ExpressVPN on Merlin - Custom Configuration

[stochashtic]

[ASUS AC68U, Merlin 384.7_2]

The ExpressVPN instructions are misleading/incorrect with regards to Step 7: Custom Configuration.

https://www.expressvpn.com/support/vpn-setup/manual-config-for-asus-router-with-openvpn/

The default text that comes from the .ovpn file is required. I've experimented and using only the default text or appending the text from support page; both work. Using only the text (replacing) from the support page does not work - says "Connected (Local: 10.xx.x.xx - Public: unknown)" but with no internet.

Default text from .ovpn file:

fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
keysize 256
sndbuf 524288
rcvbuf 524288

Text from support page:

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
# log /tmp/vpn.log

Note there is some overlap between the two. I've seen no performance difference between using only the default text or appending the ExpressVPN text.

Note: for STOCK firmware, ExpressVPN does not suggest any extra custom configuration beyond the default text above. And it works fine.

I've advised ExpressVPN to update their support page. (Their online support had also told me to replace the custom configuration text.)

(The original reason I switched to Merlin from stock is because the vpn was slow, but Merlin did not improve this. However, I will stick with Merlin for kill-switch and general security.)

 

[Seth Harman]

[ASUS AC68U, Merlin 384.7_2]
(The original reason I switched to Merlin from stock is because the vpn was slow, but Merlin did not improve this. However, I will stick with Merlin for kill-switch and general security.)

Just FYI I've never found switching firmware to generally be helpful for speeding up a VPN connection. I recently switched to an Asus RT-AC86U which features a Broadcom chip that supports hardware encryption/decryption from an RT-AC3100 and the speed difference between the two using ExpressVPN is massive. With the AC3100 I used to top out at about 19Mbps, with the AC86U I usually sustain around 75Mbps.

 

[D_Day]

Just FYI I've never found switching firmware to generally be helpful for speeding up a VPN connection. I recently switched to an Asus RT-AC86U which features a Broadcom chip that supports hardware encryption/decryption from an RT-AC3100 and the speed difference between the two using ExpressVPN is massive. With the AC3100 I used to top out at about 19Mbps, with the AC86U I usually sustain around 75Mbps.

I’ve been using ExpressVPN for over a year on my AC68U, I max out around 22 and with QOS not working previously it made no sense to use openvpn. I use the app on my devices at the moment as the speeds are greater but I will be looking to purchase an 86U at some point.

 

[Seth Harman]

I’ve been using ExpressVPN for over a year on my AC68U, I max out around 22 and with QOS not working previously it made no sense to use openvpn. I use the app on my devices at the moment as the speeds are greater but I will be looking to purchase an 86U at some point.

I'm surprised manufacturers aren't pushing hardware encryption/decryption more, VPNs are really visible in the public eye right now. In the last week alone I think I've seen 10 TV commercials for NordVPN.

 

[RMerlin]

In the last week alone I think I've seen 10 TV commercials for NordVPN.

Tunnel providers advertise on TVs now? Damn, must be a more profitable business than I expected...

 

[unclebuk]

Hello,

You wrote:
"I've advised ExpressVPN to update their support page. (Their online support had also told me to replace the custom configuration text.)"

What should you replace the custom configuration with?

Thanks for pointing this out.

Regards,
bUk

 

[unclebuk]

ExpressVPN also states this on the Asus router Instructions for Asuswrt-Merlin OpenVPN configuration page:

"Scroll down to Advanced Settings. Set Accept DNS Configuration to Strict if you intend to use ExpressVPN on all devices connected to the router or Exclusive if you only intend to use ExpressVPN on select devices."

Is this not patently false as they are confusing DNS server settings with policy rules for client routing??

Pretty uninspiring tech support in my estimation.

 

[Seth Harman]

Tunnel providers advertise on TVs now? Damn, must be a more profitable business than I expected...

Yes, it's crazy, but it seems to be limited to NordVPN as I haven't see any from any of the other providers.

 

[Lt. Col. Obvious]

ExpressVPN also states this on the Asus router Instructions for Asuswrt-Merlin OpenVPN configuration page:

"Scroll down to Advanced Settings. Set Accept DNS Configuration to Strict if you intend to use ExpressVPN on all devices connected to the router or Exclusive if you only intend to use ExpressVPN on select devices."

Is this not patently false as they are confusing DNS server settings with policy rules for client routing??

Pretty uninspiring tech support in my estimation.

Heh, worse than that. They're now offering their very own ExpressVPN firmware for many routers. I tried the firmware for the RT-AC68U... the date on the inside shows 10/a/18, but it's a version of DD-WRT from 2/7/17. THey virtually cripple the router, it's worse in every way and loses several methods of connecting to the internet in the first place.

Their VPN service is great, but somehow they're completely retarded in every other way. When I was discussing the issue on their char this kid kept insisting it's an industry standard and no one would even look to see what the firmware they're replacing is capable of before replacing it or to mention the features customers will be losing if they actually install the trash.

 

[#TY]

I just contacted ExpressVPN support as well and asked them to update the info in Step 7 on their page:
https://www.expressvpn.com/support/vpn-setup/manual-config-for-asus-router-with-openvpn/

to the following:

fast-io
remote-random
pull
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
keysize 256
sndbuf 524288
rcvbuf 524288

 

[#TY]

UPDATE: Looks like ExpressVPN implemented the changes to the custom configuration text in their .ovpn files. I just download two new ones today and there it was. Yay!

Their website still shows the old/wrong info though.

 

[Lt. Col. Obvious]

I will give them that, they respond quickly to customer needs. Their customer service definitely beats out Sprint. And I can't really fault the service itself much either. I have 3 of their services roughly equidistant and all usually get me to 30-45Mb/s. I tried several services out and this was the one that most reliably slipped under Sprint's nose.

 

[#TY]

Curiosity question: when you choose a VPN connection:

- do you pick the VPN server closest to you, even if that server is in the same country you're in? (for speed)
or
- do you pick a server that is close but never in the same country you're in?

 

[RMerlin]

Curiosity question: when you choose a VPN connection:

- do you pick the VPN server closest to you, even if that server is in the same country you're in? (for speed)
or
- do you pick a server that is close but never in the same country you're in?

Depends on your needs. If you need to get around geoblocks, you will get a server in a different country for instance. If you just want to hide your IP from the target server, you would use whatever is fastest. And if you are paranoid about your government, you will pick one in some specific country you "trust" more than your own country...

 

[#TY]

This website offers some useful information that can assist those that were wondering as well.
What’s the Best Country to Connect to Using VPN?

 

[stochashtic]

UPDATE: Looks like ExpressVPN implemented the changes to the custom configuration text in their .ovpn files. I just download two new ones today and there it was. Yay!

Their website still shows the old/wrong info though.

Their .ovpn file always had this configuration. Nothing has changed (except you specified a different mssfix). The question was whether one needs to append the custom text in Step 7. As per my original post, it works the same whether using the .ovpn default or appending. If you replace as inferred, then it does not work. I am guessing the text in Step 7 achieves nothing and the config specified in the .ovpn is enough.

 

[stochashtic]

They have now updated STEP 7 on the webpage too. This used to be the text included in the .ovpn file so not sure why this step is needed at all.

Question: what difference does setting

mssfix 1200

versus

mssfix 1450

make? It used to be the latter; now it's the former as per @#TY suggestion.

Cheers