VPN "Error - check configuration!" Firmware:386.10 (RT-AC86U)

[gdallas]

I guess it'll be something I have done wrong, but could someone please help me diagnose why my VPN is no longer working since upgrading to 386.10?

I use IPvanish, specifically their Charlotte 6 server in my merlin for a number of years now without issue. But since upgrading to 386.10 it has been unable to connect and I get the "Error - check configuration" message. I have tried an Austrian server, but same issue persists.

I have made sure the CA is populated with the correct key from IP vanish (see attached) and my credential are 100% correct. But still no joy!

Any help would be much appreciated.

Mar 27 18:58:45 rc_service: httpd 1185:notify_rc start_vpnclient1
Mar 27 18:58:45 ovpn-client1[5020]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Mar 27 18:58:45 ovpn-client1[5020]: Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:33: keysize (2.6.0)
Mar 27 18:58:45 ovpn-client1[5020]: Use --help for more information.
Mar 27 18:58:45 openvpn: Starting OpenVPN client 1 failed!
Mar 27 18:58:45 openvpn-routing: Clearing routing table for VPN client 1

Thanks
G

 

[alecmascot]

The "keysize" needs to be removed for the latest OVPN version.
You can see it in the log.

 

[gdallas]

The "keysize" needs to be removed for the latest OVPN version.
You can see it in the log.

Thank you, alecmascot. I am now connected again!

 

[sdikgetsi]

Thank you, alecmascot. I am now connected again!

I am not tech savvy. I have the same issue on my RT AC 5300 Asus router. What is keysize?

 

[octopus]

I am not tech savvy. I have the same issue on my RT AC 5300 Asus router. What is keysize?

Its in you vpn config file. Remove it.

 

[sdikgetsi]

Thank you. Will do when I get to that Asus router and ExpressVPN.

 

[gdallas]

sdikgetsi, as an example, the below is an IPvanish OVPN config file for a Dubai server. Open your preferred file in notepad, then delete the line that says "keysize 256". Save, then upload that to your Asus Merlin.

client
dev tun
proto udp
remote dxb-c01.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
verify-x509-name dxb-c01.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
<ca>
-----BEGIN CERTIFICATE-----
MIIErzCCA5egAwIBAgIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBDQUAMIGVMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYD
VQQKEwhJUFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJ
UFZhbmlzaCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20w
IBcNMjIwNTA5MjAyMDQ1WhgPMjA4MjA0MjQyMDIwNDVaMIGVMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYDVQQKEwhJ
UFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJUFZhbmlz
aCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC30MFY2v8go65jdOYM/nHu9hlHQMbE
ttdTxPIDMFuNS0UUxuHGUeJdVCtkeaDOKH3jHsGBczu1amYwphVv6A1qox1YTrzR
Cbec7CaHL926VcOQQcDAPTmL+JPHhlpR21Xa+woHFGDW90LgASLAPtupXgc6LXfF
wb3vVpDnkyPUp4J0DRo2+lq3UtbHaONbGx8jyzYu/kWSiLUc7X69OedoSwlmsGAC
Qteki2o/b0uKTf84Ei+QEjGUquGJU+LETmo2IP55I+KuyZE6+zIiiegm25jgPDkr
qlw2UrJiLCjUg4VhTdjF9/AUmT5tJbhZUGGx1/l0bGr+44ea7PmB3DELAgMBAAGj
gf0wgfowDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUS/0UJYkd58Fwg9f2nxEcJU4Z
7q4wgcoGA1UdIwSBwjCBv4AUS/0UJYkd58Fwg9f2nxEcJU4Z7q6hgZukgZgwgZUx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJGTDEUMBIGA1UEBxMLV2ludGVyIFBhcmsx
ETAPBgNVBAoTCElQVmFuaXNoMRUwEwYDVQQLEwxJUFZhbmlzaCBWUE4xFDASBgNV
BAMTC0lQVmFuaXNoIENBMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGlwdmFuaXNo
LmNvbYIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBDQUAA4IBAQCc9JV7IR8BfBrF/BQT
Xg0SZMZyyMAxR2jfW9qMHKSeJuZVVjfHiqoynEgBCNbn71wZWv3OF/Thu9BJ4GiY
J2Bc9nIa90D1NGYgiOVYLGXfUUqy5FgfrsWh0Go5oYm9l7W9pWfIifwsaZynkY0r
TIHn32FF0H3+wZrGrEUzVL6qi+KD8iR3cBbLT+xUzulMTBp4JYaQnxpV4fZNS0Zs
NrWKFWz4Iz1SSBcsnvUhfWs1aKx4yOJQx33Pc+KwpUI+meTlMjoh+AoTriooKU2M
bOqLQl32y3pR0MP3fX4HDVFRylxdckEc+VryGNHQLUJiIBKBCORih/YiRhtEhpoB
xmkw
-----END CERTIFICATE-----
</ca>

