Mullvad + MerlinWRT "Error - check configuration!"

[Numancia]

Help... Getting "Error - check configuration!" when trying to connect MerlinWRT on Asus AX-88U with downloaded config file from Mullvad's OpenVPN config file generator for Android/ChromeOS as per their instructions https://mullvad.net/en/help/asus-merlin-and-mullvad-vpn/#instructions

I have no idea what is causing this because it used to work but I think Mullvad broke something in their OpenVPN config generator because even downgrading and fully resetting router is still causing this connection error message.

 

[RMerlin]

Check the system log, it will tell you why it's failing.

 

[Numancia]

Check the system log, it will tell you why it's failing.

Here's the system log with 386.8 firmware, still at a loss as to what is causing the error though, any help would be greatly appreciated...

Nov 7 17:44:55 rc_service: httpd 1464:notify_rc start_vpnclient1
Nov 7 17:44:55 ovpn-client1[8397]: OpenVPN 2.5.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 13 2022
Nov 7 17:44:55 ovpn-client1[8397]: library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.08
Nov 7 17:44:55 ovpn-client1[8398]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 7 17:44:55 ovpn-client1[8398]: TCP/UDP: Preserving recently used remote address: [AF_INET]91.193.4.50:1301
Nov 7 17:44:55 ovpn-client1[8398]: Socket Buffers: R=[524288->1048576] S=[524288->1048576]
Nov 7 17:44:55 ovpn-client1[8398]: UDP link local: (not bound)
Nov 7 17:44:55 ovpn-client1[8398]: UDP link remote: [AF_INET]91.193.4.50:1301
Nov 7 17:44:55 ovpn-client1[8398]: TLS: Initial packet from [AF_INET]91.193.4.50:1301, sid=d776cfcd a35ce8e1
Nov 7 17:44:55 ovpn-client1[8398]: VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
Nov 7 17:44:55 ovpn-client1[8398]: VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v4, emailAddress=security@mullvad.net
Nov 7 17:44:55 ovpn-client1[8398]: VERIFY KU OK
Nov 7 17:44:55 ovpn-client1[8398]: Validating certificate extended key usage
Nov 7 17:44:55 ovpn-client1[8398]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov 7 17:44:55 ovpn-client1[8398]: VERIFY EKU OK
Nov 7 17:44:55 ovpn-client1[8398]: VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=ch-zrh-304.mullvad.net, emailAddress=security@mullvad.net
Nov 7 17:44:55 ovpn-client1[8398]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Nov 7 17:44:55 ovpn-client1[8398]: [ch-zrh-304.mullvad.net] Peer Connection Initiated with [AF_INET]91.193.4.50:1301
Nov 7 17:44:56 ovpn-client1[8398]: SENT CONTROL [ch-zrh-304.mullvad.net]: 'PUSH_REQUEST' (status=1)
Nov 7 17:44:58 ovpn-client1[8398]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.15.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.15.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1301::100d/64 fdda:d0d0:cafe:1301::,ifconfig 10.15.0.15 255.255.0.0,peer-id 5,cipher AES-256-GCM'
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: compression parms modified
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: --socket-flags option modified
Nov 7 17:44:58 ovpn-client1[8398]: NOTE: setsockopt TCP_NODELAY=1 failed
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: route options modified
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: route-related options modified
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: peer-id set
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: adjusting link_mtu to 1625
Nov 7 17:44:58 ovpn-client1[8398]: OPTIONS IMPORT: data channel crypto options modified
Nov 7 17:44:58 ovpn-client1[8398]: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 7 17:44:58 ovpn-client1[8398]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 7 17:44:58 ovpn-client1[8398]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 7 17:44:58 ovpn-client1[8398]: GDG6: remote_host_ipv6=n/a
Nov 7 17:44:58 ovpn-client1[8398]: net_route_v6_best_gw query: dst ::
Nov 7 17:44:58 ovpn-client1[8398]: net_route_v6_best_gw result: via :: dev lo
Nov 7 17:44:58 ovpn-client1[8398]: TUN/TAP device tun11 opened
Nov 7 17:44:58 ovpn-client1[8398]: TUN/TAP TX queue length set to 1000
Nov 7 17:44:58 ovpn-client1[8398]: /usr/sbin/ip link set dev tun11 up mtu 1500
Nov 7 17:44:58 ovpn-client1[8398]: /usr/sbin/ip link set dev tun11 up
Nov 7 17:44:58 ovpn-client1[8398]: /usr/sbin/ip addr add dev tun11 10.15.0.15/16
Nov 7 17:44:58 ovpn-client1[8398]: /usr/sbin/ip link set dev tun11 up mtu 1500
Nov 7 17:44:58 ovpn-client1[8398]: /usr/sbin/ip link set dev tun11 up
Nov 7 17:44:58 ovpn-client1[8398]: /usr/sbin/ip -6 addr add fdda:d0d0:cafe:1301::100d/64 dev tun11
Nov 7 17:44:58 ovpn-client1[8398]: Linux ip -6 addr add failed: external program exited with error status: 2
Nov 7 17:44:58 ovpn-client1[8398]: Exiting due to fatal error

