GL-E750 OpenVPN ExpressVPN does not connect

I tried to configure the OpenVPN client for ExpressVPN and it does not connect for all servers.

I am getting the following error:

WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6

OpenVPN 2.5.2 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]

library versions: OpenSSL 1.1.1k 25 Mar 2021

neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Auth Username:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

Exiting due to fatal error

From the log, the config needs a private key passphrase.

So in the ovpn there should be --askpass as one line. If there is no such line, you should add it before uploading to the router so that the router will ask for this info.

But I do have one question: why do only some servers ask for this with ExpressVPN?

Hello Alzaho

The file is as follows. Can you please edit it, as I am not technically good at this stuff?

dev tun
fast-io
persist-key
persist-tun
nobind
remote canada-toronto-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

Just try to add “askpass” as one line, like below

dev tun
fast-io
persist-key
persist-tun
nobind
remote canada-toronto-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass
askpass 

Hello, I have the same --askpass error on my AX3000 but as soon as I add askpass to the OpenVPN config file I’m no longer able to upload it. Getting this in the GUI:

I’m using ProtonVPN.
Here’s my example config, same error happens on every config file location:

# ==============================================================================
# Copyright (c) 2016-2020 Proton Technologies AG (Switzerland)
# Email: contact@protonvpn.com
#
# The MIT License (MIT)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR # OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# ==============================================================================

# The server you are connecting to is using a circuit in order to separate entry IP from exit IP
# The same entry IP allows to connect to multiple exit IPs in the same data center.

# If you want to explicitly select the exit IP corresponding to server SK#6 you need to
# append a special suffix to your OpenVPN username.
# Please use "X0W7KI6VPg3gnSbE+b:2" in order to enforce exiting through SK#6.

# If you are a paying user you can also enable the ProtonVPN ad blocker (NetShield) or Moderate NAT:
# Use: "X0W7KI6VPg3gnSbE+b:2+f1" to enable anti-malware filtering
# Use: "X0W7KI6VPg3gnSbE+b:2+f2" to additionally enable ad-blocking filtering
# Use: "X0W7KI6VPg3gnSbE+b:2+nr" to enable Moderate NAT
# Note that you can combine the "+nr" suffix with other suffixes.

client
dev tun
proto udp

remote 196.245.151.210 51820
remote 196.245.151.210 1194
remote 196.245.151.210 4569
remote 196.245.151.210 5060
remote 196.245.151.210 80

remote-random
resolv-retry infinite
nobind

# The following setting is only needed for old OpenVPN clients compatibility. New clients
# automatically negotiate the optimal cipher.
cipher AES-256-CBC

auth SHA512
verb 3

setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io

<ca>
-----BEGIN CERTIFICATE-----
---some key---

-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
---some key---
</tls-auth>

Are you trying to upload the OpenVPN config to a VPN Group that already has existing config(s)? If so, create a new group for the modified config.

I do not work for and I do not have formal association with GL.iNet


Just create a new group rather than uploading files to an existing group.

I have the exact same problem when trying to connect my GL-MT3000 with an OpenVPN server running on my Synology NAS.

On perhaps the 30th attempt, the ovpn file now appears to have been imported correctly. Previously I had deleted the group and created a new one. The OpenVPN connection now works with this configuration.

However, if I create another group with the exact same ovpn file, I again get the same error messages as described by the users above when I start the OpenVPN connection.

Somehow the router does not seem to import the ovpn file and/or username/password correctly. In any case, it cannot be due to the config.

The ovpn file contains the following:

dev tun
tls-client
remote XXX 1194
pull
script-security 2
reneg-sec 0
cipher AES-256-CBC
auth SHA512
auth-user-pass

-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----

Router: GL-MT3000
Firmware: 4.2.0

I found out the following by checking the OpenVPN config files on the router via WinSCP:

In the working OpenVPN config, the router stored the username and password in a text file and added the path to the file in the ovpn file after auth-user-pass:

auth-user-pass /etc/openvpn/profiles/XXXXX/auth/username_password.txt

XXXXX = a random number for the group of the configuration

In the non-functioning OpenVPN configs, the file with the username and password was created, but the path was not added to the ovpn file.

This means that the import of the ovpn file does not work reliably.
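The check described in the last post can be scripted. This is an added example, not code from the poster or from GL.iNet: it classifies each imported profile by its auth-user-pass line and also checks that the stored credential file is readable only by its owner. The function names, the `*.ovpn` file extension and the default root `/etc/openvpn/profiles` (taken from the path quoted above) are assumptions.

```shell
#!/bin/sh
# Added example: audit imported OpenVPN profiles for a bare auth-user-pass line.
# check_profile prints one of:
#   none    - no auth-user-pass directive in the profile
#   bare    - directive without a file path; a daemonized client has no tty
#             to prompt on and exits with the "Enter Auth Username" error
#   missing - path given, but the credential file is absent or empty
#   perms   - credential file is accessible by group or others
#   ok      - path given, file present, owner-only permissions
check_profile() {
    ovpn=$1
    # The first field must be the directive itself, so commented-out lines and
    # inline <ca>/<tls-auth> blocks never match. If the directive appears
    # more than once, this sketch takes the last one.
    hit=$(awk '$1 == "auth-user-pass" { found = 1; path = $2 }
               END { if (found) print "=" path }' "$ovpn")
    [ -n "$hit" ] || { echo none; return 0; }
    cred=${hit#=}
    [ -n "$cred" ] || { echo bare; return 0; }
    # Assumption: relative paths are resolved against the profile's directory.
    case $cred in /*) ;; *) cred=$(dirname "$ovpn")/$cred ;; esac
    [ -s "$cred" ] || { echo missing; return 0; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$cred" | cut -c5-10)
    [ "$mode" = "------" ] || { echo perms; return 0; }
    echo ok
}

# Walk a profile tree and print "<status><TAB><file>" for every profile found.
audit_profiles() {
    root=${1:-/etc/openvpn/profiles}
    find "$root" -type f -name '*.ovpn' 2>/dev/null | while IFS= read -r f; do
        printf '%s\t%s\n' "$(check_profile "$f")" "$f"
    done
}

# Run directly with a directory argument, e.g.: sh audit.sh /etc/openvpn/profiles
if [ "$#" -gt 0 ]; then audit_profiles "$1"; fi
```

A profile reported as `bare` matches the non-functioning imports described above. `perms` flags a stored username/password file that other accounts on the router could read.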