OpenWrt - wrt3000acm linksys - openvpn - routing

Dear All,

My name is Filipe and I am a new openwrt user. I followed the instructions provide by openwrt in order to install it.

I did the router set up, wireless set up, openvpn set up, interface set up and zone set up.
My geral set up is:

wireless (guest lan) -> openvpn -> wan
wireless (main lan) -> wan

I confirm the VPN is correctly set it up because there is no issue on the logs.

However when I connect the openvpn (enable it) I lost internet access from the both interfaces "guest lan" and "main lan".

Have you an ideia about the reason of this happen?

Many thanks,

Filipe

Please perform the steps under Troubleshooting for your next post

More information is likely required, but given the vague information in your post, two possibilities come to mind:

  1. You've configured openvpn to become the default gateway, which means means access is lost to the openvpn server, which means openvpn dies.
  2. You're pushing or pulling some route that overrides the normal routing table and are destroying your router's routing table, meaning network connectivity goes away (I'd consider this the most likely).

Can you point out the guide you followed for openvpn and your openvpn configuration as well as your network configuration and dns configuration. Also can you clarify if you are an openvpn client or server, or what?

VPN - OpenVPN Client configuration.

config openvpn 'protonvpn'
	option client '1'
	option comp_lzo 'yes'
	option reneg_sec '0'
	option verb '3'
	option persist_key '1'
	option nobind '1'
	option remote_cert_tls 'server'
	list remote '185.183.104.139'
	option port '1194'
	option dev_type 'tun'
	option proto 'udp'
	option fast_io '1'
	option dev 'tun'
	option persist_tun '1'
	option tun_mtu '1500'
	option tun_mtu_extra '32'
	option pull '1'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option key_direction '1'
	option auth_user_pass '/etc/openvpn/protonvpn/userpass.txt'
	option tls_client '1'
	option ca '/etc/openvpn/protonvpn/ca.crt'
	option tls_auth '/etc/openvpn/protonvpn/tlsauth.key'

Firewall rules (some of then are by openwrt default)

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'openvpn'
	option forward 'ACCEPT'
	option network 'openvpn'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'guest'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'guest'
	option src 'openvpn'

config forwarding
	option dest 'wan'
	option src 'openvpn'

config forwarding
	option dest 'openvpn'
	option src 'guest'

The logs attached 21

Many thanks for help and sorry disturb you.

GUI rules22

I followed the instruction given by my VPN provider (ProtonVPN).
The other set up was seeing your forum and instructions.

Probably you are right there is some issue in routing the trafic.

I noticed a few problems, however I also wanted to mention the log... please post the actual text from the log file versus a screenshot when asked for log output.

  • After reviewing your configs, it's not likely the log is required (no need at this point to re-post it in text form), but wanted to mention it for future reference.

Your issue is likely originating from your firewall settings.

  • Masquerade [masq], and likely mtu_fix as well, is only to be set on WAN facing interfaces (i.e. any interface that receives a public IP)
    config zone
        option  name      'guest'
        option  network   'guest'
        option  input     'ACCEPT'
        option  output    'ACCEPT'
        option  forward   'ACCEPT'
    
  • Your default zone should be set to forward 'REJECT' or 'DROP'
    config defaults
        option  input            'ACCEPT'
        option  output           'ACCEPT'
        option  forward          'REJECT'
        option  syn_flood        '1'
        option  flow_offloading  '1'
    

For your VPN config, there's no reason to utilize anything higher than AES-128-CBC for the encryption level, as AES128 will remain uncrackable until at least 2030.

  • You're also missing the log parameter in your config.
    • Add: option log '/tmp/openvpn.log'

  • If your firewall changes don't correct the problem, please change your OpenVPN verbosity to 7 (verb 7) and restart OpenVPN (/etc/init.d/openvpn restart).
    • Once done, please copy the content of /tmp/openvpn.log into a code box

Dear JW0914,

My apologies for the log. The GUI doesn't allow me copy the text so I took a screenshot.

Is it possible to change the cipher? I thought the details needed to match with the server.

I followed your steps careful. But still not working. I changed the VPN verbosity to 7 (should be the last part of this log) and below follows the log as requested.

