Heck of a time with ProtonVPN

viperperidot

Occasional Visitor
Hi there, I'm using an Asus-RT-AC66U B1 router with the latest Merlin firmware. I have been trying to get ProtonVPN working consistently and have been having a heck of a time. It works for a bit and then something happens and it stops working. Usually when I try to change clients or reboot the router.

I have Accept DNS Configuration set to Exclusive and I have Policy Rules (Strict) enabled with the kill switch. I am forcing all my traffic through the tunnel with a rule of router IP address/24.

Sometimes when I try to connect it says Error - check configuration! Other times it will connect but the public IP will say Unknown and I will not be able to load websites. I have a suspicion it has something to do with my dns but I'm not sure. On the WAN page I have a dns server specified.

I uploaded the ovpn file directly from Proton and my config looks like this:

Server-poll-timeout 20
Remote-random
Resolv-retry infinite
Tun-mtu 1500
Tun-mtu-extra 32
Mssfix 1450
Remote-cert-tls-server
Pull
Fast-io

Any help would be greatly appreciated. I have been battling this for a couple days and I'm not sure what I'm doing but I have had it working with this config and then I will change clients or something and it will break. I found this forum so I am hopeful I am doing something wrong and we can fix it.

Thank you

Edit: If anyone needs any more info from my system log please let me know and I can post that.
 

eibgrad

Senior Member
Not sure if any of these are the source of your problems, however, they do concern me.

First, afaik, all directives in the config file should be lowercase.

Second, there is no such thing as remote-cert-tls-server. The option is remote-cert-tls w/ an argument of server.

Code:
remote-cert-tls server
Finally, router-ip/24 is NOT a proper notation. If the router is 192.168.1.1, then the proper notation for policy based routing is 192.168.1.0/24.
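As an added example (not code from eibgrad or anyone else in this thread), here is a small Python linter that mechanically checks the three points above against a posted .ovpn file: directives must be lowercase, a directive not in the known set is flagged (with a hint when an option and its argument were glued together by a hyphen, as in remote-cert-tls-server), and a policy-routing rule written as router-ip/24 is normalized to the network address. The known-directive set is limited to the options that appear in the configs in this thread; OP_CONFIG is the original poster's config copied as typed.

```python
import ipaddress

# Client-side directives that appear in the .ovpn files posted in this
# thread (all real OpenVPN options); anything else is reported as unknown.
KNOWN_DIRECTIVES = {
    "client", "dev", "proto", "remote", "remote-random", "resolv-retry",
    "nobind", "cipher", "auth", "comp-lzo", "verb", "tun-mtu", "tun-mtu-extra",
    "mssfix", "persist-key", "persist-tun", "reneg-sec", "remote-cert-tls",
    "auth-user-pass", "pull", "fast-io", "server-poll-timeout",
}

# The config exactly as the original poster typed it at the top of the thread.
OP_CONFIG = """\
Server-poll-timeout 20
Remote-random
Resolv-retry infinite
Tun-mtu 1500
Tun-mtu-extra 32
Mssfix 1450
Remote-cert-tls-server
Pull
Fast-io
"""


def lint_openvpn_config(text):
    """Return a list of human-readable findings (empty list = nothing to report)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # skip blanks, comments and inline <ca>/<cert>/<key> block markers
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        directive, *args = line.split()
        if directive != directive.lower():
            findings.append(f"line {lineno}: directive '{directive}' is not lowercase")
            directive = directive.lower()
        if directive not in KNOWN_DIRECTIVES:
            # typo seen in this thread: option and its argument glued with a hyphen
            glued = [k for k in KNOWN_DIRECTIVES if directive.startswith(k + "-")]
            hint = ""
            if glued:
                base = max(glued, key=len)  # longest match wins ('remote-cert-tls' over 'remote')
                hint = f" (did you mean '{base} {directive[len(base) + 1:]}'?)"
            findings.append(f"line {lineno}: unknown directive '{directive}'{hint}")
        elif directive == "remote-cert-tls" and args != ["server"]:
            findings.append(f"line {lineno}: a client should use 'remote-cert-tls server'")
    return findings


def normalize_policy_network(rule):
    """Policy routing wants a network, not a host address with a prefix.
    Returns (network notation, note); the note is empty when the input was fine."""
    net = ipaddress.ip_network(rule, strict=False)  # strict=False clears host bits
    if net.with_prefixlen != rule:
        return net.with_prefixlen, f"'{rule}' sets host bits; use '{net.with_prefixlen}'"
    return net.with_prefixlen, ""


if __name__ == "__main__":
    for finding in lint_openvpn_config(OP_CONFIG):
        print(finding)
    print(normalize_policy_network("192.168.1.1/24"))
```

Running it on the posted config reports every line for capitalization plus one unknown directive with the `remote-cert-tls server` hint, and turns `192.168.1.1/24` into `192.168.1.0/24`.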
 

MaziahBebop

Regular Contributor
Also using ProtonVPN. Almost zero connectivity issues. My conf also straight from their dashboard:
Code:
# ==============================================================================

client
dev tun
proto tcp

remote <--snip--> 443
remote <--snip--> 5995
remote <--snip--> 8443

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io
[attachment: VPN Proton.PNG]

I am forcing all my traffic through the tunnel with a rule of router IP address/24.
Not sure what you mean by that though. I'm sending my DNS through the VPN using the LAN->DHCP tab:

[attachment: DHCP VPN.png]

And you could also achieve the same with DNSFilter:

[attachment: DNSFilter.png]

Is your setup similar, or something different altogether?

[edit]

In case you're wondering, the 10.x.0.1 is not given in the config. You can find your x value after your router connects to the server, you can see your VPN ip is 10.16.0.23 for example, then your VPN gateway must be 10.16.0.1 (for example).
 

RMerlin

Asuswrt-Merlin dev
Check your System Log, it will tell you why it's failing.
 

viperperidot

Occasional Visitor
Check your System Log, it will tell you why it's failing.
Here is the latest from my system log, it keeps running this same process on repeat. I can go back further if you need me to or reboot the router and post the entire process. Sorry I am not too familiar with computers so I don't know what these mean.

May 5 09:12:59 ovpn-client2[18729]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 5 09:12:59 ovpn-client2[18729]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.159.157.118:5060
May 5 09:12:59 ovpn-client2[18729]: Socket Buffers: R=[122880->122880] S=[122880->122880]
May 5 09:12:59 ovpn-client2[18729]: UDP link local: (not bound)
May 5 09:12:59 ovpn-client2[18729]: UDP link remote: [AF_INET]185.159.157.118:5060
May 5 09:12:59 ovpn-client2[18729]: TLS: Initial packet from [AF_INET]185.159.157.118:5060, sid=ba2ab1ec f73a5021
May 5 09:13:00 ovpn-client2[18729]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
May 5 09:13:00 ovpn-client2[18729]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
May 5 09:13:00 ovpn-client2[18729]: VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=ca-37.protonvpn.com
May 5 09:13:00 ovpn-client2[18729]: OpenSSL: error:1416F086:lib(20):func(367):reason(134)
May 5 09:13:00 ovpn-client2[18729]: TLS_ERROR: BIO read tls_read_plaintext error
May 5 09:13:00 ovpn-client2[18729]: TLS Error: TLS object -> incoming plaintext read error
May 5 09:13:00 ovpn-client2[18729]: TLS Error: TLS handshake failed
May 5 09:13:00 ovpn-client2[18729]: SIGUSR1[soft,tls-error] received, process restarting
May 5 09:13:00 ovpn-client2[18729]: Restart pause, 80 second(s)
 

viperperidot

Occasional Visitor
One other thing to note is that when I set my dns back to select automatically and turn off the VPN I still don't have internet...the WiFi is connected but I can't visit any websites. The same behaviour as when those settings are turned on. Shouldn't my internet work if I disable the vpn and custom dns server? I can send the system log of this too if needed, just don't want to post any sensitive information on here and I'm not sure what the sys log reveals. Thanks
 

viperperidot

Occasional Visitor
Another thing is that the behavior is not consistent either, for example I set my dns on the wan page back to a specified server and then went to the vpn page and it said connected even though the service state was set to off. Then I switched it on and now it says connected and I don't see any errors in the system log but I still don't have internet. (WiFi connected but cannot load websites)

One thing I noticed in the sys log is that the dns server it is forcing my router through with rule ip address .0/24 is different than the dns server I specified on the wan page...not sure if that matters or not.

Sorry I know there is a lot of variables here, maybe I should just reboot the router and post the sys log? I have one of my vpn clients set to start automatically at boot but I don't think that feature has been working.
 

viperperidot

Occasional Visitor
Also using ProtonVPN. Almost zero connectivity issues. My conf also straight from their dashboard:
Code:
# ==============================================================================

client
dev tun
proto tcp

remote <--snip--> 443
remote <--snip--> 5995
remote <--snip--> 8443

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io
[attachment 26439]

Not sure what you mean by that though. I'm sending my DNS through the VPN using the LAN->DHCP tab:

[attachment 26440]

And you could also achieve the same with DNSFilter:

[attachment 26441]

Is your setup similar, or something different altogether?

[edit]

In case you're wondering, the 10.x.0.1 is not given in the config. You can find your x value after your router connects to the server, you can see your VPN ip is 10.16.0.23 for example, then your VPN gateway must be 10.16.0.1 (for example).
This is what I have set up to route all traffic through the VPN; I saw a video on YT that said to do this.

[attachment: 16009717970738668858140227099341.jpg]
 

viperperidot

Occasional Visitor
Not sure if any of these are the source of your problems, however, they do concern me.

First, afaik, all directives in the config file should be lowercase.

Second, there is no such thing as remote-cert-tls-server. The option is remote-cert-tls w/ an argument of server.

Code:
remote-cert-tls server
Finally, router-ip/24 is NOT a proper notation. If the router is 192.168.1.1, then the proper notation for policy based routing is 192.168.1.0/24.
Sorry I was typing this into my phone and didn't copy and paste from computer but all the things you mentioned I do have set up correctly.
 

viperperidot

Occasional Visitor
@MaziahBebop

Maybe I should try TCP if you have it working maybe the issue is with udp...

Edit: I tried changing to TCP and it is still not working, damn this is annoying.. :(
 

MaziahBebop

Regular Contributor
After reading your replies, and some of the logs, here is my suggestion:
  • Download a fresh ovpn file from Proton.
  • Check that you're downloading the correct ovpn file (it's for routers)
  • Don't edit the file
  • Upload the fresh ovpn to the router.
  • Don't edit any settings in your router VPN client tab, except, enter the username and password from your Proton dashboard.
  • Just start by routing *1* local IP through the VPN, e.g., 192.168.50.100.
  • Once it's working for one device, then you could add more.
 

viperperidot

Occasional Visitor
After reading your replies, and some of the logs, here is my suggestion:
  • Download a fresh ovpn file from Proton.
  • Check that you're downloading the correct ovpn file (it's for routers)
  • Don't edit the file
  • Upload the fresh ovpn to the router.
  • Don't edit any settings in your router VPN client tab, except, enter the username and password from your Proton dashboard.
  • Just start by routing *1* local IP through the VPN, e.g., 192.168.50.100.
  • Once it's working for one device, then you could add more.
@MaziahBebop

Ok I tried this and still no luck...I even tried just setting the Force Traffic to Yes instead of making specific rules and it did not work..
 

viperperidot

Occasional Visitor
Another thing to add is that I literally just had everything working fine yesterday and the only change I made was adding some new VPN client profiles and trying them out, which worked for a bit and then stopped. But even after going back to the VPN profile that worked previously, and that I had made zero changes to, it will not work!
 

RMerlin

Asuswrt-Merlin dev
May 5 09:13:00 ovpn-client2[18729]: VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=ca-37.protonvpn.com
Your router clock isn't properly set, so the OpenVPN tunnel will fail to be established, as the certificate validation requires an accurate clock. Check your router's WAN DNS settings as well as the NTP settings.
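As an added example (not code from RMerlin or the Asuswrt-Merlin project), here is a Python check a defender could run over the router syslog to turn the log above into a diagnosis: it picks out OpenVPN VERIFY ERROR lines, separates clock-dependent reasons ("not yet valid", "has expired") from genuine certificate or CA problems, and shows with a constructed validity window why a router whose clock never synced rejects a perfectly good certificate. The sample log lines are copied from the post above; the certificate dates and the assumption that an unsynced router clock sits at the Unix epoch are constructed for illustration, not ca-37's real validity period.

```python
import re
from datetime import datetime, timezone

# Log lines copied from the router syslog posted earlier in this thread.
SAMPLE_LOG = """\
May 5 09:13:00 ovpn-client2[18729]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
May 5 09:13:00 ovpn-client2[18729]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
May 5 09:13:00 ovpn-client2[18729]: VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=ca-37.protonvpn.com
May 5 09:13:00 ovpn-client2[18729]: TLS Error: TLS handshake failed
May 5 09:13:00 ovpn-client2[18729]: SIGUSR1[soft,tls-error] received, process restarting
"""

# OpenVPN's VERIFY ERROR line: client unit, chain depth (0 = the server's own cert),
# OpenSSL's reason text, then the subject of the certificate that failed.
VERIFY_RE = re.compile(
    r"ovpn-client(?P<unit>\d+)\[\d+\]: VERIFY ERROR: depth=(?P<depth>\d+), "
    r"error=(?P<reason>[^:]+): (?P<subject>.+)$"
)

# Reasons decided purely by comparing the verifier's clock with the cert's window.
CLOCK_REASONS = {"certificate is not yet valid", "certificate has expired"}


def diagnose_verify_errors(log_text):
    """Return one finding per VERIFY ERROR line: which client unit failed,
    which certificate, why, and whether the reason points at the local clock."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        reason = m.group("reason").strip()
        clock_related = reason in CLOCK_REASONS
        findings.append({
            "unit": int(m.group("unit")),
            "depth": int(m.group("depth")),
            "subject": m.group("subject").strip(),
            "reason": reason,
            "clock_related": clock_related,
            "advice": ("router clock is wrong or unset; fix NTP (and the WAN DNS it needs)"
                       if clock_related else
                       "certificate/CA mismatch; re-download the .ovpn file and do not edit it"),
        })
    return findings


def validity_status(not_before, not_after, now):
    """Mimic the window check a TLS verifier performs against its own clock."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


# Constructed validity window for illustration only (not ca-37's real dates).
NOT_BEFORE = datetime(2021, 4, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2022, 4, 1, tzinfo=timezone.utc)


def clock_skew_demo():
    """Same certificate, two router clocks: an unsynced clock (assumed here to
    sit at the Unix epoch until NTP runs) versus a clock synced to the log's date."""
    unsynced = datetime(1970, 1, 1, tzinfo=timezone.utc)
    synced = datetime(2021, 5, 5, 9, 13, tzinfo=timezone.utc)
    return {
        "unsynced": validity_status(NOT_BEFORE, NOT_AFTER, unsynced),
        "synced": validity_status(NOT_BEFORE, NOT_AFTER, synced),
    }


if __name__ == "__main__":
    for f in diagnose_verify_errors(SAMPLE_LOG):
        print(f"ovpn-client{f['unit']} depth={f['depth']} {f['subject']}: "
              f"{f['reason']} -> {f['advice']}")
    print(clock_skew_demo())
```

The point the demo makes is the one in the reply above: depth 1 and 2 verified fine, and only the time-window check on the server certificate failed, which is why fixing NTP (and the DNS that NTP needs to resolve its server) rather than the .ovpn file is the first thing to try.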
 

viperperidot

Occasional Visitor
Your router clock isn't properly set, so the OpenVPN tunnel will fail to be established, as the certificate validation requires an accurate clock. Check your router's WAN DNS settings as well as the NTP settings.
I'm not sure exactly which settings to look for in those panels but I did check my system log again and the clock is now showing the correct time. However I still cannot access the internet...the router clock must have automatically updated somehow. But the problem still isn't fixed. :(
 

viperperidot

Occasional Visitor
The VPN says connected and even shows a public IP, yet I cannot access the internet. I don't even see any errors in the log since restarting the VPN connection. This is bizarre, I wish I could give more information. Doesn't this mean it must be something with my DNS server? I've got the WAN set to use the DNS provided by Proton. When I look in the sys log it says forcing through a DNS server other than the one I specified, not sure if that's important.
 

viperperidot

Occasional Visitor
UPDATE: I finally got fed up and just reset my router back to factory defaults and then reconfigured everything. And it is now working!! After looking around a bit I did see what you were referring to @RMerlin in the NTP settings. I see that there is a note under the time zone that says this is different than your local time zone. Previously I had set that field to my local time zone!!! So I think you are right that maybe that was what was causing the issue. Maybe having the VPN set to automatically connect on reboot was also a factor, I'm not sure...anyway I'm really glad it's working now and thanks everyone for the help. But I have one last question, why is the time zone in this field supposed to be different than your local time zone? And I guess I should just leave this field alone at the default, right? Thanks!!!
 

RMerlin

Asuswrt-Merlin dev
But I have one last question, why is the time zone in this field supposed to be different than your local time zone?
It must match your PC, not the other way around. It simply checks what your browser reports versus what is configured on the router, and reports any mismatch. Sometimes it's because the router's start/end of DST is incorrect, in which case you might have to manually configure it.

This isn't related to the previous issue however, where the clock was not set at all.
 