 

[popo nyundo]

Thank you, alecmascot. I am now connected again!

KINDLY help me or is thre sa tutorial gide on how to remove the key

sdikgetsi, as an example, the below is an IPvanish OVPN config file for a Dubai server. Open your preferred file in notepad, then delete the line that says "keysize 256". Save, then upload that to your Asus Merlin.

client
dev tun
proto udp
remote dxb-c01.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
verify-x509-name dxb-c01.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
<ca>
-----BEGIN CERTIFICATE-----
MIIErzCCA5egAwIBAgIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBDQUAMIGVMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYD
VQQKEwhJUFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJ
UFZhbmlzaCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20w
IBcNMjIwNTA5MjAyMDQ1WhgPMjA4MjA0MjQyMDIwNDVaMIGVMQswCQYDVQQGEwJV
UzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYDVQQKEwhJ
UFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJUFZhbmlz
aCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC30MFY2v8go65jdOYM/nHu9hlHQMbE
ttdTxPIDMFuNS0UUxuHGUeJdVCtkeaDOKH3jHsGBczu1amYwphVv6A1qox1YTrzR
Cbec7CaHL926VcOQQcDAPTmL+JPHhlpR21Xa+woHFGDW90LgASLAPtupXgc6LXfF
wb3vVpDnkyPUp4J0DRo2+lq3UtbHaONbGx8jyzYu/kWSiLUc7X69OedoSwlmsGAC
Qteki2o/b0uKTf84Ei+QEjGUquGJU+LETmo2IP55I+KuyZE6+zIiiegm25jgPDkr
qlw2UrJiLCjUg4VhTdjF9/AUmT5tJbhZUGGx1/l0bGr+44ea7PmB3DELAgMBAAGj
gf0wgfowDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUS/0UJYkd58Fwg9f2nxEcJU4Z
7q4wgcoGA1UdIwSBwjCBv4AUS/0UJYkd58Fwg9f2nxEcJU4Z7q6hgZukgZgwgZUx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJGTDEUMBIGA1UEBxMLV2ludGVyIFBhcmsx
ETAPBgNVBAoTCElQVmFuaXNoMRUwEwYDVQQLEwxJUFZhbmlzaCBWUE4xFDASBgNV
BAMTC0lQVmFuaXNoIENBMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGlwdmFuaXNo
LmNvbYIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBDQUAA4IBAQCc9JV7IR8BfBrF/BQT
Xg0SZMZyyMAxR2jfW9qMHKSeJuZVVjfHiqoynEgBCNbn71wZWv3OF/Thu9BJ4GiY
J2Bc9nIa90D1NGYgiOVYLGXfUUqy5FgfrsWh0Go5oYm9l7W9pWfIifwsaZynkY0r
TIHn32FF0H3+wZrGrEUzVL6qi+KD8iR3cBbLT+xUzulMTBp4JYaQnxpV4fZNS0Zs
NrWKFWz4Iz1SSBcsnvUhfWs1aKx4yOJQx33Pc+KwpUI+meTlMjoh+AoTriooKU2M
bOqLQl32y3pR0MP3fX4HDVFRylxdckEc+VryGNHQLUJiIBKBCORih/YiRhtEhpoB
xmkw
-----END CERTIFICATE-----
</ca>

Your a life saver thank you soo much

 

[fongw2]

This worked perfectly. Was having the same issue after upgrading to 386.10 on my GT-AC2900. I fell back to 386.9 as part of my troubleshooting and it worked so something definitely changed with OVPN in 386.10 where this parameter is no longer required.

