Great info! Thanks!
Just to clarify: you said 'On a previous trip, it worked well for a few days and suddenly became very erratic and I had to use US access points for it to work again". Do you mean that the access points that you normally use (HK2 and Taiwan) were erratic, but that the US Access Points (STILL using ExpressVPN ) were ok. Just trying to ascertain that it was the access points (but not ExpressVPN in general) that got “fussy”.
Correct, yes. I still got usable connections with other access points from ExpressVPN. However, be prepared for surprises at all times. The authorities are constantly trying to limit or slow down VPN connections; this could at any time also affect whatever ExpressVPN are doing to make it work rather well currently.
Thanks for helping. Yes, China GFW always a challenge. My guys there have used ExpressVPN for many years with great results. While it is always a cat/mouse as you say, ExpressVPN seems to be the most consistent and acts quickly to adjust when China specific/GFW connection issues occur. They are also the most responsive VPN Service I have ever used (I am in the Security Software field). They are the only VPN provider that I know of who has 24x7 online chat that actually answers and is helpful. I highly recommend them for anyone (and now, thanks to you, for GLI users), who need VPN in China. (Their performance in other parts of the world are similar; if a VPN can perform in China, it can perform anywhere. 
If anyone has other questions about VPN use in China (either with or without GLI) feel free to ask. I can also respond to questions re: other VPN providers in China, as my field people there have tested most of the major ones. (and thanks again to khaberz for your great input and ongoing participation).
lstevens: If you can find out how to get or create an .ovpn for Honkong4, that would be great Their support just told me they don’t have one and I need to try the other access points. A real pity, as HK4 is by far the fastest and most reliable one…
I spoke w/my tech contact there…apparently the issue isn’t the lack of the .ovpn file. The reason HK4 is more reliable/faster is because of the proprietary methods are is baked into their proprietary software (and interface with software on HK4). Without that software, HK4 is no different from their other servers. So, that’s why they just reserve that server for users of their proprietary software. Even if they supplied a .ovpn file for HK4, it wouldn’t make a difference. There IS a solution (but not for GLI routers): You can buy one (or if you already have one) of the model routers that will run their proprietary router software (listed on their website). If you do that, than all servers (including HK4) are available, since the router software they provide has the proper encryption/hooks for the special servers.
Ah, Got it. That does make sense. Thanks a lot for the information, lstevens!
Anyway, they don’t allow Netflix from HK4 even from desktop. I think they want to reserve it for “mission critical” applications.
For others reading this thread, ExpressVPN is one of a dwindling number of VPNs that supports BOTH BBC Iplayer and Netflix. Like the GFC, both BBC and Netflix are constantly adjusting their systems to identify and block VPNs.
I used my office router as VPN server and it works in China most of the time.
But sometimes it just cannot connect for bad luck.
Several weeks ago I configured ExpressVPN on AR300M. I failed to do it with .ovpn file they provided on their site, just uploading it to GL-inet web interface didn’t work. So I disabled all vpn services that gl-inet has (vpn-service and startvpn) and enabled pure openvpn service instead. After that uploaded to router .crt, key files, auth file with username and password. Via command ssh line added vpn interface:
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci set network.vpn0.auto=1
Then added firewall zone for vpn:
uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=REJECT
uci set firewall.vpn.output=REJECT
uci set firewall.vpn.forward=ACCEPT
uci set firewall.vpn.masq=1
Then applied modifications:
uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload
Then modified /etc/config/openvpn file this way:
config openvpn ‘myvpn’
option enabled ‘1’
option dev ‘tun’
option proto ‘udp’
option verb ‘3’
option log ‘/var/log/openvpn.log’
option pull ‘1’
option port ‘1195’
option client ‘1’
option nobind ‘1’
option persist_tun ‘1’
option persist_key ‘1’
option comp_lzo ‘no’
option tun_mtu ‘1500’
option mssfix ‘1450’
option fragment ‘1300’
option keepalive ‘10 60’
option resolv_retry ‘infinite’
option reneg_sec ‘0’
option mute_replay_warnings ‘1’
option auth ‘SHA512’
option cipher ‘AES-256-CBC’
option auth_user_pass ‘/etc/openvpn/expressvpn/auth’
option fast_io ‘1’
option sndbuf ‘524288’
option rcvbuf ‘524288’
option ns_cert_type ‘server’
option keysize ‘256’
option ca ‘/etc/openvpn/expressvpn/ca2.crt’
option cert ‘/etc/openvpn/expressvpn/client.crt’
option key ‘/etc/openvpn/expressvpn/client.key’
option tls_client ‘1’
option tls_auth ‘/etc/openvpn/expressvpn/ta.key 1’
option key_direction ‘1’
option remote ‘belgium-ca-version-2.expressnetw.com 1195’
option remote ‘switzerland-2-ca-version-2.expressnetw.com 1195’
option remote_random ‘1’
(option remote_random feature for some reason not working and I connect always via last line remote server)
Then changed in luci web interface firewall settings - removed lan - wan forwardings, instead added lan - vpn forwardings. Rebooted router.
The only strange thing with GL-inet routers that I also need to execute restarting firewall command, without it - it do not work , so I also added command to rc.local:
/etc/init.d/firewall restart
It is not specific to vpn service, with my own vpn server, I also need to restart firewall for some reason. If I use another OpenWRT router without gl-inet web interface - it work without firewall restart.
The connection seems relatively reliable, about 7-8 Mbps, but once in several days it happen that internet connection breaks and I need to ssh to router and execute /etc/init.d/firewall restart (or just reboot it)
If someone knows why this happening (firewall feature) that would be great if you let me know. Maybe because there are some custom gl inet firewall rules, but I really like configuring vpn via direct config file modification instead of uploading ovpn, so has to disable all their vpn services.