PfSense as OpenVPN Client to VPNExpress



  • Hi all,

    I am a newbie. I am trying to set up pfSense as a VPN client to VPNExpress and have all the traffic flowing into the pfSense on the LAN go into the VPN. If I get this done and working I will post the instructions. I have gotten the service to work before and it's great. The difference between the working setup and this one is that I now have another device in front of the pfSense. So I now have a private IP address on my pfSense's WAN port.

    On my initial go at it I noticed I get Internet connectivity behind the other NAT device (it's a Netgear wireless router) even with "Block private networks" on the WAN interface. But I turned it off just in case.

    Here is what I have now:

    Internet <-> (wan) Netgear (lan) <-> (wan) pfSense (lan) -> Laptop, iPad, PCs

    I am able to get the OpenVPN client up and running. I say this because I get the 'Initialization complete' message at the end. I did notice this one warning/error: 'Bad LZO decompression header byte: 0'. Still, the OpenVPN:Client icon is green, so I assume it's working based on that and the other messages in the log.

    So I believe I have a routing/firewall/NAT rule problem, because I cannot get traffic to pass from my LAN through the VPN tunnel to the Internet.

    My next steps are listed below:

    1. Went to Interfaces -> (assign) and hit the + button to add a new interface OPT2. (I have a guest network already using OPT1.)

    2. I selected OPT2 and made the following changes:
        - Enabled Interface
        - Named: ExpressVPN
        - Enabled block private networks and bogon networks. I figured this was necessary since it will be acting like a WAN port.

    3. Hit Save and applied changes.

    4. Went to Firewall -> NAT, chose the Outbound tab, and selected Manual Outbound NAT rule generation (AON - Advanced Outbound NAT).

    5. Hit Save and Apply changes.

    6. Went to Firewall -> Rules and hit the + button under the LAN tab. I created the following rule:
        a. Action: Pass
        b. Interface: LAN
        c. TCP/IP Version: IPv4
        d. Protocol: any
        e. Source: LAN Subnet
        f. Destination: any
        g. Description: LAN thru ExpressVPN
        h. Under the Advanced options section I made the gateway ExpressVPN

    7. Hit Save and Apply changes.

    8. This is what I am left with: Attachment 1

    9. I went to the ExpressVPN tab and hit the + button and created the following rule:
        a. Action: Pass
        b. Interface: ExpressVPN
        c. TCP/IP Version: IPv4
        d. Protocol: any
        e. Source: any
        f. Destination: any
        g. Description: ExpressVPN Pass all

    I am left with: Attachment 2

    10. Hit Save and Apply Changes.

    11. I have this under the ExpressVPN tab when done: Attachment 3

    12. I went to configure the gateway:
        a. Went to System -> Routing and chose the Gateways tab and have the following: Attachment 4
        b. I added the Monitor IP 208.67.222.222 and then hit Save and Apply changes to give me this: Attachment 5

    13. I then went to General Setup.

    14. Chose WAN for the gateway of all DNS servers:
        a. Placed 208.67.220.220 and 208.67.222.222 for the WAN.
        b. Deselected "Allow DNS server list to be overridden by DHCP/PPP on WAN".
        c. Hit Save and Apply Settings.

    15. At this point everything should work but it doesn't. I checked the firewall rules. It looks like I should be getting out, but traffic from LAN is being blocked. I don't know why. I am getting the following: Attachment 6

    16. The client instance shows the connection, but my traffic isn't being routed through it. It looks like the pfSense is blocking traffic coming from my LAN to the Internet IP address. The VPN instance info says: Attachment 7

    17. Below are the rules I have for the LAN. From what I can see it looks right. Attachment 8

    Any suggestions? I don't know why it is blocking that traffic.

    ![Attachment 1.png](/public/imported_attachments/1/Attachment 1.png)
    ![Attachment 3.png](/public/imported_attachments/1/Attachment 3.png)
    ![Attachment 6.png](/public/imported_attachments/1/Attachment 6.png)
    ![Attachment 8.png](/public/imported_attachments/1/Attachment 8.png)



  • All,

    I got the setup to work but am not exactly sure why. I followed the instructions I posted. However, even though it said 'Initialization Complete', I still got some warnings regarding MTUs. I guess that needs to be fixed in order for it to work.

    I will do some more testing and if I come up with a consistent process I will post it.



  • You need your LAN rules the other way around. Rules are matched from the top down, first match wins, so all your traffic will be matched by the "Default allow LAN to any rule". None of it will get to "LAN thru ExpressVPN" - put "LAN thru ExpressVPN" above "Default allow LAN to any rule".
    On WAN and EXPRESSVPN rule tabs you should not need any pass rules - unless you have a public server or similar, you do not want to allow incoming connections from the big wide internet. Traffic initiated from you (on LAN) is passed by your LAN rules and pfSense recognizes and passes the data flowing back in the reverse direction for that.
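
The first-match-wins behaviour the reply describes can be checked mechanically. The following is an added illustration written for this thread, not pfSense's own code: it models the two LAN rules named in the thread, evaluates a new connection against them in both orderings, and reports any rule that an earlier rule makes unreachable. The 192.168.1.0/24 LAN subnet and the 8.8.8.8 and 10.0.0.5 addresses are constructed sample values; the thread does not give the poster's actual addressing.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample LAN subnet (the thread does not give the real one).
LAN_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Rule:
    """One pass/block rule as shown on a pfSense interface tab (simplified)."""
    description: str
    action: str                          # "pass" or "block"
    source: Optional[IPv4Network]        # None means "any"
    destination: Optional[IPv4Network]   # None means "any"
    gateway: Optional[str] = None        # Advanced -> Gateway; None = default route

    def matches(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return ((self.source is None or s in self.source)
                and (self.destination is None or d in self.destination))


def first_match(rules: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Rules are evaluated top to bottom and the first match ends evaluation
    (pfSense rules are 'quick' in pf terms). No match = implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule
    return None


def egress(rules: List[Rule], src: str, dst: str) -> str:
    """Outcome for a new connection: 'blocked', 'default' (follows the
    routing table, i.e. WAN here) or the name of the policy-routing gateway."""
    rule = first_match(rules, src, dst)
    if rule is None or rule.action != "pass":
        return "blocked"
    return rule.gateway or "default"


def _covers(outer: Optional[IPv4Network], inner: Optional[IPv4Network]) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer is None:
        return True
    return inner is not None and inner.subnet_of(outer)


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule already
    matches everything they would match."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)):
                shadowed.append(later.description)
                break
    return shadowed


# The two LAN rules from the thread.
DEFAULT_ALLOW = Rule("Default allow LAN to any rule", "pass", LAN_NET, None)
VIA_VPN = Rule("LAN thru ExpressVPN", "pass", LAN_NET, None, gateway="ExpressVPN")

AS_POSTED = [DEFAULT_ALLOW, VIA_VPN]      # ordering in the original post
AS_SUGGESTED = [VIA_VPN, DEFAULT_ALLOW]   # ordering the reply recommends


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        print(f"{name}: LAN host -> 8.8.8.8 egresses via {egress(rules, '192.168.1.10', '8.8.8.8')}")
        print(f"{name}: unreachable rules: {shadowed_rules(rules)}")
```

Run stand-alone, the script shows that with the rules as posted a LAN host egresses via the default route and the ExpressVPN rule is unreachable, while with the suggested ordering the same connection is policy-routed to ExpressVPN. Because both rules have identical source and destination criteria, whichever one sits second never fires in either ordering; a host outside the LAN subnet matches neither rule and hits the implicit default deny.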