@jacefreeman
Created April 14, 2017 00:34
Vyos OpenVPN Client Configuration for ExpressVPN
# Download the OVPN file from ExpressVPN for the server you wish to access https://www.expressvpn.com/setup#manual
# The .ovpn file carries the CA, the client certificate, the client key and the tls-auth static key inline.
# VyOS wants them as separate files under /config/auth; create them with vi (nano works too), example is vi.
# Get the file names right: ca.crt must hold the <ca> block and cert.crt the <cert> block, because
# those are the names the "tls ca-cert-file" and "tls cert-file" lines in the client config point at.
cd /config/auth
sudo vi ca.crt
# type i and paste in the certificate authority, the lines between <ca> and </ca>
# type :wq
sudo vi cert.crt
# type i and paste in your client certificate, the lines between <cert> and </cert>
# type :wq
sudo vi host.key
# type i and paste in your client private key, the lines between <key> and </key>
# type :wq
sudo vi tls.key
# type i and paste in your OpenVPN static key, the lines between <tls-auth> and </tls-auth>
# type :wq
sudo vi secret.txt
# type i and enter the username from the ExpressVPN manual-setup page on the first line and the password on the second
# (this is the file "--auth-user-pass" below reads; without it the client cannot authenticate)
# type :wq
# The files were created by root through sudo, so chmod needs sudo as well. 600 (owner read/write) is
# enough for a file; the private key, the static key and the password file all deserve it.
sudo chmod 600 host.key tls.key secret.txt
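Pasting four blocks by hand is error-prone, and swapping two of them is exactly the mistake the file names invite. The script below is an added example, not part of the gist, that does the same job: it cuts the `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks out of an ExpressVPN-style .ovpn into the four files the VyOS config references, sets owner-only permissions on the secret ones, and writes the two-line file that `--auth-user-pass` reads. The .ovpn content in `make_sample_ovpn` is constructed with placeholder bodies (not real certificates or keys) and uses CRLF line endings, because .ovpn files saved on Windows have them and a naive line match then silently extracts nothing. The script name, the destination directory and the hostname in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): split an inline .ovpn into the files VyOS wants.

# extract_block FILE TAG: print the lines between <TAG> and </TAG>.
# A trailing CR is stripped first so CRLF files ("<ca>\r") match as well.
extract_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }
        $0 == ("<" tag ">")  { inblock = 1; next }
        $0 == ("</" tag ">") { inblock = 0 }
        inblock              { print }
    ' "$1"
}

# split_ovpn OVPN DESTDIR: write ca.crt, cert.crt, host.key and tls.key into DESTDIR.
# The body is a subshell so the restrictive umask does not leak into the caller.
split_ovpn() (
    ovpn="$1"; dest="$2"
    umask 077                                   # files are born 0600, never world-readable
    mkdir -p "$dest" || return 1
    extract_block "$ovpn" ca       > "$dest/ca.crt"
    extract_block "$ovpn" cert     > "$dest/cert.crt"
    extract_block "$ovpn" key      > "$dest/host.key"
    extract_block "$ovpn" tls-auth > "$dest/tls.key"
    for f in ca.crt cert.crt host.key tls.key; do
        # an empty output file means the block is missing or the tag was misspelt
        [ -s "$dest/$f" ] || { echo "split_ovpn: no block found for $f in $ovpn" >&2; return 1; }
    done
    chmod 644 "$dest/ca.crt" "$dest/cert.crt"   # public material
    chmod 600 "$dest/host.key" "$dest/tls.key"  # private key and tls-auth static key
)

# write_auth_file DEST: read username (line 1) and password (line 2) from stdin and
# write the two-line file --auth-user-pass expects. Taking the password on stdin keeps
# it out of the process list and the shell history, unlike an argument would.
write_auth_file() (
    umask 077
    IFS= read -r user && IFS= read -r pass || return 1
    printf '%s\n%s\n' "$user" "$pass" > "$1"
)

# make_sample_ovpn FILE: constructed .ovpn with the inline layout ExpressVPN uses,
# placeholder bodies only, CRLF terminated like a Windows download.
make_sample_ovpn() {
    printf '%s\r\n' \
        'client' 'dev tun' 'proto udp' 'remote vpn.example.invalid 1195' \
        '<ca>' '-----BEGIN CERTIFICATE-----' 'CA-SAMPLE' '-----END CERTIFICATE-----' '</ca>' \
        '<cert>' '-----BEGIN CERTIFICATE-----' 'CLIENT-SAMPLE' '-----END CERTIFICATE-----' '</cert>' \
        '<key>' '-----BEGIN PRIVATE KEY-----' 'KEY-SAMPLE' '-----END PRIVATE KEY-----' '</key>' \
        '<tls-auth>' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'TLSAUTH-SAMPLE' '-----END OpenVPN Static key V1-----' '</tls-auth>' \
        > "$1"
}

# Usage on the router (assumed script name): sh split-ovpn.sh my_expressvpn.ovpn /config/auth
# It then prompts for the manual-setup credentials and writes /config/auth/secret.txt.
if [ $# -eq 2 ]; then
    split_ovpn "$1" "$2" || exit 1
    printf 'ExpressVPN manual-setup username: ' >&2; IFS= read -r u
    printf 'password: ' >&2; stty -echo 2>/dev/null; IFS= read -r p; stty echo 2>/dev/null; echo >&2
    printf '%s\n%s\n' "$u" "$p" | write_auth_file "$2/secret.txt" || exit 1
fi
```

Run it with sudo on the router so the files end up where the `tls` lines expect them; on a file with a missing block it stops with an error instead of leaving an empty certificate for OpenVPN to choke on later.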
# Set VPN client (run these inside "configure"; finish with "commit" and "save")
set int openvpn vtun0
# "encryption aes256" and "hash sha512" already map to --cipher AES-256-CBC and --auth SHA512;
# the explicit openvpn-option lines further down repeat them because they come from the ExpressVPN .ovpn
set int openvpn vtun0 encryption aes256
set int openvpn vtun0 hash sha512
set int openvpn vtun0 mode client
set int openvpn vtun0 openvpn-option "--persist-key"
set int openvpn vtun0 openvpn-option "--persist-tun"
set int openvpn vtun0 openvpn-option "--nobind"
set int openvpn vtun0 openvpn-option "--pull"
# LZO compression inside the tunnel is what the VORACLE attack exploits; keep it only if the server will not connect without it
set int openvpn vtun0 openvpn-option "--comp-lzo"
set int openvpn vtun0 openvpn-option "--cipher AES-256-CBC"
# the trailing 1 is the key direction for a client; --key-direction 1 below sets the same thing
set int openvpn vtun0 openvpn-option "--tls-auth /config/auth/tls.key 1"
set int openvpn vtun0 openvpn-option "--auth-retry nointeract"
set int openvpn vtun0 openvpn-option "--script-security 2"
# credentials come from secret.txt created above. Do not add a second, bare "--auth-user-pass":
# that tells openvpn to prompt on a terminal, which it does not have when started by VyOS
set int openvpn vtun0 openvpn-option "--auth-user-pass /config/auth/secret.txt"
# "route-method exe" from the ExpressVPN .ovpn is a Windows-only option and is left out here
# --ns-cert-type checks the nsCertType extension of the server certificate so a stolen client
# certificate cannot impersonate the server. It is deprecated and was removed in OpenVPN 2.5,
# where "--remote-cert-tls server" is the replacement (requires the server certificate to carry the serverAuth EKU)
set int openvpn vtun0 openvpn-option "--ns-cert-type server"
set int openvpn vtun0 openvpn-option "--key-direction 1"
set int openvpn vtun0 openvpn-option "--route-delay 2"
set int openvpn vtun0 openvpn-option "--mssfix 1450"
# --keysize is a no-op for a fixed-length cipher like AES-256 and was removed in OpenVPN 2.6
set int openvpn vtun0 openvpn-option "--keysize 256"
set int openvpn vtun0 openvpn-option "--auth SHA512"
set int openvpn vtun0 openvpn-option "--sndbuf 524288"
set int openvpn vtun0 openvpn-option "--rcvbuf 524288"
set int openvpn vtun0 openvpn-option "--fragment 1300"
set int openvpn vtun0 openvpn-option "--tun-mtu 1500"
set int openvpn vtun0 openvpn-option "--fast-io"
set int openvpn vtun0 openvpn-option "--verb 3"
set int openvpn vtun0 persistent-tunnel
set int openvpn vtun0 protocol udp
set int openvpn vtun0 remote-host <expressvpn-hostname-here>
set int openvpn vtun0 remote-port 1195
# file names must match what was created in /config/auth above: ca.crt holds the <ca> block, cert.crt the <cert> block
set int openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set int openvpn vtun0 tls cert-file /config/auth/cert.crt
set int openvpn vtun0 tls key-file /config/auth/host.key
# after commit, check the tunnel came up with: show interfaces openvpn vtun0
# Option A: Set NAT for all internal traffic to use VPN.
# NAT alone does not steer traffic: all LAN traffic only goes through the tunnel because the server
# pushes a redirect-gateway default route (accepted by --pull). If the tunnel drops, the default route
# falls back to the WAN interface and LAN traffic leaves unencrypted, so block LAN-to-WAN forwarding
# in the firewall if that matters to you.
set nat source rule 1000
set nat source rule 1000 description "LAN to internet via OpenVPN"
set nat source rule 1000 outbound-interface vtun0
set nat source rule 1000 source address <xxx.xxx.xxx.xxx/24>
set nat source rule 1000 translation address masquerade
# Option B: Alternatively set individual addresses or subnets to use VPN with policy routing.
# This replaces "all LAN traffic", not the NAT: the source NAT rule above is still required, otherwise
# packets leave vtun0 with a LAN source address and the VPN server drops them or cannot reply.
set policy route src-route rule 1000
set policy route src-route rule 1000 description "Individual route for blah to vtun0"
set policy route src-route rule 1000 destination address 0.0.0.0/0
# Could split this up by geo-location subnet Netflix/HBO tables etc
set policy route src-route rule 1000 set table 1
set policy route src-route rule 1000 source address <xxx.xxx.xxx.xxx/32>
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
# The policy only takes effect once it is attached to the LAN-facing interface (eth1 here is an assumption, use yours)
set interfaces ethernet eth1 policy route src-route
# Note: when vtun0 is down the interface route disappears, table 1 is empty and the lookup falls through
# to the main table, so the "VPN-only" host leaks out of the WAN. A blackhole default route in table 1
# with a worse distance is selected only while the vtun0 route is gone and prevents that
# (syntax below is for VyOS 1.1.x and should be verified on your version):
set protocols static table 1 route 0.0.0.0/0 blackhole distance 254
@kaibsora

Hiya, I just tried to do this in my env, but I found out that OpenVPN to VPN services like this does not support route pushes to the routing table by default, but instead tries to push routes to the default routing table. Using this detailed link should solve that issue:
https://forums.openvpn.net/viewtopic.php?t=8682#p14992
