Netgate Discussion Forum

    ExpressVPN on PFSense 2.6.0 - Anyone get it working?

    24 Posts 9 Posters 8.2k Views
      mestacio

      I did it!!!

      • in "Allow compression" select "Decompress incoming, do not compress outgoing (Asymmetric)"

      • in "compression" select "Adaptive LZO Compression [Legacy style, comp-lzo adaptive]"

      Note: on the instruction in the password part they say "Enter the password you found earlier twice." I put it just once.

        mach1ne @mestacio

        @mestacio brilliant I'll give it a try later!

          mach1ne @mestacio

          @mestacio You are a legend!! I've just reconfigured ExpressVPN on PFSense 2.6.0 as per your settings and I've got a lovely status message of "UP".
          Thanks for taking the time to post your suggestion.

            newsboost @mestacio

            @mestacio Hi, sorry for bumping in - but I can see this thread isn't that old yet (16 days), so I hope it's okay to add - and just for the record: Whatever you did, I also have it working with "Allow Compression" set to "Refuse any non-stub compression (Most secure)". So you probably changed something else too, if this is what got you connected and "up".

              mach1ne @newsboost

              @newsboost Well mine's working fine and I ain't gonna touch it in fear that it stops working. Good to know though.

                WA4OSH @mestacio

                @mestacio Thanks for that hint. I had independently figured out that part. It's missing in ExpressVPN's PFSense 2.4.5 instructions.

                Limit outgoing bandwidth: Leave blank.
                <MISSING: Allow compression>
                Compression: Select Adaptive LZO Compression [Legacy, comp-lzo adaptive].

                Before completing section 2, you can verify that the VPN tunnel is up by looking at Status > OpenVPN. You should see status "up" as well as a Local and Virtual Address.

                1 Reply Last reply Reply Quote 0
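The two "Allow compression" choices discussed above (mestacio's asymmetric setting and the "Refuse any non-stub compression" setting newsboost reports) can be compared with a small checker. This is an added example, not code from any poster: it assumes the GUI choices are written out as OpenVPN's `allow-compression asym` and `allow-compression no`, and the sample configs are constructed.

```python
# Added example (not from the thread): what a set of OpenVPN compression
# directives permits. Sample configs below are constructed.
NON_STUB = {"lzo", "lz4", "lz4-v2"}  # algorithms that really compress

ASYM = """
allow-compression asym   # assumed output of the "Asymmetric" GUI choice
comp-lzo adaptive
"""
REFUSE = """
allow-compression no     # assumed output of "Refuse any non-stub compression"
comp-lzo adaptive
"""

def compression_posture(config_text, default_allow="asym"):
    """default_allow is an assumption for configs lacking allow-compression;
    the built-in default differs between OpenVPN releases."""
    allow, algo = default_allow, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        key, *args = line.split()
        if key == "allow-compression" and args:
            allow = args[0]
        elif key == "comp-lzo":
            # bare comp-lzo means adaptive; "no" leaves only stub framing
            algo = "stub" if args[:1] == ["no"] else "lzo"
        elif key == "compress":
            algo = args[0] if args else "stub"
    real = algo in NON_STUB
    return {
        "allow": allow,
        "algorithm": algo,
        "decompress_incoming": real and allow in ("asym", "yes"),
        "compress_outgoing": real and allow == "yes",
        "refused_by_policy": real and allow == "no",
    }

if __name__ == "__main__":
    for name, cfg in (("asym", ASYM), ("refuse", REFUSE)):
        print(name, compression_posture(cfg))
```

With the asymmetric setting the client accepts compressed packets from the server but never compresses what it sends; with the refuse setting the same `comp-lzo adaptive` line is flagged as conflicting with the policy.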
                  WA4OSH @Gertjan

                  @gertjan It amazes me that ExpressVPN is trying to sell to gaming consumers with the latest and greatest WiFi routers. However, they completely miss the mark when it comes to supporting small businesses, especially home businesses that have to route traffic to multiple VPNs depending on the traffic or policy. Home businesses have to rely on PFSense firewalls (instead of gaming routers) to keep out the ever-expanding fleets of Internet pirates.

                      WA4OSH @WA4OSH

                      @wa4osh @pftdm007 Corrected ...
                      I can create the VPN tunnel OK, but then can't route the traffic into it properly. The VPN does not come up for me.

                      Yes, instructions for 2.4.5 are OK for the most part. Some parts are missing, options are different. The ExpressVPN CSR quit once we go to the firewall part. He/She wasn't going to help configure my firewall. It's quite clear they hate PFSense and don't get it.

                      I had to work my way through their instructions and then sip some coffee and watch NetworkChuck's Your Home Router Sucks and Modern Consulting's How To Setup pfSense as VPN Client for OpenVPN Server to make some sense out of the situation.

                      Here are the steps I've taken:

                      1. Find your ExpressVPN Account Credentials √
                      2. Setup the VPN on PFSense √
                         • Don't forget to set Allow compression to Asymmetric (as described by @mestacio) √
                         • Verify that your tunnel is up: Status / VPN ... look for 'up' √
                      3. Route through the VPN tunnel √
                         • Interfaces > assignments: Create new OPT1 interface √
                         • Interfaces > OPT1: Enable the interface and rename it to ExpressVPN √
                         • Firewall > Aliases > IP: Create the Home Network alias √
                         • Firewall > NAT > Outbound: Use manual outbound rule generation √
                         • Firewall > NAT > Outbound Mappings: create a new copy of each of the WAN ... Mappings and create new rules for EXPRESSVPN √
                         • Firewall > Rules: Create a new firewall rule to route LAN traffic to ExpressVPN √
                         • Firewall > Rules advanced: Set the Gateway to EXPRESSVPN √
                      4. Confirm connection success √
                         • Verify that your tunnel is up: Status / VPN ... look for 'up' √
                         • Address Checker -- look for green X <--- data is not going through the tunnel!!!

                      I'm looking at System / Routing / Gateways to route traffic to EXPRESSVPN_V4 and set the default gateway IPv4 to ExpressVPN. There's no gateway for IPv6 traffic.

                      Unresolved issue?
                      Under Status > Dashboard > Gateways
                      ... Why does ExpressVPN_V4 status stay on Unknown?
                      ... Why does Status / Interfaces ExpressVPN interfaces Status show no carrier?

                      Their procedure builds the VPN tunnel, but does not route traffic through it properly.

                        pftdm007 @WA4OSH

                        @wa4osh said in ExpressVPN on PFSense 2.6.0 - Anyone get it working?:

                        Why does ExpressVPN_V4 status stay on Unknown?

                        Not sure. I've bounced between Unknown and Pending and Offline since I setup that thing about a month and a half ago... The dashboard widgets are flaky at best.

                        Sadly after having too many issues, I actually had to undo that VPN stuff and revert to a plain old pfsense setup because I was experiencing a myriad of severe issues...

                        -Internet randomly going down and pfsense not switching to the vanilla WAN gateway
                        -Websites not loading or partially loading (I confirm this is not IDS/FW or browser specific) they just must not like the VPN IP at all...
                        -VOIP device losing its registration to the SIP server and making my phone not working (also randomly)
                        -Random DNS resolution issues
                        -OpenVPN hard crashing (fatal errors)...
                        -Google pestering me with Captcha's each time I open their crappy page (use brave search engine instead)....
                        -Social media blocking me from access without login
                        -ebay locking me up 3x in a row because they do not recognize my IP...
                        -Just a general sense of sluggishness and latency

                        It's just sad that NordVPN will not refund me.... I wasted $120 for a 2 year plan that I will not use...

                        I also had the strong feeling that they didn't really care for pfsense, at least their "tech" support was REAL BAD.

                          WA4OSH @pftdm007

                          @pftdm007 I'm coming up to a renewal anniversary with ExpressVPN. I've been with them for several years now. I think I might host my own OpenVPN on some obscure Linode somewhere. This will allow me to have a VPN destination when on travel or while on guest networks around town, e.g. the library or at work. I think that ExpressVPN has become too big for their britches. Do these guys have an excess of new customers? Do they care about customer retention?

                          Your subscription automatically renews on Jun XX, 2022

                            mestacio @WA4OSH

                            @wa4osh Did you restart your pfSense??

                              newsboost @WA4OSH

                              @wa4osh I got it working and suspect you've made the same mistake as I. pfSense by default pings the express vpn gateway, but the express-vpn gateway does not respond to ping. For that reason you need to go to: "System -> Routing -> Gateways -> Edit" and ensure "Disable Gateway Monitoring" is enabled, i.e. "This will consider this gateway as always being up". When this is checked, there are some routing rules that will begin working because they won't work, when pfSense thinks the gateway is down (default behaviour). There is another method: To manually specify an ip address to ping.

                              Furthermore, I assume you've done the "Firewall -> NAT -> Outbound"-stuff, which I at least found some outdated tutorials/instructions explaining pretty good how to setup (I've later found out that all instructions I saw told me to use "Manual Outbound NAT rule generation" but this I think is a bad idea, I think the "Hybrid Outbound NAT rule generation" is much easier because then you won't forget to manually update outbound NAT rules, when you e.g. add new VLANs (which I struggled a lot with)). So hybrid is just so much easier for me + it's easier to get an overview of my rules using the hybrid-method. I hope this helps. I can tell you that at least it works fine here with pfSense 2.6.0 and expressVPN and yes, I was also annoyed that expressVPN didn't have good, updated documentation - and for that reason I'm writing these things down and hope you can make it work.

                              I'm using policy-based routing so ALL my outgoing VLAN 10 traffic is NAT'ed on the internet to go through the express VPN server - but all private/internal traffic stays private/internal (192.168.xx.xx). It's really great, I'm really happy with my setup so I hope you'll make it work soon and maybe confirm that these comments helped, in case other people struggle with the same in the future and a google search leads them to this topic in this forum.

                                xxxoverload @newsboost

                                @newsboost you're a god!!! Thank you so much. As soon as I disabled the gateway monitoring it finally worked.

                                I also disabled the outbound nat rules to the wan just in case the vpn goes down it won't let any traffic out the wan but, I have to leave it in manual outbound nat mode though or it will default to the wan if the vpn goes down for whatever reason.

                                R N 2 Replies Last reply Reply Quote 0
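newsboost's gateway-monitoring fix and xxxoverload's point about outbound NAT on the WAN can both be checked against a configuration backup. The following is an added example, not from any poster or from Netgate: it assumes the element names in the constructed sample match the layout of a pfSense config.xml backup and that the VPN interface is opt1, so verify both against your own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed config.xml layout.
SAMPLE = """<pfsense>
  <gateways><gateway_item>
    <interface>opt1</interface><name>EXPRESSVPN_V4</name>
  </gateway_item></gateways>
  <nat><outbound><mode>advanced</mode>
    <rule><interface>wan</interface></rule>
    <rule><interface>opt1</interface></rule>
  </outbound></nat>
  <filter>
    <rule><interface>lan</interface><gateway>EXPRESSVPN_V4</gateway></rule>
  </filter>
</pfsense>"""

def audit(xml_text, vpn_if="opt1", wan_if="wan"):
    """Return findings for the two pitfalls described in the thread."""
    root = ET.fromstring(xml_text)
    findings, vpn_gws = [], set()
    for gw in root.findall("./gateways/gateway_item"):
        if gw.findtext("interface") != vpn_if:
            continue
        vpn_gws.add(gw.findtext("name"))
        # Monitoring on, no alternate monitor IP: the gateway itself is pinged.
        if gw.find("monitor_disable") is None and not gw.findtext("monitor"):
            findings.append("monitor: VPN gateway is pinged directly; it is "
                            "treated as down if it does not answer")
    if not any(r.findtext("gateway") in vpn_gws
               for r in root.findall("./filter/rule")):
        findings.append("rules: no firewall rule selects the VPN gateway")
    mode = root.findtext("./nat/outbound/mode", default="automatic")
    manual_wan = any(r.findtext("interface") == wan_if
                     for r in root.findall("./nat/outbound/rule"))
    # Automatic and hybrid modes generate WAN rules; manual mode lists them.
    if mode in ("automatic", "hybrid") or (mode == "advanced" and manual_wan):
        findings.append(f"nat: mode '{mode}' still NATs out {wan_if}; "
                        "traffic can leave there if the VPN goes down")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The sample reproduces the state after following the manual-NAT steps with monitoring left at its default, so it reports both the monitoring and the WAN NAT finding.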
                                  rcoleman-netgate Netgate @xxxoverload

                                  @xxxoverload You can also set the IP to something other than [blank] which will use the next upstream IP. Make it 1.1.1.1 or 8.8.8.8 and it will work that way, too.

                                  Ryan
                                  Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                                  Requesting firmware for your Netgate device? https://go.netgate.com
                                  Switching: Mikrotik, Netgear, Extreme
                                  Wireless: Aruba, Ubiquiti

                                    newsboost @xxxoverload

                                    @xxxoverload You're very welcome, I'm very happy it works for you and you found my description valuable! I (too) spent so (damn!) many hours struggling with this so I thought I should give back and write some detailed instructions and contribute to the community with that information.

                                    By the way, I didn't figure those things out myself, I asked somewhere (cannot remember where) and a friendly godlike/guru person helped me with that same piece of info, but that information/post is probably drowning and also for that reason I thought/think it is important that we help each other with these things :-)

                                    About disabling outbound nat rules: Yeah, once you figure out the system, there are just so many possibilities to customize the behaviour we want :-)

                                      elmo1943

                                      Sorry for late reply. I had Expressvpn running, not well and very very slow. Finally removed and reinstalled pfSense (now 2.6.2). Installed Expressvpn on wrt3200acm router that is connected to pfSense and all problems are gone and speed is much much faster (same as with no vpn). Downside is wrt3200acm router is wifi ac. Tried Nordvpn on rt-ax86u but was a total failure, slow, disconnects, etc. Back to wrt3200acm on pfSense and looking for good ax wifi card for pfSense, no luck yet. Hope 2.7 will have 2.5gb drivers and I will not have to install (it worked but I am not good at that). Many people here on the net helped me to get Expressvpn installed and even more to install 2.5gb drivers, Thanks all very much.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.