Glad I found this after I tried the upgrade again and got the same error though I still don't see where in the log that 'keysize' needs to be removed as mine only shows this error and I could not find the 'allow-compression yes' parameter anywhere:

Apr 3 20:38:16 ovpn-client1[8460]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Apr 3 20:38:16 ovpn-client1[8460]: OpenVPN 2.6.0 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Apr 3 20:38:16 ovpn-client1[8460]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.08

On a side note, I guess contacting IPVanish to tell them this parameter is no longer required in the new version of OVPN would make no sense since someone might require it to run an older versions of OVPN?

 

[Viktor Jaep]

On a side note, I guess contacting IPVanish to tell them this parameter is no longer required in the new version of OVPN would make no sense since someone might require it to run an older versions of OVPN?

These VPN providers are so slow to move on their documentation... even NordVPN is way behind on getting theirs updated. That's why it's important to scan through forums like this to learn the best practices.

 

[Cleanev]

Even ExpressVPN stopped working - removing keysize 256 from configuration does not work on 388.2 however if I move back to 388.1 and it works - questions I am getting from these so called SE’s makes me wonder what level of expertise they have in supporting their clients.

 

[RMerlin]

Even ExpressVPN stopped working - removing keysize 256 from configuration does not work on 388.2 however if I move back to 388.1 and it works - questions I am getting from these so called SE’s makes me wonder what level of expertise they have in supporting their clients.

Again, look at your system log. It will tell you why it's failing to connect.

 

[Cleanev]

Thanks @RMerlin - I have gone thru making all the changes after reading 388.2 and as per ExpressVPN’s own guidance to either remove or comment keysize 256 entry. With aforementioned entry I get Configuration error when trying to start VPN whereas post removal or commenting it loads but never get an IP from VPN provider.

ovpn-client1[6778]: Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:43: keysize (2.6.2)
ovpn-client1[6778]: Use --help for more information.
openvpn: Starting OpenVPN client 1 failed!
openvpn-routing: Clearing routing table for VPN client 1

Edit— added logs

 

[RMerlin]

The log says you still have the keysize entry.

 

[Quoc Huynh]

Thanks @RMerlin - I have gone thru making all the changes after reading 388.2 and as per ExpressVPN’s own guidance to either remove or comment keysize 256 entry. With aforementioned entry I get Configuration error when trying to start VPN whereas post removal or commenting it loads but never get an IP from VPN provider.

ovpn-client1[6778]: Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:43: keysize (2.6.2)
ovpn-client1[6778]: Use --help for more information.
openvpn: Starting OpenVPN client 1 failed!
openvpn-routing: Clearing routing table for VPN client 1

Edit— added logs

I was confused like you @RMerlin. However, after re-reading @Cleanev post, I think he meant that he had removed the "--keysize", the VPN connected, but could not retrieved an IP from the VPN provider.

By the way, @Cleanev could you please post screenshots and/or text of your VPN Client page, especially the Custom configuration section, and the syslog related to your VPN issue? (remember to hide any username/password, etc. before posting)

 

[Cleanev]

Thanks for your assistance @RMerlin & @Quoc Huynh. Below is possibly all the information that you asked for. Let me know if there is anything else that you may need.

I redid complete configuration by importing latest config file from EVPN - once client state is turned on the only thing that shows up is - Connected (Local: 10.159.0.38 - Internet not redirected) - this is shown in attached PDF of VPN client page.

Custom configuration from EVPN configuration is as below where I have commented ‘keysize 256’. Unless I do this client will not even load showing configuration error

fast-io
remote-random
pull
tls-client
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
cipher AES-256-CBC
#keysize 256
sndbuf 524288
rcvbuf 524288

