ExpressVPN setup by beginner for beginners

123123

4. We need to resolve the issues with the .OVPN import by adjusting the OpenVPN client details
   • Go to VPN > OpenVPN > Clients, and click on the newly created client (should be the bottom one in the list), and edit it (click the pencil icon).
   • Find the "Server Certificate Key Usage Validation" option and check "Enforce key usage"
   • Find the "Don't pull routes" option and check it (not 100% sure this is required)
   • Find the "Don't add/remove routes" option and check it (not 100% sure this is required)
   • Find the "Pull DNS" option and check it (not 100% sure this is required)
   • Find the "Compression" option and change it to "Adaptive LZO Compression"
   • Modify the "Custom Options" field:
     • remove the "keysize 256" line
     • change the line "ns-cert-type server" to "remote-cert-tls server"
     • add a line at the end "auth-nocache" (without this I would see warnings in the log about things possibly being cached.)
     • add a line at the end "persist-key"
     • add a line at the end "persist-tun"
     • (be sure to not have any blank lines at the end of the field)
   • Find the "Gateway Creation" option and set it to "IPv4 only"

NOTE - this is my resulting Custom Options:
persist-key
persist-tun
remote-random
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
sndbuf 524288
rcvbuf 524288

• Find the "Verbosity level" and set it to 5 (this changes the level of detail you will see in Status > System Logs > OpenVPN). Try different settings to find the level of detail that works for you. The ExpressVPN guide recommends 3, but I like what 5 shows in the log.

5. Click Save
6. Go to Status > OpenVPN and start or restart the client you created.
   With luck, the status should show as "Connected (success)" or "Up"

Enable the new interface / gateway in pfsense

1. Go to Interfaces > Assignments. On the new row at the bottom, in the dropdown list select the client you just set up and click the "+ Add" button and click Save.
2. Go to the Interfaces menu and click the name of the interface you just created.
3. Check the "Enable Interface" checkbox and click "Save". Then click "Apply Changes".

Set up the Gateway monitor

1. Go to System > Routing > Gateways

2. Edit the gateway (click the pencil icon) for the row interface you just created

3. In the "Monitor IP" field, enter the IP address for the ExpressVPN server that you gathered by pinging the name of the server listed in the .OVPN file.

4. Click Save then click "Apply Changes"

• Now when you go to the pfsense main Web Configurator page or Status > Gateways, you should see an accurate status for the new ExpressVPN gateway.

123123

This post is deleted!

123123

This post is deleted!

123123

This post is deleted!

123123

Configure Outbound NAT rules

• The ExpressVPN manual setup documentation describes this process if my text-only descriptons are unclear.
  <expressvpn pfsense guide>

1. Go to Firewall > NAT > Outbound

2. For the "Mode" field, select the radio button for "Manual Outbound NAT rule generation. (AON - Advanced Outbound NAT)"
   Click the "Save" button under the Mode field.

3. For all existing WAN NAT rules, use the copy option (double page icon) to replicate the rule. Modify the resulting new rule setting the "Interface" field to the new ExpressVPN interface that you set up and click Save.
   Do this for all existing WAN outbound NAT rules.

4. Click "Apply Changes"

123123

Check your setup using the ExpressVPN tools

1. https://www.expressvpn.com/what-is-my-ip
   • it should show the location of the ExpressVPN server for which you configured the OpenVPN client
2. https://www.expressvpn.com/dns-leak-test
   • it should show no DNS leaks detected
3. https://www.expressvpn.com/webrtc-leak-test
   • it should show no WebRTC leaks detected
4. Check other web sites. Pages should load successfully

123123

Other notes

• You can still run any VPN client (ExpressVPN application) software on your devices that are connecting through the pfsense firewall. HOWEVER - YOU MAY NOT BE ABLE TO ACCESS THE PFSENSE WEB CONFIGURATOR IF YOU DO THIS. If you cannot access the Web Configurator, make sure you disable/stop the VPN client software on your device and then try again to use the Web Configurator/pfsense IP address.

I recommend staying with this step and do not continue until you have the ExpressVPN configuration and any networks/VLANs/firewall rules working the way you want things to work.

