Netgate Discussion Forum
Setting up OpenVPN with ExpressVPN

Category: OpenVPN
20 Posts, 6 Posters, 19.1k Views
kevindd992002 (last edited Sep 26, 2016, 4:04 PM)

    So I got this working by creating the OpenVPN client with these custom options (which I got from the OpenVPN file I downloaded from ExpressVPN):

    fast-io;persist-key;persist-tun;pull;ns-cert-type server;tun-mtu 1500;fragment 1300;mssfix 1450;keysize 256;sndbuf 524288;rcvbuf 524288

    And then I enabled Hybrid Outbound NAT and duplicated the default rules with the Interface set to the OpenVPN interface as the only difference. I only have one WAN interface, so it's really just a flat environment.

    My only problem now is that all traffic (even without changing the default LAN firewall rules) goes through the VPN interface. Is this normal by default? I checked and made sure that the WAN gateway is still the "default" gateway, and yes it is. Under Diagnostics -> Routes though, I see that there's a 0.0.0.0/1 route that goes through the VPN interface, which I think is the cause of the issue. I was assuming that policy-based routing would still take effect here, but it seems that this is not the case.

    What am I doing wrong? Please help. Thanks.

    EDIT: And by the way, is it normal to have around 50% loss in the interface monitoring section of the VPN interface? I set 208.67.222.222 as the monitor IP for the interface and it's always showing offline under the dashboard because of such a high loss.

johnpoz LAYER 8 Global Moderator (last edited Sep 26, 2016, 4:13 PM)

      Make sure you set your client not to pull routes if you want to use policy routing.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

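Why the pushed 0.0.0.0/1 route wins over the WAN default, and why "Don't pull routes" fixes it, comes down to longest-prefix matching. The following Python script is an added illustration, not code from this thread or from pfSense: it models the routing table before and after the client accepts the server's pushed redirect-gateway (the 0.0.0.0/1 seen in Diagnostics -> Routes plus its companion 128.0.0.0/1, which together cover every IPv4 destination) and shows that a firewall rule's gateway (pf route-to) bypasses the table entirely. All addresses are constructed documentation-range values.

```python
import ipaddress

# Constructed addresses (documentation ranges), not values from the thread.
WAN_GW = "203.0.113.1"        # assumed ISP gateway on WAN
VPN_GW = "10.8.0.1"           # assumed tunnel peer handed out by the VPN server
VPN_SERVER = "198.51.100.7"   # assumed public address of the VPN server


def lookup(routes, dst):
    """Plain longest-prefix match over (prefix, gateway) pairs.

    The most specific prefix containing dst wins. Metrics are ignored because
    every prefix here is distinct, which is exactly why 0.0.0.0/0 can never
    beat 0.0.0.0/1 or 128.0.0.0/1: a /1 is always "more specific" than a /0.
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def table_with_pulled_routes():
    """Kernel table after the client accepts the server's pushed redirect-gateway:
    a /32 to the VPN server via WAN so the tunnel itself stays reachable, plus
    two /1 routes that between them cover all of IPv4."""
    return [
        ("0.0.0.0/0", WAN_GW),
        (VPN_SERVER + "/32", WAN_GW),
        ("0.0.0.0/1", VPN_GW),
        ("128.0.0.0/1", VPN_GW),
    ]


def table_with_route_nopull():
    """With 'Don't pull routes' (--route-nopull) nothing pushed by the server
    lands in the table, so the WAN default route is the only way out."""
    return [("0.0.0.0/0", WAN_GW)]


def egress(routes, dst, policy_gw=None):
    """A firewall rule with a gateway set (pf route-to) overrides the table;
    traffic the rule does not claim falls through to a normal table lookup."""
    return policy_gw if policy_gw is not None else lookup(routes, dst)


def demo():
    pulled, nopull = table_with_pulled_routes(), table_with_route_nopull()
    probes = ["8.8.8.8", "203.0.113.50", VPN_SERVER]
    return {
        "pulled": {d: egress(pulled, d) for d in probes},
        "nopull": {d: egress(nopull, d) for d in probes},
        "nopull_policy": egress(nopull, "8.8.8.8", policy_gw=VPN_GW),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With the pulled routes, every probe except the VPN server's own /32 resolves to the tunnel gateway regardless of firewall rules, which is the "everything goes through the VPN" symptom from the first post. With route-nopull the table says WAN, and only the rule that explicitly names the VPN gateway steers traffic into the tunnel.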
kevindd992002 (last edited Sep 26, 2016, 5:27 PM)

        @johnpoz:

        Make sure you set your client not to pull routes if you want to use policy routing.

        Ok, that worked. How about the packet loss I was talking about?

johnpoz LAYER 8 Global Moderator (last edited Sep 26, 2016, 5:34 PM)

          Well, I have no idea why you would get such packet loss. Other than your connection to them, or they suck ;) I see 0 packet loss to my VPS I VPN to. Why are you monitoring something out on the public internet for your VPN connection? Why would you not monitor the gateway you get from your VPN, the public IP of the VPN server? An IP address inside the VPN network you're connecting to, to validate the VPN is up?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

kevindd992002 (last edited Sep 27, 2016, 5:07 AM; posted Sep 26, 2016, 6:12 PM)

            @johnpoz:

            Well, I have no idea why you would get such packet loss. Other than your connection to them, or they suck ;) I see 0 packet loss to my VPS I VPN to. Why are you monitoring something out on the public internet for your VPN connection? Why would you not monitor the gateway you get from your VPN, the public IP of the VPN server? An IP address inside the VPN network you're connecting to, to validate the VPN is up?

            Ok, that makes sense. I guess I have to just pick one of the IPs that the FQDN of my VPN resolves to.

            EDIT: Since the VPN server's FQDN resolves to multiple IPs, the only IP that results in 0.0% loss is the one the VPN is connected to. Changing the monitor IP to one of the IPs in the cluster will give me 50% loss again. Leaving it blank will use the private IP gateway but results in 100% loss (I guess the gateway is not responding to ICMP requests?). So what now? I don't want to dynamically change the monitor IP whenever it connects to a different IP in the cluster.

kevindd992002 (last edited Sep 27, 2016, 1:11 AM)

              How do I know if my hardware (APU2C4) supports hardware crypto in OpenVPN?

nicolebyer727 (last edited Sep 27, 2016, 10:08 AM)

                If it's not working, you can try PureVPN.

                Setup guide link https://support.purevpn.com/openvpn-manual-setup-guide

kevindd992002 (last edited Sep 27, 2016, 10:41 AM)

                  @nicolebyer727:

                  If it's not working, you can try PureVPN.

                  Setup guide link https://support.purevpn.com/openvpn-manual-setup-guide

                  It actually works. I'm just optimizing the settings.

kevindd992002 (last edited Sep 29, 2016, 7:10 AM)

                    Any help here guys?

                    Can you explain why choosing "no hardware crypto" uses AES-NI automatically if the CPU supports it? Do you still have to enable AES-NI under System -> Advanced -> Misc. for this to happen or what?

mauroman33 (last edited Sep 29, 2016, 9:22 AM)

                      @kevindd992002:

                      Any help here guys?

                      Can you explain why choosing "no hardware crypto" uses AES-NI automatically if the CPU supports it? Do you still have to enable AES-NI under System -> Advanced -> Misc. for this to happen or what?

                      Here is something about hardware crypto in OpenVPN:
                      https://forum.pfsense.org/index.php?topic=115627.msg646409#msg646409

kevindd992002 (last edited Sep 29, 2016, 10:29 AM; posted Sep 29, 2016, 10:02 AM)

                        @mauroman33:

                        @kevindd992002:

                        Any help here guys?

                        Can you explain why choosing "no hardware crypto" uses AES-NI automatically if the CPU supports it? Do you still have to enable AES-NI under System -> Advanced -> Misc. for this to happen or what?

                        Here is something about hardware crypto in OpenVPN:
                        https://forum.pfsense.org/index.php?topic=115627.msg646409#msg646409

                        Thanks.

                        Also, is there a way to test the throughput of my OpenVPN clients in hopes of comparing which is better? I'm trying out ExpressVPN and Buffered VPN right now as a way to access US-based Netflix content, and I'm hoping I can isolate which one is best.

johnpoz LAYER 8 Global Moderator (last edited Sep 29, 2016, 11:35 AM)

                          Go to fast.com using your VPN connection. Powered by Netflix.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

kevindd992002 (last edited Sep 30, 2016, 3:02 AM; posted Sep 29, 2016, 11:46 AM)

                            @johnpoz:

                            Go to fast.com using your VPN connection. Powered by Netflix.

                            Yeah, that's what I'm doing, but I was hoping for a command-line speed test. No worries.

                            I was reading up on the OpenVPN custom options and came across this article: https://blog.hambier.lu/post/solving-openvpn-mtu-issues wherein it was suggested that "fragment 1300" be removed and "mssfix" be set to 1300 initially. When I do that, I get this error in the OpenVPN logs:

                            Bad LZO decompression header byte: 0

                            fragment 1300 and mssfix 1450 are in the .ovpn file provided by ExpressVPN; that's why I put them there.

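To make concrete what the mssfix value in those custom options does: OpenVPN lowers the MSS advertised in TCP SYNs crossing the tunnel so that, once encapsulated, the datagram stays within the configured limit. The Python script below is an added illustration, not code from this thread or from OpenVPN itself: it builds a constructed IPv4/TCP SYN, rewrites the MSS option the way a clamp does, repairs the TCP checksum, and derives the MSS a given mssfix implies. Addresses, ports and the encapsulation overhead passed to mss_limit are assumed values; OpenVPN's real per-packet overhead depends on the negotiated cipher, HMAC and compression.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the folded 16-bit word sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the segment, with the stored
    checksum field treated as zero, so the same routine builds and verifies."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def tcp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    segment = pkt[ihl:]
    return tcp_checksum(pkt[12:16], pkt[16:20], segment) == struct.unpack("!H", segment[16:18])[0]


def build_syn(src: str, dst: str, mss: int) -> bytes:
    """Constructed IPv4 + TCP SYN carrying one MSS option (kind 2, length 4)."""
    s, d = ipv4_bytes(src), ipv4_bytes(dst)
    options = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(options)) // 4                      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, doff << 4, 0x02, 65535, 0, 0)
    segment = header + options
    segment = segment[:16] + struct.pack("!H", tcp_checksum(s, d, segment)) + segment[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + segment


def _mss_option_offset(segment: bytes):
    """Offset of the 16-bit MSS value inside a SYN's option list, or None."""
    if not segment[13] & 0x02:                           # MSS is only carried on SYNs
        return None
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                                    # end of option list
            break
        if kind == 1:                                    # NOP padding, one byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                                   # malformed option, stop parsing
            break
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    segment = pkt[ihl:]
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(pkt: bytes, max_mss: int) -> bytes:
    """Lower the SYN's advertised MSS to max_mss if it is larger; fix the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    segment = bytearray(pkt[ihl:])
    off = _mss_option_offset(bytes(segment))
    if off is None or struct.unpack("!H", segment[off:off + 2])[0] <= max_mss:
        return pkt
    segment[off:off + 2] = struct.pack("!H", max_mss)
    segment[16:18] = struct.pack("!H", tcp_checksum(pkt[12:16], pkt[16:20], bytes(segment)))
    return pkt[:ihl] + bytes(segment)


def mss_limit(mssfix: int, encap_overhead: int) -> int:
    """MSS implied by an mssfix budget: the tunnel datagram limit minus the
    OpenVPN encapsulation overhead (an assumed input here) minus the inner
    IPv4 (20) and TCP (20) headers."""
    return mssfix - encap_overhead - 40


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.7", 1460)   # constructed sample
    clamped = clamp_mss(syn, mss_limit(1450, 0))
    print(read_mss(syn), "->", read_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

The clamp touches only SYN segments, leaves packets whose MSS is already small enough untouched, and recomputes the checksum so the receiver does not discard the rewritten segment. Raising mssfix without a matching fragment setting, as the article the post links suggests, only changes what TCP sessions inside the tunnel advertise; it does not alter how non-TCP packets are carried.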
kevindd992002 (last edited Sep 30, 2016, 3:37 AM; posted Sep 30, 2016, 3:09 AM)

                              Is it recommended to change the "firewall optimization options" to conservative when using a VPN? The thing is that I'm using policy-based routing, so I'm worried that if I change this setting all traffic will be negatively impacted (not just the traffic destined for the VPN tunnel).

                              EDIT:

                              Also, what is really the difference between the OpenVPN client options "Don't pull routes" and "Don't add/remove routes"? Here is an excerpt from the OpenVPN website:

                              --route-noexec -> this is the "don't add/remove routes" option
                              Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.

                              --route-nopull -> this is the "don't pull routes" option
                              When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

kevindd992002 (last edited Oct 2, 2016, 9:59 AM)

                                Any help please?

peterbuttler (last edited Oct 14, 2016, 11:11 AM; posted Oct 3, 2016, 8:16 AM)

                                  You can check the official website of ExpressVPN; they have defined all this information. https://www.expressvpn.com/support/vpn-setup/manual-config-for-windows-xp-vista-7-8-with-openvpn/

kevindd992002 (last edited Oct 3, 2016, 9:53 AM)

                                    @peterbuttler:

                                    You can check the official website of ExpressVPN; they have defined all this information. https://www.expressvpn.com/support/vpn-setup/manual-config-for-windows-xp-vista-7-8-with-openvpn/

                                    No, they don't. pfSense as a firewall is not "officially" supported by ExpressVPN, and so there's no manual there. Like I said, my connection to them is working just fine. I'm just optimizing it. If you read my previous post with the pending questions and try to find the answers to my questions on the site you linked, I'm not sure you'll find any. I don't even see route-noexec and route-nopull anywhere on that page.

nicolebyer727 (last edited Oct 4, 2016, 12:36 PM)

                                      Or you can also configure OpenVPN with PureVPN. Here is the manual setup guide: https://support.purevpn.com/openvpn-manual-setup-guide

kevindd992002 (last edited Oct 4, 2016, 1:09 PM)

                                        @nicolebyer727:

                                        Or you can also configure OpenVPN with PureVPN. Here is the manual setup guide: https://support.purevpn.com/openvpn-manual-setup-guide

                                        I appreciate the help, but I feel like we're going around in circles here. Like I mentioned multiple times now, I don't need a guide for configuring OpenVPN, as I already have it working with ExpressVPN. I just need to know the answers to my specific questions quoted below:

                                        @kevindd992002:

                                        Is it recommended to change the "firewall optimization options" to conservative when using a VPN? The thing is that I'm using policy-based routing, so I'm worried that if I change this setting all traffic will be negatively impacted (not just the traffic destined for the VPN tunnel).

                                        EDIT:

                                        Also, what is really the difference between the OpenVPN client options "Don't pull routes" and "Don't add/remove routes"? Here is an excerpt from the OpenVPN website:

                                        --route-noexec -> this is the "don't add/remove routes" option
                                        Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.

                                        --route-nopull -> this is the "don't pull routes" option
                                        When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers. When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

4o4rh (last edited Dec 13, 2016, 2:56 PM)

                                          Did you figure it out or get answers?

                                          I previously had ExpressVPN working with 3 client locations in a gateway failover configuration with OPNsense 16.7.9.
                                          Gateway monitoring was working fine with Google DNS servers.
                                          After the system upgraded to 16.7.10, I decided to move to pfSense, thinking there was more support and a larger user base, but I haven't found it yet.

                                          I have the same issue as you: 3x VPN clients in a gateway config, going offline due to 50% errors when using OpenDNS or Google DNS servers as the monitoring addresses.

                                          It seems to be ExpressVPN not passing ICMP, as best as I can tell. If I traceroute from Ubuntu it goes through without error, but if I traceroute with "-I" or from Windows I get request timeouts at the same spots where I get packet loss using dpinger from the command line on pfSense.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.