Differences

This shows you the differences between two versions of the page.

--- other:networking:opnsense:nordvpn [2025/07/12 00:07] – rodolico
+++ other:networking:opnsense:nordvpn [2025/07/12 01:23] (current) – rodolico
@@ Line 1: / Line 1: @@
 ====== NORD VPN on opnSense ======
-Setting up NordVPN on an opnsense router is poorly documented (several years old) and assumes all LAN traffic will be pushed through Nord. We have a different need in that we have a Net-2-Net (Site-to-Site) VPN to our office that should not go through the Nord connection. That was //interesting//, or as my friend David said, "a foot and anvil situation".
+Setting up NordVPN on an opnsense router is poorly documented (several years old) and assumes all LAN traffic will be pushed through Nord.
-This document will take it step by step, and you can feel free to stop any time you are happy with the result. Also, note that one of our routers also uses a Multi-WAN setup (for failover), and that has not been tested at this time.
+This document will set up an opnSense firewall using the OpenVPN configuration for NordVPN. When done, all network traffic from the LAN will go through the NordVPN instance. Upon completion, you should have enough information to be able to add additional subnets (say, wireless, or part of it).
+How do you know if it works? If you do not know your current public IP, visit [[https://www.whatsmyip.org/]] and record it. The final step in these instructions suggest you visit this same site, and success is indicated when the IP Address returned is the IP address of the NordVPN service.
+**Note**: In our case, we have a second VPN instance which should supercede the NordVPN for certain subnets. After you have completed these instructions, you can see how to do this in [[other:networking:opnsense:nordvpnplus|]]
 ===== Overview =====
 **Note**: This document has been specifically written for the new OpenVPN setup which can be used in 2025, and will be the only one available in 2026.
-**Note**: This document assumes you have a second VPN client created that you wish to route to bypass the NordVPN connection. The same procedure can be used to bypass the VPN for other uses, but the example is for a second VPN that should handle some well defined subset of the network traffic. If that is not a need, you can simply stop when you get to that section.
 **Note**: This document assumes you have a working opnSense firewall/router. There are other documents on how to do that. We also assume you have a valid NordVPN account.
@@ Line 20: / Line 22: @@
     - Create a firewall rule to force all LAN traffic to use NordVPN
       - Test
-  - Set up new interface for secondary VPN (section is optional)
-    - Create an alias containing all IP subnets you want handled via the secondary VPN
-    - Create Outbound NAT entry to correctly NAT LAN traffic destined for alias through secondary VPN
-    - Create a firewall rule to force LAN traffic destined for subnets in alias through secondary VPN
 ===== Set up NordVPN =====
@@ Line 47: / Line 45: @@
 ==== Set up OpenVPN connection ====
+We will be copying information from the ovpn file you downloaded from Nord. An ovpn file is kind of confusing to some people, so keep the following in mind:
+A **block** means copying the data between two XML looking tags. So, for example, the //ca block// would be all of the lines between <ca> and </ca> in the ovpn file. The //tls-auth// block is everything between <tls-auth> and </tls-auth>. You do **not** include the <blockname> or the </blockname>, only the things between them
+A **value** means to copy the value of a line. For example, the line //auth SHA512// has a name of //auth// and a value of //SHA512//, so you would only copy the latter (//SHA512//)
   - Open both documents you got from Nord (credentials, and open vpn configuration file)
@@ Line 55: / Line 59: @@
     - Method: **Import an existing Certificate Authority**
     - Description: **NordCA** (or anything memorable)
-    - Locate
+    - Locate the <ca> block in the ovpn file and copy the contents (everything between <ca> and </ca>
-  - Go to **VPN** | **OpenVPN** | **Instances**
+    - Paste that into the **Certificate Data** box
+    - Click **Save** (do not fill out anything else, leave them blank)
+  - Copy the TLS Auth Key
+    - Go to **VPN** | **OpenVPN** | **Instances**
     - Click **Static Keys** tab
     - Click plus sign to add a new key
@@ Line 64: / Line 71: @@
       - Locate block beginning with <tls-auth> and ending with </tls-auth>
