ProtonVPN over OpenVPN only routing ipv4, leaking ipv6

Brand new user, probably missing something obvious. Starting with default openWRT settings, I followed the instructions on protonVPN's website for setting up an openVPN instance on openWrt:

It was extremely straightforward and seemed to work fine on my desktop. My IP was as expected (a protonVPN node in the intended region). dnsleaktest.com showed a CloudFlare DNS server, and I wasn't sure if that meant i had a DNS leak - Proton's public documentation is not clear on whether they partner with Cloudflare for DNS.

However, when i use my android device to do the same tests, my ipv6 address is still associated with my ISP. Having followed the instructions linked above, i believe my firewall rules should be routing both wan and wan6 interfaces through the VPN instance as both interfaces are part of the wan firewall zone.

What else should I explore to fix this?


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Testing with ipleak.net also shows the origin of IPv4, IPv6 and the used DNS server.

Not all VPN providers support IPv6, in which case you have an IPv6 leak. If you post the following in addition to what brada4 asked for, we can have a look.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys (including inline key blocks such as <tls-crypt> in the .ovpn files), passwords, MAC addresses and any public IP addresses, IPv4 and IPv6, you may have:

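# IPv4 and IPv6 routing tables, to compare which address families have a route via the tunnel.
ip route show
ip -6 route show
# Print each OpenVPN profile preceded by its path. Glob directly instead of
# parsing ls output, and quote the path so unusual file names are handled.
# The profiles carry inline key material: redact it before posting.
for ovpn in /etc/openvpn/*.ovpn; do
  [ -e "$ovpn" ] || continue   # no profile matched: the pattern stays literal
  printf '%s\n' "$ovpn"
  cat "$ovpn"
  echo
done
logread | grep openvpn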
root@OpenWrt1:~# ubus call system board
{
	"kernel": "5.10.161",
	"hostname": "OpenWrt1",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys E8450 (UBI)",
	"board_name": "linksys,e8450-ubi",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
root@OpenWrt1:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd93:a84a:87d2::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '10.2.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '10.2.0.1'

config device
	option name 'wan'

config device
	option name 'lan1'

root@OpenWrt1:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt1:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

root@OpenWrt1:~# 

[quote="egc, post:3, topic:210004"]

root@OpenWrt1:~# ip route show
0.0.0.0/1 via 10.96.0.1 dev tun0 
default via ***redacted*** dev wan  src ***redacted*** 
10.96.0.0/16 dev tun0 scope link  src 10.96.0.17 
***redacted***/23 dev wan scope link  src ***redacted***
128.0.0.0/1 via 10.96.0.1 dev tun0 
***redacted*** via ***redacted*** dev wan 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
root@OpenWrt1:~# ip -6 route show
default from ***redacted*** via fe80::21c:73ff:fe00:99 dev wan  metric 512 
default from ***redacted***/64 via fe80::21c:73ff:fe00:99 dev wan  metric 512 
***redacted***/64 dev wan  metric 256 
***redacted***/64 dev br-lan  metric 1024 
unreachable ***redacted***/64 dev lo  metric 2147483647 
***redacted***/64 dev wan  metric 256 
***redacted***/64 dev wan  metric 256 
***redacted***/64 dev br-lan  metric 1024 
unreachable ***redacted***/48 dev lo  metric 2147483647 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev tun0  metric 256 
anycast ***redacted*** dev br-lan  metric 0 
anycast ***redacted*** dev br-lan  metric 0 
anycast fe80:: dev br-lan  metric 0 
anycast fe80:: dev wan  metric 0 
anycast fe80:: dev eth0  metric 0 
anycast fe80:: dev wlan1  metric 0 
anycast fe80:: dev wlan0  metric 0 
anycast fe80:: dev tun0  metric 0 
multicast ff00::/8 dev eth0  metric 256 
multicast ff00::/8 dev br-lan  metric 256 
multicast ff00::/8 dev wan  metric 256 
multicast ff00::/8 dev wlan1  metric 256 
multicast ff00::/8 dev wlan0  metric 256 
multicast ff00::/8 dev tun0  metric 256 
root@OpenWrt1:~# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn;
 echo;done
/etc/openvpn/NY1.ovpn
# ==============================================================================
# Copyright (c) 2023 Proton AG (Switzerland)
# Email: contact@protonvpn.com
#
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# ==============================================================================

# The server you are connecting to is using a circuit in order to separate entry IP from exit IP
# The same entry IP allows to connect to multiple exit IPs in the same data center.

# If you want to explicitly select the exit IP corresponding to server US-FREE#49 you need to
# append a special suffix to your OpenVPN username.
# Please use "***redacted***" in order to enforce exiting through US-FREE#49.

# If you are a paying user you can also enable the ProtonVPN ad blocker (NetShield) or Moderate NAT:
# Use: "***redacted***+f1" to enable anti-malware filtering
# Use: "***redacted***+f2" to additionally enable ad-blocking filtering
# Use: "***redacted***+nr" to enable Moderate NAT
# Note that you can combine the "+nr" suffix with other suffixes.

client
dev tun
proto udp

remote 143.244.44.181 4569
remote 143.244.44.181 1194
remote 143.244.44.181 51820
remote 143.244.44.181 80
remote 143.244.44.181 5060

remote-random
resolv-retry infinite
nobind

cipher AES-256-GCM

setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun
block-outside-dns

reneg-sec 0

remote-cert-tls server
auth-user-pass /etc/openvpn/NY1.auth


<ca>
-----BEGIN CERTIFICATE-----
***redacted***
-----END CERTIFICATE-----
</ca>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
***redacted***
-----END OpenVPN Static key V1-----
</tls-crypt>

root@OpenWrt1:~# logread | grep openvpn
Tue Sep 10 09:37:12 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #386548 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 09:37:12 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #386549 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 09:37:12 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #386550 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 09:37:12 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #386551 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 09:37:12 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #386552 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 09:37:12 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #386553 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 10:02:17 2024 daemon.warn openvpn(NY1)[28024]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
Tue Sep 10 10:02:17 2024 daemon.warn openvpn(NY1)[28024]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Tue Sep 10 10:02:17 2024 daemon.warn openvpn(NY1)[28024]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Tue Sep 10 10:36:33 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #48022 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings


<deleted a bunch more bad packet ID warnings>


Tue Sep 10 11:01:51 2024 daemon.warn openvpn(NY1)[28024]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
Tue Sep 10 11:01:51 2024 daemon.warn openvpn(NY1)[28024]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Tue Sep 10 11:01:51 2024 daemon.warn openvpn(NY1)[28024]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Tue Sep 10 11:09:15 2024 daemon.err openvpn(NY1)[28024]: AEAD Decrypt error: bad packet ID (may be a replay): [ #110231 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings


<deleted a bunch more bad packet ID warnings>

I'm not super familiar with ipv6 ranges but i did my best to redact only the sensitive addresses.

ipleak.net was very helpful - confirmed that my ipv4 traffic is protected by the VPN, and ipv6 traffic is exposed. It did not detect a DNS leak.

I thought ProtonVPN was able to handle ipv6 routing but I just checked again and I was wrong. Their desktop application blocks ipv6 traffic and that hasn't caused me any problems before, so I think my solution here is to block it on the router. I'll look up how to do that now.

You are running an old and outdated build; upgrading is highly recommended.
Some of the warnings are probably because you are using an older OpenVPN client.

The OpenVPN log is incomplete; I suspect that OpenVPN had already been running for a long time. To get more information we should see the OpenVPN log (logread | grep openvpn) from shortly after the VPN comes up.
The AEAD decrypt error is actually a warning: if it happens occasionally you can ignore it, otherwise lower the MTU to 1400.

But there is a route for IPv4 via the tunnel so the VPN seems up, but Proton does not seem to support IPv6 so you have an IPv6 leak.

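To deal with this you can disable IPv6 on the router or on the clients. If that is not feasible, you can try to set an IPv6 default route via the tunnel; of course this will not carry any traffic, so effectively it will block IPv6. I am not sure how your router/LAN clients will react to this. Note that such a route only exists while the tunnel is up, so whenever the VPN is down IPv6 will go out via wan again.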

Also, I am not sure whether your old OpenVPN client supports IPv6, but you can try adding this to the OpenVPN config: redirect-gateway ipv6. This will add a default route via the tunnel to your IPv6 routing table.

You can show again: ip -6 route show after you have set this in the OpenVPN config and the VPN is up

hm, not sure how i ended up with an outdated build - its a fresh install, using the LuCI interface to install openvpn-openssl. It's still not showing any upgrade available.

Is there a simple way to upgrade the package if opkg doesn't have a newer one available?

Here's a fresh logread after restarting the openvpn instance:

Tue Sep 10 15:02:42 2024 daemon.err openvpn(NY1)[22614]: event_wait : Interrupted system call (code=4)
Tue Sep 10 15:02:42 2024 daemon.notice openvpn(NY1)[22614]: SIGTERM received, sending exit notification to peer
Tue Sep 10 15:02:43 2024 daemon.notice openvpn(NY1)[22614]: net_addr_v4_del: 10.96.0.9 dev tun0
Tue Sep 10 15:02:43 2024 daemon.notice openvpn(NY1)[22614]: /usr/libexec/openvpn-hotplug down NY1 tun0 1500 1624 10.96.0.9 255.255.0.0 init
Tue Sep 10 15:02:43 2024 daemon.notice openvpn(NY1)[22614]: SIGTERM[soft,exit-with-notification] received, process exiting
Tue Sep 10 15:02:57 2024 daemon.notice openvpn(NY1)[22825]: OpenVPN 2.5.8 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Sep 10 15:02:57 2024 daemon.notice openvpn(NY1)[22825]: library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Tue Sep 10 15:02:57 2024 daemon.warn openvpn(NY1)[22825]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 10 15:02:57 2024 daemon.notice openvpn(NY1)[22825]: TCP/UDP: Preserving recently used remote address: [AF_INET]143.244.44.181:5060
Tue Sep 10 15:02:57 2024 daemon.notice openvpn(NY1)[22825]: UDP link local: (not bound)
Tue Sep 10 15:02:57 2024 daemon.notice openvpn(NY1)[22825]: UDP link remote: [AF_INET]143.244.44.181:5060
Tue Sep 10 15:02:57 2024 daemon.warn openvpn(NY1)[22825]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Sep 10 15:02:57 2024 daemon.warn openvpn(NY1)[22825]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
Tue Sep 10 15:02:57 2024 daemon.warn openvpn(NY1)[22825]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Tue Sep 10 15:02:57 2024 daemon.warn openvpn(NY1)[22825]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Tue Sep 10 15:02:57 2024 daemon.notice openvpn(NY1)[22825]: [node-us-159.protonvpn.net] Peer Connection Initiated with [AF_INET]143.244.44.181:5060
Tue Sep 10 15:02:58 2024 daemon.warn openvpn(NY1)[22825]: NOTE: setsockopt TCP_NODELAY=1 failed
Tue Sep 10 15:02:58 2024 daemon.notice openvpn(NY1)[22825]: TUN/TAP device tun0 opened
Tue Sep 10 15:02:58 2024 daemon.notice openvpn(NY1)[22825]: net_iface_mtu_set: mtu 1500 for tun0
Tue Sep 10 15:02:58 2024 daemon.notice openvpn(NY1)[22825]: net_iface_up: set tun0 up
Tue Sep 10 15:02:58 2024 daemon.notice openvpn(NY1)[22825]: net_addr_v4_add: 10.96.0.9/16 dev tun0
Tue Sep 10 15:02:58 2024 daemon.notice openvpn(NY1)[22825]: /usr/libexec/openvpn-hotplug up NY1 tun0 1500 1624 10.96.0.9 255.255.0.0 init
Tue Sep 10 15:02:58 2024 daemon.notice openvpn(NY1)[22825]: Initialization Sequence Completed
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1979 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1980 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1981 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1982 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1983 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1984 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1985 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1986 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1987 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1988 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1989 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1990 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1991 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1992 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1993 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1994 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1995 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1996 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1997 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1998 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #1999 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Tue Sep 10 15:03:01 2024 daemon.err openvpn(NY1)[22825]: AEAD Decrypt error: bad packet ID (may be a replay): [ #2000 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

It’s the openwrt build that is out of date. Start by upgrading to 23.05


I recommend you disable the ipv6 from wan interface. Protonvpn works only with ipv4.
I use it and no more leaks via ipv6.


As already mentioned you should upgrade to 23.05.4 (check if that is possible for your router) which also gives you a recent OpenVPN.

Regarding IPv6, see my earlier answer:
ProtonVPN over OpenVPN only routing ipv4, leaking ipv6 - #9 by egc

Either disable IPv6 or add IPv6 default routing via the VPN (this will break IPv6 connectivity).


I used dangowrt's "owrt-ubi-installer" because it's linked from the hardware page here (https://openwrt.org/toh/linksys/e8450). The releases page for owrt-ubi-installer says not to use the more recent releases because of the OpenWRT Kiss of Death issue (https://github.com/dangowrt/owrt-ubi-installer/releases) so i used v1.0.2, which installs OpenWRT 22.03.3.

Does the OKD issue manifest in the install script and not OpenWRT itself? Can I safely upgrade OpenWRT without risking a bricked device?