Fri Aug 10 11:56:54 2018 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Aug 10 11:56:54 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Fri Aug 10 11:56:55 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Aug 10 11:56:55 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Aug 10 11:56:55 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.104.139:1194
Fri Aug 10 11:56:55 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Aug 10 11:56:55 2018 UDP link local: (not bound)
Fri Aug 10 11:56:55 2018 UDP link remote: [AF_INET]185.183.104.139:1194
Fri Aug 10 11:56:55 2018 write UDP: Network unreachable (code=101)
Fri Aug 10 11:56:55 2018 Network unreachable, restarting
Fri Aug 10 11:56:55 2018 SIGUSR1[soft,network-unreachable] received, process restarting
Fri Aug 10 11:56:55 2018 Restart pause, 5 second(s)
Fri Aug 10 11:57:00 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.104.139:1194
Fri Aug 10 11:57:00 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Aug 10 11:57:00 2018 UDP link local: (not bound)
Fri Aug 10 11:57:00 2018 UDP link remote: [AF_INET]185.183.104.139:1194
Fri Aug 10 11:57:00 2018 TLS: Initial packet from [AF_INET]185.183.104.139:1194, sid=47b06cfc e6a9b151
Fri Aug 10 11:57:00 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Aug 10 11:57:00 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA 
Fri Aug 10 11:57:00 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 11:57:00 2018 VERIFY KU OK
Fri Aug 10 11:57:00 2018 Validating certificate extended key usage
Fri Aug 10 11:57:00 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 11:57:00 2018 VERIFY EKU OK 
Fri Aug 10 11:57:00 2018 VERIFY OK: depth=0, CN=ch-02. protonvpn. com
Fri Aug 10 11:57:00 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 11:57:00 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 11:57:00 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 11:57:00 2018 [ch-02.protonvpn. com] Peer Connection Initiated with [AF_INET]185.183.104.139:1194
Fri Aug 10 11:57:02 2018 SENT CONTROL [ch-02.protonvpn. com]: 'PUSH_REQUEST' (status=1)
Fri Aug 10 11:57:02 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.21 255.255.255.0,peer-id 9,cipher AES-256-GCM'
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: explicit notify parm(s) modified
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Fri Aug 10 11:57:02 2018 Socket Buffers: R=[163840->327680] S=[163840->327680]
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: route options modified
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: route-related options modified
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: peer-id set
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: adjusting link_mtu to 1656
Fri Aug 10 11:57:02 2018 OPTIONS IMPORT: data channel crypto options modified
Fri Aug 10 11:57:02 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Aug 10 11:57:02 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 11:57:02 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 11:57:02 2018 TUN/TAP device tun0 opened
Fri Aug 10 11:57:02 2018 TUN/TAP TX queue length set to 100
Fri Aug 10 11:57:02 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Aug 10 11:57:02 2018 /sbin/ifconfig tun0 10.8.8.21 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Fri Aug 10 11:57:02 2018 /sbin/route add -net 185.183.104.139 netmask 255.255.255.255 gw 192.168.1.1
Fri Aug 10 11:57:02 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 11:57:02 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 11:57:02 2018 Initialization Sequence Completed
Fri Aug 10 11:58:03 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:58:13 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:58:23 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:58:34 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:58:44 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:58:53 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:02 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:02 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:02 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:03 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:03 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:14 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:24 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:34 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 11:59:43 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:00:01 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:02 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:03 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:03 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:04 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:06 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:08 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:11 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:12 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:13 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:16 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:28 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:29 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:30 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:31 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)
Fri Aug 10 12:00:43 2018 [ch-02.protonvpn. com] Inactivity timeout (--ping-restart), restarting
Fri Aug 10 12:00:43 2018 SIGUSR1[soft,ping-restart] received, process restarting
Fri Aug 10 12:00:43 2018 Restart pause, 5 second(s)
Fri Aug 10 12:00:48 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:00:48 2018 Socket Buffers: R=[163840->327680] S=[163840->327680]
Fri Aug 10 12:00:48 2018 UDP link local: (not bound)
Fri Aug 10 12:00:48 2018 UDP link remote: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:00:48 2018 TLS: Initial packet from [AF_INET]185.183.104.139:1194, sid=c551befc 8cc31eb2
Fri Aug 10 12:00:48 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Fri Aug 10 12:00:48 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 12:00:48 2018 VERIFY KU OK