Starting for the first time after full configuration here’s the log from system log:
Apr 23 10:21:16 openvpn: Resetting VPN client 1 to default settings
Apr 23 10:22:46 rc_service: httpd 1592:notify_rc start_vpnclient1
Apr 23 10:22:46 custom_script: Running /jffs/scripts/service-event (args: start vpnclient1)
Apr 23 10:22:46 ovpn-client1[14173]: OpenVPN 2.6.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Apr 23 10:22:46 ovpn-client1[14173]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.08
Apr 23 10:22:46 ovpn-client1[14174]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Apr 23 10:22:46 ovpn-client1[14174]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 23 10:22:46 ovpn-client1[14174]: TCP/UDP: Preserving recently used remote address: [AF_INET]191.101.174.248:1195
Apr 23 10:22:46 ovpn-client1[14174]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Apr 23 10:22:46 ovpn-client1[14174]: UDPv4 link local: (not bound)
Apr 23 10:22:46 ovpn-client1[14174]: UDPv4 link remote: [AF_INET]191.101.174.248:1195
Apr 23 10:22:46 ovpn-client1[14174]: TLS: Initial packet from [AF_INET]191.101.174.248:1195, sid=afe5c82b e05b3a4c
Apr 23 10:22:46 ovpn-client1[14174]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY OK: nsCertType=SERVER
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-8904-0a, emailAddress=support@expressvpn.com
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-8904-0a, emailAddress=support@expressvpn.com
Apr 23 10:22:46 ovpn-client1[14174]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Apr 23 10:22:46 ovpn-client1[14174]: [Server-8904-0a] Peer Connection Initiated with [AF_INET]191.101.174.248:1195
Apr 23 10:22:46 ovpn-client1[14174]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Apr 23 10:22:46 ovpn-client1[14174]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Apr 23 10:22:47 ovpn-client1[14174]: SENT CONTROL [Server-8904-0a]: 'PUSH_REQUEST' (status=1)
Apr 23 10:22:47 ovpn-client1[14174]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.159.0.1,comp-lzo no,route 10.159.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.159.0.38 10.159.0.37,peer-id 20,cipher AES-256-GCM'
Apr 23 10:22:47 ovpn-client1[14174]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 23 10:22:47 ovpn-client1[14174]: OPTIONS IMPORT: route options modified
Apr 23 10:22:47 ovpn-client1[14174]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 23 10:22:47 ovpn-client1[14174]: TUN/TAP device tun11 opened
Apr 23 10:22:47 ovpn-client1[14174]: TUN/TAP TX queue length set to 1000
Apr 23 10:22:47 ovpn-client1[14174]: /usr/sbin/ip link set dev tun11 up mtu 1500
Apr 23 10:22:47 ovpn-client1[14174]: /usr/sbin/ip link set dev tun11 up
Apr 23 10:22:47 ovpn-client1[14174]: /usr/sbin/ip addr add dev tun11 local 10.159.0.38 peer 10.159.0.37
Apr 23 10:22:47 ovpn-client1[14174]: ovpn-up 1 client tun11 1500 0 10.159.0.38 10.159.0.37 init
Apr 23 10:22:47 openvpn-routing: Add pushed route: /usr/sbin/ip route add 10.159.0.1/255.255.255.255 via 10.159.0.37 dev tun11 table ovpnc1
Apr 23 10:22:47 openvpn-routing: Routing all traffic through ovpnc1
Apr 23 10:22:47 ovpn-client1[14174]: Data Channel: cipher 'AES-256-GCM', peer-id: 20, compression: 'stub'
Apr 23 10:22:47 ovpn-client1[14174]: Timers: ping 10, ping-restart 60

 

[RMerlin]

What do you have configured under "Redirect Internet traffic"?

 

[Cleanev]

Have it as shown in 2 snapshots for VPN Client tab and VPN Director tab. I am thinking of rebuilding starting from scratch at some point
.

 

[joe scian]

anyone had issues connecting OVPN using UDP. I had issues connecting my cameras remotely using UDP protocol when upgraded to 388.2 on AX-86U. Used to work perfectly - I had to change to TCP protocol and then everything works ok again.

 

[Quoc Huynh]

Thanks for your assistance @RMerlin & @Quoc Huynh. Below is possibly all the information that you asked for. Let me know if there is anything else that you may need.

I redid complete configuration by importing latest config file from EVPN - once client state is turned on the only thing that shows up is - Connected (Local: 10.159.0.38 - Internet not redirected) - this is shown in attached PDF of VPN client page.

