ExpressVPN interface is up but gateway is down
-
Unfortunately It did not work here is the new openvpn log
–-------------------------------
Apr 27 09:50:42 openvpn 78208 SENT CONTROL [Server-477-1a]: 'PUSH_REQUEST' (status=1)
Apr 27 09:50:42 openvpn 78208 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.146.0.1,route 10.146.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.146.6.114 10.146.6.113'
Apr 27 09:50:42 openvpn 78208 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 09:50:42 openvpn 78208 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 09:50:42 openvpn 78208 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 09:50:42 openvpn 78208 OPTIONS IMPORT: timers and/or timeouts modified
Apr 27 09:50:42 openvpn 78208 OPTIONS IMPORT: –ifconfig/up options modified
Apr 27 09:50:42 openvpn 78208 Preserving previous TUN/TAP instance: ovpnc1
Apr 27 09:50:42 openvpn 78208 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Apr 27 09:50:42 openvpn 78208 Closing TUN/TAP interface
Apr 27 09:50:42 openvpn 78208 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1605 10.146.7.222 10.146.7.221 init
Apr 27 09:50:43 openvpn 78208 TUN/TAP device ovpnc1 exists previously, keep at program end
Apr 27 09:50:43 openvpn 78208 TUN/TAP device /dev/tun1 opened
Apr 27 09:50:43 openvpn 78208 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 27 09:50:43 openvpn 78208 /sbin/ifconfig ovpnc1 10.146.6.114 10.146.6.113 mtu 1500 netmask 255.255.255.255 up
Apr 27 09:50:43 openvpn 78208 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1605 10.146.6.114 10.146.6.113 init
Apr 27 09:50:45 openvpn 78208 Initialization Sequence Completed -
What does it say about the EXPRESSVPN interface under "status -> interfaces"?
-
EXPRESSVPN Interface (opt1, ovpnc1)
Status
up
MAC Address
00:00:00:00:00:00
IPv6 Link Local
fe80::2ec:acff:fece:d1ce%ovpnc1
MTU
1500
In/out packets
0/412539 (0 B/12.72 MiB)
In/out packets (pass)
0/412539 (0 B/12.72 MiB)
In/out packets (block)
0/0 (0 B/0 B)
In/out errors
0/0
Collisions
0Under status - gateways
EXPRESSVPN_VPNV4 Pending Pending Pending Pending Interface EXPRESSVPN_VPNV4 Gateway
-
My gateway status says it is offline and yet it is still sending data.
Did you setup the firewall rules yet?
Also, you might consider a fresh reboot of the router just to recover for all the changes you have been making. Something may have gone stale. I did it once or twice when I was trying to get things working.
I'm transferring files now using it, but when I'm done I will check my openvpn logs to see if they match yours. Can you send upload the latest version after the reboot?
-
Its when i enable the rule to tunnel to express vpn that my connections go out
–------------------------
Time Process PID Message
Apr 27 14:01:57 openvpn 15246 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 14:01:57 openvpn 15246 OPTIONS IMPORT: timers and/or timeouts modified
Apr 27 14:01:57 openvpn 15246 OPTIONS IMPORT: –ifconfig/up options modified
Apr 27 14:01:57 openvpn 15246 Preserving previous TUN/TAP instance: ovpnc1
Apr 27 14:01:57 openvpn 15246 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Apr 27 14:01:57 openvpn 15246 Closing TUN/TAP interface
Apr 27 14:01:57 openvpn 15246 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1605 10.168.7.106 10.168.7.105 init
Apr 27 14:01:58 openvpn 15246 TUN/TAP device ovpnc1 exists previously, keep at program end
Apr 27 14:01:58 openvpn 15246 TUN/TAP device /dev/tun1 opened
Apr 27 14:01:58 openvpn 15246 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 27 14:01:58 openvpn 15246 /sbin/ifconfig ovpnc1 10.135.6.162 10.135.6.161 mtu 1500 netmask 255.255.255.255 up
Apr 27 14:01:58 openvpn 15246 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1605 10.135.6.162 10.135.6.161 init
Apr 27 14:02:00 openvpn 15246 Initialization Sequence Completed
Apr 27 14:04:57 openvpn 15246 [Server-281-1a] Inactivity timeout (–ping-restart), restarting
Apr 27 14:04:57 openvpn 15246 SIGUSR1[soft,ping-restart] received, process restarting
Apr 27 14:04:57 openvpn 15246 Restart pause, 2 second(s)
Apr 27 14:04:59 openvpn 15246 NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Apr 27 14:04:59 openvpn 15246 Socket Buffers: R=[42080->524288] S=[57344->524288]
Apr 27 14:04:59 openvpn 15246 UDPv4 link local (bound): [AF_INET]174.57.176.116
Apr 27 14:04:59 openvpn 15246 UDPv4 link remote: [AF_INET]107.181.69.67:1195
Apr 27 14:04:59 openvpn 15246 TLS: Initial packet from [AF_INET]107.181.69.67:1195, sid=c3073308 1a28242b
Apr 27 14:04:59 openvpn 15246 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Apr 27 14:04:59 openvpn 15246 VERIFY OK: nsCertType=SERVER
Apr 27 14:04:59 openvpn 15246 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-313-1a, emailAddress=support@expressvpn.com
Apr 27 14:04:59 openvpn 15246 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-313-1a, emailAddress=support@expressvpn.com
Apr 27 14:04:59 openvpn 15246 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1605', remote='link-mtu 1606'
Apr 27 14:04:59 openvpn 15246 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Apr 27 14:04:59 openvpn 15246 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 27 14:04:59 openvpn 15246 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 27 14:04:59 openvpn 15246 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 27 14:04:59 openvpn 15246 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 27 14:04:59 openvpn 15246 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 27 14:04:59 openvpn 15246 [Server-313-1a] Peer Connection Initiated with [AF_INET]107.181.69.67:1195
Apr 27 14:05:01 openvpn 15246 SENT CONTROL [Server-313-1a]: 'PUSH_REQUEST' (status=1)
