth. Only" to NO
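An added example, not part of any post in this thread: a small shell function that reads an OpenVPN client log and reports how far the session got. Run against the tail of the log posted above, it shows that the certificate checks and TLS session succeeded and the server then rejected the login. The function and verdict names are made up for this example.

```shell
#!/bin/sh
# Added example: report how far an OpenVPN client session got before it ended.

# Sample input: the closing lines of the log posted in this thread.
sample_log() {
cat <<'EOF'
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY EKU OK
Mar 4 20:45:03 ovpn-client1[12969]: VERIFY OK: depth=0, CN=nl-01.protonvpn.net
Mar 4 20:45:03 ovpn-client1[12969]: [nl-01.protonvpn.net] Peer Connection Initiated with [AF_INET]62.112.9.165:80
Mar 4 20:45:04 ovpn-client1[12969]: SENT CONTROL [nl-01.protonvpn.net]: 'PUSH_REQUEST' (status=1)
Mar 4 20:45:09 ovpn-client1[12969]: AUTH: Received control message: AUTH_FAILED
Mar 4 20:45:09 ovpn-client1[12969]: SIGTERM[soft,auth-failure] received, process exiting
EOF
}

# Reads log lines on stdin and prints one verdict (names are hypothetical).
ovpn_stage() {
    awk '
    /VERIFY ERROR/                      { verr = 1 }      # peer certificate rejected
    /Peer Connection Initiated/         { tls = 1 }       # TLS control channel is up
    /AUTH_FAILED/                       { authfail = 1 }  # server refused the login
    /Initialization Sequence Completed/ { up = 1 }        # tunnel fully established
    END {
        if (up)                   print "connected"
        else if (authfail && tls) print "tls-ok-credentials-rejected"
        else if (authfail)        print "auth-failed"
        else if (verr)            print "certificate-verification-failed"
        else if (tls)             print "tls-ok-no-push-reply"
        else                      print "no-tls-session"
    }'
}

sample_log | ovpn_stage
```

On the router the same function can be fed the system log filtered to the ovpn-client lines.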
 
Guys, the router is connected to ProtonVPN; however, on the computer connected to the router, when I point the browser to whatismyip.com and speedtest.net it shows my real location IP and ISP instead of the ProtonVPN server's IP.
 

I have done everything, but at Public it keeps giving unknown; see here:

Connected (Local: 10.96.0.3 - Public: unknown)

Also in the log, I see this:

NOTE: setsockopt TCP_NODELAY=1 failed

What am I doing wrong?
 
It seems I found the issue. If you have 2 different VPN clients you need to close the one you use in order to use the other one (new one). This was the case with me.

No issues here. I have 5 concurrent ones running with various devices connected/routed via VPNDirector
 
Yes, but I'm talking about using a main connection to all devices. I thought that maybe you need to see all the IPs of them all to work, not just connected. If you divided them into different devices as you have done, then yes, they work, but do you see the IPs at Connected (Local: 10.96.0.3 - here --->Public? Or do you see one and the rest are Public: unknown?
 
Following best practices to not open a new topic while the same one already exists, I ask for the same help. I have an RT-AX68U with 3004.388.8_2 firmware.

I have config files from the VPN provider for both OpenVPN and WireGuard. When applied, those configs do not connect internet to my router. Instead I got locked out of the internet and there is no visual contact to the servers outside the ISP. Network tools such as 'ping', 'traceroute' and 'nslookup' show the network is accessible, but "Enable WireGuard" toggled YES indicates "Stopped" condition.


For reference I'll include WG settings here:


VPN - WireGuard Client


Basic Config

Enable WireGuard - toggle YES

Enable NAT - toggle YES

Inbound Firewall - toggle BLOCK

Killswitch - Block routed clients if tunnel goes down - toggle NO

Import config - [always remains empty though actual config loads all settings provided by VPN]


Interface

Private Key - KEY

MTU (Optional) - EMPTY

Address - 10.2.0.2/32

DNS Server (Optional) - 10.2.0.1


Peer

Server Public Key - PUBKEY

Preshared Key (Optional) - EMPTY

Allowed IPs - 0.0.0.0/0

Endpoint Address : port - 84.17.63.17:51820

Persistent Keepalive - 25


Client Status Log

interface: wgc5

public key: KEYVALUE

private key: (hidden)

listening port: 36982


peer: PUBKEYVALUE

endpoint: 84.17.63.17:51820

allowed ips: 0.0.0.0/0

transfer: 0 B received, 5.93 KiB sent

persistent keepalive: every 25 seconds



Be advised that due to secrecy I've replaced Endpoint Address and Port with other value from the same config for PC.
 
@user_20240830, have you configured VPN Director Rule to route one or more LAN clients to use the Proton VPN connection? See the following discussion which should be relevant and discusses creating VPN Director Rule(s).
 
transfer: 0 B received, 5.93 KiB sent
This line indicates that there is no proper connection with the other end.
If you have other vpn clients on the router make sure they are stopped.

Test your wg config file on a computer or your phone (while connected to your lan) before trying it out on the router. Most likely this config has been set as "out of service" by your vpn provider and you need to generate a new one.

When you find a working config, make sure you are stopping the client on your computer/phone before importing it on the router or it will conflict.
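An added example, not part of any post in this thread: a shell function that applies the check described in the reply above to `wg show` status text. `wg show` prints a "latest handshake" line only once a handshake has completed, so a peer without one has never reached the other end. The second peer in the sample, the function name and the 3-minute staleness cut-off are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify each peer in `wg show` text read from stdin.

# Sample input: the status block posted in this thread, followed by a
# constructed second peer (EXAMPLEPEER2, 192.0.2.10) for contrast.
sample_status() {
cat <<'EOF'
interface: wgc5
peer: PUBKEYVALUE
  endpoint: 84.17.63.17:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 5.93 KiB sent
  persistent keepalive: every 25 seconds

peer: EXAMPLEPEER2
  endpoint: 192.0.2.10:51820
  latest handshake: 42 seconds ago
  transfer: 1.21 MiB received, 310.44 KiB sent
EOF
}

# Prints "<peer> <endpoint> rx=<received> <verdict>" for every peer.
wg_peer_health() {
    awk '
    function report() {
        if (peer == "") return
        if (!hs)        v = "no-handshake"      # never got a reply from the peer
        else if (stale) v = "stale-handshake"   # had a session, none recently
        else            v = "ok"
        print peer, endpoint, "rx=" rx, v
    }
    { sub(/^[ \t]+/, "") }                      # strip the indentation wg adds
    /^peer:/     { report(); peer = $2; endpoint = "-"; hs = 0; stale = 0; rx = "0" }
    /^endpoint:/ { endpoint = $2 }
    /^transfer:/ { rx = $2 $3 }
    /^latest handshake:/ {
        hs = 1
        # Assumption: a handshake older than 3 minutes counts as stale.
        if ($0 ~ /day|hour/) stale = 1
        for (i = 3; i < NF; i++) if ($(i+1) ~ /^minute/ && $i + 0 >= 3) stale = 1
    }
    END { report() }'
}

sample_status | wg_peer_health
```

On a router with the `wg` tool available over SSH, `wg show | wg_peer_health` gives the same verdicts for the live interfaces.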
 
It's hard to tell which config suits the service best. The thing is, ProtonVPN is able to select the best protocol out of half a dozen present. What really confused me is the perfectly normal settings and operation of the same ProtonVPN on Android TV and Android mobile. But both desktop and router are out of reach.
 
According to their website: https://protonvpn.com/support/wireg...1GOzDrU7Z-5dYAQtrglV5TmB8pfRY65Ce1aNuUQoozZmh They are following the open WireGuard standards so it should work.

WireGuard (standard) is only a single protocol; perhaps their own app is using something proprietary, but you will need to get a config for the open standard as described in the link.

Also, when testing on the router, make sure all other apps you used for this config are stopped, as each config file only works on 1 unit at a time.

Edit: use this app to test on Android: https://play.google.com/store/apps/details?id=com.wireguard.android
 