ExpressVPN



  • Hi everyone,

    I've got a Dell R710 running EXSI 6.5 and PfSense 2.3.4 working as my firewall. Works great.

    I've got a ExpressVPN membership which I'd like to enable with PFSense. I've used their guide for installation, but when complete.. nothing seems to be routed through the firewall and my internet stops working.

    1. Anyone have a good how to guide that actually works?
    2. Is there anyway to only route certain local IPs via the VPN (my downloaders..) so the remaining devices don't get bogged down with the VPN speed?


  • I also recently attempted to setup ExpressVPN on my pfsense running 2.3.3-p1.  Setup PIA VPN ok with it, though ExpressVPN is a bit different for its lack of pulling routes over in the config.  I followed the official how-to guide from ExpressVPN and have similar problems as you.  I have blown up my config and tried it a couple different ways.  I see the outbound traffic of the VPN tunnel increase with internet activity, so I know the traffic is attempting to leave, but no response.  I see the firewall in pfsense blocking all of my traffic in the logs but not sure where to go from here.

    I have reviewed my NAT rules many times, which seem pretty simple, just copy all the existing WAN rules switch it to use the OPT1 (VPN interface I created), the official guide doesn't say whether or not to turn off the existing WAN rules, or shift them up or down, i have tried every combination I can think of, and the traffic is consistently blocked by the firewall with "NO_TRAFFIC:SINGLE" being by most common error message in any outbound traffic from one of my LAN clients going to an external IP.

    ExpressVPN support is pretty useless, they just ask you, "did you read our guide?"  If you answer yes, they just suggest another server or using L2TP/IPSEC.  I have tried another server with exact same results, not tried L2TP yet, they have no guide for L2TP-IPSEC for pfsense.

    Any help to both of us would be greatly appreciated.



  • @jezzy:

    1. Is there anyway to only route certain local IPs via the VPN (my downloaders..) so the remaining devices don't get bogged down with the VPN speed?

    For how to handle traffic per host:
    https://blog.monstermuffin.org/tunneling-specific-traffic-over-a-vpn-with-pfsense/



  • After sorting through the OpenVPN logs and looking at the .ovpn settings file from ExpressVPN I figured it out.

    I was seeing this in my OpenVPN settings:
    May 10 20:08:33 openvpn 15843 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

    "comp-lzo" is listed in the .ovpn settings file from ExpressVPN, but not in their tutorial.  I added it to the Advanced Configuration custom options field, enabled the firewall rule to push my LAN traffic to the gateway, and like magic, it all works now.

    Here are my custom options:
    fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288

    Hope this helps some of you other ExpressVPN users that have found their tutorial not correct.



  • @sneakking:

    @jezzy:

    1. Is there anyway to only route certain local IPs via the VPN (my downloaders..) so the remaining devices don't get bogged down with the VPN speed?

    For how to handle traffic per host:
    https://blog.monstermuffin.org/tunneling-specific-traffic-over-a-vpn-with-pfsense/

    Thanks, I just setup pfSense and wasn't able to route IPs via my VPN.



  • you just need to go through the right guide of your VPN provider to properly route IPs via Pfsense as per your selected VPN service. I use ExpressVPN and I faced the same issue and resolve it after following the instructions on their page https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/