ExpressVPN (OpenVPN) not working on pfSense 2.5.0a devel

coleni25

Hello everybody,
I'm new on this forum.
I've been using ExpressVPN for years on my pfSense router QOTOM-Q355G4 (pfSense V. 2.4.3 / 2.4.4 / 2.4.5) and now on 2.5.0a devel version after upgrading.
Just a few days before updating from 2.4.5, ExpressVPN stopped working : the link is UP (in OpenVPN status client instances) but when connecting to internet from any equipment (pc via cable or WiFi or mobile via Wifi), the ExpressVPN HTTP URL used for IP testing (https://www.expressvpn.com/fr/what-is-my-ip) always shows the ISP server address : ExpressVPN is never routing packets anymore.
Has someone the same issue since a few days ?
Thanks for your answers.

coleni25

Nobody working with ExpressVPN on pfSense router ?

farmishly

Any joy? facing the same issue here and am very confused. Everything done by the book, everything looks right and the link is up - gateway status is "pending" but I'm not sure if that's an issue - and there's traffic going through the firewall rule. BUT when I check my IP, like you, it is my public facing IP.

Maybe an update changed something?

coleni25

@farmishly
Hi farmishly, I'm currently not @ home and not accessing my router.
But what I remember is that you have to configure your virtual gateway and reject direct incoming traffic from WAN (if you have first configured your virtual route thru ExpressVPN gateway using only IP port 443).
The configuration document on the web is quite clear and, if you don't forget anything, it is perfectly working.
Please follow the help doc step by step for checking.
Regards.

coleni25

@farmishly
Important : don't forget NO_WAN_EGRESS rule

i.e. https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

clhols

@coleni25 Hi, I just updated to 2.5.0 and started seeing the ISP IP address like you.
Adding the NO_WAN_EGRESS rule stop traffic altogether.

I am not sure what you mean by "configure your virtual gateway and reject direct incoming traffic from WAN" or "configuration document on the web is quite clear".

Is it a pfsense configuration document or ExpressVPN configuration document?

coleni25

@clhols

https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

clhols

@coleni25 Adding that rule results in:

This site can’t be reached
google.com refused to connect.

When trying to browse google.com.

clhols

@coleni25 Found a solution.
Under "System / Routing / Gateways" I edited the VPN gateway and checked "Disable Gateway Monitoring". So for some reason pfsense must think the gateway is down and sends traffic through WAN. I guess the Express VPN host doesn't respond to the pings.

An alternative is to set "Monitor IP" to some DNS servers IP like 1.1.1.2.

coleni25

@clhols
I'm not using ExpressVPN anymore on pfSense since my web provider doesn't accept secured smtp traffic over VPN (emails seem to be sent but are never received by the recipient).
So I'm using ExpressVPN on each device (p.c. or smartphone) with a special configuration for Outlook app.
Regards

Crackerjackshot

@clhols This only killed my internet connection.