No VPN connection on GL-MT2500 with certain ExpressVPN configuration files

Since firmware versions 4.5.0 and 4.5.16, the GL-MT2500 has problems establishing a connection with certain ExpressVPN configuration files, e.g. the configuration file for Bosnia and Herzegovina. It works with other country configurations such as Croatia.

Please solve the problem and issue a new firmware.

Sun Apr 14 19:58:55 2024 daemon.notice ovpnclient[1849]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Apr 14 19:58:55 2024 daemon.notice ovpnclient[1849]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Apr 14 19:58:55 2024 daemon.err ovpnclient[1849]: RESOLVE: Cannot resolve host address: bosniaandherzegovina-ca-version-2.expressnetw.com:1195 (Name does not resolve)
Sun Apr 14 19:58:55 2024 daemon.err ovpnclient[1849]: RESOLVE: Cannot resolve host address: bosniaandherzegovina-ca-version-2.expressnetw.com:1195 (Name does not resolve)
Sun Apr 14 19:58:55 2024 daemon.warn ovpnclient[1849]: Could not determine IPv4/IPv6 protocol
Sun Apr 14 19:58:55 2024 daemon.notice ovpnclient[1849]: SIGHUP[soft,init_instance] received, process restarting
Sun Apr 14 19:58:55 2024 daemon.notice ovpnclient[1849]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Apr 14 19:58:55 2024 daemon.notice ovpnclient[1849]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
Sun Apr 14 19:58:55 2024 daemon.notice ovpnclient[1849]: Restart pause, 5 second(s)
Sun Apr 14 19:59:00 2024 daemon.warn ovpnclient[1849]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sun Apr 14 19:59:00 2024 daemon.warn ovpnclient[1849]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 14 19:59:00 2024 daemon.notice ovpnclient[1849]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Apr 14 19:59:00 2024 daemon.notice ovpnclient[1849]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Apr 14 19:59:00 2024 daemon.err ovpnclient[1849]: RESOLVE: Cannot resolve host address: bosniaandherzegovina-ca-version-2.expressnetw.com:1195 (Name does not resolve)
Sun Apr 14 19:59:00 2024 daemon.err ovpnclient[1849]: RESOLVE: Cannot resolve host address: bosniaandherzegovina-ca-version-2.expressnetw.com:1195 (Name does not resolve)
Sun Apr 14 19:59:00 2024 daemon.warn ovpnclient[1849]: Could not determine IPv4/IPv6 protocol
Sun Apr 14 19:59:00 2024 daemon.notice ovpnclient[1849]: SIGHUP[soft,init_instance] received, process restarting
Sun Apr 14 19:59:00 2024 daemon.notice ovpnclient[1849]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Apr 14 19:59:00 2024 daemon.notice ovpnclient[1849]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
Sun Apr 14 19:59:00 2024 daemon.notice ovpnclient[1849]: Restart pause, 5 second(s)

The DNS name of the server does not resolve. So either it’s blocked by your ISP's DNS or ExpressVPN made a mistake.

Either way, not a firmware bug.

1 Like

I don’t think so, because there is also a mobile phone app for ExpressVPN. When I disable mobile data and use my Wi-Fi home network (the same network as the router), it connects to the VPN, so there is no block from the ISP.

In that case your DNS on the router seems to not work correctly.

1 Like

That may very well be the case, and the problem has emerged since firmware v4.5.0, so the developers should be able to fix it.

Furthermore, changing the DNS to manual and OpenDNS in settings does not work.

The DNS in your log does not resolve worldwide. It means that the VPN servers are not available.

Can you be a bit more specific about how you come to the conclusion that my DNS does not resolve worldwide? Regarding your screenshot I see that you used the name of the configuration file for a propagation check but I am not sure that is a valid way to check because the actual configuration data is in the file, not in the name of the file. Do you really suspect ExpressVPN to not propagate their Domain Names to the usual DNS servers?

I also tried with Google DNS in the settings (that should resolve everything), but it throws the same error. Why do you think it worked with firmware below 4.5.0 but not with firmware equal to or above 4.5.0?
Most likely, this has nothing to do with the VPN or network provider but with a misconfiguration in the GL-MT2500 firmware.

The domain is from your log, not file name.

So it seems that the ovpn files you download are old and not valid anymore.

1 Like
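The last reply points out that the failing hostname comes from the log, which OpenVPN takes from the profile's `remote` directive. As an added example (not posted by anyone in the thread, and not GL.iNet or ExpressVPN code), this shell script pulls the `RESOLVE` failures out of an ovpnclient log and lists which `remote` entries of a given profile they correspond to. The function names, the temporary files and the `vpn.example.net` entry are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): match RESOLVE failures to profile remotes.

# Log on stdin -> unique host:port values OpenVPN could not resolve.
failed_hosts() {
    sed -n 's/.*RESOLVE: Cannot resolve host address: \([^ ]*\) .*/\1/p' | sort -u
}

# .ovpn profile on stdin -> host:port of each "remote" directive.
# Strips CR from CRLF-saved profiles; 1194 is OpenVPN's default port.
config_remotes() {
    tr -d '\r' | awk '$1 == "remote" && NF >= 2 { print $2 ":" (NF >= 3 ? $3 : "1194") }' | sort -u
}

# $1 = log file, $2 = profile. Prints the profile's remotes that failed to
# resolve; returns 0 if there is at least one, 1 if there are none.
unresolved_remotes() {
    ur_tmp=$(mktemp) || return 2
    failed_hosts < "$1" > "$ur_tmp"
    config_remotes < "$2" | grep -Fx -f "$ur_tmp"
    ur_rc=$?
    rm -f "$ur_tmp"
    return "$ur_rc"
}

# Constructed sample data: two log lines copied from the post, and a
# small profile whose second remote (vpn.example.net) is a placeholder.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/log" <<'EOF'
Sun Apr 14 19:58:55 2024 daemon.err ovpnclient[1849]: RESOLVE: Cannot resolve host address: bosniaandherzegovina-ca-version-2.expressnetw.com:1195 (Name does not resolve)
Sun Apr 14 19:58:55 2024 daemon.warn ovpnclient[1849]: Could not determine IPv4/IPv6 protocol
EOF
    printf 'client\r\nremote bosniaandherzegovina-ca-version-2.expressnetw.com 1195\r\nremote vpn.example.net\r\n' > "$d/profile.ovpn"
    unresolved_remotes "$d/log" "$d/profile.ovpn"
    demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

demo
```

A non-empty result means the name that fails is one the imported profile itself asks for, so comparing it against a freshly downloaded profile shows whether the provider has changed the hostname.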