       - Copy everything //between// those lines (do not include the <tls-auth> stuff, but do include everything else)
-    - Paste contents of the <tls-auth> block from th ovpn file into **Static Key**
+    - Paste contents of the <tls-auth> block from the ovpn file into **Static Key**
+    - Click **Save** button
+  - Set up the Instance
+    - Click the **Instance** Tab
+    - Add a new one by clicking the plus sign
+    - Click the **Advanced Mode** selector (upper left)
+      - Role: Client
+      - Description: NordVPN (or whatever you want)
+      - Protocol: same as **proto** in ovpn file
+      - Port Number: Find four digit number in ovpn file after the **remote**. Something like 1194
+      - Type: Same as **dev** in ovpn file
+      - Remote: IP address in **remote** line of ovpn (do not include the port)
+        - You can also use the DNS name, for example, I chose us8120.nordvpn.com, so I can use that
+      - Certificate Authority: Select the Certificate of Authority you imported (I called it NordCA)
+      - TLS static key: choose the static key you created in the previous block (dropdown)
+      - Auth: Use value of **auth** from ovpn file
+      - Username and Password: Use the username and password you downloaded from Nord (second file)
     - Click Save button
+At this point, you should have a VPN connection set up. To verify, go to **VPN** | **OpenVPN** | **Connection Status**. You should see an entry for NordVPN, and it should say **Connected**. Note that the first time you make this connection, it may take up to a minute to actually say **Connected**. Click the **Connection Status** link until you see Connected, or go back and fix your problem.
+Do not proceed until you get a good connection. After you get a good connection, you may close the two files you downloaded from Nord.
+==== Set up a NordVPN interface ====
+This seems strange, but the fact is that the firewall rules are easily configured using an interface. There are likely people who can set this up without doing it, but we'll do it the easy way. We're going to create a fake //interface// that is associated with the NordVPN service
+  - Go to **Interfaces** | **Assignments**
+  - Under **Assign a new interface**, click the dropdown to select the one that says //OpenVPN Client NordVPN//
+  - Under Description, choose **Nord** or **Nord IF**. Something you can find easily
+  - Click the Add button
+  - Click the new Nord interface (either from the list, or from the menu)
+  - Ensure **Enable** is checked
+  - Click **Save**
+==== Create an Outbound NAT entry ====
+This will allow traffic going out on the Nord interface (the NordVPN instance) to handle multiple connections and be correctly translated so, when the data returns, the router will know where to send it.
+  - **Firewall** | **NAT** | **Outbound**
+  - Assuming **Mode** is set to Automatic, change it to **Hybrid**
+  - Add new Manual rule by clicking the plus sign
+    - Name: Nord
+    - TCP/IP Version: IPv4
+    - Protocol: any
+    - Source Address: Lan net
+    - Translation Target: Interface address
+    - Category: OpenVPN
+    - Description: NAT Traffic from LAN through Nord
+    - Leave everything else blank
+  - Click orange **Save** button
+==== Force all LAN traffic through Nord ====
+This is the final step. It will force all LAN traffic through the NordVPN connection by adding a rule in the LAN firewall. Once this rule matches, no other processing will occur, so any rules that supercede this should be placed physically before this rule
+  - **Firewall** | **Rules** | **LAN**
+  - Add new rule by pressing the orange +
+    - Action: Pass
+    - Quick: Checked (apply immediately)
+    - Interface: LAN
+    - Direction: in
+    - TCP/IP Version: IPv4
+    - Protcol: any
+    - Source: Lan net
+    - Log: check if you want to see what is happening, uncheck to save disk space
+    - Category: ovpn
+    - Description: Everything else goes through NORD
+    - Gateway: NORD_VPNV4 (the VPNV4 was added automagically when you defined your Nord interface)
+  - Click orange **Save** button
+  - Click **Apply Changes**
+At this point, all LAN traffic should go through the NordVPN. A simple way to check is to open a web browser to [[https://www.whatsmyip.org/]] and see that it is different from your WAN IP (which you saw before we started)
+To perform split tunnelling, where some traffic goes through nordVPN and other traffic goes through other services, see [[other:networking:opnsense:nordvpnplus|]]