Anyone with an RT-AX88U having issues with ExpressVPN?

Skeptical.me

Very Senior Member
Hi,

So, I have this shiny brand new beast of a router, the RT-AX88U.

I just tried to set up OpenVPN Client No. 1 with an ExpressVPN .ovpn config file. I went over the client's settings and checked the Custom Config a few times over, as well as checking that my username and password are correct. However, I just can't connect. I do not receive an error message at all, I just can't connect.

If anyone here has experienced the same thing, I'd appreciate a reply.

Thanks for any help at all :)
 
I have tried

https://www.expressvpn.com/support/vpn-setup/manual-config-for-asus-router-with-openvpn/

Instructions for Asuswrt-Merlin
The Asuswrt-Merlin firmware is different from the regular Asus router firmware. To configure ExpressVPN on Asuswrt-Merlin:

  1. Log in to your router dashboard.
  2. Under Advanced Settings, select VPN on the left-side menu.
  3. Along the top, select OpenVPN Clients.
  4. Next to Import .ovpn file, click Browse… and upload the configuration file you downloaded above.
  5. After the file upload is complete, scroll down to Basic Settings and copy the ExpressVPN manual configuration username and password you found above.
  6. Scroll down to Advanced Settings. Set Accept DNS Configuration to Strict if you intend to use ExpressVPN on all devices connected to the router or Exclusive if you only intend to use ExpressVPN on select devices.
  7. Under Custom Configuration, enter the following text and click Apply.
Code:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
# log /tmp/vpn.log

But this got the error:

Code:
Connected (Local: XX.XXX.X.XXX - Public: unknown)

So, I added the following that is suggested to overcome this "Public: unknown" error (meaning I had no VPN IP Address and therefore no internet connection) elsewhere on this forum:

Code:
comp-lzo no
push "comp-lzo no"

And turned Compression to Disabled

But I got the same result.


Then I tried the following with, and without, the added code above, and although I get a Public IP showing, and have Accept DNS Configuration set to Exclusive, I get 7 DNS servers showing on ipleak.net:

Code:
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
sndbuf 524288
rcvbuf 524288
comp-lzo no
push "comp-lzo no"

Only one DNS server is supposed to show.
 
Try setting DNS1 and DNS2 on the WAN page. Then, set Accept DNS Configuration to Disabled. Strict setting behavior was changed recently. VPN will now use WAN DNS.

Similarly, try setting Accept DNS Configuration to Exclusive and see if that works. But as you know, Diversion won’t work with that setting when using Policy Rules. But worth a try just to see if that helps get the tunnel working.

Edit: Sorry, I see you got the tunnel working using Accept DNS Configuration = Exclusive. That means you are using the DNS pushed by your provider. The comp-lzo should not have any impact on DNS. Go back to ExpressVPN and ask them what DNS servers they provide when using the tunnel. Check the Asuswrt-Merlin change log to see if other changes were made on how VPN clients are using VPN. I will read it tomorrow to catch up but am not in a position to do so now.
 
Post the System Log content. It will tell you what's wrong.
 
I didn't see this reply, thanks. I'll re-install an ExpressVPN .ovpn config and re-do what I've done above, and post the logs asap. Thanks @RMerlin
 
I don't know why, and I don't know how. But using the following Custom Config has now worked:

Code:
fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
sndbuf 524288
rcvbuf 524288
comp-lzo no
push "comp-lzo no"

I added the following code to the Custom Configuration:

Code:
comp-lzo no
push "comp-lzo no"

Accept DNS Configuration set to Exclusive

Compression set to Disabled

Redirect Internet traffic set to All

I am now seeing the VPN's IP address, and single DNS server address on ipleak.net, as opposed to the 7 DNS servers I was seeing before.

Diversion, and Skynet working as well. No problems.

@RMerlin @Xentrk
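
A small lint pass over the Custom Configuration directives posted in this thread, added here as an illustration; it is not part of any post, of Asuswrt-Merlin or of OpenVPN. The names `SAMPLE`, `NOTES`, `PEER_CHECKS` and `lint` are this example's own, the rule selection is an assumption of the example, and the notes follow the OpenVPN 2.4 manual.

```python
import shlex

# Constructed sample: directives from the thread's two Custom Configuration blocks.
SAMPLE = """\
remote-random
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
keysize 256
reneg-sec 0
comp-lzo no
push "comp-lzo no"
comp-lzo no
push "comp-lzo no"
"""

# Rule table chosen for this example; notes follow the OpenVPN 2.4 manual.
NOTES = {
    "push": "server-mode directive (sends options to clients)",
    "ns-cert-type": "deprecated; remote-cert-tls is the replacement",
    "keysize": "deprecated",
    "comp-lzo": "deprecated in favour of compress",
    "route-method": "listed under Windows-specific options",
    "reneg-sec 0": "disables timed data-channel key renegotiation",
}
PEER_CHECKS = {"remote-cert-tls", "verify-x509-name", "ns-cert-type"}

def lint(text):
    """Return (line_no, directive, note) findings for a client config block."""
    findings, seen = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # '#' starts a comment
        if not tokens:
            continue
        name, key = tokens[0], " ".join(tokens)
        note = NOTES.get(key) or NOTES.get(name)
        if note:
            findings.append((no, name, note))
        if key in seen:
            findings.append((no, name, f"duplicate of line {seen[key]}"))
        seen.setdefault(key, no)
    if not PEER_CHECKS & {key.split()[0] for key in seen}:
        findings.append((0, "-", "no server certificate check present"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```

A finding with line number 0 refers to the block as a whole: none of the server-certificate directives appears in it.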
 
@Skeptical.me

I have not seen a lot of VPN performance posts on the forum for the RT-AX88U.

I would like to ask a big favor and ask that you run the OpenVPN estimate performance test on the RT-AX88U using the method @sfx2000 outlines in the post below.

https://www.snbforums.com/threads/openvpn-estimate-performance-via-openvpn.33416/

Perhaps you can post the results in the thread and give a link in this thread. The AES-128-GCM and AES-256-GCM ciphers are of particular interest for the test since those appear to be faster than the CBC cipher from my testing.

Also, a speed test comparison using your previous router and the RT-AX88U using one of the speed test websites would also be welcome. Since distance to the VPN server has an impact on speed, can you please test using a server in your region and one in the US just to get a comparison. For example, if I test speed using a server in Bangkok, I get 2x the speed when compared to a server in US. So, it would be good to see the difference.

Thanks for helping.
 
I have not seen a lot of VPN performance posts on the forum for the RT-AX88U.

That's because it's identical to the RT-AC86U, for which there were many benchmarks and test results posted already.
 
Really, damn. I was expecting some better results. Maybe it's the placebo effect but I think I'm noticing increases in my VPN bandwidth. However, this could also be the result of installing an older ISP modem that has been "tweaked" for a better VDSL2 connection.


Sent from my iPhone using Tapatalk Pro
 
I wanted to thank the OP for this thread since I was having trouble with connecting my AX88U to my VPN provider, as well. For some reason, the scripts didn't work out of the box (as they used to on my AC5300).

Here are the results for Xentrk (they seem skewed?):

ASUSWRT-Merlin RT-AX88U 384.13-0 Wed Jul 31 17:30:47 UTC 2019
/tmp/home/root# openvpn --genkey --secret /tmp/secret
/tmp/home/root# time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
Sat Sep 7 11:25:29 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
real 0m 4.27s
user 0m 4.25s
sys 0m 0.01s

3200/4.27 = 749.42 Mbps

--ncp-disable messes with the results?
 
I added RT-AX88U to the blog post on OpenVPN performance based on results from another forum member.

Here are the results.
Code:
AES-128-GCM: 3200/2.71 = 1181 Mbps
AES-256-CBC: 3200/3.21 = 996 Mbps

GCM ciphers appear to perform better.

I set up an AC86U for a site and didn’t see the performance increase that others reported. I suspect geo distance from the server is the primary culprit. My Intel i5 pfSense build with AES-NI enabled beats it hands down using the same endpoint though.
 
Wow, approaching X86 performance on ARM with the crypto extensions! That's impressive!

This is the primary reason I switched from my AC5300 to the AX88U (the former's dual-core CPU doesn't support the above-mentioned extensions), I couldn't stream 4K video over OpenVPN from either Netflix or Vudu. That's no longer the case.

Sent from my GM1917 using Tapatalk
 
GCM ciphers appear to perform better.

You are comparing a 128-bit cipher with a 256-bit cipher.

Something is wrong with the test-crypto option in OpenVPN since the move to OpenSSL 1.1 BTW. It reports like three times the performance of OpenSSL 1.0, which is definitely not right.
 
Was a successful resolution found for using ExpressVPN on the Merlin Asus RT-AX88U (384.14)? I spent most of the afternoon with ExpressVPN Chat and after several hours of using multiple setting changes, they said they would forward the issue to their engineers.
 
I use express vpn and have no issues connecting.


Wow, approaching X86 performance on ARM with the crypto extensions! That's impressive!

This is the primary reason I switched from my AC5300 to the AX88U (the former's dual-core CPU doesn't support the above-mentioned extensions), I couldn't stream 4K video over OpenVPN from either Netflix or Vudu. That's no longer the case.

Sent from my GM1917 using Tapatalk

Yup, the Cortex A53 supports AES; the CPU in the older router does not.

Only the HND platform uses this processor.
 
I use express vpn and have no issues connecting.

Would you be able to share your setup with me? It was a very frustrating afternoon with my new router.


 
Was a successful resolution found for using ExpressVPN on the Merlin Asus RT-AX88U (384.14)? I spent most of the afternoon with ExpressVPN Chat and after several hours of using multiple setting changes, they said they would forward the issue to their engineers.


I'm not sure what you're after but this is the resolution I have.

Add the following to the bottom of the ExpressVPN Configuration in the OpenVPN Profile:

Code:
comp-lzo no
push "comp-lzo no"


Then make sure to use these settings:

Accept DNS Configuration set to Exclusive

Compression set to Disabled

Redirect Internet traffic set to All

Also, try toggling the DNSFilter (LAN>DNSFilter) using various servers including the router itself.

These are the things I used to solve my issue with Expressvpn. Admittedly ExpressVPN, while an excellent service especially for streaming, is sometimes troublesome while setting up in Merlin.
 

Many thanks for your speedy reply. I have activated your suggestions and I am now in the process of trying the DNSFilter combinations. With regards to Internet traffic, I am using Policy Rules so that my Sonos system can connect to a local Toronto Radio station via Tunein while still using an Expressvpn server residing in the USA. I will gladly convey my results when completed, most likely tomorrow.
 
Unfortunately, if you're wanting to stream US Netflix, HULU, and Amazon Prime you may receive a proxy warning when using policy rules with expressvpn. It has to do with how Expressvpn uses shared IP addresses and their DNS to overcome the proxy blocking of these streaming services. When using policy rules the router will use other DNS servers other than Expressvpn's. I hope that makes sense.
 
