
ExpressVPN & Merlin 384.15

Discussion in 'Asuswrt-Merlin' started by Skeptical.me, Feb 6, 2020.

  1. Skeptical.me (Very Senior Member)

    Introduction

    A few days ago I updated to 384.15_beta1.

    Yesterday I reset my router to default factory settings.

    I ran into an issue when setting up an OpenVPN Client and connecting to the server where the client hung with a "connecting..." status. I want to just point to a solution for anyone who reads this.

    I also want to detail a fix for the "Public: unknown" issue when connecting to ExpressVPN.

    Then I want to detail how to get Diversion working with ExpressVPN.

    Firstly, I made sure "LAN" > "DNSFilter" was on and set to "Router".



    ExpressVPN OpenVPN "connecting..." issue.

    Issue:

    When upgrading to Merlin 384.15 some people may run into an issue when adding an ExpressVPN .ovpn config file to an OpenVPN Client and then trying to connect to a server.

    [IMG]

    After importing the .ovpn config file and adding it to an OpenVPN client I tried to connect and then I found it just hung in place trying to connect. I couldn't figure out why it just hung in place, so I contacted ExpressVPN, sent them screenshots of my client settings, and they gave up trying after a while.

    Solution:

    What I, and they, didn't notice was that (for some reason) neither of the "Verify Server Certificate" options (Yes/No) was selected. So I selected "No", clicked "Apply", and then the client connected to the server. Hopefully if this occurs to someone here this will help.

    [IMG]



    "Public: unknown" OpenVPN ExpressVPN issue.

    Issue:

    [IMG]

    When adding some ExpressVPN config files to an OpenVPN Client and connecting to the server, a "Public: unknown" message may appear: the client can't display the public IP address as it normally does.

    As a result you may be unable to open websites.

    Solution:

    To overcome this you need to add the following code (at the very bottom of the code) to the "Custom Configuration" at the bottom of the Client settings page:

    Code:
    comp-lzo no
    push "comp-lzo no"

    Then set "Compression" to "Disabled".

    Next, you should be able to connect and see the public IP address where the "Public: unknown" message was.



    ExpressVPN, Netflix Proxy Warning, Policy Routing, DNS Leaks, and Diversion

    Issues:

    I first started using Merlin for the OpenVPN clients to watch Netflix (US), HULU, and Amazon Prime Video (US) from Australia.

    Then I discovered Policy Routing and Diversion.

    When using ExpressVPN from Australia it is important that both the (US) IP address and (US) DNS servers are used. If your real DNS leaks (or, say, Cloudflare's DNS) you will get a proxy warning when attempting to stream video on Netflix, Hulu, and Amazon Prime Video.

    When you use ExpressVPN with Policy Routing your DNS may leak and cause proxy warnings, and on top of this Diversion will not work (at first it may appear Diversion is still working but it appears to fail).

    Solution:

    If you want Diversion to work, and stream video proxy warning free, you cannot use Policy Routing, and you must configure your OpenVPN client as such (making sure "Accept DNS Configuration" is set to "Exclusive" as well as setting "Force Internet Traffic through Tunnel" to "Yes"):

    [IMG]

    [IMG]

    If anyone has a solution to these issues I'll gladly add the solution to this post.
     
    Last edited: Feb 6, 2020
  2. Skeptical.me (Very Senior Member)

    @Jack Yaz

    Do you think I should verify the cert? I only selected "No" because other VPN providers don't and I've never noticed an ExpressVPN config include it. BUT I will contact ExpressVPN and see what they say. I'll get back to you. Thanks for the heads up.
     
  3. Jack Yaz (Part of the Furniture)
    I deleted my post because it seems NordVPN also requires "No" for verifying the cert. So I'm not sure if it's needed. I would have thought certs should be verified to be truly secure!
     
  4. Skeptical.me (Very Senior Member)
    Thought the same thing. This is ExpressVPN's response ...

    [IMG]
     
  5. stefan21 (New Around Here)
    I'm on an Asus RT-AC68U, Merlin 384.14_2, with a Pi-hole as DNS using Unbound. Actually I used NordVPN (without any problems) but for some reason I wanted to try ExpressVPN. I was running into the same issue as the OP.

    For my setup I found a configuration that seems to work:

    Upload the *.ovpn you chose from your ExpressVPN account. Change the following settings:

    1. Accept DNS Configuration: Strict
    2. Force Internet traffic through tunnel: Policy Rules (strict)
    3. Block routed clients if tunnel goes down: Yes

    Leave the rest as in the uploaded *.ovpn.


    Policy rules:

    1. router   192.168.xxx.xxx  0.0.0.0  WAN
    2. pi-hole  192.168.xxx.xxx  0.0.0.0  VPN
    other clients ...


    Custom config:

    Code:
    fast-io
    remote-random                          # pick a random "remote" entry on each connect
    pull
    tls-client
    verify-x509-name Server name-prefix    # server cert name must start with "Server"
    remote-cert-tls server                 # server cert must carry the server EKU
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1450
    keysize 256
    sndbuf 524288
    rcvbuf 524288
    comp-lzo no                            # disable LZO compression
    push "comp-lzo no"
    auth-nocache                           # don't keep the password in memory after auth

    For my setup this results, for ExpressVPN, in

    - VPN IP
    - no DNS leak
    - no WebRTC leak

    for those clients which are forced through the VPN device by the policy rules.

    Hope this might help someone.

    regards,
    stefan
     
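As an added example, not from the thread or from any provider: a small Python linter for the OpenVPN client settings argued over above (server certificate checks, which in OpenVPN terms are `remote-cert-tls server` and `verify-x509-name`, plus compression and credential caching). The sample config is constructed, modelled on stefan21's custom config, with a placeholder hostname.

```python
"""Lint an OpenVPN client config for the settings discussed in this thread."""

# Constructed sample modelled on the custom config posted above; not a real provider file.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1195
remote-random
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
comp-lzo no
push "comp-lzo no"
auth-user-pass
auth-nocache
"""


def parse_config(text):
    """Split a config into (directive, args) pairs, skipping blanks and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines start with # or ;
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_config(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    entries = parse_config(text)
    names = {d for d, _ in entries}
    findings = []
    # Without these two checks the client accepts any certificate the CA issued,
    # including another client's, and never confirms which server it reached.
    if "remote-cert-tls" not in names:
        findings.append("missing 'remote-cert-tls server': server EKU not checked")
    if "verify-x509-name" not in names:
        findings.append("missing 'verify-x509-name': server certificate name not checked")
    for directive, args in entries:
        # 'comp-lzo' alone or with yes/adaptive, and 'compress lzo|lz4', enable compression.
        if directive == "comp-lzo" and args in ("", "yes", "adaptive"):
            findings.append(f"'{(directive + ' ' + args).strip()}' enables compression")
        if directive == "compress" and args in ("lzo", "lz4", "lz4-v2"):
            findings.append(f"'compress {args}' enables compression")
        # Credentials saved in a file survive reboots and router config backups.
        if directive == "auth-user-pass" and args:
            findings.append(f"credentials stored in file {args!r}")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("missing 'auth-nocache': password kept in memory after use")
    return findings
```

Run `lint_config` on an exported .ovpn before loading it into the client; an empty result means the cert checks are present and compression is off.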