*Work in progress* Tutorial: Install Vypr VPN under Pfsense
-
Hi All,
Here is a short tutorial for getting Vypr VPN to work as an OpenVPN client under pfSense.
First you need to download a configuration file from:
https://www.goldenfrog.com/NL/en/support/vyprvpn/vpn-setup/windows-7-open
You can choose for 160 or 256 bit encryption.
Open the downloaded package and open the: "ca.vyprvpn.com.crt" file, and copy the contents to your clipboard.
Open your Pfsense interface and navigate to: System, certmanager.
Add a new CA cert, and paste the contents of your clipboard there.
Because Vypr VPN needs a username and password, we have to create them for use with pfSense.
Navigate to diagnostics, edit file.
Paste the following line into the "Save / Load from path:" form
/cf/conf/Vypr.pas
Then, in the box below, first type in your Vypr VPN username, and on the line under it your password. So you have 2 lines now.
USERNAME
PASSWORD
Press save!
Navigate to: VPN, OpenVPN, client.
Create a new client.
Put in all the info like in the pictures below, change the servername for the server you are going to use from Vypr VPN.
The client certificate is not used, so you can select the default info there.
And put in the advanced field this information:
verb 5;engine cryptodev;auth-user-pass /cf/conf/Vypr.pas;tls-remote eu1.vpn.giganews.com
Change the server address to the server you want to use.
Press save, and the client should connect to Vypr VPN.
Follow the steps of section 2 of this tutorial:
http://forum.pfsense.org/index.php/topic,29944.0.html
To complete.
–---------------------------------------------------------------------
But I still have to get it to route traffic over the VPN connection. From within pfSense I can ping over the Vypr VPN interface, but not from the LAN... :( So any help figuring this out is welcome.
Found the solution in this post:
http://forum.pfsense.org/index.php/topic,29944.msg177387.html#msg177387
Now I have to do some testing.
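As an added example (not from the original post, and not pfSense's own code), here is a small POSIX shell script that does what the steps above do by hand and then checks the result. It writes the two-line credentials file that auth-user-pass reads, with mode 0600 because the file holds the VPN password in clear text and only the root-run openvpn process needs it; it rejects a file with CRLF line endings (a file edited on Windows carries a \r into the password) or one readable by other users; and it expands the semicolon-separated "advanced" string the way pfSense does, one directive per line, so the directives the thread relies on can be checked. The file path, username and password are placeholders. The note it prints about tls-remote is a fact outside this thread: OpenVPN 2.4 removed that directive in favour of verify-x509-name.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and checks the two pieces
# the tutorial configures by hand: the auth-user-pass credentials file
# (/cf/conf/Vypr.pas on pfSense) and the semicolon-separated "advanced" string.
# Assumptions: POSIX sh; the file path used in a dry run is a placeholder.

# write_auth_file FILE USER PASS
# OpenVPN's auth-user-pass reads line 1 as the username and line 2 as the
# password. The file holds the password in clear text, so it is created 0600.
write_auth_file() {
    _file=$1; _user=$2; _pass=$3
    ( umask 077; printf '%s\n%s\n' "$_user" "$_pass" > "$_file" ) || return 1
    chmod 600 "$_file"
}

# check_auth_file FILE
# Returns 0 only when the file is usable: exactly two non-empty lines,
# no CRLF line endings, and no read permission for group or other.
check_auth_file() {
    _file=$1
    [ -f "$_file" ] || { echo "check: $_file does not exist" >&2; return 1; }
    _lines=$(wc -l < "$_file" | tr -d ' ')
    [ "$_lines" -eq 2 ] || { echo "check: expected 2 lines, found $_lines" >&2; return 1; }
    if grep -q "$(printf '\r')" "$_file"; then
        echo "check: CRLF line endings found (edited on Windows?)" >&2; return 1
    fi
    while IFS= read -r _line; do
        [ -n "$_line" ] || { echo "check: empty line in credentials file" >&2; return 1; }
    done < "$_file"
    # characters 5-10 of ls -l are the group/other permission bits
    _perm=$(ls -l "$_file" | cut -c5-10)
    [ "$_perm" = "------" ] || { echo "check: readable by group/other ($_perm)" >&2; return 1; }
    return 0
}

# advanced_to_config STRING
# pfSense stores the "advanced" field as one line with ';' separators and
# turns it into one OpenVPN directive per line; this mirrors that so the
# result reads like an ordinary .ovpn file.
advanced_to_config() {
    printf '%s\n' "$1" | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# check_advanced STRING
# Returns 0 when auth-user-pass points at a file and the three persist-*
# directives (added later in the thread, which reports the tunnel stays up
# with them) are present. Flags tls-remote, which OpenVPN 2.4 removed.
check_advanced() {
    _cfg=$(advanced_to_config "$1")
    _rc=0
    for _need in 'auth-user-pass /' persist-key persist-tun persist-remote-ip; do
        printf '%s\n' "$_cfg" | grep -q "^$_need" \
            || { echo "check: missing directive: $_need" >&2; _rc=1; }
    done
    printf '%s\n' "$_cfg" | grep -q '^tls-remote ' \
        && echo "note: tls-remote was removed in OpenVPN 2.4; use verify-x509-name" >&2
    return $_rc
}

# Dry run against a placeholder path (the real file is /cf/conf/Vypr.pas).
if [ "${1:-}" = "--demo" ]; then
    write_auth_file ./Vypr.pas PLACEHOLDER_USER PLACEHOLDER_PASS
    check_auth_file ./Vypr.pas && echo "credentials file OK"
    check_advanced 'verb 5;engine cryptodev;auth-user-pass /cf/conf/Vypr.pas;tls-remote eu1.vpn.giganews.com;persist-key;persist-tun;persist-remote-ip' \
        && echo "advanced options OK"
fi
```

Run it with `--demo` to see both checks pass on constructed input; on a real pfSense box, point check_auth_file at /cf/conf/Vypr.pas after saving it from Diagnostics, Edit File, and paste the same advanced string you put in the client's advanced field into check_advanced.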
-
thanks for this great post.
-
thank you for typing this up.
sadly i'm still stuck at the same point. I have two choices available in the client certificate drop down, both begin with IPSec and end with a hostname… no matter which I select the error message in the openvpn logs is always the same:
openvpn[31354]: Cannot load certificate file /var/etc/openvpn/client1.cert: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
any ideas what's wrong with my config/setup?
-
ok, I got a little further, here's what I had to do:
In Cert Manager I first created an internal CA and then an internal certificate, which I then selected in the OpenVPN client certificate dropdown.
Edit:
Never mind – while the certificate info might be helpful to some other users -- I just found out that my vyprvpn service doesn't include openvpn access! argh, all the wasted hours trying ;) So now I'll have to see if I can get it working with l2tp/ipsec...
thanks for all the help with openvpn...
-
Did you create the password file ?
Did you paste this in the advanced field?
verb 5;engine cryptodev;auth-user-pass /cf/conf/Vypr.pas;tls-remote eu1.vpn.giganews.com
Of course, change the giganews server to the server you want to use.
-
Seeing that there were some people here who had gotten VyprVPN working, I renewed my subscription last night.
However, I'm fighting a losing battle on this. The OpenVPN status shows that a connection has been made, but I can't get any traffic to pass through the tunnel, not even from the pfsense box itself.
One thing worth noting is that I'm getting a regular stream of "Authenticate/Decrypt packet error: cipher final failed" in the OpenVPN Logs.
-
Ok, if I pick BF-CBC (128-bit) for the encryption method then I can connect, pass a tiny bit of traffic, and am then, according to the logs, disconnected, even though the status page shows as connected. Why am I being disconnected almost immediately?
Also, why, when the encryption method in the config file I downloaded from them shows AES-256-CBC, can't I actually select that and have it work?
EDIT: Ok, I think I got it working well under BF-CBC. I checked the config I downloaded from them and there were three "persist" lines in there. I added those to the advanced options in pfSense and now the tunnel stays online. This isn't real useful to me though as I can't accelerate BF-CBC with my vpn1411 card, so I'm stuck around 13Mbit/s.
Does anyone have AES-256-CBC working?
EDIT 2: Got AES-256-CBC working. I needed to switch the port to 443 and add a bunch more options to the advanced section (which now says "verb 5;auth-user-pass /cf/conf/vyprvpn.pas;tls-remote us2.vyprvpn.com;persist-key;persist-tun;persist-remote-ip;auth SHA256;keysize 256;tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA").
Speed test stinks though. I'm only getting about 9Mbit/s which says to me that the vpn1411 isn't working correctly or something else is slowing me down. top says the openvpn process is using 55-60% of my CPU during the test, so I don't really know what's happening.
-
Thanks. I got it to work by what was said here. First I added the OpenVPN service on VyprVpn (I had only standard vpn).
Followed the info from the first post.
Except that I added the 3 persist lines, as was said about the advanced config. It now looks like this:
verb 5;engine cryptodev;auth-user-pass /cf/conf/Vypr.pas;tls-remote us1.vpn.giganews.com
persist-key
persist-tun
persist-remote-ip
Then did section 2 from the other post.
And now when I connect on the LAN side of pfSense, I come out on the VPN side. US IP, so I can enjoy Netflix that they won't let Europeans enjoy :)