NORD VPN on opnSense
The existing documentation for setting up NordVPN on an opnSense router is poor (several years old) and assumes all LAN traffic will be pushed through Nord. We have a different need in that we have a Net-2-Net (Site-to-Site) VPN to our office that should not go through the Nord connection. That was interesting, or as my friend David said, “a foot and anvil situation”.
This document will take it step by step, and you can feel free to stop any time you are happy with the result. Also, note that one of our routers also uses a Multi-WAN setup (for failover), and that has not been tested at this time.
Overview
Note: This document has been specifically written for the new OpenVPN setup which can be used in 2025, and will be the only one available in 2026.
Note: This document assumes you have a second VPN client created whose traffic you wish to route so that it bypasses the NordVPN connection. The same procedure can be used to bypass the VPN for other uses, but the example is for a second VPN that should handle some well-defined subset of the network traffic. If that is not a need, you can simply stop when you get to that section.
Note: This document assumes you have a working opnSense firewall/router. There are other documents on how to do that. We also assume you have a valid NordVPN account.
- Set Up NordVPN
- Configure NordVPN as an OpenVPN instance
- Test
- Set up a NordVPN interface
- Create an Outbound NAT entry to correctly NAT LAN traffic through the NordVPN
- Create a firewall rule to force all LAN traffic to use NordVPN
- Test
- Set up new interface for secondary VPN (section is optional)
- Create an alias containing all IP subnets you want handled via the secondary VPN
- Create Outbound NAT entry to correctly NAT LAN traffic destined for alias through secondary VPN
- Create a firewall rule to force LAN traffic destined for subnets in alias through secondary VPN
Set up NordVPN
While the Nord site has some instructions, they are really difficult to follow and raise a lot of questions. Instead, we'll download a copy of the OpenVPN configuration file Nord provides, and get the username and password. With this information, we can create an OpenVPN Client instance in opnSense.
Get NordVPN information
- Log into your NordVPN account at https://nordaccount.com/
- Go to Advanced Settings (you may need to scroll down) and select Set up NordVPN Manually
- Get credentials
  - Select Credentials tab
  - You may have to validate via e-mail
  - Copy your username and password to a secure file on your computer
- Get OpenVPN configuration file
  - Go to the Server Recommendations tab
  - If you do not want to use the recommended server, select one from the list below
  - If you want one of the servers not in your location, select the OpenVPN Config Files tab
  - Click Get Setup Configuration button (big blue button, as this is being written)
  - Select OpenVPN (default)
  - Select UDP or TCP (I prefer UDP for speed, choose TCP for stability)
  - Save that file someplace convenient
Set up OpenVPN connection
- Open both documents you got from Nord (credentials and OpenVPN configuration file)
- Log into your opnSense router
- Copy Nord Certificate Authority
  - Go to System | Trust | Authorities
  - Add new (orange plus sign)
  - Method: Import an existing Certificate Authority
  - Description: NordCA (or anything memorable)
  - Locate
- Go to VPN | OpenVPN | Instances
  - Click Static Keys tab
  - Click plus sign to add a new key
  - Give it a good Description (I used 'NordVPN - ' and the URL to the endpoint server)
  - Set Mode to auth
  - Open the ovpn file
  - Locate block beginning with <tls-auth> and ending with </tls-auth>
  - Copy everything between those lines (do not include the <tls-auth> and </tls-auth> lines themselves, but do include everything else)
  - Paste contents of the <tls-auth> block from the ovpn file into Static Key
  - Click Save button
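The copy-and-paste steps above are easy to get wrong by hand (a missed line, or the tag lines pasted along with the key). The following Python script is an added example, not part of the original page or of NordVPN's or opnSense's tooling: it pulls the inline blocks out of the ovpn file and checks that the static key is complete before you paste it. The sample file is constructed with placeholder key material, and the `<ca>` block, the function names and the directive list are assumptions.

```python
import re

# Constructed sample, shaped like a provider .ovpn file; all key and
# certificate material below is placeholder text, not real data.
SAMPLE_OVPN = """\
client
proto udp
remote 192.0.2.10 1194
auth-user-pass
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
</ca>
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

BLOCK_RE = re.compile(r"^<([\w-]+)>\s*\n(.*?)\n</\1>\s*$", re.S | re.M)

def inline_blocks(ovpn_text):
    """Map each inline tag (ca, tls-auth, ...) to the text between its tags."""
    text = ovpn_text.replace("\r\n", "\n")  # files saved on Windows use CRLF
    return {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}

def directives(ovpn_text, names=("proto", "remote", "key-direction")):
    """Collect the plain one-line settings you will retype in the GUI."""
    found = {}
    for line in ovpn_text.splitlines():
        parts = line.split()
        if parts and parts[0] in names:
            found.setdefault(parts[0], []).append(" ".join(parts[1:]))
    return found

def check_blocks(blocks):
    """Return a list of problems that would make the paste fail or be wrong."""
    problems = []
    if "BEGIN CERTIFICATE" not in blocks.get("ca", ""):
        problems.append("no PEM certificate in <ca> block")
    key = blocks.get("tls-auth", "")
    if "BEGIN OpenVPN Static key V1" not in key or "END OpenVPN Static key V1" not in key:
        problems.append("<tls-auth> block is missing or truncated")
    return problems
```

Run `inline_blocks()` on the text of the file you saved from Nord and paste the `tls-auth` value into Static Key only when `check_blocks()` returns an empty list.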