Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    ExpressVPN OpenVPN won't work

    OpenVPN
    2
    4
    196
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      Mahyar last edited by Mahyar

      Hi
      I'm trying to config ExpressVPN OpenVPN on my PfSense but it won't work
      I follow the steps from their guide link
      I config the OpenVPN > Clients & Interfaces & Certificate Manager > CAs & Certificates.
      In status > OpenVPN is UP and Bytes Send / Bytes Received stuck in 10 Kib
      I have 1 WAN Interface - 1 LAN Interface & 1 Wireless Interface with an AP as bridge mode, all interfaces have there own IP ranges
      In NAT > Outbound > NAT Mode, I set to Manual and duplicate all WAN rule and edit them to change the interface to ExpressVPN

      I don't know what is the problem, I think my NAT config is wrong
      I talked to their support and they say it seems all the config is ok
      could you please help me

      screenshot-10.10.2.1-2020.05.25-11-58-50.jpg

      1 Reply Last reply Reply Quote 0
      • Gertjan
        Gertjan last edited by Gertjan

        Hi,

        Is the link itself up :

        6bec814c-552a-4bbb-a8e9-a3e3d8b14648-image.png

        ?

        The Status > System Logs > OpenVPN should show a nice and clean :

        May 25 13:50:59 	openvpn 	81240 	Initialization Sequence Completed
May 25 13:50:59 	openvpn 	81240 	/sbin/route add -net 10.26.0.1 10.26.0.101 255.255.255.255
May 25 13:50:59 	openvpn 	81240 	NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
May 25 13:50:57 	openvpn 	81240 	/usr/local/sbin/ovpn-linkup ovpnc2 1500 1609 10.26.0.102 10.26.0.101 init
May 25 13:50:57 	openvpn 	81240 	/sbin/ifconfig ovpnc2 10.26.0.102 10.26.0.101 mtu 1500 netmask 255.255.255.255 up
May 25 13:50:57 	openvpn 	81240 	TUN/TAP device /dev/tun2 opened
May 25 13:50:57 	openvpn 	81240 	TUN/TAP device ovpnc2 exists previously, keep at program end
May 25 13:50:57 	openvpn 	81240 	ROUTE: default_gateway=UNDEF
May 25 13:50:57 	openvpn 	81240 	GDG: problem writing to routing socket
May 25 13:50:57 	openvpn 	81240 	Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
May 25 13:50:57 	openvpn 	81240 	Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
May 25 13:50:57 	openvpn 	81240 	Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
May 25 13:50:57 	openvpn 	81240 	Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
May 25 13:50:57 	openvpn 	81240 	OPTIONS IMPORT: adjusting link_mtu to 1629
May 25 13:50:57 	openvpn 	81240 	OPTIONS IMPORT: peer-id set
May 25 13:50:57 	openvpn 	81240 	OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
May 25 13:50:57 	openvpn 	81240 	OPTIONS IMPORT: route options modified
May 25 13:50:57 	openvpn 	81240 	OPTIONS IMPORT: --ifconfig/up options modified
May 25 13:50:57 	openvpn 	81240 	OPTIONS IMPORT: compression parms modified
May 25 13:50:57 	openvpn 	81240 	OPTIONS IMPORT: timers and/or timeouts modified
May 25 13:50:57 	openvpn 	81240 	PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.26.0.1,comp-lzo no,route 10.26.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.26.0.102 10.26.0.101,peer-id 14'
May 25 13:50:56 	openvpn 	81240 	SENT CONTROL [Server-3583-0a]: 'PUSH_REQUEST' (status=1)
May 25 13:50:55 	openvpn 	81240 	[Server-3583-0a] Peer Connection Initiated with [AF_INET]203.159.81.117:1195
May 25 13:50:55 	openvpn 	81240 	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 25 13:50:55 	openvpn 	81240 	VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3583-0a, emailAddress=support@expressvpn.com
May 25 13:50:55 	openvpn 	81240 	VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3583-0a, emailAddress=support@expressvpn.com
May 25 13:50:55 	openvpn 	81240 	VERIFY EKU OK
May 25 13:50:55 	openvpn 	81240 	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 25 13:50:55 	openvpn 	81240 	Validating certificate extended key usage
May 25 13:50:55 	openvpn 	81240 	VERIFY KU OK
May 25 13:50:55 	openvpn 	81240 	VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
May 25 13:50:55 	openvpn 	81240 	TLS: Initial packet from [AF_INET]203.159.81.117:1195, sid=294262f8 1152496c
May 25 13:50:55 	openvpn 	81240 	UDPv4 link remote: [AF_INET]203.159.81.117:1195
May 25 13:50:55 	openvpn 	81240 	UDPv4 link local (bound): [AF_INET]192.168.10.2:0
May 25 13:50:55 	openvpn 	81240 	Socket Buffers: R=[42080->524288] S=[57344->524288]
May 25 13:50:55 	openvpn 	81240 	TCP/UDP: Preserving recently used remote address: [AF_INET]203.159.81.117:1195
May 25 13:50:55 	openvpn 	81240 	Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 25 13:50:55 	openvpn 	81240 	Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
May 25 13:50:55 	openvpn 	81240 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 25 13:50:55 	openvpn 	81240 	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client2.sock
May 25 13:50:55 	openvpn 	80908 	library versions: OpenSSL 1.0.2u-freebsd 20 Dec 2019, LZO 2.10
May 25 13:50:55 	openvpn 	80908 	OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 4 2020

        Then, goto Firewall > NAT > Outbound and switch to "Manual Outbound NAT rule generation." and Save.
        "Clone" your "Local Network" to WAN NAT rule :

        7ee55625-ae9c-45ee-a6e8-5b360b3369e2-image.png

        Do this for all local networks that need VPN access (192.168.2.0/24 etc)

        No need to do anything with the IPv6 networks. Your VPN ISP doesn't speak "IPv6" (to be verified).

        Also : goto System > Routing > Gateways and edit your "VPN CLIENT" gateway.

        Enter an IPv4 that actually replies on ping - I took a IPv4 from one of my dedicated servers "some where on the net".

        1688f68f-7c87-4cfd-88cf-19cbb60d6a15-image.png

        For me, it seems that the VPN gateway IP doesn't reply on ping, so the gateway monitoring persist in showing the interface is down.
        Save.

        By now, you should see :
        6d1558dc-dbe0-4d84-ad8a-6e3d8f72be92-image.png

        While here System > Routing > Gateways, select / activate the "VPN CLIENT" gateway as the default "Default gateway IPv4".

        M 1 Reply Last reply Reply Quote 0
        • M
          Mahyar @Gertjan last edited by

          @Gertjan
          Thank you in advance
          as you can see my connection is up, in fact in traffic graph is showing that I have Send but I don't have any received
          Annotation 2020-05-25 120357.jpg

          Annotation 2020-05-25 165747.jpg

          This is my OpenVPN system log:
          screenshot-10.10.2.1-2020.05.25-16-53-05.jpg

          This is my NAT config:
          Annotation 2020-05-25 170806.jpg

          I'm sorry but I don't understand what should I do in gateway
          Annotation 2020-05-25 165656.jpg

          1 Reply Last reply Reply Quote 0
          • Gertjan
            Gertjan last edited by

            0d3ea926-0ee8-448a-b636-d2f2ae2835a6-image.png

            This is a selectable list.
            So select your EXPRESS as the default gateway ... )

            Like :

            @Gertjan said in ExpressVPN OpenVPN won't work:

            While here System > Routing > Gateways, select / activate the "VPN CLIENT" gateway as the default "Default gateway IPv4".

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense Plus
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy