ExpressVPN down on pfsense 2.4.4



  • Hi, I've been having some trouble getting my VPN to work on my pfSense firewall. I followed the guide on ExpressVPN's website but it's still showing as down, and their support advised I post here.

    My firewall separates my lab environment from my home network, so it actually has two private IPs, one on the LAN and one on the "WAN". I have an internet connection in my lab environment and it is going through the firewall, but for some reason the VPN won't connect. I've posted the log info for the VPN below, but I wasn't able to find an obvious error. I'm hoping a fresh set of more experienced eyes may be able to tell me where I'm going wrong?

    Any help is much appreciated!

    Feb 24 20:29:05 openvpn 58820 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
    Feb 24 20:29:05 openvpn 58820 Socket Buffers: R=[42080->524288] S=[57344->524288]
    Feb 24 20:29:05 openvpn 58820 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
    Feb 24 20:29:05 openvpn 58820 UDPv4 link remote: [AF_INET]78.129.233.144:1195
    Feb 24 20:29:05 openvpn 58820 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=63d2c1f8 213e455a
    Feb 24 20:29:05 openvpn 58820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
    Feb 24 20:29:05 openvpn 58820 VERIFY OK: nsCertType=SERVER
    Feb 24 20:29:05 openvpn 58820 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
    Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
    Feb 24 20:29:10 openvpn 58820 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Feb 24 20:29:10 openvpn 58820 MANAGEMENT: CMD 'state 1'
    Feb 24 20:29:10 openvpn 58820 MANAGEMENT: Client disconnected
    Feb 24 20:29:15 openvpn 58820 event_wait : Interrupted system call (code=4)
    Feb 24 20:29:15 openvpn 58820 SIGTERM[hard,] received, process exiting
    Feb 24 20:29:22 openvpn 94263 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
    Feb 24 20:29:22 openvpn 94263 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
    Feb 24 20:29:22 openvpn 94263 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
    Feb 24 20:29:22 openvpn 94518 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Feb 24 20:29:22 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    Feb 24 20:29:22 openvpn 94518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 24 20:29:22 openvpn 94518 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    Feb 24 20:29:22 openvpn 94518 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
    Feb 24 20:29:22 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
    Feb 24 20:29:22 openvpn 94518 Socket Buffers: R=[42080->524288] S=[57344->524288]
    Feb 24 20:29:22 openvpn 94518 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
    Feb 24 20:29:22 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.233.144:1195
    Feb 24 20:29:22 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=9715f081 ba9e90af
    Feb 24 20:29:22 openvpn 94518 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
    Feb 24 20:29:22 openvpn 94518 VERIFY OK: nsCertType=SERVER
    Feb 24 20:29:22 openvpn 94518 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
    Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
    Feb 24 20:29:27 openvpn 94518 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Feb 24 20:29:27 openvpn 94518 MANAGEMENT: CMD 'state 1'
    Feb 24 20:29:27 openvpn 94518 MANAGEMENT: Client disconnected
    Feb 24 20:30:22 openvpn 94518 [Server-205-1a] Inactivity timeout (--ping-restart), restarting
    Feb 24 20:30:22 openvpn 94518 SIGUSR1[soft,ping-restart] received, process restarting
    Feb 24 20:30:22 openvpn 94518 Restart pause, 10 second(s)
    Feb 24 20:30:32 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
    Feb 24 20:30:32 openvpn 94518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Feb 24 20:30:32 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.231.93:1195
    Feb 24 20:30:32 openvpn 94518 Socket Buffers: R=[42080->524288] S=[57344->524288]
    Feb 24 20:30:32 openvpn 94518 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
    Feb 24 20:30:32 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.231.93:1195
    Feb 24 20:30:32 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.231.93:1195, sid=5326bff1 1733fd96
    Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
    Feb 24 20:30:32 openvpn 94518 VERIFY OK: nsCertType=SERVER
    Feb 24 20:30:32 openvpn 94518 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
    Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
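The log above is easier to read once each connection attempt is split out and checked against the milestones a healthy OpenVPN client passes. The script below is an added example, not code from the thread or from pfSense: it parses log lines in the pfSense format (`Mon DD HH:MM:SS openvpn <pid> <message>`), records how far each attempt got, and gives a verdict. The sample input is a trimmed copy of the lines posted above plus three constructed lines (marked as such) showing what a successful attempt logs; the verdict rules are heuristics, and the "server cert verified but handshake never completed" case is exactly what the posted log shows for PID 94518.

```python
"""Where did each OpenVPN client attempt stop?

Added example, not part of the original thread: parses OpenVPN log lines in
the pfSense format ("Mon DD HH:MM:SS openvpn <pid> <message>") and says how far
every connection attempt got. The verdict rules are heuristics."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) openvpn (\d+) (.*)$")

# Milestones in the order a healthy client passes them.
MILESTONES = [
    ("link",      re.compile(r"UDPv4 link remote: \[AF_INET\](\S+)")),
    ("tls_hello", re.compile(r"TLS: Initial packet from")),
    ("ca_ok",     re.compile(r"VERIFY OK: depth=1")),
    ("server_ok", re.compile(r"VERIFY OK: depth=0, .*CN=([^,]+)")),
    ("peer",      re.compile(r"Peer Connection Initiated")),
    ("pushed",    re.compile(r"PUSH: Received control message")),
    ("up",        re.compile(r"Initialization Sequence Completed")),
]
# Ways an attempt ends without reaching "up".
ENDINGS = {
    "ping-restart": re.compile(r"Inactivity timeout \(--ping-restart\)"),
    "auth-failed":  re.compile(r"AUTH_FAILED"),
    "tls-error":    re.compile(r"TLS Error|TLS handshake failed"),
    "sigterm":      re.compile(r"SIGTERM\[hard,\] received"),
}
# Hygiene warnings worth surfacing whether or not the tunnel comes up.
WARNINGS = {
    "ns-cert-type": re.compile(r"--ns-cert-type is DEPRECATED"),
    "auth-nocache": re.compile(r"use the auth-nocache option"),
    "perms":        re.compile(r"file '([^']+)' is group or others accessible"),
}


@dataclass
class Attempt:
    pid: str
    remote: str
    reached: List[str] = field(default_factory=lambda: ["link"])
    server_cn: str = ""
    ended: Optional[str] = None

    def verdict(self) -> str:
        if "up" in self.reached:
            return "connected"
        if self.ended == "sigterm":
            return "stopped by a config reload (SIGTERM), not a tunnel failure"
        if self.ended == "auth-failed":
            return "server rejected the username/password"
        if self.ended is None:
            return "still in progress at end of log"
        if "server_ok" in self.reached:
            # We verified the server's certificate, then heard nothing until
            # ping-restart: the server never finished the handshake with us.
            # Heuristic: look at the client cert/key, the tls-auth key and
            # key-direction, and the cipher/auth digest before anything else.
            return "server cert verified but handshake never completed (%s)" % self.ended
        if "tls_hello" not in self.reached:
            return "no reply from %s (port, firewall or tls-auth mismatch)" % self.remote
        return "failed after TLS hello (%s)" % self.ended


def triage(log: str) -> Tuple[List[Attempt], Dict[str, str]]:
    """Return (attempts, warnings) for one OpenVPN client log."""
    attempts: List[Attempt] = []
    warnings: Dict[str, str] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group(2), m.group(3)
        for name, rx in WARNINGS.items():
            w = rx.search(msg)
            if w:
                warnings[name] = w.group(1) if w.groups() else msg
        for name, rx in MILESTONES:
            hit = rx.search(msg)
            if not hit:
                continue
            if name == "link":                  # a link line opens a new attempt
                attempts.append(Attempt(pid, hit.group(1)))
            elif attempts and attempts[-1].pid == pid:
                attempts[-1].reached.append(name)
                if name == "server_ok":
                    attempts[-1].server_cn = hit.group(1)
        for name, rx in ENDINGS.items():
            if rx.search(msg) and attempts and attempts[-1].pid == pid:
                attempts[-1].ended = attempts[-1].ended or name
    return attempts, warnings


# Copied (trimmed) from the log posted in the thread.
THREAD_LINES = """\
Feb 24 20:29:05 openvpn 58820 UDPv4 link remote: [AF_INET]78.129.233.144:1195
Feb 24 20:29:05 openvpn 58820 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=63d2c1f8 213e455a
Feb 24 20:29:05 openvpn 58820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:29:15 openvpn 58820 SIGTERM[hard,] received, process exiting
Feb 24 20:29:22 openvpn 94263 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
Feb 24 20:29:22 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Feb 24 20:29:22 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.233.144:1195
Feb 24 20:29:22 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=9715f081 ba9e90af
Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
Feb 24 20:30:22 openvpn 94518 [Server-205-1a] Inactivity timeout (--ping-restart), restarting
Feb 24 20:30:32 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.231.93:1195
Feb 24 20:30:32 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.231.93:1195, sid=5326bff1 1733fd96
Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
"""
# Constructed, not from the post: what the third attempt would log if it succeeded.
CONSTRUCTED_SUCCESS = """\
Feb 24 20:30:33 openvpn 94518 [Server-206-1a] Peer Connection Initiated with [AF_INET]78.129.231.93:1195
Feb 24 20:30:34 openvpn 94518 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 10'
Feb 24 20:30:35 openvpn 94518 Initialization Sequence Completed
"""
SAMPLE_LOG = THREAD_LINES + CONSTRUCTED_SUCCESS

if __name__ == "__main__":
    found, warns = triage(SAMPLE_LOG)
    for a in found:
        print(a.pid, a.remote, a.server_cn or "-", "->", a.verdict())
    for k, v in warns.items():
        print("warning:", k, v)
```

On a pfSense box the same lines come from `clog /var/log/openvpn.log` or the Status / System Logs / OpenVPN page; feed them in unchanged. The useful signal is the gap: both `VERIFY OK` lines mean the client accepted the server's certificate, and the absence of `Peer Connection Initiated` before `Inactivity timeout (--ping-restart)` means the server never completed its side, which is consistent with the certificate-configuration fix the original poster reports further down.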



  • Check VPN/OpenVPN/Clients/Edit. That is where your problem exists on ExpressVPN. Without the correct configuration, you will not be able to connect.



  • Here are my custom settings

    remote-random;
    pull;
    verify-x509-name Server name-prefix;
    remote-cert-tls server;
    key-direction 1;
    route-method exe;
    route-delay 2;
    tun-mtu 1500;
    fragment 1300;
    mssfix 1450;
    auth-nocache;
    

    Screen settings below

    Server Mode : peer to peer SSL/TLS
    Protocol: UDP
    Device Mode: TUN
    Interface: WAN
    Server Port: 1195
    TLS Config: Use a TLS Key
    (looks like you have all the keys properly)
    Encryption Algorithm: AES-256-CBC
    Enable NCP: uncheck
    Auth Digest Algorithm: SHA512
    Hardware Crypto: depends on your system (No Hardware normal)
    Compression: LZO Compression [compress lzo....]
    Topology: Subnet - One IP
    Don't Pull Routes: unchecked
    Don't Add/Remove route: unchecked
    UDP Fast IO: checked
    Send/Receive Buffer: 512K
    Gateway: IPv4 only
    

    The above settings work fine with a single ExpressVPN connection.
    I had a problem with the package manager not connecting when using the Rotterdam access point.
    I changed the access point and the problem was solved, so you might also want to try that.

    The only problem I currently have is connecting to two access points in a Member Down mode.
    As soon as the second client is up, the routing for certain services, e.g. Android and Linux updates, breaks (although browsing works).



  • @gwaitsi said in ExpressVPN down on pfsense 2.4.4:

    Here are my custom settings

    remote-random;
    pull;
    verify-x509-name Server name-prefix;
    remote-cert-tls server;
    key-direction 1;
    route-method exe;
    route-delay 2;
    tun-mtu 1500;
    fragment 1300;
    mssfix 1450;
    auth-nocache;
    

    Screen settings below

    Server Mode : peer to peer SSL/TLS
    Protocol: UDP
    Device Mode: TUN
    Interface: WAN
    Server Port: 1195
    TLS Config: Use a TLS Key
    (looks like you have all the keys properly)
    Encryption Algorithm: AES-256-CBC
    Enable NCP: uncheck
    Auth Digest Algorithm: SHA512
    Hardware Crypto: depends on your system (No Hardware normal)
    Compression: LZO Compression [compress lzo....]
    Topology: Subnet - One IP
    Don't Pull Routes: unchecked
    Don't Add/Remove route: unchecked
    UDP Fast IO: checked
    Send/Receive Buffer: 512K
    Gateway: IPv4 only
    

    The above settings work fine with a single ExpressVPN connection.
    I had a problem with the package manager not connecting when using the Rotterdam access point.
    I changed the access point and the problem was solved, so you might also want to try that.

    The only problem I currently have is connecting to two access points in a Member Down mode.
    As soon as the second client is up, the routing for certain services, e.g. Android and Linux updates, breaks (although browsing works).

    Looks fine to me, I have a similar conf.

    dev ovpnc1
    verb 3
    dev-type tun
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA512
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local MYIPADDRESS
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote usa-washingtondc-ca-version-2.expressnetw.com 1195
    auth-user-pass /var/etc/openvpn/client1.up
    auth-retry nointeract
    ca /var/etc/openvpn/client1.ca
    cert /var/etc/openvpn/client1.cert
    key /var/etc/openvpn/client1.key
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    ncp-disable
    comp-lzo adaptive
    resolv-retry infinite
    route-nopull
    fast-io
    sndbuf 524288
    rcvbuf 524288
    fast-io
    persist-key
    persist-tun
    remote-random
    pull
    comp-lzo
    tls-client
    verify-x509-name Server name-prefix
    ns-cert-type server
    key-direction 1
    route-method exe
    route-delay 2
    tun-mtu 1500
    fragment 1300
    mssfix 1450
    verb 3
    sndbuf 524288
    rcvbuf 524288
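The config above is what pfSense writes to `/var/etc/openvpn/clientN.conf`: the GUI-generated part first, then the Custom options box appended verbatim, which is why `fast-io`, `persist-key`, `tls-client`, `verb 3` and the buffer sizes appear twice. The linter below is an added example, not code from the thread or from pfSense. It flags the three things OpenVPN's own log warned about in the first post (`ns-cert-type`, no `auth-nocache` next to `auth-user-pass`, a group/other-readable credentials file), reports every duplicated directive, and prints a cleaned copy. The sample config is a trimmed copy of the one posted above; the `cred_mode` parameter is an assumption of this script so the permission check can be exercised on a config copied off the firewall.

```python
"""Lint an OpenVPN client config as pfSense writes it (/var/etc/openvpn/clientN.conf).

Added example, not code from the thread or from pfSense: it flags the things
OpenVPN's own log warned about (ns-cert-type, missing auth-nocache, a
group/other-readable auth-user-pass file) plus directives the Custom options
box duplicated, and prints a cleaned copy. The sample config is a trimmed copy
of the one posted in the thread."""
import os
import stat
from collections import Counter
from typing import List, Optional, Tuple

SAMPLE_CONF = """\
dev ovpnc1
verb 3
persist-tun
persist-key
cipher AES-256-CBC
auth SHA512
tls-client
client
remote usa-washingtondc-ca-version-2.expressnetw.com 1195
auth-user-pass /var/etc/openvpn/client1.up
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
fast-io
sndbuf 524288
rcvbuf 524288
# everything below came from the Custom options box
fast-io
persist-key
persist-tun
remote-random
pull
comp-lzo
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
verb 3
sndbuf 524288
rcvbuf 524288
"""


def parse(conf: str) -> List[Tuple[str, str]]:
    """(directive, arguments) pairs; '#'/';' comments and trailing ';' dropped."""
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.rstrip(";").split(None, 1)
        out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return out


def lint(conf: str, cred_mode: Optional[int] = None) -> Tuple[List[str], str]:
    """Return (findings, cleaned config).

    cred_mode (assumption of this script) overrides the on-disk permission bits
    of the auth-user-pass file, for linting a config copied off the firewall."""
    items = parse(conf)
    present = {d for d, _ in items}
    findings: List[str] = []

    for d, n in sorted(Counter(d for d, _ in items).items()):
        if n > 1:
            args = sorted({a for dd, a in items if dd == d})
            how = "identical" if len(args) == 1 else "with different arguments %s" % args
            findings.append("%s appears %d times (%s); keep one" % (d, n, how))

    if "ns-cert-type" in present:
        findings.append("ns-cert-type is deprecated; use 'remote-cert-tls server' instead")
    if "auth-user-pass" in present and "auth-nocache" not in present:
        findings.append("auth-user-pass without auth-nocache: the password stays cached in process memory")

    cred = next((a for d, a in items if d == "auth-user-pass" and a), None)
    mode = cred_mode
    if cred and mode is None and os.path.exists(cred):
        mode = stat.S_IMODE(os.stat(cred).st_mode)
    if cred and mode is not None and mode & 0o077:
        findings.append("%s is mode %o but holds the VPN password; make it 0600" % (cred, mode))

    # Cleaned copy: first occurrence of each exact line wins, ns-cert-type is
    # rewritten, and auth-nocache goes right after auth-user-pass if missing.
    seen, cleaned = set(), []
    for d, a in items:
        if d == "ns-cert-type":
            d, a = "remote-cert-tls", "server"
        line = (d + " " + a).strip()
        if line in seen:
            continue
        seen.add(line)
        cleaned.append(line)
        if d == "auth-user-pass" and "auth-nocache" not in present:
            cleaned.append("auth-nocache")
    return findings, "\n".join(cleaned) + "\n"


if __name__ == "__main__":
    # 0644 stands in for the "group or others accessible" mode the log reported.
    found, fixed = lint(SAMPLE_CONF, cred_mode=0o644)
    for f in found:
        print("finding:", f)
    print(fixed)
```

The cleaned output is for reading, not for pasting back: pfSense regenerates the file from the GUI on every save, so the durable fix is to trim the Custom options box to the directives the GUI does not already emit and to select `remote-cert-tls server` style verification there, as the second reply's working custom options do.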



  • @epsense did you try to set up two access points as a failover?
    I still get some strange issue where Linux machines can't find the package mirrors or have very low bandwidth if I do, but everything else seems to work OK.



  • I managed to resolve my issue. It was an issue with the certificate configuration; I recreated it and it's working now.

    Thanks for the response :)



  • @gwaitsi said in ExpressVPN down on pfsense 2.4.4:

    @epsense did you try to set up two access points as a failover?
    I still get some strange issue where Linux machines can't find the package mirrors or have very low bandwidth if I do, but everything else seems to work OK.

    Not yet, I'm still messing around. When I stop the VPN and try to restart it, it won't connect and still says it's pending. Then I go to System/Routing and change to DHCP4, and my VPN starts back up. Once it did, I had to change DHCP4 back to EXPRESSVPN_VPN4, and then it started to tunnel correctly.



  • @FuturamaPhill what did you do? I am facing similar issues.