Fri Aug 10 12:00:48 2018 Validating certificate extended key usage
Fri Aug 10 12:00:48 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 12:00:48 2018 VERIFY EKU OK
Fri Aug 10 12:00:48 2018 VERIFY OK: depth=0, CN=ch-02.protonvpn. com
Fri Aug 10 12:00:49 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:00:49 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:00:49 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 12:00:49 2018 [ch-02.protonvpn. com] Peer Connection Initiated with [AF_INET]185.183.104.139:1194
Fri Aug 10 12:00:50 2018 SENT CONTROL [ch-02.protonvpn. com]: 'PUSH_REQUEST' (status=1)
Fri Aug 10 12:00:52 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.28 255.255.255.0,peer-id 72,cipher AES-256-GCM'
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: explicit notify parm(s) modified
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Fri Aug 10 12:00:52 2018 Socket Buffers: R=[327680->327680] S=[327680->327680]
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: route options modified
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: route-related options modified
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: peer-id set
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: adjusting link_mtu to 1656
Fri Aug 10 12:00:52 2018 OPTIONS IMPORT: data channel crypto options modified
Fri Aug 10 12:00:52 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Aug 10 12:00:52 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:00:52 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:00:52 2018 Preserving previous TUN/TAP instance: tun0
Fri Aug 10 12:00:52 2018 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Fri Aug 10 12:00:52 2018 /sbin/route del -net 185.183.104.139 netmask 255.255.255.255
Fri Aug 10 12:00:52 2018 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Fri Aug 10 12:00:52 2018 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Fri Aug 10 12:00:52 2018 Closing TUN/TAP interface
Fri Aug 10 12:00:52 2018 /sbin/ifconfig tun0 0.0.0.0
Fri Aug 10 12:00:53 2018 TUN/TAP device tun0 opened
Fri Aug 10 12:00:53 2018 TUN/TAP TX queue length set to 100
Fri Aug 10 12:00:53 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Aug 10 12:00:53 2018 /sbin/ifconfig tun0 10.8.8.28 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Fri Aug 10 12:00:53 2018 /sbin/route add -net 185.183.104.139 netmask 255.255.255.255 gw 192.168.1.1
Fri Aug 10 12:00:53 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 12:00:53 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 12:00:53 2018 Initialization Sequence Completed
Fri Aug 10 12:00:53 2018 write UDP: Operation not permitted (code=1)
Fri Aug 10 12:01:02 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:11 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:21 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:27 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:28 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:29 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:32 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:38 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:48 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:01:59 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:02:08 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:02:18 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:02:28 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:02:38 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:02:48 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:03:04 2018 TLS: new session incoming connection from [AF_INET]185.183.104.139:1194
Fri Aug 10 12:03:04 2018 TLS: new session incoming connection from [AF_INET]185.183.104.139:1194
Fri Aug 10 12:03:06 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Fri Aug 10 12:03:06 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 12:03:06 2018 VERIFY KU OK
Fri Aug 10 12:03:06 2018 Validating certificate extended key usage
Fri Aug 10 12:03:06 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 12:03:06 2018 VERIFY EKU OK
Fri Aug 10 12:03:06 2018 VERIFY OK: depth=0, CN=ch-02.protonvpn. com
Fri Aug 10 12:03:07 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:03:07 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:03:07 2018 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Fri Aug 10 12:03:07 2018 TLS: tls_multi_process: untrusted session promoted to trusted
Fri Aug 10 12:03:07 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 12:04:07 2018 [ch-02.protonvpn. com] Inactivity timeout (--ping-restart), restarting
Fri Aug 10 12:04:07 2018 SIGUSR1[soft,ping-restart] received, process restarting
Fri Aug 10 12:04:07 2018 Restart pause, 5 second(s)
Fri Aug 10 12:04:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:04:12 2018 Socket Buffers: R=[163840->327680] S=[163840->327680]
Fri Aug 10 12:04:12 2018 UDP link local: (not bound)
Fri Aug 10 12:04:12 2018 UDP link remote: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:04:12 2018 TLS: Initial packet from [AF_INET]185.183.104.139:1194, sid=3f2ffe18 f6a05e84
Fri Aug 10 12:04:12 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Fri Aug 10 12:04:12 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 12:04:12 2018 VERIFY KU OK
Fri Aug 10 12:04:12 2018 Validating certificate extended key usage
Fri Aug 10 12:04:12 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 12:04:12 2018 VERIFY EKU OK
Fri Aug 10 12:04:12 2018 VERIFY OK: depth=0, CN=ch-02.protonvpn. com
Fri Aug 10 12:04:13 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:04:13 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:04:13 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 12:04:13 2018 [ch-02.protonvpn. com] Peer Connection Initiated with [AF_INET]185.183.104.139:1194
Fri Aug 10 12:04:14 2018 SENT CONTROL [ch-02.protonvpn. com]: 'PUSH_REQUEST' (status=1)
Fri Aug 10 12:04:14 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.57 255.255.255.0,peer-id 51,cipher AES-256-GCM'
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: explicit notify parm(s) modified
