Express VPN Received control message: AUTH_FAILED
-
@jegavelan Didn't your original .ovpn file have a key-direction entry in it? I'm sure I saw that but it's not in your post above anymore.
-
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass
-
@jegavelan Try manually setting your TLS key-direction to 1 instead of Use default direction
I'm grasping at straws at this point.
-
@kom still no luck
-
@jegavelan I don't have much else to add other than to contact ExpressVPN Support and ask them if they have more details from the server logs because the auth_fail is completely unexplained. Usually that error comes with extra details, and when it does not it's often a bad username or password.
-
These are my settings :
The created config file is :
dev ovpnc2
verb 3
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.10.3
tls-client
client
lport 0
management /var/etc/openvpn/client2/sock unix
remote 45.91.22.2 1195 udp4
auth-user-pass /var/etc/openvpn/client2/up
capath /var/etc/openvpn/client2/ca
cert /var/etc/openvpn/client2/cert
key /var/etc/openvpn/client2/key
tls-auth /var/etc/openvpn/client2/tls-auth 1
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression asym
comp-lzo yes
resolv-retry infinite
fast-io
sndbuf 524288
rcvbuf 524288
verify-x509-name Server name-prefix; remote-cert-tls server; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; auth-nocache;
Starting with "verify-x509-name Server name-prefix", these are the custom added commands.
Note : with the "qdqdqdqsdqsdqsdqsdqsdq" password (see image), I guess massive
AUTH: Received control message: AUTH_FAILED
failures.
These :
dev ovpnc2
local 192.168.10.3
remote 45.91.22.2 1195 udp4
are most surely different on your system.
The VPN client connected just fine :
Logs in reverse order :
2021-05-27 08:42:46.012571+02:00 openvpn 86900 Initialization Sequence Completed
2021-05-27 08:42:44.586214+02:00 openvpn 86900 /usr/local/sbin/ovpn-linkup ovpnc2 1500 1629 10.104.2.110 10.104.2.109 init
2021-05-27 08:42:44.581361+02:00 openvpn 86900 /sbin/ifconfig ovpnc2 10.104.2.110 10.104.2.109 mtu 1500 netmask 255.255.255.255 up
2021-05-27 08:42:44.581222+02:00 openvpn 86900 TUN/TAP device /dev/tun2 opened
2021-05-27 08:42:44.580968+02:00 openvpn 86900 TUN/TAP device ovpnc2 exists previously, keep at program end
2021-05-27 08:42:44.580890+02:00 openvpn 86900 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-05-27 08:42:44.580831+02:00 openvpn 86900 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-05-27 08:42:44.580781+02:00 openvpn 86900 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-05-27 08:42:44.580726+02:00 openvpn 86900 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2021-05-27 08:42:44.580592+02:00 openvpn 86900 Using peer cipher 'AES-256-CBC'
2021-05-27 08:42:44.580546+02:00 openvpn 86900 OPTIONS IMPORT: adjusting link_mtu to 1629
2021-05-27 08:42:44.580496+02:00 openvpn 86900 OPTIONS IMPORT: peer-id set
2021-05-27 08:42:44.580450+02:00 openvpn 86900 OPTIONS IMPORT: --ifconfig/up options modified
2021-05-27 08:42:44.580390+02:00 openvpn 86900 OPTIONS IMPORT: compression parms modified
2021-05-27 08:42:44.580338+02:00 openvpn 86900 OPTIONS IMPORT: timers and/or timeouts modified
2021-05-27 08:42:44.580269+02:00 openvpn 86900 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
2021-05-27 08:42:44.580214+02:00 openvpn 86900 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
2021-05-27 08:42:44.580158+02:00 openvpn 86900 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
2021-05-27 08:42:44.580050+02:00 openvpn 86900 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.104.0.1,comp-lzo no,route 10.104.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.104.2.110 10.104.2.109,peer-id 64'
2021-05-27 08:42:44.557481+02:00 openvpn 86900 SENT CONTROL [Server-2776-4a]: 'PUSH_REQUEST' (status=1)
2021-05-27 08:42:43.536122+02:00 openvpn 86900 [Server-2776-4a] Peer Connection Initiated with [AF_INET]45.91.22.2:1195
2021-05-27 08:42:43.536062+02:00 openvpn 86900 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-05-27 08:42:43.499590+02:00 openvpn 86900 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2776-4a, emailAddress=support@expressvpn.com
2021-05-27 08:42:43.499537+02:00 openvpn 86900 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2776-4a, emailAddress=support@expressvpn.com
2021-05-27 08:42:43.499492+02:00 openvpn 86900 VERIFY EKU OK
2021-05-27 08:42:43.499443+02:00 openvpn 86900 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-05-27 08:42:43.499382+02:00 openvpn 86900 Validating certificate extended key usage
2021-05-27 08:42:43.499330+02:00 openvpn 86900 VERIFY KU OK
2021-05-27 08:42:43.498816+02:00 openvpn 86900 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
2021-05-27 08:42:43.498660+02:00 openvpn 86900 VERIFY WARNING: depth=1, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
2021-05-27 08:42:43.498568+02:00 openvpn 86900 VERIFY WARNING: depth=0, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2776-4a, emailAddress=support@expressvpn.com
2021-05-27 08:42:43.472192+02:00 openvpn 86900 TLS: Initial packet from [AF_INET]45.91.22.2:1195, sid=741e1863 61e2292e
2021-05-27 08:42:43.448232+02:00 openvpn 86900 UDPv4 link remote: [AF_INET]45.91.22.2:1195
2021-05-27 08:42:43.448220+02:00 openvpn 86900 UDPv4 link local (bound): [AF_INET]192.168.10.3:0
2021-05-27 08:42:43.448194+02:00 openvpn 86900 Socket Buffers: R=[42080->524288] S=[57344->524288]
2021-05-27 08:42:43.448130+02:00 openvpn 86900 TCP/UDP: Preserving recently used remote address: [AF_INET]45.91.22.2:1195
2021-05-27 08:42:43.447802+02:00 openvpn 86900 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-05-27 08:42:43.447712+02:00 openvpn 86900 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-05-27 08:42:43.447417+02:00 openvpn 86900 WARNING: experimental option --capath /var/etc/openvpn/client2/ca
2021-05-27 08:42:43.446230+02:00 openvpn 86900 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-05-27 08:42:43.446125+02:00 openvpn 86900 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2/sock
2021-05-27 08:42:43.445134+02:00 openvpn 86645 library versions: OpenSSL 1.1.1k-freebsd 25 Mar 2021, LZO 2.10
2021-05-27 08:42:43.445121+02:00 openvpn 86645 OpenVPN 2.5.1 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 5 2021
2021-05-27 08:42:43.445097+02:00 openvpn 86645 WARNING: file '/var/etc/openvpn/client2/up' is group or others accessible
The OpenVPN client connected.
I did not test routing over it.
-
@gertjan I removed all the existing certs and configuration and re-created everything like what you have now.
I got rid of the auth_failed error now, but VPN is not getting connected. Attached other configuration and logs.
-
Your Manual NAT entries, and the second LAN firewall rule look fine to me.
These :
are Floating rules ?
If so, then that's not looking fine at all ..... Why did you create these rules ?? Same thing for DNS settings : not needed at all.
Make first a minimal Client VPN setup with https://www.youtube.com/watch?v=lp3mtR4j3Lw
Btw : when the VPN client is connected = working, drop the verbosity of the VPN log - reset it to 3. It's not needed to see entries for every byte that goes out. It tends to hide crucial information.
@jegavelan said in Express VPN Received control message: AUTH_FAILED:
re-created everything like what you have now
I used the info from my vpn's account page.
And this one : https://www.expressvpn.com/fr/support/vpn-setup/pfsense-with-expressvpn-openvpn/
Keep in mind that OpenVPN had a huge update a couple of months ago : the version used back then was 2.4.7 ( ? ) and now pfSense is using the version 2.5.1 - the future, upcoming version will be 2.5.2. This means that this ExpressVPN / pfSense help page should be double checked with the new and changed OpenVPN parameters. It's not a click here click there and go solution.
Also : I don't know what version of OpenVPN ExpressVPN is using on their side. I do know that my setup worked last time I tested it, using pfSense 2.5.1 and OpenVPN .
-
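An added example, not written by any poster in this thread: a Python check for provider-supplied settings that OpenVPN 2.5 deprecates, run over excerpts of the two configs posted above. The rule table and its pairing policy (a legacy option is reported unless the config already carries the 2.5 option listed beside it) are assumptions based on the OpenVPN 2.5 manual and are not exhaustive.

```python
# Added example: flag .ovpn directives that OpenVPN 2.5 deprecates.
# The rule table is an assumption based on the OpenVPN 2.5 manual; not exhaustive.
# Value: (2.5 option that makes the setting explicit, or None; hint).
LEGACY = {
    "ns-cert-type": (None, "deprecated; use 'remote-cert-tls server'"),
    "keysize": (None, "deprecated; the cipher name already fixes the key size"),
    "cipher": ("data-ciphers", "list it in 'data-ciphers' and 'data-ciphers-fallback'"),
    "comp-lzo": ("allow-compression", "deprecated; state the policy with 'allow-compression'"),
}

# Excerpt of the provider .ovpn posted in this thread, one directive per line.
PROVIDER_OVPN = """\
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
cipher AES-256-CBC
keysize 256
auth SHA512
auth-user-pass
"""

# Excerpt of the pfSense-generated config posted in this thread.
PFSENSE_CONF = """\
#user nobody
tls-client
auth SHA512
tls-auth /var/etc/openvpn/client2/tls-auth 1
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression asym
comp-lzo yes
verify-x509-name Server name-prefix; remote-cert-tls server; auth-nocache;
"""


def parse_directives(text):
    """Return [(lineno, name, args)], skipping blank lines and comments."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        # pfSense custom options arrive as one ';'-separated line.
        for part in line.split(";"):
            tokens = part.split()
            if tokens:
                found.append((lineno, tokens[0].lstrip("-"), tokens[1:]))
    return found


def lint(text):
    """Return [(lineno, directive, hint)] for legacy options still in use."""
    directives = parse_directives(text)
    present = {name for _, name, _ in directives}
    findings = []
    for lineno, name, _ in directives:
        if name in LEGACY:
            companion, hint = LEGACY[name]
            if companion is None or companion not in present:
                findings.append((lineno, name, hint))
    return findings


if __name__ == "__main__":
    for lineno, name, hint in lint(PROVIDER_OVPN):
        print(f"line {lineno}: {name}: {hint}")
```
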
@gertjan did you ever solve this?
-
@gwaitsi said in Express VPN Received control message: AUTH_FAILED:
@gertjan did you ever solve this?
Never had any issues while using 'pfSense' and 'ExpressVPN'. My connection is not actually used right now, but it's up for years now. Some maintenance is needed once in a while, as Express can change things on their side, and pfSense also changes the OpenVPN version regularly. It's an ongoing read-learn-apply cycle.
Read again, I was trying to answer questions. Not asking them.
-
@gertjan yes it works, but I also have these messages in my logs for both expressvpn and protonvpn, i.e. certificate verify warning
May 26 15:00:23 openvpn 75963 VERIFY WARNING: depth=0, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1417-1a, emailAddress=support@expressvpn.com
May 26 15:00:23 openvpn 75963 VERIFY WARNING: depth=1, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
May 26 15:00:23 openvpn 75963 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com M
-
@gwaitsi said in Express VPN Received control message: AUTH_FAILED:
unable to get certificate CR
CRL missing, or not accessible, isn't a big deal in this case.
See for example unable to get certificate crl
If something happens to the certificate emitted by expressvpn, they would remove it message or warning, and force you to update your connection settings.
There is no such thing as : expressvpn let you use their generated certs, but starts to list them on a revocation list. That's not needed in this usage case.
I've these same two warnings.
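An added example, not part of any post in this thread: a Python triage of an OpenVPN client log that counts the CRL warnings discussed above separately from the events that decide the outcome (AUTH_FAILED, which arrives over the control channel after the certificate checks, and Initialization Sequence Completed). The sample logs are constructed from the message formats shown in this thread; the PID and CN in the second sample are placeholders.

```python
import re

# Added example: triage an OpenVPN client log as shown by pfSense.
ENTRY = re.compile(r"\bopenvpn (?P<pid>\d+) (?P<msg>.+)$")
CRL_WARNING = re.compile(r"VERIFY WARNING: depth=\d+, unable to get certificate CRL")

# Constructed sample, newest entry first, using message formats from this thread.
CONNECTED_NEWEST_FIRST = """\
2021-05-27 08:42:46.012571+02:00 openvpn 86900 Initialization Sequence Completed
2021-05-27 08:42:43.499590+02:00 openvpn 86900 VERIFY OK: depth=0, O=ExpressVPN, CN=Server-2776-4a
2021-05-27 08:42:43.498660+02:00 openvpn 86900 VERIFY WARNING: depth=1, unable to get certificate CRL: O=ExpressVPN, CN=ExpressVPN CA
2021-05-27 08:42:43.498568+02:00 openvpn 86900 VERIFY WARNING: depth=0, unable to get certificate CRL: O=ExpressVPN, CN=Server-2776-4a
2021-05-27 08:42:43.445097+02:00 openvpn 86645 WARNING: file '/var/etc/openvpn/client2/up' is group or others accessible
"""

# Constructed sample, oldest entry first; PID and CN are placeholders.
REJECTED_OLDEST_FIRST = """\
May 27 09:00:01 openvpn 11111 VERIFY OK: depth=0, O=ExpressVPN, CN=Server-0000-0a
May 27 09:00:02 openvpn 11111 AUTH: Received control message: AUTH_FAILED
"""


def triage(log_text, newest_first=False):
    """Summarise one client log; the latest terminal event decides the outcome."""
    lines = log_text.splitlines()
    if newest_first:  # the log in this thread was posted newest entry first
        lines.reverse()
    summary = {"outcome": "incomplete", "peer_verified": False,
               "crl_warnings": 0, "other_warnings": []}
    for line in lines:
        match = ENTRY.search(line)
        if not match:
            continue
        msg = match["msg"]
        if CRL_WARNING.search(msg):
            summary["crl_warnings"] += 1  # counted, never treated as a failure
        elif msg.startswith("VERIFY OK: depth=0"):
            summary["peer_verified"] = True
        elif "VERIFY ERROR" in msg:
            summary["peer_verified"] = False
            summary["other_warnings"].append(msg)
        elif "AUTH_FAILED" in msg:
            summary["outcome"] = "auth_failed"
        elif "Initialization Sequence Completed" in msg:
            summary["outcome"] = "connected"
        elif msg.startswith("WARNING:"):
            summary["other_warnings"].append(msg)
    return summary


if __name__ == "__main__":
    print(triage(CONNECTED_NEWEST_FIRST, newest_first=True))
    print(triage(REJECTED_OLDEST_FIRST))
```
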