ExpressVPN on PFSense 2.6.0 - Anyone get it working?
-
I've been trying to get ExpressVPN connected using pfSense 2.6.0 without any joy... Their config instructions only support up to 2.4.5. I spent 2 hrs on the ExpressVPN online chat with a support chap but we could not get it going... So has anyone else managed it? If so I'd love some advice.
-
@mach1ne did you follow their instructions, and where did you get blocked? I am no expert by any stretch but I'd imagine instructions would be fairly similar between 2.4.5 & 2.6.0 ?? What issues are you facing?
-
@pftdm007 yes I followed express VPN instructions to the letter...trouble is that pfsense 2.6.0 has slightly different options in the openvpn section to 2.4.5.
It basically does not connect and obtain an IP info from the VPN servers.
I'm considering purchasing Private Internet Access as they have an 80% off deal which is way cheaper than what I paid for ExpressVPN.
-
So you're saying that OpenVPN can't get an IP from your ExpressVPN servers???
Post your options and those requested by Express and we can compare. In my recent experiences... these are complicated and all options need to be set properly, especially when the GUI doesn't match between the vendor's instructions and your system (read here: I set up something improperly or pasted the parameters in the wrong location).
Also, look at the OpenVPN logs (System Logs > OpenVPN) after you restart the service and post here so we can see the actual error messages or issues being flagged by the system. Without some data from your end point it's impossible to debug and troubleshoot.
-
@mach1ne said in ExpressVPN on PFSense 2.6.0 - Anyone get it working?:
I spent 2 hrs on the expressvpn online chat with a support chap but we could not get it going..
Strange ..... ExpressVPN is a big company. They do their best to support a lot of devices. That is: they create applications for them. So, install the app, and you're good.
pfSense uses the connection differently, as it permits you to route entire networks over their VPN tunnel.
Talking 2 hours to a VPN guy makes me think: do they know what a VPN is, what "OpenVPN" is?
Granted, they don't know what X ** is, of course, and are not there to 'debug' X **.
Half of the setup is the routing part, and ExpressVPN couldn't help you with that anyway.
** X is pfSense of course. It could also be OpenWRT, NLSense, etc.
I posted in this forum a while ago a complete step by step "pfSense 2.6.0 with the OpenVPN client, connected to ExpressVPN". Good news: it works, sorry, connects just fine.
I never actually use my ExpressVPN account. It's there the day I need another WAN IP.
pfSense 2.6.0 doesn't use the same OpenVPN software version as Express does.
ExpressVPN : probably OpenVPN 2.4.x
pfSense : check for yourself : OpenVPN 2.5.4 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 12 2022 (look in the logs).
Between 2.4.x and 2.5.4 there are some differences. Just enough to make you read the "OpenVPN - if you read nothing then at least, read this". Also known as the Release notes.
I'll post a link to the post later this day. It's in here, I'm sure.
-
I've removed the expressvpn config now, so would need to reconfigure it to check the logs to see where it is failing.
Here's my pfsense build details: 2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE
Also I did a search for a step by step guide under all your posts and could not find it... Have you a link?
-
-
I did it!!!
-
in "Allow compression" select "Decompress incoming, do not compress outgoing (Asymmetric)"
-
in "compression" select "Adaptive LZO Compression [Legacy style, comp-lzo adaptive] "
note: on the instruction in the password part they say "Enter the password you found earlier twice." I put it just once
-
-
@mestacio brilliant I'll give it a try later!
-
@mestacio You are a legend!! I've just reconfigured ExpressVPN on PFSense 2.6.0 as per your settings and I've got a lovely status message of "UP"
Thanks for taking the time to post your suggestion.
-
@mestacio Hi, sorry for bumping in - but I can see this thread isn't that old yet (16 days), so I hope it's okay to add - and just for the record: Whatever you did, I also have it working with "Allow Compression" set to "Refuse any non-stub compression (Most secure)". So you probably changed something else too, if this is what got you connected and "up".
-
@newsboost Well mine's working fine and I ain't gonna touch it in fear that it stops working. Good to know though.
-
@mestacio Thanks for that hint. I had independently figured out that part. It's missing in ExpressVPN's PFSense 2.4.5 instructions.
Limit outgoing bandwidth: Leave blank.
<MISSING: Allow compression>
Compression: Select Adaptive LZO Compression [Legacy, comp-lzo adaptive].
Before completing section 2, you can verify that the VPN tunnel is up by looking at Status > OpenVPN. You should see status "up" as well as a Local and Virtual Address.
-
@gertjan It amazes me that ExpressVPN is trying to sell to gaming consumers with the latest and greatest WiFi routers. However, they completely miss the mark when it comes to supporting small businesses, especially home businesses that have to route traffic to multiple VPNs depending on the traffic or policy. Home businesses have to rely on PFSense firewalls (instead of gaming routers) to keep out the ever-expanding fleets of Internet pirates.
-
@wa4osh @pftdm007 Corrected ...
I can create the VPN tunnel OK, but then can't route the traffic into it properly. The VPN does not come up for me.
Yes, instructions for 2.4.5 are OK for the most part. Some parts are missing, options are different. The ExpressVPN CSR quit once we go to the firewall part. He/She wasn't going to help configure my firewall. It's quite clear they hate PFSense and don't get it.
I had to work my way through their instructions and then sip some coffee and watch NetworkChuck's Your Home Router Sucks and Modern Consulting's How To Setup pfSense as VPN Client for OpenVPN Server to make some sense out of the situation.
Here are the steps I've taken:
- Find your ExpressVPN Account Credentials ✔
- Setup the VPN on PFSense ✔
  Don't forget to set Allow compression to Asymmetric (as described by @mestacio) ✔
  Verify that your tunnel is up Status / VPN ... look for 'up' ✔
- Route through the VPN tunnel ✔
  Interfaces > assignments Create new OPT1 interface ✔
  Interfaces > OPT1 Enable the interface and rename it to ExpressVPN ✔
  Firewall > Aliases > IP Create the Home Network alias ✔
  Firewall > NAT > Outbound Use manual outbound rule generation ✔
  Firewall > NAT > Outbound Mappings: create a new copy of each of the WAN
  ... Mappings and create new rules for EXPRESSVPN ✔
  Firewall > Rules Create a new firewall rule to route LAN traffic to ExpressVPN ✔
  Firewall > Rules advanced Set the Gateway to EXPRESSVPN ✔
- Confirm connection success ✔
  Verify that your tunnel is up Status / VPN ... look for 'up' ✔
  Address Checker -- look for green X <--- data is not going through the tunnel!!!
I'm looking at System / Routing / Gateways to route traffic to EXPRESSVPN_V4 and set the default gateway IPv4 to ExpressVPN. There's no gateway for IPv6 traffic.
Unresolved issue?
Under Status > Dashboard > Gateways
... Why does ExpressVPN_V4 status stay on Unknown?
... Why does Status / Interfaces ExpressVPN interfaces Status show no carrier?
Their procedure builds the VPN tunnel, but does not route traffic through it properly.
-
@wa4osh said in ExpressVPN on PFSense 2.6.0 - Anyone get it working?:
Why does ExpressVPN_V4 status stay on Unknown?
Not sure. I've bounced between Unknown and Pending and Offline since I setup that thing about a month and a half ago... The dashboard widgets are flaky at best.
Sadly after having too many issues, I actually had to undo that VPN stuff and revert to a plain old pfsense setup because I was experiencing a myriad of severe issues...
-Internet randomly going down and pfsense not switching to the vanilla WAN gateway
-Websites not loading or partially loading (I confirm this is not IDS/FW or browser specific) they just must not like the VPN IP at all...
-VOIP device losing its registration to the SIP server and making my phone not working (also randomly)
-Random DNS resolution issues
-OpenVPN hard crashing (fatal errors)...
-Google pestering me with Captcha's each time I open their crappy page (use brave search engine instead)....
-Social media blocking me from access without login
-ebay locking me up 3x in a row because they do not recognize my IP...
-Just a general sense of sluggishness and latency
It's just sad that NordVPN will not refund me.... I wasted $120 for a 2 year plan that I will not use...
I also had the strong feeling that they didn't really care for pfsense, at least their "tech" support was REAL BAD.
-
@pftdm007 I'm coming up to a renewal anniversary with ExpressVPN. I've been with them for several years now. I think I might host my own OpenVPN on some obscure Linode somewhere. This will allow me to have a VPN destination when on travel or while on guest networks around town Eg. the library or at work. I think that ExpressVPN has become too big for their britches. Do these guys have an excess of new customers? Do they care about customer retention?
Your subscription automatically renews on Jun XX, 2022
-
@wa4osh Did you restart your pfSense??
-
@wa4osh I got it working and suspect you've made the same mistake as I. pfSense by default pings the ExpressVPN gateway, but the ExpressVPN gateway does not respond to ping. For that reason you need to go to: "System -> Routing -> Gateways -> Edit" and ensure "Disable Gateway Monitoring" is enabled, i.e. "This will consider this gateway as always being up". When this is checked, there are some routing rules that will begin working because they won't work, when pfSense thinks the gateway is down (default behaviour). There is another method: To manually specify an IP address to ping.
Furthermore, I assume you've done the "Firewall -> NAT -> Outbound"-stuff, which I at least found some outdated tutorials/instructions explaining pretty good how to setup (I've later found out that all instructions I saw told me to use "Manual Outbound NAT rule generation" but this I think is a bad idea, I think the "Hybrid Outbound NAT rule generation" is much easier because then you won't forget to manually update outbound NAT rules, when you e.g. add new VLANs (which I struggled a lot with)). So hybrid is just so much easier for me + it's easier to get an overview of my rules using the hybrid-method. I hope this helps. I can tell you that at least it works fine here with pfSense 2.6.0 and ExpressVPN and yes, I was also annoyed that ExpressVPN didn't have good, updated documentation - and for that reason I'm writing these things down and hope you can make it work.
I'm using policy-based routing so ALL my outgoing VLAN 10 traffic is NAT'ed on the internet to go through the ExpressVPN server - but all private/internal traffic stays private/internal (192.168.xx.xx). It's really great, I'm really happy with my setup so I hope you'll make it work soon and maybe confirm that these comments helped, in case other people struggle with the same in the future and a Google search leads them to this topic in this forum.
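-
Added example, not part of any post in this thread: a small Python check that lists the compression directives in a provider's .ovpn profile and names the pfSense 2.6.0 client fields discussed above ("Compression", "Allow compression") that should be reviewed before connecting. The sample profile is constructed, the function names are hypothetical, and tying a real algorithm in the profile to the "Allow compression" field is an assumption drawn from the posts above.

```python
# Added example. SAMPLE_OVPN is constructed; it is not ExpressVPN's real profile.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.invalid 1195 udp
# provider comment
;compress lz4-v2
comp-lzo
auth-user-pass
"""

STUB_ALGOS = {"stub", "stub-v2"}  # framing only, nothing is actually compressed


def compression_directives(text):
    """Return [(directive, [args])] for compression lines, skipping comments."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        if name in ("comp-lzo", "compress"):
            found.append((name, args))
    return found


def audit(text):
    """Normalise the directives and list the GUI fields worth reviewing."""
    directives, real_algorithm = [], False
    for name, args in compression_directives(text):
        if name == "comp-lzo":
            mode = args[0] if args else "adaptive"  # bare comp-lzo means adaptive
            directives.append(f"comp-lzo {mode}")
            real_algorithm |= mode != "no"
        else:
            # bare "compress" enables framing without selecting an algorithm
            directives.append(" ".join([name, *args]))
            real_algorithm |= bool(args) and args[0] not in STUB_ALGOS
    # Assumption: field names are the pfSense 2.6.0 labels quoted in the thread.
    fields = ["Compression"] if directives else []
    if real_algorithm:
        fields.append("Allow compression")
    return {"directives": directives, "real_algorithm": real_algorithm,
            "review_fields": fields}


if __name__ == "__main__":
    print(audit(SAMPLE_OVPN))
```
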