Snapshot openvpn compression issue

Not sure this is where to post this. Feel free to move it.
I am trying to connect to expressvpn. Seems they are using compression. I get this in logread.

Fri Jun 26 13:17:18 2026 daemon.notice netifd: Interface 'tun0' is setting up now
Fri Jun 26 13:17:18 2026 daemon.info openvpn(proto): Enabled default hotplug processing, as the openvpn configuration 'script_security' is '3'
Fri Jun 26 13:17:18 2026 daemon.notice openvpn_tun0[1264]: Note: --fragment disables data channel offload.
Fri Jun 26 13:17:18 2026 daemon.err openvpn_tun0[1264]: Options error: Compression or compression stub framing is not allowed since OpenVPN was built without compression support.
Fri Jun 26 13:17:18 2026 daemon.warn openvpn_tun0[1264]: Use --help for more information.
Fri Jun 26 13:17:18 2026 daemon.notice netifd: Interface 'tun0' is now down

OpenWrt SNAPSHOT r35067-85e15f34ac / LuCI Master 26.176.73524~c3bb510

--help does not show anything.

Thanks

Compression is considered a real security risk for OpenVPN, that's why it's been disabled (very much intentionally).

It probably will not help but you can try to add:

allow-compression asym

But indeed compression is deprecated because it is unsafe

my advice would be, if possible switch to wireguard as protocol

Thanks for the replies. Unfortunately expressvpn does not offer wireguard at this time.

allow-compression asym 

Does not work either. Neither does starting with --help

Thanks

Compression is disabled on expressvpn servers for OpenVPN. They did it server-side years ago (2018) following the VORACLE vulnerability.

Ref: Expressvpn Fixes “Voracle” Compression Vulnerability in Apps

If you are using a manual configuration file from before the VORACLE attack, please download a new configuration file, or update your file to include the line "comp-lzo off".

Could be your config files are trying to have it on causing the connection to fail.

comp-lzo off should be comp-lzo no as in the .ovpn

Here is the current downloded .ovpn file minus the certs.

dev tun
fast-io
persist-key
persist-tun
nobind
remote usa-albuquerque-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/express.auth

Here is the error from logread.

Mon Jun 29 10:14:07 2026 daemon.notice netifd: Interface 'tun0' is setting up now
Mon Jun 29 10:14:07 2026 daemon.info openvpn(proto): Enabled default hotplug processing, as the openvpn configuration 'script_security' is '3'
Mon Jun 29 10:14:07 2026 daemon.warn openvpn_tun0[10940]: DEPRECATED OPTION: --fast-io option ignored.
Mon Jun 29 10:14:07 2026 daemon.warn openvpn_tun0[10940]: DEPRECATED OPTION: --persist-key option ignored. Keys are now always persisted across restarts.
Mon Jun 29 10:14:07 2026 daemon.notice openvpn_tun0[10940]: Note: --fragment disables data channel offload.
Mon Jun 29 10:14:07 2026 daemon.err openvpn_tun0[10940]: Options error: Compression or compression stub framing is not allowed since OpenVPN was built without compression support.
Mon Jun 29 10:14:07 2026 daemon.warn openvpn_tun0[10940]: Use --help for more information.
Mon Jun 29 10:14:07 2026 daemon.notice netifd: Interface 'tun0' is now down

Thanks

Use verb 5

Remove:

Edit: I made some notes maybe those can be helpful:
OpenWRT OpenVPN setup on Master branch

Thanks! Removing ' comp-lzo no' got a little further. I will start over with your guide. I used it in the first place but have been modifying things and cant remember all I might have changed.

Thanks again

Keep us informed it is a learning experience for all of us :slight_smile:

Seem to be making progress. I am sure I am still missing something. Here is my config file.

dev tun1
#fast-io
#persist-key
persist-tun
nobind
remote usa-albuquerque-ca-version-2.expressnetw.com 1195

remote-random
pull

pull-filter ignore "redirect-gateway def1"

pull-filter ignore comp-lzo
pull-filter ignore compress
pull-filter ignore allow-compression

tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 5
cipher AES-256-GCM
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass /etc/openvpn/express.auth

<cert>
-----BEGIN CERTIFICATE----- 

Here is logread output.

