ExpressVPN down on pfsense 2.4.4
- 
 Hi, I've been having some trouble getting my VPN to work on my pfsense firewall. I followed the guide on ExpressVPN's website but it's still showing as down, and their support advised I post here. My firewall separates my lab environment from my home network, so it actually has two private IPs, one on the LAN and one on the "WAN". I have an internet connection on my lab environment and it is going through the firewall, but for some reason the VPN won't connect. I've posted the log info for the VPN below, but I wasn't able to find an obvious error. I'm hoping a fresh set of more experienced eyes may be able to tell me where I'm going wrong? Any help is much appreciated!

 Feb 24 20:29:05 openvpn 58820 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
 Feb 24 20:29:05 openvpn 58820 Socket Buffers: R=[42080->524288] S=[57344->524288]
 Feb 24 20:29:05 openvpn 58820 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
 Feb 24 20:29:05 openvpn 58820 UDPv4 link remote: [AF_INET]78.129.233.144:1195
 Feb 24 20:29:05 openvpn 58820 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=63d2c1f8 213e455a
 Feb 24 20:29:05 openvpn 58820 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
 Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
 Feb 24 20:29:05 openvpn 58820 VERIFY OK: nsCertType=SERVER
 Feb 24 20:29:05 openvpn 58820 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
 Feb 24 20:29:05 openvpn 58820 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
 Feb 24 20:29:10 openvpn 58820 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
 Feb 24 20:29:10 openvpn 58820 MANAGEMENT: CMD 'state 1'
 Feb 24 20:29:10 openvpn 58820 MANAGEMENT: Client disconnected
 Feb 24 20:29:15 openvpn 58820 event_wait : Interrupted system call (code=4)
 Feb 24 20:29:15 openvpn 58820 SIGTERM[hard,] received, process exiting
 Feb 24 20:29:22 openvpn 94263 WARNING: file '/var/etc/openvpn/client1.up' is group or others accessible
 Feb 24 20:29:22 openvpn 94263 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 3 2018
 Feb 24 20:29:22 openvpn 94263 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
 Feb 24 20:29:22 openvpn 94518 MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
 Feb 24 20:29:22 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
 Feb 24 20:29:22 openvpn 94518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Feb 24 20:29:22 openvpn 94518 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
 Feb 24 20:29:22 openvpn 94518 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
 Feb 24 20:29:22 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.233.144:1195
 Feb 24 20:29:22 openvpn 94518 Socket Buffers: R=[42080->524288] S=[57344->524288]
 Feb 24 20:29:22 openvpn 94518 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
 Feb 24 20:29:22 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.233.144:1195
 Feb 24 20:29:22 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.233.144:1195, sid=9715f081 ba9e90af
 Feb 24 20:29:22 openvpn 94518 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
 Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
 Feb 24 20:29:22 openvpn 94518 VERIFY OK: nsCertType=SERVER
 Feb 24 20:29:22 openvpn 94518 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
 Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-205-1a, emailAddress=support@expressvpn.com
 Feb 24 20:29:27 openvpn 94518 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
 Feb 24 20:29:27 openvpn 94518 MANAGEMENT: CMD 'state 1'
 Feb 24 20:29:27 openvpn 94518 MANAGEMENT: Client disconnected
 Feb 24 20:30:22 openvpn 94518 [Server-205-1a] Inactivity timeout (--ping-restart), restarting
 Feb 24 20:30:22 openvpn 94518 SIGUSR1[soft,ping-restart] received, process restarting
 Feb 24 20:30:22 openvpn 94518 Restart pause, 10 second(s)
 Feb 24 20:30:32 openvpn 94518 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
 Feb 24 20:30:32 openvpn 94518 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Feb 24 20:30:32 openvpn 94518 TCP/UDP: Preserving recently used remote address: [AF_INET]78.129.231.93:1195
 Feb 24 20:30:32 openvpn 94518 Socket Buffers: R=[42080->524288] S=[57344->524288]
 Feb 24 20:30:32 openvpn 94518 UDPv4 link local (bound): [AF_INET]192.168.1.215:0
 Feb 24 20:30:32 openvpn 94518 UDPv4 link remote: [AF_INET]78.129.231.93:1195
 Feb 24 20:30:32 openvpn 94518 TLS: Initial packet from [AF_INET]78.129.231.93:1195, sid=5326bff1 1733fd96
 Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
 Feb 24 20:30:32 openvpn 94518 VERIFY OK: nsCertType=SERVER
 Feb 24 20:30:32 openvpn 94518 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
 Feb 24 20:30:32 openvpn 94518 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-206-1a, emailAddress=support@expressvpn.com
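An added example, not from the thread: a small Python script that reads a client log like the one above and reports the furthest handshake milestone each OpenVPN process reached before a restart. The sample lines are constructed (addresses and names changed), and the milestone-to-advice mapping is the editor's reading of the OpenVPN client log sequence, not ExpressVPN's or pfSense's guidance.

```python
import re

# Constructed sample modelled on the log above (addresses and names changed).
SAMPLE_LOG = """\
Feb 24 20:29:22 openvpn 94518 UDPv4 link remote: [AF_INET]198.51.100.10:1195
Feb 24 20:29:22 openvpn 94518 TLS: Initial packet from [AF_INET]198.51.100.10:1195, sid=9715f081 ba9e90af
Feb 24 20:29:22 openvpn 94518 VERIFY OK: depth=0, C=VG, O=ExampleVPN, CN=Server-205-1a
Feb 24 20:30:22 openvpn 94518 [Server-205-1a] Inactivity timeout (--ping-restart), restarting
Feb 24 20:30:22 openvpn 94518 SIGUSR1[soft,ping-restart] received, process restarting
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) openvpn (?P<pid>\d+) (?P<msg>.*)$")
# Milestones in the order a healthy client passes them; the furthest one reached
# before a restart tells you which layer to inspect.
MILESTONES = [
    ("link", re.compile(r"link remote:")),
    ("tls_init", re.compile(r"TLS: Initial packet from")),
    ("srv_cert", re.compile(r"VERIFY OK: depth=0")),
    ("push", re.compile(r"PUSH: Received control message")),
    ("complete", re.compile(r"Initialization Sequence Completed")),
]
STAGES = ["none"] + [name for name, _ in MILESTONES]
RESTART_RE = re.compile(r"ping-restart|TLS Error|AUTH_FAILED|VERIFY ERROR")

ADVICE = {
    "none": "no remote reached: check the bound interface, its gateway and outbound rules",
    "link": "nothing back from the server: port/protocol mismatch, or tls-auth HMAC mismatch (dropped silently)",
    "tls_init": "server cert not verified: CA file or verify-x509-name value does not match",
    "srv_cert": "server cert verified but nothing pushed: check the client cert/key pair and auth-user-pass credentials",
    "push": "options pushed but tunnel never completed: check cipher, auth digest and compression",
    "complete": "connection established",
}

def diagnose(log):
    """Return {pid: {stage, restart, advice}} for each OpenVPN process seen in the log."""
    procs = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = procs.setdefault(m["pid"], {"stage": 0, "restart": None})
        for i, (_, rx) in enumerate(MILESTONES, start=1):
            if rx.search(m["msg"]):
                rec["stage"] = max(rec["stage"], i)
        if rec["restart"] is None and RESTART_RE.search(m["msg"]):
            rec["restart"] = m["msg"]
    for rec in procs.values():
        rec["stage"] = STAGES[rec["stage"]]
        rec["advice"] = ADVICE[rec["stage"]]
    return procs
```

On the log above it stops at srv_cert: the server's certificate verified, but no PUSH_REPLY or "Initialization Sequence Completed" arrived before the ping-restart, which points at the client's own certificate or credentials rather than the CA.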
- 
 Check VPN/OpenVPN/Clients > Edit. That is where your problem exists with ExpressVPN. Without the correct configuration, you will not be able to connect.
- 
 Here are my custom settings:
 remote-random; pull; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; auth-nocache;

 Screen settings below:
 Server Mode: Peer to Peer SSL/TLS
 Protocol: UDP
 Device Mode: TUN
 Interface: WAN
 Server Port: 1195
 TLS Config: Use a TLS Key (looks like you have all the keys properly)
 Encryption Algorithm: AES-256-CBC
 Enable NCP: unchecked
 Auth Digest Algorithm: SHA512
 Hardware Crypto: depends on your system (No Hardware normal)
 Compression: LZO Compression [compress lzo....]
 Topology: Subnet - One IP
 Don't Pull Routes: unchecked
 Don't Add/Remove Routes: unchecked
 UDP Fast I/O: checked
 Send/Receive Buffer: 512K
 Gateway: IPv4 only

 The above settings work fine with a single ExpressVPN connection.
 I had a problem with the package manager not connecting when using the Rotterdam access point.
 I changed the access point and the problem was solved, so you might also want to try that.

 The only problem I currently have is connecting to two access points in a member down mode.
 As soon as the second client is up, the routing for certain services, e.g. Android and Linux updates, breaks (although browsing works).
- 
 @gwaitsi said in ExpressVPN down on pfsense 2.4.4:
 Here are my custom settings:
 remote-random; pull; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450; auth-nocache;

 Screen settings below:
 Server Mode: Peer to Peer SSL/TLS
 Protocol: UDP
 Device Mode: TUN
 Interface: WAN
 Server Port: 1195
 TLS Config: Use a TLS Key (looks like you have all the keys properly)
 Encryption Algorithm: AES-256-CBC
 Enable NCP: unchecked
 Auth Digest Algorithm: SHA512
 Hardware Crypto: depends on your system (No Hardware normal)
 Compression: LZO Compression [compress lzo....]
 Topology: Subnet - One IP
 Don't Pull Routes: unchecked
 Don't Add/Remove Routes: unchecked
 UDP Fast I/O: checked
 Send/Receive Buffer: 512K
 Gateway: IPv4 only

 The above settings work fine with a single ExpressVPN connection.
 I had a problem with the package manager not connecting when using the Rotterdam access point.
 I changed the access point and the problem was solved, so you might also want to try that.

 The only problem I currently have is connecting to two access points in a member down mode.
 As soon as the second client is up, the routing for certain services, e.g. Android and Linux updates, breaks (although browsing works).

 Looks fine to me, I have similar conf.

 dev ovpnc1
 verb 3
 dev-type tun
 dev-node /dev/tun1
 writepid /var/run/openvpn_client1.pid
 #user nobody
 #group nobody
 script-security 3
 daemon
 keepalive 10 60
 ping-timer-rem
 persist-tun
 persist-key
 proto udp4
 cipher AES-256-CBC
 auth SHA512
 up /usr/local/sbin/ovpn-linkup
 down /usr/local/sbin/ovpn-linkdown
 local MYIPADDRESS
 tls-client
 client
 lport 0
 management /var/etc/openvpn/client1.sock unix
 remote usa-washingtondc-ca-version-2.expressnetw.com 1195
 auth-user-pass /var/etc/openvpn/client1.up
 auth-retry nointeract
 ca /var/etc/openvpn/client1.ca
 cert /var/etc/openvpn/client1.cert
 key /var/etc/openvpn/client1.key
 tls-auth /var/etc/openvpn/client1.tls-auth 1
 ncp-disable
 comp-lzo adaptive
 resolv-retry infinite
 route-nopull
 fast-io
 sndbuf 524288
 rcvbuf 524288
 fast-io
 persist-key
 persist-tun
 remote-random
 pull
 comp-lzo
 tls-client
 verify-x509-name Server name-prefix
 ns-cert-type server
 key-direction 1
 route-method exe
 route-delay 2
 tun-mtu 1500
 fragment 1300
 mssfix 1450
 verb 3
 sndbuf 524288
 rcvbuf 524288
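An added example, not from the thread: a Python linter for a pfSense-generated client config like the one above. It flags the deprecated ns-cert-type directive the client log itself warns about, directives repeated because the custom options box is appended verbatim, auth-user-pass without auth-nocache (the log's other warning), route-nopull next to pull, and a tls-auth direction that disagrees with key-direction. SAMPLE_CONF is a constructed excerpt, not the poster's file.

```python
from collections import Counter

# Constructed excerpt modelled on the config above (hostname changed, lines trimmed).
SAMPLE_CONF = """\
dev ovpnc1
client
remote vpn.example.net 1195
auth-user-pass /var/etc/openvpn/client1.up
tls-auth /var/etc/openvpn/client1.tls-auth 1
route-nopull
fast-io
pull
ns-cert-type server
key-direction 1
fast-io
"""

# Directive -> replacement, exactly as the client log recommends.
DEPRECATED = {"ns-cert-type": "remote-cert-tls server"}

def lint(conf):
    """Return a list of (severity, message) findings for an OpenVPN client config."""
    directives = [l.strip().partition(" ")[::2] for l in conf.splitlines()
                  if l.strip() and not l.lstrip().startswith("#")]
    names = Counter(n for n, _ in directives)
    args = dict(directives)  # last occurrence of each directive wins for lookups
    findings = []
    for name, repl in DEPRECATED.items():
        if name in names:
            findings.append(("warn", f"{name} is deprecated; use '{repl}' instead"))
    # pfSense appends the custom options box verbatim, so repeats are easy to create.
    for name, n in names.items():
        if n > 1:
            findings.append(("info", f"{name} appears {n} times; remove the repeat from the custom options"))
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append(("warn", "auth-user-pass without auth-nocache: credentials may stay cached in memory"))
    if "route-nopull" in names and "pull" in names:
        findings.append(("info", "route-nopull is set: routes and DNS pushed by the server are ignored even though pull is present"))
    ta = args.get("tls-auth", "").split()
    if len(ta) == 2 and "key-direction" in args and ta[1] != args["key-direction"]:
        findings.append(("warn", f"tls-auth direction {ta[1]} disagrees with key-direction {args['key-direction']}"))
    return findings
```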
- 
 @epsense did you try to set up two access points as failover?
 I still get some strange issue where Linux machines can't find the package mirrors or have very low bandwidth if I do, but everything else seems to work OK.
- 
 I managed to resolve my issue. It was an issue with the certificate configuration; I recreated it and it's working now. Thanks for the response :)
- 
 @gwaitsi said in ExpressVPN down on pfsense 2.4.4:
 @epsense did you try to set up two access points as failover?
 I still get some strange issue where Linux machines can't find the package mirrors or have very low bandwidth if I do, but everything else seems to work OK.

 Not yet, I'm still messing around. When I stop the VPN and try to restart it back up, it won't connect, still saying it's pending. Then I go to System/Routing and change to DHCP4, and my VPN starts back up; once it did, I have to change DHCP4 back to EXPRESSVPN_VPN4, and then it starts to tunnel correctly.
- 
 @FuturamaPhill what did you do? I am facing similar issues.
- 
 Not got ExpressVPN, but it sounds like Phill simply re-created or selected his OpenVPN certificates, downloaded a fresh copy and used them instead. pfsense can be tricky: one wrong setting or one wrong copy and paste of a set of certificates and it won't work. It's always best to take your time, re-read the guides and double check your settings; I am still making mistakes from time to time.
