====== PFSense - VPN - Use ExpressVPN - Configure pfSense to use the ExpressVPN configuration files ======

===== Configure Certificates for ExpressVPN =====

Navigate to **System -> Cert. Manager**. Under "CAs," click the **Add** button. Enter the following:

  * Descriptive name: **ExpressVPN_CA**.
  * Method: **Import an existing Certificate Authority**.
  * Certificate data: Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the text wrapped within the **%%<ca>%%** portion of the file. Copy the entire string from **%%-----BEGIN CERTIFICATE-----%%** to **%%-----END CERTIFICATE-----%%**.
  * Certificate Private Key (optional): **Leave this blank**.
  * Serial for next certificate: **0**, or leave this blank if it is not populated.
  * Click **Save**.

After entering the information, your screen should look like this:

{{:pfsense:use_expressvpn:pfsense_certificate_manager_ca_expressvpn.png?800|}}

----

This is what the certificate authority should look like once you've added it:

{{:pfsense:vpn:use_expressvpn:pfsense_-_system_-_certificate_manager_-_cas_-_expressvpn.png?800|}}

----

Stay on this page and click **Certificates** at the top. Under "Certificates" click the **Add** button.

  * Method: **Import an existing Certificate**.
  * Descriptive name: **ExpressVPN_cert**, or something meaningful to you.
  * Certificate data: Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the text wrapped within the **%%<cert>%%** portion of the file. Copy the entire string from **%%-----BEGIN CERTIFICATE-----%%** to **%%-----END CERTIFICATE-----%%**.
  * Private key data: With your text editor still open, look for the text wrapped within the **%%<key>%%** portion of the file. Copy the entire string from **%%-----BEGIN RSA PRIVATE KEY-----%%** to **%%-----END RSA PRIVATE KEY-----%%**.
  * Click **Save**.
After entering the information, your screen should look like this:

{{:pfsense:use_expressvpn:pfsense_certificate_manager_certificate_expressvpn.png?800|}}

----

===== Create an OpenVPN Client using ExpressVPN =====

Navigate to **VPN -> OpenVPN -> Clients**. At the bottom of the screen, click **Add**.

In **General Information** enter:

  * Disabled: **Not Checked**.
  * Server mode: **Peer to Peer (SSL/TLS)**.
  * Protocol: **UDP on IPv4 only**.
  * Device mode: **tun - Layer 3 Tunnel Mode**.
  * Interface: **WAN**.
  * Local port: **Leave blank**.
  * Server host or address: **france-paris-1-ca-version-2.expressnetw.com**. Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the line that starts with **remote**, followed by a server name. Copy the server name into this field (e.g., server-address-name.expressnetw.com).
  * Server port: **1195**. In the same **remote** line, take the port number at the end (e.g., 1195).
  * Proxy host or address: **Leave blank**.
  * Proxy port: **Leave blank**.
  * Proxy Authentication: **none**.
  * Description: **ExpressVPN client - France Paris 1**. Change as required.

{{:pfsense:use_expressvpn:pfsense_vpn_client_general_-_expressvpn_-_france_-_paris_-_1.png?800|}}

In **User Authentication Settings** enter:

  * Username: **your ExpressVPN username**.
  * Password: **your ExpressVPN password**.
  * Authentication Retry: **Not Checked**.

{{:pfsense:use_expressvpn:pfsense_vpn_client_user_authentication_settings.png?800|}}

In **Cryptographic Settings** enter:

  * TLS Configuration: check **Use a TLS Key**.
  * TLS Key: Open the OpenVPN configuration file that you downloaded in your favorite text editor. Look for the text wrapped within the **%%<tls-auth>%%** portion of the file. Ignore the "2048 bit OpenVPN static key" comment lines and copy from **%%-----BEGIN OpenVPN Static key V1-----%%** to **%%-----END OpenVPN Static key V1-----%%**.
  * TLS Key Usage Mode: **TLS Authentication**.
  * Peer Certificate Authority: **ExpressVPN_CA**. Select the "ExpressVPN CA" that you created previously in the Cert. Manager steps.
  * Client Certificate: **ExpressVPN_cert**. Select the "ExpressVPN Cert" that you created previously in the Cert. Manager steps.
  * Encryption Algorithm: **AES-256-CBC (256 bit key, 128 bit block)**. In the OpenVPN configuration file, look for the line starting with **cipher**. In this example it reads "cipher AES-256-CBC," so select "AES-256-CBC (256-bit key, 128-bit block)" from the drop-down.
  * Enable NCP: **Checked**. Enables Negotiable Cryptographic Parameters.
  * NCP Algorithms: **AES-256-GCM** and **AES-256-CBC**. Keep the order.
  * Auth digest algorithm: **SHA512 (512 bit)**. In the OpenVPN configuration file, look for the line starting with **auth** followed by the algorithm name. In this example it reads "auth SHA512," so select "SHA512 (512-bit)" from the drop-down.
  * Hardware Crypto: **Intel RDRAND engine - RAND**. Unless you know that your device supports hardware cryptography, leave this at **No Hardware Crypto Acceleration**.

{{:pfsense:use_expressvpn:pfsense_-_vpn_client_cryptographic_settings_-_expressvpn_-_france_-_paris_-_1.png?800|}}

In **Tunnel Settings** enter:

  * IPv4 Tunnel Network: **Leave blank**.
  * IPv6 tunnel network: **Leave blank**.
  * IPv4 remote network(s): **Leave blank**.
  * IPv6 remote network(s): **Leave blank**.
  * Limit outgoing bandwidth: **Leave blank**.
  * Compression: **Adaptive LZO Compression [Legacy style, comp-lzo adaptive]**.
  * Topology: **Subnet - One IP address per client in a common subnet**.
  * Type-of-service: **Not Checked**.
  * Don't pull routes: **Not Checked**.
  * Don't add/remove routes: **Checked**.
{{:pfsense:use_expressvpn:pfsense_vpn_client_tunnel_settings.png?800|}}

In **Advanced Configuration** enter:

  * Custom options: These options are derived from the OpenVPN configuration file you have been referencing; they are the directives not already entered in a field above. Copy and paste the following:

<code>
fast-io; persist-key; persist-tun; remote-random; #pull; comp-lzo; tls-client;
verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1;
route-method exe; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450;
verb 3; sndbuf 524288; rcvbuf 524288
</code>

  * UDP Fast I/O: **Checked**. Use fast I/O operations with UDP writes to tun/tap. Experimental.
  * Send/Receive Buffer: **512 KiB**.
  * Gateway creation: **IPv4 only**.
  * Verbosity level: **default**. Change as required; **3** is a good option if you do not want too many log entries.

{{:pfsense:use_expressvpn:pfsense_vpn_client_advanced_configuration.png?800|}}

----

Now that you have the configuration files, return to [[PFSense:VPN:Use ExpressVPN|Use ExpressVPN]] and do the next step: [[PFSense:VPN:Use ExpressVPN:Create VPN Interface|Create VPN Interface]].
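The copy-and-paste steps above (the **%%<ca>%%**, **%%<cert>%%**, **%%<key>%%** and **%%<tls-auth>%%** blocks, the host and port on the **remote** line, the **cipher** and **auth** directives, and the leftover directives for Custom options) can be cross-checked with a short script. The one below is an added example for this page, not pfSense or ExpressVPN code. It only uses the Python standard library; the embedded sample file is constructed in the layout of an ExpressVPN .ovpn file, with placeholder PEM bodies that are not real certificates or keys, and the set of directives it treats as "already has its own form field" is an assumption based on the fields walked through above.

```python
"""Pull pfSense OpenVPN client field values out of an ExpressVPN-style .ovpn file.
Added example for this wiki page, not pfSense or ExpressVPN code: it does the
copy-and-paste steps above (<ca>, <cert>, <key>, <tls-auth>, remote host/port,
cipher, auth) and collects the leftover directives for Custom options."""
import re
import sys
from typing import Dict, List, Tuple

# Inline blocks the form needs pasted verbatim, PEM armor included.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")
# Assumed: directives with their own form field, not to be repeated in Custom options.
HANDLED_DIRECTIVES = {"client", "dev", "proto", "remote", "cipher", "auth",
                      "auth-user-pass", "nobind", "resolv-retry"}
# One PEM-armored object; BEGIN and END labels must match.
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)
# An OpenVPN inline block such as <ca> ... </ca>.
BLOCK_RE = re.compile(r"<([a-z][a-z-]*)>(.*?)</\1>", re.S)

def extract_inline_blocks(text: str) -> Dict[str, str]:
    """Return {tag: pem}; only the armored object is kept, so the
    "# 2048 bit OpenVPN static key" comment lines in <tls-auth> are dropped."""
    blocks: Dict[str, str] = {}
    for m in BLOCK_RE.finditer(text):
        tag, body = m.group(1), m.group(2)
        if tag not in INLINE_TAGS:
            continue
        pem = PEM_RE.search(body)
        if pem is None:
            raise ValueError(f"<{tag}> block has no BEGIN/END armor")
        blocks[tag] = pem.group(0)
    return blocks

def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Return (name, args) for every directive outside the inline blocks."""
    directives: List[Tuple[str, List[str]]] = []
    for raw in BLOCK_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank or comment line
        name, *args = line.split()
        directives.append((name, args))
    return directives

def pfsense_client_fields(text: str) -> Dict[str, object]:
    """Map a .ovpn file onto the pfSense OpenVPN client form fields."""
    fields: Dict[str, object] = {}
    custom: List[str] = []
    for name, args in parse_directives(text):
        if name == "remote" and len(args) >= 2:
            fields["server_host"], fields["server_port"] = args[0], int(args[1])
        elif name == "cipher" and args:
            fields["encryption_algorithm"] = args[0]
        elif name == "auth" and args:
            fields["auth_digest"] = args[0]
        elif name not in HANDLED_DIRECTIVES:
            custom.append(" ".join([name, *args]))
    fields["custom_options"] = "; ".join(custom)  # pfSense accepts ';' separators
    fields.update(extract_inline_blocks(text))
    return fields

# Constructed sample in the layout of an ExpressVPN .ovpn file; the PEM bodies
# are placeholders, not real certificates or keys.
SAMPLE_OVPN = """\
client
remote france-paris-1-ca-version-2.expressnetw.com 1195
remote-random
verify-x509-name Server name-prefix
key-direction 1
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCABODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCLIENTCERTBODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERPRIVATEKEYBODY
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

if __name__ == "__main__":  # pass your own .ovpn path, or run on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN
    for field, value in pfsense_client_fields(text).items():
        print(f"== {field} ==\n{value}")
```

Run it with the path of your downloaded .ovpn file as the only argument and compare its output, field by field, with what you typed into the pfSense form; the **custom_options** line is what remains after the directives with their own field have been taken out, which is the same sorting the Custom options step above does by hand.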