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Fri Aug 10 12:04:14 2018 Socket Buffers: R=[327680->327680] S=[327680->327680]
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: route options modified
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: route-related options modified
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: peer-id set
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: adjusting link_mtu to 1656
Fri Aug 10 12:04:14 2018 OPTIONS IMPORT: data channel crypto options modified
Fri Aug 10 12:04:14 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Aug 10 12:04:14 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:04:14 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:04:14 2018 Preserving previous TUN/TAP instance: tun0
Fri Aug 10 12:04:14 2018 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Fri Aug 10 12:04:14 2018 /sbin/route del -net 185.183.104.139 netmask 255.255.255.255
Fri Aug 10 12:04:14 2018 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Fri Aug 10 12:04:14 2018 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Fri Aug 10 12:04:14 2018 Closing TUN/TAP interface
Fri Aug 10 12:04:14 2018 /sbin/ifconfig tun0 0.0.0.0
Fri Aug 10 12:04:15 2018 TUN/TAP device tun0 opened
Fri Aug 10 12:04:15 2018 TUN/TAP TX queue length set to 100
Fri Aug 10 12:04:15 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Aug 10 12:04:15 2018 /sbin/ifconfig tun0 10.8.8.57 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Fri Aug 10 12:04:15 2018 /sbin/route add -net 185.183.104.139 netmask 255.255.255.255 gw 192.168.1.1
Fri Aug 10 12:04:15 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 12:04:15 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 12:04:15 2018 Initialization Sequence Completed
Fri Aug 10 12:04:15 2018 write UDP: Operation not permitted (code=1)
Fri Aug 10 12:04:24 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:04:33 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:04:44 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:04:54 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:03 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:14 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:22 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:22 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:23 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:26 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:30 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:40 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:05:49 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:06:00 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:06:09 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:06:19 2018 TLS: new session incoming connection from [AF_INET]185.183.104.139:1194
Fri Aug 10 12:06:19 2018 TLS: new session incoming connection from [AF_INET]185.183.104.139:1194
Fri Aug 10 12:06:22 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Fri Aug 10 12:06:22 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 12:06:22 2018 VERIFY KU OK
Fri Aug 10 12:06:22 2018 Validating certificate extended key usage
Fri Aug 10 12:06:22 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 12:06:22 2018 VERIFY EKU OK
Fri Aug 10 12:06:22 2018 VERIFY OK: depth=0, CN=ch-02.protonvpn. com
Fri Aug 10 12:06:22 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:06:22 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:06:22 2018 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Fri Aug 10 12:06:22 2018 TLS: tls_multi_process: untrusted session promoted to trusted
Fri Aug 10 12:06:22 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 12:07:22 2018 [ch-02.protonvpn. com] Inactivity timeout (--ping-restart), restarting
Fri Aug 10 12:07:22 2018 SIGUSR1[soft,ping-restart] received, process restarting
Fri Aug 10 12:07:22 2018 Restart pause, 5 second(s)
Fri Aug 10 12:07:27 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:07:27 2018 Socket Buffers: R=[163840->327680] S=[163840->327680]
Fri Aug 10 12:07:27 2018 UDP link local: (not bound)
Fri Aug 10 12:07:27 2018 UDP link remote: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:07:27 2018 TLS: Initial packet from [AF_INET]185.183.104.139:1194, sid=205f1f79 e9141240
Fri Aug 10 12:07:27 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Fri Aug 10 12:07:27 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 12:07:27 2018 VERIFY KU OK
Fri Aug 10 12:07:27 2018 Validating certificate extended key usage
Fri Aug 10 12:07:27 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 12:07:27 2018 VERIFY EKU OK
Fri Aug 10 12:07:27 2018 VERIFY OK: depth=0, CN=ch-02.protonvpn. com
Fri Aug 10 12:07:28 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:07:28 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:07:28 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 12:07:28 2018 [ch-02.protonvpn. com] Peer Connection Initiated with [AF_INET]185.183.104.139:1194
Fri Aug 10 12:07:29 2018 SENT CONTROL [ch-02.protonvpn. com]: 'PUSH_REQUEST' (status=1)
Fri Aug 10 12:07:29 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.67 255.255.255.0,peer-id 38,cipher AES-256-GCM'
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: explicit notify parm(s) modified
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Fri Aug 10 12:07:29 2018 Socket Buffers: R=[327680->327680] S=[327680->327680]
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: route options modified
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: route-related options modified
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: peer-id set
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: adjusting link_mtu to 1656
Fri Aug 10 12:07:29 2018 OPTIONS IMPORT: data channel crypto options modified
Fri Aug 10 12:07:29 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Aug 10 12:07:29 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:07:29 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:07:29 2018 Preserving previous TUN/TAP instance: tun0
Fri Aug 10 12:07:29 2018 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Fri Aug 10 12:07:29 2018 /sbin/route del -net 185.183.104.139 netmask 255.255.255.255