Custom configuration from EVPN configuration is as below where I have commented ‘keysize 256’. Unless I do this client will not even load showing configuration error

fast-io
remote-random
pull
tls-client
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
cipher AES-256-CBC
#keysize 256
sndbuf 524288
rcvbuf 524288

Starting for the first time after full configuration here’s the log from system log:
Apr 23 10:21:16 openvpn: Resetting VPN client 1 to default settings
Apr 23 10:22:46 rc_service: httpd 1592:notify_rc start_vpnclient1
Apr 23 10:22:46 custom_script: Running /jffs/scripts/service-event (args: start vpnclient1)
Apr 23 10:22:46 ovpn-client1[14173]: OpenVPN 2.6.2 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Apr 23 10:22:46 ovpn-client1[14173]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.08
Apr 23 10:22:46 ovpn-client1[14174]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Apr 23 10:22:46 ovpn-client1[14174]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 23 10:22:46 ovpn-client1[14174]: TCP/UDP: Preserving recently used remote address: [AF_INET]191.101.174.248:1195
Apr 23 10:22:46 ovpn-client1[14174]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Apr 23 10:22:46 ovpn-client1[14174]: UDPv4 link local: (not bound)
Apr 23 10:22:46 ovpn-client1[14174]: UDPv4 link remote: [AF_INET]191.101.174.248:1195
Apr 23 10:22:46 ovpn-client1[14174]: TLS: Initial packet from [AF_INET]191.101.174.248:1195, sid=afe5c82b e05b3a4c
Apr 23 10:22:46 ovpn-client1[14174]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY OK: nsCertType=SERVER
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-8904-0a, emailAddress=support@expressvpn.com
Apr 23 10:22:46 ovpn-client1[14174]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-8904-0a, emailAddress=support@expressvpn.com
Apr 23 10:22:46 ovpn-client1[14174]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Apr 23 10:22:46 ovpn-client1[14174]: [Server-8904-0a] Peer Connection Initiated with [AF_INET]191.101.174.248:1195
Apr 23 10:22:46 ovpn-client1[14174]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Apr 23 10:22:46 ovpn-client1[14174]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Apr 23 10:22:47 ovpn-client1[14174]: SENT CONTROL [Server-8904-0a]: 'PUSH_REQUEST' (status=1)
Apr 23 10:22:47 ovpn-client1[14174]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.159.0.1,comp-lzo no,route 10.159.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.159.0.38 10.159.0.37,peer-id 20,cipher AES-256-GCM'
Apr 23 10:22:47 ovpn-client1[14174]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 23 10:22:47 ovpn-client1[14174]: OPTIONS IMPORT: route options modified
Apr 23 10:22:47 ovpn-client1[14174]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 23 10:22:47 ovpn-client1[14174]: TUN/TAP device tun11 opened
Apr 23 10:22:47 ovpn-client1[14174]: TUN/TAP TX queue length set to 1000
Apr 23 10:22:47 ovpn-client1[14174]: /usr/sbin/ip link set dev tun11 up mtu 1500
Apr 23 10:22:47 ovpn-client1[14174]: /usr/sbin/ip link set dev tun11 up
Apr 23 10:22:47 ovpn-client1[14174]: /usr/sbin/ip addr add dev tun11 local 10.159.0.38 peer 10.159.0.37
Apr 23 10:22:47 ovpn-client1[14174]: ovpn-up 1 client tun11 1500 0 10.159.0.38 10.159.0.37 init
Apr 23 10:22:47 openvpn-routing: Add pushed route: /usr/sbin/ip route add 10.159.0.1/255.255.255.255 via 10.159.0.37 dev tun11 table ovpnc1
Apr 23 10:22:47 openvpn-routing: Routing all traffic through ovpnc1
Apr 23 10:22:47 ovpn-client1[14174]: Data Channel: cipher 'AES-256-GCM', peer-id: 20, compression: 'stub'
Apr 23 10:22:47 ovpn-client1[14174]: Timers: ping 10, ping-restart 60

Hi @Cleanev ,

Thank you for your detailed comment! According to the log, it is quite strange to me that the VPN connection was initially setup Peer Connection Initiated with [AF_INET]191.101.174.248:1195 with the public VPN IP of 191.101.174.248 via port 1195. Moreover, your local VPN IP is also matched with 10.159.0.38 as in the log and the screenshot.

If @RMerlin or other forum members do not have any suggestion, I think that a reset may help.

P/s: There is an deprecated parameter in your VPN custom configuration section WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead. You should change it to avoid any incompatibility in the future.

Edited to add that ExpressVPN has a website to check IP address. You may try to check whether your VPN was already connected or not:

https://www.expressvpn.com/what-is-my-ip