Netgate Discussion Forum
    Dual ExpressVPN failover - routing broken

    Category: OpenVPN
    1 post, 273 views

    4o4rh:
      I am using two ExpressVPN nodes in a gateway down fail-over mode, routing all my traffic over the VPN with exceptions going over the WAN. This config was working under 2.4.2 and 2.4.3 but since 2.4.4 has stopped working.

      I have established:

      • forcing one of the gateways down from the router menu does not fix the problem
      • disabling one of the clients solves the issue

      With a single client VPN,

      • it is possible to simply change the specified gateway for the rule and traffic happily switches between WAN and VPN.
      • all functions and programs work.
      • all clients (Android, Windows, etc.) function correctly

      With dual VPN clients,

      • routing correctly passes through the specified gateway, or the correct gateway pool with tracert
      • http/s both work for normal browsing.
      • there are intermittent problems with POP/SMTP connections to Google
      • Ubuntu and Debian Linux updates are not reachable for local servers, and work with the default servers at significantly reduced bandwidth (interestingly, some sites in the list resolve, others appear not to)

      The server uses the following push values:

      PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.156.0.1,comp-lzo no,route 10.156.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.156.0.30 10.156.0.29,peer-id 11'
      

      Custom options I have used are:

      pull-filter ignore "dhcp-option DNS ";   # required to remove push errors in the log
      pull-filter ignore "route ";             # required to remove push errors in the log
      pull-filter ignore "redirect-gateway ";  # required to remove push errors in the log
      pull-filter ignore "topology net30";
      resolv-retry infinite;
      persist-key;
      persist-tun;
      remote-random;
      tls-client;
      verify-x509-name Server name-prefix;
      remote-cert-tls server;
      key-direction 1;
      route-method exe;
      route-delay 2;
      tun-mtu 1500;
      fragment 1300;
      mssfix 1450;
      auth-nocache;


      don't pull routes = checked
      don't add routes = unchecked
      UDP fast I/O = checked

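As an added example (not code from the post, nor from pfSense or OpenVPN), the following Python reproduces how the OpenVPN client applies the post's four pull-filter rules to the PUSH_REPLY quoted above: each pushed option is compared against the rule text by prefix, the first matching rule decides, and an option that no rule matches is accepted. The PUSH_REPLY string and the filter list are taken from the post; the EXTRA_OPTIONS list and the reject case are constructed here to show why the trailing space in "route " matters (it keeps the rule from also swallowing route-gateway).

```python
"""Apply OpenVPN pull-filter rules to a PUSH_REPLY the way the client does.

Added example; not code from the forum post or from pfSense/OpenVPN. The
PUSH_REPLY text and the filter list are copied from the post. EXTRA_OPTIONS
is constructed here to illustrate the prefix-match edge case.
"""
from typing import Dict, List, Tuple

# PUSH_REPLY control message exactly as quoted in the post.
PUSH_REPLY = (
    "PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.156.0.1,comp-lzo no,"
    "route 10.156.0.1,topology net30,ping 10,ping-restart 60,"
    "ifconfig 10.156.0.30 10.156.0.29,peer-id 11"
)

# The four pull-filter rules from the post's custom options, in order.
# OpenVPN compares each pushed option with the rule text by prefix, applies
# the first rule that matches, and accepts the option if no rule matches.
PULL_FILTERS: List[Tuple[str, str]] = [
    ("ignore", "dhcp-option DNS "),
    ("ignore", "route "),
    ("ignore", "redirect-gateway "),
    ("ignore", "topology net30"),
]

# Constructed pushed options (not from the post) used to show that the
# trailing space in "route " matters: "route-gateway" is a different option.
EXTRA_OPTIONS = ["route-gateway 10.156.0.29", "route 10.0.0.0 255.0.0.0"]


def parse_push_reply(msg: str) -> List[str]:
    """Split a PUSH_REPLY control message into its comma-separated pushed options."""
    if not msg.startswith("PUSH_REPLY"):
        raise ValueError("not a PUSH_REPLY message")
    return [opt.strip() for opt in msg.split(",")[1:] if opt.strip()]


def apply_pull_filters(options: List[str],
                       filters: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group pushed options by outcome: accepted, ignored or rejected.

    A 'reject' rule mirrors OpenVPN aborting the session on the first
    rejected option, so nothing after it is processed.
    """
    result: Dict[str, List[str]] = {"accepted": [], "ignored": [], "rejected": []}
    for opt in options:
        action = "accept"  # default when no rule matches
        for rule_action, prefix in filters:
            if opt.startswith(prefix):
                action = rule_action
                break
        if action == "reject":
            result["rejected"].append(opt)
            break
        result["ignored" if action == "ignore" else "accepted"].append(opt)
    return result


def effective_push(msg: str = PUSH_REPLY,
                   filters: List[Tuple[str, str]] = PULL_FILTERS) -> List[str]:
    """The pushed options that survive the filters, i.e. what the client applies."""
    return apply_pull_filters(parse_push_reply(msg), filters)["accepted"]


def route_prefix_difference() -> Tuple[List[str], List[str]]:
    """Options ignored by 'route ' (with space) versus 'route' (no space)."""
    with_space = apply_pull_filters(EXTRA_OPTIONS, [("ignore", "route ")])["ignored"]
    without_space = apply_pull_filters(EXTRA_OPTIONS, [("ignore", "route")])["ignored"]
    return with_space, without_space


if __name__ == "__main__":
    outcome = apply_pull_filters(parse_push_reply(PUSH_REPLY), PULL_FILTERS)
    for kind, opts in outcome.items():
        for opt in opts:
            print(f"{kind:9s} {opt}")
    print("route-prefix difference:", route_prefix_difference())
```

With the post's rules, only comp-lzo, ping, ping-restart, ifconfig and peer-id reach the client; redirect-gateway, the pushed DNS server, the pushed route and topology are dropped before OpenVPN evaluates them. That ordering is what makes the filters useful alongside pfSense's "Don't pull routes" checkbox: that checkbox sets route-nopull, under which the client refuses pushed route, redirect-gateway and dhcp-option lines and logs an error for each, whereas an ignore filter discards the line silently first.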
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.