VPN works with just 1 connection

username1 · January 9, 2022, 3:42am

Hi, I have OpenWRT installed on a Raspberry PI. It is working fine as a router. I can connect it to ANY wireless internet and it's able to transmit data. So far so good.

The VPN which I installed inside the router works with a single connection though! It doesn't work with other connections. I have drawn this picture to illustrate that since there are too many devices involved:

On top, you will find regular wifis that I have at home. These are the sources of the internet for my Raspberry Pi router, which you see in the middle. At the bottom, you will find my laptop and cellphone that are connected to the Raspberry Pi router.

When I connect Raspberry PI to source 1, the internet on my laptop works. When I enable the VPN inside the router, the internet still works.

However, when I connect to any other source, the internet works but as long as I don't turn on the VPN! When I turn on the VPN inside the router, the internet disappears.

How can I resolve that?

edit: 2nd picture is in the comments since I can't embed more than 1 image.

username1 · January 9, 2022, 3:43am

psherman · January 9, 2022, 3:46am

What are the "internet sources" here -- I'm having trouble understanding your scenario here. Is this a "road warrior" setup, or do you have multiple internet connections at your home/business?

Is the VPN connecting to a commercial VPN provider or is it connecting back to your own network (i.e. that road warrior type setup)?

username1 · January 9, 2022, 3:50am

What are the "internet sources" here

I have 2 cell phones that I use as hotspots. And I have 1 home internet that I get through Comcast.

It is a road warrior type setup. I am using Express VPN as I am using my Raspberry PI router as a VPN router.

psherman · January 9, 2022, 3:53am

So the idea is that your Pi connects to Express VPN, and you are using one source at a time -- one of your phones or the Comcast connection. Which configuration works? Comcast, or one of the phones?

What VPN protocol are you using?

username1 · January 9, 2022, 3:55am

So the idea is that your Pi connects to Express VPN, and you are using one source at a time -- one of your phones or the Comcast connection.

Exactly. One source at a time. It works with just one of my phone's hotspot. Just one. The other phone's hotspot and the Comcast home internet both don't work.

What VPN protocol are you using?

Sorry I didn't understand. I can post my network, wireless, and firewall files though.

psherman · January 9, 2022, 3:56am

Have you tried connecting to the Express VPN service directly via your computer (with the VPN software installed) to test that all 3 connections work as expected?

username1 · January 9, 2022, 3:57am

I haven't tried that I think that can't be a problem.

edit: I am trying now and will tell you the result.

username1 · January 9, 2022, 4:45am

That's not a problem. I tested it.

psherman · January 9, 2022, 4:46am

ok. What VPN protocol are you using?

username1 · January 9, 2022, 4:48am

How do I give you that information? This is my openvpn file

root@OpenWrt:/etc/config# cat openvpn
config openvpn 'CA_expressvpn'
	option enabled '1'
	option client '1'
	option proto 'udp'
	option dev 'tun'
	option fast_io '1'
	option persist_key '1'
	option persist_tun '1'
	option nobind '1'
	list remote 'canada-example-2.expressnetw.com'
	option port '1195'
	option remote_random '1'
	option pull '1'
	option comp_lzo 'no'
	option tls_client '1'
	option verify_x509_name 'Server name-prefix'
	option ns_cert_type 'server'
	option route_method 'exe'
	option route_delay '2'
	option tun_mtu '1500'
	option fragment '1300'
	option mssfix '1200'
	option verb '3'
	option cipher 'AES-256-CBC'
	option keysize '256'
	option auth 'SHA512'
	option sndbuf '524288'
	option rcvbuf '524288'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/user.crt'
	option key '/etc/openvpn/user.key'
	option tls_auth '/etc/openvpn/ta.key'
	option key_direction '1'
	option auth_user_pass '/etc/openvpn/user.auth'

psherman · January 9, 2022, 4:49am

The protocol is clearly OpenVPN.

What do the logs say when it doesn’t work?

logread -e openvpn

username1 · January 9, 2022, 4:50am

Oh okay. 1 sec let me pull them

username1 · January 9, 2022, 5:02am

These are the logs:

