Post by Admin on Feb 10, 2018 17:26:42 GMT
Hit www.linkev.com/?a_aid=expssour to fully Set up ExpressVPN OpenVPN on pfSense and/or other devices today.
This advanced tutorial will show you how to configure ExpressVPN on your pfSense device.
NOTE: This is for advanced users who have already purchased and installed pfSense software, and have also configured it for very basic routing for getting onto the internet. The steps were tested on and assume the following generic home setup: Internet > Modem > pfSense device > Router/AP.
For the purpose of this tutorial, we will assume you are configuring your network for a generic 192.168.1.0/24 network setup.
NOTE: This guide has been tested on the following version of pfSense: 2.3.3-RELEASE (amd64)
Contents:
Download the VPN configuration files.
Configure pfSense settings.
Confirm connection success.
Additional steps to route WAN through tunnel.
1. Download the VPN configuration files.
Sign in to your ExpressVPN account.
Click on Set up ExpressVPN.
On the left side of the screen, click Manual Config. On the right side of the screen, click OpenVPN.
You will see your username and password. Keep these on hand, as you will need them later.
Under your username and password, download the OpenVPN configuration file for the location you want to connect to. Keep this file handy, as you will be extracting information out of it for pfSense setup.
2. Configure pfSense settings.
Log in to your pfSense device and navigate to System > Cert. Manager.
Under “CAs,” click the Add button.
Enter the following:
Descriptive name: ExpressVPN.
Method: Import an existing Certificate Authority.
Certificate data: Open the OpenVPN configuration file that you downloaded with your favorite text editor. Look for the text that is wrapped within the <ca> portion of the file. Copy the entire string from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
Certificate Private Key (optional): Leave this blank.
Serial for next certificate: Leave this blank.
After entering the information, your screen should look like this:
Click Save.
Stay on this page and click Certificates at the top.
At the bottom of the screen, click Add.
Under “Add a New Certificate,” enter the following:
Method: Import an existing Certificate.
Descriptive name: ExpressVPN Cert (or something meaningful to you).
Certificate data: Open the OpenVPN configuration file that you downloaded with your favorite text editor. Look for the text that is wrapped within the <cert> portion of the file. Copy the entire string from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
Private key data: With your text editor still open, look for the text that is wrapped within the <key> portion of the file. Copy the entire string from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----.
After entering the information, your screen should look like this:
Click Save.
At the top of the screen, navigate to VPN > OpenVPN.
Select Clients.
At the bottom of the screen, click Add.
Enter the following information:
2.1 General Information:
Disabled: Leave this box unchecked.
Server mode: Peer to Peer (SSL/TLS).
Protocol: UDP.
Device mode: tun.
Interface: WAN.
Local port: Leave blank.
Server host or address: Open the OpenVPN configuration file that you downloaded and open it with your favorite text editor. Look for text that starts with remote, followed by a server name. Copy the server name string into this field (e.g., server-address-name.expressnetw.com).
Server port: Copy the port number from the OpenVPN configuration file into this field (e.g., 1195).
Proxy host or address: Leave blank.
Proxy port: Leave blank.
Proxy Auth. – Extra Options – none.
Server hostname resolution: Check this box.
Description: Something meaningful to you. e.g., ExpressVPN Dallas.
2.2 User Authentication Settings:
Username: your ExpressVPN username
Password: your ExpressVPN password
2.3 Cryptographic Settings:
TLS authentication: Check this box
Key: Open the OpenVPN configuration file that you downloaded with your favorite text editor. Look for text that is wrapped within the <tls-auth> portion of the file. Ignore the “2048 bit OpenVPN static key” comment lines and copy from -----BEGIN OpenVPN Static key V1----- to -----END OpenVPN Static key V1-----.
Peer Certificate Authority: Select the “ExpressVPN” entry that you created previously in the Cert. Manager steps.
Client Certificate: Select the “ExpressVPN Cert” entry that you created previously in the Cert. Manager steps.
Encryption Algorithm: Open the OpenVPN configuration file that you downloaded with your favorite text editor. Look for the text cipher. In this example, the OpenVPN configuration is listed as “cipher AES-256-CBC,” so we will select “AES-256-CBC (256-bit key, 128-bit block)” from the dropdown.
Auth digest algorithm: Open the OpenVPN configuration file that you downloaded and open it with your favorite text editor. Look for the text auth followed by the algorithm after. In this example, we saw “auth SHA512,” so we will select “SHA512 (512-bit)” from the dropdown.
Hardware Crypto: Unless you know that your device supports hardware cryptography, leave this at No Hardware Crypto Acceleration.
2.4 Tunnel Settings:
IPv4 Tunnel Network: Leave blank.
IPv6 Tunnel Network: Leave blank.
IPv4 Remote network(s): Leave blank.
IPv6 Remote network(s): Leave blank.
Limit outgoing bandwidth: At your discretion, but for this tutorial – leave blank.
Compression: Enabled with Adaptive Compression.
Topology: Leave the default “Subnet — One IP address per client in a common subnet”.
Type-of-Service: Leave unchecked.
Disable IPv6: Check this box.
Don’t pull routes: Check this box.
Don’t add/remove routes: Leave unchecked.
2.5 Advanced Configuration:
Custom options: These options are derived from the OpenVPN configuration you’ve been referencing. We will be pulling out all custom options that we haven’t used previously. Copy and paste the following:
fast-io;persist-key;persist-tun;remote-random;pull;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288
Verbosity level: 3 (Recommended)
Click Save.
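As an added example (not code from the original post or from ExpressVPN or pfSense), the following Python script does the copy-and-paste work of steps 2 through 2.5 on an .ovpn file: it pulls the inline <ca>, <cert>, <key> and <tls-auth> blocks from their BEGIN line to their END line (dropping the “2048 bit OpenVPN static key” comment), reads the remote host and port, the cipher and the auth digest, and joins every directive that has no dedicated pfSense field into the Custom options string. The set of GUI-handled directives and the sample file are assumptions, and the sample's PEM bodies are placeholders.

```python
import re

# Directives the tutorial enters through dedicated pfSense form fields (assumed mapping).
GUI_FIELDS = {"dev", "proto", "remote", "resolv-retry", "nobind", "auth-user-pass",
              "cipher", "auth", "comp-lzo", "ca", "cert", "key", "tls-auth"}

def inline_block(ovpn: str, tag: str) -> str:
    """<tag>...</tag> body from its BEGIN line to its END line, comment lines dropped."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", ovpn, re.S)
    if m is None:
        raise ValueError(f"missing <{tag}> block")
    lines = [ln.strip() for ln in m.group(1).splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    if not lines or not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        raise ValueError(f"<{tag}> block is not a BEGIN/END span")
    return "\n".join(lines)

def directives(ovpn: str) -> list[list[str]]:
    """Tokenised top-level directives, with inline blocks and comments removed."""
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", ovpn, flags=re.S)
    rows = (ln.split("#", 1)[0].strip() for ln in body.splitlines())
    return [ln.split() for ln in rows if ln and not ln.startswith(";")]

def pfsense_settings(ovpn: str) -> dict[str, str]:
    """Values for the pfSense OpenVPN client form, as the tutorial fills it in."""
    rows = directives(ovpn)
    first = {t[0]: t[1:] for t in reversed(rows)}  # first occurrence of a directive wins
    if len(first.get("remote", [])) < 2 or not all(k in first for k in ("cipher", "auth")):
        raise ValueError("need 'remote <host> <port>', 'cipher' and 'auth' lines")
    out = {"server_host": first["remote"][0], "server_port": first["remote"][1],
           "protocol": first.get("proto", ["udp"])[0].upper(),
           "cipher": first["cipher"][0], "auth_digest": first["auth"][0],
           "custom_options": ";".join(" ".join(t) for t in rows if t[0] not in GUI_FIELDS)}
    for tag in ("ca", "cert", "key", "tls-auth"):  # a real ExpressVPN file carries all four
        if f"<{tag}>" in ovpn:
            out[tag] = inline_block(ovpn, tag)
    return out

# Constructed sample in the ExpressVPN layout; PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """proto udp
remote example-server.example.net 1195
auth-user-pass
cipher AES-256-CBC
auth SHA512
verify-x509-name Server name-prefix
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CA_BODY_PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
TA_BODY_PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
"""
```

Run `pfsense_settings(open("my-location.ovpn").read())` on a downloaded file to get every form value in one dictionary; the custom_options value is what goes into the Custom options box.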
3. Confirm connection success.
You should now be able to confirm that your OpenVPN connection was successful. Navigate to Status > OpenVPN.
Under “Client Instance Statistics,” in the “Status” column, you should see the word up, indicating the tunnel is online.
4. Additional steps to route WAN through tunnel.
Note: The steps below are for users who need additional help routing their WAN traffic through the tunnel.
Now that the tunnel is online, you need to NAT all of your traffic through it properly. At the top of your screen, select Interfaces and click (assign).
Click on the + button. A new interface will be created. Make sure ovpnc1 is selected and click Save.
Navigate to Interfaces > OVPNC1:
Enter the following:
4.1 General Configuration.
Enable: Check this box.
Description: Something meaningful to you. e.g., EXPRESSVPN.
IPv4 Configuration Type: DHCP.
IPv6 Configuration Type: None.
MAC Address: Leave blank.
MTU: Leave blank.
MSS: Leave blank.
4.2 DHCP Client Configuration:
Options: Leave unchecked.
Hostname: Leave blank.
Alias IPv4 Address: Leave blank.
Reject leases from: Leave blank.
Leave the default DHCP client configuration.
4.3 DHCP6 Client Configuration:
Options: Leave unchecked.
Use IPv4 connectivity as parent interface: Leave unchecked.
Request only an IPv6 prefix: Leave unchecked.
DHCPv6 Prefix Delegation size: Leave default at 64.
Send IPv6 prefix hint: Leave unchecked.
Debug: Leave unchecked.
Do not wait for a RA: Leave unchecked.
Do not allow PD/Address release: Leave unchecked.
4.4 Reserved Networks:
Block private networks and loopback addresses: Leave unchecked.
Block bogon networks: Leave unchecked.
Click Save.
Navigate to Firewall > Aliases.
Under “IP,” click Add.
You will be providing your home network with an “Alias” that allows a friendly name to reference your network.
4.5 Properties.
Name: Something meaningful to you. For this tutorial, we will use “Local_Subnets”
Description: Something meaningful to you
Type: Network(s)
4.6 Network(s)
Network or FQDN: 192.168.1.0 / 24
Click Save.
Navigate to Firewall > NAT.
Click on Outbound at the top.
For “Outbound NAT Mode,” select Manual Outbound NAT rule generation.
Click Save and then click Apply Changes.
Under Mappings, you will be telling your traffic where to go when it leaves your network. You will essentially be copying the existing four default WAN connections and modifying them to use your new EXPRESSVPN virtual interface.
On the right side of the screen, click the Copy button next to the first WAN connection entry. It’s the icon with a square overlapping another square.
In the window that pops up, the only selection you will be changing is the “Interface” section. Click the drop-down and change from WAN to EXPRESSVPN.
Click Save.
Repeat the above steps for the other three WAN rules that exist.
Once all four EXPRESSVPN rules are added, click the Save button and click Apply Changes once again at the top.
Finally, you need to create a rule to redirect all local traffic through the EXPRESSVPN gateway you previously created. Navigate to Firewall > Rules:
Click on LAN.
Click the Add button with the up arrow (the far left button).
Enter the following:
4.7 Edit Firewall Rule.
Action: Pass.
Disabled: Leave unchecked.
Interface: LAN.
Address: IPv4.
Protocol: Any.
4.8 Source.
Source: Select Single host or alias and type the name of the alias you created for your network earlier. For this tutorial, we used “Local_Subnets.”
4.9 Destination.
Destination: any
4.9.1 Extra Options:
Log: Leave unchecked.
Description: Enter something meaningful to you. For this tutorial, we will enter “LAN TRAFFIC –> EXPRESSVPN”.
Click the blue Display Advanced button.
4.9.2 Advanced Options:
Leave the new fields that appear blank, except for Gateway: change it to “EXPRESSVPN_DHCP”.
Click Save.
You’re finished! You should now start to see traffic flowing through the new rule you created, confirming that the traffic is moving through the ExpressVPN tunnel you set up.