• If things aren't working the way you want, I recommend changing all the firewall rules that you can to have "logging" turned on. Then use Status > System Logs > Firewall to try to understand what is going on due to the firewall rules and make adjustments. If there's a rule that is filling up your logs then make any firewall rules/setting changes (if needed), refresh the log view, and once you're confident that the rule is behaving correctly, turn off the logging for that rule.

!!Once you get things working the way you want, take a backup of this setup before you continue.

1. Go to Diagnostics > Backup & Restore and create a backup file for your settings.

123123

Section 2 - Setting up a floating block firewall rule/ "kill switch" rule

Add a rule to tag all VPN traffic

• I set this up by following the video linked here. If you're having issues with the floating firewall/"kill switch" rule, cross-reference settings against the video from Lawrence Systems.
  Youtube Video

  This firewall rule will tag all traffic coming from any interfaces/devices that you want to only use the ExpressVPN connection so that you can use additional rules to filter this traffic

1. Go to Firewall > Rules > LAN

2. Click the "Add" button with the up arrow

3. Fill out the options:

   • Action: Pass
   • Interface: <Choose your new ExpressVPN interface>
   • Address Family: IPv4
   • Protocol: any
   • Source: choose "Single host or alias" enter the IP address of any devices/networks that will use the VPN tunnel. If you have all devices on 1 network/subnet, you can enter that. If you have multiple networks/subnets, either create multiple rules or create an alias under "Firewall > Aliases" and use that alias on this rule
   • Destination: *
   • Log: (I recommend checking this initially so you can confirm the rule behavior is working)
   • Description: give it a name that is easy to pick out of a log (recommend starting with a standard unique word)... like "myrule-allow ExpressVPN devices and tag"
   • Click the "Display Advanced" button
   • Tag: enter a value to be used to tag VPN packes. Maybe "tagvpn"
   • Gateway: <Select the new ExpresVPN gateway you're setting up>

4. Click Save

5. Click "Apply Changes"

Repeat creating this rule for any LAN, OPT, or VLAN Interfaces in pfsense that you are going to route through the ExpressVPN tunnel.

Add Kill Switch Floating Firewall rule

The intent of this rule is to prevent your tagged packets (from the OpenVPN interfaces) from going out over the normal WAN... you want them to only go out of your firewall over the ExpressVPN interface.

1. Go to Firewall > Rules > Floating
   Click the "Add" button with the up arrow to add this as the first rule.

   • Action: Block
   • Interface: WAN
   • Address Family: IPv4
   • Protocol: any
   • Source: any
   • Destination: any
   • Log: check this box so the log will capture any traffic being blocked by this rule.
   • Description: give it a name that is easy to pick out of a log (recommend starting with a standard unique word)... like "myrule-block tagged traffic from using WAN to access internet"
   • Click the "Display Advanced" button
   • Tagged: enter the same tag value that you used to tag packets on your OpenVPN rule.

2. Click Save

3. Click "Apply Changes"

Stay with this step and do not continue until you have your networks/VLANs/firewall rules working the way you want things to work.

• If things aren't working the way you want, I again recommend changing all the firewall rules that you can to have "logging" turned on. Then use Status > System Logs > Firewall to try to understand what is going on and make adjustments.

!!Once you get things working the way you want, take a backup of this setup before you continue.!!

1. Go to Diagnostics > Backup & Restore and create a backup file for your settings.

!!Check MBUF Usage as an indicator of proper functioning!!
(update from July 2023)
After some time I was having issues with MBUF Usage (shown on the front page of the WebGUI) growing very quickly and things generally were not working well... web pages would load sometimes, other times not and I would have to restart the firewall when it filled up all the MBUF. I even added a custom parameter for MBUF allocation and gave it a large value, but there was obviously a problem as I could watch the number go up by 1000+ every time the front page refreshed. I found a post that led me to believe it was something in my OpenVPN client set up. I wish I was able to tell you exactly which change I made fixed the issue, but so far I have not been able to recreate the issue by trying to put things back the way they were. But if you have this issue, seems it is most likely related to a setting in your OpenVPN client.