Fri Aug 10 12:07:29 2018 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Fri Aug 10 12:07:29 2018 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Fri Aug 10 12:07:29 2018 Closing TUN/TAP interface
Fri Aug 10 12:07:29 2018 /sbin/ifconfig tun0 0.0.0.0
Fri Aug 10 12:07:30 2018 TUN/TAP device tun0 opened
Fri Aug 10 12:07:30 2018 TUN/TAP TX queue length set to 100
Fri Aug 10 12:07:30 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Aug 10 12:07:30 2018 /sbin/ifconfig tun0 10.8.8.67 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
Fri Aug 10 12:07:30 2018 /sbin/route add -net 185.183.104.139 netmask 255.255.255.255 gw 192.168.1.1
Fri Aug 10 12:07:30 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 12:07:30 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
Fri Aug 10 12:07:30 2018 Initialization Sequence Completed
Fri Aug 10 12:07:30 2018 write UDP: Operation not permitted (code=1)
Fri Aug 10 12:07:30 2018 write UDP: Operation not permitted (code=1)
Fri Aug 10 12:07:39 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:07:49 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:07:59 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:08:08 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:08:19 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:08:29 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:08:39 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:08:49 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:08:59 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:09:09 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:09:19 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:09:29 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:10:02 2018 TLS: new session incoming connection from [AF_INET]185.183.104.139:1194
Fri Aug 10 12:10:02 2018 TLS: new session incoming connection from [AF_INET]185.183.104.139:1194
Fri Aug 10 12:10:04 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Fri Aug 10 12:10:04 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 12:10:04 2018 VERIFY KU OK
Fri Aug 10 12:10:04 2018 Validating certificate extended key usage
Fri Aug 10 12:10:04 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 12:10:04 2018 VERIFY EKU OK
Fri Aug 10 12:10:04 2018 VERIFY OK: depth=0, CN=ch-02.protonvpn. com
Fri Aug 10 12:10:05 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:10:05 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:10:05 2018 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Fri Aug 10 12:10:05 2018 TLS: tls_multi_process: untrusted session promoted to trusted
Fri Aug 10 12:10:05 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 12:11:05 2018 [ch-02.protonvpn. com] Inactivity timeout (--ping-restart), restarting
Fri Aug 10 12:11:05 2018 SIGUSR1[soft,ping-restart] received, process restarting
Fri Aug 10 12:11:05 2018 Restart pause, 5 second(s)
Fri Aug 10 12:11:10 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:11:10 2018 Socket Buffers: R=[163840->327680] S=[163840->327680]
Fri Aug 10 12:11:10 2018 UDP link local: (not bound)
Fri Aug 10 12:11:10 2018 UDP link remote: [AF_INET]185.183.104.139:1194
Fri Aug 10 12:11:10 2018 TLS: Initial packet from [AF_INET]185.183.104.139:1194, sid=fb3dd3b6 65a2fb36
Fri Aug 10 12:11:10 2018 VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Fri Aug 10 12:11:10 2018 VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Fri Aug 10 12:11:10 2018 VERIFY KU OK
Fri Aug 10 12:11:10 2018 Validating certificate extended key usage
Fri Aug 10 12:11:10 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 10 12:11:10 2018 VERIFY EKU OK
Fri Aug 10 12:11:10 2018 VERIFY OK: depth=0, CN=ch-02.protonvpn. com
Fri Aug 10 12:11:10 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:11:10 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Fri Aug 10 12:11:10 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 10 12:11:10 2018 [ch-02.protonvpn. com] Peer Connection Initiated with [AF_INET]185.183.104.139:1194
Fri Aug 10 12:11:11 2018 SENT CONTROL [ch-02.protonvpn. com]: 'PUSH_REQUEST' (status=1)
Fri Aug 10 12:11:11 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.67 255.255.255.0,peer-id 9,cipher AES-256-GCM'
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: explicit notify parm(s) modified
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Fri Aug 10 12:11:11 2018 Socket Buffers: R=[327680->327680] S=[327680->327680]
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: route options modified
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: route-related options modified
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: peer-id set
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: adjusting link_mtu to 1656
Fri Aug 10 12:11:11 2018 OPTIONS IMPORT: data channel crypto options modified
Fri Aug 10 12:11:11 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Aug 10 12:11:11 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:11:11 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 10 12:11:11 2018 Preserving previous TUN/TAP instance: tun0
Fri Aug 10 12:11:11 2018 Initialization Sequence Completed
Fri Aug 10 12:11:16 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:11:17 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:11:19 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:11:23 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:11:33 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:11:43 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:11:47 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:11:57 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:12:08 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:12:18 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:12:28 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:12:38 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:12:48 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:12:58 2018 write to TUN/TAP : Invalid argument (code=22)
Fri Aug 10 12:13:09 2018 write to TUN/TAP : Invalid argument (code=22)

