
RT-AX88U VPN Issues

Discussion in 'Asuswrt-Merlin' started by Skeptical.me, May 16, 2019.

  1. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    428
    Location:
    Australia
    ASUS RT-AX88U ASUSWRT-Merlin 384.11

    2 problems:

    1. ExpressVPN is sometimes showing 7 DNS servers on ipleak.net (and other similar sites). Usually I only see one DNS server, and I'm only supposed to see 1 ... Accept DNS Configuration is set to Exclusive, and Redirect Internet Traffic is set to All.

    2. Also most of the time I see the following in the OpenVPN Client:

    Code:
    Connected (Local: 10.48.0.62 - Public: unknown) 
    "Public Unknown" = no ExpressVPN IP address


    Here are parts of the logs that relate to the OpenVPN client 2 I was using to test (I'm not sure how to read it)


    These are the Custom Configs from the ExpressVPN .ovpn config file:

    Code:
    fast-io
    remote-random
    pull
    tls-client
    verify-x509-name Server name-prefix
    ns-cert-type server
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1450
    keysize 256
    sndbuf 524288
    rcvbuf 524288

    All 5 clients have been working perfectly well until today, and I don't know what has changed to cause this issue.

    Any help is really appreciated :)
     
    Last edited: May 16, 2019
  2. octopus

    octopus Very Senior Member

    Joined:
    Jul 17, 2012
    Messages:
    1,202
    Update remote-cert-tls and sha512.
    And maybe add auth-nocache.
     
  3. no_name

    no_name Regular Contributor

    Joined:
    Sep 11, 2018
    Messages:
    116
    Location:
    UK
    I only used to see 1 DNS server; this seems to have changed recently for reasons I'm unaware of.

    The Connected (Local: 10.48.0.62 - Public: unknown) happened to me some time ago; on the VPN client page compression should be set to none. Soon after, ExpressVPN updated their .ovpn files so compression was disabled.

    If the Connected (Local: 10.48.0.62 - Public: unknown) persists perhaps someone with far more knowledge than me can help


  4. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    428
    Location:
    Australia
    Thanks for the reply.

    Forgive me for my ignorance, when you say "Update remote-cert-tls and sha512
    And maybe add auth-nocache",
    what would the Custom Config look like after these changes? (I've used .ovpn config files for a number of years but still need to learn more.)

    Thanks for the help.
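    Added illustration, not code from any poster in this thread: a small Python linter that takes the ExpressVPN custom-config block quoted in the first post, flags the directives octopus's advice targets (ns-cert-type, the missing remote-cert-tls and auth-nocache) plus a couple of others that OpenVPN on a Linux router deprecates or ignores, and prints what the block looks like after the changes. It assumes that "sha512" in the advice means an `auth SHA512` line and that the provider's server side no longer uses comp-lzo; check both against your provider's current .ovpn file.

```python
# Constructed sample: the ExpressVPN custom-config lines quoted in the thread.
SAMPLE = "\n".join(["fast-io", "remote-random", "pull", "tls-client",
                    "verify-x509-name Server name-prefix", "ns-cert-type server",
                    "route-method exe", "route-delay 2", "tun-mtu 1500", "fragment 1300",
                    "mssfix 1450", "keysize 256", "sndbuf 524288", "rcvbuf 524288"])

# Directive -> replacement (None = drop). ns-cert-type and keysize were deprecated
# in OpenVPN 2.4 and later removed; route-method is a Windows-only option.
REWRITE = {"ns-cert-type": "remote-cert-tls server", "keysize": None,
           "route-method": None}
# Lines to add when absent. "auth SHA512" is an assumption about what the
# thread's "sha512" refers to; use the digest your provider actually specifies.
ENSURE = ["remote-cert-tls server", "auth SHA512", "auth-nocache"]

def parse(text):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def lint(text):
    """Return findings for a custom-config block (empty list = nothing to fix)."""
    names = {n for n, _ in parse(text)}
    out = [f"{n}: deprecated or ignored here; use '{r or 'nothing'}'"
           for n, r in REWRITE.items() if n in names]
    if "comp-lzo" in names:  # even 'comp-lzo no' keeps the compression framing byte
        out.append("comp-lzo: remove it unless the server still uses comp-lzo")
    out += [f"missing: {w}" for w in ENSURE if w.split()[0] not in names]
    return out

def rewrite(text):
    """Return the config with deprecated lines replaced and ENSURE lines added."""
    lines = []
    for name, args in parse(text):
        if name not in REWRITE:
            lines.append(" ".join([name, *args]))
        elif REWRITE[name]:
            lines.append(REWRITE[name])
    present = {l.split()[0] for l in lines}
    lines += [w for w in ENSURE if w.split()[0] not in present]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
    print(rewrite(SAMPLE))
```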
     
  5. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    428
    Location:
    Australia
    By any chance are you using Diversion? Because if you are and you're getting those results you might have to change Accept DNS Configuration to Exclusive, and Redirect Internet Traffic to All ...

    Yes, the Local: 10.48.0.62 - Public: unknown has something to do with compression, so I thought. I solved that after someone directed me to add

    Code:
    comp-lzo no
    push "comp-lzo no"
    to the end of the Custom Configuration and switch Compression to disabled

    But that solution doesn't appear to be working this time.


    Thanks for your help.
     
  6. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    269
    Like @no_name suggested, try switching Compression to None, not Disabled.
     
    Last edited: May 16, 2019
  7. no_name

    no_name Regular Contributor

    Joined:
    Sep 11, 2018
    Messages:
    116
    Location:
    UK
    With Diversion, DNS set to Exclusive and policy rules set to All, I still get multiple DNS servers showing up.

    I know nothing about custom configurations, but on the off chance, the picture below shows where it says compression set to None.
  8. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,361
    Location:
    The Land of Smiles
    I made an effort to get rid of warning messages recently on my OpenVPN clients. At the prompting of my provider, who also suggested using no compression, and as that is also the general forum recommendation.

    OpenVPN client on pfSense has the same options. I tried both options in Asuswrt-Merlin and pfSense firmware. When setting compression to either None or Disabled, I get the same message:

    Code:
     WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    I don't understand why comp-lzo is present in local config when I've set it to None or Disabled. :confused:

    I need to look deeper at the config files on the OS to see what is being written out when None or Disabled is configured. Maybe an OpenVPN bug?
     
  9. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,361
    Location:
    The Land of Smiles
    With Accept DNS Configuration = Exclusive, you can verify the DNSVPNx chain has been created for LAN clients assigned to the tunnel, where "x" = VPN client number, e.g. DNSVPN1:

    Code:
    iptables --line -t nat -nvL DNSVPNx

    DNSFILTER enabled?

    Code:
    iptables -nvL -t nat --line PREROUTING
     
    Last edited: May 16, 2019
  10. Zastoff

    Zastoff Senior Member

    Joined:
    Nov 21, 2017
    Messages:
    269
    I don't use the same VPN provider, but mine gave me the option to disable compression a few weeks ago.
    I had to choose on my VPN provider account page to disable compression (can use compression if I want it).
    First tried compression Disabled, did not work.
    Compression None works for me.
    Think option None still has a sort of empty frame for compression;
    Disabled does not.
    About the many DNS servers on ipleak, happened to me as well on some DNS servers. Think it happens when they link together DNS servers.
    When I used my VPN provider's DNS IPv4 servers I got the IPv6 servers as well, even when I don't have IPv6 and even blocked IPv6 DNS servers in DNSCrypt.
     
    Last edited: May 16, 2019
  11. Martineau

    Martineau Part of the Furniture

    Joined:
    Jul 8, 2012
    Messages:
    2,274
    Location:
    UK
    Set the 'Log verbosity' to "param" mode (4), and hopefully all of the parameters should be dumped to Syslog.

    FYI Certain VPN ISPs such as 'Vpnbook' apparently never have a public IP (see /usr/sbin/gettunnelip.sh)… at least not for the two STUN servers.
  12. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,361
    Location:
    The Land of Smiles
    I noticed a change with TorGuard recently. They appear to be using Cloudflare 1.1.1.1 near the location of the VPN server. So when I run an ipleak test, I see many cloudflare servers listed due to the load balancing and redundancy they have built in.
     
  13. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    428
    Location:
    Australia
    It's strange what is happening, as ExpressVPN was working perfectly OK, and I upgraded Merlin, then the issue started.

    [screenshot of the VPN Client and the results of the ipleak.net scan]

    Usually there's only one DNS server.
     
  14. no_name

    no_name Regular Contributor

    Joined:
    Sep 11, 2018
    Messages:
    116
    Location:
    UK
    I have the same setup as you, the only difference is I haven't renamed the client instance or the description.

    [screenshots of the VPN client settings, the ipleak.net results and the results from https://www.expressvpn.com/dns-leak-test]

    I’m not worried about the multiple servers being shown, another person mentioned it could be for load balancing.

    If you haven't done so already I would download fresh copies of the .ovpn files from ExpressVPN and start over. Also, is it just the one client you have running?
  15. Skeptical.me

    Skeptical.me Senior Member

    Joined:
    Sep 22, 2016
    Messages:
    428
    Location:
    Australia

    Hi, thanks for the reply.

    Using the ExpressVPN DNS Leak page (https://www.expressvpn.com/dns-leak-test) I receive the following result:


    Code:
    No DNS leaks detected
    You’re using ExpressVPN’s secure DNS servers.
    
    All DNS requests are going through ExpressVPN's encrypted, private servers.
    And I'm able to watch HULU, Prime Video, and US Netflix from Australia.

    So no DNS is leaking, because if it was leaking I wouldn't be able to watch those streaming services, the VPN warning would show.

    I use all 5 VPN clients. I use 3 VPN services: 1. ExpressVPN, 2. ProtonVPN, and 3. TorGuard.
     
  16. no_name

    no_name Regular Contributor

    Joined:
    Sep 11, 2018
    Messages:
    116
    Location:
    UK
    I asked in case you were using more than three ExpressVPN clients at the same time, which is the maximum ExpressVPN allows and could account for the (Local: 10.48.0.62 - Public: unknown).

    I had a setting wrong when I mirrored your setup, so just to confirm, like you there's no DNS leak with this setup.
  17. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,361
    Location:
    The Land of Smiles
    384.11 had a major change with DNS DoT. Review the settings on the WAN page.

    Do you have Cloudflare DNS Client installed or DoT installed in your browser? That would take precedence over the router settings unless you have DNSFILTER set to Router.

    I suspect this may have something to do with the workarounds to avoid VPN blocks. I would ask them about the issue to get their take. Sometimes a friendly phone call can result in some insider information that you would normally not get over a support ticket.

    There are several tools to look up IP address ownership on the internet. My two favorites are:

    https://bgp.he.net/
    https://ipinfo.io/
     
    Last edited: May 17, 2019