123123

The End

(sorry for all the self-replies and bad links... the Spam filter is not happy with me)

I'll try to clean it up later when my reputation score improves.... correction... I won't be able to edit it due to the 1 hour edit time limit.

wendellkbest

@123123 The "openvpn-client-import" package is no longer available. Do you have any instructions for entering the settings manually? Would also help to give details on the Custom Options

Gertjan

@wendellkbest said in ExpressVPN setup by beginner for beginners:

Would also help to give details on the Custom Options

Right now, I've a connection to expressvpn with this very minimal :

as these 3 settings do not exist in the pfSense GUI, but they are needed (I guess) when using ExpressVPN. Without them : failure to connect.

I've removed all other proposed custom options.

Also, I've set "compression" to 'no' :

but the more future proof :

also seems to work.

I can ping test using my EXPRESSVPN interface :

and the OpenVPN client: Express VPN interface :

Note : I didn't test any routing at this moment, as I use the client VPN only 'when really needed'.

Also : The pfSense GUI is only, as usual, the front end.
pfSense uses the classic openvpn binaries and configuration files.

My /var/etc/openvpn/clientx/config/opvn (x can be 1, 2 etc) looks like this right now :

dev ovpnc3
disable-dco
verb 3
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_client3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.10.4
engine rdrand
tls-client
lport 0
management /var/etc/openvpn/client3/sock unix
remote france-strasbourg-ca-version-2.expressnetw.com 1195 udp4
pull
auth-user-pass /var/etc/openvpn/client3/up
auth-retry nointeract
remote-cert-tls server
capath /var/etc/openvpn/client3/ca
cert /var/etc/openvpn/client3/cert 
key /var/etc/openvpn/client3/key 
tls-auth /var/etc/openvpn/client3/tls-auth 1
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
allow-compression asym
resolv-retry infinite
fast-io
sndbuf 524288
rcvbuf 524288
tun-mtu 1500

fragment 1300

mssfix 1200

route-nopull

You can see that the custom option are added at the end with an extra blank line after each line. And a final "route-nopull" is added at the end.

Always check & compare this file with the original Express config.ovpn file.
Difference might exist, as we can't know what openvpn (version) ExpressVPN is using.
pfSense 23.01 uses :

[23.01-RELEASE][admin@pfSense.omg.net]/cf/conf: openvpn --version
OpenVPN 2.6_beta1 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] [DCO]
library versions: OpenSSL 1.1.1t-freebsd  7 Feb 2023, LZO 2.10
....

Nice, a beta version

123123

@wendellkbest said in ExpressVPN setup by beginner for beginners:

@123123 The "openvpn-client-import" package is no longer available. Do you have any instructions for entering the settings manually? Would also help to give details on the Custom Options

1. If you want to enter the certificate details manually, you can follow the manual setup document available on the ExpressVPN site.

   But I would double-check the pfsense Package Manager whether the import package tool is available (or maybe is already installed on your pfsense).

   https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

2. Now that I got some reputation points, I was able to update the old posts. I updated the original posts with details about the "Custom Options" field values, but my intent was for the instructions to be somewhat dynamic as things change over time (like if ExpressVPN updates the .ovpn files or something like that).

Gertjan

@123123 said in ExpressVPN setup by beginner for beginners:

(like if ExpressVPN updates the .ovpn files or something like that)

Or the OpenVPN version used by pfSense changes !
Or the OpenVPN version used by Express changes.
For the normal Express clients, this is a none-issue as they 'just have to upgrade their Express VPN client and done.
When you use an VPN ISP with pfSense, you don't use their client.
You and I and many others do things 'the hard way, also known as 'manually'.
When the version changes, parameters can get declared 'not wanted' - and new parameters can get added.
For some, there will be a pfSense GUI equivalent so you handle their usage with some ease.
For some, the custom option box is needed.

Right now, pfSense ans Express seems to be in sync, as my custom options box contains the bare minimum :

I'm pretty sure these parameters, fragment and mssfix, the decimal values, are not optimal.