Sun Jan  9 04:57:03 2022 daemon.warn openvpn(CA_expressvpn)[4325]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sun Jan  9 04:57:03 2022 daemon.warn openvpn(CA_expressvpn)[4325]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Sun Jan  9 04:57:03 2022 daemon.warn openvpn(CA_expressvpn)[4325]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: TCP/UDP: Preserving recently used remote address: [AF_INET]71.19.252.124:1195
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: UDP link local: (not bound)
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: UDP link remote: [AF_INET]71.19.252.124:1195
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: TLS: Initial packet from [AF_INET]71.19.252.124:1195, sid=e9392623 20733b18
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1630-1a, emailAddress=support@expressvpn.com
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1630-1a, emailAddress=support@expressvpn.com
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: [Server-1630-1a] Peer Connection Initiated with [AF_INET]71.19.252.124:1195
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: SENT CONTROL [Server-1630-1a]: 'PUSH_REQUEST' (status=1)
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,comp-lzo no,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.0.106 10.167.0.105,peer-id 23,cipher AES-256-GCM'
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: compression parms modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: route options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: peer-id set
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: adjusting link_mtu to 1629
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: data channel crypto options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: NCP: overriding user-set keysize with default
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_best_gw query: dst 0.0.0.0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_best_gw result: via 192.168.1.254 dev wlan0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: TUN/TAP device tun0 opened
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_iface_mtu_set: mtu 1500 for tun0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_iface_up: set tun0 up
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_addr_ptp_v4_add: 10.167.0.106 peer 10.167.0.105 dev tun0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: /usr/libexec/openvpn-hotplug up CA_expressvpn tun0 1500 1557 10.167.0.106 10.167.0.105 init
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_add: 71.19.252.124/32 via 192.168.1.254 dev [NULL] table 0 metric -1
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_add: 0.0.0.0/1 via 10.167.0.105 dev [NULL] table 0 metric -1
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_add: 128.0.0.0/1 via 10.167.0.105 dev [NULL] table 0root@OpenWrt:~# logread -e openvpn
Sun Jan  9 04:57:03 2022 daemon.warn openvpn(CA_expressvpn)[4325]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sun Jan  9 04:57:03 2022 daemon.warn openvpn(CA_expressvpn)[4325]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Sun Jan  9 04:57:03 2022 daemon.warn openvpn(CA_expressvpn)[4325]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: TCP/UDP: Preserving recently used remote address: [AF_INET]71.19.252.124:1195
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: UDP link local: (not bound)
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: UDP link remote: [AF_INET]71.19.252.124:1195
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: TLS: Initial packet from [AF_INET]71.19.252.124:1195, sid=e9392623 20733b18
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1630-1a, emailAddress=support@expressvpn.com
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1630-1a, emailAddress=support@expressvpn.com
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jan  9 04:57:03 2022 daemon.notice openvpn(CA_expressvpn)[4325]: [Server-1630-1a] Peer Connection Initiated with [AF_INET]71.19.252.124:1195
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: SENT CONTROL [Server-1630-1a]: 'PUSH_REQUEST' (status=1)
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.167.0.1,comp-lzo no,route 10.167.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.167.0.106 10.167.0.105,peer-id 23,cipher AES-256-GCM'
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: compression parms modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: route options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: peer-id set
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: adjusting link_mtu to 1629
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: OPTIONS IMPORT: data channel crypto options modified
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: NCP: overriding user-set keysize with default
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_best_gw query: dst 0.0.0.0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_best_gw result: via 192.168.1.254 dev wlan0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: TUN/TAP device tun0 opened
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_iface_mtu_set: mtu 1500 for tun0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_iface_up: set tun0 up
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_addr_ptp_v4_add: 10.167.0.106 peer 10.167.0.105 dev tun0
Sun Jan  9 04:57:05 2022 daemon.notice openvpn(CA_expressvpn)[4325]: /usr/libexec/openvpn-hotplug up CA_expressvpn tun0 1500 1557 10.167.0.106 10.167.0.105 init
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_add: 71.19.252.124/32 via 192.168.1.254 dev [NULL] table 0 metric -1
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_add: 0.0.0.0/1 via 10.167.0.105 dev [NULL] table 0 metric -1
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_add: 128.0.0.0/1 via 10.167.0.105 dev [NULL] table 0 metric -1
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_add: 10.167.0.1/32 via 10.167.0.105 dev [NULL] table 0 metric -1
Sun Jan  9 04:57:08 2022 daemon.warn openvpn(CA_expressvpn)[4325]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan  9 04:57:08 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Initialization Sequence Completed
Sun Jan  9 04:59:57 2022 daemon.notice openvpn(CA_expressvpn)[4325]: [Server-1630-1a] Inactivity timeout (--ping-restart), restarting
