OpnSense Firewall OpenVPN client (working)

It requires a few steps, but this will get you up and running with an OpenVPN client on your OpnSense (and probably pfSense) router.

Steps:

  • Download VyprVPN Certificate

  • Identify the server you want to use

  • System --> Trust --> Authorities --> Import Golden Frog CA Cert (copy & paste it in from a text editor), name it VyprVPN

  • VPN --> OpenVPN --> Clients --> Add (with following settings)

  • Server Mode: Peer to Peer (SSL/TLS)

  • Protocol: UDP

  • Device Mode: tun

  • Interface: WAN

  • Local port: (blank/empty)

  • Server host or address: us6.vpn.goldenfrog.com (use your server of choice here)

  • Server port: 443

  • Proxy host or address: (blank/empty)

  • Proxy port: (blank/empty)

  • Proxy authentication extra options: none

  • Server host name resolution: (unchecked)

  • Description: VyprVPN

  • User name/pass: Username: (your email address)

  • Password: (your password)

  • Cryptographic Settings

  • TLS Authentication: (unchecked)

  • Peer Certificate Authority: VyprVPN (see above, Import CA)

  • Client Certificate: None (Username and Password Required)

  • Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block)

  • Auth Digest Algorithm: SHA256 (256-bit)

  • Hardware Crypto: (use it if you have it, e.g. Intel RDRAND engine - RAND)

  • Tunnel Settings (all blank or unchecked except)

  • Compression: Enable with Adaptive Compression

  • Advanced (add these to Advanced, one directive per line):
      resolv-retry infinite
      keepalive 10 60
      persist-key
      persist-tun
      persist-remote-ip
      verify-x509-name us6.vyprvpn.com name
      verb 3
      tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
      redirect-gateway autolocal

(Check the logs to validate that the name above [us6.vyprvpn.com] matches the certificate and server you are connecting to)

  • Verbosity Level: 3 (Recommended)

Start your client and look at the logs; you should see a successful startup, but you are not done yet.

openvpn[49494]: Initialization Sequence Completed

  • Firewall --> NAT --> Outbound --> Set to Hybrid

  • Add a manual rule

  • Interface: OpenVPN, leave the rest as defaults and save

  • Now go to the web and see what it says: your home city or your VPN location.
    Check What's My IP

* Try a traceroute and you should go through the VPN IP address. Look at the VPN logs to see the VPN IP and static routes being created.

Good luck!

Note, you may need to add some static routes for DynamicDNS services, otherwise your public IP address will look like your VPN address and not your home router's public IP address.

I use DynDNS and added 3 static routes for checkip.dyndns.org.
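The guide says to check the OpenVPN client log so that the verify-x509-name value matches the certificate of the server you actually connect to, and then to confirm the session came up. The following is an added example, not part of bradandersen's post: it scans a client log for the relevant OpenVPN messages and reports the verified server CN, the pushed tunnel address, and any name mismatch. The log excerpt is constructed for illustration, not a real capture.

```python
"""Check an OpenVPN client log for the expected verify-x509-name result."""
import re

# Constructed verb-3 style log excerpt (not a real session).
SAMPLE_LOG = """\
openvpn[49494]: TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:443
openvpn[49494]: VERIFY OK: depth=1, C=US, O=Golden Frog, CN=Golden Frog CA
openvpn[49494]: VERIFY X509NAME OK: C=US, O=Golden Frog, CN=us6.vyprvpn.com
openvpn[49494]: VERIFY OK: depth=0, C=US, O=Golden Frog, CN=us6.vyprvpn.com
openvpn[49494]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ifconfig 10.8.0.6 255.255.255.0'
openvpn[49494]: Initialization Sequence Completed
"""

# Messages OpenVPN logs when verify-x509-name passes or fails.
X509NAME_OK = re.compile(r"VERIFY X509NAME OK: (?P<subject>.*)$")
X509NAME_ERR = re.compile(r"VERIFY X509NAME ERROR: (?P<subject>.*?), must be (?P<expected>\S+)")
# Tunnel address pushed by the server; CN field in either comma or slash subject format.
IFCONFIG = re.compile(r"\bifconfig (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+)")
CN = re.compile(r"\bCN=(?P<cn>[^,/]+)")


def check_openvpn_log(log_text, expected_name):
    """Summarise name verification and session state from OpenVPN log lines.

    name_ok is True only when the server CN that OpenVPN accepted equals the
    name you configured in verify-x509-name; mismatch carries the pair from a
    VERIFY X509NAME ERROR line if the server presented a different CN.
    """
    result = {"name_ok": False, "server_cn": None, "tunnel_ip": None,
              "completed": False, "mismatch": None}
    for line in log_text.splitlines():
        m = X509NAME_OK.search(line)
        if m:
            cn = CN.search(m.group("subject"))
            result["server_cn"] = cn.group("cn").strip() if cn else None
            result["name_ok"] = result["server_cn"] == expected_name
        m = X509NAME_ERR.search(line)
        if m:
            result["mismatch"] = (m.group("subject"), m.group("expected"))
        m = IFCONFIG.search(line)
        if m:
            result["tunnel_ip"] = m.group("ip")
        if "Initialization Sequence Completed" in line:
            result["completed"] = True
    return result


if __name__ == "__main__":
    print(check_openvpn_log(SAMPLE_LOG, "us6.vyprvpn.com"))
```

Paste a real log excerpt in place of SAMPLE_LOG and pass the name you put in verify-x509-name; a False name_ok with a mismatch tuple tells you which name the server actually presented.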

Awesome guide @bradandersen! Thanks for sharing with the community!

I am using these steps from the 1st post in opnsense and it's working well for the most part. Is there a way to only allow the DHCP range I set in my subnet to use the VPN tunnel and have the rest of the subnet go through the ISP normally? For example, if my gateway is 10.25.25.250 and my DHCP is set for 10.25.25.101 to 10.25.25.150, and I only want that range to go through vyprvpn and the rest of the subnet to go through the ISP normally. Is that possible? My issue is I have an obi200 VoIP adaptor configured for two providers and it's finicky with registration of the VoIP through the tunnel. Or can I just set up a VLAN that is not on the same subnet as the VPN and it just goes to the ISP normally? Any guidance is helpful, please, with steps too. Thank you in advance.

Hello @neftv,

While there may be a way to get your configuration set the way you mentioned, we do not offer any guidance as we do not officially support Opnsense.

I would suggest searching other forums or reaching out to Opnsense support and seeing if there are any guides that will point you in the right direction.

We apologize that we do not have any information to provide to you in regards to your configuration.

Regards,

I was wondering, do you guys only use the CA certificate and the login credentials? I've been reading that some would not use any VPN service that didn't use certificates to mutually authenticate servers and clients. Servers use a certificate authority to issue a client certificate ("client.crt") and key ("client.key"). Clients use the server certificate ("ca.crt") to authenticate communications from servers, and they use their certificates to sign communications to servers.

Username and password provide a second layer of client authentication to servers. While such two-factor authentication is crucial for Gmail etc., here it mainly prevents unauthorized use.

Some providers also issue keys ("ta.key") for TLS authentication. That helps protect servers from DoS attacks, in that unsigned packets are simply dropped.