root@OpenWrt:~# logread -f
Mon Jun 29 21:07:40 2026 daemon.notice netifd: Interface 'openvpnclient' is setting up now
Mon Jun 29 21:07:40 2026 daemon.warn openvpn(proto): Default hotplug processing disabled, as the openvpn configuration 'script_security' is less than '3'
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Note: --fragment disables data channel offload.
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: OpenVPN 2.7.4 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: library versions: OpenSSL 3.5.7 9 Jun 2026
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: DCO version: 6.18.37 #0 SMP Mon Jun 29 07:48:52 2026
Mon Jun 29 21:07:40 2026 daemon.warn openvpn_openvpnclient[11347]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Fragmentation MTU parms [ mss_fix:1135 max_frag:1275 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: TCP/UDP: Preserving recently used remote address: [AF_INET]98.159.33.19:1195
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: UDPv4 link local: (not bound)
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: UDPv4 link remote: [AF_INET]98.159.33.19:1195
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: TLS: Initial packet from [AF_INET]98.159.33.19:1195, sid=2d618ee6 f9dd1725
Mon Jun 29 21:07:40 2026 daemon.warn openvpn_openvpnclient[11347]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA3, emailAddress=support@expressvpn.com
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: VERIFY OK: nsCertType=SERVER
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-12657-0a, emailAddress=support@expressvpn.com
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-12657-0a, emailAddress=support@expressvpn.com
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519, peer signing digest/type: rsa_pss_rsae_sha256 RSASSA-PSS, key agreement: x25519
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: [Server-12657-0a] Peer Connection Initiated with [AF_INET]98.159.33.19:1195
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Mon Jun 29 21:07:40 2026 daemon.notice openvpn_openvpnclient[11347]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: SENT CONTROL [Server-12657-0a]: 'PUSH_REQUEST' (status=1)
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.170.0.1,comp-lzo no,route-gateway 10.170.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.170.0.5 255.255.0.0,peer-id 44,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Pushed option removed by filter: 'redirect-gateway def1'
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Pushed option removed by filter: 'comp-lzo no'
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: OPTIONS IMPORT: route-related options modified
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: OPTIONS IMPORT: tun-mtu set to 1500
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: TUN/TAP device tun1 opened
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: tun/tap device [tun1] opened
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: do_ifconfig, ipv4=1, ipv6=0
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: net_iface_mtu_set: mtu 1500 for tun1
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: net_iface_up: set tun1 up
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: net_addr_v4_add: 10.170.0.5/16 dev tun1
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: /usr/lib/openvpn/dns-updown
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: dns up command exited with status 127
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Data Channel MTU parms [ mss_fix:1132 max_frag:1272 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Fragmentation MTU parms [ mss_fix:1132 max_frag:1272 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Data Channel: cipher 'AES-256-GCM', peer-id: 44
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Timers: ping 10, ping-restart 60
Mon Jun 29 21:07:41 2026 daemon.notice openvpn_openvpnclient[11347]: Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Mon Jun 29 21:07:43 2026 daemon.notice openvpn_openvpnclient[11347]: Initialization Sequence Completed
Mon Jun 29 21:07:51 2026 daemon.err openvpn_openvpnclient[11347]: write to TUN/TAP : Invalid argument (fd=-1,code=22)
Mon Jun 29 21:08:01 2026 daemon.err openvpn_openvpnclient[11347]: write to TUN/TAP : Invalid argument (fd=-1,code=22)
Mon Jun 29 21:08:11 2026 daemon.err openvpn_openvpnclient[11347]: write to TUN/TAP : Invalid argument (fd=-1,code=22)
Mon Jun 29 21:08:21 2026 daemon.err openvpn_openvpnclient[11347]: write to TUN/TAP : Invalid argument (fd=-1,code=22)
^Croot@OpenWrt:~#

Maybe It is something with the firewall? Don't understand that very well.

Thanks

This means the connection is starting so progress indeed.

The error could be DCO related.

Add to the openvpn config:

disable-dco

Reboot and test again

You do need firewall settings.

In the wan firewall zone > Advanced Settings add tun1 under Covered Devices

disable-dco
```Made no difference.

I am wondering if this pushing compression may be the problem?
```Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.22.0.1,comp-lzo no,route-gateway 10.22.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.22.0.28 255.255.0.0,peer-id 49,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'disable-dco

Here is the current log.

