I have a pfSense FW installed to act as an ExpressVPN client for my Apple TV to get around some geo-blocked content. I have followed the setup from the ExpressVPN site, and from the System Log the VPN tunnel is all good. The problem happens when I add the FW rule directing the traffic to the VPN; I believe it leaves the pipe but never gets back. How do I debug the traffic in and out of the VPN tunnel?
Have you tried rebooting? Sometimes a bunch of the services need to be restarted when setting up the VPN, and rebooting makes sure everything is working the way it's supposed to.
If that doesn't help, can you post your firewall rules?
What are you seeing in the VPN logs? Some of those options may be making it fail. It might be worth turning the logging down a bit to make it easier to spot any errors.
If the problem is in fact that your traffic is successfully leaving through the VPN but not coming back, that sounds a lot like a reverse path filter problem I ran into. Reverse path filter is the name of the function in Linux; I am not sure what BSD calls its analog. But with reverse path filter turned on, when my traffic returned over the VPN tunnel interface, the traffic would be silently dropped, since the filter expected traffic from a non-local address to come in over the WAN interface. Once I disabled reverse path filtering, return traffic over the VPN interface made it all the way back to the local hosts.
So it looks like the VPN isn't connecting, and it looks like some of those options are incompatible with the server config.
To start with I’d set compression to adaptive or on (off will work too but you might as well have it on). Then get rid of the tun-mtu option and the push options.
Plus fast-io, which is a checkbox on 2.4. If you set options which the pfSense client or the server doesn't support, that will stop it from connecting.
But judging from the logs it looks like it’s the inconsistent MTU setting which is causing the problem.
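As an added example (not code from anyone in this thread), a small Python parser that pulls OpenVPN's "is used inconsistently" warnings out of constructed pfSense System Log lines and says which client option to change so it matches the server, since the reply above points at the inconsistent MTU. The sample log lines, the pid and the timestamps are made up.

```python
import re

# Constructed sample of pfSense System Log lines from the OpenVPN client
# (not taken from the post). The option values are invented for illustration.
SAMPLE_LOG = """\
Jan  1 10:00:01 pfSense openvpn[12345]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1570'
Jan  1 10:00:01 pfSense openvpn[12345]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Jan  1 10:00:01 pfSense openvpn[12345]: WARNING: 'comp-lzo' is used inconsistently, local='comp-lzo', remote=''
Jan  1 10:00:02 pfSense openvpn[12345]: Initialization Sequence Completed
"""

# OpenVPN emits this exact warning shape when the client and server option
# strings differ (local = what this pfSense client set, remote = the server).
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)


def find_inconsistent_options(log_text):
    """Return {option_name: (local_value, remote_value)} for every option
    the OpenVPN client reports as differing from the server's config."""
    found = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            found[m.group("opt")] = (m.group("local"), m.group("remote"))
    return found


def suggest_fixes(mismatches):
    """Map each mismatch to the client-side change that makes it match the
    server: drop options the server does not set, otherwise copy its value."""
    fixes = {}
    for opt, (_local, remote) in mismatches.items():
        if remote == "":
            fixes[opt] = f"remove '{opt}' from the client config"
        else:
            fixes[opt] = f"set client option to '{remote}'"
    return fixes


def tunnel_established(log_text):
    """True if the client logged a completed initialization sequence."""
    return "Initialization Sequence Completed" in log_text


if __name__ == "__main__":
    mismatches = find_inconsistent_options(SAMPLE_LOG)
    for opt, fix in suggest_fixes(mismatches).items():
        print(f"{opt}: {fix}")
    print("tunnel up:", tunnel_established(SAMPLE_LOG))
```

Note that a tunnel can report "Initialization Sequence Completed" and still carry these warnings, so both checks are worth running against the System Log.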
While I am testing this, I have my Mac acting as the device (Apple TV). Currently I can ping my other internal devices like my printer and NAS, but cannot print, as it reports that the printer is not connected. Would there be a general rule blocking this traffic?