VPN Cipher Error - cant find option it suggests

Hi, ive currently got the error:

daemon.warn openvpn(ExpressVPN)[28599]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Tue Nov 15 19:49:56 2022 daemon.err openvpn(ExpressVPN)[28599]: Cannot pre-load keyfile (/etc/openvpn/tlsauth.key)

I cant for the life of me find the option --data-ciphers, i can only find the option Ciphers.

Im using the lastest OpenWRT

Also because of this, is that why it cannot load the tlsauth.key ?

Thanks for any help here.

Successfully setup a connection to ExpressVPN, only problem i have now is how to route all my traffic through the VPN.

The VPN is alive, though still all my traffic goes through its normal route not the VPN. Have i missed something? Do i need to create a rely bridge?

Cheers for any help.

Just comment forward rule lan->wan from firewall configuration file.

My current Firewall setting, is there something wrong here?

It is very strange configuration, where have you found it?

I followed: https://www.my-private-network.co.uk/kbhome/openwrt-lede-openvpn-setup/

Then extracted the correct settings from the ovpn file from ExpressVPN to match the correct variables which are different than the Tutorial, then the connection was successfull, creating separate ca.crt, key file, and cert files from the ovpn.

So ive got the connection, just need to divert all traffic through the VPN Interface.

Ive also got other connections to my OpenWRT Router which routes to other OpenWRT Repeaters, that part is sound. Just need all br-lan to go through tun0

OK, your manual is shit with pictures, sorry, I can only help in text files configuration.

The simple question is:

I need a rule to forward all traffic from going through its normal VDSL Route to basically pass through the created VPN Tunnel.

Do i just Bridge the br-lan through the VPN, if so using relyd, what would the rule i need?

See /etc/config/firewall file, and make search 'forwarding'.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'

Here is 'default' forwarding. You should comment it to prevent forwarding lan->wan. You should add forwarding lan->vpn.

I`ll give it a try, that sounds plausable.

You should also create zone for tun interface.

Make sure that OpenVPN has modified the routing table (System-->Routes, in the middle of the page). It should have installed two routes to and which effectively direct any request for the Internet (except one) through the VPN tunnel.
The one exception is that a connection to the VPN server itself must go through the regular WAN. OpenVPN should have installed a /32 route for it. This is how encrypted packets for every other site start their journey.

Remember the firewall rules control what traffic will be allowed, but it is based on what the routing table dictates how the kernel attempt to send them.

1 Like

Im running ver.22.03, do you mean Status > Routing or Network > Routing ?

Current Firewall Rules:

Current IPV4 Routes

VPN is connected, im missing something probably so simple right in my eyes.

I did think of Bridging (Lan > ExpressVPN) using relyd then to > WAN, though wouldnt that still use my normal IP?