 

[ColinTaylor]

Did you remove the tun-ipv6 parameter from the configuration as directed in the Mullvad instructions?

 

[Numancia]

Did you remove the tun-ipv6 parameter from the configuration as directed in the Mullvad instructions?

Yes, this is my custom configuration at the bottom of the VPN Client page...

resolv-retry infinite
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
fast-io
remote-random
comp-lzo no

 

[ColinTaylor]

The problem appears to be that Mullvad are pushing IPv6 settings to the router. Is your router using IPv6?

 

[RMerlin]

Asuswrt-Merlin's OpenVPN client does not support IPv6. If your provider is pushing IPv6 options, you have to add config lines to tell your router to ignore them.

    pull-filter ignore "ifconfig-ipv6"
    pull-filter ignore "route-ipv6"

 

[Numancia]

Asuswrt-Merlin's OpenVPN client does not support IPv6. If your provider is pushing IPv6 options, you have to add config lines to tell your router to ignore them.

    pull-filter ignore "ifconfig-ipv6"
    pull-filter ignore "route-ipv6"

Not the only one having this issue...

https://www.reddit.com/r/mullvadvpn/comments/tvfkln

Tried your suggestions as well as those under troubleshooting section (as per above post) for Mullvad with Merlin - "Exiting due to fatal error" / IPv6 issues / DNS leaks" but it didn't fix the issue. It is now "connecting" but says "connected to my ISP's IP - Internet not redirected"

Asus Merlin and Mullvad VPN

How to setup your Asus router running Merlin to connect to the Mullvad VPN servers.

mullvad.net

I think my ISP, Videotron, may have changed something recently. According to this tweet people are having problems running a VPN with Videotron...

https://twitter.com/x/status/1584561580632514561

 

[RMerlin]

It is now "connecting" but says "connected to my ISP's IP - Internet not redirected"

That's a different issue, and unrelated to your provider. As the message says, you did not tell your client to redirect the Internet traffic. There's a setting just a few options below that says "Redirect Internet traffic" that you need to configure.

 

[Yooshaw]

Yes, this is my custom configuration at the bottom of the VPN Client page...

resolv-retry infinite
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
fast-io
remote-random
comp-lzo no

I don't see where you inserted the config to ignore IPV6

In addition, check the server name/IP you are connecting to - Mullvad has been changing some servers lately.

 

[junn0]

Same error happening here using the same router as you. I think the issue is with Mullvad as when I use IVPN's ovpn config there is no issue.

 

[Karmatron]

Try changing/adding the following in the Custom Configuration field:

replace proto udp with proto udp4.
replace proto tcp with proto tcp4.
add pull-filter ignore "route-ipv6"
add pull-filter ignore "ifconfig-ipv6"

 

[junn0]

Try changing/adding the following in the Custom Configuration field:

replace proto udp with proto udp4.
replace proto tcp with proto tcp4.
add pull-filter ignore "route-ipv6"
add pull-filter ignore "ifconfig-ipv6"

This certainly did the trick! Thank you!

 

[Numancia]

Asuswrt-Merlin's OpenVPN client does not support IPv6. If your provider is pushing IPv6 options, you have to add config lines to tell your router to ignore them.

    pull-filter ignore "ifconfig-ipv6"
    pull-filter ignore "route-ipv6"

Thank you, adding these two lines to my custom configuration fixed my problem.

I also upgraded my AX-88U with the latest firmware 388.1 and noticed there is now a tab for Wireguard under VPN -> VPN Client... Do you know if someone has created a setup guide for Merlin with Wireguard and Mullvad VPN, can't find it on their site.