Netgate Discussion Forum

Setting up ExpressVPN using OpenVPN

32 Posts 4 Posters 1.6k Views
  • M
    marksinister
    last edited by Dec 7, 2024, 11:48 AM

    Setup Tutorials
    How to set up ExpressVPN on pfSense (OpenVPN)

    https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

    I followed this tutorial to set up ExpressVPN on my pfSense that I've been working on for about a month now. I followed everything to the letter. I can see in the status under OpenVPN that the VPN is connected to the ExpressVPN server.

    But whenever I go to check on one of those sites to see what my IP is, they all say my Cable company IP or it says you're not using a VPN? Does anyone know how to fix this issue?

    I contacted ExpressVPN support and they told me to come here for help.

    • T
      The Party of Hell No
      last edited by Dec 9, 2024, 12:25 AM

      It connects correctly? But when you check a site like "Whats my IP" it says your IP is the one assigned by your ISP?

      If this is the case, go to firewall - rules - LAN (Whatever you call your LAN) - select it and scroll to the second to last rule, the IPv4 connect to any rule - select the pencil (Edit) scroll down the rule to advanced settings - select and scroll way down to Gateway and using the caret change the gateway from the WAN to the ExpressVPN gateway - save and go back to the web GUI.

      Test and see if the IP has changed. If not you may have to reset the states on the WEB GUI page. Then retest.

      • G
        Gertjan @marksinister
        last edited by Dec 9, 2024, 8:59 AM

        @marksinister said in Setting up ExpressVPN using OpenVPN:

        I followed this tutorial to set up ExpressVPN on my pfSense that I've been working on for about a month now. I followed everything to the letter. I can see in the status under OpenVPN that the VPN is connected to the ExpressVPN server.

        "Connected" is just the start.
        As soon as it is connected, you have a second (or even third) WAN type interface.
        You have to tell 'pfSense' to use this OpenVPN (client) interface instead of the classic WAN interface.

        It's here : https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/#route

        Btw : make life easy on yourself, start with 1 (one) active OpenVPN interface, not 2.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • M
          marksinister @The Party of Hell No
          last edited by Dec 10, 2024, 7:32 AM

          @The-Party-of-Hell-No

          You mean this?

          This was already set. I followed the ExpressVPN tutorial to the letter. I even had the ExpressVPN support walk me through it. The reason why I'm here is because ExpressVPN support told me to come here because their tutorial is on an older version of the program.

          If there's any screenshots you would like me to show you I'll send them.

          • M
            marksinister @Gertjan
            last edited by Dec 10, 2024, 7:39 AM

            @Gertjan

            You mean this?

            link text

            I followed that tutorial to the letter. I even had ExpressVPN support walk me through it for an hour. They told me to come here because their tutorial was on the old version of pfSense. That's why they told me to ask the Netgate forums. They sent me the link to sign up here.

            If you want more screenshots let me know.

            • S
              stephenw10 Netgate Administrator
              last edited by Dec 10, 2024, 10:48 AM

              Let's see your LAN firewall rules. Or rules from whatever interface you're testing from.

              • G
                Gertjan @marksinister
                last edited by Dec 10, 2024, 10:48 AM

                @marksinister said in Setting up ExpressVPN using OpenVPN:

                You mean this?

                link text

                No sure.
                This https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/#route

                That guide is somewhat older now, true.
                The last time I tried it, it 'worked' - but I'm pretty sure that "doing things" by the letter will create a non-working setup, as things 'do change'.

                • M
                  marksinister @stephenw10
                  last edited by Dec 12, 2024, 8:30 AM

                  @stephenw10

                  Sorry for the late reply. Here are the screenshots for firewall rules.

                  Firewall Rules LAN page

                  The rule with the Red "X" was the first time I tried to follow the tutorial before I called ExpressVPN for help. I disabled that one, or I hope it's disabled here.

                  Next is the QNCNet Aliases page.

                  Next is the ExpressVPN Gateway setting for the New Jersey 3 connection.

                  Next is the ExpressVPN NJ Rule.

                  And last is the LAN edit page.

                  Let me know if I missed anything?

                  • M
                    marksinister @Gertjan
                    last edited by Dec 12, 2024, 8:34 AM

                    @Gertjan That is why ExpressVPN pointed me to this forum to try to resolve the problem, because when they were walking me through it, they noticed that most of the settings were not showing up in the new version.

                    I just submitted screenshots of my firewall rules to stephenw comment post if you want to take a look at it. Any advice would be very helpful.

                    • S
                      stephenw10 Netgate Administrator
                      last edited by Dec 12, 2024, 1:42 PM

                      Ok, well that should work as long as the EXPRESSVPNNEWJERSEY3 gateway is on-line and you are testing from a client within the QNCnet alias (192.168.4.0/24).

                      What is the QNCnet alias? Why not just use the LAN subnet there?

                      The rule shows only one state and 10k of traffic so it is matching something, but not much.

                      That rule you have with the red X on it can never match anything, I assume that's why it's disabled. And has the red X!

                      • S
                        stephenw10 Netgate Administrator
                        last edited by Dec 12, 2024, 1:46 PM

                        Let's see your outbound NAT settings too.

                        The ExpressVPN walkthrough has you edit the WAN rule which would disable traffic leaving the WAN directly. That's what many customers would want but I always advise against it. However you are still seeing traffic leave the WAN and get replies so your rules must still include that.

                        • G
                          Gertjan @marksinister
                          last edited by Gertjan Dec 12, 2024, 3:16 PM Dec 12, 2024, 2:57 PM

                          @marksinister

                          This :
                          98714aa9-76e7-426e-9a02-0100bc47ef78-image.png

                          comes from where ?

                          Your pfSense LAN uses 192.168.1.x/24 with pfSense LAN being 192.168.1.1.
                          So, every device on that LAN will use something between 192.168.1.2 to 192.168.1.254 ?
                          Right ?

                          Yet you introduced a rule on the LAN interface that says : allow only traffic coming from a source IP named (alias) ALBERCURQUIVPN. I don't know what that alias stands for but I'm pretty sure it isn't 192.168.1.1/24 so that rule can never match/apply.
                          After all, the source IP can only be, on your pfSense LAN : 192.168.1.2 to 192.168.1.254.
                          Right ?

                          • M
                            marksinister @Gertjan
                            last edited by Dec 13, 2024, 8:13 AM

                            @Gertjan

                            "Your pfSense LAN uses 192.168.1.x/24 with pfSense LAN being 192.168.1.1."

                            My LAN is 192.168.4.x. The machine that connects to the internet through pfSense uses 192.168.4.35. The pfSense LAN IP is actually 192.168.4.188. It's a long story why it's that. But anyway my computer connects fine to the internet. I just have no VPN connection.

                            "Yet you introduced a rule on the LAN interface that says : allow only traffic coming from a source IP named (alias) ALBERCURQUIVPN."

                            No, that was from my first ExpressVPN tutorial attempt. When they said to give it a description I didn't know what name to call my LAN that was connecting to the "Albuquerque Server" so I named my LAN that so I could know what server it is connecting to. I was planning to make a bunch of different connections, such as one to New York, one to London, one to Japan, etc... So I didn't know if I would have to make a new LAN Subnet every time I needed to make a VPN server connection.

                            The QNCNet Subnet was just a test name I used when I was walking through the tutorial with the ExpressVPN support guy.
                            If the connection worked and I had to make a Subnet for every connection I would've probably just appended the server name to the end of it if I had to make a subnet every time I needed to make a VPN server. That's what I thought.

                            • M
                              marksinister @stephenw10
                              last edited by Dec 13, 2024, 8:22 AM

                              @stephenw10

                              "What is the QNCnet alias? Why not just use the LAN subnet there?"

                              QNCNet Alias should be my Subnet. It was just a description. I didn't understand what to name it. I didn't want to put something generic like LAN Subnet because I didn't know if I would have to make a new subnet every time I wanted to make a different VPN server setup.

                              I didn't know if I made a connection to New York Server if I would have to make a LAN Subnet - New York, and if I made a London Server I would have to make a LAN Subnet - London, and so on and so on.

                              I was planning to make connections to a bunch of the ExpressVPN servers so I can switch to different ones when I needed to.

                              "That rule you have with the red X on it can never match anything, I assume that's why it's disabled. And has the red X!"

                              This was my first attempt at following the tutorial. When I contacted ExpressVPN support they told me to start over from scratch. So I just disabled that from there (I hope it's disabled) and they walked me through the other connection that I made.

                              I didn't delete anything because I didn't want to delete a setting and then my machine wouldn't connect to the internet at all. The only thing I had working was the machine on the network can get on the internet. So I didn't want to delete anything just in case I can't figure out how to get my machine back on the internet.

                              • M
                                marksinister @stephenw10
                                last edited by Dec 13, 2024, 8:43 AM

                                @stephenw10

                                @stephenw10 said in Setting up ExpressVPN using OpenVPN:

                                The ExpressVPN walkthrough has you edit the WAN rule which would disable traffic leaving the WAN directly. That's what many customers would want but I always advise against it. However you are still seeing traffic leave the WAN and get replies so your rules must still include that.

                                I'm kind of confused about this? I don't want to connect through the internet through the WAN. I want to connect to the internet through the VPN. When I tried disabling the WAN I have no internet access at all. So when I leave it enabled I get internet access. But no VPN security.

                                Here's the Outbound settings. I'm only going into the New Jersey VPN since it's supposed to be a clone of the WAN connection. I'm going to post every setting from top to bottom.

                                That should be all 6 connections cloned from the WAN connection.

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Dec 13, 2024, 2:52 PM

                                  Ok the problem is that in the cloned outbound NAT rules the translation address is still set to WAN address and it should be EXPRESSVPNNEWJERSEY3 address.

                                  You almost certainly don't need the IPSec specific port 500 rules on any interface. Those are only used if you have IPSec clients behind the firewall.

                                  • M
                                    marksinister @stephenw10
                                    last edited by Dec 15, 2024, 12:04 PM

                                    @stephenw10

                                    Hi, I changed all the clones to the ExpressVPN New Jersey Translation address instead of WAN but it's still saying my local ISP address on all the MyIP websites.

                                    I really thought that was my mistake. But it seems it was not. 😧

                                    I didn't change the IPSec because I didn't know what to change it to.

                                    • S
                                      stephenw10 Netgate Administrator
                                      last edited by Dec 16, 2024, 1:53 PM

                                      You can just remove those IPSec specific rules. They don't do anything unless you have IPSec clients behind the firewall.

                                      The rules translating traffic from LAN out of the VPN look correct now though.

                                      So are the firewall rules still the same? So you see data/connections against the policy routing rules?

                                      • M
                                        marksinister @stephenw10
                                        last edited by Dec 17, 2024, 10:35 PM

                                        @stephenw10

                                        @stephenw10 said in Setting up ExpressVPN using OpenVPN:

                                        You can just remove those IPSec specific rules. They don't do anything unless you have IPSec clients behind the firewall.

                                        So you're saying just delete it out and leave it blank?

                                        @stephenw10 said in Setting up ExpressVPN using OpenVPN:

                                        So are the firewall rules still the same? So you see data/connections against the policy routing rules?

                                        I didn't change anything since the last set of screenshots. The only thing I changed was the clones that you told me to change.

                                        How do I check to see data/connections against the policy routing rules? The only thing I know to do is going on Google and searching for a myip website to see if they can see my ISP IP address.

                                        What am I supposed to look for when I check wherever I'm supposed to check?

                                        • S
                                          stephenw10 Netgate Administrator @marksinister
                                          last edited by Dec 17, 2024, 11:22 PM

                                          @marksinister said in Setting up ExpressVPN using OpenVPN:

                                          So you're saying just delete it out and leave it blank?

                                          Yes, disable or remove them. I would disable them until I'm sure they weren't doing anything and then delete them.

                                          @marksinister said in Setting up ExpressVPN using OpenVPN:

                                          I didn't change anything since the last set of screenshots. The only thing I changed was the clones that you told me to change.

                                          Those were the NAT rules though. The firewall rules are also unchanged?

                                          You can see the states and traffic that a rule has passed in the rules list. If it's matching traffic there you will see it.
                                          If it shows 0 states or traffic then something else is passing it.

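The checks the replies above walk through (which enabled LAN rule matches the client's source address first, whether that rule carries the VPN gateway, and whether the outbound NAT rule on the VPN interface translates to that interface's address), as an added Python sketch that is not part of the thread or of pfSense. The rule dictionaries are a constructed, simplified model; the contents of ALBERCURQUIVPN and the disabled rule's gateway are placeholders, and the gateway is assumed to share its interface's name.

```python
import ipaddress

VPN = "EXPRESSVPNNEWJERSEY3"
# Constructed model of the setup in the thread. The thread never states what
# ALBERCURQUIVPN contains, so 10.99.0.0/24 is a placeholder.
ALIASES = {"QNCnet": ["192.168.4.0/24"], "ALBERCURQUIVPN": ["10.99.0.0/24"]}
DEFAULT_LAN = {"descr": "Default allow LAN to any", "source": "any", "gateway": None}
LAN_RULES = [
    {"descr": "first attempt", "source": "ALBERCURQUIVPN",
     "gateway": "PLACEHOLDER_GW", "disabled": True},
    {"descr": "ExpressVPN NJ", "source": "QNCnet", "gateway": VPN},
    DEFAULT_LAN,
]
WAN_NAT = {"interface": "WAN", "source": "192.168.4.0/24", "translation": "WAN address"}
# Cloned rule as first posted: still translating to the WAN address.
NAT_CLONED = [{"interface": VPN, "source": "192.168.4.0/24",
               "translation": "WAN address"}, WAN_NAT]
NAT_FIXED = [{"interface": VPN, "source": "192.168.4.0/24",
              "translation": f"{VPN} address"}, WAN_NAT]


def in_source(ip, source, aliases):
    """True if ip is inside a rule's source: 'any', an alias name, or a CIDR."""
    if source == "any":
        return True
    nets = aliases.get(source, [source])
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def first_match(rules, ip, aliases, **where):
    """Top-down, first match wins; disabled rules are skipped."""
    for rule in rules:
        if rule.get("disabled"):
            continue
        if any(rule.get(k) != v for k, v in where.items()):
            continue
        if in_source(ip, rule["source"], aliases):
            return rule
    return None


def trace_egress(ip, lan_rules, nat_rules, aliases, default_gw="WAN"):
    """Return (egress interface, NAT translation, findings) for a LAN client."""
    findings = []
    rule = first_match(lan_rules, ip, aliases)
    if rule is None:
        return None, None, ["no enabled LAN rule passes this client"]
    egress = rule.get("gateway") or default_gw
    if egress == default_gw:
        findings.append(f"matched '{rule['descr']}' with no gateway set: "
                        f"leaves via {default_gw}")
    nat = first_match(nat_rules, ip, aliases, interface=egress)
    if nat is None:
        findings.append(f"no outbound NAT rule on {egress} for this source")
        return egress, None, findings
    if nat["translation"] != f"{egress} address":
        findings.append(f"NAT on {egress} translates to '{nat['translation']}'")
    return egress, nat["translation"], findings
```
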
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.