OpenVPN Connect used to work on all my devices, now connects but no bytes received

Official client software for OpenVPN Access Server and OpenVPN Cloud.
alexrose12345
OpenVpn Newbie
Posts: 2
Joined: Fri Sep 08, 2023 4:06 pm

Post by alexrose12345 » Fri Sep 08, 2023 4:45 pm

Hi,

My setup is I have an Asus router running the latest version of Merlin. As in the title, my laptop, mobile phone and wife's mobile phone can no longer connect to my VPN. The server is up (I can connect to it as a website directly, the DDNS is clearly working fine). Used to work flawlessly. Then started having a problem where we could only ever connect two devices simultaneously. Now I can't even get 1 anymore. My router is on the latest firmware of 3004.388.4, which uses the latest version of OpenVPN, I believe.

This happens over wifi at our apartment, my wife's parents' apartment, and additionally on data on my wife's carrier network, my carrier network and my old network. So I'm sure it isn't the network.

Here is my .ovpn config:

# Config generated by Asuswrt-Merlin 388.4, requires OpenVPN 2.4.0 or newer.

client
dev tun
proto udp
remote MYROUTER.com 1194
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN PRIVATE KEY-----
[redacted]
-----END PRIVATE KEY-----

</key>

Here is the log from my desktop (with my website redacted):

[Sep 8, 2023, 19:26:53] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Feb  7 2023 16:08:10
[Sep 8, 2023, 19:26:53] Frame=512/2048/512 mssfix-ctrl=1250
[Sep 8, 2023, 19:26:53] UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
7 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
[Sep 8, 2023, 19:26:53] EVENT: RESOLVE
[Sep 8, 2023, 19:26:53] Contacting 80.2.0.28:1194 via UDP
[Sep 8, 2023, 19:26:53] EVENT: WAIT
[Sep 8, 2023, 19:26:53] WinCommandAgent: transmitting bypass route to 80.2.0.28
{
	"host" : "80.2.0.28",
	"ipv6" : false
}

[Sep 8, 2023, 19:26:53] Connecting to [MYROUTER.com]:1194 (80.2.0.28) via UDPv4
[Sep 8, 2023, 19:26:53] EVENT: CONNECTING
[Sep 8, 2023, 19:26:53] Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
[Sep 8, 2023, 19:26:53] Creds: Username/Password
[Sep 8, 2023, 19:26:53] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_GUI_VER=OCWindows_3.3.7-2979
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

[Sep 8, 2023, 19:26:53] SSL Handshake: peer certificate: CN=RT-AX88U, 1024 bit RSA, cipher: TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD

[Sep 8, 2023, 19:26:53] Session is ACTIVE
[Sep 8, 2023, 19:26:53] EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
[Sep 8, 2023, 19:26:53] EVENT: GET_CONFIG
[Sep 8, 2023, 19:26:53] Sending PUSH_REQUEST to server...
[Sep 8, 2023, 19:26:53] OPTIONS:
0 [route] [192.168.50.0] [255.255.255.0] [vpn_gateway] [500]
1 [redirect-gateway] [def1]
2 [route-gateway] [10.8.0.1]
3 [topology] [subnet]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.8.0.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [AES-256-GCM]
9 [key-derivation] [tls-ekm]

[Sep 8, 2023, 19:26:53] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: TLS Keying Material Exporter [RFC5705]
  compress: NONE
  peer ID: 0
[Sep 8, 2023, 19:26:53] EVENT: ASSIGN_IP
[Sep 8, 2023, 19:26:53] CAPTURED OPTIONS:
Session Name: MYROUTER.com
Layer: OSI_LAYER_3
Remote Address: 80.2.0.28
Tunnel Addresses:
  10.8.0.2/24 -> 10.8.0.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: no
Add Routes:
  192.168.50.0/24 [METRIC=500]
Exclude Routes:
DNS Servers:
Search Domains:

[Sep 8, 2023, 19:26:54] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
	"allow_local_dns_resolvers" : false,
	"confirm_event" : "2c18000000000000",
	"destroy_event" : "a411000000000000",
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"add_routes" : 
		[
			{
				"address" : "192.168.50.0",
				"gateway" : "",
				"ipv6" : false,
				"metric" : 500,
				"net30" : false,
				"prefix_length" : 24
			}
		],
		"block_ipv6" : false,
		"layer" : 3,
		"mtu" : 0,
		"remote_address" : 
		{
			"address" : "80.2.0.28",
			"ipv6" : false
		},
		"reroute_gw" : 
		{
			"flags" : 275,
			"ipv4" : true,
			"ipv6" : false
		},
		"route_metric_default" : -1,
		"session_name" : "MYROUTER.com",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : -1,
		"tunnel_addresses" : 
		[
			{
				"address" : "10.8.0.2",
				"gateway" : "10.8.0.1",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			}
		]
	},
	"wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{931AEBDE-0773-4809-BAE3-034377726FAE}' index=18 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{931AEBDE-0773-4809-BAE3-034377726FAE}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=18
netsh interface ip set interface 18 metric=1
Ok.
netsh interface ip set address 18 static 10.8.0.2 255.255.255.0 gateway=10.8.0.1 store=active
IPHelper: add route 192.168.50.0/24 18 10.8.0.1 metric=500
netsh interface ip add route 80.2.0.28/32 27 192.168.1.1 store=active
The object already exists.
netsh interface ip add route 0.0.0.0/1 18 10.8.0.1 store=active
Ok.
netsh interface ip add route 128.0.0.0/1 18 10.8.0.1 store=active
Ok.
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: e417000000000000
[Sep 8, 2023, 19:26:54] Connected via TUN_WIN
[Sep 8, 2023, 19:26:54] EVENT: CONNECTED zephyr@MYROUTER.com:1194 (80.2.0.28) via /UDPv4 on TUN_WIN/10.8.0.2/ gw=[10.8.0.1/]

Then nothing. As you can see, it connects. Here's how it looks:

Image

Here are the logs from my router:

Sep  9 00:26:16 ovpn-server1[2168]: client/[my laptop's ip]:62290 [client] Inactivity timeout (--ping-restart), restarting
Sep  9 00:26:16 ovpn-server1[2168]: client/[my laptop's ip]:62290 SIGUSR1[soft,ping-restart] received, client-instance restarting
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AX88U, emailAddress=me@asusrouter.lan
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=client, emailAddress=me@asusrouter.lan
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_VER=3.git::d3f8b18b
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_PLAT=win
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_NCP=2
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_TCPNL=1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_PROTO=30
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_GUI_VER=OCWindows_3.3.7-2979
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_SSO=webauth,openurl,crtext
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 peer info: IV_BS64DL=1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 TLS: Username/Password authentication succeeded for username 'zephyr' 
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA1
Sep  9 00:26:55 ovpn-server1[2168]: [my laptop's ip]:52083 [client] Peer Connection Initiated with [AF_INET][my laptop's ip]:52083 (via [AF_INET]80.2.0.28%eth0)
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 MULTI: Learn: 10.8.0.2 -> client/[my laptop's ip]:52083
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 MULTI: primary virtual IP for client/[my laptop's ip]:52083: 10.8.0.2
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.50.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)
Sep  9 00:26:55 ovpn-server1[2168]: client/[my laptop's ip]:52083 PUSH: Received control message: 'PUSH_REQUEST'
Sep  9 00:26:56 ovpn-server1[2168]: client/[my laptop's ip]:52083 Data Channel: cipher 'AES-256-GCM', peer-id: 0
Sep  9 00:26:56 ovpn-server1[2168]: client/[my laptop's ip]:52083 Timers: ping 15, ping-restart 120
Sep  9 00:26:56 ovpn-server1[2168]: client/[my laptop's ip]:52083 Protocol options: protocol-flags tls-ekm

Here is my router configuration:
Image

Additionally, it appears here in my router and claims to be working, but in reality no bytes in:
Image

My phone is on Android on version 3.3.4 (9290)
Windows is on 3.3.7 (2979) and claims to be up to date
Wife's phone (iOS) is on 3.3.4 (5176)

Any ideas? At my wit's end. Thanks

Re: OpenVPN Connect used to work on all my devices, now connects but no bytes received

Post by alexrose12345 » Fri Sep 08, 2023 5:53 pm

I'm also unable to ping 10.8.0.1, if that's useful information.
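
A check that could be run over a router log in the format posted in this thread, reporting the certificate parameters and timeouts the log itself records. It is an added example, not part of the original posts and not OpenVPN or Asuswrt-Merlin code; the 2048-bit floor, the digest and cipher lists, the function name `audit` and the sample address 192.0.2.10 are assumptions.

```python
import re

# Constructed sample: three lines in the format of the router log above,
# with the client address replaced by a documentation address (assumption).
SAMPLE_LOG = """\
Sep  9 00:26:16 ovpn-server1[2168]: client/192.0.2.10:62290 [client] Inactivity timeout (--ping-restart), restarting
Sep  9 00:26:55 ovpn-server1[2168]: 192.0.2.10:52083 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 1024 bit RSA, signature: RSA-SHA1
Sep  9 00:26:56 ovpn-server1[2168]: client/192.0.2.10:52083 Data Channel: cipher 'AES-256-GCM', peer-id: 0
"""

CONTROL_RE = re.compile(
    r"Control Channel: (?P<tls>TLSv[\d.]+), cipher \S+ (?P<suite>\S+), "
    r"peer certificate: (?P<bits>\d+) bit (?P<alg>\w+), signature: (?P<sig>[\w-]+)"
)
DATA_RE = re.compile(r"Data Channel: cipher '(?P<cipher>[^']+)'")
MIN_RSA_BITS = 2048                 # assumed policy floor, not taken from the page
WEAK_DIGESTS = ("MD5", "SHA1")      # assumed policy list
AEAD_CIPHERS = ("AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305")


def audit(log_text):
    """Return (line_number, finding) tuples for an OpenVPN server log."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CONTROL_RE.search(line)
        if m:
            if m["alg"] == "RSA" and int(m["bits"]) < MIN_RSA_BITS:
                findings.append((n, f"peer certificate key is {m['bits']} bit RSA"))
            if any(m["sig"].upper().endswith(d) for d in WEAK_DIGESTS):
                findings.append((n, f"peer certificate signed with {m['sig']}"))
        m = DATA_RE.search(line)
        if m and m["cipher"] not in AEAD_CIPHERS:
            findings.append((n, f"non-AEAD data cipher {m['cipher']}"))
        if "Inactivity timeout (--ping-restart)" in line:
            findings.append((n, "session dropped by ping-restart timeout"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

The findings describe what the log lines state about the session; they are not a diagnosis of the missing traffic.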
