NordVPN Client only for specific hosts
-
@thenarc said in NordVPN Client only for specific hosts:
So you set the Gateway setting to Default, but that doesn't mean it uses the default gateway.
Huh? You leave the gateway at default - ie you don't touch it and then it uses routing.. Maybe its just me doing this stuff for 30+ years and using pfsense for 10 some years. But its pretty freaking clear..
Here is what I will say - pretty much every guide I have seen out there for all these BS vpn services is either just WRONG or not how you should be doing it... I have yet to see one that was good or actually went into the detail that should be setup. But then again they are catering to the people that would use them in the first place.. So they have to want to go over the most basic info - click this and you will use us sort of setups.
What I would suggest is understand how it works before attempting to route traffic out a vpn vs just clicking buttons on some "guide" you found from 3 versions back, etc.
-
This guy knows what he is talking about
:https://www.infotechwerx.com/blog/Creating-pfSense-Connection-VPNBook
But even he hasn't found the time to update it to a current pfSense version. Still relevant though.
-
@johnpoz All I mean is that from this:
It's not intuitively obvious to me whether "Default" means "use the default gateway." But your point about not needing to touch that setting at all is of course dead on.I enjoy contributing what I can to the forums, and I do my best not to misrepresent my level of knowledge or confidence. I never mind being corrected, and am willing to admit when I'm wrong. I've received and appreciated valuable assistance from you in the past, and I believe I have always deferred to your expertise. But sometimes the tone of responses is discouraging. If there's a concern that forum members below a certain level of expertise are routinely providing dangerous or misleading information, I can respect that. I can even accept if that's an opinion held of me, in which case I'll gladly stop attempting to provide answers and use the forums only when I have questions of my own. But a gentle correction suffices. I admittedly know less than you and many others on the forum, and enjoy learning more, but enthusiasm wanes when I'm made to feel stupid for trying to help others. That said, I may be more sensitive than others in that respect. And I pledge to try to better qualify any advice I give in the future with my relative level of confidence in its accuracy, or to not comment at all if my confidence is not relatively high. I promise that I don't want to give people bad advice just as much as you don't want me to give people bad advice.
-
It says it right there. use the system routing table
-
@derelict Yeah so basically, if you select anything other than "Default" in that drop-down, you're overriding the system routing table and saying "use only this one specific gateway (or gateway group) that I specify" (i.e. policy routing), right? And when you select a default gateway (in System > Routing), you're selecting the gateway used for the default route in the system routing table. Just trying to get my terminology straight.
-
https://www.netgate.com/docs/pfsense/book/
-
This post is deleted! -
waking an old thread but are you still using this method?
I've done exactly what you have initially done but only want one local IP to use the VPN.
I'm pretty new to this all and can't quite work out how to get only one device to use the nord gateway and the rest of the network to stay as normal.
-
@jordo_6 Only policy route the source address(es) you want to shove out the VPN gateway like this https://forum.netgate.com/post/820908
You probably also need to enable "Don't Pull Routes" in the OpenVPN client so if they are sending you a default route (Really two routes, 0.0.0.0/1 and 128.0.0.0/1), you don't install it/them.
-
Thank you for the response.
I clearly don't understand it enough to get it working without it being all or nothing.
Following the guide on nord's website will get it working for the whole network but I just can't seem to work out how to define it like you say.
I feel like there must be something else I'm not understanding that I shouldn't be following to get it to work as suggested.
I'm pretty sure I enabled to 'don't pull routes' as you mention and I see was also mentioned earlier on that fixed it for the OP but I just seem to break the whole thing when I try to do it as described.
to clarify, this is the guide i followed which works, but obviously isn't how I want it to be set haha
https://support.nordvpn.com/hc/en-us/articles/20382523899281-pfSense-2-5-Setup-with-NordVPN
-
@jordo_6 You really can't be "pretty sure" about these things. Look at the client configuration and see.
-
@jordo_6 that guide is pretty lame to be honest.. The client cert, using your web cert is gibberish.. That should pretty much say to set it to none and use username and password, or it doesn't matter.. Not that you should leave it on the web gui cert and your numbers might be different. They have you set a username and password, so the client cert should be set to none to be honest.
They have you do dnskey prefetch, but turning off dnssec - which yeah when you forward to their dns it you should have dnssec disabled. But if you do then there is zero use to try and prefetch the dnskey..
The whole nonsense of going manual outbound nat is horrible suggestion on their part. Also they say to set a cbc cipher, which to be honest has been dead a really long time..
Just a few of the problems I see in that guide with a 20 second read through.
I would setup the client, don't pull routes.. Don't change your outbound nat from automatic.. And then setup a hybrid nat to use the nordvpn interface gateway you setup. Then just create a policy route, firewall rule that sends traffic out your nord gateway.
-
@johnpoz said in NordVPN Client only for specific hosts:
I would setup the client, don't pull routes.. Don't change your outbound nat from automatic.. And then setup a hybrid nat to use the nordvpn interface gateway you setup. Then just create a policy route, firewall rule that sends traffic out your nord gateway.
