
RT-AX88U VPN Issues


Skeptical.me

ASUS RT-AX88U ASUSWRT-Merlin 384.11

2 problems:

1. ExpressVPN is sometimes showing 7 DNS servers on ipleak.net (and other similar sites). Usually I only see one DNS server; I'm only supposed to see one. Accept DNS Configuration is set to Exclusive, and Redirect Internet Traffic is set to All.

2. Also most of the time I see the following in the OpenVPN Client:

Code:
Connected (Local: 10.48.0.62 - Public: unknown)

"Public Unknown" = no ExpressVPN IP address


Here are the parts of the logs that relate to OpenVPN client 2, which I was using to test (I'm not sure how to read them):

[screenshot of the OpenVPN client 2 log]


These are the Custom Configs from the ExpressVPN .ovpn config file:

Code:
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
# ns-cert-type was deprecated in OpenVPN 2.4 (use remote-cert-tls server) and removed in 2.5
ns-cert-type server
# route-method only selects the route-installation method on Windows; it has no effect on the router
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
# keysize is deprecated and only meaningful for variable-key-size ciphers; AES-256 ignores it
keysize 256
sndbuf 524288
rcvbuf 524288


All 5 clients have been working perfectly well until today, and I don't know what has changed to cause this issue.

Any help is really appreciated :)
 
Update remote-cert-tls and sha512,
and maybe add auth-nocache.
 


I only used to see 1 DNS server; this seems to have changed recently for reasons I'm unaware of.

The Connected (Local: 10.48.0.62 - Public: unknown) happened to me some time ago; on the VPN client page, Compression should be set to None. Soon after, ExpressVPN updated their .ovpn files so compression was disabled.

If the Connected (Local: 10.48.0.62 - Public: unknown) persists perhaps someone with far more knowledge than me can help


Sent from my iPad using Tapatalk
 
Thanks for the reply.

Forgive me for my ignorance, but when you say "Update remote-cert-tls and sha512, and maybe add auth-nocache",
what would the Custom Config look like after these changes? (I've used .ovpn config files for a number of years but still need to learn more.)

Thanks for the help.
 
By any chance are you using Diversion? Because if you are and you're getting those results you might have to change Accept DNS Configuration to Exclusive, and Redirect Internet Traffic to All ...

Yes, the Local: 10.48.0.62 - Public: unknown has something to do with compression, or so I thought. I solved that after someone directed me to add

Code:
comp-lzo no
push "comp-lzo no"

to the end of the Custom Configuration and switch Compression to Disabled.

But that solution doesn't appear to be working this time.


Thanks for your help.
 
Like @no_name suggested, try switching Compression to None, not Disabled.
 
With Diversion, DNS set to Exclusive and policy rules set to All, I still get multiple DNS servers showing up.

I know nothing about custom configurations, but on the off chance it helps, the picture below shows where it says Compression set to None.

[screenshot of the VPN client page with Compression set to None]



 
I made an effort recently to get rid of warning messages on my OpenVPN clients. My provider suggested using no compression, which is also the general forum recommendation.

The OpenVPN client on pfSense has the same options. I tried both options in Asuswrt-Merlin and pfSense. When setting Compression to either None or Disabled, I get the same message:

Code:
 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'

I don't understand why comp-lzo is present in the local config when I've set it to None or Disabled.

I need to look deeper at the config files on the OS to see what is being written out when None or Disabled is configured. Maybe an OpenVPN bug?
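That warning comes from OpenVPN's options-string (OCC) consistency check rather than from the firmware: each peer sends the other a comma-separated summary of its tunnel options, and any key present on only one side produces exactly the "present in local config but missing in remote config" line quoted above. The Python below is an added, simplified re-implementation of that comparison for illustration; it is not OpenVPN's code, and the option strings in it are constructed. It assumes, as I understand OpenVPN 2.4's behaviour and as the "empty frame" remark in this thread suggests, that `comp-lzo no` (what Compression = None is taken to write) still advertises `comp-lzo` because the one-byte LZO framing stays in every packet, while Compression = Disabled writes no compression directive at all, so which of the two matches the server depends on whether the server kept that framing.

```python
import re

# OpenVPN 2.4+ deliberately stops warning about a differing 'proto' entry.
IGNORED_KEYS = {"proto"}


def parse_options_string(occ):
    """Turn 'V4,dev-type tun,link-mtu 1602,comp-lzo,...' into {key: value}.

    The leading 'V4' is the format version of the string, not an option.
    Flag-style entries such as 'comp-lzo' or 'tls-client' get an empty value.
    """
    items = [i.strip() for i in occ.split(",") if i.strip()]
    if items and re.fullmatch(r"V\d+", items[0]):
        items = items[1:]
    opts = {}
    for item in items:
        key, _, value = item.partition(" ")
        opts[key] = value.strip()
    return opts


def expected_remote(local):
    """Mirror the role-specific entries so the local string can be compared
    with what a matching peer would send: a tls-client expects a tls-server,
    and tls-auth 'keydir 1' pairs with 'keydir 0'."""
    exp = dict(local)
    if "tls-client" in exp:
        del exp["tls-client"]
        exp["tls-server"] = ""
    elif "tls-server" in exp:
        del exp["tls-server"]
        exp["tls-client"] = ""
    if exp.get("keydir") in ("0", "1"):
        exp["keydir"] = "0" if exp["keydir"] == "1" else "1"
    return exp


def _fmt(key, value):
    return f"{key} {value}" if value else key


def check_options(local_occ, remote_occ):
    """Return the warnings OpenVPN would log for this pair of option strings.

    An empty list means the two sides agree on framing, MTU, cipher and HMAC.
    """
    expected = expected_remote(parse_options_string(local_occ))
    remote = parse_options_string(remote_occ)
    warnings = []
    for key, value in expected.items():
        if key in IGNORED_KEYS:
            continue
        if key not in remote:
            warnings.append(
                f"WARNING: '{key}' is present in local config but missing in "
                f"remote config, local='{_fmt(key, value)}'")
        elif remote[key] != value:
            warnings.append(
                f"WARNING: '{key}' is used inconsistently, "
                f"local='{_fmt(key, value)}', remote='{_fmt(key, remote[key])}'")
    for key, value in remote.items():
        if key in IGNORED_KEYS or key in expected:
            continue
        warnings.append(
            f"WARNING: '{key}' is present in remote config but missing in "
            f"local config, remote='{_fmt(key, value)}'")
    return warnings


# Constructed sample strings (not captured from a real session).
# Compression = None is assumed to write 'comp-lzo no': the LZO header byte
# stays in every packet, so 'comp-lzo' is still advertised to the peer.
LOCAL_NONE = ("V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,"
              "keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,"
              "key-method 2,tls-client")
# Compression = Disabled is assumed to write no compression directive at all.
LOCAL_DISABLED = LOCAL_NONE.replace("comp-lzo,", "")
# A provider server that has removed compression entirely.
REMOTE_NO_COMP = ("V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,"
                  "keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,"
                  "key-method 2,tls-server")
# The same server while it still kept the (empty) LZO framing.
REMOTE_STUB = REMOTE_NO_COMP.replace("proto UDPv4,", "proto UDPv4,comp-lzo,")

if __name__ == "__main__":
    for name, local in (("None", LOCAL_NONE), ("Disabled", LOCAL_DISABLED)):
        for rname, remote in (("no compression", REMOTE_NO_COMP), ("LZO stub", REMOTE_STUB)):
            print(f"Compression={name} vs server {rname}:")
            for w in check_options(local, remote) or ["(no warnings)"]:
                print("  ", w)
```

Running it prints the quoted warning for None against a server with compression removed, nothing for Disabled against that server, and the mirror-image "present in remote config but missing in local config" for Disabled against a server that still frames for LZO; the real check in OpenVPN has a few more special cases (MTU handling, for one), but the key-by-key comparison is the mechanism.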
 
With Accept DNS Configuration = Exclusive, you can verify that the DNSVPNx chain has been created for LAN clients assigned to the tunnel, where "x" = VPN client number, e.g. DNSVPN1:
Code:
iptables --line -t nat -nvL DNSVPNx

DNSFilter enabled?
Code:
iptables -nvL -t nat --line PREROUTING
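To interpret the output of those two commands without eyeballing it, here is an added Python helper (my code, not Merlin's and not from the post above) that parses a saved `iptables -t nat -nvL --line` dump and checks what matters: the DNSVPNx chain exists, PREROUTING jumps into it for both UDP and TCP port 53, the chain really DNATs to a resolver, and no DNSFILTER jump sits ahead of it, since in the nat table the first matching DNAT ends rule traversal and so rule order decides which redirection wins. The embedded dump is constructed for illustration (resolver address, WAN address and counters are made up); run the script on a workstation with the router's output piped in.

```python
import re
import sys

# Constructed sample: what `iptables -t nat -nvL --line` might print on a
# router with VPN client 1 in Exclusive DNS mode and DNSFilter enabled.
# Addresses and packet counters are made up.
SAMPLE_DUMP = """\
Chain PREROUTING (policy ACCEPT 5234 packets, 421K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      812 52345 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2       14   840 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3      901 60123 DNSFILTER  udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
4       20  1200 DNSFILTER  tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
5     3120  198K VSERVER    all  --  *      *       0.0.0.0/0            203.0.113.20

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1      826 53185 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:10.48.0.1

Chain DNSFILTER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.1.1
"""


def parse_nat_table(dump):
    """Parse `iptables -nvL --line` text into {chain_name: [rule, ...]}."""
    chains, current = {}, None
    for line in dump.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        if head:
            current = head.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or len(cols) < 10 or not cols[0].isdigit():
            continue  # blank line, column header, or malformed row
        chains[current].append({
            "num": int(cols[0]), "target": cols[3], "prot": cols[4],
            "in": cols[6], "source": cols[8], "destination": cols[9],
            "extra": " ".join(cols[10:]),  # e.g. 'udp dpt:53' or 'to:10.48.0.1'
        })
    return chains


def redirect_targets(chains, unit=1):
    """List (source, resolver) pairs the DNSVPN<unit> chain DNATs to."""
    out = []
    for rule in chains.get(f"DNSVPN{unit}", []):
        m = re.search(r"to:(\S+)", rule["extra"])
        if rule["target"] == "DNAT" and m:
            out.append((rule["source"], m.group(1)))
    return out


def check_dns_redirect(chains, unit=1):
    """Return a list of problems; an empty list means Exclusive DNS is wired up."""
    chain = f"DNSVPN{unit}"
    if chain not in chains:
        return [f"{chain} does not exist: client {unit} is not in Exclusive DNS "
                "mode or its tunnel is not up"]
    problems = []
    pre = chains.get("PREROUTING", [])
    jumps = [r for r in pre if r["target"] == chain and "dpt:53" in r["extra"]]
    for proto in ("udp", "tcp"):
        if not any(r["prot"] == proto for r in jumps):
            problems.append(f"PREROUTING has no {proto}/53 jump to {chain}")
    # DNAT is a terminating target in nat, so an earlier DNSFILTER jump
    # can rewrite port-53 traffic before the VPN chain ever sees it.
    first_vpn = min((r["num"] for r in jumps), default=None)
    first_filter = min((r["num"] for r in pre if r["target"] == "DNSFILTER"), default=None)
    if first_vpn is not None and first_filter is not None and first_filter < first_vpn:
        problems.append(f"DNSFILTER jump (rule {first_filter}) precedes {chain} "
                        f"(rule {first_vpn}); DNS Filter will win")
    if not redirect_targets(chains, unit):
        problems.append(f"{chain} has no DNAT rule, so no client is redirected")
    return problems


if __name__ == "__main__":
    # Usage: iptables -t nat -nvL --line > nat.txt ; python3 this.py < nat.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    table = parse_nat_table(text)
    print("redirects:", redirect_targets(table))
    print("problems:", check_dns_redirect(table) or "none")
```

Note that a rule with an empty target column shifts the fields in `iptables -nvL` output; the parser skips such rows rather than misreading them, which is acceptable for these two chains but worth knowing if you point it at the whole table.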
 
I don't use the same VPN provider, but mine gave me the option to disable compression a few weeks ago.
I had to choose on my VPN provider's account page to disable compression (I can use compression if I want it).
First I tried Compression = Disabled, which did not work;
Compression = None works for me.
I think the None option still has a sort of empty frame for compression;
Disabled does not.
About the many DNS servers on ipleak: it happened to me as well on some DNS servers. I think it happens when they link DNS servers together.
When I used my VPN provider's IPv4 DNS servers I got the IPv6 servers as well, even though I don't have IPv6 and even blocked IPv6 DNS servers in DNSCrypt.
 
Set the 'Log verbosity' to "param" mode (4) , and hopefully all of the parameters should be dumped to Syslog.

[screenshot of the Log verbosity setting]


FYI Certain VPN ISPs such as 'Vpnbook' apparently never have a public IP (see /usr/sbin/gettunnelip.sh)… at least not for the two STUN servers.
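Since "Public: unknown" is simply what the client page shows when that STUN lookup gets no usable answer, here is what the lookup involves. The Python below is an added example, not Merlin's gettunnelip.sh and not code from the original post: it sends an RFC 5389 Binding Request, decodes the XOR-MAPPED-ADDRESS in the reply, and returns "unknown" on timeout. A tunnel that carries no usable data (the compression mismatch discussed earlier is one way to get there) and a provider that drops STUN traffic both end up on that path. The reply bytes used for offline checking are constructed, and the STUN server and port in the usage line are assumptions.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """20-byte STUN header with no attributes: type, length, cookie, 96-bit id."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid, tid


def parse_binding_response(data, transaction_id):
    """Return (ip, port) from a Binding success response, or None.

    Checks the cookie and transaction id so a stray datagram cannot be
    mistaken for the answer, then walks the TLV attributes.
    """
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != transaction_id:
        return None
    body = data[20:20 + length]
    pos = 0
    mapped = None
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + (attr_len + 3) // 4 * 4   # attribute values are padded to 4 bytes
        if len(value) < 8 or value[1] != 0x01:  # only IPv4 handled here
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            # XOR'd with the cookie so NAT ALGs cannot rewrite the address in flight
            return (socket.inet_ntoa(struct.pack("!I", addr ^ MAGIC_COOKIE)),
                    port ^ (MAGIC_COOKIE >> 16))
        if attr_type == ATTR_MAPPED_ADDRESS:
            mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    return mapped


def build_binding_response(transaction_id, ip, port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS, for offline testing."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    xport = port ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr


def public_ip_via_stun(server, port=3478, timeout=3.0, bind_addr=None):
    """Ask a STUN server for our public address; 'unknown' if nothing comes back.

    bind_addr is the source address to send from (for example the tunnel's
    local address), mirroring a per-tunnel lookup on the router.
    """
    request, tid = build_binding_request()
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            if bind_addr:
                sock.bind((bind_addr, 0))
            sock.sendto(request, (server, port))
            data, _ = sock.recvfrom(1024)
    except (socket.timeout, OSError):
        return "unknown"
    result = parse_binding_response(data, tid)
    return result[0] if result else "unknown"


if __name__ == "__main__":
    # Assumed public STUN server; any RFC 5389 server works.
    print("Public:", public_ip_via_stun("stun.l.google.com", 19302))
```

If the provider blocks outbound UDP to STUN ports, or the tunnel passes no data, this returns "unknown" even though the OpenVPN control channel is up, which is why the status line can say "Connected" and "Public: unknown" at the same time.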
 
I noticed a change with TorGuard recently. They appear to be using Cloudflare 1.1.1.1 near the location of the VPN server. So when I run an ipleak test, I see many Cloudflare servers listed due to the load balancing and redundancy they have built in.
 
It's strange what is happening, as ExpressVPN was working perfectly OK; then I upgraded Merlin and the issue started.

Here is a screenshot of the VPN client:

[screenshot of the VPN client page]

And here are the results of the ipleak.net scan:

[screenshot of the ipleak.net results]

Usually there's only one DNS server.
 
I have the same setup as you; the only difference is I haven't renamed the client instance or the description.

[screenshot of the VPN client page]

These are my results using ipleak.net:

[screenshot of the ipleak.net results]

These are the results using https://www.expressvpn.com/dns-leak-test:

[screenshot of the ExpressVPN DNS leak test results]

I'm not worried about the multiple servers being shown; another person mentioned it could be for load balancing.

If you haven't done so already, I would download fresh copies of the .ovpn files from ExpressVPN and start over. Also, is it just the one client you have running?
 
Hi, thanks for the reply.

Using the ExpressVPN DNS Leak page (https://www.expressvpn.com/dns-leak-test) I receive the following result:


Code:
No DNS leaks detected
You’re using ExpressVPN’s secure DNS servers.

All DNS requests are going through ExpressVPN's encrypted, private servers.

And I'm able to watch Hulu, Prime Video, and US Netflix from Australia.

So no DNS is leaking, because if it were leaking I wouldn't be able to watch those streaming services; the VPN warning would show.

I use all 5 VPN clients. I use 3 VPN services: 1. ExpressVPN, 2. ProtonVPN, and 3. TorGuard.
 
I asked in case you were using more than three ExpressVPN clients at the same time, which is the maximum ExpressVPN allows and could account for the (Local: 10.48.0.62 - Public: unknown).

I had a setting wrong when I mirrored your setup, so just to confirm: like you, there's no DNS leak with this setup.

[screenshot of the DNS leak test result]
 
384.11 had a major change with DNS DoT. Review the settings on the WAN page.

Do you have the Cloudflare DNS client installed, or DoT in your browser? That would take precedence over the router settings unless you have DNSFilter set to Router.

I suspect this may have something to do with the workarounds to avoid VPN blocks. I would ask them about the issue to get their take. Sometimes a friendly phone call can result in some insider information that you would normally not get over a support ticket.

There are several tools to lookup ip address ownership on the internet. My two favorites are:

https://bgp.he.net/
https://ipinfo.io/
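Those ownership lookups are the right way to read a DNS-leak result, and the reading can be automated. A leak test works by giving your browser unique hostnames under a domain the tester controls and recording which resolver addresses ask the authoritative server for them; several addresses that all belong to the VPN provider (the Cloudflare pool mentioned for TorGuard above) are a resolver pool, whereas even one address owned by your home ISP is the leak. The Python below is an added example, not code from ipleak.net or from this thread: it groups the resolvers seen per test session from a constructed authoritative-server log and classifies them against a prefix-to-owner table of the kind bgp.he.net or ipinfo.io give you. All prefixes, owner names and addresses in it are made up for illustration.

```python
import ipaddress

# Constructed prefix-to-owner table assembled from ownership lookups.
# The ranges and names are illustrative, not real allocations.
PREFIX_OWNERS = {
    "198.51.100.0/24": "ExampleVPN",
    "203.0.113.0/24": "ExampleVPN",
    "2001:db8:100::/48": "ExampleVPN",
    "192.0.2.0/24": "Home ISP",
}

# Constructed authoritative-server log for two test sessions (token is the
# first label). Session a8f1 is served by a provider resolver pool, including
# one IPv6 member; session b77c has one query arriving from the home ISP.
SAMPLE_AUTH_LOG = """\
query a8f1.1.dnstest.example A from 198.51.100.11
query a8f1.2.dnstest.example A from 198.51.100.12
query a8f1.3.dnstest.example A from 198.51.100.13
query a8f1.4.dnstest.example A from 198.51.100.11
query a8f1.5.dnstest.example AAAA from 2001:db8:100::53
query a8f1.6.dnstest.example A from 203.0.113.9
query b77c.1.dnstest.example A from 192.0.2.53
query b77c.2.dnstest.example A from 198.51.100.12
"""


def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, ip)   # keeps v4 and v6 comparable in one sort


def resolvers_by_session(log):
    """Group the source addresses seen by the authoritative server per test token."""
    sessions = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "query" or parts[3] != "from":
            continue  # not a query line we understand
        token = parts[1].split(".")[0]
        sessions.setdefault(token, set()).add(parts[4])
    return sessions


def owner_of(addr, table):
    """Longest-prefix match of addr in table; None when no prefix covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, owner in table.items():
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, owner)
    return best[1] if best else None


def classify_resolvers(observed, table, trusted_owners):
    """Group observed resolver addresses by owner and flag the untrusted ones.

    Returns (by_owner, leaks). Several addresses under one trusted owner are
    a resolver pool, not a leak; a leak is any address whose owner is unknown
    or not in trusted_owners.
    """
    by_owner, leaks = {}, []
    for addr in sorted(observed, key=_sort_key):
        owner = owner_of(addr, table) or "unknown"
        by_owner.setdefault(owner, []).append(addr)
        if owner not in trusted_owners:
            leaks.append(addr)
    return by_owner, leaks


if __name__ == "__main__":
    for token, seen in resolvers_by_session(SAMPLE_AUTH_LOG).items():
        by_owner, leaks = classify_resolvers(seen, PREFIX_OWNERS, {"ExampleVPN"})
        print(f"session {token}: {len(seen)} resolver address(es)")
        for owner, addrs in by_owner.items():
            print(f"  {owner}: {', '.join(addrs)}")
        print("  leak:", ", ".join(leaks) if leaks else "none")
```

Seven addresses that all resolve to the provider's own prefixes, as in the first session, is the load-balancing case raised in this thread; the second session shows what an actual leak looks like, a single resolver owned by someone else, regardless of how many provider addresses appear next to it.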
 