How to set up pfSense with ExpressVPN (OpenVPN)

This tutorial will show you how to configure ExpressVPN on your pfSense device.

This is for advanced users who have already purchased and installed pfSense software and have configured it for basic routing to get onto the internet. The steps were tested on, and assume, the following generic home setup: Internet > Modem > pfSense device > Router/AP

For the purpose of this tutorial, we will assume you are configuring your network for a generic 192.168.1.0/24 network setup.

NOTE: This guide has been tested on the following version of pfSense: 2.3.3-RELEASE (amd64)

Download the VPN configuration files

Sign in to your ExpressVPN account.


Click on Set up ExpressVPN.


On the left side of the screen, click Manual Config. On the right side of the screen, click OpenVPN.

You will see your username and password. Keep these on hand, as you will need them later.

Under your username and password, download the OpenVPN configuration file for the location you want to connect to. Keep this file handy, as you will be extracting information out of it for pfSense setup.


Need help? Contact the ExpressVPN Support Team for immediate assistance.



Configure pfSense settings

Log in to your pfSense device and navigate to System > Cert. Manager.


Under “CAs,” click the Add button.

Enter the following:

  • Descriptive name: ExpressVPN
  • Method: Import an existing Certificate Authority
  • Certificate data: Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the text wrapped within the <ca> portion of the file and copy the entire string from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
  • Certificate Private Key (optional): Leave this blank
  • Serial for next certificate: Leave this blank

After entering the information, your screen should look like this: [screenshot: CA details entered]

Click Save.

Stay on this page and click Certificates at the top.


At the bottom of the screen, click Add.

Under “Add a New Certificate,” enter the following:

  • Method: Import an existing Certificate
  • Descriptive name: ExpressVPN Cert (or something meaningful to you)
  • Certificate data: Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the text wrapped within the <cert> portion of the file and copy the entire string from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----
  • Private key data: With your text editor still open, look for the text wrapped within the <key> portion of the file. Copy the entire string from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----

After entering the information, your screen should look like this: [screenshot: certificate and private key data entered]

Click Save.

At the top of the screen, navigate to VPN > OpenVPN.


Select Clients.


At the bottom of the screen, click Add.

Enter the following information:

General Information:

  • Disabled: Leave this box unchecked
  • Server mode: Peer to Peer (SSL/TLS)
  • Protocol: UDP
  • Device mode: tun
  • Interface: WAN
  • Local port: Leave blank
  • Server host or address: Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the line that starts with remote, followed by a server name. Copy the server name string into this field (e.g., server-address-name.expressnetw.com)
  • Server port: Copy the port number from the OpenVPN configuration file into this field (e.g., 1195)
  • Proxy host or address: Leave blank
  • Proxy port: Leave blank
  • Proxy Authentication - Extra options: none
  • Server hostname resolution: Check this box
  • Description: Something meaningful to you. e.g., ExpressVPN Dallas


User Authentication Settings

  • Username: your ExpressVPN username
  • Password: your ExpressVPN password


Cryptographic Settings

  • TLS authentication: Check this box
  • Key: Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the text wrapped within the <tls-auth> portion of the file. Ignore the “2048 bit OpenVPN static key” comment lines and copy from -----BEGIN OpenVPN Static key V1----- to -----END OpenVPN Static key V1-----
  • Peer Certificate Authority: Select the “ExpressVPN” entry that you created previously in the Cert. Manager steps
  • Client Certificate: Select the “ExpressVPN Cert” entry that you created previously in the Cert. Manager steps
  • Encryption Algorithm: In the OpenVPN configuration file, look for the line that starts with cipher. In this example, the configuration lists “cipher AES-256-CBC,” so we will select “AES-256-CBC (256-bit key, 128-bit block)” from the dropdown
  • Auth digest algorithm: In the OpenVPN configuration file, look for the line that starts with auth, followed by the algorithm name. In this example, we saw “auth SHA512,” so we will select “SHA512 (512-bit)” from the dropdown
  • Hardware Crypto: Unless you know that your device supports hardware cryptography, leave this at No Hardware Crypto Acceleration


Tunnel Settings

  • IPv4 Tunnel Network: Leave blank
  • IPv6 Tunnel Network: Leave blank
  • IPv4 Remote network(s): Leave blank
  • IPv6 Remote network(s): Leave blank
  • Limit outgoing bandwidth: At your discretion, but for this tutorial – leave blank.
  • Compression: Enabled with Adaptive Compression
  • Topology: Leave the default “Subnet — One IP address per client in a common subnet”
  • Type-of-Service: Leave unchecked
  • Disable IPv6: Check this box
  • Don’t pull routes: Check this box
  • Don’t add/remove routes: Leave unchecked


Advanced Configuration

  • Custom options: These options are derived from the OpenVPN configuration you’ve been referencing. We will be pulling out all custom options that we haven’t used previously. Copy and paste the following:
    fast-io;persist-key;persist-tun;remote-random;pull;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288
  • Verbosity level: 3 (Recommended)


Click Save.
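The copy-and-paste steps above (CA, certificate, private key, TLS auth key, server host and port, cipher, auth digest and the leftover custom options) can be pulled out of the .ovpn file programmatically, which also avoids pasting the static-key banner lines by mistake. This is an added example, not part of the ExpressVPN tutorial or of pfSense: the GUI_HANDLED directive set is an assumption based on the form fields named above, and the embedded profile is a constructed sample with placeholder PEM bodies.

```python
import re
# Directives that the dedicated pfSense form fields in the steps above already cover
# (assumption: this set is derived from the tutorial's fields, not from pfSense itself).
GUI_HANDLED = {"client", "dev", "proto", "remote", "cipher", "auth", "auth-user-pass",
               "comp-lzo", "nobind", "resolv-retry", "ca", "cert", "key", "tls-auth"}
INLINE = re.compile(r"<([\w-]+)>\s*(.*?)\s*</\1>", re.S)   # <ca>...</ca> style blocks

def inline_block(text, tag):
    """Body of <tag>..</tag> minus blank and '#' lines (drops the static-key banner)."""
    for m in INLINE.finditer(text):
        if m.group(1) == tag:
            body = (ln.strip() for ln in m.group(2).splitlines())
            return "\n".join(ln for ln in body if ln and not ln.startswith("#"))
    raise ValueError(f"no <{tag}> block in configuration")

def parse_ovpn(text):
    """Map one .ovpn file onto the pfSense fields the tutorial fills in by hand."""
    fields = {tag: inline_block(text, tag) for tag in ("ca", "cert", "key", "tls-auth")}
    custom = []
    for raw in INLINE.sub("", text).splitlines():          # inline blocks already taken
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        directive, _, args = line.partition(" ")
        if directive == "remote":                          # Server host or address / port
            host, _, port = args.partition(" ")
            fields["server_host"], fields["server_port"] = host, int(port or 1194)
        elif directive in ("cipher", "auth"):              # Encryption / Auth digest algorithm
            fields[directive] = args
        elif directive not in GUI_HANDLED:                 # leftovers go to Custom options
            custom.append(line)
    fields["custom_options"] = ";".join(custom)            # pfSense wants ';'-separated
    return fields

# Constructed sample with placeholder PEM bodies (not a real ExpressVPN profile or key).
SAMPLE_OVPN = "\n".join([
    "client", "dev tun", "fast-io", "persist-key", "persist-tun", "nobind",
    "remote server-address-name.expressnetw.com 1195", "remote-random", "pull", "comp-lzo no",
    "tls-client", "verify-x509-name Server name-prefix", "ns-cert-type server", "key-direction 1",
    "route-method exe", "route-delay 2", "tun-mtu 1500", "fragment 1300", "mssfix 1450", "verb 3",
    "cipher AES-256-CBC", "auth SHA512", "sndbuf 524288", "rcvbuf 524288", "auth-user-pass",
    "<ca>", "-----BEGIN CERTIFICATE-----", "PLACEHOLDER-CA", "-----END CERTIFICATE-----", "</ca>",
    "<cert>", "-----BEGIN CERTIFICATE-----", "PLACEHOLDER-CERT", "-----END CERTIFICATE-----", "</cert>",
    "<key>", "-----BEGIN RSA PRIVATE KEY-----", "PLACEHOLDER-KEY", "-----END RSA PRIVATE KEY-----", "</key>",
    "<tls-auth>", "#", "# 2048 bit OpenVPN static key", "#", "-----BEGIN OpenVPN Static key V1-----",
    "PLACEHOLDER-TA", "-----END OpenVPN Static key V1-----", "</tls-auth>",
])

if __name__ == "__main__":
    print("\n".join(f"== {k} ==\n{v}" for k, v in parse_ovpn(SAMPLE_OVPN).items()))
```

Run it as a script to print each field; the <key> and <tls-auth> values are secrets, so keep the output out of shell history and logs.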


Confirm connection success

You should now be able to confirm that your OpenVPN connection was successful. Navigate to Status > OpenVPN.


Under “Client Instance Statistics,” in the “Status” column, you should see the word up, indicating the tunnel is online.




Additional steps to route WAN through tunnel

Note: The below steps are for users who may need additional assistance actually routing their WAN traffic through the tunnel.

Now that the tunnel is online, you need to make sure all of your traffic is NAT’d through it properly. At the top of your screen, select Interfaces and click (assign).


Click on the + button. A new interface will be created. Make sure ovpnc1 is selected and click Save.

Navigate to Interfaces > OVPNC1:

Enter the following:

General Configuration

  • Enable: Check this box
  • Description: Something meaningful to you. e.g., EXPRESSVPN
  • IPv4 Configuration Type: DHCP
  • IPv6 Configuration Type: None
  • MAC Address: Leave blank
  • MTU: Leave blank
  • MSS: Leave blank


DHCP Client Configuration

  • Options: Leave unchecked
  • Hostname: Leave blank
  • Alias IPv4 Address: Leave blank
  • Reject leases from: Leave blank


DHCP6 Client Configuration

  • Options: Leave unchecked
  • Use IPv4 connectivity as parent interface: Leave unchecked
  • Request only an IPv6 prefix: Leave unchecked
  • DHCPv6 Prefix Delegation size: Leave default at 64
  • Send IPv6 prefix hint: Leave unchecked
  • Debug: Leave unchecked
  • Do not wait for a RA: Leave unchecked
  • Do not allow PD/Address release: Leave unchecked


Reserved Networks

  • Block private networks and loopback addresses: Leave unchecked
  • Block bogon networks: Leave unchecked


Click Save.

Navigate to Firewall > Aliases.


Under “IP,” click Add.

You will be providing your home network with an “Alias” that allows a friendly name to reference your network.

Properties

  • Name: Something meaningful to you. For this tutorial, we will use “Local_Subnets”
  • Description: Something meaningful to you
  • Type: Network(s)

Network(s)

  • Network or FQDN: 192.168.1.0 / 24


Click Save.

Navigate to Firewall > NAT.


Click on Outbound at the top.


For “Outbound NAT Mode,” select Manual Outbound NAT rule generation.


Click Save and then click Apply Changes.


Under Mappings, you will be telling your traffic where to go when it leaves your network. You will essentially be copying the existing four default WAN connections and modifying them to use your new EXPRESSVPN virtual interface.

On the right side of the screen, click the Copy button next to the first WAN connection entry. It’s the icon with a square overlapping another square.


In the window that pops up, the only selection you will be changing is the “Interface” section. Click the drop-down and change from WAN to EXPRESSVPN.


Click Save.

Repeat the above steps for the other three WAN rules that exist.

Once all four EXPRESSVPN rules are added, click the Save button and click Apply Changes once again at the top.

Finally, you need to create a rule to redirect all local traffic through the EXPRESSVPN gateway you previously created. Navigate to Firewall > Rules:


Click on LAN.


Click the Add button with the up arrow (the far left button).


Enter the following:

Edit Firewall Rule

  • Action: Pass
  • Disabled: Leave unchecked
  • Interface: LAN
  • Address: IPv4
  • Protocol: Any

Source

  • Source: Select Single host or alias and type the name of the alias you created for your network earlier. For this tutorial, we used “Local_Subnets.”

Destination

  • Destination: any

Extra Options

  • Log: Leave unchecked
  • Description: Enter something meaningful to you. For this tutorial, we will enter “LAN TRAFFIC –> EXPRESSVPN”

Click the blue Display Advanced button.


Advanced Options

Leave all of the newly displayed fields at their defaults and look for Gateway. Change this to “EXPRESSVPN_DHCP”


Click Save.

You’re finished! You should now start to see traffic flowing through the new rule you created, confirming that the traffic is moving through the ExpressVPN tunnel.
