What's new
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Skeptical.me

Very Senior Member
Introduction

A few days ago I updated to 384.15_beta1.

Yesterday I reset my router to default factory settings.

I ran into an issue when setting up an OpenVPN Client and connecting to the server where the client hung with a "connecting..." status. I want to just point to a solution for anyone who reads this.

I also want to detail a fix for the "Public: unknown" issue when connecting to ExpressVPN.

Then I want to detail how to get Diversion working with ExpressVPN.

Firstly, I made sure "LAN" > "DNSFilter" was on and set to "Router".



ExpressVPN OpenVPN "connecting..." issue.

Issue:

When upgrading to Merlin 384.15 some people may run into an issue when adding an ExpressVPN .ovpn config file to a OpenVPN Client and then trying to connect to a server.

q1YqTEc.png


After importing the .ovpn config file and adding it to an OpenVPN client I tried to connect and then I found it just hung in place trying to connect. I couldn't figure out why it just hung in place, so I contacted ExpressVPN, sent them screenshots of my client settings, and they gave up trying after a while.

Solution:

What I, and they, didn't notice was that (for some reason) the "Verify Server Certificate" options weren't selected, neither option (Yes/No). So I selected "No" clicked "Apply" and then the client connected to the server. Hopefully if this occurs to someone here this will help.

oIOSZxi.png




"Public: unknown" OpenVPN ExpressVPN issue.

Issue:

zDBg1lJ.png


When adding some ExpressVPN Config files to an OpenVPN Client and connecting to the server a message may appear "Public: unknown", the client can't display the public IP address as it normally does.

As a result you may be unable to open websites.

Solution:

To overcome this you need to add the following code (at the very bottom of the code) to the "Custom Configuration" at the bottom of the Client settings page:

Code:
comp-lzo no
push "comp-lzo no"

Then set "Compression" to "Disabled"

Next, you should be able to connect and see the public IP address where the "Public: unknown" message was.



ExpressVPN, Netflix Proxy Warning, Policy Routing, DNS Leaks, and Diversion

Issues:

I first started using Merlin for the OpenVPN clients to watch Netflix (US), HULU, and Amazon Prime Video (US) from Australia.

Then I discovered Policy Routing and Diversion.

When using ExpressVPN from Australia it is important that both the (US) IP address and (US) DNS servers are used. If your real DNS leaks (or, say, Cloudflares DNS) you will get a proxy warning when attempting to stream video on Netflix, Hulu, and Amazon Prime Video.

When you use ExpressVPN with Policy Routing your DNS may leak and cause proxy warnings, and on top of this Diversion will not work (at first it may appear Diversion is still working but it appears to fail).

Solution:

If you want Diversion to work, and stream video proxy warning free, you cannot use Policy Routing, and you must configure your OpenVPN client as such (making sure "Accept DNS Configuration" is set to "Exclusive" as well as setting "Force Internet Traffic through Tunnel" to "Yes"):

XaE9Utz.png



ikgyNXa.png


If anyone has a solution to these issues I'll gladly add the solution to this post.
 
Last edited:
@Jack Yaz

Do you think I should verify the cert? I only selected "No" because other VPN providers don't and I've never noticed an ExpressVPN config include it. BUT I will contact Expressvpn and see what they say. I'll get back to you. Thanks for the heads up.
 
@Jack Yaz

Do you think I should verify the cert? I only selected "No" because other VPN providers don't and I've never noticed an ExpressVPN config include it. BUT I will contact Expressvpn and see what they say. I'll get back to you. Thanks for the heads up.
I deleted my post because it seems NordVPN also require No to verifying cert. So I'm not sure if it's needed. I would have thought certs should be verified to be truly secure!
 
I deleted my post because it seems NordVPN also require No to verifying cert. So I'm not sure if it's needed. I would have thought certs should be verified to be truly secure!

Thought the same thing. This is ExpressVPN's response ...

ntOoair.png
 
I'm on an asus RT-AC68U, merlin 384.14_2, with a pi-hole as DNS using unbound. Actually I used (without any problems) NordVPN but for some reasons I wanted to try ExpressVPN. I was running in the same issue as the OP.

For my setup I found a configuration that seems to work:

Upload form your ExpressVPN account the *.ovpn as choosen. Change following settings:

1. Accept DNS Configuration Strict
2. Force Internet traffic through tunnel Policy Rules (strict)
3. Block routed clients if tunnel goes down Yes

Leave rest as from *.ovpn uploaded.


Policy rules:

1. router 192.168.xxx.xxx 0.0.0.0 WAN
2. pi-hole 192.168.xxx.xxx 0.0.0.0 VPN
other clients ...


custom config:

fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
sndbuf 524288
rcvbuf 524288
comp-lzo no
push "comp-lzo no"
auth-nocache

For my setup this results for ExpressVPN in

- VPN IP
- no DNS leak
- no WebRTC Leak

for those clients which are forced through policy rules in the VPN device.

Hope this might help someone.

regards,
stefan
 
Thanks Stefan, your additional configs stopped my leakage. Expressvpn setup is missing a lot of stuff
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top