Netbug, Appreciate your posting. I went another 8 hours with mine today, with little to show for it afterwards. I'd hoped the gremlins would be gone today, but no. I like to stay with the stock settings the vpn provider builds in his configs, but learned from past research here, that sometimes you can get results experimenting with a 'relaxed' setting on a config as opposed to strict. Making everything stop, is as good a killswitch as we can get in these boxes instead of taking the fall to WAN/ISP. I like to use https://www.doileak.com, which gives decent test results, and there are other leak sites. If you shut down all the ads, cookies, etc coming in/going out of your computer, tablets, phones etc, you've done what you can. My 34 year old never saw a screen not filled with ads, but won't make time to learn basic routing and firewall skills, yet.

This strange client tunnel behavior is worse than anything I've dealt with for a while. Failing GUI and faltering openvpn configs is deeper than I care to get into the arcane art, since there's no explanation for any of it. I found similar issues listed on an Asus site; hopefully they're noticing/investigating. I don't get how the GUI and faltering tunnels are connected, but it seems connected on my unit.

I don't usually set DNS in WAN to anything (not a purist in case anyone yelps). You don't have to set anything since the router usually takes care of it, but depends on how your tablets, phones are set up or will behave. It's hard to test how much leakage is going to the ISP but it's difficult to obscure much from them while testing. My gear is all in-house and never goes elsewhere, but it's why we try to secure these things. I've never had ill effects, errors or leakage by pointing to the VPN provider's network at 10.10.10 etc, and their 'smart' DNS handles everything in the tunnel, usually, when the GUI and configs aren't stalling about. The IPs in ours are all set in LAN DHCP, the DNS/WINS server fields point directly to 10.10. etc, in the provider configs, with a secondary of 8.8.8.8, to get lost in everyone's google's noise if a tunnel fails. I've had surprisingly poor luck lately with Opennic DNS. Many secure sites won't allow sign ins, clock times from other sites don't always sync as well as they could. Forget netflix on a laptop, tablet or box, unless your VPN provider makes quiet arrangements; only a few are left that can do so.
If your device or router leaks, you and the VPN provider are picked up and blacklisted by netflix and buds. Just an example, an Opennic DNS we used for a long time, showed we were making DNS queries from Antarctica, Oceania or Nigeria; that won't do, so google DNS was the least of our worries. A couple of our in-house units won't work without setting google's DNS internally. I tried an older android tablet today, it leaked and was a bit too slow, given the GUI/tunnel issues. The older android units aren't supposed to leak as much as the new ones, but I get to play with new ones only when the grandkids call to say their phones aren't working very well.

The AC3200 did fairly well for the first 3 hours today, then murphy's law kicked it back to yesterday. The openvpn configs wouldn't load or save, then they wouldn't turn on. Both client1/client2 buttons took many clicks before changing, then the GUI locked up. The config 'ON' button exhibited the same balky behavior. I reset the configs to default, saved, rebooted, then loaded the configs, keys and certs from scratch, several times. It's a broken record and not a good sign. Last, I removed the power, waited 15 minutes then did all again, but no change. The router has a fan sitting near it that keeps it at a steady 50C, so it's not overheating. It's like the innards are stuck in mud. If there are no IP or range conflicts/collisions, since one can't easily run two openvpn configs in one normal Asus router, it's the end of my tests for a while. I'm rolling back to 380.68, then the backup router is going into service. If this is a result of someone's hacking attempts directed at openvpn or Asus, it's new, nasty, and I hope they're caught soon. (Didn't mean to go on). Good luck to all of us.