How to Download, Install and Use ExpressVPN on pfSense

If you use a pfSense-powered firewall or router, chances are you take your cyber-security seriously. So, unsurprisingly, you'll want to use a VPN service as well. Let's talk about how to set up and use ExpressVPN on pfSense.


As per ExpressVPN’s support documentation, this VPN has been tested on pfSense 2.4.5. However, we expect it to work on newer pfSense versions (above 2.5) as well – without any issues. Also, note that the following installation steps are intended for users with a basic home network setup (powered by pfSense, of course).

1. First, let’s help you get your ExpressVPN subscription.  

2. You’ll land on ExpressVPN’s site, where you need to click on 'Get ExpressVPN.'

3. Now, pick a subscription plan (long-term ones come with considerable savings). 

4. Enter your email address and then proceed to pay for your new subscription. 

5. Once done, ExpressVPN will send you a confirmation email, so check your inbox. 

6. This is when you need to return to ExpressVPN’s website (go to its home page). 

7. Click on 'My Account' in the menu in the top-right corner (the website's main menu).

8. Provide your ExpressVPN credentials and select 'Sign In.'

9. You’ll be asked for a verification code, which you can copy from your email inbox. 

10. At this point, you should be looking at your ExpressVPN online dashboard.

11. Select 'Set Up Other Devices' and expect to see a new page open. 

12. Then, pick 'Manual Configuration' on the right. On the left, select 'OpenVPN.'

13. Make a note of your OpenVPN username and password (on the right side). 

14. Just below, pick any VPN server and download its associated OVPN file.


We recommend leaving your ExpressVPN online dashboard open in the background. That will help you copy-paste your username and password more quickly. You might also need additional information from there, so keep that window handy. 

15. Now, log in to your pfSense device and access its interface. 

16. Using the top navigation bar, go to System > Cert. Manager.

17. Select the CA tab and click on '+ Add.' Then, enter the following information. 

  • Descriptive Name: Come up with an easy-to-remember name. 
  • Method: Select 'Import an Existing Certificate Authority.'
  • Certificate Data: Launch the recently downloaded OVPN file in a text editor (right-click on it and select 'Open With,' and then choose a text editor). Then, copy the text between the <ca> and </ca> tags and paste it into this field. 
  • Certificate Private Key (Optional): Feel free to leave this blank. 
  • Serial for Next Certificate: Leave this one blank as well. 

18. Double-check if you’ve entered everything correctly. Then, click on 'Save.'

19. Now, select 'Certificates' and click on '+ Add.'

20. You'll be asked for several pieces of information. So, use the following.

  • Method: Select 'Import an Existing Certificate.'
  • Descriptive Name: Enter any name (like 'ExpressVPN Certificate'). 
  • Certificate Data: Once again, open the OVPN file in a text editor. Then, copy everything between the <cert> and </cert> tags. 
  • Private Key Data: For this field, copy everything between the <key> and </key> tags (from the recently downloaded OVPN file, once you open it in a text editor). 

21. Recheck if you’ve entered everything correctly and hit the 'Save' button. 

22. Using the top navigation bar, go to VPN > OpenVPN.

23. Select 'Clients' and click on the '+ Add' button. 

24. You’ll be asked for various information again. So, check out just below. 

25. Fill out the information in the 'General Information' group, based on the following.

  • Disabled: Leave this unchecked. 
  • Server Mode: Select 'Peer to Peer (SSL/TLS).'
  • Protocol: Select 'UDP on IPv4 Only.'
  • Device Mode: Select 'tun – Layer 3 Tunnel Mode.'
  • Interface: Feel free to pick 'WAN' here. 
  • Local Port: Don’t change anything (leave blank).
  • Server Host or Address: Once again, open the OVPN file in a text editor. Then, copy the server address found between the word "remote" and the 4-digit port number. 
  • Server Port: Your 4-digit port number is found in the OVPN file. 
  • Proxy Host or Address: Leave this field blank. 
  • Proxy Port: Leave blank. 
  • Proxy Authentication: Select 'None' here. 
  • Description: Come up with a name that’ll help you recognize your VPN connection. 

26. Now, take a look at the 'User Authentication Settings' group. 

27. Your username is found on your online dashboard (your OpenVPN username). 

28. Your password is also found on your dashboard (OpenVPN password). 

29. Then, fill out the 'Cryptographic Settings' fields based on the following. 

  • TLS Configuration: Make sure to check this box. 
  • Automatically Generate a TLS Key: Make sure this box is unchecked. 
  • TLS: Once again, you need to use your OVPN file. This time around, copy everything you see between the <tls-auth> and </tls-auth> tags. 
  • TLS Key Usage mode: Select 'TLS Authentication' here. 
  • Peer Certificate Authority: Pick the entry you’ve created earlier. 
  • Client Certificate: Pick the certificate you created moments ago. 
  • Encryption Algorithm: Once you open the OVPN file in a text editor, look for the word "cipher." Select the algorithm shown after "cipher" in the dropdown menu. For example, this could be AES-256-CBC. 
  • Enable NCP: Don't use this option (uncheck this box). 
  • NCP Algorithms: Feel free to leave blank. 
  • Auth Digest Algorithm: Open the OVPN file again and look for the word "auth." Select the algorithm shown after "auth" in the dropdown menu. For example, SHA512. 
  • Hardware Crypto: Select based on the capability of your pfSense hardware. If this option isn’t available on your device, select 'No Hardware Crypto Acceleration.'

30. Then, take a look at the 'Tunnel Settings' group of fields. 

31. Fill them out based on the following information. 

  • IPv4 Tunnel Network: Leave blank. 
  • IPv6 Tunnel Network: Leave this one blank as well. 
  • IPv4 Remote Network: Leave as it is. 
  • IPv6 Remote Network: Leave as it is. 
  • Limit Outgoing Bandwidth: Leave blank for unlimited. 
  • Compression: Select 'Adaptive LZO Compression [Legacy].'
  • Topology: Don’t change anything for this field. 
  • Type-of-Service: Make sure this item is unchecked. 
  • Don’t Pull Routes: Check this box. 
  • Don’t Add/Remove Routes: Leave this field unchecked. 

32. Now, you should be looking at the 'Advanced Configuration' group of fields.

31. First, make sure to take a look at the 'Custom Options' field. 

32. Then, copy the following code.

fast-io;persist-key;persist-tun;remote-random;pull;comp-lzo;tls-client;verify-x509-name Server name-prefix;remote-cert-tls server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288

33. Now, fill out the rest of the fields based on the following instructions. 

  • UDP Fast I/O: Feel free to check this box.
  • Send/Receive Buffer: Pick '512 KiB' here. 
  • Gateway Creation: Make sure to select 'IPv4 Only.'
  • Verbosity Level: Go with '3 (Recommended).'

34. Once you’ve entered the required information, go ahead and click on 'Save.'

35. We now need to route your WAN traffic through your VPN tunnel. 

36. Using the top navigation bar, go to Interfaces > Interface Assignments.

37. Click on '+ Add,' and a new interface will be created. 

38. For 'OPT 1,' make sure to select 'ovpnc1' and then go ahead with 'Save.'

39. Using the top navigation bar, go to Interfaces > OPT1.

40. Then, enter the required information based on the following. 

  • Enable: Check this box. 
  • Description: Enter any name (something like 'ExpressVPN').
  • MAC Address, MTU & MSS: Leave all three of those blank. 
  • Block Private Networks and Loopback Addresses: Leave unchecked. 
  • Block Bogon Networks: Leave unchecked as well. 

41. Now, use the 'Save' button and then click on 'Apply Changes.'

42. Using the top navigation bar, go to Firewall > Aliases.

43. Once again, click on '+ Add,' and come up with a name for your network alias. 

44. Then, enter the following information. 

  • Name: Enter a meaningful name (easy to recognize). 
  • Description: Come up with a meaningful description. 
  • Type: Go with 'Network(s).'
  • Network or FQDN: Enter '' Then, select '24.'

45. Save your changes and then go to Firewall > NAT > Outbound.

46. For 'Mode,' select 'Manual Outbound NAT Rule Generation.'

47. Once again, save your changes by using the Save > Apply Changes route.

48. Scroll down to 'Mappings,' where you should see your existing WAN connections. 

49. For the first WAN connection entry, click on the Copy icon (below 'Actions'). 

50. For 'Interface,' make sure to select 'EXPRESSVPN.'

51. Don't forget to save your changes.

52. Now, repeat that same process for any other WAN entries you might have. 

53. Lastly, you need to create a rule for your local traffic. Go to Firewall > Rules.

54. Select 'LAN,' and then click on 'Add' on the far left. 

55. Fill out the required information based on the following. 

Edit Firewall Rule

  • Action: Select 'Pass'.
  • Disabled: Leave this unchecked. 
  • Interface: Make sure to select 'LAN' here. 
  • Address: Go with 'IPv4'.
  • Protocol: Go with 'Any'.

Source & Destination

  • Source: Select 'Single Host or Alias.' Then, enter the name of the alias you’ve created earlier (you’ve done this in Firewall > Aliases). 
  • Destination: Feel free to pick 'Any.'

Extra Options

  • Log: Feel free to leave this unchecked. 
  • Description: Enter a meaningful description. Something like 'LAN to ExpressVPN.'
  • Then, make sure to click on 'Display Advanced.'

Advanced Options

  • Gateway: Select 'EXPRESSVPN' here. 

56. Finally, save and apply all your changes by going to Save > Apply Changes.

57. One more thing. You need to check whether your VPN connection works. 

58. Go to Status > OpenVPN. Then, check for 'Up' in the 'Status' column. 
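
The values that steps 17, 20, 25 and 29 copy out of the OVPN file by hand can also be extracted with a short script, which avoids partial pastes and keeps the private key off the screen. The following Python code is an added example, not ExpressVPN's or pfSense's own tooling; the sample profile, the host name and the dictionary labels are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample profile for illustration; not a real ExpressVPN file.
SAMPLE_OVPN = """\
remote vpn.example.invalid 1195
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgQ0E=
-----END CERTIFICATE-----
</ca>
""" + "".join(f"<{t}>\nconstructed-{t}\n</{t}>\n" for t in ("cert", "key", "tls-auth"))

# Descriptive labels (assumed names) -> inline block tag in the OVPN file.
BLOCKS = {"CA Certificate Data": "ca", "Certificate Data": "cert",
          "Private Key Data": "key", "TLS Key": "tls-auth"}

def parse_ovpn(text):
    """Return the values the pfSense forms ask for; raise on anything missing."""
    fields = {}
    for label, tag in BLOCKS.items():
        m = re.search(rf"<{tag}>\s*\n(.*?)\n\s*</{tag}>", text, re.S)
        if not m:
            raise ValueError(f"<{tag}> block missing from profile")
        fields[label] = m.group(1).strip()
    # Drop inline blocks first so key material is never matched as a directive.
    plain = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    for label, name in (("Server", "remote"), ("Encryption Algorithm", "cipher"),
                        ("Auth Digest Algorithm", "auth")):
        m = re.search(rf"^{name}[ \t]+(\S.*?)\s*$", plain, re.M)
        if not m:
            raise ValueError(f"'{name}' directive missing from profile")
        fields[label] = m.group(1)
    host, port = fields.pop("Server").split()[:2]
    fields.update({"Server Host or Address": host, "Server Port": port})
    return fields

def ca_fingerprint(pem):
    """SHA-256 over the decoded certificate bytes, to confirm a clean copy-paste."""
    body = "".join(ln.strip() for ln in pem.splitlines() if not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def redacted(fields):
    """Copy that is safe to log: secret fields are replaced by their length."""
    return {k: f"<{len(v)} chars>" if k in ("Private Key Data", "TLS Key") else v
            for k, v in fields.items()}
```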

That would be all on how to set up ExpressVPN on pfSense. We understand that this is a highly complex procedure. So, in case you have any questions or doubts, make sure to let us know via the comments section below. And lastly, thank you for reading!
