How to Set Up and Use ExpressVPN on pfSense (Updated 2024)
pfSense, an open-source software, has the ability to turn a computer system into a dedicated router or firewall. Using a VPN on open-source pfSense can boost its security abilities, and ExpressVPN is more than up to the task. You can configure it through a web-based interface like most routers. This article will guide you through the process of configuring ExpressVPN on pfSense.
Setting Up ExpressVPN on pfSense
Setting up ExpressVPN on pfSense is quite technical. You need to accurately follow the instructions in this article, as any mistake can result in the wrong configuration. The configuration process involves using the OpenVPN protocol to set up a connection to an ExpressVPN server. Although there is a new pfSense version (2.5.0), we will focus on the configuration settings for version 2.4.5 as a more significant number of users are still using it. Let’s dive into how to set up ExpressVPN on pfSense 2.4.5.
Get ExpressVPN for pfSense
1. The first thing to do is create an ExpressVPN account if you don’t have one. Go to the ExpressVPN website, click on “Get ExpressVPN,” and follow the instructions to get a subscription plan and complete the account creation process. Once you access your account, navigate to manual configuration settings through the following path: Set Up Other Devices > Manual Configuration.
2. Under “Manual Configuration,” select the “OpenVPN” tab, you will see your service credentials (username and password) directly under it. Leave the browser window open or copy the credentials somewhere you can easily reach because you will need them later. Just below the credentials, there is also a list of servers and their locations.
3. Select the server location you intend to use and pick a server. Then download the OpenVPN configuration file (.ovpn) of that server. You can choose UDP (faster) or TCP (more reliable) depending on your preference.
4. The next thing you need to do is to sign in to your pfSense control panel. The default username and password are usually “admin” and “pfsense” if no one has previously changed it. If that does not work, check the user manual or contact pfSense’s customer support team.
5. Once you’re in, on the top navigation bar, select “System,” then “Certificate Manager.” In the CA section, select the “+Add” button and input the following under their respective fields:
Create/Edit CA
Descriptive name: Input any name to represent your VPN connection (e.g., ExpressVPN-USA).
Method: click on “Import an existing Certificate Authority.”
Existing Certificate Authority
Certificate data: Use any text editor to open the .ovpn file you downloaded in step 3 above, copy the text between the <ca> and </ca> tags, and paste it in this field.
Certificate Private Key (optional): Leave empty.
Serial for next certificate: Leave empty.
Click the “Save” button.
6. Next, select “Certificates,” select the “+Add/Sign” button, and input the following:
Add/Sign a New Certificate
Method: Click Import an existing Certificate.
Descriptive name: Input any name to represent your certificate (e.g., ExpressVPN-Cert).
Import Certificate
Certificate data: Copy the text between the <cert> and </cert> tags in the .ovpn file you opened before and paste it here.
Private ket data: Copy the text between the <key> and </key> tags in the .ovpn file you opened before and paste it in this field.
Click the “Save” button.
7. Navigate to the top navigation bar and select “VPN” then “OpenVPN.” Select “Clients,” click the “+Add” button and input the following:
General Information
Disabled: Leave this box unchecked.
Server mode: Peer to Peer (SSL/TLS).
Protocol: UDP on IPv4 only.
Device mode: tun – Layer 3 Tunnel Mode.
Interface: WAN.
Local port: Leave empty.
Server host or address: Copy the server address listed between the word “remote” and the 4-digit port number in the .ovpn file you opened before and paste it in this field.
Server port: Input the 4-digit port number (next to the server address) you saw above.
Proxy port: Leave empty.
Proxy Authentication: Choose none.
Description: Input any name to represent your VPN connection (e.g., ExpressVPN-NY).
User Authentication Settings
Username: Input the ExpressVPN service username in step 2 above.
Password: Input the ExpressVPN service password in step 2 above twice.
Cryptographic Settings
TLS Configuration: Check this box.
Automatically generate a TLS key: Leave this box unchecked
TLS Key: Copy the text between the <tls-auth> and </tls-auth> tags in the .ovpn file you opened before and paste it in this field (don’t copy any line that begins with “#”).
TLS Key Usage Mode: Choose TLS Authentication.
Peer Certificate Authority: Choose the CA you created earlier (e.g., ExpressVPN-USA)
Client Certificate: Choose the certificate you created earlier (e.g., ExpressVPN-Cert)
Encryption Algorithm: Check the .ovpn file you opened before for the word “cipher” and choose the algorithm displayed after it in the dropdown menu here (e.g., AES-256-CBC).
Enable NCP: Leave this box unchecked.
NCP Algorithms: Leave empty
Auth digest algorithm: Check the .ovpn file you opened before for the word “auth” and choose the algorithm displayed after it in the dropdown menu here (e.g., SHA512).
Hardware Crypto: Select No Hardware Crypto Acceleration.You should select otherwise only if you are sure your device supports hardware cryptography.
Tunnel Settings
IPv4 Tunnel Network: Leave empty.
IPv6 Tunnel Network: Leave empty.
IPv4 Remote Network(s): Leave empty.
IPv6 Remote Network(s): Leave empty.
Limit outgoing bandwidth: Leave blank.
Compression: Choose Adaptive LZO Compression [Legacy, comp-lzo adaptive].
Topology: Leave as it is.
