No, it doesn't appear to be connected. There is no point at which it says that it completed the initialization or that it has successfully connected.
Your logs specifically say that there is a TLS error and that the handshake failed.
So the problem is not likely related to your firewall (or at least not at this point)... it is simply unable to connect because of the TLS failure. Figure out what is happening there first -- once you can connect properly (and the log will indicate that), you can then sort out any firewall issues.
The VPN should not be bridged at all. It should be a network on its own (using device tun0). That network can be associated with a network or directly with a firewall zone. I recommend creating a separate firewall zone for the VPN as well.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
root@THE-NET:/# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'ACL Blocked'
	option target 'DROP'
	list dest_ip '212.159.6.10'
	list dest_ip '64.212.106.84'
	list dest_ip '4.2.2.5'
	list dest_ip '206.165.6.11'
	list dest_ip '4.2.2.6'
	list dest_ip '4.2.2.4'
	list dest_ip '194.72.6.57'
	list dest_ip '194.73.82.242'
	list dest_ip '212.159.13.49'
	list dest_ip '206.165.6.12'
	list dest_ip '64.215.98.148'
	list dest_ip '4.2.2.2'
	list dest_ip '209.244.0.4'
	list dest_ip '141.1.27.249'
	list dest_ip '4.2.2.1'
	list dest_ip '62.6.40.162'
	list dest_ip '212.159.13.50'
	list dest_ip '194.72.9.34'
	list dest_ip '194.74.65.69'
	list dest_ip '195.27.1.1'
	list dest_ip '209.130.139.2'
	list dest_ip '67.17.215.132'
	list dest_ip '4.2.2.3'
	list dest_ip '212.159.6.9'
	list dest_ip '209.244.0.3'
	list dest_ip '193.58.204.59'
	list dest_ip '195.99.66.220'
	list dest_ip '141.1.1.1'
	list dest_ip '83.137.225.121'
	list dest_ip '62.40.32.33'
	list dest_ip '213.251.133.164'
	list dest_ip '62.40.32.34'
	list dest_ip '193.111.200.191'
	list dest_ip '156.154.70.22'
	list dest_ip '156.154.71.22'
	list dest_ip '198.153.192.1'
	list dest_ip '198.153.194.1'
	list dest_ip '74.82.42.42'
	list dest_ip '194.72.6.51'
	list dest_ip '158.43.128.1'
	list dest_ip '158.43.128.72'
	list dest_ip '158.43.192.1'
	list dest_ip '158.43.240.3'
	list dest_ip '158.43.240.4'
	list dest_ip '192.76.144.66'
	list dest_ip '193.67.79.39'
	list dest_ip '193.78.240.12'
	list dest_ip '193.79.242.39'
	list dest_ip '193.101.111.10'
	list dest_ip '193.101.111.20'
	list dest_ip '194.98.65.65'
	list dest_ip '195.129.12.83'
	list dest_ip '195.129.12.122'
	list dest_ip '62.134.11.4'
	list dest_ip '62.233.128.17'
	list dest_ip '81.17.66.13'
	list dest_ip '129.250.35.250'
	list dest_ip '129.250.35.251'
	list dest_ip '193.22.119.22'
	list dest_ip '193.95.93.77'
	list dest_ip '193.205.130.253'
	list dest_ip '193.226.61.1'
	list dest_ip '194.30.0.1'
	list dest_ip '194.72.0.114'
	list dest_ip '195.182.110.132'
	list dest_ip '195.238.40.45'
	list dest_ip '199.2.252.10'
	list dest_ip '204.97.212.10'
	list dest_ip '204.95.160.2'
	list dest_ip '204.95.160.4'
	list dest_ip '205.171.3.25'
	list dest_ip '62.240.110.218'
	list dest_ip '82.151.90.1'
	list dest_ip '24.200.241.37'
	list dest_ip '205.151.222.250'
	list dest_ip '205.151.222.251'

config rule
	option name 'RDP'
	option src 'lan'
	option src_port '3389'
	option dest 'lan'
	option dest_port '3389'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'ExpressVPN'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list network 'ExpressVPN'

config forwarding
	option src 'lan'
	option dest 'ExpressVPN'

config forwarding
	option src 'wan'
	option dest 'ExpressVPN'
The IPs on the drop list are bad DNS servers that do not use HTTPS/DNSSEC, or eavesdropping DNS servers. I would set it to Reject, though then the DNS server gets a response, so better to Drop.
> config zone
> 	option name 'wan'
> 	option forward 'ACCEPT'
> 	option input 'ACCEPT'

This is probably not what you want... most of the time, input and forward should be set to REJECT. You absolutely do not want users on the internet to have access to the router itself (which currently they do!).
> config rule
> 	option src 'lan'
> 	option dest 'wan'
> 	option name 'ACL Blocked'
> 	option target 'DROP'

This one won't have any effect once the VPN is established since it only covers the wan zone as the destination. Instead, remove the destination entirely and it will apply to both the WAN and the VPN.
> config rule
> 	option name 'RDP'
> 	option src 'lan'
> 	option dest 'lan'

This doesn't do anything because both the source and destination are in the same zone. You can remove this.
> config forwarding
> 	option src 'wan'
> 	option dest 'ExpressVPN'

This should be removed... the WAN should not have access to the ExpressVPN zone.
Let's see the entire OpenVPN config file (obfuscate/remove the keys, of course).
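The four points above can be checked mechanically. The script below is an added example, not code from this thread or from OpenWrt: it parses the subset of UCI syntax that /etc/config/firewall uses and reports the same findings on a cut-down copy of the posted config (the long dest_ip list is reduced to two entries and unrelated options are dropped). Two assumptions of this example are that a zone with `masq '1'` is treated as the untrusted side, and that a blocking rule should cover every zone its source zone can forward into. One caveat it encodes, which the OpenWrt firewall documentation states for both fw3 and fw4: a rule with `src` but no `dest` is an input rule (traffic to the router itself), so to make the ACL rule cover forwarded traffic towards both the WAN and the VPN it should get `option dest '*'` rather than having the destination simply removed.

```python
"""Lint an OpenWrt /etc/config/firewall for the problems raised above.

Added example; not code from the thread or from OpenWrt. Parses only the UCI
subset the firewall file uses. SAMPLE is a cut-down copy of the posted config:
the dest_ip list is reduced to two entries and unrelated options are dropped.
"""
import shlex

SAMPLE = """\
config zone
	option name 'wan'
	option masq '1'
	option forward 'ACCEPT'
	option input 'ACCEPT'
config rule
	option src 'lan'
	option dest 'wan'
	option name 'ACL Blocked'
	option target 'DROP'
	list dest_ip '4.2.2.1'
	list dest_ip '4.2.2.2'
config rule
	option name 'RDP'
	option src 'lan'
	option dest 'lan'
	option target 'ACCEPT'
config forwarding
	option src 'lan'
	option dest 'wan'
config zone
	option name 'ExpressVPN'
	option forward 'REJECT'
	option masq '1'
	option input 'REJECT'
config forwarding
	option src 'lan'
	option dest 'ExpressVPN'
config forwarding
	option src 'wan'
	option dest 'ExpressVPN'
"""


def parse_uci(text):
    """Turn config/option/list lines into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if words and words[0] == "config":
            sections.append({"type": words[1], "opts": {}, "lists": {}})
        elif words and words[0] == "option" and sections:
            sections[-1]["opts"][words[1]] = words[2] if len(words) > 2 else ""
        elif words and words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections


def lint_firewall(text):
    """Return one finding per problem: zones first, then rules, then forwardings."""
    secs = parse_uci(text)
    zones = {s["opts"].get("name"): s["opts"] for s in secs if s["type"] == "zone"}
    # Assumption of this example: masquerading zones are the untrusted side.
    upstream = sorted(n for n, o in zones.items() if n and o.get("masq") == "1")
    fwd = {}  # src zone -> set of zones it may forward into
    for s in secs:
        if s["type"] == "forwarding":
            fwd.setdefault(s["opts"].get("src"), set()).add(s["opts"].get("dest"))
    out = []
    for name in upstream:
        for chain in ("input", "forward"):
            val = zones[name].get(chain, "(unset)")
            if val not in ("REJECT", "DROP"):
                out.append(f"zone {name}: {chain}={val} on an untrusted zone; set it to REJECT")
    for s in secs:
        if s["type"] != "rule":
            continue
        o, lists = s["opts"], s["lists"]
        label = f"rule {o.get('name', '(unnamed)')}"
        src, dest = o.get("src"), o.get("dest")
        blocking = o.get("target") in ("REJECT", "DROP")
        if src and dest and src == dest:
            out.append(f"{label}: src and dest are both {src}; it has no effect, remove it")
        elif src and not dest and blocking and "dest_ip" in lists:
            # src without dest is an INPUT rule (traffic to the router itself),
            # so it never sees forwarded traffic; dest '*' is what covers that.
            out.append(f"{label}: no dest makes this an input rule; use dest '*' to cover forwarded traffic")
        elif src and dest and dest != "*" and blocking and len(fwd.get(src, ())) > 1:
            others = ", ".join(sorted(z for z in fwd[src] if z and z != dest))
            out.append(f"{label}: only blocks towards {dest}; traffic to {others} is not covered; use dest '*'")
    for s in secs:
        o = s["opts"]
        if s["type"] == "forwarding" and o.get("src") in upstream:
            out.append(f"forwarding {o['src']}->{o.get('dest')}: lets the untrusted side in; remove it")
    return out


if __name__ == "__main__":
    for finding in lint_firewall(SAMPLE):
        print(finding)
```

On the router the same check can be run against the live file with `python3 lint.py < /etc/config/firewall` after changing `SAMPLE` to `sys.stdin.read()`; after editing, `uci show firewall` confirms what was committed and `/etc/init.d/firewall restart` applies it. Note that the lan-to-wan forwarding is left in place by these fixes, so if the tunnel drops, LAN clients fall back to the plain WAN route; removing that forwarding is what turns the setup into a kill switch.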
TLS Handshake Failed usually means there was no response from the VPN server at all during the initial negotiation.
Can you ping the server IP? If the server is configured as a name rather than an IP, the router's DNS must be operational even without the VPN up.
The other reason for TLS Handshake Failed would be using the wrong static key. The static key must match the one on the other end. Static keys are an optional extra layer of encryption, if the server does not expect a static key it must be disabled on the client as well.
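The triage above (no reply at all versus a reply that fails the static-key check versus a certificate or credential problem) is a decision tree over a handful of standard OpenVPN log messages, and it is worth having it as a script rather than reading logs by eye. The block below is an added example, not code from this thread or from the OpenVPN or OpenWrt projects. `SAMPLE_TIMEOUT` repeats the lines posted in this thread with the addresses masked as in the post; `SAMPLE_HMAC` and `SAMPLE_OVPN` are constructed, and `vpn.example.invalid` is a placeholder hostname. The "cannot locate HMAC" message is what OpenVPN logs when a tls-auth/tls-crypt key does not match the server's; the other needles are likewise OpenVPN's own strings.

```python
"""Triage an OpenVPN client log on OpenWrt: decide what to check first.

Added example; not code from the thread or from the OpenVPN/OpenWrt projects.
SAMPLE_TIMEOUT repeats the lines posted in this thread (addresses masked as in
the post); SAMPLE_HMAC and SAMPLE_OVPN are constructed for illustration. Only
OpenVPN's standard log strings are matched.
"""
import ipaddress
import re

# (needle, verdict, what to check first). When several needles occur, the one
# that appears LATEST in the log wins, so a connect followed by a failure
# reports the failure.
SIGNATURES = [
    ("Initialization Sequence Completed", "connected",
     "tunnel is up; what is left is routing/firewall, not the VPN link"),
    ("AUTH: Received control message: AUTH_FAILED", "bad-credentials",
     "TLS completed; check the auth-user-pass file"),
    ("VERIFY ERROR", "bad-ca",
     "server replied but its certificate did not verify; check ca.crt"),
    ("cannot locate HMAC in incoming packet", "tls-key-mismatch",
     "server replied but control packets fail the tls-auth/tls-crypt check; "
     "check the static key file and key-direction"),
    ("TLS key negotiation failed to occur within 60 seconds", "no-reply-from-server",
     "nothing came back at all; check remote host/port/proto, DNS for the "
     "server name, and that UDP to the server is not blocked upstream"),
]

# OpenWrt syslog form: "... openvpn(<instance>)[<pid>]: <message>"
SYSLOG_RE = re.compile(r"openvpn\([^)]*\)\[\d+\]: (?P<msg>.*)$")

SAMPLE_TIMEOUT = """\
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:1194
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Socket Buffers: R=[180224->360448] S=[180224->360448]
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: UDP link local: (not bound)
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: UDP link remote: [AF_INET]***.***.***.***:1194
Sun Nov 20 20:44:46 2022 daemon.err openvpn(ExpressVPN)[11190]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 20 20:44:46 2022 daemon.err openvpn(ExpressVPN)[11190]: TLS Error: TLS handshake failed
Sun Nov 20 20:44:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: SIGUSR1[soft,tls-error] received, process restarting
Sun Nov 20 20:44:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Restart pause, 300 second(s)
"""

# Constructed: what a wrong tls-auth key looks like (server does answer).
SAMPLE_HMAC = """\
Sun Nov 20 21:00:00 2022 daemon.notice openvpn(ExpressVPN)[11190]: UDP link remote: [AF_INET]***.***.***.***:1194
Sun Nov 20 21:00:01 2022 daemon.err openvpn(ExpressVPN)[11190]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]***.***.***.***:1194
"""

# Constructed client config; vpn.example.invalid is a placeholder name.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote 192.0.2.10 1194
"""


def parse_messages(text):
    """Return the message part of each openvpn(...)[pid]: syslog line."""
    return [m.group("msg") for m in map(SYSLOG_RE.search, text.splitlines()) if m]


def classify(text):
    """Return (verdict, hint) for a log excerpt; the latest decisive message wins."""
    msgs = parse_messages(text)
    best = None  # (index, verdict, hint)
    for needle, verdict, hint in SIGNATURES:
        for i, msg in enumerate(msgs):
            if needle in msg and (best is None or i > best[0]):
                best = (i, verdict, hint)
    if best is None:
        return "inconclusive", "no decisive message; capture a full attempt with 'verb 4'"
    return best[1], best[2]


def remotes_needing_dns(ovpn_text):
    """Hostnames on 'remote' lines that are not IP literals: these need the
    router's own DNS to work before the tunnel exists."""
    hosts = []
    for line in ovpn_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "remote":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                hosts.append(parts[1])
    return hosts


if __name__ == "__main__":
    for name, sample in (("timeout", SAMPLE_TIMEOUT), ("hmac", SAMPLE_HMAC)):
        print(name, "->", *classify(sample))
    print("remotes needing DNS:", remotes_needing_dns(SAMPLE_OVPN))
```

On the router, `logread -e openvpn | python3 triage.py` with `SAMPLE_TIMEOUT` replaced by `sys.stdin.read()` gives the verdict for the live log. The "UDP link local: (not bound)" line is not in the signature table on purpose: it only says the client did not bind a fixed local port, which is normal.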
The OVPN file is not imported; that doesn't work and is untested by ExpressVPN, as they informed me. It works with DD-WRT.
I'm having to manually input all these settings from the OVPN file and create the separate files from the data extracted from the OpenVPN file.
auth-user-pass created and set
ca.crt created, extracted from the OVPN file
etc. etc.
Though something is telling me that something is just amiss with the TLS file created from the OVPN extracted data.
Another thing I noticed with the connection: it says the following:
Sun Nov 20 20:43:46 2022 daemon.warn openvpn(ExpressVPN)[11190]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:1194
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Socket Buffers: R=[180224->360448] S=[180224->360448]
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: UDP link local: (not bound)
Sun Nov 20 20:43:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: UDP link remote: [AF_INET]***.***.***.***:1194
Sun Nov 20 20:44:46 2022 daemon.err openvpn(ExpressVPN)[11190]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 20 20:44:46 2022 daemon.err openvpn(ExpressVPN)[11190]: TLS Error: TLS handshake failed
Sun Nov 20 20:44:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: SIGUSR1[soft,tls-error] received, process restarting
Sun Nov 20 20:44:46 2022 daemon.notice openvpn(ExpressVPN)[11190]: Restart pause, 300 second(s)
The part where it says "UDP link local: (not bound)": is there a problem here?
I followed this tutorial, replacing all the data with what's contained in my OVPN file, and added some extra variables not listed in the tutorial but present in my OVPN file.
To be clear, following a guide for LEDE is probably not the best option given that we've moved from 17.01 > 22.03 (that's 5 years, 4 major versions). Many things will be different.
Sun Nov 20 21:27:45 2022 daemon.warn openvpn(ExpressVPN)[24398]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sun Nov 20 21:27:45 2022 daemon.warn openvpn(ExpressVPN)[24398]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
This suggests that your firewall may not have a named wan in UCI syntax.
You can either just add it to the config file manually (/etc/config/firewall), or figure out how the wan zone shows up in the UCI syntax (uci show firewall should help you figure that out).
Since then I've moved on to using a GL.iNet router, which runs a customised version of OpenWRT with OpenVPN ready to go. So my instructions haven't been updated in a year and a half, aren't likely to be, and may be becoming outdated too.