Sun Jan  9 04:59:57 2022 daemon.notice openvpn(CA_expressvpn)[4325]: SIGUSR1[soft,ping-restart] received, process restarting
Sun Jan  9 04:59:57 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Restart pause, 5 second(s)
Sun Jan  9 05:00:02 2022 daemon.warn openvpn(CA_expressvpn)[4325]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: TCP/UDP: Preserving recently used remote address: [AF_INET]71.19.252.124:1195
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: UDP link local: (not bound)
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: UDP link remote: [AF_INET]71.19.252.124:1195
Sun Jan  9 05:00:02 2022 daemon.err openvpn(CA_expressvpn)[4325]: event_wait : Interrupted system call (code=4)
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_del: 10.167.0.1/32 via 10.167.0.105 dev [NULL] table 0 metric -1
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_del: 71.19.252.124/32 via 192.168.1.254 dev [NULL] table 0 metric -1
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_del: 0.0.0.0/1 via 10.167.0.105 dev [NULL] table 0 metric -1
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_route_v4_del: 128.0.0.0/1 via 10.167.0.105 dev [NULL] table 0 metric -1
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: Closing TUN/TAP interface
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: net_addr_ptp_v4_del: 10.167.0.106 dev tun0
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: /usr/libexec/openvpn-hotplug down CA_expressvpn tun0 1500 1626 10.167.0.106 10.167.0.105 init
Sun Jan  9 05:00:02 2022 daemon.notice openvpn(CA_expressvpn)[4325]: SIGTERM[hard,] received, process exiting
Sun Jan  9 05:01:28 2022 daemon.warn openvpn(CA_expressvpn)[4810]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sun Jan  9 05:01:28 2022 daemon.warn openvpn(CA_expressvpn)[4810]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Sun Jan  9 05:01:28 2022 daemon.warn openvpn(CA_expressvpn)[4810]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: TCP/UDP: Preserving recently used remote address: [AF_INET]71.19.252.142:1195
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: UDP link local: (not bound)
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: UDP link remote: [AF_INET]71.19.252.142:1195
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: TLS: Initial packet from [AF_INET]71.19.252.142:1195, sid=53478e2e d9503121
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1632-1a, emailAddress=support@expressvpn.com
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1632-1a, emailAddress=support@expressvpn.com
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Sun Jan  9 05:01:28 2022 daemon.notice openvpn(CA_expressvpn)[4810]: [Server-1632-1a] Peer Connection Initiated with [AF_INET]71.19.252.142:1195
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: SENT CONTROL [Server-1632-1a]: 'PUSH_REQUEST' (status=1)
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.103.0.1,comp-lzo no,route 10.103.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.103.0.158 10.103.0.157,peer-id 7,cipher AES-256-GCM'
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: compression parms modified
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: route options modified
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: peer-id set
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: adjusting link_mtu to 1629
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: OPTIONS IMPORT: data channel crypto options modified
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: NCP: overriding user-set keysize with default
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_route_v4_best_gw query: dst 0.0.0.0
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_route_v4_best_gw result: via 192.168.1.254 dev wlan0
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: TUN/TAP device tun0 opened
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_iface_mtu_set: mtu 1500 for tun0
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_iface_up: set tun0 up
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_addr_ptp_v4_add: 10.103.0.158 peer 10.103.0.157 dev tun0
Sun Jan  9 05:01:29 2022 daemon.notice openvpn(CA_expressvpn)[4810]: /usr/libexec/openvpn-hotplug up CA_expressvpn tun0 1500 1557 10.103.0.158 10.103.0.157 init
Sun Jan  9 05:01:32 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_route_v4_add: 71.19.252.142/32 via 192.168.1.254 dev [NULL] table 0 metric -1
Sun Jan  9 05:01:32 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_route_v4_add: 0.0.0.0/1 via 10.103.0.157 dev [NULL] table 0 metric -1
Sun Jan  9 05:01:32 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_route_v4_add: 128.0.0.0/1 via 10.103.0.157 dev [NULL] table 0 metric -1
Sun Jan  9 05:01:32 2022 daemon.notice openvpn(CA_expressvpn)[4810]: net_route_v4_add: 10.103.0.1/32 via 10.103.0.157 dev [NULL] table 0 metric -1
Sun Jan  9 05:01:32 2022 daemon.warn openvpn(CA_expressvpn)[4810]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan  9 05:01:32 2022 daemon.notice openvpn(CA_expressvpn)[4810]: Initialization Sequence Completed

psherman · January 9, 2022, 5:14am

There are a few warnings, but it seems that the tunnel comes up.

what happens if you run a ping test:
ping 8.8.8.8
ping google.com

username1 · January 9, 2022, 5:18am

When VPN is off:

root@OpenWrt:~# ping google.com
PING google.com (142.251.32.14): 56 data bytes
64 bytes from 142.251.32.14: seq=0 ttl=118 time=45.334 ms
64 bytes from 142.251.32.14: seq=1 ttl=118 time=60.945 ms
64 bytes from 142.251.32.14: seq=2 ttl=118 time=28.181 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 28.181/44.820/60.945 ms

When VPN is on:

root@OpenWrt:~# ping google.com
PING google.com (142.251.32.14): 56 data bytes
^C
--- google.com ping statistics ---
29 packets transmitted, 0 packets received, 100% packet loss

psherman · January 9, 2022, 5:20am

what about the ping test to 8.8.8.8 when it doesn't work?

username1 · January 9, 2022, 5:21am

root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
13 packets transmitted, 0 packets received, 100% packet loss

psherman · January 9, 2022, 5:22am

Have you tried restarting OpenWrt when you switch internet connections?

username1 · January 9, 2022, 5:24am

I have done it multiple times. I am facing this problem for a week.