Set up on your smart TV.
Need a DNS for your Smart TV?
Try ExpressVPN's DNS Now
Use ExpressVPN on your devices.
One ExpressVPN account. All devices.
Get Apps for Free

This tutorial will show you how to configure ExpressVPN on your pfSense with OpenVPN.

Not all ExpressVPN locations may be available for manually configured connections.

Important: The OpenVPN manual configuration does not offer the same security and privacy benefits as the ExpressVPN app. If your router does not support AES-NI (e.g., Asus RT-AC86U), you may experience occasional speed issues while using the OpenVPN manual configuration.

Note: The following steps were tested on pfSense 2.4.5 and are intended for users with a basic home network setup (192.168.1.0/24): Internet > Modem > pfSense > Router/Access Points.

Jump to…

1. Find your ExpressVPN account credentials
2. Set up the VPN on pfSense
3. Route WAN through the VPN tunnel
4. Confirm connection success


1. Find your ExpressVPN account credentials

Go to the ExpressVPN setup page. If prompted, enter your ExpressVPN credentials and click Sign In.

Enter your account credentials, then click "Sign In."

Enter the verification code that is sent to your email.

On the right, with OpenVPN already selected for you, you will see your username, password, and a list of OpenVPN configuration files.

On the right, with OpenVPN already selected for you, you will see your username, password, and a list of OpenVPN configuration files.

Click the location(s) you want in order to download the .ovpn file(s).

Keep this browser window open. You will need this information for the setup later.

Need help? Contact the ExpressVPN Support Team for immediate assistance.

Back to top


2. Set up the VPN on pfSense

Sign in to your pfSense web interface. (The default username and password are admin and pfsense.) Click SIGN IN.

In the top navigation bar, click System > Cert. Manager.

In the CA tab, click Add icon.Add. Enter the following information:

Create/ Edit CA

  • Descriptive name: Enter any name that will help you recognize your VPN connection. For example: ExpressVPN.
  • Method: Select Import an existing Certificate Authority.

Existing Certificate Authority

  • Certificate data: Right-click the .ovpn config file and open it with any text editor. Copy the text between the <ca> and </ca> tags, and paste it in this field.
    Enter text in the CA Cert field.
  • Certificate Private Key (optional): Leave blank.
  • Serial for next certificate: Leave blank.

Click Save.

Click “Save.”

Click Certificates. Click Add icon.Add/ Sign. Enter the following information:

Add/ Sign a New Certificate

  • Method: Select Import an existing Certificate.
  • Descriptive name: Enter any name. For example: ExpressVPN Cert.

Import Certificate

  • Certificate data: In the text editor you opened earlier, copy the text between the <cert> and </cert> tags, and paste it in this field.
    Enter text in the Public Client Cert field.
  • Private key data: In the text editor you opened earlier, copy the text between the <key> and </key> tags, and paste it in this field.
    Enter text in the Private Client Cert field.

Click Save.

Click “Save.”

In the top navigation bar, click VPN > OpenVPN.

Click Clients, then click Add icon.Add. Enter the following information:

General Information

  • Disabled: Leave unchecked.
  • Server mode: Select Peer to Peer (SSL/TLS).
  • Protocol: Select UDP on IPv4 only.
  • Device mode: Select tun – Layer 3 Tunnel Mode.
  • Interface: Select WAN.
  • Local port: Leave blank.
  • Server host or address: In the text editor you opened earlier, copy any server address listed between the word “remote” and the 4-digital port number. Paste it in this field.
  • Server port: Enter the number (after the server address) you found above.
  • Proxy host or address: Leave blank.
  • Proxy port: Leave blank.
  • Proxy Authentication: Select none.
  • Description: Enter any name that will help you recognize your VPN connection. For example: ExpressVPN NY.

Enter the information for "General Information"

User Authentication Settings

  • Username: Enter the username you found earlier.
  • Password: Enter the password you found earlier twice.

Cryptographic Settings

  • TLS Configuration: Check this box.
  • Automatically generate a TLS key: Uncheck this box.
  • TLS Key: In the text editor you opened earlier, copy the texts between the <tls-auth> and </tls-auth> tags, and paste it in this field.
    Enter text in the TLS Auth Key field.
  • TLS Key Usage Mode: Select TLS Authentication.
  • Peer Certificate Authority: Select the entry (e.g., ExpressVPN) you created earlier.
  • Client Certificate: Select the entry (e.g., ExpressVPN Cert) you created earlier.
  • Encryption Algorithm: In the text editor you opened earlier, look for the word “cipher.” Select the algorithm shown after “cipher” in the dropdown menu. For example: AES-256-GCM.
  • Enable NCP: Uncheck this box.
  • NCP Algorithms: Leave blank.
  • Auth digest algorithm: In the text editor you opened earlier, look for the word “auth.” Select the algorithm shown after “auth” in the dropdown menu. For example: SHA512.
  • Hardware Crypto: Unless you know that your device supports hardware cryptography, select No Hardware Crypto Acceleration.

