pfSense ExpressVPN Help

Hi All,

I have a pfSense FW installed to act as an ExpressVPN client for my Apple TV to get around some geo-blocked content. I have followed the setup from the ExpressVPN site and, from the system log, the VPN tunnel is all good. The problem happens when I add the FW rule directing the traffic to the VPN; I believe it leaves the pipe but never gets back. How do I debug the traffic in and out of the VPN tunnel?

Thanks

Did you configure the outbound NAT?
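The checks behind the two points above (watching traffic on each leg of the path, and confirming an outbound NAT rule exists on the VPN interface) as a shell script you could run from the pfSense shell. This is an added example, not code from the thread; the interface names (ovpnc1, em1, em0), the client address 192.168.1.50, the VPN server 203.0.113.10 and the sample `pfctl -s nat` output are all assumed or constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. It assembles the checks a pfSense admin
# would run from the shell (SSH or Diagnostics > Command Prompt) to see whether
# traffic policy-routed into the OpenVPN client actually comes back.
# Assumed names (not from the page): OpenVPN client interface ovpnc1, LAN interface
# em1, WAN interface em0, test client 192.168.1.50, VPN server 203.0.113.10.
VPN_IF=ovpnc1
LAN_IF=em1
WAN_IF=em0
CLIENT_IP=192.168.1.50
VPN_SERVER=203.0.113.10

# capture_cmd LEG: prints the tcpdump command for one leg of the path.
# Run each while the client pings an internet host:
#   lan: echo requests and (if working) replies for the client on the LAN side
#   tun: what enters/leaves the tunnel; if the source address is still the
#        client's LAN address rather than the tunnel address, outbound NAT on
#        the VPN interface is missing and the far side cannot route replies back
#   wan: the encrypted UDP session to the VPN server (confirms the tunnel is up)
capture_cmd() {
    case "$1" in
        lan) printf 'tcpdump -ni %s host %s and icmp\n' "$LAN_IF" "$CLIENT_IP" ;;
        tun) printf 'tcpdump -ni %s\n' "$VPN_IF" ;;
        wan) printf 'tcpdump -ni %s host %s and udp\n' "$WAN_IF" "$VPN_SERVER" ;;
        *) return 1 ;;
    esac
}

# has_outbound_nat IFACE: reads `pfctl -s nat` output on stdin and succeeds if
# an outbound NAT rule exists on IFACE (the rule the first reply asks about).
has_outbound_nat() {
    grep -q "^nat on $1 "
}

# Constructed sample of `pfctl -s nat` output with a rule only on the WAN
# interface, i.e. the misconfiguration that makes traffic leave but never return.
SAMPLE_NAT_RULES='nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535'

if command -v pfctl >/dev/null 2>&1; then
    # On the real box: check the live ruleset and print the capture commands.
    if pfctl -s nat | has_outbound_nat "$VPN_IF"; then
        echo "outbound NAT on $VPN_IF: present"
    else
        echo "outbound NAT on $VPN_IF: MISSING (add one under Firewall > NAT > Outbound in hybrid or manual mode)"
    fi
    for leg in lan tun wan; do
        echo "$leg: $(capture_cmd "$leg")"
    done
else
    # Offline: run the same check against the constructed sample.
    if printf '%s\n' "$SAMPLE_NAT_RULES" | has_outbound_nat "$VPN_IF"; then
        echo "sample: outbound NAT on $VPN_IF present"
    else
        echo "sample: outbound NAT on $VPN_IF missing"
    fi
fi
```

The usual signature of "leaves but never comes back" is echo requests visible on the LAN and tunnel captures with no replies, and packets on the tunnel interface still carrying the client's LAN source address; that is exactly the case where the outbound NAT rule on the VPN interface is absent.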


Have you tried rebooting? Sometimes a bunch of the services need to be restarted when setting up the VPN, and rebooting makes sure everything is working the way it's supposed to.

If that doesn't help, can you post your firewall rules?


No luck, I did a fresh install also.


I'd get rid of that allow rule on the VPN interface; you want to treat it like WAN and block all inbound traffic. But that's not the problem.

The VPN is definitely connected and working? Those rules and everything look okay. Can you post the VPN settings?



VPN rule added to try and fix the issue

What are you seeing in the VPN logs? Some of those options may be making it fail. It might be worth turning the logging down a bit to make it easier to spot any errors.

If the problem is in fact that your traffic is successfully leaving through the VPN but not coming back, that sounds a lot like a reverse path filter (link to post) problem I ran into. Reverse path filter is the name of the function in Linux; I am not sure what BSD calls its analog. But with reverse path filtering turned on, when my traffic returned over the VPN tunnel interface, it would be silently dropped, since the filter expected traffic from a non-local address to come in over the WAN interface. Once I disabled reverse path filtering, return traffic over the VPN interface made it all the way back to the local hosts.


So it looks like the VPN isn't connecting, and some of those options appear to be incompatible with the server config.

To start with, I'd set compression to adaptive or on (off will work too, but you might as well have it on). Then get rid of the tun-mtu option and the push options.

These are the options I have set on mine:

remote-cert-tls server; persist-key; persist-tun; reneg-sec 0; mute-replay-warnings

Plus fast-io, which is a checkbox on 2.4. If you set options which the pfSense client doesn't support, or the server doesn't support, that will stop it from connecting.

But judging from the logs, it looks like it's the inconsistent MTU setting which is causing the problem.
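The two option sets side by side, as an added illustration of the advice in this reply rather than text or settings from the thread. The working set is the one quoted above; the failing set is assumed: the page does not show the poster's exact custom options, and the `tun-mtu` value and the `push` line are placeholders standing in for the options the reply says to remove.

```conf
# Assumed custom options of the kind the reply says will not connect (added
# illustration, not the poster's actual box). tun-mtu and push are the lines
# called out as incompatible with the server side; "push" is a server-side
# directive and does not belong in a client config at all. fast-io is set by
# its own checkbox on pfSense 2.4 rather than typed here.
remote-cert-tls server
persist-key
persist-tun
reneg-sec 0
mute-replay-warnings
tun-mtu 1400
push "route 10.0.0.0 255.0.0.0"

# The set this reply reports as working, one option per line, with the two
# lines above removed and the fast-io checkbox cleared. Compression is chosen
# in the GUI (adaptive or on) rather than as a custom option.
remote-cert-tls server
persist-key
persist-tun
reneg-sec 0
mute-replay-warnings
```

After saving, check the OpenVPN log (Status > System Logs > OpenVPN): an option the peer rejects, or an MTU that disagrees with the server's, shows up there before any routing or NAT problem can be diagnosed.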

Thanks, removing the fast-io did the trick.

While I am testing this I have my Mac acting as the device (Apple TV). Currently I can ping my other internal devices like my printer and NAS, but cannot print, as it reports that the printer is not connected. Would there be a general rule blocking this traffic?

If it's on the same subnet then the traffic doesn't touch the firewall, so it wouldn't be pfSense stopping it from seeing the printer.