AXT1800 NordVPN Issues

haxor1337 · March 28, 2024, 3:46pm

GL-AXT1800 Slate AX, Firmware 4.5

I recently bought the router and have been trying to set up the NordVPN connection through the OpenVPN auto setup wizard.

I provided my credentials, got the list of servers, and attempted to initiate a connection but the VPN session never gets established. Here is the log, which seems to repeat the same output over and over.

I see various parsing errors and missing scripts.

Thu Mar 28 08:04:27 2024 daemon.warn ovpnclient[6721]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Mar 28 08:04:27 2024 daemon.warn ovpnclient[6721]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.100.27:1194
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: UDP link local: (not bound)
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: UDP link remote: [AF_INET]146.70.100.27:1194
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: TLS: Initial packet from [AF_INET]146.70.100.27:1194, sid=325f33c8 dc3360d6
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: VERIFY KU OK
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: Validating certificate extended key usage
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: VERIFY EKU OK
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: VERIFY X509NAME OK: CN=us9594.nordvpn.com
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: VERIFY OK: depth=0, CN=us9594.nordvpn.com
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Thu Mar 28 08:04:27 2024 daemon.notice ovpnclient[6721]: [us9594.nordvpn.com] Peer Connection Initiated with [AF_INET]146.70.100.27:1194
Thu Mar 28 08:04:28 2024 daemon.notice ovpnclient[6721]: SENT CONTROL [us9594.nordvpn.com]: ‘PUSH_REQUEST’ (status=1)
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Rule ‘out_conn_mark_restore’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Zone ‘lan’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Zone ‘wan’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Zone ‘guest’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Zone ‘ovpnclient’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Set tcp_ecn to off
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Set tcp_syncookies to on
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Set tcp_window_scaling to on
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Running script ‘/etc/firewall.nat6’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Running script ‘/etc/firewall.swap_wan_in_conn_mark.sh’
Thu Mar 28 08:04:40 2024 daemon.notice netifd: ovpnclient (7026): * Running script ‘/etc/firewall.vpn_server_policy.sh’
Thu Mar 28 08:04:41 2024 daemon.notice netifd: ovpnclient (7026): * Running script ‘/var/etc/gls2s.include’
Thu Mar 28 08:04:41 2024 daemon.notice netifd: ovpnclient (7026): ! Skipping due to path error: No such file or directory
Thu Mar 28 08:04:41 2024 daemon.notice netifd: ovpnclient (7026): * Running script ‘/usr/bin/gl_block.sh’
Thu Mar 28 08:04:41 2024 daemon.notice netifd: ovpnclient (7026): Failed to parse json data: unexpected character
Thu Mar 28 08:04:41 2024 daemon.notice netifd: ovpnclient (7026): uci: Entry not found
Thu Mar 28 08:04:41 2024 daemon.notice netifd: ovpnclient (7026): cat: can’t open ‘/tmp/run/ovpn_resolved_ip’: No such file or directory
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Thu Mar 28 08:04:52 2024 daemon.warn ovpnclient[7434]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Mar 28 08:04:52 2024 daemon.warn ovpnclient[7434]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.100.27:1194
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: UDP link local: (not bound)
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: UDP link remote: [AF_INET]146.70.100.27:1194
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: TLS: Initial packet from [AF_INET]146.70.100.27:1194, sid=c7eb88ad 87613304
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: VERIFY KU OK
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: Validating certificate extended key usage
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: VERIFY EKU OK
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: VERIFY X509NAME OK: CN=us9594.nordvpn.com
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: VERIFY OK: depth=0, CN=us9594.nordvpn.com
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Thu Mar 28 08:04:52 2024 daemon.notice ovpnclient[7434]: [us9594.nordvpn.com] Peer Connection Initiated with [AF_INET]146.70.100.27:1194

admon · March 28, 2024, 3:47pm

Could you please check if you are using the right credentials?

The one for getting the servers list isn’t the one for OpenVPN itself.

haxor1337 · March 28, 2024, 4:08pm

My credentials are correct, I made sure to verify by logging out on the official Nord app and logging back in. I do have 2FA enabled for Nord so I don’t know if that would affect OpenVPN implementation. I wouldn’t think so.

admon · March 28, 2024, 4:21pm

Did you read my link? The login from the App is different from the OpenVPN one.

You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard

haxor1337 · March 28, 2024, 8:49pm

Thank you for pointing that out, I didn’t see that. I created service credentials and used that for OpenVPN, however, I am still getting the same log output and failure to establish a connection.

admon · March 28, 2024, 8:55pm

The log looks good so far, maybe try a different server.
I would recommend to use WireGuard anyway, if possible. OpenVPN is pretty bad speaking about performance.

ArnoG · March 28, 2024, 11:18pm

As far as the parsing errors/etc… I’ve seen those, even in successful connections, so you shouldn’t worry too much about them. Even with WG you will most likely see them.

daemon.notice netifd: wgclient (7280): Failed to parse json data: unexpected character
daemon.notice netifd: wgclient (7280): uci: Entry not found
daemon.notice netifd: wgclient (7280): cat: can’t open ‘/tmp/run/wg_resolved_ip’: No such file or directory

[Edit] After some digging around, the first 2 might be due to an empty mac address black list/block (gl_block), and hence are only warnings

ecfeed · March 29, 2024, 2:45am

I’ll just leave it here for whoever wants to have better bandwidth with Wireguard instead of OpenVPN on this router using NordVPN:

gist.github.com

https://gist.github.com/bluewalk/7b3db071c488c82c604baf76a42eaad3?permalink_comment_id=4967841#gistcomment-4967841

GetNordVPNWireGuardDetails.md

# About
Instructions to obtain WireGuard details of your NordVPN account. These can be used to setup a WireGuard tunnel on your router to NordVPN.

Source: https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27

# Prerequisites
If you have any linux machine, use that or install a vm if you don't have one.

Get their [official linux app installed](https://support.nordvpn.com/Connectivity/Linux/1325531132/Installing-and-using-NordVPN-on-Debian-Ubuntu-Elementary-OS-and-Linux-Mint.htm). Make sure you have [wireguard installed too](https://www.wireguard.com/install/). And set the used technology to Nordlynx by running `nordvpn set technology nordlynx`

This file has been truncated. show original

Just follow the instruction to prepare wg.conf file and add new client to WireGuard. Works for me.

alzhao · March 30, 2024, 1:09am

The 2FA is for login your nord account, not for vpn connection, right?

You cannot connect if your openvpn needs 2FA when connect. If you don’t have this, I am pretty sure after you get the vpn credential correct it should connect.

RVer · March 30, 2024, 2:27am

I’ve also got a GL-AXT1800 running 4.5. Mine is stock (no additional packages) although I do have a GL-M2 board attached. Also, as I had upgraded from a snapshot, I did do a full reset.

NordVPN is working fine for me. No strange errors in my syslog. No parsing errors. In particular, I’m not getting any netifd errors. Have you made any network changes?

haxor1337 · March 30, 2024, 2:47am

Yeah I misunderstood how to set that up. I got that cleared up and have the right credentials now.

Nothing crazy. I’m trying to just establish a connection through the slate connected to a hotel wifi. Only “change” is that I use secure DNS servers. But otherwise, nothing out of the ordinary. And I can use the NordVPN app on my phone through hotel wifi just fine (and use secure DNS on my phone, too).

I don’t have a computer with me atm so I’ll try and debug and try wireguard when I get home.