Enter the information for "Cryptographic Settings."

Tunnel Settings

  • IPv4 Tunnel Network: Leave blank.
  • IPv6 Tunnel Network: Leave blank.
  • IPv4 Remote network(s): Leave blank.
  • IPv6 Remote network(s): Leave blank.
  • Limit outgoing bandwidth: Leave blank.
  • Compression: Select Refuse any non-stub compression (Most secure)
  • Topology: Leave this as is.
  • Type-of-Service: Leave unchecked.
  • Don’t pull routes: Check this box.
  • Don’t add/remove routes: Leave unchecked.

Advanced Configuration

  • Custom options: Copy and paste the following:
    fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo no;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288
  • UDP Fast I/O: Check this box.
  • Send/ Receive Buffer: Select 512 KiB.
  • Gateway Creation: Select IPv4 only.
  • Verbosity level: Select 3 (recommended).

Click Save.

Click "Save."

Need help? Contact the ExpressVPN Support Team for immediate assistance.

Back to top


3. Route WAN through the VPN tunnel

After the tunnel is online, you need to route your WAN traffic through the tunnel.

In the top navigation bar, click Interfaces > Assignments.

Click Add icon.Add. A new interface will be created. For OPT1, select ovpnc1. Click Save.

Click "Save."

In the top navigation bar, click Interfaces > OPT1.

Click "OPT1."

Enter the following information:

General Configuration

  • Enable: Check this box.
  • Description: Enter any name that is meaningful to you. For example: ExpressVPN.
  • MAC Address: Leave blank.
  • MTU: Leave blank.
  • MSS: Leave this blank.

Reserved Networks

  • Block private networks and loopback addresses: Leave unchecked.
  • Block bogon networks: Leave unchecked.

Click Save.

pfsense-2.4.5-interfaces-opt1-click-save

Click Apply Changes.

In the top navigation bar, click Firewall > Aliases.

Click Add icon.Add.

Provide your home network with an “Alias” that allows a friendly name to reference your network. Enter the following information:

Properties

  • Name: Enter a meaningful name. For example: Local_Subnets.
  • Description: Enter something meaningful to you. For example: Home network.
  • Type: Select Network(s).

Network(s)

  • Network or FQDN: Enter 192.168.1.0, and select 24.

Click Save.

Click "Save."

In the top navigation bar, click Firewall > NAT > Outbound.

For Mode, select Manual Outbound NAT rule generation. Click Save > Apply Changes.

Click "Apply Changes."

Your traffic needs a destination when it leaves your network. Scroll down to Mappings, you will need to modify your existing WAN connections to use your new ExpressVPN virtual interface.

For the first WAN connection entry, click Copy icon..

Click the "copy" icon.

For Interface, select EXPRESSVPN.

Select "EXPRESSVPN."

Click Save.

Repeat the above steps for the other WAN entries.

Once all the new rules are added, click Apply Changes at the top.

Now, create a rule to redirect all local traffic through the OpenVPN gateway you just created. In the top navigation bar, click Firewall > Rules.

Click LAN. Click Add on the far left.

Enter the following information:

Edit Firewall Rule

  • Action: Select Pass.
  • Disabled: Leave unchecked.
  • Interface: Select LAN.
  • Address: Select IPv4.
  • Protocol: Select Any.

Source

  • Source: Select Single host or alias and enter the name of the alias you created for your network earlier. For example: Local_subnets.

Destination

  • Destination: Select any.

Extra Options

  • Log: Leave unchecked.
  • Description: Enter something meaningful to you. For example: LAN traffic to ExpressVPN.

Click Display Advanced.

Advanced Options

  • Gateway: Select EXPRESSVPN.

Select "EXPRESSVPN."

Click Save > Apply Changes.

Need help? Contact the ExpressVPN Support Team for immediate assistance.

Back to top


4. Confirm connection success

You should now be able to confirm that your OpenVPN connection is successful. In the top navigation bar, click Status > OpenVPN.

If your VPN tunnel is online, the Status should read “up.”

If your VPN tunnel is online, the Status should read “up.”

You can also use ExpressVPN’s IP Address Checker to verify you are connected to the VPN. The displayed IP address should correlate to the location you are connected to via OpenVPN. If not, under Service, click the pause icon and then the start icon to restart the VPN.

Need help? Contact the ExpressVPN Support Team for immediate assistance.

Back to top

Was this article helpful?

We're sorry to hear that. Let us know how we can improve.

Which Smart TV do you need help with?

Examples: Samsung Smart TV, LG Smart TV

A member of our Support Team will follow up on your issue.