VyprVPN on pfSense (Working)

Hello all,

I struggled for a little bit to get this working, and figured I would share with everyone else how to use VyprVPN on pfSense (2.4.3, the latest).

Get your OpenVPN certificate from: https://support.goldenfrog.company/hc/en-us/article_attachments/201553633/CA_Cert.txt. Download the file and open it in Notepad (or your favorite text editor). Copy all of the content to your clipboard.

Adding Cert to pfSense:

  1. System -> Certificate Manager -> Add
  2. Name: VyprVPN
  3. Certificate Data: Paste the cert here.
  4. Leave all remaining fields as default / blank.
  5. Click Save.

If everything worked, you will be redirected to the certificate page and should see an email address, valid dates, etc. We are done here.

Setup OpenVPN in pfSense (assume all fields are default unless otherwise mentioned):

  1. VPN -> OpenVPN -> Clients (tab) -> Add
  2. Server Mode: Peer to Peer (SSL/TLS)
  3. Protocol: UDP IPv4 and IPv6 on all interfaces (multihome)
  4. Device Mode: tun - Layer 3 Tunnel Mode
  5. Interface: WAN
  6. Server host or address: us3.vpn.giganews.com (This can be whichever server suits you best. Note: I get my VyprVPN as a part of my Giganews sub, so I needed to use their domain to resolve the server; if you just have a VyprVPN sub, then use a domain they provide: https://support.goldenfrog.com/hc/en-us/articles/203733723-What-are-the-VyprVPN-server-addresses).
  7. Server port: 443
  8. Description: VyprVPN Texas (or whatever server you used)
  9. Username: fill this in with your credentials
  10. Password: fill this in with your credentials
  11. TLS Configuration: (uncheck)
  12. Peer Certificate Authority: VyprVPN (the certificate we added earlier)
  13. Client Certificate: none
  14. Encryption Algorithm: AES-256-CBC
  15. Enable NCP: (uncheck)
  16. NCP Algorithms: AES-256-CBC (should be the only one in the grey box)
  17. Auth Digest Algorithm: SHA256
  18. Hardware Crypto: If you got it, use it (e.g. - Intel RAND)
  19. Compression: Adaptive LZO Compression

Do not click save yet. Now, in the Advanced Configuration section:

Custom options: copy the following into this box:

resolv-retry infinite
keepalive 10 60
persist-key
persist-tun
persist-remote-ip
verify-x509-name us3.vpn.giganews.com name
verb 3
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
redirect-gateway autolocal

Change the domain / server address in the above text to the same one you used in step 6 above.

Next, set Verbosity level: 3 (recommended).

Finally, click Save. To confirm the VPN is established and working, click on the Graph icon (tool tip: Related Status). You should now see Status as UP and have a new IP address. At this point you will lose the ability to surf the web, which brings us to the last piece of configuration.

Configure the Firewall in pfSense:

  1. Firewall -> NAT -> Outbound (tab)
  2. Mode: Select the third option, Manual.
  3. Click Save. (This will populate some default mappings)

For each mapping you will do the following:

  1. Copy the mapping (Under actions, the Paper on top of a Paper icon)
  2. This will bring you to the edit mapping page, where you will change the Interface to OpenVPN.
  3. Click Save.

After you have done this for all of the mappings (there should have been 4 by default, 8 when you have copied each rule), you will have access to the internet again and be tunneling through VyprVPN service.

You can confirm with their page: https://www.goldenfrog.company/whatismyipaddress

Hope this helps out anyone using pfSense who wants to route all traffic through their VyprVPN service!

Edit: Since VyprVPN does not currently support IPv6, ensure you disable IPv6 in pfSense, or you will leak your IPv6 address, and then what was the point of all of this?

To disable IPv6:

  1. System -> Advanced -> Networking (tab)
  2. Allow IPv6: (uncheck)
  3. Click Save
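As an added check, not part of the original post and not VyprVPN's or pfSense's own code: a small Python script that audits a Custom options block like the one above against the server host chosen in step 6. It catches the two mistakes that silently weaken this setup: a verify-x509-name that pins a different host than the one the client connects to, and a verify-x509-name with no type argument (in OpenVPN 2.4 the default type is "subject", which compares the full subject DN, so a bare hostname would never match and the handshake fails). It also flags a missing redirect-gateway, without which only the routes the server pushes use the tunnel. The sample host and options are constructed from the post; the parser's comment handling ('#' and ';' start comments) and the OpenVPN 2.4 default match type are assumptions stated in the comments.

```python
"""Added example: sanity-check an OpenVPN client "Custom options" block
against the server host picked in the pfSense client form."""

import re
from typing import Dict, List

# Constructed sample: the host from step 6 and the custom options as pasted
# into the Advanced Configuration box in the write-up above.
SERVER_HOST = "us3.vpn.giganews.com"
CUSTOM_OPTIONS = """\
resolv-retry infinite
keepalive 10 60
persist-key
persist-tun
persist-remote-ip
verify-x509-name us3.vpn.giganews.com name
verb 3
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
redirect-gateway autolocal
"""


def parse_options(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it was given.

    Lines are 'directive arg arg ...'. Assumption: '#' and ';' start a
    comment (at the line start or inline). A directive may repeat, so every
    occurrence is kept in order.
    """
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        opts.setdefault(directive, []).append(args)
    return opts


def audit(text: str, server_host: str) -> List[str]:
    """Return findings for a client options block.

    An empty list means the block pins the host it connects to and sends
    all traffic through the tunnel, as the write-up intends.
    """
    opts = parse_options(text)
    findings: List[str] = []

    pins = opts.get("verify-x509-name")
    args = pins[-1] if pins else []
    if not args:
        findings.append(
            "no verify-x509-name: the server certificate's identity is not checked")
    else:
        name, *rest = args
        # Assumption (OpenVPN 2.4 semantics): with no type argument the whole
        # subject DN must match, so a bare hostname never matches; the 'name'
        # type compares the certificate's CN only.
        match_type = rest[0] if rest else "subject"
        if match_type == "subject":
            findings.append(
                f"verify-x509-name {name!r} has no type, so it is compared against "
                "the full subject DN and will not match a hostname; add 'name'")
        if name != server_host:
            findings.append(
                f"verify-x509-name pins {name!r} but the client connects to "
                f"{server_host!r}; they must be the same")

    if "redirect-gateway" not in opts:
        findings.append(
            "no redirect-gateway: only the routes the server pushes use the tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit(CUSTOM_OPTIONS, SERVER_HOST) or ["no findings"]:
        print(finding)
```

Run it after editing the host in step 6 and the options block; a clean run prints "no findings". If you copy the options to a second client for another VyprVPN server, run it again with that server's hostname, since the pinned name must change along with the host.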

Hey @buckeyez,

That’s awesome! Thank you very much for sharing!

Regards,
Tyler | Customer Support

When I enter that cert in the CAs I get an “x” that it does not function properly. Am I missing something?

Never mind, got that to work… but Netflix is being blocked and if I include your advanced properties tab it doesn’t connect at all. I get a tls-auth failure.

I’m using the Austin server and on pfSense it denies me, but on the client on Windows 10 it works fine.