Apr 27 14:05:01 openvpn 15246 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.182.0.1,route 10.182.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.182.7.186 10.182.7.185'
Apr 27 14:05:01 openvpn 15246 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 14:05:01 openvpn 15246 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 14:05:01 openvpn 15246 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 14:05:01 openvpn 15246 OPTIONS IMPORT: timers and/or timeouts modified
Apr 27 14:05:01 openvpn 15246 OPTIONS IMPORT: –ifconfig/up options modified
Apr 27 14:05:01 openvpn 15246 Preserving previous TUN/TAP instance: ovpnc1
Apr 27 14:05:01 openvpn 15246 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Apr 27 14:05:01 openvpn 15246 Closing TUN/TAP interface
Apr 27 14:05:01 openvpn 15246 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1605 10.135.6.162 10.135.6.161 init
Apr 27 14:05:02 openvpn 15246 TUN/TAP device ovpnc1 exists previously, keep at program end
Apr 27 14:05:02 openvpn 15246 TUN/TAP device /dev/tun1 opened
Apr 27 14:05:02 openvpn 15246 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 27 14:05:02 openvpn 15246 /sbin/ifconfig ovpnc1 10.182.7.186 10.182.7.185 mtu 1500 netmask 255.255.255.255 up
Apr 27 14:05:02 openvpn 15246 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1605 10.182.7.186 10.182.7.185 init
Apr 27 14:05:04 openvpn 15246 Initialization Sequence Completed -
First off, which version of pfsense are you using?
Are you certain all settings in "VPN -> OpenVPN -> Clients -> Edit" are set correctly?
In "firewall -> NAT -> Outbound" you only need one rule, that is to pass anything on 192.168.0.0/24 to EXPRESSVPN, you should be able to disable the others (192.168.0.0 may not match you subnet).
In "firewall -> Rules -> LAN" you can have a single rule which forwards traffic to your single PC if you like or a subnet to EXPRESS_VPNV4. You can disable it to which off forwarding your traffic to the VPN.
Has the "Status -> Interfaces" changed since the reboot? -
I had a similar issue too.
The instructions are unfortunately incorrect.
Referring to the document at:
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn
In the section where you configure the EXPRESSVPN interface, DO NOT set the IPv4 Configuration as DHCP, set it as NONE. OpenVPN will automatically configure the interface with an IP address and routes, it doesn't need DHCP to do this. Once it is done, restart the openvpn service (under status -> openvpn).
I have the same issues as OP. the tutorial also shows on the OpenVPN client settings in pfsense to click on "Don't pull routes - Bars the server from adding routes to the client's routing table". Meaning no routes would be pulled over. Are you suggesting that this part of the tutorial is wrong too? Can you please post your OpenVPN client config?
I am running 2.3.3-p1
-
After sorting through the OpenVPN logs and looking at the .ovpn settings file from ExpressVPN I figured it out.
I was seeing this in my OpenVPN settings:
May 10 20:08:33 openvpn 15843 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'"comp-lzo" is listed in the .ovpn settings file from ExpressVPN, but not in their tutorial. I added it to the Advanced Configuration custom options field, enabled the firewall rule to push my LAN traffic to the gateway, and like magic, it all works now.
Here are my custom options:
fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288Hope this helps some of you other ExpressVPN users that have found their tutorial not correct.
-
Hi Sneakking,
could you please send me all your settings ?
I still cannot get the gateway up.
Many thanks,
christian
-
Hi,
I had the same problem. With a couple of different settings, which are different from the instructions (written for pfSense 2.3.0) on the website of ExpressVPN I got it to work.
- In the dropdownmenu of the "IP4 configuration type" of the expressvpn interface set: none (DHCP doesn't work)
- In the OpenVPN-clientsettings: TLS key Usage Mode: set "TLS key Authentication" (With aditional encryption it does not work)
In custom options I use these settings:
fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name- prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288 - In the Firewall/Aliases: be sure you enter the right subnets that are between the pfSenseserver and the actual clients (I had an extra wirelessrouter between pfSense and the clients so I had to enter an extra subnet to get it to work)
The only problem I stil have is that althought the interface and the gateway are up and working. Dpinger cannot ping the VPN server. I have set the Data payload to 1 but I still don't get a ping… If I enter 8.8.8.8 to monitor I get a huge packetloss >40%...
Maybe someone can give me advise at this point to get better monitoring results? (I guess this is important for load balancing if you enter multiple gateways to diffenrent VPN servers) -
@lansmurf said in ExpressVPN interface is up but gateway is down:
The only problem I stil have is that althought the interface and the gateway are up and working. Dpinger cannot ping the VPN server. I have set the Data payload to 1 but I still don't get a ping… If I enter 8.8.8.8 to monitor I get a huge packetloss >40%...
Maybe someone can give me advise at this point to get better monitoring results? (I guess this is important for load balancing if you enter multiple gateways to diffenrent VPN servers)A bit late, but replying in case it might help someone. I had same problem with Dpinger and packet loss. Solved it by enabling Hardware Crypto in openvpn client. Now I can use external IP to monitor if VPN gateway is online. Of course, your hardware needs to support this.