    ExpressVPN setup by beginner for beginners

      123123 (last edited by 123123)

      I created this guide after struggling to get ExpressVPN set up. Hope it helps. Let me know if you see inaccuracies, typos, etc.

      Relevant versions:
      pfsense version: 23.01-RELEASE
      OpenVPN version: OpenVPN 2.6_beta1

      References used for creating this how-to:

      1. YouTube video from Lawrence Systems

         Youtube Video

         • begins with a nice disclaimer regarding "privacy VPNs"
         • discusses setup including a kill switch rule to prevent traffic from going out the WAN interface
      2. ExpressVPN's documented set-up steps
         https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

         • I first followed this guide, but I struggled to get it to work so I started a fresh setup and figured out the steps described below.
         • But the steps from ExpressVPN above could be helpful.
      3. pfsense documentation
         https://docs.netgate.com/manuals/pfsense/en/latest/the-pfsense-documentation.pdf

         • Didn't use it too much, but helped me understand a couple things

      Section 1 - Setting up the OpenVPN / ExpressVPN interface
      First, do some initial setup and planning:

      1. Prepare for logging/troubleshooting of firewall rules:
        I recommend turning on logging for ALL firewall rules that are present (I also recommend turning on logging for all rules that you create). Pick a standard format for the descriptions on any rules that you create... something like "myrule-[Interfacename]allow..." or "myrule-[Interfacename]block". When looking at the system logs for the firewall, this will allow you to figure out which rules are driving which behavior.

      2. Prepare for monitoring of the VPN connection:
        a. Get the ExpressVPN id and password that you need to use. Go to the following site and sign into your account.
        https://www.expressvpn.com/setup#manual

        b. Pick an ExpressVPN site/server you're going to use for the pfsense OpenVPN connection/VPN tunnel.

        c. Once you've picked this, download the .OVPN file for the server you're going to use. Then open the file and get the host/server name from inside the file. Then do a ping on this server. You'll need this later when setting up the "monitor IP" for the ExpressVPN gateway that will be created. You can do the ping from inside the pfsense if you want using Diagnostics > Ping.

      Example for the ExpressVPN Dallas server:

      >ping usa-dallas-xxxxx.xxxxxx.com
      Pinging usa-dallas-xxxxx.xxxxxx.com [xx.xxx.xxx.xx]

      3. Now pick some ExpressVPN DNS server IP addresses to use as your DNSes:
      • If you're setting up a VPN tunnel to ExpressVPN, you already have an ExpressVPN account. If you have an account, you also can use the client VPN application to start a VPN connection from a PC or other device.

        a. Use the client application to set a connection to a location whose DNS you want to use as your DNS on your firewall OpenVPN connection.

        b. Use the ExpressVPN web page to identify the DNS server(s) for that location (pick one or more IP addresses... I recommend saving them into a file from which you can copy later).
          https://www.expressvpn.com/dns-leak-test

        • Note: since you can set up a list of multiple DNS servers in pfsense, you might want to repeat steps a and b with other locations to get a list of DNS servers from multiple ExpressVPN locations.
          Once you have gathered this information, stop the VPN client connection. For me, if I have the VPN client running, I cannot access the pfsense WebConfigurator.

        c. In your pfSense firewall Web Configurator, go to System > General Setup and change your DNS Servers to use one or more of these ExpressVPN DNS servers as the DNS used by the firewall. This will make sure you're not using any public DNS.

        • Note: if you're setting up other LANs or VLANs, each DHCP setup can hold up to 4 DNSes so you may need these DNS IP addresses again later. Review your DHCP Server groups under Services > DHCP Server and see if you want to switch any of them to use the Express VPN DNS servers.
      4. Install some helpful packages on your pfsense
        Using the openvpn client importer will save some work when setting up the certificate and certificate authority later.
        a. System > Package Manager > Available Packages > openvpn-client-import
        b. System > Package Manager > Available Packages > openvpn-client-export
      123123 @123123 (last edited by 123123)

        placeholder... I'm combining things above now that the spam checker will let me.

        123123 @123123 (last edited by 123123)

          Now we're ready to set up an openVPN client/tunnel.
          Notes:

          • I initially used the ExpressVPN setup guide and some other posts on the forum to figure this out. Here's the guide from ExpressVPN, but it seems a bit old... some things seem to be out of date.

          https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

          • This guide contains what I believe are the bare minimum number of changes required at this time to get a working ExpressVPN tunnel in place after importing a standard .OVPN file, particularly in the "custom options" section you'll see below. I'm not an expert so there could be other things that would be recommended in order to optimize behavior or maximize performance.
          1. If you have not already, download the .OPVN file for the location you're going to use for your tunnel from https://www.expressvpn.com/setup#manual
          2. On your pfsense, go to VPN > OpenVPN > Client Import
            • Note: if you don't have this "Client Import" option, you need to install the package for this from "System > Package Manager > Available Packages > openvpn-client-import"

            • select the .OVPN config file you downloaded, choose "Peer to Peer (SSL/TLS)", choose the interface to use when creating the VPN tunnel, enter the userid and password from the "Manual setup" page on the ExpressVPN site, fill out any other fields, and click Import.
              This should have created:

            • A new Certificate Authority under System > Certificate Manager > CAs

            • A new Certificate under System > Certificate Manager > CAs

            • A new Client under VPN > OpenVPN > Clients

          3. At any point in time, if you want to see what the issues are with the set-up of the import of the "off the shelf" .OVPN file or after you make some changes, you can first go to Status > OpenVPN, try to start the connection (play icon), then go to Status > System Logs > OpenVPN, go to the bottom of the log, and read through the log entries. You can also change the verbosity settings on the OpenVPN client to see more detail or less detail in the log.
          123123 @123123 (last edited by 123123)

            1. We need to resolve the issues with the .OVPN import by adjusting the OpenVPN client details
              • Go to VPN > OpenVPN > Clients, and click on the newly created client (should be the bottom one in the list), and edit it (click the pencil icon).
              • Find the "Server Certificate Key Usage Validation" option and check "Enforce key usage"
              • Find the "Don't pull routes" option and check it (not 100% sure this is required)
              • Find the "Don't add/remove routes" option and check it (not 100% sure this is required)
              • Find the "Pull DNS" option and check it (not 100% sure this is required)
              • Find the "Compression" option and change it to "Adaptive LZO Compression"
              • Modify the "Custom Options" field:
                • remove the "keysize 256" line
                • change the line "ns-cert-type server" to "remote-cert-tls server"
                • add a line at the end "auth-nocache" (without this I would see warnings in the log about things possibly being cached.)
                • add a line at the end "persist-key"
                • add a line at the end "persist-tun"
                • (be sure to not have any blank lines at the end of the field)
              • Find the "Gateway Creation" option and set it to "IPv4 only"

            NOTE - this is my resulting Custom Options:
            persist-key
            persist-tun
            remote-random
            tls-client
            verify-x509-name Server name-prefix
            remote-cert-tls server
            route-method exe
            route-delay 2
            tun-mtu 1500
            fragment 1300
            mssfix 1200
            sndbuf 524288
            rcvbuf 524288

            • Find the "Verbosity level" and set it to 5 (this changes the level of detail you will see in Status > System Logs > OpenVPN). Try different settings to find the level of detail that works for you. The ExpressVPN guide recommends 3, but I like what 5 shows in the log.
            2. Click Save
            3. Go to Status > OpenVPN and start or restart the client you created.
              With luck, the status should show as "Connected (success)" or "Up"

            Enable the new interface / gateway in pfsense

            1. Go to Interfaces > Assignments. On the new row at the bottom, in the dropdown list select the client you just set up and click the "+ Add" button and click Save.
            2. Go to the Interfaces menu and click the name of the interface you just created.
            3. Check the "Enable Interface" checkbox and click "Save". Then click "Apply Changes".

            Set up the Gateway monitor

            1. Go to System > Routing > Gateways

            2. Edit the gateway (click the pencil icon) for the row interface you just created

            3. In the "Monitor IP" field, enter the IP address for the ExpressVPN server that you gathered by pinging the name of the server listed in the .OVPN file.

            4. Click Save then click "Apply Changes"

            • Now when you go to the pfsense main Web Configurator page or Status > Gateways, you should see an accurate status for the new ExpressVPN gateway.
                    123123 (last edited by 123123)

                    Configure Outbound NAT rules

                    • The ExpressVPN manual setup documentation describes this process if my text-only descriptions are unclear.
                      <expressvpn pfsense guide>
                    1. Go to Firewall > NAT > Outbound

                    2. For the "Mode" field, select the radio button for "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)"
                      Click the "Save" button under the Mode field.

                    3. For all existing WAN NAT rules, use the copy option (double page icon) to replicate the rule. Modify the resulting new rule setting the "Interface" field to the new ExpressVPN interface that you set up and click Save.
                      Do this for all existing WAN outbound NAT rules.

                    4. Click "Apply Changes"

                      123123

                      Check your setup using the ExpressVPN tools

                      1. https://www.expressvpn.com/what-is-my-ip
                        • it should show the location of the ExpressVPN server for which you configured the OpenVPN client
                      2. https://www.expressvpn.com/dns-leak-test
                        • it should show no DNS leaks detected
                      3. https://www.expressvpn.com/webrtc-leak-test
                        • it should show no WebRTC leaks detected
                      4. Check other web sites. Pages should load successfully
                        123123 (last edited by 123123)

                        Other notes

                        • You can still run any VPN client (ExpressVPN application) software on your devices that are connecting through the pfsense firewall. HOWEVER - YOU MAY NOT BE ABLE TO ACCESS THE PFSENSE WEB CONFIGURATOR IF YOU DO THIS. If you cannot access the Web Configurator, make sure you disable/stop the VPN client software on your device and then try again to use the Web Configurator/pfsense IP address.

                        I recommend staying with this step and not continuing until you have the ExpressVPN configuration and any networks/VLANs/firewall rules working the way you want things to work.

                        • If things aren't working the way you want, I recommend changing all the firewall rules that you can to have "logging" turned on. Then use Status > System Logs > Firewall to try to understand what is going on due to the firewall rules and make adjustments. If there's a rule that is filling up your logs then make any firewall rules/setting changes (if needed), refresh the log view, and once you're confident that the rule is behaving correctly, turn off the logging for that rule.

                        !!Once you get things working the way you want, take a backup of this setup before you continue.!!

                        1. Go to Diagnostics > Backup & Restore and create a backup file for your settings.
                          123123 (last edited by 123123)

                          Section 2 - Setting up a floating block firewall rule/ "kill switch" rule

                          Add a rule to tag all VPN traffic

                          • I set this up by following the video linked here. If you're having issues with the floating firewall/"kill switch" rule, cross-reference settings against the video from Lawrence Systems.
                            Youtube Video

                            This firewall rule will tag all traffic coming from any interfaces/devices that you want to only use the ExpressVPN connection so that you can use additional rules to filter this traffic

                          1. Go to Firewall > Rules > LAN

                          2. Click the "Add" button with the up arrow

                          3. Fill out the options:

                            • Action: Pass
                            • Interface: <Choose your new ExpressVPN interface>
                            • Address Family: IPv4
                            • Protocol: any
                            • Source: choose "Single host or alias" enter the IP address of any devices/networks that will use the VPN tunnel. If you have all devices on 1 network/subnet, you can enter that. If you have multiple networks/subnets, either create multiple rules or create an alias under "Firewall > Aliases" and use that alias on this rule
                            • Destination: *
                            • Log: (I recommend checking this initially so you can confirm the rule behavior is working)
                            • Description: give it a name that is easy to pick out of a log (recommend starting with a standard unique word)... like "myrule-allow ExpressVPN devices and tag"
                            • Click the "Display Advanced" button
                            • Tag: enter a value to be used to tag VPN packets. Maybe "tagvpn"
                            • Gateway: <Select the new ExpressVPN gateway you're setting up>
                          4. Click Save

                          5. Click "Apply Changes"

                          Repeat creating this rule for any LAN, OPT, or VLAN Interfaces in pfsense that you are going to route through the ExpressVPN tunnel.

                          Add Kill Switch Floating Firewall rule

                          The intent of this rule is to prevent your tagged packets (from the OpenVPN interfaces) from going out over the normal WAN... you want them to only go out of your firewall over the ExpressVPN interface.

                          1. Go to Firewall > Rules > Floating
                            Click the "Add" button with the up arrow to add this as the first rule.

                            • Action: Block
                            • Interface: WAN
                            • Address Family: IPv4
                            • Protocol: any
                            • Source: any
                            • Destination: any
                            • Log: check this box so the log will capture any traffic being blocked by this rule.
                            • Description: give it a name that is easy to pick out of a log (recommend starting with a standard unique word)... like "myrule-block tagged traffic from using WAN to access internet"
                            • Click the "Display Advanced" button
                            • Tagged: enter the same tag value that you used to tag packets on your OpenVPN rule.
                          2. Click Save

                          3. Click "Apply Changes"

                          Stay with this step and do not continue until you have your networks/VLANs/firewall rules working the way you want things to work.

                          • If things aren't working the way you want, I again recommend changing all the firewall rules that you can to have "logging" turned on. Then use Status > System Logs > Firewall to try to understand what is going on and make adjustments.

                          !!Once you get things working the way you want, take a backup of this setup before you continue.!!

                          1. Go to Diagnostics > Backup & Restore and create a backup file for your settings.

                          !!Check MBUF Usage as an indicator of proper functioning!!
                          (update from July 2023)
                          After some time I was having issues with MBUF Usage (shown on the front page of the WebGUI) growing very quickly and things generally were not working well... web pages would load sometimes, other times not and I would have to restart the firewall when it filled up all the MBUF. I even added a custom parameter for MBUF allocation and gave it a large value, but there was obviously a problem as I could watch the number go up by 1000+ every time the front page refreshed. I found a post that led me to believe it was something in my OpenVPN client set up. I wish I was able to tell you exactly which change I made fixed the issue, but so far I have not been able to recreate the issue by trying to put things back the way they were. But if you have this issue, seems it is most likely related to a setting in your OpenVPN client.

                            123123 (last edited by 123123)

                            The End

                            (sorry for all the self-replies and bad links... the Spam filter is not happy with me)

                            I'll try to clean it up later when my reputation score improves.... correction... I won't be able to edit it due to the 1 hour edit time limit.

                              wendellkbest @123123

                              @123123 The "openvpn-client-import" package is no longer available. Do you have any instructions for entering the settings manually? Would also help to give details on the Custom Options

                                Gertjan @wendellkbest (last edited by Gertjan)

                                @wendellkbest said in ExpressVPN setup by beginner for beginners:

                                Would also help to give details on the Custom Options

                                Right now, I've a connection to expressvpn with this very minimal :

                                [screenshot]

                                as these 3 settings do not exist in the pfSense GUI, but they are needed (I guess) when using ExpressVPN. Without them : failure to connect.

                                I've removed all other proposed custom options.

                                Also, I've set "compression" to 'no' :

                                [screenshot]

                                but the more future proof :

                                [screenshot]

                                also seems to work.

                                [screenshot]

                                I can ping test using my EXPRESSVPN interface :

                                [screenshot]

                                and the OpenVPN client: Express VPN interface :

                                [screenshot]

                                Note : I didn't test any routing at this moment, as I use the client VPN only 'when really needed'.

                                Also : The pfSense GUI is only, as usual, the front end.
                                pfSense uses the classic openvpn binaries and configuration files.

                                My /var/etc/openvpn/clientx/config.ovpn (x can be 1, 2 etc) looks like this right now :

                                dev ovpnc3
                                disable-dco
                                verb 3
                                dev-type tun
                                dev-node /dev/tun3
                                writepid /var/run/openvpn_client3.pid
                                #user nobody
                                #group nobody
                                script-security 3
                                daemon
                                keepalive 10 60
                                ping-timer-rem
                                persist-tun
                                persist-key
                                proto udp4
                                auth SHA512
                                up /usr/local/sbin/ovpn-linkup
                                down /usr/local/sbin/ovpn-linkdown
                                local 192.168.10.4
                                engine rdrand
                                tls-client
                                lport 0
                                management /var/etc/openvpn/client3/sock unix
                                remote france-strasbourg-ca-version-2.expressnetw.com 1195 udp4
                                pull
                                auth-user-pass /var/etc/openvpn/client3/up
                                auth-retry nointeract
                                remote-cert-tls server
                                capath /var/etc/openvpn/client3/ca
                                cert /var/etc/openvpn/client3/cert 
                                key /var/etc/openvpn/client3/key 
                                tls-auth /var/etc/openvpn/client3/tls-auth 1
                                data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
                                data-ciphers-fallback AES-256-CBC
                                allow-compression asym
                                resolv-retry infinite
                                fast-io
                                sndbuf 524288
                                rcvbuf 524288
                                tun-mtu 1500
                                
                                fragment 1300
                                
                                mssfix 1200
                                
                                route-nopull
                                

                                You can see that the custom options are added at the end with an extra blank line after each line. And a final "route-nopull" is added at the end.

                                Always check & compare this file with the original Express config.ovpn file.
                                Differences might exist, as we can't know what openvpn (version) ExpressVPN is using.
                                pfSense 23.01 uses :

                                [23.01-RELEASE][admin@pfSense.omg.net]/cf/conf: openvpn --version
                                OpenVPN 2.6_beta1 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO]
                                library versions: OpenSSL 1.1.1t-freebsd  7 Feb 2023, LZO 2.10
                                ....
                                

                                Nice, a beta version 😊

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

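An added example, not code from the thread or from pfSense: a small Python script that applies the Custom Options edits from 123123's post (drop "keysize 256", rename "ns-cert-type server" to "remote-cert-tls server", append auth-nocache/persist-key/persist-tun, no trailing blank line) and performs the "always check & compare" step Gertjan recommends, reporting directives that are missing, changed or extra between the provider's .ovpn profile and the config.ovpn pfSense generates. The two sample profiles embedded below are constructed for this example (placeholder hostname, and mssfix deliberately altered so the drift report shows a change); function names and the GUI_MANAGED list are my own assumptions.

```python
"""Review helpers for an OpenVPN client profile, following the thread above:
fix_custom_options() applies 123123's Custom Options edits, compare_configs()
does Gertjan's check of the provider .ovpn against pfSense's config.ovpn."""

# Directives pfSense writes from GUI fields (certs, ciphers, remote, dev, ...)
# rather than from the Custom Options box; they always differ textually from
# the provider profile, so they are left out of the drift report (assumed list).
GUI_MANAGED = {"dev", "dev-type", "dev-node", "proto", "remote", "auth", "cert", "key",
               "ca", "capath", "tls-auth", "auth-user-pass", "cipher", "data-ciphers",
               "data-ciphers-fallback", "verb", "pull", "management", "writepid", "up",
               "down", "daemon", "local", "lport", "engine", "script-security", "keepalive"}
REMOVE = {"keysize"}                          # "keysize 256" is dropped
RENAME = {"ns-cert-type": "remote-cert-tls"}  # "ns-cert-type server" is renamed
APPEND = ["auth-nocache", "persist-key", "persist-tun"]  # appended once, at the end


def parse_directives(text):
    """[(name, args)] per directive; comments, blank lines and inline
    <ca>...</ca>-style blocks are skipped."""
    result, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):          # "<ca>" opens, "</ca>" closes a block
            in_block = not line.startswith("</")
            continue
        if not in_block:
            name, *args = line.split()
            result.append((name, tuple(args)))
    return result


def fix_custom_options(text):
    """Apply the post's edits; the result has no trailing blank line."""
    kept = []
    for name, args in parse_directives(text):
        if name not in REMOVE:
            kept.append(" ".join((RENAME.get(name, name), *args)))
    kept += [extra for extra in APPEND if extra not in kept]
    return "\n".join(kept)


def compare_configs(profile, generated):
    """Directive drift as {"missing": [...], "changed": [...], "extra": [...]};
    repeated directives (several "remote" lines) are compared as sets."""
    def index(text):
        table = {}
        for name, args in parse_directives(text):
            table.setdefault(name, set()).add(" ".join(args))
        return table
    prof, gen = index(profile), index(generated)
    report = {"missing": [], "changed": [], "extra": []}
    for name in sorted(set(prof) | set(gen)):
        if name in GUI_MANAGED:
            continue
        if name not in gen:
            report["missing"] += [f"{name} {v}".strip() for v in sorted(prof[name])]
        elif name not in prof:
            report["extra"] += [f"{name} {v}".strip() for v in sorted(gen[name])]
        elif prof[name] != gen[name]:
            report["changed"].append(f"{name}: profile {sorted(prof[name])} vs generated {sorted(gen[name])}")
    return report


# Constructed sample: Custom Options as the importer filled them from a stock
# profile (directives taken from the post, trailing blank line included).
IMPORTED_CUSTOM_OPTIONS = """keysize 256
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
tun-mtu 1500
fragment 1300
mssfix 1200

"""

# Constructed sample: a trimmed config.ovpn in the shape pfSense writes,
# with a placeholder hostname instead of a real ExpressVPN server.
GENERATED_CONFIG = """dev ovpnc3
persist-tun
persist-key
tls-client
remote vpn-server.example.invalid 1195 udp4
pull
remote-cert-tls server
tun-mtu 1500
fragment 1300
mssfix 1400
route-nopull
"""
```

Run compare_configs(fix_custom_options(IMPORTED_CUSTOM_OPTIONS), GENERATED_CONFIG) against your own two files to see which custom options never made it into the generated config and which values pfSense changed.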
                                  123123 @wendellkbest (last edited by 123123)

                                  @wendellkbest said in ExpressVPN setup by beginner for beginners:

                                  @123123 The "openvpn-client-import" package is no longer available. Do you have any instructions for entering the settings manually? Would also help to give details on the Custom Options

                                  1. If you want to enter the certificate details manually, you can follow the manual setup document available on the ExpressVPN site.

                                    But I would double-check the pfsense Package Manager whether the import package tool is available (or maybe is already installed on your pfsense).

                                    https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

                                  2. Now that I got some reputation points, I was able to update the old posts. I updated the original posts with details about the "Custom Options" field values, but my intent was for the instructions to be somewhat dynamic as things change over time (like if ExpressVPN updates the .ovpn files or something like that).

                                    Gertjan @123123

                                    @123123 said in ExpressVPN setup by beginner for beginners:

                                    (like if ExpressVPN updates the .ovpn files or something like that)

                                    Or the OpenVPN version used by pfSense changes!
                                    Or the OpenVPN version used by Express changes.
                                    For the normal Express clients, this is a non-issue as they 'just have to upgrade their Express VPN client and done'.
                                    When you use a VPN ISP with pfSense, you don't use their client.
                                    You and I and many others do things 'the hard way', also known as 'manually'.
                                    When the version changes, parameters can get declared 'not wanted' - and new parameters can get added.
                                    For some, there will be a pfSense GUI equivalent so you handle their usage with some ease.
                                    For some, the custom option box is needed.

                                    Right now, pfSense and Express seem to be in sync, as my custom options box contains the bare minimum :

                                    [screenshot]

                                    I'm pretty sure these parameters, fragment and mssfix, the decimal values, are not optimal.


                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.