NordVPN Client only for specific hosts
-
@Tom777 When you are connected to the VPN service, look at Diagnostics > Routes.
Do you see routes for 0.0.0.0/1 and 128.0.0.0/1 out the OpenVPN interface?
If so, you are pulling those routes from Nord. That needs to be disabled in the OpenVPN client configuration using Don't pull routes. Once that is done, no traffic will go out the VPN connection unless it is specifically policy routed that way by matching traffic and setting the VPN Gateway in the firewall rule.
-
@Gertjan said in NordVPN Client only for specific hosts:
I'm pretty sure johnpoz stays away from N#rdVPN as far as posible.
You got that right - I wouldn't piss on these services if they were on fire and I had just drank a six pack and had to go really really bad.. I would let my bladder explode first ;)
-
I don't see anything like this.
However, in the OpenVPN Client
Don't pull routes - "Bars the server from adding routes to the client's routing table" is unchecked
Don't add/remove routes - "Don't add or remove routes automatically" is checked
I have added two screenshots to be sure.
I understand your point. I'm using Nord because of the reliability and speed, for surfing the i-net, nothing else, and also for location change if needed for som sites or apps.
Maybe a tutorial is to much, but some tips how to get to the desired goal, might still not be that much of a burden. I'm also open for other good vpn provider, don't get me wrong.
Since I'm working remotely, I don't want to mess up my router. Well, yes I have a backup , a Vilfo router, unfortunately they paused the project, so I need to switch. I've also tried with OpenSense, but that was a complete mess. With pfsense I got so far, which is good. No I need to go into the details.
Thank you for your support!!
What is strange, or maybe the root of the problem and maybe also the solution approach, is that the IPv4 Rule now goes trough the Nord as gateway.
-
@Tom777 said in NordVPN Client only for specific hosts:
Don't pull routes - "Bars the server from adding routes to the client's routing table" is unchecked
I think I read it a few times here already that that should be checked! Even if you are new here, you should have too.
-
@Tom777 said in NordVPN Client only for specific hosts:
What is strange, or maybe the root of the problem and maybe also the solution approach, is that the IPv4 Rule now goes trough the Nord as gateway.
Yeah because your policy routing it out that gateway. If you don't want all your clients going out that route, then create a rule that only sends the clients you want out that gateway and add a rule that allows access that doesn't go out that gateway.
-
This :
makes me think a third rule is missing.
The second, 'policy routed' rules with the "DE1073NORDVPNCOM_VPN4" gateway is for the IPs you want to route through the VPN.
This second rules also needs Source alias. In this alias you put all the IPs you want to route over to the VPN. Now, you route all you 65535 LAN IPs = /16 (really ? 65535 ??) over to the 'VPN' gateway.
A third rule, where you can use "192.168.0.0/16" as a source, and where you do not specify a gateway, is for all the 'other' devices that need to get routed over over the default == WANv4 interface.And here is a free tip of the day : have a look at this : https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/ - and start at point 3 : "Route WAN through the VPN tunnel".
-
Thanks guys!
So I will do the following
check Don't pull routes - "Bars the server from adding routes to the client's routing table"
change the IPV4 rule to Nord only for Alias (specific hosts)
Create a second IPV4 rule for the local network, that goes trough WAN below the one already there for Nord@Gertjan I will check this tutorial and adapt. At a first glance is looking like to one from Nord.
-
Hey guys, I've messed it up.
I started (during a Teams cal
) to add an Alias, and to edit another one. None of them were in use.Teams showed suddenly that I do not have I-net connection but I was able to continue the call. After a restart no internet.
What I saw in the status is that the WAN_PPPoE has no connection but the NordVPN Gateway has? That is strange. How can this be, VPN connection without internet?? see screenshot
I thought, maybe I've clicked something else by mistake, and restored the config it worked before this.
But no change!! I had a manual backup under automatic backups, and also downloaded a file under backup service or status, don't remember where it is. Both did not restore the previous state.
That is even more crazy! How can I dare to do something, if the backup and restore function do not work??
I'm now on my old router.
-
@Tom777 said in NordVPN Client only for specific hosts:
What I saw in the status is that the WAN_PPPoE has no connection but the NordVPN Gateway has? That is strange. How can this be, VPN connection without internet?? see screenshot
Your real question is : why the DE103NORD ..... gateway says it's "online" ?
Because an gateway is considered online when ping request are send out on that interface to some 'host', and answers are coming back ! The gateway is shows green and online.
And there you have it : who is getting pinged here ? Answer : the interface VPN itself - the one on your side : 10.100.0.1 :
Normally - and now you know why, a monitor IP like '8.8.8.8' is chosen. Or any remote (!) IP as long it on your site.
If your WAN_PPPOE is down, then your VPN can't work niether, as it needs WAN to get out.
Btw :
I guess I don't need to tell you now that this :
isn't gona work neither.
The 10.0.0.1 is a PPPOE connection, which stands for PPP over Ethernet. Such a connections has to be establish first also, a bit like a VPN connection. It isn't up yet, so the 10.0.0.1 isn't valid right now.
-
@Gertjan Thanks, now I understand the false online state.
But how did that happen? Editing/adding aliases that are not in use, should not have any effect, should they?
More important: How can I restore the functioning state? I have i-net connection with the old router.
-
Restart, and go by steps.
First, out of the default pfSense state (WAN uses DHCP), switch WAN to use PPPOE and make that work.
Be aware this is PPPOE so modem (ISPs) can be MAC locked.Then, and only then, save (export) the config of pfSense and give is this special name "known-to-be-good-at-20240924.xml" and from now on you can start thinking about a VPN.
-
@Gertjan said in NordVPN Client only for specific hosts:
First, out of the default pfSense state (WAN uses DHCP), switch WAN to use PPPOE and make that work.
Oh boy, so no chance to restore what I have backed up yesterday? It worked perfect, but everything went over NordVPN. I thought, I can restore this state.
@Gertjan said in NordVPN Client only for specific hosts:
Be aware this is PPPOE so modem (ISPs) can be MAC locked.
I have an ONT, the (any) router can be connected via cable ONT LAN - router WAN,
-
@Tom777 said in NordVPN Client only for specific hosts:
Oh boy, so no chance to restore what I have backed up yesterday?
Look in /cf/conf/backup/
there are a lot of backed up copies.
With the SSH (or console) option 15 :
you can take your pick and go back.
-
Hi, I've set up pfsense from scratch. Restoring via xml file did not work trough GUI, and I was not able to connect via ssh. Later I found the ssh enabler in the GUI, but too late. Still, to not be able to restore a backuo is giving me quite big concerns, as I'm using it for work.
But still no IPS connection on WAN via PPPoE
This is now strange since the old router gets connected asap. And it is not the Router from the ISP, it is a Vilfo router. Maybe I have done something wrong in the setup of the pfsense? But the first time I've done it the same way. I'm really lost now.
-
Do you have the pppoe login credentials from your ISP ?
Can we see the PPP logs ? (Under System, or PPP ? Not sure, as I've not used pppoe for a long time)
-
@Gertjan said in NordVPN Client only for specific hosts:
Do you have the pppoe login credentials from your ISP ?
sure, using them with the Vilfo router.
@Gertjan said in NordVPN Client only for specific hosts:
Can we see the PPP logs ?
Will do this after work today or maybe tomorrow.
Edit:
I saw on the ISP account site that there was a sucesfull connection with the pfsense but it last only for 2 or 3 minutes
-
