ExpressVPN down on pfsense 2.4.4
-
Hi, I've been having some trouble getting my VPN to work on my pfSense firewall. I followed the guide on ExpressVPN's website but it's still showing as down, and their support advised me to post here.
My firewall separates my lab environment from my home network, so it actually has two private IPs, one on the LAN and one on the "WAN". I have an internet connection in my lab environment and it is going through the firewall, but for some reason the VPN won't connect. I've posted the log info for the VPN below but I wasn't able to find an obvious error; I'm hoping a fresh set of more experienced eyes may be able to tell me where I'm going wrong?
Any help is much appreciated!
Feb 24 20:29:05 openvpn 58820 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
Feb 24 20:29:05 openvpn 58820 Socket Buffers: R=[42080->524288] S=[57344->524288]
Feb 24 20:29:05 openvpn 58820 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
Feb 24 20:29:05 openvpn 58820 UDPv4 link remote: [AF_INET]78.129.233.144:1195
Feb 24 20:29:05 openvpn 58820 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=63d2c1f8 213e455a
Feb 24 20:29:05 openvpn 58820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Feb 24 20:29:05 openvpn 58820 VERIFY OK: nsCertType=SERVER
Feb 24 20:29:05 openvpn 58820 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:29:10 openvpn 58820 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Feb 24 20:29:10 openvpn 58820 MANAGEMENT: CMD 'state 1'
Feb 24 20:29:10 openvpn 58820 MANAGEMENT: Client disconnected
Feb 24 20:29:15 openvpn 58820 event_wait : Interrupted system call (code=4)
Feb 24 20:29:15 openvpn 58820 SIGTERM[hard,] received, process exiting
Feb 24 20:29:22 openvpn 94263 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Feb 24 20:29:22 openvpn 94263 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
Feb 24 20:29:22 openvpn 94263 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Feb 24 20:29:22 openvpn 94518 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Feb 24 20:29:22 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Feb 24 20:29:22 openvpn 94518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 24 20:29:22 openvpn 94518 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 24 20:29:22 openvpn 94518 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Feb 24 20:29:22 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
Feb 24 20:29:22 openvpn 94518 Socket Buffers: R=[42080->524288] S=[57344->524288]
Feb 24 20:29:22 openvpn 94518 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
Feb 24 20:29:22 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.233.144:1195
Feb 24 20:29:22 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=9715f081 ba9e90af
Feb 24 20:29:22 openvpn 94518 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Feb 24 20:29:22 openvpn 94518 VERIFY OK: nsCertType=SERVER
Feb 24 20:29:22 openvpn 94518 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:29:27 openvpn 94518 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Feb 24 20:29:27 openvpn 94518 MANAGEMENT: CMD 'state 1'
Feb 24 20:29:27 openvpn 94518 MANAGEMENT: Client disconnected
Feb 24 20:30:22 openvpn 94518 [Server-205-1a] Inactivity timeout (--ping-restart), restarting
Feb 24 20:30:22 openvpn 94518 SIGUSR1[soft,ping-restart] received, process restarting
Feb 24 20:30:22 openvpn 94518 Restart pause, 10 second(s)
Feb 24 20:30:32 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Feb 24 20:30:32 openvpn 94518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 24 20:30:32 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.231.93:1195
Feb 24 20:30:32 openvpn 94518 Socket Buffers: R=[42080->524288] S=[57344->524288]
Feb 24 20:30:32 openvpn 94518 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
Feb 24 20:30:32 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.231.93:1195
Feb 24 20:30:32 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.231.93:1195, sid=5326bff1 1733fd96
Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Feb 24 20:30:32 openvpn 94518 VERIFY OK: nsCertType=SERVER
Feb 24 20:30:32 openvpn 94518 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
-
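A small triage script for the log above, added here as an example and not part of the original post or of pfSense. It splits the OpenVPN client log into connection attempts (one per "Preserving recently used remote address" line) and flags attempts where the server certificate verified ("VERIFY OK: depth=0") but no "Initialization Sequence Completed" line followed before the process was killed or restarted, which is what every attempt in the log above shows. The embedded sample reproduces lines from that log and appends three constructed lines for a healthy attempt (documentation address 203.0.113.10 and an invented CN Server-999-1a, neither from the page) so the contrast is visible.

```python
"""Split a pfSense OpenVPN client log into connection attempts and flag the
ones that verified the server certificate but never finished initializing."""
import re
from dataclasses import dataclass, field

# pfSense/syslog line shape seen in the post: "Feb 24 20:29:22 openvpn 94518 <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) (?P<msg>.*)$")
REMOTE_RE = re.compile(r"\[AF_INET6?\](\S+)$")
CN_RE = re.compile(r"\bCN=([^,]+)")


@dataclass
class Attempt:
    started: str
    pid: str
    remote: str
    server_cn: str = ""
    server_cert_ok: bool = False   # saw "VERIFY OK: depth=0"
    initialized: bool = False      # saw "Initialization Sequence Completed"
    outcome: str = "unknown"       # connected / ping-restart / sigterm / restart / unknown
    warnings: list = field(default_factory=list)

    def stuck_after_verify(self):
        """Certificate chain accepted, but the session never came up."""
        return self.server_cert_ok and not self.initialized


def parse_attempts(log_text):
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, pid, msg = m.group("ts", "pid", "msg")
        if msg.startswith("TCP/UDP: Preserving recently used remote address"):
            r = REMOTE_RE.search(msg)          # a new attempt begins once the remote is chosen
            cur = Attempt(ts, pid, r.group(1) if r else "?")
            attempts.append(cur)
        elif cur is None or cur.pid != pid:
            continue                           # banner/socket lines before an attempt starts
        elif msg.startswith("WARNING:"):
            cur.warnings.append(msg[8:].strip())
        elif msg.startswith("VERIFY OK: depth=0"):
            cur.server_cert_ok = True          # leaf (server) certificate verified
            cn = CN_RE.search(msg)
            cur.server_cn = cn.group(1) if cn else ""
        elif "Initialization Sequence Completed" in msg:
            cur.initialized, cur.outcome = True, "connected"
        elif "Inactivity timeout (--ping-restart)" in msg:
            cur.outcome = "ping-restart"
        elif msg.startswith("SIGTERM"):
            cur.outcome, cur = "sigterm", None
        elif msg.startswith("SIGUSR1"):
            if cur.outcome == "unknown":
                cur.outcome = "restart"
            cur = None
    return attempts


def summarize(attempts):
    out = []
    for a in attempts:
        if a.initialized:
            state = "tunnel up"
        elif a.server_cert_ok:
            state = "server cert verified, no 'Initialization Sequence Completed'"
        else:
            state = "never reached server cert verification"
        out.append(f"{a.started} pid {a.pid} -> {a.remote} CN={a.server_cn or '?'}: "
                   f"{state}; ended by {a.outcome}")
    return out


# Lines from the post, plus a constructed healthy attempt at the end (203.0.113.10 is a
# documentation address and Server-999-1a an invented CN; neither appears in the post).
SAMPLE_LOG = """\
Feb 24 20:29:05 openvpn 58820 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
Feb 24 20:29:05 openvpn 58820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:29:15 openvpn 58820 SIGTERM[hard,] received, process exiting
Feb 24 20:29:22 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Feb 24 20:29:22 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
Feb 24 20:29:22 openvpn 94518 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:30:22 openvpn 94518 [Server-205-1a] Inactivity timeout (--ping-restart), restarting
Feb 24 20:30:22 openvpn 94518 SIGUSR1[soft,ping-restart] received, process restarting
Feb 24 20:30:32 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Feb 24 20:30:32 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.231.93:1195
Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
Feb 24 20:31:00 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1195
Feb 24 20:31:00 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-999-1a, emailAddress=support@expressvpn.com
Feb 24 20:31:01 openvpn 94518 Initialization Sequence Completed
"""

if __name__ == "__main__":
    atts = parse_attempts(SAMPLE_LOG)
    print(*summarize(atts), sep="\n")
    for a in atts:
        if a.stuck_after_verify():
            print(f"  stuck: pid {a.pid} {a.remote}; warnings: {a.warnings}")
```

Run against a real pfSense log (Status > System Logs > OpenVPN, or /var/log/openvpn.log) by reading the file into parse_attempts. An attempt that verifies the chain but never initializes points at what happens after certificate verification, which is consistent with the certificate configuration being what the original poster ended up recreating; a healthy attempt always ends with "Initialization Sequence Completed".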
Check VPN/OpenVPN/Clients/Edit. That is where your problem exists with ExpressVPN. Without the correct configuration, you will not be able to connect.
-
Here are my custom settings
remote-random; pull; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; auth-nocache;
Screen settings below
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: TUN
Interface: WAN
Server Port: 1195
TLS Config: Use a TLS Key (looks like you have all the keys properly)
Encryption Algorithm: AES-256-CBC
Enable NCP: unchecked
Auth Digest Algorithm: SHA512
Hardware Crypto: depends on your system (No Hardware is normal)
Compression: LZO Compression [compress lzo....]
Topology: Subnet - One IP
Don't Pull Routes: unchecked
Don't Add/Remove Routes: unchecked
UDP Fast I/O: checked
Send/Receive Buffer: 512K
Gateway: IPv4 only
The above settings work fine with a single ExpressVPN connection.
I had a problem with the package manager not connecting when using the Rotterdam access point.
I changed the access point and the problem was solved, so you might also want to try that. The only problem I currently have is connecting to two access points in a member-down mode.
As soon as the second client is up, the routing for certain services, e.g. Android and Linux updates, breaks (although browsing works).
-
@gwaitsi said in ExpressVPN down on pfsense 2.4.4:
Here are my custom settings
remote-random; pull; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; auth-nocache;
Screen settings below
Server Mode: Peer to Peer (SSL/TLS)
Protocol: UDP
Device Mode: TUN
Interface: WAN
Server Port: 1195
TLS Config: Use a TLS Key (looks like you have all the keys properly)
Encryption Algorithm: AES-256-CBC
Enable NCP: unchecked
Auth Digest Algorithm: SHA512
Hardware Crypto: depends on your system (No Hardware is normal)
Compression: LZO Compression [compress lzo....]
Topology: Subnet - One IP
Don't Pull Routes: unchecked
Don't Add/Remove Routes: unchecked
UDP Fast I/O: checked
Send/Receive Buffer: 512K
Gateway: IPv4 only
The above settings work fine with a single ExpressVPN connection.
I had a problem with the package manager not connecting when using the Rotterdam access point.
I changed the access point and the problem was solved, so you might also want to try that. The only problem I currently have is connecting to two access points in a member-down mode.
As soon as the second client is up, the routing for certain services, e.g. Android and Linux updates, breaks (although browsing works).
Looks fine to me, I have a similar config.
# pfSense-generated OpenVPN client config (the GUI writes this to /var/etc/openvpn/client1.conf)
dev ovpnc1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local MYIPADDRESS
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote usa-washingtondc-ca-version-2.expressnetw.com 1195
auth-user-pass /var/etc/openvpn/client1.up
auth-retry nointeract
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
ncp-disable
comp-lzo adaptive
resolv-retry infinite
route-nopull
fast-io
sndbuf 524288
rcvbuf 524288
# From here on the directives repeat ones above: pfSense appends the Custom options box verbatim
fast-io
persist-key
persist-tun
remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
sndbuf 524288
rcvbuf 524288
-
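A lint pass over a config assembled the way pfSense assembles the one above, added here as an example and not code from the post or from pfSense. It parses an OpenVPN config file and the semicolon-separated Custom options box that pfSense appends to it, then reports the two conditions the log in the first post warns about (ns-cert-type instead of remote-cert-tls, auth-user-pass without auth-nocache), the script-security level the log's NOTE refers to, and directives that end up in the merged config twice. GENERATED_EXCERPT is trimmed from the generated part of the config above; EPSENSE_CUSTOM is an assumption, the tail of that config as it would have been typed into the box; GWAITSI_CUSTOM is the custom settings string from the earlier reply.

```python
"""Lint an OpenVPN client config the way pfSense assembles it: the generated
directives first, then the contents of the Custom options box appended."""
from collections import Counter

# Trimmed from the config in the post above (pfSense-generated part only).
GENERATED_EXCERPT = """\
dev ovpnc1
verb 3
#user nobody
#group nobody
script-security 3
keepalive 10 60
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
tls-client
client
remote usa-washingtondc-ca-version-2.expressnetw.com 1195
auth-user-pass /var/etc/openvpn/client1.up
tls-auth /var/etc/openvpn/client1.tls-auth 1
ncp-disable
comp-lzo adaptive
fast-io
"""
# Assumed: the tail of that config, as it would have been typed into the Custom options box.
EPSENSE_CUSTOM = ("fast-io; persist-key; persist-tun; remote-random; pull; comp-lzo; tls-client; "
                  "verify-x509-name Server name-prefix; ns-cert-type server; key-direction 1; "
                  "route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; verb 3")
# The custom settings string from the earlier reply, verbatim.
GWAITSI_CUSTOM = ("remote-random; pull; verify-x509-name Server name-prefix; remote-cert-tls server; "
                  "key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; "
                  "mssfix 1450; auth-nocache;")


def parse_openvpn_config(text):
    """OpenVPN file syntax: one directive per line, '#' or ';' starts a comment line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            out.append((parts[0], " ".join(parts[1:])))
    return out


def parse_custom_options(text):
    """pfSense Custom options box: directives separated by ';' on one line."""
    out = []
    for chunk in text.split(";"):
        parts = chunk.split()
        if parts:
            out.append((parts[0], " ".join(parts[1:])))
    return out


def lint(directives):
    """Return (severity, message) findings for the merged directive list."""
    names = [d for d, _ in directives]
    findings = []
    if "ns-cert-type" in names:
        findings.append(("warn", "ns-cert-type is deprecated; use 'remote-cert-tls server' "
                                 "(OpenVPN 2.4 logs the same warning at startup)"))
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append(("warn", "auth-user-pass without auth-nocache: OpenVPN warns the "
                                 "password may be cached in memory"))
    for d, v in directives:
        if d == "script-security" and v.isdigit() and int(v) >= 2:
            findings.append(("info", f"script-security {v}: up/down and other user scripts may run"))
    for d, n in Counter(names).items():        # insertion-ordered in Python 3.7+
        if n > 1:
            vals = [v for dd, v in directives if dd == d]
            findings.append(("info", f"duplicate directive '{d}' ({n}x): {vals}"))
    return findings


if __name__ == "__main__":
    gen = parse_openvpn_config(GENERATED_EXCERPT)
    for label, custom in (("posted tail", EPSENSE_CUSTOM), ("gwaitsi's box", GWAITSI_CUSTOM)):
        print(f"== generated + {label}")
        for sev, msg in lint(gen + parse_custom_options(custom)):
            print(f"  [{sev}] {msg}")
```

With the posted tail the merged config reproduces both warnings seen in the first post's log and lists every directive that appears twice; with the custom settings from the earlier reply only the script-security note remains, because that string uses remote-cert-tls and auth-nocache and repeats nothing pfSense already generated.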
@epsense did you try to set up two access points as failover?
I still get a strange issue where Linux machines can't find the package mirrors or have very low bandwidth if I do, but everything else seems to work OK.
-
I managed to resolve my issue. It was an issue with the certificate configuration; I recreated it and it's working now.
Thanks for the response :)
-
@gwaitsi said in ExpressVPN down on pfsense 2.4.4:
@epsense did you try to set up two access points as failover?
I still get a strange issue where Linux machines can't find the package mirrors or have very low bandwidth if I do, but everything else seems to work OK.
Not yet, I'm still messing around. When I stop the VPN and try to restart it, it won't connect, still saying it's pending. Then I go to System/Routing and change to DHCP4, and my VPN starts back up; once it does, I have to change DHCP4 back to EXPRESSVPN_VPN4 and then it starts to tunnel correctly.
-
@FuturamaPhill what did you do? I am facing similar issues.
-
I haven't got ExpressVPN, but it sounds like Phill simply re-created or re-selected his OpenVPN certificates, downloaded a fresh copy and used them instead.
pfSense can be tricky: one wrong setting or one wrong copy-and-paste of a certificate and it won't work. It's always best to take your time, re-read the guides and double-check your settings; I'm still making mistakes from time to time.