PFSense - VPN - Use ExpressVPN - Configure pfSense to use the ExpressVPN configuration files
Configure Certificates for ExpressVPN
Navigate to System → Cert. Manager.
Under “CAs,” click the Add button.
Enter the following:
- Descriptive name: ExpressVPN_CA.
- Method: Import an existing Certificate Authority.
- Certificate data: Open the OpenVPN configuration file you downloaded in a text editor and find the text wrapped in the <ca> … </ca> tags. Copy the entire block from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, including both marker lines, and paste it here.
- Certificate Private Key (optional): Leave this blank.
- Serial for next certificate: 0, or leave it blank if the field is not populated.
- Click Save.
Stay on this page and click Certificates at the top.
Under “Certificates” click the Add button.
- Method: Import an existing Certificate.
- Descriptive name: ExpressVPN_cert. Or something meaningful to you.
- Certificate data: In the same configuration file, find the text wrapped in the <cert> … </cert> tags. Copy the entire block from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, including both marker lines.
- Private key data: Still in the same file, find the text wrapped in the <key> … </key> tags. Copy the entire block from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY-----. This key authenticates your router to ExpressVPN, so treat it as a secret and paste it nowhere other than this field.
- Click Save.
Create an OpenVPN Client using ExpressVPN
Navigate to VPN → OpenVPN → Clients.
At the bottom of the screen, click Add.
In General Information enter:
- Disabled: Not Checked.
- Server mode: Peer to Peer (SSL/TLS).
- Protocol: UDP on IPv4 only.
- Device mode: tun - Layer 3 Tunnel Mode.
- Interface: WAN.
- Local port: <blank>.
- Server host or address: france-paris-1-ca-version-2.expressnetw.com. In the OpenVPN configuration file, find the line that starts with remote, followed by a server name and a port. Copy the server name into this field (e.g., server-address-name.expressnetw.com).
- Server port: 1195. Take the port number at the end of that same remote line (e.g., 1195).
- Proxy host or address: <blank>.
- Proxy port: <blank>.
- Proxy Authentication: none.
- Description: ExpressVPN client - France Paris 1. Change as required.
In User Authentication Settings enter:
- Username: <your ExpressVPN OpenVPN username>.
- Password: <your ExpressVPN OpenVPN password>.
- Authentication Retry: Not Checked.
In Cryptographic Settings enter:
- TLS Configuration: Use a TLS Key (checked).
- TLS Key: In the OpenVPN configuration file, find the text wrapped in the <tls-auth> … </tls-auth> tags. Skip the comment lines (“2048 bit OpenVPN static key”) and copy from -----BEGIN OpenVPN Static key V1----- through -----END OpenVPN Static key V1-----, including both marker lines.
- TLS Key Usage Mode: TLS Authentication.
- Peer Certificate Authority: ExpressVPN_CA. Select the CA you created in the Cert. Manager steps above.
- Client Certificate: ExpressVPN_cert. Select the certificate you created in the Cert. Manager steps above.
- Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block). In the OpenVPN configuration file, find the line that starts with cipher. In this example it reads “cipher AES-256-CBC,” so select “AES-256-CBC (256-bit key, 128-bit block)” from the drop-down.
- Enable NCP: Checked. Enable Negotiable Cryptographic Parameters.
- NCP Algorithms: AES-256-GCM and AES-256-CBC. Keep the order.
- Auth digest algorithm: SHA512 (512 bit). In the OpenVPN configuration file, find the line that starts with auth. In this example it reads “auth SHA512,” so select “SHA512 (512-bit)” from the drop-down.
- Hardware Crypto: No Hardware Crypto Acceleration, unless you know your device supports it. (This example used “Intel RDRAND engine - RAND”; note that the RDRAND engine only feeds OpenSSL's random number generator and does not accelerate the AES cipher itself.)
In Tunnel Settings enter:
- IPv4 Tunnel Network: <blank>.
- IPv6 tunnel network: <blank>.
- IPv4 remote network(s): <blank>.
- IPv6 remote network(s): <blank>.
- Limit outgoing bandwidth: <blank>.
- Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]. This matches the comp-lzo line in the configuration file. Be aware that compressing traffic inside a VPN tunnel weakens confidentiality (the VORACLE attack against OpenVPN compression), and comp-lzo is deprecated in current OpenVPN releases; enable it only because the ExpressVPN profile calls for it.
- Topology: Subnet – One IP address per client in a common subnet.
- Type-of-service: Not Checked.
- Don’t pull routes: Not Checked.
- Don’t add/remove routes: Checked.
In Advanced Configuration enter:
- Custom options: These are the remaining directives from the OpenVPN configuration file that have no field of their own in the pfSense form. Do not repeat directives the form already sets (fast-io, comp-lzo, verb, sndbuf and rcvbuf are covered by the UDP Fast I/O, Compression, Verbosity level and Send/Receive Buffer settings in this guide), or pfSense will emit them twice. route-method exe is a Windows-only option and is dropped here. Paste the following, separated by semicolons or one per line:
persist-key; persist-tun; remote-random; tls-client; verify-x509-name Server name-prefix; remote-cert-tls server; key-direction 1; route-delay 2; tun-mtu 1500; fragment 1300; mssfix 1450
- UDP Fast I/O: Checked. Use fast I/O operations with UDP writes to tun/tap. Experimental.
- Send/Receive Buffer: 512 KiB.
- Gateway creation: IPv4 only.
- Verbosity level: default. Change as required; 3 matches the verb 3 line in the configuration file and keeps logging moderate.
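As an added worked example (not part of the original page, and not ExpressVPN's or pfSense's own code), the Python script below does the copy-and-paste steps above mechanically. It parses a constructed .ovpn profile laid out like an ExpressVPN one, returns the <ca>, <cert>, <key> and <tls-auth> blocks trimmed to their BEGIN/END marker lines, reads the remote host and port, cipher and auth values for the client form, and lists the leftover directives for the Custom options box while dropping the ones the form already sets. The PEM bodies and static key in the sample are placeholders, not real material.

```python
"""Pull the pfSense form values out of an ExpressVPN-style .ovpn profile."""
import re
from typing import Dict, List, Tuple

# Constructed sample for this example: same directive layout as an ExpressVPN
# profile, but the PEM bodies and static key are placeholders, NOT real material.
SAMPLE_OVPN = """\
dev tun
fast-io
persist-key
remote france-paris-1-ca-version-2.expressnetw.com 1195
remote-random
pull
comp-lzo
verify-x509-name Server name-prefix
remote-cert-tls server
key-direction 1
route-method exe
tun-mtu 1500
fragment 1300
verb 3
cipher AES-256-CBC
auth SHA512
sndbuf 524288
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0EgQk9EWQ==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0xJRU5UIENFUlQ=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIEJPRFk=
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def extract_inline_block(ovpn: str, tag: str) -> str:
    """PEM text inside <tag>...</tag>, from its BEGIN line to the matching END
    line inclusive. Comment lines (the static-key banner) are dropped, which is
    what the pfSense certificate / TLS Key fields expect."""
    m = re.search(rf"<{tag}>\s*(.*?)\s*</{tag}>", ovpn, re.S)
    if not m:
        raise ValueError(f"no <{tag}> block in profile")
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    begin = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN "))
    label = lines[begin][len("-----BEGIN "):-len("-----")]
    end = lines.index(f"-----END {label}-----")  # ValueError if the END marker is missing
    return "\n".join(lines[begin:end + 1])


def parse_directives(ovpn: str) -> List[Tuple[str, List[str]]]:
    """Top-level 'name arg...' lines, with inline blocks and comments removed."""
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", ovpn, flags=re.S)
    out = []
    for raw in body.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            out.append((name, args))
    return out


def client_form_fields(directives) -> Dict[str, str]:
    """Values for the VPN > OpenVPN > Clients form, keyed by field label."""
    first: Dict[str, List[str]] = {}
    for name, args in directives:
        first.setdefault(name, args)          # keep the first remote if several
    host, *rest = first["remote"]
    return {
        "Server host or address": host,
        "Server port": rest[0] if rest else "1194",   # OpenVPN's default port
        "Encryption Algorithm": first["cipher"][0],
        "Auth digest algorithm": first["auth"][0],
    }


# Directives the pfSense form already sets; repeating them in Custom options
# makes pfSense emit them twice.
HANDLED_BY_FORM = {"client", "dev", "proto", "remote", "nobind", "auth-user-pass",
                   "cipher", "auth", "comp-lzo", "fast-io", "verb", "sndbuf",
                   "rcvbuf", "pull", "topology"}
WINDOWS_ONLY = {"route-method"}  # no effect on pfSense (FreeBSD)


def custom_options(directives) -> List[str]:
    """Leftover directives to paste into Advanced Configuration > Custom options."""
    return [" ".join([name, *args]) for name, args in directives
            if name not in HANDLED_BY_FORM | WINDOWS_ONLY]


if __name__ == "__main__":
    ds = parse_directives(SAMPLE_OVPN)
    for label, value in client_form_fields(ds).items():
        print(f"{label}: {value}")
    print("Custom options:", "; ".join(custom_options(ds)))
    print(extract_inline_block(SAMPLE_OVPN, "tls-auth"))
```

Run it against your real profile by replacing SAMPLE_OVPN with the file's contents; if any tag is missing or an END marker is absent, the script raises instead of silently pasting a truncated block, which is the failure mode the manual copy step invites.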
Now that the OpenVPN client is configured, return to Use ExpressVPN and do the next step: Create VPN Interface.