ExpressVPN - Geo-restricted website works when connected through their app over OpenVPN UDP but not through pfSense OpenVPN
-
@vjizzle following this thread because of the same problems with expressvpn.
Even if it's not a technical fix, you could use a UPS so the pfSense box won't go down.
-
@vjizzle said in ExpressVPN - Geo-restricted website works when connected through their app over OpenVPN UDP but not through pfSense OpenVPN:
Thanks for sharing your setting!
When I disable DNS Forwarding in the resolver (like you have) and select my VPN interfaces as outbound interface in DNS Resolver, I always have a DNS leak whenever I restart pfSense. dnsleaktest.com shows me DNS from my ISP. I have to restart the unbound service manually after every reboot to make it use the VPN interface for resolving. This happens on every reboot / boot. And every time it can be fixed by manually restarting unbound. After that no DNS leak until my pfSense restarts :(.
I have been playing with the outbound NAT rules but I can't seem to fix this. Does this sound familiar for anyone?
--edit typos
This is why I have set up DNS servers in the General Setup tab in pfSense and then assigned the VPN interface as the gateway. Then I have Forwarding enabled in DNS Resolver with SSL/TLS. In this way, on every (re)boot of pfSense I can make sure that there is no DNS leak with the DNS IP of my internet provider. Of course dnsleaktest.com is showing multiple Cloudflare and Quad9 DNS servers, but I can live with that.
BTW I am running 3 VPN client connections to ExpressVPN and using a Routing group I am able to have a "fail-over" situation because I sometimes find that my ExpressVPN client disconnects. Those VPN interfaces are the only ones selected in DNS Resolver as outgoing interface. This setup has been tested with only 1 VPN client and shows the same behaviour.
So with this configuration and by trying different ExpressVPN servers I found some of them working fine with Netflix. But I suppose it's just a matter of time before those servers are also blacklisted :P.
The permanent solution here seems to be OpenWRT. For me that is a no go because pfSense is so much more user friendly. Plus I am using Suricata to protect internet exposed servers and with OpenWRT that is a p.i.t.a. to configure.
-
First of all, I'm not a native English speaker so I apologize if I commit any mistake.
I was facing this issue recently with pfSense. In fact, I installed the new pfSense version and this was even worse because the ExpressVPN establishes well but no routing. Similar to what this post is about.
So I saw you guys mentioned that OpenWRT is the solution in this post. Nothing farther away from reality.
OpenWRT for x86_64 machines (which is my case) is a bad choice.
My deployment is:
ISP ——> vlan_10 ——> Vlan Capable 8 port Switch —> Old Laptop with one NIC running pfSense ——> Physical NIC for LAN ———> Same Switch I mentioned before ——> My Lan
OpenWRT didn't manage this deployment well. Constant network issues, reinstalling the image again and again, ethernet interfaces frozen so the local network couldn't reach the appliance. The installation is not user-friendly.
After 5 hours of fighting with OpenWRT, I was about to roll back to pfSense when I found what was, in my case, the solution to geo-restriction: OpnSense.
Yes. OpnSense is like the big brother of pfSense. Similar installation but with a better GUI. I followed the same wiki from ExpressVPN, no issue at all, everything connected at the first attempt.
The changes were with outbound NAT. If you choose Manual NAT, it deletes all rules created automatically, so you have to create your own. In my case the rules are:
I think the trick is in the part I circled. In pfSense, if I am not mistaken, the Target Address is the WAN and not the ExpressVPN (I am not sure). Besides that, the wiki suggests cloning the rules created by pfSense and changing the interface on those. Here I just remove the automatic rules and create mine.
The firewall rules are:
And finally, I enabled Unbound DNS and checked the box for DNS Query Forwarding.
Not geo-restricted, at least on Netflix, nor on Disney Plus. Not sure about other streaming services because I don't use them. Worth trying.
-
@jairoav25
Hi, thanks for sharing this. Can you tell me what DNS servers you have unbound forwarding to? I will post my config later on. Thank you.
-
@jairoav25 said in ExpressVPN - Geo-restricted website works when connected through their app over OpenVPN UDP but not through pfSense OpenVPN:
OpnSense is like the big brother of pfSense
Um....... dispute!
-
Update for everyone:
Avoid using Google Chrome to test DNS leaks or Streaming services.
After messing with several configurations in the DNS part I ended up with these ones:
I tested the ExpressVPN DNS obtained by using the app on the phone and doing a DNS leak test, but in the end I set Cloudflare DNS.
Under System — Settings — General:
I activated DNSSEC, Forwarding, and Unbound as shown below:
Under Services — Unbound DNS — General:
Under Services — DHCPv4 — LAN I left DNS servers blank
Finally, a result: Disney, Amazon Prime, Netflix and a DNS leak test are all working in ExpressVPN with Firefox:
On Google Chrome, it is still showing a DNS leak and Disney Plus doesn't load, and Amazon Prime Video is showing that a VPN is being used. Weird:
Let me know your thoughts on this.
EDIT:
If you want to test DNS leak from CLI:
https://github.com/macvk/dnsleaktest
My results:
❯ ./dnsleaktest.sh
Your IP: 45.41.180.30 [United States of America AS30633 Leaseweb-USA-WDC]
You use 3 DNS servers:
45.41.180.29 [United States of America AS30633 Leaseweb-USA-WDC]
45.41.180.30 [United States of America AS30633 Leaseweb-USA-WDC]
45.41.180.31 [United States of America AS30633 Leaseweb-USA-WDC]
Conclusion: DNS is not leaking.
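The leak check in the output above boils down to comparing the ASN of every observed resolver with the ASN of the VPN egress address. The following script, added here as an example and not part of the thread or of the macvk/dnsleaktest project, parses output in that shape offline and flags any resolver outside the egress ASN, plus the case where the egress itself still sits in the ISP's ASN (tunnel down). The sample text, the second-ASN resolver and the ISP ASN "AS64496" are constructed for illustration; the line format is assumed from the paste above.

```python
"""Parse dnsleaktest.sh-style output and flag DNS resolvers outside the VPN egress ASN."""
import re
from dataclasses import dataclass

# Constructed sample shaped like the thread's paste; the third resolver
# (documentation range 203.0.113.0/24, ASN AS64496) is a made-up leaking server.
SAMPLE_OUTPUT = """\
Your IP: 45.41.180.30 [United States of America AS30633 Leaseweb-USA-WDC]
You use 3 DNS servers:
45.41.180.29 [United States of America AS30633 Leaseweb-USA-WDC]
45.41.180.30 [United States of America AS30633 Leaseweb-USA-WDC]
203.0.113.53 [Netherlands AS64496 Example-ISP]
Conclusion: DNS is not leaking."""

# "<ip> [<country words> AS<n> <org>]", optionally prefixed by "Your IP:".
LINE_RE = re.compile(
    r"^(?:Your IP:\s*)?(\d{1,3}(?:\.\d{1,3}){3})\s*\[(.*?)\s+(AS\d+)\s+(\S+)\]"
)


@dataclass(frozen=True)
class Endpoint:
    ip: str
    country: str
    asn: str
    org: str


def parse_report(text):
    """Return (egress endpoint, list of resolver endpoints) from tool output."""
    egress, resolvers = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # "You use N DNS servers:" / "Conclusion:" carry no endpoint
        ep = Endpoint(*m.groups())
        if line.startswith("Your IP:"):
            egress = ep
        else:
            resolvers.append(ep)
    if egress is None:
        raise ValueError("no 'Your IP' line found in report")
    return egress, resolvers


def assess(text, isp_asns=frozenset()):
    """Flag resolvers whose ASN differs from the egress ASN; isp_asns marks 'VPN is down'."""
    egress, resolvers = parse_report(text)
    return {
        "egress_asn": egress.asn,
        "vpn_active": egress.asn not in isp_asns,  # egress inside the ISP ASN means no tunnel
        "leaks": [r.ip for r in resolvers if r.asn != egress.asn],
    }
```

Feed it the real tool output instead of `SAMPLE_OUTPUT` and put your own ISP's ASN in `isp_asns` to turn a "not leaking" banner into a check you can script after each pfSense reboot.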
-
Hi JairoAV25,
Thank you for doing extensive research on this! I just tried to replicate your settings in pfSense and it did not work for Netflix. I believe the reason why it will not work is that the ExpressVPN app forces your iPhone, iPad or laptop (Mac and Windows) to use the DNS server assigned by ExpressVPN. On my pfSense I use pfBlockerNG, and if I leave the DNS field on the DHCPv4 server empty, pfSense will forward all the DNS requests for my LAN clients through the ExpressVPN tunnel (which will be redirected to the ExpressVPN DNS server), bypassing my pfBlockerNG. BUT I think that is what will make ExpressVPN on pfSense work just like the app on a device :).
I do need pfBlockerNG function so bypassing local DNS on pfSense is not an option. From experience I know that there are other VPN providers which claim (and in fact do!) work with pfSense and Netflix. But all of them specify their own DNS server which you have to enter in pfSense. If only we could get this from ExpressVPN :(
-
@vjizzle
I see. Have you tried to contact ExpressVPN to get the DNS from them? When I was troubleshooting and digging into many posts, I read some people saying that ExpressVPN gave them DNS to set.
Not sure if this was the case before and now they are suggesting Google or Cloudflare DNS. It's worth a try.
-
@jairoav25
Yes, in the past I tried to get DNS from them. Their advice was also to use Google or Cloudflare because officially they don't support pfSense. I have since moved away from ExpressVPN. There are better options out there. Thank you for trying and sharing your experience!