OpenVPN client issues to ExpressVPN

My OpenVPN client connects fine as per the logs below, tun0 gets established, tcpdump shows traffic gets sent over tun0, but no reply comes back.

It has to be an encryption issue? No UDP 1195 packet comes back either, so I presume the ExpressVPN end is dropping the packet.

Has anyone done this with ExpressVPN before?

Sun Jan 14 16:27:54 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: You have disabled Replay Protection (--no-replay) which may make OpenVPN less secure
Sun Jan 14 16:27:54 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1300)
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: TCP/UDP: Preserving recently used remote address: [AF_INET]169.50.128.202:1195
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: UDP link local: (not bound)
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: UDP link remote: [AF_INET]169.50.128.202:1195
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: TLS: Initial packet from [AF_INET]169.50.128.202:1195, sid=e8394cb0 9c6b9882
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY KU OK
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: Validating certificate extended key usage
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY EKU OK
Sun Jan 14 16:27:54 2018 daemon.notice openvpn(expressvpn)[32052]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1562-1a, emailAddress=support@expressvpn.com
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1398', remote='link-mtu 1606'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1300', remote='tun-mtu 1500'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'no-replay' is present in local config but missing in remote config, local='no-replay'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Sun Jan 14 16:27:55 2018 daemon.notice openvpn(expressvpn)[32052]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jan 14 16:27:55 2018 daemon.notice openvpn(expressvpn)[32052]: [Server-1562-1a] Peer Connection Initiated with [AF_INET]169.50.128.202:1195
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: SENT CONTROL [Server-1562-1a]: 'PUSH_REQUEST' (status=1)
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.81.0.1,route 10.81.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.81.1.242 10.81.1.241'
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: route options modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Preserving previous TUN/TAP instance: tun0
Sun Jan 14 16:27:56 2018 daemon.notice openvpn(expressvpn)[32052]: Initialization Sequence Completed


root@LEDE:/tmp/etc# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
16:00:41.884370 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2387, length 64
16:00:42.884435 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2388, length 64
16:00:43.884480 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2389, length 64
16:00:44.881307 IP 10.81.1.242 > 172.217.25.142: ICMP echo request, id 9085, seq 2390, length 64

Any ideas to further debug?

config file

cat /var/etc/openvpn-expressvpn.conf 
auth-nocache
client
nobind
no-replay
persist-key
persist-tun
pull
tls-client
auth SHA512
auth-user-pass /etc/openvpn/userpass.txt
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
cipher AES-256-CBC
comp-lzo yes
dev tun
dh dh1024.pem
key /etc/openvpn/client.key
key-direction 1
keysize 256
port 1195
proto udp
remote netherlands-amsterdam-2-ca-version-2.expressnetw.com
remote-cert-tls server
reneg-sec 0
tls-auth /etc/openvpn/tlsauth.key
tun-mtu 1300
verb 10

tcpdump on internet port while pinging

root@LEDE:~# tcpdump -n -i eth0 port 1195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:12:50.978838 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 145
17:12:51.049748 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 177
17:12:51.230285 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 145
17:12:51.977594 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 145
17:12:52.049705 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 177
17:12:52.229679 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 145
17:12:53.046656 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 177
17:12:53.353172 IP 169.50.128.202.1195 > 192.168.0.6.42555: UDP, length 113
17:12:53.978517 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 145
17:12:54.049728 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 177
17:12:54.233803 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 145
17:12:55.049769 IP 192.168.0.6.42555 > 169.50.128.202.1195: UDP, length 177

You can see one small packet come back... presumably a control packet.

Please don't crosspost/post more than one thread about the issue. I've replied in your other thread.

Here is my working conf file for expressvpn.

client
fast-io
ifconfig-nowarn
mute-replay-warnings
nobind
persist-key
persist-tun
auth SHA512
auth-user-pass /etc/openvpn/expressvpn/auth
ca /etc/openvpn/expressvpn/ca2.crt
cert /etc/openvpn/expressvpn/client.crt
cipher AES-256-CBC
compress lzo
dev tun
fragment 1300
keepalive 10 120
key /etc/openvpn/expressvpn/client.key
key-direction 1
keysize 256
log /tmp/openvpn.log
port 1195
proto udp
redirect-gateway def1
remote netherlands-amsterdam-2-ca-version-2.expressnetw.com
remote-cert-tls server
resolv-retry infinite
status /tmp/openvpn-status.log
tls-auth /etc/openvpn/expressvpn/ta.key
verb 3
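
Added example, not part of any post in this thread and not ExpressVPN's or OpenVPN's own tooling: a shell script that turns the option-mismatch WARNING lines from the first post's log into a list of directives to compare against the client config. It reports 'mtu-dynamic', the name the OpenVPN options string uses for --fragment, as fragment, which the working config above sets (fragment 1300) and the first config does not. The function names and the trimmed sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list the option mismatches an OpenVPN
# client logs after the handshake, and whether the client config sets each one.

# Constructed sample: five WARNING lines copied from the log in the first post.
sample_log() {
cat <<'EOF'
Sun Jan 14 16:27:54 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: You have disabled Replay Protection (--no-replay) which may make OpenVPN less secure
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1398', remote='link-mtu 1606'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1300', remote='tun-mtu 1500'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'no-replay' is present in local config but missing in remote config, local='no-replay'
Sun Jan 14 16:27:55 2018 daemon.warn openvpn(expressvpn)[32052]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
EOF
}

# Constructed sample: three directives from the first poster's client config.
sample_conf() {
cat <<'EOF'
no-replay
comp-lzo yes
tun-mtu 1300
EOF
}

# Emit "directive<TAB>kind<TAB>local<TAB>remote" for each mismatch warning.
# Splitting on the single quote puts the option name in $2 and the quoted
# local/remote values in $4 and $6; warnings without quotes match nothing.
mismatches() {
    awk -F"'" '
        !/WARNING:/ { next }
        { name = ($2 == "mtu-dynamic") ? "fragment" : $2 }
        $3 ~ /used inconsistently/ { split($4, l, " "); split($6, r, " ")
                                     print name "\tvalue\t" l[2] "\t" r[2] }
        $3 ~ /present in local config/  { print name "\tlocal-only\tset\t-" }
        $3 ~ /present in remote config/ { print name "\tremote-only\t-\tset" }
    '
}

# Read mismatches on stdin; $1 is the client config text to check against.
review() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r dir kind loc rem; do
        state="absent from client config"
        printf '%s\n' "$1" | grep -Eq "^$dir( |\$)" && state="set in client config"
        echo "$dir: $kind (local=$loc remote=$rem), $state"
    done
}

sample_log | mismatches | review "$(sample_conf)"
```

link-mtu always shows as absent because it is normally derived from tun-mtu and the cipher, auth, compression and fragment settings rather than set directly.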