RT-AX88U - 388.2_2 - Previously Working VPN Client (NordVPN) no longer functions - Suggestions for NordVPN Working Settings July 2023

PC Pilot

Regular Contributor
Following update to the current Merlin (388.2_2 - 05.05.23) Firmware on 22.05.23 neither VPN Client (Express VPN & NordVPN) made a successful connection reporting "Error - Authentication failure!"

Inspecting the System Logs indicated a 'keysize' issue in respect of the Express VPN and this was successfully resolved by removal of the line "keysize 256" from the Custom Configuration entry.

However the NordVPN is clearly a different issue and with my rudimentary skillset I have not as yet been able to isolate the problem despite:

1: Reviewing the System logs

2: Replacing the OpenVPN Client Config File with a new and entirely different one as before configured to the previously working standard. <see attached txt files>

3: Added a fall back Cipher line (data-ciphers-fallback BF-CBC) as suggested as a resolution.

4: Added a Push line (push "route 192.168.x.1 255.255.255.0" ...where x is my LAN IP) also suggested as a resolution.

This is the original working setup as advised here. Service state as reported when working: [ON] Connected (Local 10.8.1.7 - Public 152.89.207.235)

Code:
Select client instance (2) 2: UK2238 - NordVPN
Service state (2) [OFF] Error - Authentication failure!
Automatic start at boot time (2)
Yes Selected
No Unselected
Description (2) UK2238 - NordVPN
Import .ovpn file (2) [uk2238.nordvpn.com.udp.ovpn]

Network Settings

Interface Type (2) TUN
Protocol (2) UDP
Server Address and Port (2) Address: 178.239.162.171 Port 1194
Create NAT on tunnel (2)
Yes Selected
No Unselected
Inbound Firewall (2)
Block Selected
Allow Unselected
Accept DNS Configuration (2) Disabled
Redirect Internet traffic through tunnel (2) VPN Director (policy rules)
Killswitch - Block routed clients if tunnel goes down
Yes Unselected
No Selected

Authentication Settings

Authorization Mode TLS
Username/Password Authentication
Yes Selected
No Unselected
Username MYEMAILADDRESS
Password MYPASSWORD
Username / Password Auth. Only
Yes Unselected
No Selected

Keys & Certificates: As provided in current NordVPN OpenVPN Client Config file <uk2238.nordvpn.com.udp.ovpn> NB. NordVPN has now replaced "udp1194.com" with "udp.vpn" original file was <uk2508.nordvpn.com.udp1194.ovpn> see attached .txt files

Data ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
TLS control channel security (tls-auth / tls-crypt) Outgoing Auth (1)
Auth digest SHA512

Advanced Settings

Log verbosity (0-6, default=3) 3
Compression Disabled
TLS Renegotiation Time (in seconds, -1 for default) 0
Connection Retry attempts (0 for infinite) 0
Verify Server Certificate Name No


Custom Configuration:

remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450


This is an extract from the System Log from earlier in the day

Code:
Jul 10 15:05:57 ovpn-client2[5961]: OpenVPN 2.6.3 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jul 10 15:05:57 ovpn-client2[5961]: library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.08
Jul 10 15:05:57 ovpn-client2[5962]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jul 10 15:05:57 ovpn-client2[5962]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 10 15:05:57 ovpn-client2[5962]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Jul 10 15:05:57 ovpn-client2[5962]: TCP/UDP: Preserving recently used remote address: [AF_INET]178.239.162.171:1194
Jul 10 15:05:57 ovpn-client2[5962]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Jul 10 15:05:57 ovpn-client2[5962]: UDPv4 link local: (not bound)
Jul 10 15:05:57 ovpn-client2[5962]: UDPv4 link remote: [AF_INET]178.239.162.171:1194
Jul 10 15:05:57 ovpn-client2[5962]: TLS: Initial packet from [AF_INET]178.239.162.171:1194, sid=7758f20c 9aac4229
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA8
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY KU OK
Jul 10 15:05:57 ovpn-client2[5962]: Validating certificate extended key usage
Jul 10 15:05:57 ovpn-client2[5962]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY EKU OK
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=0, CN=uk2238.nordvpn.com
Jul 10 15:05:57 ovpn-client2[5962]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Jul 10 15:05:57 ovpn-client2[5962]: [uk2238.nordvpn.com] Peer Connection Initiated with [AF_INET]178.239.162.171:1194
Jul 10 15:05:57 ovpn-client2[5962]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jul 10 15:05:57 ovpn-client2[5962]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Jul 10 15:05:58 ovpn-client2[5962]: SENT CONTROL [uk2238.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jul 10 15:06:03 ovpn-client2[5962]: SENT CONTROL [uk2238.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jul 10 15:06:03 ovpn-client2[5962]: AUTH: Received control message: AUTH_FAILED
Jul 10 15:06:03 ovpn-client2[5962]: SIGTERM received, sending exit notification to peer
Jul 10 15:06:06 ovpn-client2[5962]: SIGTERM[soft,exit-with-notification] received, process exiting

Can anyone identify the problem and suggest a working remedy??

Your help and advice much appreciated. Thanks in advance..

PC Pilot
 

Attachments

  • uk2508.nordvpn.com.udp1194.ovpn.txt
    2.8 KB · Views: 36
  • uk2238.nordvpn.com.udp.ovpn.txt
    2.8 KB · Views: 28
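
Added example, not part of the original posts: a small Python triage of the system log extract above. It shows that certificate verification and the TLS handshake completed before the server returned AUTH_FAILED, so the rejection concerns the login rather than the certificates or data ciphers, and it surfaces the BF-CBC warning. The function name `triage`, the stage names and the verdict strings are assumptions made for this example; the sample lines are shortened from the extract.

```python
import re

# Constructed sample: lines taken (one shortened) from the log extract in the post.
SAMPLE_LOG = """\
Jul 10 15:05:57 ovpn-client2[5962]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).
Jul 10 15:05:57 ovpn-client2[5962]: VERIFY OK: depth=0, CN=uk2238.nordvpn.com
Jul 10 15:05:57 ovpn-client2[5962]: [uk2238.nordvpn.com] Peer Connection Initiated with [AF_INET]178.239.162.171:1194
Jul 10 15:05:58 ovpn-client2[5962]: SENT CONTROL [uk2238.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jul 10 15:06:03 ovpn-client2[5962]: AUTH: Received control message: AUTH_FAILED
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (ovpn-client\d+)\[\d+\]: (.*)$")

# Ordered handshake milestones: (stage name, pattern searched in the message text).
STAGES = [
    ("server_cert_verified", re.compile(r"^VERIFY OK: depth=0,")),
    ("tls_established", re.compile(r"Peer Connection Initiated")),
    ("push_requested", re.compile(r"PUSH_REQUEST")),
]

def triage(log_text):
    """Return {client: {"stages": [...], "warnings": [...], "verdict": str}}."""
    report = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an OpenVPN client line
        client, msg = m.groups()
        r = report.setdefault(client, {"stages": [], "warnings": [], "verdict": "incomplete"})
        for name, pat in STAGES:
            if pat.search(msg) and name not in r["stages"]:
                r["stages"].append(name)
        weak = re.search(r"INSECURE cipher \(([^)]+)\)", msg)
        if weak:
            r["warnings"].append(weak.group(1))  # e.g. a 64-bit block cipher fallback
        if "AUTH_FAILED" in msg:
            # AUTH_FAILED after a completed TLS handshake: the server rejected
            # the login, not the certificate chain or the cipher negotiation.
            r["verdict"] = ("credentials_rejected" if "tls_established" in r["stages"]
                            else "auth_failed_handshake_not_logged")
        elif "Initialization Sequence Completed" in msg:
            r["verdict"] = "connected"
    return report

if __name__ == "__main__":
    for client, r in triage(SAMPLE_LOG).items():
        print(client, r["verdict"], r["stages"], r["warnings"])
```
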
Solution here:
Brilliant, thanks Colin for the extremely swift and accurate heads up...

Such is the randomness of Google search strings that that one eluded me despite my hours of research!!

I find it particularly shocking that, having only become a NordVPN customer on 20.05.23, it took me two further days to locate working settings (and, for added prudence, to flash the router to the current Merlin release) before applying and tweaking the revised settings to finally get me up and running. Naturally, the relevant page relating to the Asuswrt Merlin firmware setup was so appallingly dated as to be of absolutely no use whatsoever, as was the case with the uploaded OpenVPN config file which populated numerous incorrect settings. THEN, to find that, less than a month after giving my custom, they should simply replace the authentication process on 14.06.23 without ANY form of prior notification is beyond extremely poor customer care!!

The 'red herring' of course pointing me toward the Merlin update was the simultaneous issue experienced with the failed authentication of the Express VPN Client setup. In hindsight I guess this change was likely Merlin related, as the update would have incorporated a more recent version of OpenVPN and likely removed previous support for this particular 'custom setting', and hence my focus on the system log with regard to solving the NordVPN issue!

Anyway, thanks again Colin, I'm a happy bunny once more with both VPN Clients working as intended!!

Cheers mate,

PC Pilot
 
