Problem with openVPN/ExpressVPN

Routers VPN, DNS, Leaks
1

Hi, I've a problem with OpenVPN/ExpressVPN on my GLNet Spitz GL-X750 router connected to a camera security system. For reasons that I don't understand, too often the VPN crashes, interrupting internet. Making it impossible to access the cameras. So I would need to know, in a simple way because I'm not very practical, how to set up my ExpressVPN installed through OpenVPN so that it doesn't block internet traffic even if the VPN service crashes or doesn't work. Thank you.

2

Hi,

  1. Please share the issue syslog with us, when the OpenVPN client (connects to the Express VPN) down or crash.
  2. If connected to Express VPN, and what operation to do to cause VPN connection drops?
  3. On the default VPN settings, when the router enabled VPN client and connects to VPN server, all traffic will go to VPN. When a VPN is disconnected, the router blocks all traffic to ensure that traffic is not leaked to the WAN.
    For your requirement, you can select the VPN policy mode to "VPN Policy Based on the Client Device" and "do not use VPN", and add the device "camera system". In this case, others client devices still will go to VPN, and the camera will go to WAN.
    image
    image1315×793 51.8 KB
4

Hi and thank you for your reply. As I wrote at the beginning of the post I'm not familiar with VPN. I will try to answer you anyway. I restarted the whole procedure from the beginning (Photo 1),

Configurazione di Partenza
Configurazione di Partenza1280×678 54.8 KB

I started the VPN and I did not encounter any problems (Photo 2).

VPN Attivo
VPN Attivo1280×679 59.9 KB

And this is the log.

Blockquote
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: OPTIONS IMPORT: adjusting link_mtu to 1629
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: OPTIONS IMPORT: data channel crypto options modified
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: net_route_v4_best_gw query: dst 0.0.0.0
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: net_route_v4_best_gw result: via 10.168.103.220 dev wwan0
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: TUN/TAP device ovpnclient opened
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: net_iface_mtu_set: mtu 1500 for ovpnclient
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: net_iface_up: set ovpnclient up
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: net_addr_v4_add: 10.88.0.28/16 dev ovpnclient
Tue May 13 18:40:30 2025 daemon.notice ovpnclient[17083]: /etc/openvpn/scripts/ovpnclient-up ovpnclient 0 ovpnclient 1500 1629 10.88.0.28 255.255.0.0 init
Tue May 13 18:40:31 2025 user.notice ovpnclient-up: env value:route_vpn_gateway=10.88.0.1 X509_0_emailAddress=support@expressvpn.com daemon_log_redirect=0 X509_1_emailAddress=support@expressvpn.com script_type=up proto_1=udp daemon=0 SHLVL=1 foreign_option_1=dhcp-option DNS 10.88.0.1 dev_type=tun remote_1=italy-cosenza-ca-version-2.expressnetw.com dev=ovpnclient X509_0_CN=Server-11010-0a X509_0_C=VG remote_port_1=1195 X509_1_CN=ExpressVPN CA X509_1_C=VG ifconfig_netmask=255.255.0.0 tls_digest_sha256_0=ac:60:ca:79:64:9f:d2:25:69:24:12:23:03:98:22:63:cd:2b:4c:6e:ec:48:34:37:d3:02:4c:45:7c:d0:c2:a4 daemon_start_time=1747154428 script_context=init ifconfig_local=10.88.0.28 common_name=Server-11010-0a tls_digest_sha256_1=c7:aa:a9:c1:55:9d:e2:34:dc:2b:09:86:b1:81:b0:a6:95:59:5e:18:e1:e9:57:ac:14:7d:b0:c7:88:39:71:54 verb=3 link_mtu=1629 X509_0_O=ExpressVPN trusted_ip=213.21.226.22 tls_serial_hex_0=0f:a2:05 X509_1_O=ExpressVPN tun_mtu=1500 tls_serial_hex_1=01 trusted_port=1195 tls_id_0=C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=
Tue May 13 18:40:32 2025 daemon.notice netifd: ovpnclient (17083): sh: 1: unknown operand
Tue May 13 18:40:35 2025 daemon.notice netifd: Interface 'ovpnclient' is now up
Tue May 13 18:40:35 2025 daemon.notice netifd: Network device 'ovpnclient' link is up
Tue May 13 18:40:39 2025 daemon.warn ovpnclient[17083]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue May 13 18:40:39 2025 daemon.notice ovpnclient[17083]: Initialization Sequence Completed
Tue May 13 18:40:41 2025 user.notice mwan3[17540]: Execute ifup event on interface ovpnclient (ovpnclient)
Tue May 13 18:40:41 2025 user.notice mwan3[17540]: Starting tracker on interface ovpnclient (ovpnclient)
Tue May 13 18:40:47 2025 user.notice firewall: Reloading firewall due to ifup of ovpnclient (ovpnclient)

5

What I would like to do is leave the VPN as it is now but prevent it, in the event of a crash, from blocking the entire internet connection and consequently the cameras.

6

You can switch to the "Based on the client device" mode and set the camera to "do not use VPN", so that when the VPN client is down, the camera is still available to access because the camera goes to WAN.

PS. in v4.7 and earlier, killswitch cannot be enabled at the same time if the VPN policy is based on client device, since killswitch will block non-VPN traffic.