Type-of-Service: Leave this box unchecked
Don’t pull routers: Leave this box unchecked
Don’t add/remove routes: Leave this box unchecked
Advanced Configuration
Custom options: Copy and paste the following:
fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288
UDP Fast I/O: Check this box.
Send/Receive Buffer: Choose 512 KiB.
Gateway Creation: Choose IPv4 only.
Verbosity Level: Choose 3 (recommended).
Click the “Save” button.
8. Go to “Interfaces” in the top navigation bar and select “Assignments.” Click the “+Add” button to add the ExpressVPN interface.
9. Select the “OPT1” under “Interface,” select “ovpnc1,” and click the “Save” button.
10. Back to the top navigation bar, click “Interfaces,” select “OPT1,” and input the following:
General Configuration
Enable: Check this box.
Description: Input any name that represents the interface (e.g., ExpressVPN).
Mac Address: Leave empty.
MTU: Leave empty.
MSS: Leave empty.
Reserved Networks
Block private networks and loopback addresses: Leave this box unchecked
Block bogon networks: Leave this box unchecked
Click the “Save” button and click “Apply Changes.”
11. Back to the top navigation bar, click “Firewall,” then “Aliases.” Select the “+Add” button to add an alias for your home network and input the following:
Properties
Name: Enter a name to represent your network (e.g., Local_Subnet)/
Description: A description to describe your network (e.g., Home)
Type: Choose Networks.
Network(s)
Network or FDQN: Input 192.168.1.0 and choose 24.
Click the “Save” button.
12. In the top navigation bar, select Firewall > NAT > Outbound. Choose “Manual Outbound NAT rule generation” for “Mode,” click “Save,” then “Apply Changes.”
13. Under “Mappings,” go to your first WAN interface and click the copy icon under “Actions.” Then choose “EXPRESSVPN” for “Interface” click “Save.” Repeat this step for every WAN entry in this section. Click “Apply Changes” at the top.
14. Next, click “Firewall,” then “Rules.” Select “LAN,” click the “Add” button on the far left and input the following:
Edit Firewall Rule
Action: Choose Pass.
Disabled: Leave unchecked.
Interface: Choose LAN.
Address: Choose IPv4.
Protocol: Choose Any.
Source
Source: Choose Single host or alias and input the name of the alias you created for your network earlier.
Destination: Choose Any
Log: Leave unchecked.
Description: Input a description of your firewall rule.
Select Display Advanced.
Advanced Options
Gateway: Choose EXPRESSVPN.
Click the “Save” button, then “Apply Changes.”
15. To confirm the OpenVPN connection is active, navigate to the following path: Status > OpenVPN. You should see “up” under the “Status” section.
As you can see, it’s a long and technical process. Be very careful not to miss any step.
Get ExpressVPN for pfSense
Advantages of Using ExpressVPN on pfSense
Here are the perks of using ExpressVPN on pfSense:
1. Security
ExpressVPN’s security structure includes reliable VPN protocols (OpenVPN), military-grade encryption (AES-256), leak protection, compatibility with the Onion network, malware/ad blocker (CyberSec), Split Tunneling, and a Kill Switch. Your privacy and security are in secure hands.
2. Circumvent Geo-Restrictions
ExpressVPN’s servers are powerful when it comes to unblocking content you cannot view due to geo-restrictions. Netflix, BBC iPlayer, HBO Now, and Amazon Prime Video are a few of the popular services it can unblock. Its extensive server network allows you to access streaming content in any region worldwide.
Frequently Asked Questions About How to Set Up and Use ExpressVPN for PfSense
Are there other alternatives to ExpressVPN?
Yes, there are other VPN services you may want to consider if you do not want to use ExpressVPN. However, you should know that ExpressVPN has the best capabilities you can find anywhere. Its security features are topnotch, likewise its unblocking prowess and ease of use. ExpressVPN will make sure that you have no regrets about using the VPN service.
Can I use a free VPN instead of ExpressVPN for PfSense?
Yes, you could. However, this is not advised. Firstly, a free VPN service may not work so well with PfSense. These providers often have limited features in the form of bandwidth and data caps, slow internet connection, and a limited number of servers. Also, in most cases, you can only install the free service on one device. These will leave you frustrated if you are trying to use PfSense. More so, there are several security challenges you could experience with free VPN services. For example, some have been known to retain and sell users’ data to third parties. Hence, when you use their services, you will be automatically putting yourself in danger.
Does ExpressVPN have a free version?
Unfortunately not. ExpressVPN has a one-month subscription plan, a 6-month subscription plan and a one-year plan. None of these come at no cost. However, ExpressVPN has a money-back guarantee window. This lasts for 30 days of initial subscription. Within this period, you can use the service, request a refund with no question asked. Thus, if you are looking for a premium service to use with PfSense for a while, ExpressVPN’s money-back window works perfectly.
Is using ExpressVPN with PfSense legal?
Yes. VPN services like ExpressVPN are legal in many countries. It is just a few locations, especially in countries with restrictive internet policies that VPN services are restricted. However, also bear in mind that what you use the VPN service for is very important. If you use a VPN to carry out illegal activities, you will get into trouble if discovered. More so, you will not get into trouble for using a VPN with PfSense. There are no restrictions against using a VPN while on the platform.
Conclusion
To use ExpressVPN on pfSense, you have to go through a thorough configuration process. You need to be very meticulous with the setup process because any small detail can affect the connection’s success. We hope that this guide helps you set up ExpressVPN on pfSense.