Let's get IPVanish working with pfSense 2.0.3

  • Ok, I'm struggling trying to get IPVanish to work with pfSense 2.0.3. I'm going to document everything I've tried in this post. Hopefully someone can point out what's missing or what needs to be changed.

    So the first thing that needs to be done is to import the IPVanish certificate. It can be found here: http://www.ipvanish.com/software/configs/ca.ipvanish.com.crt

    [Steps to import IPVanish Certificate]
    1. Download the certificate from the URL http://www.ipvanish.com/software/configs/ca.ipvanish.com.crt
    2. From the pfSense web interface, go to "System" and select "Cert Manager"
    3. Click the "add or import ca" button
    4. Enter "IPVanish CA" in the "Descriptive name" field
    5. Open the file "ca.ipvanish.com.crt" in a text editor like WordPad (Notepad might mangle it) and copy the contents of it to the clipboard
    6. Paste the contents of the clipboard into the field "Certificate data"
    7. Click the "Save" button

    If you did everything right, you should see a new certificate with these specifics:

    Name - IPVanish CA
    Internal - NO
    Issuer - self-signed
    Certificates - 0
    Distinguished Name - emailAddress=support@ipvanish.com, ST=FL, OU=IPVanish VPN, O=IPVanish, L=Winter Park, CN=IPVanish CA, C=US

    Now we need to make an auth file with your IPVanish username and password. You apparently can't pass the username and password through an extra OpenVPN configuration option, so you have to create a text file that contains your IPVanish username and password.

    [Steps to make auth file]
    1. Go to "Diagnostics" and select "Edit file"
    2. In the field for "Save / Load from path:", put: /conf/ipvanish.auth
    3. In the text field, type in your username and hit enter
    4. Then type in your password and press enter again
    5. Click the "Save" button

    If you did everything correctly, you should be able to load that file and see your username on the first line, and your password on the second line.

    Now you need to create the OpenVPN interface.

    [Steps to create the OpenVPN interface]
    1. Go to "Interfaces" and select "(assign)"
    2. Click the "add" button
    3. You should now see an interface labelled "OPT1" with "ovpnc1()" for "Network Port"
    4. Click the "Save" button

    The above may differ slightly from pfSense appliance to pfSense appliance. This will all depend on your base configuration, how many interfaces you have, etc.

    Now it's time to create the OpenVPN client. And unfortunately this is the part I can't get past. I haven't been able to get my pfSense appliance to actually establish a connection with the OpenVPN server. You can find the OpenVPN configuration files for IPVanish here: http://www.ipvanish.com/software/configs These are public, so I'm not posting anything that shouldn't be distributed. These config files are worthless unless you've signed up for the IPVanish service and have a username and password with them.

    Here is their OpenVPN configuration file for Cairo, for example:

    dev tun
    proto tcp
    remote cai-c01.ipvanish.com 443
    resolv-retry infinite
    ca ca.ipvanish.com.crt
    tls-remote cai-c01.ipvanish.com
    verb 3
    auth SHA256
    cipher AES-256-CBC
    keysize 256
    tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA

    [Steps to create OpenVPN Client]
    1. Go to "VPN" and select "OpenVPN"
    2. Click the "Client" tab
    3. Click the "add client" button
    4. Select "Peer to Peer ( SSL / TLS )" for "Server Mode"
    5. Select "TCP" for "Protocol"
    6. Select "tun" for "Device Mode"
    7. Select "WAN" for "Interface"
    8. Leave "Local port" blank
    9. Enter "cai-c01.ipvanish.com" for "Server host or address" (replace this with the IPVanish server of your choice)
    10. Enter "443" for the "Server port"
    11. Leave "Proxy host or address" blank
    12. Leave "Proxy port" blank
    13. Select "none" for "Authentication method" under "Proxy authentication extra options"
    14. Check the checkbox for "Infinitely resolve server" under "Server host name resolution"
    15. Enter "IPVanish Cairo" for "Description" (replace this with the name of the IPVanish server you are using)
    16. Check the checkbox for "Enable authentication of TLS packets" under "TLS Authentication"
    17. Select "IPVanish CA" for "Peer Certificate Authority"
    18. Select "webConfigurator default *In use" for "Client Certificate"
    19. Select "AES-256-CBC (256-bit)" for "Encryption algorithm"
    20. Select "No Hardware Crypto Acceleration" for "Hardware Crypto"
    21. Leave "Tunnel Network" blank
    22. Leave "Remote Network" blank
    23. Leave "Limit Outgoing Bandwidth" blank
    24. Check the checkbox for "Compress tunnel packets using the LZO algorithm" under "Compression"
    25. Leave the checkbox for "Set the TOS IP header value of tunnel packets to match the encapsulated packet value" unchecked

    Now let's look at the OpenVPN config file and see what options we have to specify manually:

    client - covered since it's under OpenVPN client
    dev tun - specified in GUI config
    proto tcp - specified in GUI config
    remote cai-c01.ipvanish.com 443 - specified in GUI config
    resolv-retry infinite - specified in GUI config
    nobind - omit since we are binding to the OPT1 interface
    ca ca.ipvanish.com.crt - specified in the GUI config
    tls-remote cai-c01.ipvanish.com
    auth-user-pass - need to specify the auth file we created earlier since you can't enter your username and password interactively
    comp-lzo - specified in the GUI config
    verb 3
    auth SHA256
    cipher AES-256-CBC - specified in the GUI config
    keysize 256
    tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA

    So that leaves these as custom options to add at the end:

    tls-remote cai-c01.ipvanish.com
    auth-user-pass /conf/ipvanish.auth
    verb 3
    auth SHA256
    keysize 256
    tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA

    So in the "Advanced" text field at the very end, you would enter the following:

    persist-key;persist-tun;persist-remote-ip;tls-remote cai-c01.ipvanish.com;auth-user-pass /conf/ipvanish.auth;verb 3;auth SHA256;keysize 256;tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA

    At least, that is what I could follow. Now the above doesn't actually work. It just fails to connect and retries indefinitely, so I ended up disabling it. However, I'm hoping someone here can point out what I have wrong so I can correct my configuration and this guide.
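The bucketing the post does by hand (which provider directives the pfSense client GUI already emits, which must go in the "Advanced" box, and which to drop) can be automated so nothing is silently lost when a profile changes. This is an added example, not code from the thread or from pfSense; the GUI-covered set, the `/conf/ipvanish.auth` path and the sample profile are taken from the post above, and the sample is constructed.

```python
"""Split a provider .ovpn into directives pfSense 2.0.x's client GUI already emits
and the leftover lines for the 'Advanced' box. Added example, not from the thread."""

# The post's "specified in GUI config" directives (pfSense GUI coverage assumed as stated there).
GUI_COVERED = {"client", "dev", "proto", "remote", "resolv-retry", "ca", "cipher", "comp-lzo"}
DROP = {"nobind"}                   # post omits it: pfSense binds to its own interface
AUTH_FILE = "/conf/ipvanish.auth"   # credentials file created earlier in the post

# Constructed sample: the Cairo profile quoted in the thread plus the
# client / nobind / auth-user-pass / comp-lzo lines the post's checklist names.
OVPN_SAMPLE = """\
client
dev tun
proto tcp
remote cai-c01.ipvanish.com 443
resolv-retry infinite
nobind
ca ca.ipvanish.com.crt
tls-remote cai-c01.ipvanish.com
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
"""


def parse_ovpn(text):
    """Yield (directive, args) pairs; lines starting with '#' or ';' are comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, _, rest = line.partition(" ")
            yield name, rest.strip()


def split_for_pfsense(text, auth_file=AUTH_FILE):
    """Return (gui_lines, custom_lines); custom_lines are what the Advanced box needs."""
    gui, custom = [], []
    for name, rest in parse_ovpn(text):
        if name in DROP:
            continue
        if name == "auth-user-pass" and not rest:
            rest = auth_file  # a headless router cannot prompt for credentials
        (gui if name in GUI_COVERED else custom).append(f"{name} {rest}".strip())
    return gui, custom


def advanced_field(custom_lines):
    """pfSense stores the Advanced box as a single ';'-separated line."""
    return ";".join(custom_lines)
```

Running `advanced_field(split_for_pfsense(OVPN_SAMPLE)[1])` reproduces the six custom options the post lists; diffing a new provider profile against the old one shows exactly which directives moved buckets.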


  • i got it to work just fine, i use UDP instead of TCP, unticked Enable authentication of TLS packets and used the below custom commands

    fast-io;route-delay 2;route-nopull;tun-mtu 1500;persist-key;persist-tun;persist-remote-ip;auth-user-pass /conf/ipvanish.auth;verb 3;auth SHA256;keysize 256;tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA;

    i use route-nopull option so it doesnt push default gateway for pfsense so i can then use AON and then custom route specific things through vpn tunnel using firewall rules

    works great for me

  • interesting, what kind of speed do you get from it?

  • i havent done a speed test but i find it much better than expressvpn which i have been using for the past year but wanted to try something new as most of the times the expressvpn servers i use go down so had to switch every now and then

  • ok, so please make a speed test, and also let me know what your actual speed without vpn is.

    thank you.

  • thank you for your post, well that's not a great speed, but i guess that openvpn kills more speed than pptp does?!

  • the speeds vary from server to server and i guess the 256bit encryption is a bit of an overkill, expressvpn uses 128bit. i tried the Singapore server and getting better speeds.

    pptp client connection not possible in pfsense but sometime back some1 had created a package for it enabling it, check the bounty section for it

  • ok it sounds good that the speed can be better and i also think that 256bit is a bit overkill.
    i have looked in the Bounty section but i didnt find any of pptp passthrough,
    is there anyone else that have seen this?

  • tjabas, let me know if you still don't have it working.  I have it connected just fine (in the USA) and get 30mbps down/6 mbps up reliably.

    The only thing that I am still struggling with is making sure the data is only passed through the IPVANISH OpenVPN session.  It works when the vpn is up, but broadcasts my non-vpn when it drops.

    BTW, I am working on a write up when I get it completely finalized.

  • xbipin, can you describe the steps you took with the AON to route select traffic out the VPN tunnel? If you can give me a synopsis, I'll amend the step-by-step guide I started here so other people can take advantage of the information (including myself): http://forum.pfsense.org/index.php/topic,66467.0.html

  • yes sure, first goto firewall->NAT, outbound tab and select Manual Outbound NAT rule generation and hit save, rules will get generated below as shown in image, leave it as they are. Then goto firewall->rules and under lan tab create a rule as shown below, source and destination can be of anything of ur choice but in gateway, select the vpn gateway to route out of and traffic matching that will go out of vpn tunnel

    if u dont use route-nopull then u dont need to use AON also in which case the vpn server will push default gateway for pfsense and then by default all ur lan traffic will go out of the vpn, u need that command to not use the vpn as default gateway and then after AON u can selectively route out of the vpn or ur internet gateway

  • i moved back to expressvpn coz ipvanish has speed issues at peak times and the 256bit cipher is a bit too heavy also

  • I've got the setup working without a problem. The only thing is that I modified the "Firewall - Rules - LAN" Default LAN rule to take the new gateway. Now all my traffic is routed through the VPN. This is not exactly like I want it, I just want 1 or 2 hosts (read IP's) to go through the VPN. But when I make an extra rule "IP - all ports - all destinations - all ports - default gateway - none queue" the traffic still goes over the VPN gateway and not the default gateway.

    PS: I also use the route-nopull in the openvpn settings.

  • have u enabled advanced outbound nat

  • yes, but I found the solution. The Firewall Rules are descending. They were in the wrong order. I found out by deleting and creating them manually again. Then afterwards I found the arrow icon to move the rules, gave myself a big slap on the forehead ::)
    But thanks for the help though
