My OpenVPN client connects fine as per the logs below, tun0 gets established, and tcpdump shows traffic being sent over tun0, but no reply comes back.
It has to be an encryption issue? As no UDP 1195 packet comes back either, I presume the ExpressVPN end is dropping the packet.
Has anyone done this with ExpressVPN before?
Sun Jan 14 16:27:54 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: You have disabled Replay Protection (--no-replay) which may make OpenVPN less secure
Sun Jan 14 16:27:54 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1300)
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: TCP/UDP: Preserving recently used remote address: [AF_INET]169.50.128.202:1195
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: UDP link local: (not bound)
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: UDP link remote: [AF_INET]169.50.128.202:1195
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: TLS: Initial packet from [AF_INET]169.50.128.202:1195, sid=e8394cb0 9c6b9882
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY KU OK
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: Validating certificate extended key usage
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY EKU OK
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1562-1a, emailAddress=support@expressvpn.com
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1398', remote='link-mtu 1606'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1300', remote='tun-mtu 1500'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'no-replay' is present in local config but missing in remote config, local='no-replay'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Sun Jan 14 16:27:55 2018 daemon.notice openvpn(expressvpn)[32052]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jan 14 16:27:55 2018 daemon.notice openvpn(expressvpn)[32052]: [Server-1562-1a] Peer Connection Initiated with [AF_INET]169.50.128.202:1195
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: SENT CONTROL [Server-1562-1a]: 'PUSH_REQUEST' (status=1)
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.81.0.1,route 10.81.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.81.1.242 10.81.1.241'
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: route options modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Preserving previous TUN/TAP instance: tun0
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Initialization Sequence Completed
root@LEDE:/tmp/etc# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:00:41.884370 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2387, length 64
16:00:42.884435 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2388, length 64
16:00:43.884480 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2389, length 64
16:00:44.881307 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2390, length 64
Any ideas to further debug?
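
As an added example (not part of the original post, and not OpenVPN or ExpressVPN code): a small Python parser that pulls the option-consistency warnings out of an OpenVPN client log like the one above and lists each option with its local and remote value, so the local config can be compared line by line with what the server reports. The names `option_mismatches` and `SAMPLE_LOG` are illustrative; the sample lines are copied from the log above.

```python
import re

# Sample input: the four option-consistency warnings plus one unrelated line,
# copied from the log in the post above.
SAMPLE_LOG = """\
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1398', remote='link-mtu 1606'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1300', remote='tun-mtu 1500'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'no-replay' is present in local config but missing in remote config, local='no-replay'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Sun Jan 14 16:27:55 2018 daemon.notice openvpn(expressvpn)[32052]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
"""

# Shape 1: option set on both ends with different values.
BOTH_SIDES = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
# Shape 2: option set on one end only.
ONE_SIDE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in (?P<side>local|remote) config "
    r"but missing in (?:local|remote) config, (?:local|remote)='(?P<value>[^']*)'"
)


def option_mismatches(log_text):
    """Return [(option, local_value, remote_value)]; None means absent on that side."""
    seen, result = set(), []
    for line in log_text.splitlines():
        m = BOTH_SIDES.search(line)
        if m:
            row = (m["opt"], m["local"], m["remote"])
        else:
            m = ONE_SIDE.search(line)
            if not m:
                continue  # not an option-consistency warning
            value = m["value"]
            row = (m["opt"], value, None) if m["side"] == "local" else (m["opt"], None, value)
        if row not in seen:  # the same warnings repeat on every reconnect
            seen.add(row)
            result.append(row)
    return result


if __name__ == "__main__":
    for opt, local, remote in option_mismatches(SAMPLE_LOG):
        print(f"{opt:12} local={local or '(not set)':16} remote={remote or '(not set)'}")
```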