root@OpenWrt:~# logread -f
Sun Jul  5 12:43:00 2026 daemon.notice netifd: Interface 'openvpnclient' is setting up now
Sun Jul  5 12:43:00 2026 daemon.info openvpn(proto): Enabled default hotplug processing, as the openvpn configuration 'script_security' is '3'
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Note: --fragment disables data channel offload.
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: OpenVPN 2.7.4 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: library versions: OpenSSL 3.5.7 9 Jun 2026
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: DCO version: 6.18.37 #0 SMP Sun Jul  5 11:02:07 2026
Sun Jul  5 12:43:01 2026 daemon.warn openvpn_openvpnclient[27160]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sun Jul  5 12:43:01 2026 daemon.warn openvpn_openvpnclient[27160]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Fragmentation MTU parms [ mss_fix:1135 max_frag:1275 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: TCP/UDP: Preserving recently used remote address: [AF_INET]98.159.233.196:1195
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: UDPv4 link local: (not bound)
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: UDPv4 link remote: [AF_INET]98.159.233.196:1195
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: TLS: Initial packet from [AF_INET]98.159.233.196:1195, sid=9212434a 04f76bb8
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA3, emailAddress=support@expressvpn.com
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: VERIFY OK: nsCertType=SERVER
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-12566-0a, emailAddress=support@expressvpn.com
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-12566-0a, emailAddress=support@expressvpn.com
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519, peer signing digest/type: rsa_pss_rsae_sha256 RSASSA-PSS, key agreement: x25519
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: [Server-12566-0a] Peer Connection Initiated with [AF_INET]98.159.233.196:1195
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Jul  5 12:43:01 2026 daemon.notice openvpn_openvpnclient[27160]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: SENT CONTROL [Server-12566-0a]: 'PUSH_REQUEST' (status=1)
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.22.0.1,comp-lzo no,route-gateway 10.22.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.22.0.28 255.255.0.0,peer-id 49,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'disable-dco
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Pushed option removed by filter: 'redirect-gateway def1'
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Pushed option removed by filter: 'comp-lzo no'
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: OPTIONS IMPORT: route-related options modified
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: OPTIONS IMPORT: tun-mtu set to 1500
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: TUN/TAP device tun1 opened
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: tun/tap device [tun1] opened
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: /usr/libexec/openvpn-hotplug tun1 1500 0 10.22.0.28 255.255.0.0 init
Sun Jul  5 12:43:02 2026 daemon.notice netifd: Interface 'openvpnclient' is now up
Sun Jul  5 12:43:02 2026 daemon.notice netifd: Network device 'tun1' link is up
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using nameserver 10.22.0.1#53
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using nameserver 209.18.47.63#53
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using nameserver 209.18.47.61#53
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using nameserver 209.18.47.62#53
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using nameserver 2001:1998:f00:3::1#53
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using nameserver 2001:1998:f00:1::1#53
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using nameserver 2001:1998:f00:2::1#53
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using only locally-known addresses for test
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using only locally-known addresses for local
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Sun Jul  5 12:43:02 2026 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Data Channel MTU parms [ mss_fix:1132 max_frag:1272 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Fragmentation MTU parms [ mss_fix:1132 max_frag:1272 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:136 ET:0 ]
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Data Channel: cipher 'AES-256-GCM', peer-id: 49
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Timers: ping 10, ping-restart 60
Sun Jul  5 12:43:02 2026 daemon.notice openvpn_openvpnclient[27160]: Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
Sun Jul  5 12:43:02 2026 user.notice firewall: Reloading firewall due to ifup of openvpnclient (tun1)
Sun Jul  5 12:43:04 2026 daemon.notice openvpn_openvpnclient[27160]: Initialization Sequence Completed
Sun Jul  5 12:43:07 2026 user.info : info: guest-ping called
Sun Jul  5 12:43:12 2026 daemon.err openvpn_openvpnclient[27160]: write to TUN/TAP : Invalid argument (fd=-1,code=22)
Sun Jul  5 12:43:21 2026 user.info : info: guest-ping called
Sun Jul  5 12:43:22 2026 daemon.err openvpn_openvpnclient[27160]: write to TUN/TAP : Invalid argument (fd=-1,code=22)
^Croot@OpenWrt:~# 

Thanks

Could well be. Compression is deprecated and will de left out in the next OpenVPN version entirely.
VPN providers should already have stopped with it long ago.

Maybe contact Express VPN also about it

I will bring it up with expressvpn but doubt it will get anywhere. I think openvpn should be able to "ignore" compression requests or at least provide a better error message. Wish I knew enough help with that. Also --help does not provide any info. I understand this is early days, just providing info in hopes it helps.

Thanks

Well it seems nordvpn fails also. Probably others too.
https://www.linksysinfo.org/index.php?threads/openvpn-can-no-longer-connect-nordvpn-other-vpn-providers-since-firmware-2026-2.79668/

Does anyone know of a working openvpn service? Or a good wireguard alternative?

Thanks

I use proton for openvpn they offer a free account which I am using.

Proton also has good and free WireGuard

I use mullvad for WireGuard unfortunetaly they stopped supporting openvpn so WireGuard Only.

I also have keepsolid openvpn which works but I cannot recommend it.

I also have VPS in the cloud to which I can connect via OpenVPN and WireGuard

I tried to go to expressvpn 's chat. Got frustrated and asked them to elevate it to the next level. Gave them a link to this thread. Maybe they will look at it if their system allows it. If I get anything I will reply here.

Thanks

PS: Is there an estimate of how many users of openwrt there are? Fun fact there aircova routers are supposed to be based on a proprietary version of openwrt. According to google.