How to Set Up and Use ExpressVPN on pfSense

ExpressVPN’s speed-optimized network, military-grade encryption, and ease of use guarantee you a great experience. Even more, it is compatible with multiple devices, including your pfSense router.

However, while using ExpressVPN with your pfSense is a match made in heaven, first-time users may face challenges setting the whole thing up. Not to worry, though. Here’s a step-by-step approach on how to do it.

How to Set Up ExpressVPN on your pfSense

First, you must configure your pfSense for flawless access to the internet. Once that is done, here’s how to set up ExpressVPN on it using OpenVPN. Note that this guide assumes a generic 192.168.1.0/24 network setup.

Step 1: Download a VPN configuration file. To do this, sign in to your ExpressVPN account and select Set Up Other Devices. On the left side of your screen, select Manual Configuration.

Step 2: On the right side of your screen, select OpenVPN. You’ll see your username and password and then several OpenVPN configuration files. Note the username and password down somewhere for when you need to enter them later.

Step 3: Download the OpenVPN configuration file of your preferred location(s). You need to keep this file as you’ll need it to complete the setup.

Step 4: Sign in to your pfSense account on a browser.

Step 5: Go to System -> Cert. Manager -> CAs, then click the Add button. After this, input the following and then click Save.

  • Descriptive name: ExpressVPN
  • Method: Import an existing Certificate Authority
  • Certificate data: Using any text editor, open the OpenVPN configuration file that you downloaded in step 3. After this, find the text wrapped within the <ca> portion of the file. Copy the entire string from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste here.
  • Certificate Private Key (optional): Leave empty
  • Serial for next certificate: Leave empty

Step 6: At the top of the Cert. Manager page, select Certificates. Then at the end of the screen, select Add. Under Add a New Certificate, enter the following and then click Save.

  • Method: Import an existing Certificate
  • Descriptive name: ExpressVPN Cert (or another name you like)
  • Certificate data: As in step 5, open the OpenVPN configuration file. Then, find the text wrapped within the <cert> part of the file. Copy the entire string from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste here.
  • Private key data: Still on the text editor, find the text that’s wrapped within the <key> segment of the file. Copy the entire string from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- and paste here.

Step 7: At the top of your screen, select VPN -> OpenVPN -> Clients. Then, at the bottom of your screen, select Add, input the following, and click Save.

General Information

  • Disabled: Don’t check “✔️”
  • Server mode: Peer to Peer (SSL/TLS)
  • Protocol: UDP
  • Device mode: tun
  • Interface: WAN
  • Local port: Leave empty
  • Server host or address: As in step 5, open the OpenVPN configuration file. Then, find the line that starts with remote, followed by a server name. Copy the server name string into this field (e.g., server-address-name.expressnetw.com)
  • Server port: Copy and paste here the port number from the OpenVPN configuration file (e.g., 1195)
  • Proxy host or address: Leave empty
  • Proxy port: Leave empty
  • Proxy Auth. – Extra Options: none
  • Server hostname resolution: Check “✔️”
  • Description: Use any name of your choice

User Authentication Settings

  • Username: your ExpressVPN username
  • Password: your ExpressVPN password

Cryptographic Settings

  • TLS authentication: Check “✔️”
  • Key: As in step 5, open the OpenVPN configuration file. Then, find the text wrapped within the <tls-auth> segment of the file. Ignore the “2048-bit OpenVPN static key” entries and start copying from -----BEGIN OpenVPN Static key V1----- to -----END OpenVPN Static key V1-----
  • Peer Certificate Authority: Select the “ExpressVPN” entry that you created in step 5 above.
  • Client Certificate: Select the “ExpressVPN Cert” entry that you created in step 6 above.
  • Encryption Algorithm: As in step 5, open the OpenVPN configuration file. Then, find the line that starts with cipher and select the algorithm that follows it.
  • Auth digest algorithm: As in step 5, open the OpenVPN configuration file. Then, find the line that starts with auth, followed by the algorithm, and select that algorithm.
  • Hardware Crypto: Unless you know that your pfSense supports hardware cryptography, leave this at No Hardware Crypto Acceleration.
  • If you’re using pfSense 2.4, you’ll need to input the data below:
      • Uncheck Automatically generate a TLS Key
      • Set Usage Mode to TLS Authentication
      • Uncheck Enable Negotiable Cryptographic Parameters
      • Ignore the NCP Algorithms section

Tunnel Settings

  • IPv4 Tunnel Network: Leave empty
  • IPv6 Tunnel Network: Leave empty
  • IPv4 Remote network(s): Leave empty
  • IPv6 Remote network(s): Leave empty
  • Limit outgoing bandwidth: Input limit at your discretion (leave empty for no limit)
  • Compression: Enabled with Adaptive Compression
  • Topology: Leave the default “Subnet — One IP address per client in a common subnet”
  • Type-of-Service: Don’t check “✔️”
  • Disable IPv6: Check “✔️” (this box will be absent if you’re using pfSense 2.4)
  • Don’t pull routes: Check “✔️”
  • Don’t add/remove routes: Don’t check “✔️”
  • If you’re using pfSense 2.4, you’ll need to set Compression to Adaptive LZO Compression

Advanced Configuration

  • Custom Options: Copy and paste the following:

fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288

  • Verbosity level: 3 (recommended)
  • If you’re using pfSense 2.4, you’ll need to input the data below:
      • UDP FAST I/O: Check “✔️”
      • Send/Receive Buffer: 512 KB
      • Gateway creation: IPv4 only

Step 8: Confirm that your service is up by going to Status -> OpenVPN.
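
The copy-and-paste work in steps 5 to 7 can be checked with a short script. The following is an added example, not part of the original guide and not ExpressVPN or pfSense code: it reads an OpenVPN profile, pulls out the remote, cipher and auth lines, and extracts each inline block from its BEGIN marker to its END marker, dropping the static-key banner. The sample profile is constructed, its cipher, digest and key values are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout the guide describes. Not a real provider
# profile: the cipher, digest and key material are placeholder values.
SAMPLE_OVPN = """\
remote server-address-name.expressnetw.com 1195
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
</ca>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

PEM = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.S)

def parse_ovpn(text):
    """Split a profile into single-line directives and inline armored blocks."""
    blocks = {}
    def grab(m):
        # Keep only the BEGIN..END span; this drops comment lines such as the
        # "2048 bit OpenVPN static key" banner the guide says to ignore.
        pem = PEM.search(m.group(2))
        if pem is None:
            raise ValueError(f"<{m.group(1)}> block has no BEGIN/END markers")
        blocks[m.group(1)] = pem.group(0)
        return ""
    rest = re.sub(r"<([\w-]+)>(.*?)</\1>", grab, text, flags=re.S)
    directives = {}
    for line in rest.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            key, _, value = line.partition(" ")
            directives.setdefault(key, value.strip())  # first occurrence wins
    return directives, blocks

def pfsense_fields(text):
    """Map profile contents to the form fields named in steps 5 to 7 (hypothetical helper)."""
    d, b = parse_ovpn(text)
    host, port = d["remote"].split()[:2]
    return {"Server host or address": host, "Server port": int(port),
            "Encryption Algorithm": d["cipher"], "Auth digest algorithm": d["auth"],
            "CA certificate data": b.get("ca"), "Certificate data": b.get("cert"),
            "Private key data": b.get("key"), "TLS key": b.get("tls-auth")}
```

The <key> and <tls-auth> blocks are secrets, so keep the script's output out of shared terminals, tickets and logs.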

If you have followed the steps above, then your ExpressVPN should be up and running. If it’s not, try these steps again. If your problem persists, then contact the ExpressVPN Support Team.

Note that if you want to route your WAN traffic through the tunnel, you may need additional configuration steps.

In conclusion

Setting up ExpressVPN might appear stressful and complicated. As much as possible, we have simplified the process in this article. So, you can now subscribe to ExpressVPN and enjoy its amazing features. You can choose the 12-month plan at $8.32/month, the 6-month plan at $9.99/month, or the one-month plan at $12.95/month. Even cooler, these plans are covered by a 100% money-back guarantee if you’re not satisfied with ExpressVPN’s service within the first 30 days after you subscribe.