Please put all code, config, and log output within code boxes... three ways to do so.

Logs should be grabbed via SSH

Contact ProtonVPN, as they likely have a script that auto chooses the cipher based on the client config's cipher setting.

  • There's zero benefit to utilizing AES256, or AES192 for that matter.
    • Even if one was the target of a nation state, it would be far more efficient to set the rekey value to every 5min rather than a higher cipher. All a higher cipher does is provide a massive decrease in throughput, a heavily taxed CPU, and zero encryption benefit.
      • To show CPU processing speed difference, run the following on your router:
        • openssl speed aes-128-cbc && openssl speed aes-192-cbc && openssl speed aes-256-cbc
      • I noticed the TLS cipher string is using AES-256-GCM [ECDHE-RSA-AES256-GCM-SHA384] and I know another OpenWrt user was having issues with AES GCM ciphers. While OpenWrt doesn't allow specifying a client side TLS cipher in the client config, I haven't tried to do so via cli

As to the log, there's a few warnings, along with error output I've never encountered before:

# Warnings
#-------------------
Fri Aug 10 12:11:10 2018 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
Fri Aug 10 12:11:10 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'


# Errors
#-------------------
Fri Aug 10 12:00:01 2018 TLS Error: Unroutable control packet received from [AF_INET]185.183.104.139:1194 (si=3 op=P_CONTROL_V1)

Fri Aug 10 12:11:16 2018 write to TUN/TAP : Invalid argument (code=22)

Try this configuration and see what errors appear. I use this one without error.

config openvpn 'protonvpn'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	option auth_user_pass '/etc/openvpn/protonvpn/userpass.txt'
	option ca '/etc/openvpn/protonvpn/ca.crt'
	option tls_auth '/etc/openvpn/protonvpn/tlsauth.key'
	option resolv_retry 'infinite'
	option mute_replay_warnings '1'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option remote_cert_tls 'server'
	option cipher 'AES-256-GCM'
	option compress 'lzo'
	option keepalive '10 120'
	option ifconfig_nowarn '1'
	option port '1194'
	option log '/tmp/openvpn.log'
	option status '/tmp/openvpn-status.log'
	option verb '3'
	option key_direction '1'
	option auth 'SHA512'
        option fast_io '1'
	option remote '185.183.104.139'

Dear All,

I am back with the same issue. The previous config doesn't work.
I have no feedback from ProtonVPN.

And I still have the same issue.

What exactly is the issue?

1 Like

I have configured my router to have two different wi-fi networks. My router is connected to the modem by LAN.

Network 1 it is a general one (private home network)
Network 2 it is a general one but with VPN access. VPN from ProtonVPN (by OpenVPN).

In normal conditions the network 1 works fine. However when I turn on the VPN I lost internet access in the network 1. The network 2 should have internet after turn on the VPN but doesn't work as well.

Can you help me?

I had the need to reproduce your configuration - the same initial result.
Basically the OpenVPN service sets the default-GW by default.
To skip this go to 'Switch to advanced configuration'->'Networking' and mark the 'Don't add routes automatically' check-box.
From that you must use second routing table for the second subnet. Can be achieved just by iproute2 or with some other features with mwan3.