I struggled for a little bit to get this working, and figured I would share with everyone else - how to use VyprVPN on pfSense (2.4.3 latest).
Get your OpenVPN certificate from: https://support.goldenfrog.company/hc/en-us/article_attachments/201553633/CA_Cert.txt. Download the file and open in notepad (or your fav text editor). Copy all the content to your clipboard.
Adding Cert to pfSense:
- System -> Certificate Manager -> Add
- Name: VyprVPN
- Certificate Data: Paste the cert here.
- Leave all remaining fields as default / blank.
- Click Save.
If everything worked, you will be redirected to the certificate page and should see an email address, valid dates, etc. We are done here.
Setup OpenVPN in pfSense (assume all fields are default unless otherwise mentioned):
- VPN -> OpenVPN -> Clients (tab) -> Add
- Server Mode: Peer to Peer (SSL/TLS)
- Protocol: UDP IPv4 and IPv6 on all interfaces (multihome)
- Device Mode: tun - Layer 3 Tunnel Mode
- Interface: WAN
- Server host or address: us3.vpn.giganews.com (Can be whichever server suites you best. Note: I get my VyprVPN as a part of my Giganews sub, so I needed to use their domain to resolve the server - if you just have a VyprVPN sub, then use a domain they provide https://support.goldenfrog.com/hc/en-us/articles/203733723-What-are-the-VyprVPN-server-addresses).
- Server port: 443
- Description: VyprVPN Texas (or whatever server you used)
- Username: fill this in with your credentials
- Password: fill this in with your credentials
- TLS Configuration: (uncheck)
- Peer Certificate Authority: VyprVPN (the certificate we added earlier)
- Client Certificate: none
- Encryption Algorithm: AES-256-CBC
- Enable NCP: (uncheck)
- NCP Algorithms: AES-256-CBC (should be the only one in the grey box)
- Auth Digest Algorithm: SHA256
- Hardware Crypto: If you got it, use it (e.g. - Intel RAND)
- Compression: Adaptive LZO Compression
Do not click save yet… Now In the Advanced Configuration:
Custom options: Copy the following into this box…
keepalive 10 60
verify-x509-name us3.vpn.giganews.com name
Change the domain / server address in the above text, to the same one you used above in step 6.
Next set, Verbosity level: 3 (recommended)
Finally click save. To confirm the VPN is established and working, click on the Graph Icon (Tool Tip: Related Status). You should now see Status as UP and have a new IP Address. At this point, you will lose the ability to surf the web, this brings us to our last needed configuration.
Configure the Firewall in pfSense:
- Firewall -> NAT -> Outbound (tab)
- Mode: Select the third option, Manual.
- Click Save. (This will populate some default mappings)
For each mapping you will do the following:
- Copy the mapping (Under actions, the Paper on top of a Paper icon)
- This will bring you into the edit mapping, here you will change the Interface to OpenVPN.
- Click Save.
After you have done this for all of the mappings (there should have been 4 by default, 8 when you have copied each rule), you will have access to the internet again and be tunneling through VyprVPN service.
You can confirm with their page:
Hope this helps out anyone using pfSense and was wanting to route all traffic through their VyprVPN service!
Edit: Since VyprVPN does not currently support IPv6, ensure you disable IPv6 in pfSense, or you will leak your IPv6 address, then what was the point of all of this.
To disable IPv6:
- System -> Advanced -> Networking (tab)
- Allow IPv6: (uncheck)
- Click Save