PFsense 2.5 RC OpenVPN/ExpressVPN problem

LayerThree

@jairoav25 I understand this but I will stay with PfSense and try to figure this Problem out xD

stephenw10

Mmm, this seems almost certainly to be a config mismatch between the OpenVPN 2.5 client in pfSense 2.5 (confusingly!) and the OpenVPN 2.4 server you're trying to connect to.

The first thing I would try is leaving NCP enabled and adding AES-256-CBC to the list of ciphers.

Also set compression to 'Omit prefernce' since you can see in the logs the server is pushing comp-lzo no but you have it set to adaptive.

Steve

applesalwaysred

@layerthree Yes.

JairoAV25

@layerthree

OpenWRT didn't work. The solution in my case was to install OpnSense. Check my response here

stephenw10

Anyone seeing a problem with the expressvpn certificate?

Just seen where it looks like they are issuing a 50 year cert that is overrunning a counter and hence shows as expired.

Steve

OpenResty

Hey, I could be wrong but I think its something to do with the NAT.
I personnaly would try going over to NordVPN's SetUp for pfsense 2.5 & try that . Try loading both tutorials next to each other in browser to compare.
Now In the beginning of tutorial try to Load cetificates the expressvpn way instead of Nords, But then from there follow Nordvpn for the rest of the setup. Also Make Sure when you add Expressvpn to the NAT as described that you add it to the top of the Mappings List & not at the bottom.
Maybe having a look at Nords Tutorial may give some Clues. Also make sure you reboot pfsense after setup as it may still look like its not working but hopefully will after a reboot.
I dont think theres any harm in trying but make sure to reboot if it looks to not work after.
If it will work for NordVPN 2.5 then it may work for Express. XXXX

applesalwaysred

@openresty Just got an update from support. Removed the option "Don't pull routes" which is mentioned in their guide. I now have an encrypted connection.

LayerThree

@applesalwaysred so u did everything like in the guide except this the "Dont pull routes" and it works?

If that's true, then I will update soon!

stephenw10

@stephenw10 said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

Anyone seeing a problem with the expressvpn certificate?

Just seen where it looks like they are issuing a 50 year cert that is overrunning a counter and hence shows as expired.

Yeah if you're using the SG-3100 (or SG-1000) you might hit that. There is a patch for it now:
https://redmine.pfsense.org/issues/11504

Steve

LayerThree

So the "Don't pull routes" solved the whole problem.

Follow the guide, except this step and then restart ur machine. After this everything works.

Thank you for ur help!

bcruze

@layerthree said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

So the "Don't pull routes" solved the whole problem.

Follow the guide, except this step and then restart ur machine. After this everything works.

Thank you for ur help!

I posted in the other thread. I just reset up my provider that wasn't working

it connected. but if I restart the tunnel. traffic stop passing again

you?

stephenw10

I would always set 'don't pull routes' personally. Otherwise you're at the mercy of whatever they want to send you, which is usually a new default route.
However if you don't pull routes from them you need to policy route the traffic you want via the VPN gateway.

Steve

trikki69

Apologies for resurrecting this thread 5 months after the last post but I'm hoping the solution I found helps someone else out with pfsense and ExpressVPN problems.

I've been having really big problems trying to get ExpressVPN working on pfsense - took me about 6 hrs of troubleshooting yesterday.

First, I set the VPN gateways to "unmonitored" in the routing section of pfsense - don't think it made any differece but the gateways now report as green "up - unmonitored" instead of red "offline - 100% Packet loss"

I thought I'd found the answer in this post about unchecking "don't pull routes" but as per @stephenw10 commented, I was getting a new default route pushed to me, all of my clients where getting pushed out of the VPN interface which is not what I wanted.
I tried adding my own default route but as soon as the VPN service stopped and started again the VPN pushed default route was back again and all of my clients were being sent out over the VPN again.

I finally added this to my advanced custom options within the OpenVPN client setup:
;pull-filter ignore redirect-gateway;

I don't get any problems with VPN pushed default routes now even when the VPN services are restarted.
Hope this helps someone in the future. :)

noplan

@trikki69 said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

so your problem is now solved with this

added this to my advanced custom options within the OpenVPN client setup:
;pull-filter ignore redirect-gateway;

brNP

trikki69

@noplan said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

@trikki69 said in PFsense 2.5 RC OpenVPN/ExpressVPN problem:

so your problem is now solved with this

added this to my advanced custom options within the OpenVPN client setup:
;pull-filter ignore redirect-gateway;

brNP

Yep - works great now, no thanks to ExpressVPN support.