Setting up expressvpn


ExpressVPN setup by beginner for beginners

Section 1 – Setting up the OpenVPN / ExpressVPN interface
First, do some initial setup and planning:

  1. Prepare for logging/troubleshooting of firewall rules:
    I recommend turning on logging for ALL firewall rules that are present (I also recommend turning on logging for all rules that you create). Pick a standard format for the descriptions on any rules that you create, something like “myrule-[Interfacename]allow” or “myrule-[Interfacename]block”. When looking at the system logs for the firewall, this will allow you to figure out which rules are driving which behavior.
  2. Prepare for monitoring of the VPN connection:
    a. Get the ExpressVPN id and password that you need to use. Go to the following site and sign into your account.
    https://www.expressvpn.com/setup#manual
    b. Pick an ExpressVPN site/server you’re going to use for the pfsense OpenVPN connection/VPN tunnel.
    c. Once you’ve picked this, download the .OVPN file for the server you’re going to use. Then open the file and get the host/server name from inside the file. Then do a ping on this server. You’ll need this later when setting up the “monitor IP” for the ExpressVPN gateway that will be created. You can do the ping from inside the pfsense if you want using Diagnostics > Ping.

Example for the ExpressVPN Dallas server:

>ping usa-dallas-xxxxx.xxxxxx.com
Pinging usa-dallas-xxxxx.xxxxxx.com [xx.xxx.xxx.xx]

  1. Now pick some ExpressVPN DNS server IP addresses to use as your DNSes:
  • If you’re setting up a VPN Tunnel to ExpressVPN, you already have an ExpressVPN account. If you have an account, you also can use the client VPN application to start a VPN connection from a PC or other device.
    • Use the client application to set a connection to a location whose DNS you want to use as your DNS on your firewall OpenVPN connection.
    • Use the ExpressVPN web page to identify the DNS server(s) for that location (pick one or more IP addresses. I recommend saving them into a file from which you can copy later).
      https://www.expressvpn.com/dns-leak-test
    • Note: since you can set up a list of multiple DNS servers in pfsense, you might want to repeat steps a and b with other locations to get a list of DNS servers from multiple ExpressVPN locations.
      Once you have gathered this information, stop the VPN client connection. For me, if I have the VPN client running, I cannot access the pfsense WebConfigurator.

    c. In your pfSense firewall Web Configurator, go to System > General Setup and change your DNS Servers to use one or more of these ExpressVPN DNS servers as the DNS used by the firewall. This will make sure you’re not using any public DNS.

    • Note: if you’re setting up other LANs or VLANs, each DHCP setup can hold up to 4 DNSes so you may need these DNS IP addresses again later. Review your DHCP Server groups under Services > DHCP Server and see if you want to switch any of them to use the Express VPN DNS servers.
    1. Install some helpful packages on your pfsense
      Using the openvpn client importer will save some work when setting up the certificate and certificate authority later.
      a. System > Package Manager > Available Packages > openvpn-client-import
      b. System > Package Manager > Available Packages > openvpn-client-export

    123123 @123123
    edited by 123123
    placeholder. I’m combining things above now that the spam checker will let me.
    123123 @123123
    edited by 123123

    • I initially used the ExpressVPN setup guide and some other posts on the forum to figure this out. Here’s the guide from ExpressVPN, but it seems a bit old; some things seem to be out of date.
    • This guide contains what I believe are the bare minimum number of changes required at this time to get a working ExpressVPN tunnel in place after importing a standard .OVPN file, particularly in the “custom options” section you’ll see below. I’m not an expert so there could be other things that would be recommended in order to optimize behavior or maximize performance.
    1. If you have not already, download the .OPVN file for the location you’re going to use for your tunnel from https://www.expressvpn.com/setup#manual
    2. On your pfsense, go to VPN > OpenVPN > Client Import
      • Note: if you don’t have this “Client Import” option, you need to install the package for this from “System > Package Manager > Available Packages > openvpn-client-import”
      • select the .OVPN config file you downloaded, choose “Peer to Peer (SSL/TLS)”, choose the interface to use when creating the VPN tunnel, enter the userid and password from the “Manual setup” page on the ExpressVPN site, fill out any other fields, and click Import.
        This should have created:
      • A new Certificate Authority under System > Certificate Manager > CAs
      • A new Certificate under System > Certificate Manager > CAs
      • A new Client under VPN > OpenVPN > Clients
    3. At any point in time, if you want to see what the issues are with the set-up of the import of the “off the shelf” .OVPN file or after you make some changes, you can first go to Status > OpenVPN, try to start the connection (play icon), then go to Status > System Logs > OpenVPN, go to the bottom of the log, and read through the log entries. You can also change the verbosity settings on the OpenVPN client to see more detail or less detail in the log.

    123123 @123123
    edited by 123123

    1. We need to resolve the issues with the .OVPN import by adjusting the OpenVPN client details
      • Go to VPN > OpenVPN > Clients, and click on the newly created client (should be the bottom one in the list), and edit it (click the pencil icon).
      • Find the “Server Certificate Key Usage Validation” option and check “Enforce key usage”
      • Find the “Don’t pull routes” option and check it (not 100% sure this is required)
      • Find the “Don’t add/remove routes” option and check it (not 100% sure this is required)
      • Find the “Pull DNS” option and check it (not 100% sure this is required)
      • Find the “Compression” option and change it to “Adaptive LZO Compression”
      • Modify the “Custom Options” field:
        • remove the “keysize 256” line
        • change the line “ns-cert-type server” to “remote-cert-tls server”
        • add a line at the end “auth-nocache” (without this I would see warnings in the log about things possibly being cached.)
        • add a line at the end “persist-key”
        • add a line at the end “persist-tun”
        • (be sure to not have any blank lines at the end of the field)
      • Find the “Gateway Creation” option and set it to “IPv4 only”

    NOTE – this is my resulting Custom Options:
    persist-key
    persist-tun
    remote-random
    tls-client
    verify-x509-name Server name-prefix
    remote-cert-tls server
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1200
    sndbuf 524288
    rcvbuf 524288

    • Find the “Verbosity level” and set it to 5 (this changes the level of detail you will see in Status > System Logs > OpenVPN). Try different settings to find the level of detail that works for you. The ExpressVPN guide recommends 3, but I like what 5 shows in the log.
    1. Click Save
    2. Go to Status > OpenVPN and start or restart the client you created.
      With luck, the status should show as “Connected (success)” or “Up”

    Enable the new interface / gateway in pfsense

    1. Go to Interfaces > Assignments. On the new row at the bottom, in the dropdown list select the client you just set up and click the “+ Add” button and click Save.
    2. Go to the Interfaces menu and click the name of the interface you just created.
    3. Check the “Enable Interface” checkbox and click “Save”. Then click “Apply Changes”.

    Set up the Gateway monitor

    1. Go to System > Routing > Gateways
    2. Edit the gateway (click the pencil icon) for the row interface you just created
    3. In the “Monitor IP” field, enter the IP address for the ExpressVPN server that you gathered by pinging the name of the server listed in the .OVPN file.
    4. Click Save then click “Apply Changes”
    • Now when you go to the pfsense main Web Configurator page or Status > Gateways, you should see an accurate status for the new ExpressVPN gateway.

    123123 @123123
    edited by 123123

    • The ExpressVPN manual setup documentation describes this process if my text-only descriptions are unclear.
    1. Go to Firewall > NAT > Outbound
    2. For the “Mode” field, select the radio button for “Manual Outbound NAT rule generation. (AON – Advanced Outbound NAT)”
      Click the “Save” button under the Mode field.
    3. For all existing WAN NAT rules, use the copy option (double page icon) to replicate the rule. Modify the resulting new rule setting the “Interface” field to the new ExpressVPN interface that you set up and click Save.
      Do this for all existing WAN outbound NAT rules.
    4. Click “Apply Changes”

    123123
    edited

    1. https://www.expressvpn.com/what-is-my-ip
      • it should show the location of the ExpressVPN server for which you configured the OpenVPN client
    2. https://www.expressvpn.com/dns-leak-test
      • it should show no DNS leaks detected
    3. https://www.expressvpn.com/webrtc-leak-test
      • it should show no WebRTC leaks detected
    4. Check other web sites. Pages should load successfully

    123123
    edited by 123123

    • You can still run any VPN client (ExpressVPN application) software on your devices that are connecting through the pfsense firewall. HOWEVER – YOU MAY NOT BE ABLE TO ACCESS THE PFSENSE WEB CONFIGURATOR IF YOU DO THIS. If you cannot access the Web Configurator, make sure you disable/stop the VPN client software on your device and then try again to use the Web Configurator/pfsense IP address.

    I recommend staying with this step and not continuing until you have the ExpressVPN configuration and any networks/VLANs/firewall rules working the way you want things to work.

    • If things aren’t working the way you want, I recommend changing all the firewall rules that you can to have “logging” turned on. Then use Status > System Logs > Firewall to try to understand what is going on due to the firewall rules and make adjustments. If there’s a rule that is filling up your logs then make any firewall rules/setting changes (if needed), refresh the log view, and once you’re confident that the rule is behaving correctly, turn off the logging for that rule.

    !!Once you get things working the way you want, take a backup of this setup before you continue.

    1. Go to Diagnostics > Backup & Restore and create a backup file for your settings.

    123123
    edited by 123123

      I set this up by following the video linked here. If you’re having issues with the floating firewall/”kill switch” rule, cross-reference settings against the video from Lawrence Systems.
      Youtube Video
    1. Go to Firewall > Rules > LAN
    2. Click the “Add” button with the up arrow
    3. Fill out the options:
      • Action: Pass
      • Interface:
      • Address Family: IPv4
      • Protocol: any
      • Source: choose “Single host or alias” enter the IP address of any devices/networks that will use the VPN tunnel. If you have all devices on 1 network/subnet, you can enter that. If you have multiple networks/subnets, either create multiple rules or create an alias under “Firewall > Aliases” and use that alias on this rule
      • Destination: *
      • Log: (I recommend checking this initially so you can confirm the rule behavior is working)
      • Description: give it a name that is easy to pick out of a log (recommend starting with a standard unique word), like “myrule-allow ExpressVPN devices and tag”
      • Click the “Display Advanced” button
      • Tag: enter a value to be used to tag VPN packets. Maybe “tagvpn”
      • Gateway:
    4. Click Save
    5. Click “Apply Changes”

    Repeat creating this rule for any LAN, OPT, or VLAN Interfaces in pfsense that you are going to route through the ExpressVPN tunnel.

    Add Kill Switch Floating Firewall rule

    The intent of this rule is to prevent your tagged packets (from the OpenVPN interfaces) from going out over the normal WAN. You want them to only go out of your firewall over the ExpressVPN interface.

    1. Go to Firewall > Rules > Floating
      Click the “Add” button with the up arrow to add this as the first rule.
      • Action: Block
      • Interface: WAN
      • Address Family: IPv4
      • Protocol: any
      • Source: any
      • Destination: any
      • Log: check this box so the log will capture any traffic being blocked by this rule.
      • Description: give it a name that is easy to pick out of a log (recommend starting with a standard unique word), like “myrule-block tagged traffic from using WAN to access internet”
      • Click the “Display Advanced” button
      • Tagged: enter the same tag value that you used to tag packets on your OpenVPN rule.
    2. Click Save
    3. Click “Apply Changes”

    Stay with this step and do not continue until you have your networks/VLANs/firewall rules working the way you want things to work.

    • If things aren’t working the way you want, I again recommend changing all the firewall rules that you can to have “logging” turned on. Then use Status > System Logs > Firewall to try to understand what is going on and make adjustments.

    !!Once you get things working the way you want, take a backup of this setup before you continue.

    1. Go to Diagnostics > Backup & Restore and create a backup file for your settings.

    !!Check MBUF Usage as an indicator of proper functioning!!
    (update from July 2023)
    After some time I was having issues with MBUF Usage (shown on the front page of the WebGUI) growing very quickly and things generally were not working well. Web pages would load sometimes, other times not, and I would have to restart the firewall when it filled up all the MBUF. I even added a custom parameter for MBUF allocation and gave it a large value, but there was obviously a problem as I could watch the number go up by 1000+ every time the front page refreshed. I found a post that led me to believe it was something in my OpenVPN client set up. I wish I was able to tell you exactly which change I made fixed the issue, but so far I have not been able to recreate the issue by trying to put things back the way they were. But if you have this issue, it seems it is most likely related to a setting in your OpenVPN client.

    123123
    edited by 123123

    The End (sorry for all the self-replies and bad links; the spam filter is not happy with me). I’ll try to clean it up later when my reputation score improves. Correction: I won’t be able to edit it due to the 1 hour edit time limit.

    wendellkbest @123123
    edited

    @123123 The “openvpn-client-import” package is no longer available. Do you have any instructions for entering the settings manually? Would also help to give details on the Custom Options

    Gertjan @wendellkbest
    edited by Gertjan

    Would also help to give details on the Custom Options

    Right now, I’ve a connection to expressvpn with this very minimal:
    [screenshot]
    as these 3 settings do not exist in the pfSense GUI, but they are needed (I guess) when using ExpressVPN. Without them: failure to connect. I’ve removed all other proposed custom options. Also, I’ve set “compression” to ‘no’:
    [screenshot]
    but the more future proof:
    [screenshot]
    also seems to work.
    [screenshot]
    I can ping test using my EXPRESSVPN interface:
    [screenshot]
    and the OpenVPN client: Express VPN interface:
    [screenshot]
    Note: I didn’t test any routing at this moment, as I use the client VPN only ‘when really needed’. Also: The pfSense GUI is only, as usual, the front end.
    pfSense uses the classic openvpn binaries and configuration files. My /var/etc/openvpn/clientx/config/opvn (x can be 1, 2 etc) looks like this right now:

    dev ovpnc3
    disable-dco
    verb 3
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_client3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.10.4
    engine rdrand
    tls-client
    lport 0
    management /var/etc/openvpn/client3/sock unix
    remote france-strasbourg-ca-version-2.expressnetw.com 1195 udp4
    pull
    auth-user-pass /var/etc/openvpn/client3/up
    auth-retry nointeract
    remote-cert-tls server
    capath /var/etc/openvpn/client3/ca
    cert /var/etc/openvpn/client3/cert
    key /var/etc/openvpn/client3/key
    tls-auth /var/etc/openvpn/client3/tls-auth 1
    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
    data-ciphers-fallback AES-256-CBC
    allow-compression asym
    resolv-retry infinite
    fast-io
    sndbuf 524288
    rcvbuf 524288
    tun-mtu 1500
    fragment 1300
    mssfix 1200
    route-nopull

    You can see that the custom options are added at the end with an extra blank line after each line. And a final “route-nopull” is added at the end. Always check & compare this file with the original Express config.ovpn file.
    Difference might exist, as we can’t know what openvpn (version) ExpressVPN is using.
    pfSense 23.01 uses:

    [23.01-RELEASE][[email protected]]/cf/conf: openvpn --version
    OpenVPN 2.6_beta1 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO]
    library versions: OpenSSL 1.1.1t-freebsd 7 Feb 2023, LZO 2.10


    Nice, a beta version

    No “help me” PM’s please. Use the forum, the community will thank you.
    Edit : and where are the logs ??
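Added example, not code from either poster: a small Python helper that derives the pfSense “Custom Options” content from an ExpressVPN .ovpn file by applying the edit steps in the 123123 post (drop “keysize”, rewrite “ns-cert-type server” to “remote-cert-tls server”, append auth-nocache/persist-key/persist-tun, no trailing blank line), and that lists which directives from the original file are absent from the generated /var/etc/openvpn/clientX config, the comparison Gertjan recommends above. The GUI_HANDLED set is an assumption about which directives the pfSense client form sets itself, and SAMPLE_OVPN is a constructed file with a placeholder host.

```python
import re

# Assumption: directives the pfSense OpenVPN client form sets from its own
# fields (server, protocol, certs, auth), so they must not be repeated in Custom Options.
GUI_HANDLED = {"client", "dev", "proto", "remote", "nobind", "auth-user-pass",
               "cipher", "auth", "key-direction", "comp-lzo", "verb",
               "resolv-retry", "ca", "cert", "key", "tls-auth", "pull", "route-nopull"}
DROP = {"keysize"}                                   # post: remove "keysize 256"
REWRITE = {"ns-cert-type server": "remote-cert-tls server"}
APPEND = ["auth-nocache", "persist-key", "persist-tun"]
INLINE_BLOCK = re.compile(r"<(\w[\w-]*)>.*?</\1>", re.S)  # <ca>...</ca> etc.


def parse_directives(text):
    """Directive lines of an OpenVPN config, minus comments and inline PEM blocks."""
    out = []
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = " ".join(raw.split())                 # strip and normalise whitespace
        if line and line[0] not in "#;":
            out.append(line)
    return out


def custom_options(ovpn_text):
    """Content for the Custom Options field, following the post's edit steps."""
    opts = []
    for d in parse_directives(ovpn_text):
        name = d.split()[0]
        if name in GUI_HANDLED or name in DROP:
            continue
        opts.append(REWRITE.get(d, d))
    for extra in APPEND:                             # add once, never duplicate
        if extra not in opts:
            opts.append(extra)
    return "\n".join(opts)                           # no trailing blank line, as the post warns


def missing_from_generated(ovpn_text, generated_text):
    """Directive names from the original .ovpn that pfSense's generated
    /var/etc/openvpn/clientX config lacks (Gertjan's compare-the-files check).
    Deprecated names you rewrote (ns-cert-type, keysize) are expected here."""
    wanted = {d.split()[0] for d in parse_directives(ovpn_text)}
    have = {d.split()[0] for d in parse_directives(generated_text)}
    return sorted(wanted - have)


# Constructed sample in the shape of an ExpressVPN .ovpn; the host is a placeholder.
SAMPLE_OVPN = """client
dev tun
proto udp
remote usa-dallas-placeholder.example 1195
remote-random
nobind
persist-key
persist-tun
ns-cert-type server
keysize 256
tls-client
fragment 1300
mssfix 1200
<ca>
constructed-placeholder-not-a-real-certificate
</ca>
"""
```

Run custom_options(SAMPLE_OVPN) to get the text to paste into the field, and feed the real file plus the generated config to missing_from_generated to spot silently dropped directives.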