Hi, I'm new here and having the same problem respectively the same goal, to rout only specific hosts trough NordVPN. I have set up everything linke in the NordVPN tutorial, so all ztrafics goes trough NordVPN
Can you be more detailed about how to turn it back respectively change it so that only specifics hosts are going trough?
What I already did was to create an alias (with one host) as source in the NAT outbound rule and in the Firewall rule but it did not work. (rest like in the tutorial).
Maybe you can create a kind of tutorial for this topic, since it is for sure a use case for everyone? That would be highly appreciated!
Thanks
-
@Tom777 said in NordVPN Client only for specific hosts:
Maybe you can create a kind of tutorial for this topic
To make a 'good' tutorial, he would have to have an subscription to this VPN.
Don't take me wrong here, but I like to state this : some one that understands pfSense, VPN in general, and N#rdVPN in this case, will not use N#rdVPN. I'm pretty sure johnpoz stays away from N#rdVPN as far as posible.
N#rdVPN has been discussed many times on this forum. Have a look at these post, and you will find answers and other info you really need to know.N#rdVPN is advertising everywhere, paying everybody and every where on Youtube for their publicity. That's where their money goes. Not real, afaik, to end user support. It would be nice if I was wrong here.
Btw : pfSense, as a router, isn't unknown to them, there are just about one million pfSense users out there. N#rdVPN, as any other VPN ISP, actually wants you to use their 'app', as that app, they can support it. They are of course ojk if you use other "apps" like a the "OpenVPN client", the executable that comes with pfSense, but in that case they have to (do they ?) support all pfSense version ... and all OpenVPN client binary versions .... and all the different kind of set-up that these "1 million" (way less probably ^^) pfSense can create ...
Now you understand why they 'accept' that you use pfSense as a OpenVPN client, and you also know now that is supported "by you".
edit : I know, I really shouldn't talk about N#rdVPN as a product, as I'm not using their services.
If I would use a VPN ISP, I would put the "how do they support pfSense ?" very high if not at the top of my "how to chose' list. I don't care whatever or who ever tells me in a video that it is "so good" or how much "$$" I can deduct the first 3 months.No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Tom777 When you are connected to the VPN service, look at Diagnostics > Routes.
Do you see routes for 0.0.0.0/1 and 128.0.0.0/1 out the OpenVPN interface?
If so, you are pulling those routes from Nord. That needs to be disabled in the OpenVPN client configuration using Don't pull routes. Once that is done, no traffic will go out the VPN connection unless it is specifically policy routed that way by matching traffic and setting the VPN Gateway in the firewall rule.
-
@Gertjan said in NordVPN Client only for specific hosts:
I'm pretty sure johnpoz stays away from N#rdVPN as far as posible.
You got that right - I wouldn't piss on these services if they were on fire and I had just drank a six pack and had to go really really bad.. I would let my bladder explode first ;)
-
I don't see anything like this.
However, in the OpenVPN Client
Don't pull routes - "Bars the server from adding routes to the client's routing table" is unchecked
Don't add/remove routes - "Don't add or remove routes automatically" is checked
I have added two screenshots to be sure.
I understand your point. I'm using Nord because of the reliability and speed, for surfing the i-net, nothing else, and also for location change if needed for som sites or apps.
Maybe a tutorial is to much, but some tips how to get to the desired goal, might still not be that much of a burden. I'm also open for other good vpn provider, don't get me wrong.
Since I'm working remotely, I don't want to mess up my router. Well, yes I have a backup , a Vilfo router, unfortunately they paused the project, so I need to switch. I've also tried with OpenSense, but that was a complete mess. With pfsense I got so far, which is good. No I need to go into the details.
Thank you for your support!!
What is strange, or maybe the root of the problem and maybe also the solution approach, is that the IPv4 Rule now goes trough the Nord as gateway.
-
@Tom777 said in NordVPN Client only for specific hosts:
Don't pull routes - "Bars the server from adding routes to the client's routing table" is unchecked
I think I read it a few times here already that that should be checked! Even if you are new here, you should have too.
-
@Tom777 said in NordVPN Client only for specific hosts:
What is strange, or maybe the root of the problem and maybe also the solution approach, is that the IPv4 Rule now goes trough the Nord as gateway.
Yeah because your policy routing it out that gateway. If you don't want all your clients going out that route, then create a rule that only sends the clients you want out that gateway and add a rule that allows access that doesn't go out that gateway.
-
This :
makes me think a third rule is missing.
The second, 'policy routed' rules with the "DE1073NORDVPNCOM_VPN4" gateway is for the IPs you want to route through the VPN.
This second rules also needs Source alias. In this alias you put all the IPs you want to route over to the VPN. Now, you route all you 65535 LAN IPs = /16 (really ? 65535 ??) over to the 'VPN' gateway.
A third rule, where you can use "192.168.0.0/16" as a source, and where you do not specify a gateway, is for all the 'other' devices that need to get routed over over the default == WANv4 interface.And here is a free tip of the day : have a look at this : https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/ - and start at point 3 : "Route WAN through the VPN tunnel".
