Differences

This shows you the differences between two versions of the page.

other:networking:opnsense:nordvpnplus [2025/07/12 01:17] – created rodolico
other:networking:opnsense:nordvpnplus [2025/07/12 02:39] (current) rodolico
Line 1: Line 1:
 ====== opnSense + NordVPN + otherVPN ====== ====== opnSense + NordVPN + otherVPN ======
  
-**Note**: This document assumes you have a second VPN client created that you wish to route to bypass the NordVPN connection. The same procedure can be used to bypass the VPN for other uses, but the example is for a second VPN that should handle some well defined subset of the network traffic. If that is not a need, you can simply stop when you get to that section.+This document assumes you have a working NordVPN instance which handles all network traffic from your LANThis is described in the article [[other:networking:opnsense:nordvpn|]]
  
-  - Set up new interface for secondary VPN (section is optional+It also assumes you have a second VPN connection already created, and you want to route some traffic through that, with the NordVPN being the default for everything else (aka //Split Tunnel//
-    - Create an alias containing all IP subnets you want handled via the secondary VPN + 
-    - Create Outbound NAT entry to correctly NAT LAN traffic destined for alias through secondary VPN +We'll call the NordVPN instance **NordVPN** and the other instance **OfficeVPN**. The goal is to send all office related traffic through the **OfficeVPN** and everything else through the **NordVPN**. 
-    - Create a firewall rule to force LAN traffic destined for subnets in alias through secondary VPN+ 
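Review bot: the opening paragraph of the new revision runs two sentences together ("...traffic from your LANThis is described...") and the parenthetical "(aka //Split Tunnel//" is never closed; suggest "...traffic from your LAN. This is described in the article [[other:networking:opnsense:nordvpn|]]." and "(aka //Split Tunnel//)".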
 +===== Summary ===== 
 + 
 +Basically, for each instance, we need to  
 + 
 +  - Create an alias containing all IP subnets you want handled 
 +  - Set up new interface 
 +  - Create Outbound NAT entry to correctly NAT LAN traffic destined 
 +  - Create a firewall rule to force LAN traffic destined for subnets 
 + 
 +For the default instance (NordVPN in this case), we use **any** instead of the aliased subnets. 
 + 
 +**Note**: this assumes we are only interested in traffic originating from the LAN. It is possible we could build **Floating** rules to allow, for example, LAN and Wireles to do the same thing. That is not tested at this time. 
 + 
 +**Note**: one of our routers has Multi-WAN for network failover. Tests so far show that the VPN instances hang when switching from one WAN to another. Further testing needed. 
 + 
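Review bot: the four-step summary leaves out the ordering requirement that both later sections depend on: the per-instance Outbound NAT rule and LAN rule must sit above the NordVPN (default) rules, because the default rules match **any** and the first matching rule wins, so a specific rule placed after them never fires. Suggest a fifth step, "Move the new rules above the NordVPN rules". Also "Wireles" should be "Wireless".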
 +===== Create second tunnel ===== 
 + 
 +Ok, we assume the NordVPN is set up and running, and all traffic is going through it. Now, we want to create a second (or third, or fourth) path for traffic to take. 
 + 
 +==== Alias target subnets ==== 
 + 
 +Find all target subnets. In this case, look at all subnets accessed through the **OfficeVPN**. A simple way is to edit the definition for the Site-To-Site VPN and look at all subnets. In my case, I chose: 
 +  * Remote Server: The public IP of the VPN server 
 +  * IPv4 Tunnel Network 
 +  * Everything in the IPv4 Remote Network entry 
 + 
 +Procedure 
 +  - **Firewall** | **Aliases** 
 +  - Create new alias by pressing the orange Plus sign 
 +    - Enabled: checked 
 +    - Name: Office_Subnets 
 +    - Type: Networks 
 +    - Categories: openvpn 
 +    - Content: list every subnet, separated by commas. For a single IP, use a /32 at the end. 
 +    - Description: All networks for OfficeVPN 
 + 
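Review bot: the alias includes "Remote Server: The public IP of the VPN server", but the text does not say why. Since the LAN rule below has Source: LAN net, that entry only affects LAN hosts that address the office VPN server's public IP directly; the router's own tunnel packets to that server are not touched by a LAN rule. Stating that rationale (or dropping the entry if LAN hosts never need to reach that address) would stop readers assuming the tunnel endpoint must be in the alias. The category is entered as "openvpn" here and "OpenVPN" in the firewall rule step; use one spelling so both objects land in the same category.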
 +==== Create new interface ==== 
 + 
 +  - **Interfaces** | **Assignments** 
 +  - Under Assign a new interface, select the Device. It will have //Client// and the VPN name in it 
 +  - Description: Office (or OfficeVPN, or OfficeInterface, or whatever) 
 +  - Click the **Add** button 
 +  - Select the new interface, either from the menu on the left, or from the Assiments list 
 +  - Ensure the interface is enabled. 
 + 
 +At this point, clicking **System** | **Gateways** | **Configuration** will show you two new gateways, one for IPV4 and one for IPV6. 
 + 
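Review bot: enabling the interface creates an IPv6 gateway as well as an IPv4 one, but the Outbound NAT rule below (TCP/IP Version: IPv4) and the LAN rule only policy-route IPv4, so any IPv6 traffic to the office networks still follows the default path; either add matching IPv6 entries or state that IPv6 is not covered. "Assiments" should be "Assignments".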
 +==== Set up Outbound NAT ==== 
 + 
 +  - **Firewall** | **NAT** | **Outbound** 
 +  - Should be in **Hybrid** mode if you set the NordVPN (default) up 
 +  - Add new Manual Rule by pressing the orange plus sign 
 +  - Interface: OpenVPN 
 +  - TCP/IP Version: IPv4 
 +  - Source Address: Select the alias you created, ie //Office_Subnets// 
 +  - Translation/target: Interface address 
 +  - Click orange **Save** button 
 +  - Ensure this rule precedes the Nord (default) rule. Not sure if this is necessary. If it does not preced it 
 +    - Place a check in the box by the new rule 
 +    - Click the left arrow to the right of the Nord rule 
 +  - Click the **Apply Changes** button 
 + 
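Review bot: the Source Address of the Outbound NAT rule is the Office_Subnets alias, but the packets that need translation on the office tunnel originate on the LAN and are destined for those subnets, so as written the rule does not match LAN-originated traffic (compare the LAN firewall rule below, which uses Source: LAN net and Destination: Office_Subnets). Suggest Interface: the assigned Office interface (rather than the OpenVPN group, which covers every OpenVPN instance), Source: LAN net, Destination: Office_Subnets, Translation/target: Interface address. If the current setup works regardless, the likely reason is that the NordVPN rule (source any) is doing the translation, which would also explain why the "Not sure if this is necessary" ordering question could not be settled: once the specific rule actually matches, it must precede the any rule, since the first matching Outbound NAT rule wins. "preced" should be "precede".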
 +==== Create firewall rule ==== 
 + 
 +The final step is to set up a firewall rule to route all traffic destined for the Office through the OfficeVPN interface. Following is set up to route the LAN traffic only (still working on other networks) 
 + 
 +  - **Firewall** | **Rules | **LAN** 
 +  - Add new rule by clicking the orange plus sign 
 +    - Action: Pass 
 +    - Quick: checked (apply action immediately) 
 +    - Interface: LAN 
 +    - Source: LAN net 
 +    - Destination: Office_Subnets (hint, scroll UP to find aliases) 
 +    - Category: OpenVPN 
 +    - Description: Route Office VPN traffic through Office VPN 
 +    - Gateway: Select **Office** or whatever you called the new interface from the dropdown 
 +  - Click orange **Save** button 
 +  - Move this rule **before** the NordVPN rule 
 +    - Place a check in the new rule 
 +    - Click the left facing arrow (on right) on the rule for the Nord entry 
 +    - Rule should move to just before the Nord entry 
 +  - Click **Apply Changes** button 
 + 
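Review bot: the bold markup in "**Firewall** | **Rules | **LAN**" is unbalanced; it should read "**Firewall** | **Rules** | **LAN**". On substance, the rule depends on its Gateway for policy routing, so the page should say what happens when the Office gateway is down: if the rule is then skipped, office-bound LAN traffic falls through to the NordVPN rule and leaves through the wrong tunnel. State which behaviour is wanted (fall back to NordVPN, or drop the traffic) and have readers check the router's gateway-down handling against that.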
 +===== Summary ===== 
 + 
 +I'm not sure how to verify it is all working. I'm sure Insight/NetFlow could probably give some information. I would suggest first pinging something in the Office network and verify it works. Assuming it does, stop all activity on public IP's, then look at the VPN statistics. Now, copy something over to the Office. You should see the OfficeVPN stats increase fast, and the NordVPN stats stay fairly stable. 
 + 
 +**System** | **Routes** | **Status** will show you the routing table. In my case, the first entry was everything, 0.0.0.0/1, going through the Nord connection, but the Office subnet was going through the OfficcVPN connection. 
 + 
 +Anyway, if anyone has an idea, let me know. Just go to [[https://dailydata.net]] and click the Contact Us link.
  
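Review bot: the second "===== Summary =====" heading duplicates the first; "Verification" would describe this section better. On the routing-table observation, 0.0.0.0/1 covers only the lower half of the IPv4 space; OpenVPN's default-route redirect normally installs it together with 128.0.0.0/1, so both entries should point at the Nord connection for "everything" to be accurate. A cheaper check than watching transfer statistics is a traceroute from a LAN host to an office address and to a public address, confirming that the first hops differ. "OfficcVPN" should be "OfficeVPN" and "public IP's" should be "public IPs".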
other/networking/opnsense/nordvpnplus.txt · Last modified: 2025/07/12 02:39 by rodolico