open vpn ip

vusqq

@viragomann yes, it has a real public wan ip

viragomann

@vusqq
I assume, you're able to determine this, but refer to https://en.wikipedia.org/wiki/Private_network, which describes what are non-public IPs.

For investigation you can go to Diagnostic > Packet Capture on pfSense and sniff the traffic on WAN interface. Set the port filter to that one you use for OpenVPN (e.g. 1194), start the capture and try to connect from the internet.

After stopping the capture, you should see packets, if they arrived at your WAN.

chpalmer

@vusqq said in open vpn ip:

@viragomann okay maybe I got this all wrong
im under the assumption openvpn is a free vpn service that I can use on pfsense

What server are you trying to connect to?

You do realize that this is not a VPN service such as being advertised out there to hide you on the internet.. correct? although there are services that allow you to use OpenVPN to connect to them..

vusqq

@chpalmer I was under the assumption, but now im realizing. thanks for the clarification.

vusqq

@chpalmer I just tried installing expressvpn on my netgate1100 and was told by a express rep that its not compatible? is wireguard a vpn that will hide my ip?

Gertjan

@vusqq said in open vpn ip:

I just tried installing expressvpn on my netgate1100 and was told by a express rep that its not compatible?

Hummm.
Install Google ad fire it up.
Enter pfsense expressvpn

and admire the results.
The very first link is www.expressvpn.com - this might actually be the site of ExpressVPN.
I'll leave it up to you to see if that's true.
Expressvpn : Setup Tutorials : How to set up ExpressVPN on pfSense (OpenVPN)

The thing is : ExpressVPN, or not, they want you should install on any device, your phone, PC, whatever, their 'app'. They control and develop that app, they tested it for you.
If you decide to use ExpressVPN (any VPN) on your own router, like pfSense, you need to handle this :

dev tun
fast-io
persist-key
persist-tun
nobind
remote netherlands-amsterdam-ca-version-2.expressnetw.com 1195
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass
etc etc etc

yourself.
I know, you are paying every month, but they are not going to help with that.

I'm using ExpresVPN right now, with pfSense as a OpenVPN client.
That is, it's connected. I'm routing nothing over it, it's just a spare WAN-IP connection.

vusqq

@gertjan appreciate the help
I will try to do it right now, just hope there isn't an issue with my openvpn server (in learning)

vusqq

@gertjan expressvpn status shows down
the tunnel ip I used for openvpn server is 192.168.2.0/24, my lan is default pfsense
is the firewall aliases Network or FQDN: Enter 192.168.1.0 suppose to match?
also there was 2 steps on the setup guide that I did not see on pfsense
enable nap-uncheck this box and Compression: Select Adaptive LZO Compression [Legacy, comp-lzo adaptive].

Gertjan

@vusqq :

This is what I have :

And these are the custom settings :

@vusqq said in open vpn ip:

expressvpn status shows down

In that case, go have a look why

Check the last line of Status > System Logs > OpenVPN
Now (re)start the OpenVPN express vpn client instance (on the dashboard).
Check again Status > System Logs > OpenVPN : everything that was added is probably from the openvpn client trying to connect to expressvpn : what does it say ?

vusqq

@gertjan thanks a lot for the screenshot
guide didn't state I have to change "allow compression" so it didn't give me the option to choose "adaptive lzo compression"
but now it shows expressvpn is up but status shows "Reconnecting (Auth Failure)"
im pretty sure my ovpn server isn't configured right which ive been messing around with.
should I leave it "peer2peer or last option even though I won't be needing to log in outside my home?
also what ip should I insert for tunnel on a default network? and im leaving local blank if thats okay.

vusqq

do I have to have openvpn server up and running in order for expressvpn to work or can I just delete openvpn completely?

Gertjan

@vusqq said in open vpn ip:

do I have to have openvpn server up and running in order for expressvpn to work

OpenVPN server and OpenVPN client are two different programs.

See the OpenVPN server as a web server. You can use it to connect you phone to your home network, when your out there in the world.
OpenVPN client is the browser. You use the OpenVPN client to connect another OpenVPN server, like ExpressVPN or another pfSense with Open server.

@vusqq said in open vpn ip:

can I just delete openvpn completely?

What do you mean ? OpenVPN server ? If you don't need or use the server, you can delete it.

@vusqq said in open vpn ip:

status shows "Reconnecting (Auth Failure)"

The logs lines say ?

Auth failure = one of these is wrong :

or your crypto settings :

@vusqq said in open vpn ip:

also what ip should I insert for tunnel on a default network?

Your client connects to a Express VPN server, and that one will send over the details.

Btw : to understand why there are slight differences with the settings on the express vpn web page, and pfSense : pfsense uses openVPN (OpenSSL) version 2.6.x. Express is using another, older (?) version. They probably also compiled their own optimized version.

@vusqq said in open vpn ip:

im pretty sure my ovpn server

? OpenVPN client is used to connect to ExpressVPN.

What is your goal ?
Using the OpenVPN server ?
I was understanding you wanted to use ExpressVPN.

vusqq

@gertjan thanks for explaining.
yes just to use express vpn. i deleted the openvpn server as i dont have any use for it and its ca/cert.
i followed a guide last night for my systems version (23.01), (though it mightve worked if i wouldve checked my cryptographic settings) and now its connected and giving me a virtual ip but still showing my current ip on browser?
these are first 4 log lines

MANAGEMENT: Client disconnected
Mar 28 07:17:48 openvpn 95571 MANAGEMENT: CMD 'status 2'
Mar 28 07:17:48 openvpn 95571 MANAGEMENT: CMD 'state 1'
Mar 28 07:17:48 openvpn 95571 MANAGEMENT: Client connected from /var/etc/openvpn/client3/sock

and these are the 2 warnings that i see

VERIFY WARNING: depth=1, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Mar 28 07:17:43 openvpn 95571 VERIFY WARNING: depth=0, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-10802-0a, emailAddress=support@expressvpn.com

Gertjan

@vusqq said in open vpn ip:

.... and now its connected and giving me a virtual ip but still showing my current ip on browser?

When it's up, you see things like this :

Dashboard, OpenVPN widget :

and on the Status > OpenVPN page :

@vusqq said in open vpn ip:

and these are the 2 warnings that i see
VERIFY WARNING: depth=1, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Mar 28 07:17:43 openvpn 95571 VERIFY WARNING: depth=0, unable to get certificate CRL: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-10802-0a, emailAddress=support@expressvpn.com

You can safely ignore these two.
They are 'normal' in this kind of setup.

The thing is, you've reached what I have now. As I'm not actually using ExpressVPN right now.

You are now here, on step 3 : https://www.expressvpn.com/fr/support/vpn-setup/pfsense-avec-expressvpn-openvpn/#route

Just follow the manual.
The example uses "191.168.1.0/24" as an example, the default pfSense setup.
The example routes your entire LAN through ExpressVPN.

vusqq

@gertjan awesome, it worked.
thank you very much for your knowledge, clear instructions, and patience. hope you have a great day.
also thank you @chpalmer @viragomann for helping out