ASUS RT-AC86U - ExpressVPN disconnecting


beatles1312

New Around Here
Hello guys,

I have an ASUS RT-AC86U with the Merlin 384.19 build. I've been struggling to get a stable connection with ExpressVPN for weeks. I set up the OpenVPN client like with every other VPN provider, but I always get disconnected after a few hours. Sometimes it works for 2 hours and sometimes for 13 hours. In the system log I always get the following error:

Nov 20 07:44:25 ovpn-client2[9925]: RESOLVE: Cannot resolve host address: germany-frankfurt-1-ca-version-2.expressnetw.com:1195 (Temporary failure in name resolution)
Nov 20 07:44:25 ovpn-client2[9925]: Could not determine IPv4/IPv6 protocol
Nov 20 07:44:25 ovpn-client2[9925]: SIGUSR1[soft,init_instance] received, process restarting
Nov 20 07:44:25 ovpn-client2[9925]: Restart pause, 5 second(s)
Nov 20 07:44:30 ovpn-client2[9925]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Nov 20 07:44:30 ovpn-client2[9925]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 20 07:45:10 ovpn-client2[9925]: RESOLVE: Cannot resolve host address: germany-frankfurt-1-ca-version-2.expressnetw.com:1195 (Temporary failure in name resolution)
Nov 20 07:45:50 ovpn-client2[9925]: RESOLVE: Cannot resolve host address: germany-frankfurt-1-ca-version-2.expressnetw.com:1195 (Temporary failure in name resolution)
Nov 20 07:45:50 ovpn-client2[9925]: Could not determine IPv4/IPv6 protocol
Nov 20 07:45:50 ovpn-client2[9925]: SIGUSR1[soft,init_instance] received, process restarting
Nov 20 07:45:50 ovpn-client2[9925]: Restart pause, 5 second(s)


Then I switch the Off/On toggle in the OpenVPN client and it gets connected again. It works great again, but also only for a few hours, then the same error message.

With other VPN service providers I never had any problems. I can stay connected to NordVPN for weeks without any problem with the same setup.

This is the Custom Configuration:

fast-io
remote-random
pull
tls-client
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
sndbuf 524288
rcvbuf 524288

The ExpressVPN support can't help, so I'm trying here to see if anyone can help me with this issue :)

Thanks and have a nice day!
 

Butterfly Bones

Very Senior Member

beatles1312

New Around Here
Thanks a lot for your reply! I have never run a script on my ASUS router. I need a little bit of help from you, please.

I connected to my router with "WinSCP".
I created the "vpncheck.sh" file in " /jffs/scripts " with the code you posted. Permission set to 0755.
I created a folder in this directory named " services-start " and created in this folder a new file (without extension?) with the code you posted in the other thread.

Now I don't know what to do. I attached some screenshots of what I have done.

Must I activate the " Enable JFFS custom scripts and configs " toggle in the ASUS Control Panel under Administration -> System?

I would be very happy if I can get this working with your help! :)
 

eibgrad

Very Senior Member
Here is what I did to solve that problem with my VPN provider. This is fairly common with commercial VPN servers. See this link to a detailed message of how I set it up. Good Luck!
https://www.snbforums.com/threads/i...econnect-the-vpn-on-a-timer.66517/post-620720
Interesting solution, although I wonder if this isn't treating the symptom(s) rather than the problem.

Determining why any given VPN is unreliable is made difficult by the number of variables in the configuration (VPN provider itself, available servers, PBR active/inactive, DNS config, etc.). And without being there to observe the failure as it happens, you're left w/ a few scattered remnants in the syslog to draw your conclusions.

With that in mind, make sure you have your VPN configured in a way most likely to avoid known problems. For example, one of the worst things you can do is have only *one* server specified in your configuration. VPN providers are NOT like your ISP. Your ISP has only one option available to you, so it *has* to be reliable. But your VPN provider knows you have other options (i.e., servers), so taking one offline for whatever reason (maintenance, overloaded CPU, etc.) is not a big deal; just use a different server. But if you've NOT configured for more than one server, you're treating your VPN provider as if he was your ISP, which is a mistake.

Also, there's the issue of DNS. When using Exclusive for "Accept DNS configuration", this causes *only* the DNS servers of the VPN provider to be used. But under certain conditions, I've seen where the connection gets lost and the OpenVPN client repeatedly attempts to reestablish the connection, but can't because DNS is still pointing to the VPN! And the situation is exacerbated by the fact the DNS servers are typically within the same scope as the tunnel (i.e., in the *private* IP space), so there's no hope that name resolution could possibly revert to the WAN/ISP and get things rolling again.

To deal w/ both of the above problems, I recommend that you specify several alternative servers (remote directives) in the Custom Config field. I use ExpressVPN as well, and here's mine.

Code:
server-poll-timeout 10
remote-random
remote us-new-york-2-ca-version-2.expressnetw.com 1195
remote usa-atlanta-ca-version-2.expressnetw.com 1195
remote usa-chicago-ca-version-2.expressnetw.com 1195
remote usa-dallas-2-ca-version-2.expressnetw.com 1195
remote usa-dallas-ca-version-2.expressnetw.com 1195
remote usa-denver-ca-version-2.expressnetw.com 1195
remote usa-losangeles-1-ca-version-2.expressnetw.com 1195
remote usa-losangeles-3-ca-version-2.expressnetw.com 1195
#remote usa-losangeles-ca-version-2.expressnetw.com 1195
remote usa-losangeles5-ca-version-2.expressnetw.com 1195
remote usa-miami-2-ca-version-2.expressnetw.com 1195
remote usa-miami-ca-version-2.expressnetw.com 1195
remote usa-newjersey-1-ca-version-2.expressnetw.com 1195
remote usa-newjersey-3-ca-version-2.expressnetw.com 1195
remote usa-newyork-ca-version-2.expressnetw.com 1195
remote usa-saltlakecity-ca-version-2.expressnetw.com 1195
remote usa-sanfrancisco-ca-version-2.expressnetw.com 1195
remote usa-seattle-ca-version-2.expressnetw.com 1195
remote usa-tampa-1-ca-version-2.expressnetw.com 1195
remote usa-washingtondc-ca-version-2.expressnetw.com 1195
route 1.1.1.1 255.255.255.255 vpn_gateway
route 1.0.0.1 255.255.255.255 vpn_gateway
route 9.9.9.9 255.255.255.255 vpn_gateway
mssfix 1450
verb 4
The one remote directive commented out is the one specified in the GUI. The OpenVPN client will randomly select among all possible servers, but wait no more than 10 seconds for any connection attempt to complete before trying another.

Notice the route directives too. Those are the same DNS servers I have specified in DNSMasq.

Code:
no-resolv
server=1.1.1.1
server=1.0.0.1
server=9.9.9.9

The no-resolv directive tells DNSMasq to *only* use those DNS servers and ignore all other possible sources (e.g., those passed from your ISP). By adding route directives matching these servers to the OpenVPN client config, I force them over the VPN. And I always specify "Disabled" for the "Accept DNS configuration" option.

Now will this solve your problem? Hard to say. But I find that too many ppl are not correctly configuring their OpenVPN client and DNS to minimize these kinds of issues. Ultimately, you may very well need to force a total restart as suggested by @Butterfly Bones if you're experiencing something out of the ordinary. But as I said, that's not really addressing the fundamental problem.

And one last thing. Be careful w/ these additional directives the OpenVPN provider likes to suggest be added to the Custom Config field. More times than not, they are completely unnecessary, either because they are redundant (the OpenVPN client already has specified them) or not germane (note the use of remote-random, but no use of multiple remote directives; that strongly suggests the VPN provider is expecting you to NOT rely on just one server!). In some cases, these additional directives might even cause harm (a common one is the 'reneg-sec 0' directive, intended to reduce overhead to the VPN provider at the expense of your security). I strongly suggest you ignore these additional directives unless and until they prove necessary. The OpenVPN client is designed to handle 99% of most cases w/o you or the VPN provider needing to *tweak* it.

Using the above, I've personally found ExpressVPN to work very well.
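
As an added example (not code from this thread or from any poster): a small POSIX shell and awk audit of the two configs discussed above. It flags `remote-random` with no extra `remote` lines, `reneg-sec 0`, the deprecated `ns-cert-type`, a missing `no-resolv`, and DNSMasq upstream servers that lack a matching `route ... vpn_gateway` line. The function name, finding labels and sample files are constructed for illustration, and the server set in the GUI is assumed to be the only remote outside the Custom Config field.

```shell
#!/bin/sh
# Added example: audit an OpenVPN Custom Config and a dnsmasq config for
# the pitfalls discussed in this post. Finding labels are made up here.

audit_vpn_dns() {   # usage: audit_vpn_dns OVPN_CUSTOM_CONFIG DNSMASQ_CONFIG
    awk '
    # Strip comments (# or ;) and surrounding whitespace, skip empty lines.
    { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == "" { next }

    # First file: OpenVPN custom config.
    FILENAME == ARGV[1] {
        if ($1 == "remote") remotes++
        if ($1 == "remote-random") random = 1
        if ($1 == "reneg-sec" && $2 == "0") reneg0 = 1
        if ($1 == "ns-cert-type") nscert = 1
        if ($1 == "route" && $4 == "vpn_gateway") routed[$2] = 1
        next
    }

    # Second file: dnsmasq config (plain IPv4 server= lines only).
    $0 == "no-resolv" { noresolv = 1 }
    /^server=[0-9.]+$/ { upstream[++n] = substr($0, 8) }

    END {
        if (random && remotes == 0)
            print "SINGLE_SERVER: remote-random set but no extra remote lines"
        if (reneg0)
            print "RENEG_OFF: reneg-sec 0 disables periodic key renegotiation"
        if (nscert)
            print "DEPRECATED: ns-cert-type (use remote-cert-tls server)"
        if (!noresolv)
            print "DNS_SOURCES: no-resolv missing, other resolvers may be used"
        for (i = 1; i <= n; i++)
            if (!(upstream[i] in routed))
                print "DNS_OUTSIDE_TUNNEL: " upstream[i] " has no vpn_gateway route"
    }
    ' "$1" "$2"
}

# Constructed sample inputs: a weak setup and a corrected one.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.ovpn" <<'EOF'
remote-random
ns-cert-type server
reneg-sec 0
route 1.1.1.1 255.255.255.255 vpn_gateway
EOF
cat > "$tmp/weak.dnsmasq" <<'EOF'
server=1.1.1.1
server=9.9.9.9
EOF
cat > "$tmp/fixed.ovpn" <<'EOF'
server-poll-timeout 10
remote-random
remote germany-darmstadt-ca-version-2.expressnetw.com 1195
remote germany-nuremberg-ca-version-2.expressnetw.com 1195
#remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195
route 1.1.1.1 255.255.255.255 vpn_gateway
route 9.9.9.9 255.255.255.255 vpn_gateway
EOF
cat > "$tmp/fixed.dnsmasq" <<'EOF'
no-resolv
server=1.1.1.1
server=9.9.9.9
EOF

echo "weak:";  audit_vpn_dns "$tmp/weak.ovpn"  "$tmp/weak.dnsmasq"
echo "fixed:"; audit_vpn_dns "$tmp/fixed.ovpn" "$tmp/fixed.dnsmasq"
```
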
 

CaptainSTX

Part of the Furniture
Are you modifying the settings from Express VPN? I have found that simply downloading the OVPN file from either StrongVPN or PIA and then uploading it into the client within Merlin's firmware works fine. All I add is my username and password.

Previously I tried a number of custom settings and for the most part they made no difference or the provider's server just ignored them. Start with just the basic file and if that gives you a stable connection you can try your customizations.
 

beatles1312

New Around Here
Thanks a lot for your very helpful reply! Much appreciated!

Please forgive me for my dumb question.

I reset my VPN client first, then I uploaded the ovpn file "my_expressvpn_germany_-_frankfurt_-_1_udp". Filled in username/password. Left the DNS settings at "Relaxed" and put this in my Custom Configuration:

Code:
server-poll-timeout 10
remote-random
remote germany-darmstadt-ca-version-2.expressnetw.com 1195
remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195
remote germany-nuremberg-ca-version-2.expressnetw.com 1195
remote germany-frankfurt-2-ca-version-2.expressnetw.com 1195
route 1.1.1.1 255.255.255.255 vpn_gateway
route 1.0.0.1 255.255.255.255 vpn_gateway
route 9.9.9.9 255.255.255.255 vpn_gateway
mssfix 1450
verb 4

Then I click Apply and connect. The VPN client is connected, I see the ExpressVPN IP address, but the Internet is not working anymore. What have I done wrong? Also, where can I find the "DNSmasq"?

Please forgive me for my newbie questions, this is the first time I have used scripts etc. I'm very thankful for any help!
 

eibgrad

Very Senior Member
Nothing in the above should have prevented a connection unless those remote directives are just wrong (protocol, port, etc.).

The route directives are ineffective w/o changes to DNSMasq. You need to create a custom config file in order to make them effective.

 

beatles1312

New Around Here
I removed the DNS settings from the Custom Settings:

Code:
route 1.1.1.1 255.255.255.255 vpn_gateway
route 1.0.0.1 255.255.255.255 vpn_gateway
route 9.9.9.9 255.255.255.255 vpn_gateway

Then I added only the following in the Custom Settings:

Code:
server-poll-timeout 10
remote-random
remote germany-darmstadt-ca-version-2.expressnetw.com 1195
remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195
remote germany-nuremberg-ca-version-2.expressnetw.com 1195
remote germany-frankfurt-2-ca-version-2.expressnetw.com 1195
mssfix 1450
verb 4

The client is connected but I can't open any website. I attached screenshots of my setup again. Maybe someone sees a mistake? Of course I also restarted the router many times.
I will also follow your link for the DNSmasq. Thanks for your help! :)
 

beatles1312

New Around Here
Sorry, I forgot to post the system log in my last reply. I couldn't upload the .txt file so I converted it to .pdf
Thanks for your help!
 

eibgrad

Very Senior Member
I don't see any obvious mistakes. However, I did notice that on my ExpressVPN setup using dd-wrt, I had specified the Fragment field (something not present w/ Merlin) to 1300. And thus why it's not in my custom config field. So try adding back that directive.

Code:
fragment 1300
 

beatles1312

New Around Here
Unbelievable, I added "fragment 1300" to the custom configuration and now the Internet is working. Thanks a lot for this!

Now my custom configuration looks like this:

Code:
server-poll-timeout 10
remote-random
remote germany-darmstadt-ca-version-2.expressnetw.com 1195
remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195
remote germany-nuremberg-ca-version-2.expressnetw.com 1195
remote germany-frankfurt-2-ca-version-2.expressnetw.com 1195
mssfix 1450
verb 4
fragment 1300

Just for my understanding: if I get the same issue that I posted in my first post, the VPN client will now connect to a different German server. Before the new custom setting it only tried to connect to the same server that caused the issue, and now the client will also try the other server locations I have put in the custom configuration, right?

My next step is to work out your suggested DNSmasq. If I set up the DNSMasq script, which DNS setting should I use in the VPN client? (Disabled, Relaxed, Strict, Exclusive)

Thanks a lot for your help!
 

eibgrad

Very Senior Member
Basically, yes.

As I said initially, trying to determine exactly what's causing your problems is not easy, esp. when all I have are your descriptions. These changes are my attempt to remove issues that *might* be affecting the reliability of your VPN connection. OpenVPN has the ability to be self-healing in many cases. But sometimes the things we do undermine that capability, such as leaving the VPN only *one* server option.

As far as DNSMasq, I'm suggesting you use "Disabled" for "Accept DNS configuration" so any DNS servers pushed by the OpenVPN server are ignored, and that you rely solely on the DNS servers specified in DNSMasq (presumably publicly available ones like Cloudflare or Quad9). When the VPN is inactive, they are accessed over the WAN/ISP. When the VPN is active, they are accessed over the VPN.

In the end, you may end up NOT being able to prevent your current problems and need to follow @Butterfly Bones suggestions for a watchdog process that can restart the VPN. But let's first try to correct some obvious mistakes and see if it makes a difference.
 

beatles1312

New Around Here
The VPN connection has been connected for over 24 hours. Longer than ever before. No errors or abnormalities in the system log. Let's see how it goes on ... I haven't had the time to look at DNSMasq. Please forgive me for the stupid newbie question, what is the difference between "DNSMasq" and the DNS options under Advanced Settings -> WAN -> WAN DNS Settings? What would happen if I enter alternative DNS servers here and disable the DNS settings in the VPN client? Probably too simple a thought of mine ...

I will watch over the next few days how long the VPN connection lasts and then I will try @Butterfly Bones' solution.

Have you tried to use a different server location to rule out that it’s a problem on the ExpressVPN side?
Of course, I tried nearly all of the European locations and the same issue happens on every server location. But thanks anyway for your suggestion! :)
 

eibgrad

Very Senior Member
DNSMasq is a lightweight, combo DHCP+DNS server designed for embedded systems. Its small footprint and miserly use of system resources make it a popular choice for providing these services to the router. By default, the router configures the network clients w/ DNSMasq as their DNS server. It acts as a local name resolution and caching proxy, and forwards your DNS queries to public DNS servers as needed. When you configure the DNS settings on the WAN page, you are in effect configuring DNSMasq. And to the extent certain options are available on that page (like designating your preferred public DNS servers), that'll work too. But I'm so used to making numerous changes to DNSMasq that are NOT available on that page, that most of the time I end up having to create a custom config file anyway, and so I pretty much leave the settings on that page alone.
 

beatles1312

New Around Here
Thanks a lot @eibgrad for all your very informative & helpful comments! I appreciate your knowledge. I will see for myself how ExpressVPN is now working on my router, and if I need help I will update this thread :)
 
