ExpressVPN interface is up but gateway is down



  • I am new to pfSense. I purchased a micro appliance so that my entire network could be behind a VPN.
    I have spent two days trying to get ExpressVPN to work. Today I spent 2 hours on live chat with ExpressVPN support and they referred me to the forums.
    I used ExpressVPN's setup tutorial https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

    The ExpressVPN interface is up.
    I copied all four mappings and changed them to ExpressVPN,
    but when I implemented the new rule to route LAN traffic through ExpressVPN, all the devices in my network can't connect.
    The only thing I have found is that in Status - Gateways
    EXPRESSVPN_DHCP 10.41.6.85 10.41.6.85 0ms 0ms 100% Offline Interface EXPRESSVPN_DHCP Gateway
    the ExpressVPN gateway is down.

    When I switch back to the default LAN rule, everything can connect to the internet.

    Any help would be much appreciated.

    OpenVPN logs

    ----------------------------
    Apr 27 08:30:06 openvpn 23933 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Apr 27 08:30:06 openvpn 23933 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Apr 27 08:30:06 openvpn 23933 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 27 08:30:06 openvpn 23933 [Server-1531-1a] Peer Connection Initiated with [AF_INET]45.56.149.3:1195
    Apr 27 08:30:08 openvpn 23933 SENT CONTROL [Server-1531-1a]: 'PUSH_REQUEST' (status=1)
    Apr 27 08:30:08 openvpn 23933 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.146.0.1,route 10.146.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.146.7.222 10.146.7.221'
    Apr 27 08:30:08 openvpn 23933 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 08:30:08 openvpn 23933 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 08:30:08 openvpn 23933 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 08:30:08 openvpn 23933 OPTIONS IMPORT: timers and/or timeouts modified
    Apr 27 08:30:08 openvpn 23933 OPTIONS IMPORT: --ifconfig/up options modified
    Apr 27 08:30:08 openvpn 23933 Preserving previous TUN/TAP instance: ovpnc1
    Apr 27 08:30:08 openvpn 23933 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Apr 27 08:30:08 openvpn 23933 Closing TUN/TAP interface
    Apr 27 08:30:08 openvpn 23933 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1605 10.165.6.230 10.165.6.229 init
    Apr 27 08:30:09 openvpn 23933 TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 27 08:30:09 openvpn 23933 TUN/TAP device /dev/tun1 opened
    Apr 27 08:30:09 openvpn 23933 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 27 08:30:09 openvpn 23933 /sbin/ifconfig ovpnc1 10.146.7.222 10.146.7.221 mtu 1500 netmask 255.255.255.255 up
    Apr 27 08:30:09 openvpn 23933 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1605 10.146.7.222 10.146.7.221 init
    Apr 27 08:30:11 openvpn 23933 Initialization Sequence Completed
    Apr 27 08:33:08 openvpn 23933 [Server-1531-1a] Inactivity timeout (--ping-restart), restarting
    Apr 27 08:33:08 openvpn 23933 SIGUSR1[soft,ping-restart] received, process restarting
    Apr 27 08:33:08 openvpn 23933 Restart pause, 2 second(s)
    Apr 27 08:33:10 openvpn 23933 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 27 08:33:10 openvpn 23933 Socket Buffers: R=[42080->524288] S=[57344->524288]
    Apr 27 08:33:10 openvpn 23933 UDPv4 link local (bound): [AF_INET]174.57.176.116
    Apr 27 08:33:10 openvpn 23933 UDPv4 link remote: [AF_INET]45.56.149.3:1195
    Apr 27 08:33:10 openvpn 23933 TLS: Initial packet from [AF_INET]45.56.149.3:1195, sid=575c39a8 a6a6e899
    Apr 27 08:33:10 openvpn 23933 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
    Apr 27 08:33:10 openvpn 23933 VERIFY OK: nsCertType=SERVER
    Apr 27 08:33:10 openvpn 23933 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1531-1a, emailAddress=support@expressvpn.com
    Apr 27 08:33:10 openvpn 23933 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1531-1a, emailAddress=support@expressvpn.com
    Apr 27 08:33:10 openvpn 23933 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1605', remote='link-mtu 1606'
    Apr 27 08:33:10 openvpn 23933 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Apr 27 08:33:10 openvpn 23933 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Apr 27 08:33:10 openvpn 23933 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Apr 27 08:33:10 openvpn 23933 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Apr 27 08:33:10 openvpn 23933 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Apr 27 08:33:10 openvpn 23933 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 27 08:33:10 openvpn 23933 [Server-1531-1a] Peer Connection Initiated with [AF_INET]45.56.149.3:1195
    Apr 27 08:33:12 openvpn 23933 SENT CONTROL [Server-1531-1a]: 'PUSH_REQUEST' (status=1)
    Apr 27 08:33:12 openvpn 23933 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.146.0.1,route 10.146.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.146.7.222 10.146.7.221'
    Apr 27 08:33:12 openvpn 23933 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 08:33:12 openvpn 23933 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 08:33:12 openvpn 23933 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 08:33:12 openvpn 23933 OPTIONS IMPORT: timers and/or timeouts modified
    Apr 27 08:33:12 openvpn 23933 OPTIONS IMPORT: --ifconfig/up options modified
    Apr 27 08:33:12 openvpn 23933 Preserving previous TUN/TAP instance: ovpnc1
    Apr 27 08:33:12 openvpn 23933 Initialization Sequence Completed

    Edit: I tried using Private Internet Access and had the same issue.



  • I had a similar issue too.

    The instructions are unfortunately incorrect.

    Referring to the document at:

    https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn

    In the section where you configure the EXPRESSVPN interface, DO NOT set the IPv4 Configuration as DHCP, set it as NONE. OpenVPN will automatically configure the interface with an IP address and routes, it doesn't need DHCP to do this. Once it is done, restart the openvpn service (under status -> openvpn).

    If you just happen to be using the VPN to unblock Netflix, it is important that you also change the DNS servers so they are based in the country for which you are trying to unblock Netflix. Netflix uses some dynamic DNS inquiries where they can see if you are trying to spoof them. For example, if you live in Canada and are trying to access Netflix US, you should ensure that your router or PC is configured to use a US DNS server (like 8.8.8.8 or 8.8.4.4). Otherwise Netflix will see you are using a Canadian DNS server and block the stream.

    Hope this works for you.



  • Unfortunately it did not work. Here is the new OpenVPN log:

    --------------------------------
    Apr 27 09:50:42 openvpn 78208 SENT CONTROL [Server-477-1a]: 'PUSH_REQUEST' (status=1)
    Apr 27 09:50:42 openvpn 78208 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.146.0.1,route 10.146.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.146.6.114 10.146.6.113'
    Apr 27 09:50:42 openvpn 78208 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 09:50:42 openvpn 78208 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 09:50:42 openvpn 78208 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 09:50:42 openvpn 78208 OPTIONS IMPORT: timers and/or timeouts modified
    Apr 27 09:50:42 openvpn 78208 OPTIONS IMPORT: --ifconfig/up options modified
    Apr 27 09:50:42 openvpn 78208 Preserving previous TUN/TAP instance: ovpnc1
    Apr 27 09:50:42 openvpn 78208 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Apr 27 09:50:42 openvpn 78208 Closing TUN/TAP interface
    Apr 27 09:50:42 openvpn 78208 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1605 10.146.7.222 10.146.7.221 init
    Apr 27 09:50:43 openvpn 78208 TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 27 09:50:43 openvpn 78208 TUN/TAP device /dev/tun1 opened
    Apr 27 09:50:43 openvpn 78208 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 27 09:50:43 openvpn 78208 /sbin/ifconfig ovpnc1 10.146.6.114 10.146.6.113 mtu 1500 netmask 255.255.255.255 up
    Apr 27 09:50:43 openvpn 78208 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1605 10.146.6.114 10.146.6.113 init
    Apr 27 09:50:45 openvpn 78208 Initialization Sequence Completed



  • What does it say about the EXPRESSVPN interface under "status -> interfaces"?



  • EXPRESSVPN Interface (opt1, ovpnc1)
    Status: up
    MAC Address: 00:00:00:00:00:00
    IPv6 Link Local: fe80::2ec:acff:fece:d1ce%ovpnc1
    MTU: 1500
    In/out packets: 0/412539 (0 B/12.72 MiB)
    In/out packets (pass): 0/412539 (0 B/12.72 MiB)
    In/out packets (block): 0/0 (0 B/0 B)
    In/out errors: 0/0
    Collisions: 0

    Under Status - Gateways

    EXPRESSVPN_VPNV4 Pending Pending Pending Pending Interface EXPRESSVPN_VPNV4 Gateway



  • My gateway status says it is offline and yet it is still sending data.

    Did you set up the firewall rules yet?

    Also, you might consider a fresh reboot of the router just to recover from all the changes you have been making. Something may have gone stale. I did it once or twice when I was trying to get things working.

    I'm transferring files now using it, but when I'm done I will check my OpenVPN logs to see if they match yours. Can you upload the latest version after the reboot?



  • It's when I enable the rule to tunnel to ExpressVPN that my connections go out.

    -------------------------

    Time Process PID Message
    Apr 27 14:01:57 openvpn 15246 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 14:01:57 openvpn 15246 OPTIONS IMPORT: timers and/or timeouts modified
    Apr 27 14:01:57 openvpn 15246 OPTIONS IMPORT: --ifconfig/up options modified
    Apr 27 14:01:57 openvpn 15246 Preserving previous TUN/TAP instance: ovpnc1
    Apr 27 14:01:57 openvpn 15246 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Apr 27 14:01:57 openvpn 15246 Closing TUN/TAP interface
    Apr 27 14:01:57 openvpn 15246 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1605 10.168.7.106 10.168.7.105 init
    Apr 27 14:01:58 openvpn 15246 TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 27 14:01:58 openvpn 15246 TUN/TAP device /dev/tun1 opened
    Apr 27 14:01:58 openvpn 15246 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 27 14:01:58 openvpn 15246 /sbin/ifconfig ovpnc1 10.135.6.162 10.135.6.161 mtu 1500 netmask 255.255.255.255 up
    Apr 27 14:01:58 openvpn 15246 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1605 10.135.6.162 10.135.6.161 init
    Apr 27 14:02:00 openvpn 15246 Initialization Sequence Completed
    Apr 27 14:04:57 openvpn 15246 [Server-281-1a] Inactivity timeout (--ping-restart), restarting
    Apr 27 14:04:57 openvpn 15246 SIGUSR1[soft,ping-restart] received, process restarting
    Apr 27 14:04:57 openvpn 15246 Restart pause, 2 second(s)
    Apr 27 14:04:59 openvpn 15246 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Apr 27 14:04:59 openvpn 15246 Socket Buffers: R=[42080->524288] S=[57344->524288]
    Apr 27 14:04:59 openvpn 15246 UDPv4 link local (bound): [AF_INET]174.57.176.116
    Apr 27 14:04:59 openvpn 15246 UDPv4 link remote: [AF_INET]107.181.69.67:1195
    Apr 27 14:04:59 openvpn 15246 TLS: Initial packet from [AF_INET]107.181.69.67:1195, sid=c3073308 1a28242b
    Apr 27 14:04:59 openvpn 15246 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
    Apr 27 14:04:59 openvpn 15246 VERIFY OK: nsCertType=SERVER
    Apr 27 14:04:59 openvpn 15246 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-313-1a, emailAddress=support@expressvpn.com
    Apr 27 14:04:59 openvpn 15246 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-313-1a, emailAddress=support@expressvpn.com
    Apr 27 14:04:59 openvpn 15246 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1605', remote='link-mtu 1606'
    Apr 27 14:04:59 openvpn 15246 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
    Apr 27 14:04:59 openvpn 15246 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Apr 27 14:04:59 openvpn 15246 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Apr 27 14:04:59 openvpn 15246 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Apr 27 14:04:59 openvpn 15246 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Apr 27 14:04:59 openvpn 15246 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Apr 27 14:04:59 openvpn 15246 [Server-313-1a] Peer Connection Initiated with [AF_INET]107.181.69.67:1195
    Apr 27 14:05:01 openvpn 15246 SENT CONTROL [Server-313-1a]: 'PUSH_REQUEST' (status=1)
    Apr 27 14:05:01 openvpn 15246 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.182.0.1,route 10.182.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.182.7.186 10.182.7.185'
    Apr 27 14:05:01 openvpn 15246 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 14:05:01 openvpn 15246 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 14:05:01 openvpn 15246 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
    Apr 27 14:05:01 openvpn 15246 OPTIONS IMPORT: timers and/or timeouts modified
    Apr 27 14:05:01 openvpn 15246 OPTIONS IMPORT: --ifconfig/up options modified
    Apr 27 14:05:01 openvpn 15246 Preserving previous TUN/TAP instance: ovpnc1
    Apr 27 14:05:01 openvpn 15246 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    Apr 27 14:05:01 openvpn 15246 Closing TUN/TAP interface
    Apr 27 14:05:01 openvpn 15246 /usr/local/sbin/ovpn-linkdown ovpnc1 1500 1605 10.135.6.162 10.135.6.161 init
    Apr 27 14:05:02 openvpn 15246 TUN/TAP device ovpnc1 exists previously, keep at program end
    Apr 27 14:05:02 openvpn 15246 TUN/TAP device /dev/tun1 opened
    Apr 27 14:05:02 openvpn 15246 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Apr 27 14:05:02 openvpn 15246 /sbin/ifconfig ovpnc1 10.182.7.186 10.182.7.185 mtu 1500 netmask 255.255.255.255 up
    Apr 27 14:05:02 openvpn 15246 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1605 10.182.7.186 10.182.7.185 init
    Apr 27 14:05:04 openvpn 15246 Initialization Sequence Completed



  • First off, which version of pfSense are you using?
    Are you certain all settings in "VPN -> OpenVPN -> Clients -> Edit" are set correctly?
    In "Firewall -> NAT -> Outbound" you only need one rule, that is to pass anything on 192.168.0.0/24 to EXPRESSVPN; you should be able to disable the others (192.168.0.0 may not match your subnet).
    In "Firewall -> Rules -> LAN" you can have a single rule which forwards traffic from your single PC, if you like, or from a subnet to EXPRESS_VPNV4. You can disable it to switch off forwarding your traffic to the VPN.
    Has the "Status -> Interfaces" output changed since the reboot?



  • @OldWoman37:

    I had a similar issue too.

    The instructions are unfortunately incorrect.

    Referring to the document at:

    https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn

    In the section where you configure the EXPRESSVPN interface, DO NOT set the IPv4 Configuration as DHCP, set it as NONE. OpenVPN will automatically configure the interface with an IP address and routes, it doesn't need DHCP to do this. Once it is done, restart the openvpn service (under status -> openvpn).

    I have the same issues as OP. The tutorial also shows, in the OpenVPN client settings in pfSense, to tick "Don't pull routes - Bars the server from adding routes to the client's routing table", meaning no routes would be pulled over. Are you suggesting that this part of the tutorial is wrong too? Can you please post your OpenVPN client config?

    I am running 2.3.3-p1



  • After sorting through the OpenVPN logs and looking at the .ovpn settings file from ExpressVPN I figured it out.

    I was seeing this in my OpenVPN logs:
    May 10 20:08:33 openvpn 15843 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

    "comp-lzo" is listed in the .ovpn settings file from ExpressVPN, but not in their tutorial. I added it to the Advanced Configuration custom options field, enabled the firewall rule to push my LAN traffic to the gateway, and like magic, it all works now.

    Here are my custom options:
    fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288

    Hope this helps some of you other ExpressVPN users that have found their tutorial not correct.
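The comp-lzo warning and the rejected pushed options in the logs above can be checked mechanically instead of by eye. The script below is an added example, not code from this thread, pfSense or ExpressVPN: it parses constructed log lines modelled on the ones quoted here, splits the custom options string the way pfSense's semicolon-separated field is written, and reports which directives the server announces that the local config still lacks. It assumes the log format shown in the thread; the rejected redirect-gateway, dhcp-option and route entries are the expected effect of the "Don't pull routes" (route-nopull) setting the tutorial asks for, so they are listed rather than flagged as faults.

```python
import re

# Constructed sample modelled on the pfSense OpenVPN client log lines quoted in
# this thread (not captured from a live system).
SAMPLE_LOG = """\
Apr 27 08:33:10 openvpn 23933 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1605', remote='link-mtu 1606'
Apr 27 08:33:10 openvpn 23933 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Apr 27 08:33:12 openvpn 23933 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.146.0.1,route 10.146.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.146.7.222 10.146.7.221'
Apr 27 08:33:12 openvpn 23933 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 08:33:12 openvpn 23933 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 08:33:12 openvpn 23933 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Apr 27 08:33:12 openvpn 23933 Initialization Sequence Completed
"""

# The custom options string from the solution post in this thread.
THREAD_CUSTOM_OPTIONS = (
    "fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;"
    "verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;"
    "route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;"
    "verb 3;sndbuf 524288;rcvbuf 524288"
)

MISSING_RE = re.compile(r"WARNING: '([\w-]+)' is present in remote config but missing in local config")
REJECTED_RE = re.compile(r"Options error: option '([\w-]+)' cannot be used in this context \(\[PUSH-OPTIONS\]\)")
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")


def parse_custom_options(custom):
    """Split pfSense's semicolon-separated custom options field into {directive: arguments}."""
    opts = {}
    for item in custom.split(";"):
        item = item.strip()
        if item:
            name, _, args = item.partition(" ")
            opts[name] = args.strip()
    return opts


def analyse_log(log, custom):
    """Report remote-only directives, pushed options, rejected pushed options,
    and which remote-only directives the local custom options still lack."""
    local = parse_custom_options(custom)
    missing, rejected, pushed = [], [], []
    for line in log.splitlines():
        m = MISSING_RE.search(line)
        if m:
            missing.append(m.group(1))
            continue
        m = REJECTED_RE.search(line)
        if m:
            rejected.append(m.group(1))
            continue
        m = PUSH_RE.search(line)
        if m:
            # Keep only the directive name of each pushed "name args" entry.
            pushed = [p.split(" ", 1)[0] for p in m.group(1).split(",")]
    return {
        "missing_local": missing,
        "pushed": pushed,
        "rejected_push": rejected,
        "still_missing": [d for d in missing if d not in local],
    }


if __name__ == "__main__":
    for label, custom in (("thread fix", THREAD_CUSTOM_OPTIONS),
                          ("tutorial-style", "fast-io;persist-key;persist-tun")):
        print(label, analyse_log(SAMPLE_LOG, custom))
```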



  • Hi Sneakking,

    Could you please send me all your settings?

    I still cannot get the gateway up.

    Many thanks,

    christian



  • Hi,

    I had the same problem. With a couple of settings that differ from the instructions (written for pfSense 2.3.0) on the ExpressVPN website, I got it to work.

    1. In the dropdown menu of the "IPv4 Configuration Type" of the ExpressVPN interface, set: None (DHCP doesn't work).
    2. In the OpenVPN client settings, set TLS Key Usage Mode to "TLS Authentication" (with additional encryption it does not work).
       In custom options I use these settings:
       fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288
    3. In Firewall/Aliases, be sure you enter the right subnets that sit between the pfSense server and the actual clients (I had an extra wireless router between pfSense and the clients, so I had to enter an extra subnet to get it to work).

    The only problem I still have is that although the interface and the gateway are up and working, dpinger cannot ping the VPN server. I have set the data payload to 1 but I still don't get a ping… If I enter 8.8.8.8 to monitor, I get huge packet loss (>40%)...
    Maybe someone can give me advice at this point to get better monitoring results? (I guess this is important for load balancing if you enter multiple gateways to different VPN servers.)



  • @lansmurf said in ExpressVPN interface is up but gateway is down:

    The only problem I still have is that although the interface and the gateway are up and working, dpinger cannot ping the VPN server. I have set the data payload to 1 but I still don't get a ping… If I enter 8.8.8.8 to monitor, I get huge packet loss (>40%)...
    Maybe someone can give me advice at this point to get better monitoring results? (I guess this is important for load balancing if you enter multiple gateways to different VPN servers.)

    A bit late, but replying in case it might help someone. I had the same problem with dpinger and packet loss. Solved it by enabling Hardware Crypto in the OpenVPN client. Now I can use an external IP to monitor if the VPN gateway is online. Of course, your hardware needs to support this.

