Netgate Discussion Forum

    OpenVPN needs to be restarted at pfsense reboot

    • strangegopher

      1. In order to set up pfSense 2.4.1 with OpenVPN, please access your pfSense via browser. Then navigate to System -> Cert. Manager -> CAs and select +Add.

      You should see this screen:

      2. We will configure our pfSense to connect to the NL120 server. Press the “+ Add” button, then fill out the fields like this:

      Descriptive Name: NordVPN_NL120_CA
      Method: Import an existing Certificate Authority
      Certificate data: paste the CA certificate below (you can get it by downloading our CA and TLS files from https://downloads.nordcdn.com/configs/archives/certificates/servers.zip):

      -----BEGIN CERTIFICATE-----
      MIIEyjCCA7KgAwIBAgIJAO6JioltoPZUMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
      VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
      Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRbmwxMjAubm9yZHZw
      bi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNlcnRAbm9y
      ZHZwbi5jb20wHhcNMTcxMDI2MDk1MzIwWhcNMjcxMDI0MDk1MzIwWjCBnjELMAkG
      A1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAOBgNVBAoT
      B05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGjAYBgNVBAMTEW5sMTIwLm5vcmR2
      cG4uY29tMRAwDgYDVQQpEwdOb3JkVlBOMR8wHQYJKoZIhvcNAQkBFhBjZXJ0QG5v
      cmR2cG4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2m1YMMaT
      i78Whnb5bQ1WGVBzEQrvwfXLwTBaIJ3WcoyOdzweqt/85YaP4gIBefoiqKyCXja0
      Zuh9AKxt/LBkH11GDxLpNzMzRgd9j7zHExJd2k7AGfuGFWF6A5lCEN+82mS+xOqu
      Zmzfu/c2uyLGOWsb6DkAEQmx+qLZ2j2JtdFotinRqluPkG5mjU3BUCR4iwty8XI8
      R7sGOLqkH2wY0pM06ywgedTC0M7Bfl0G2W18UNUJY8/1/P4u90ZGWpmmzgh7DeYi
      r9nqIzOlqMkBZ+AKxoZ8O6m1MqZ3UsFXFouoAAgiJBxmN9eY0kbKCLzPb6jzbHCa
      LKqr9s6HI3k8jwIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFCVsAOOJHCM7mbeVJr6L
      SRf1WCCuMIHTBgNVHSMEgcswgciAFCVsAOOJHCM7mbeVJr6LSRf1WCCuoYGkpIGh
      MIGeMQswCQYDVQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQ
      MA4GA1UEChMHTm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEaMBgGA1UEAxMRbmwx
      MjAubm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEW
      EGNlcnRAbm9yZHZwbi5jb22CCQDuiYqJbaD2VDAMBgNVHRMEBTADAQH/MA0GCSqG
      SIb3DQEBCwUAA4IBAQBGsb6q917R1JkszsWD5QxQWO2A++r1OA8rgoyYe9yENVeL
      y3W387gOvXN6XHTN8LEJ2UGlvykp5PYcfLGu6j34f20rw02NzOlljF1377OLcxSg
      nXYkd3xKdM3gVSjV6v1OgBmlgpXasjhNN3K9n0lvkSVZK2hEz/LuDkU1i9BAKtO2
      FPfXjuIsx6yC+9CeLN+N8+el6GGI9c0zp3t0ZYW1abSNN6rRccFz+ww/84c9gojR
      xVVn2vcs6K6zPXoi/yUZwgcM5k7B7/TN7uHCd5X1QOKOCbLz+6gdUzYcos2rZjC9
      jqFj3HJ/vLv7lVdX16Hg3ruF+npFwFZ/jTgTGK0S
      -----END CERTIFICATE-----

      Press “Save”.

      3. Then navigate to VPN -> OpenVPN -> Clients and press “+Add”

      Fill in the fields:

      Disable this client: leave unchecked.
      Server mode: Peer to Peer (SSL/TLS);
      Protocol: UDP on IPv4 only (you can also use TCP);
      Device mode: tun – Layer 3 Tunnel Mode;
      Interface: WAN;
      Local port: leave blank;
      Server host or address: nl120.nordvpn.com;
      Server port: 1194 (use 443 if you use TCP);
      Proxy host or address: leave blank;
      Proxy port: leave blank;
      Proxy authentication extra options:
      Authentication method: None;
      Server host name resolution: check Infinitely resolve server;
      Description: Any name you like. We will use NordVPN_NL120.

      USER AUTHENTICATION SETTINGS

      User name: Your NordVPN username
      Password: Your NordVPN password in both fields.
      Authentication Retry: leave unchecked
      CRYPTOGRAPHIC SETTINGS
      TLS Authentication: Check
      Automatically generate a shared TLS authentication key: Uncheck

      -----BEGIN OpenVPN Static key V1-----
      004853a6d6a156c71bfa3d08332ad880
      f2fb8cfc15bf15634f6b3e76f457aa05
      9fec5ac90277c6b51d38cbb56d783506
      cc5a8d04948b15b04dbe015bf3507de0
      13539e63812685af4ea779d352f45921
      7b94ba7f06fd5c5bdd5c5a6b39d86669
      763faa1a63453c07871d1e9be348520c
      01b7de80eaa9e423a215954409cc490f
      f9704c91e1776892454f96d253bf5517
      36c85335ab3e4998c9c6dc182ff261ef
      f628d9994ae86773d5756b96dee9ede5
      2f00f03f544b644fa99767e74023e365
      35f5b094268385fb131fc828d2d51ec1
      340b739a91a729f7ca89c818add53f66
      63e30cdb599b75a16196c9444afe8923
      13d3a5c8da74ce7368b92b6bdeebe089
      -----END OpenVPN Static key V1-----

      Peer certificate authority: NordVPN_NL120_CA;
      Peer Certificate Revocation list: do not define.
      Client certificate: webConfigurator default (59f92214095d8)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
      Encryption Algorithm: AES-256-GCM
      Enable NCP: Check.
      NCP Algorithms: AES-256-GCM and AES-256-CBC.
      Auth digest algorithm: SHA512 (512-bit)
      Hardware Crypto: No hardware crypto acceleration.

      TUNNEL SETTINGS

      IPv4 tunnel network: leave blank;
      IPv6 tunnel network: leave blank;
      IPv4 remote network/s: leave blank;
      IPv6 remote network/s: leave blank;
      Limit outgoing bandwidth: leave blank;
      Compression: LZO Compression [Legacy style, comp-lzo yes];
      Topology: Subnet – One IP address per client in a common subnet
      Type-of-service: leave unchecked;
      Disable IPv6: check Don’t forward IPv6 traffic;
      Don’t pull routes: check;
      Don’t add/remove routes: leave unchecked.

      ADVANCED CONFIGURATIONS

      Custom Options:

      tls-client;
      remote-random;
      tun-mtu 1500;
      tun-mtu-extra 32;
      mssfix 1450;
      persist-key;
      persist-tun;
      reneg-sec 0;
      remote-cert-tls server;
      auth-retry nointeract;

      UDP FAST I/O: leave unchecked.
      Send/Receive Buffer: Default
      Verbosity level: 3 (recommended);

      5. Navigate to Interfaces -> Interface Assignments and add the NordVPN NL120 interface.

      6. Press on the OPT1 to the left of your assigned interface and fill in the following information:

      Enable: check
      Description: NordVPN
      IPv4 Configuration Type: DHCP
      IPv6 Configuration Type: None
      Mac Address: leave blank
      MTU: leave blank
      MSS: leave blank

      Do not change anything else. Just scroll down to the bottom and press “Save”.

      7. Navigate to Services -> DNS Resolver -> General Settings

      Enable: check
      Listen port: leave what it already is
      Network Interfaces: All
      Outgoing Network Interfaces: NordVPN
      System Domains Local Zone Type: Transparent
      DNSSEC: uncheck
      DNS Query Forwarding: check
      DHCP Registration: check
      Static DHCP: check
      Save

      8. While in DNS Resolver, select Advanced Setting at the top and then fill in the following:

      Hide Identity: check
      Hide Version: check
      Prefetch Support: check
      Prefetch DNS Key Support: check
      Save

      9. Navigate to Firewall -> NAT -> Outbound and select “Manual Outbound NAT rule generation”. Press “Save”. Four rules will then appear. Leave the 127.0.0.0 rules untouched and edit both rules which have your network address specified as the source:
      9.1. Change the Interface to NordVPN;
      9.2. Click Save. At the end it should look like this:

      10. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. Also, edit the IPv4 rule:
      10.1. Press on Show Advanced Options;
      10.2. Change Gateway to NordVPN;
      10.3. Click Save.

      At the end it should look like this:

      11. Go to System -> General Setup and fill in:

      DNS Server 1: 162.242.211.137 ; none
      DNS Server 2: 78.46.223.24 ; NordVPN_DHCP-…
      Save

      12. Now you can navigate to Status -> OpenVPN and it should state that the service is “up”.

      13. You can also check the connection log file under Status -> System Logs -> OpenVPN:


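The settings this guide specifies are the ones the rest of the thread ends up correcting (server name versus IP literal when DNS egresses through the tunnel, AES-256-CBC with NCP off, Adaptive LZO, and pull-filter ignore for the pushed options the client rejects). The linter below is an added example, not pfSense or NordVPN code: it models the GUI fields as a plain dict (an assumption of this example, not pfSense's data format), encodes the corrections later posters report as working for this provider at the time, and runs the guide's configuration beside the corrected one.

```python
"""Lint a pfSense OpenVPN client definition against the points raised in this thread.

Added example, not pfSense or NordVPN code. The GUI fields are modelled as a plain
dict (an assumption of this example). The rules encode what the thread reports
worked for this provider, not a general cipher recommendation.
"""
import ipaddress
import shlex


def parse_custom_options(text: str) -> list[list[str]]:
    """Split the 'Custom options' box (';'-separated, possibly multi-line) into
    tokenised OpenVPN directives, e.g. 'pull-filter ignore "dhcp-option"'
    becomes ['pull-filter', 'ignore', 'dhcp-option']."""
    directives = []
    for chunk in text.replace("\n", ";").split(";"):
        chunk = chunk.strip()
        if chunk:
            directives.append(shlex.split(chunk))
    return directives


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_client(cfg: dict) -> list[str]:
    """Return 'CODE: message' findings; an empty list means the client matches
    the working configuration described in the thread."""
    findings = []
    opts = parse_custom_options(cfg.get("custom_options", ""))
    ignored = {o[2] for o in opts if o[:2] == ["pull-filter", "ignore"] and len(o) == 3}

    # DNS bootstrap: if the resolver's outgoing interface is the tunnel itself,
    # bringing the tunnel up must not depend on resolving the server name.
    if (cfg.get("resolver_outgoing_interface") == cfg.get("tunnel_interface")
            and not is_ip_literal(cfg["server_host"])):
        findings.append("DNS-BOOTSTRAP: server host %r is a name but DNS egresses via the "
                        "tunnel; use the server's IP literal" % cfg["server_host"])

    # Cipher: the thread reports AES-256-CBC with NCP disabled is what this server accepts.
    if cfg.get("encryption_algorithm") != "AES-256-CBC" or cfg.get("enable_ncp"):
        findings.append("CIPHER: set Encryption Algorithm to AES-256-CBC and uncheck Enable NCP")

    if cfg.get("compression") != "Adaptive LZO":
        findings.append("COMPRESSION: set Compression to Adaptive LZO")

    # Pushed options the client rejects with "cannot be used in this context ([PUSH-OPTIONS])".
    for pushed in ("redirect-gateway", "dhcp-option"):
        if pushed not in ignored:
            findings.append('PUSH-FILTER: add custom option: pull-filter ignore "%s"' % pushed)

    # Server certificate check: present in the guide, checked so a stripped config is caught.
    if ["remote-cert-tls", "server"] not in opts:
        findings.append("REMOTE-CERT: add custom option: remote-cert-tls server")

    if not cfg.get("tls_authentication"):
        findings.append("TLS-AUTH: enable TLS Authentication with the provider's static key")
    return findings


# Constructed from the guide in the first post.
GUIDE_CONFIG = {
    "server_host": "nl120.nordvpn.com",
    "encryption_algorithm": "AES-256-GCM",
    "enable_ncp": True,
    "compression": "LZO Compression [Legacy style, comp-lzo yes]",
    "tls_authentication": True,
    "tunnel_interface": "NordVPN",
    "resolver_outgoing_interface": "NordVPN",
    "custom_options": ("tls-client;remote-random;tun-mtu 1500;tun-mtu-extra 32;mssfix 1450;"
                       "persist-key;persist-tun;reneg-sec 0;remote-cert-tls server;"
                       "auth-retry nointeract"),
}

# Constructed from the corrections later in the thread (IP literal, CBC, NCP off,
# Adaptive LZO, TheNarc's custom options).
FIXED_CONFIG = dict(
    GUIDE_CONFIG,
    server_host="109.236.87.76",
    encryption_algorithm="AES-256-CBC",
    enable_ncp=False,
    compression="Adaptive LZO",
    custom_options=('tls-client;remote-random;auth-nocache;remote-cert-tls server;tun-mtu 1500;'
                    'tun-mtu-extra 32;mssfix 1450;persist-key;persist-tun;reneg-sec 0;'
                    'auth-retry nointeract;pull-filter ignore "redirect-gateway";'
                    'pull-filter ignore "dhcp-option"'),
)

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_client(cfg) or "OK")
```

The DNS-bootstrap rule is the one worth keeping even after the provider-specific cipher rules go stale: any time the resolver's only egress is the tunnel, the tunnel endpoint has to be reachable without a lookup, or the box cannot recover from a reboot on its own.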
      • strangegopher

        One thing I'll say is that Encryption Algorithm should be AES-256-CBC (it will produce a whole bunch of errors if not set),
        and keep the logging at the default or it will spam the logs every 5 minutes.

        They did say the guide is in beta and not for public.

        • bcruze

          To be honest, that looks exactly the same as my setup when I tried their service.

          Several steps were different from other providers, which I could not understand. My service would work, but on a 100Mb download I could not get above 25Mb.

          The ONLY thing I could come up with was their super high-level encryption…

          If I reboot my pfSense my connection starts on startup. Here are my custom options; you may try adding them to see if it starts... Sorry, I am not an OpenVPN expert; hopefully someone else can chime in:

          remote-cert-tls server;
          reneg-sec 0;
          resolv-retry infinite;
          persist-key;
          persist-tun;
          cipher aes-256-cbc;
          auth sha256;
          tls-client;
          pull-filter ignore "auth-token"

          • strangegopher

            Still no luck.

            I do get the following errors when connecting:

            Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
            Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
            Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
            • strangegopher

              I also get the following error message on the first connection try after reboot (when the connection fails):

              ioctl(TUNSIFMODE): Device busy (errno=16)

              but the error disappears when I restart OpenVPN (and the connection works).

              • TheNarc

                I run NordVPN clients too and don't have this problem.  Some notes on your configuration (and I realize I may be repeating some points already brought up by other posters):

                • In your client config, use the raw IP of the server instead of its hostname.  So instead of nl120.nordvpn.com, put 109.236.87.76.  Since you're routing DNS queries through your VPN, you have a chicken-and-egg problem.  You can't perform DNS queries until your VPN tunnel is up, but you can't bring your VPN tunnel up until you can resolve nl120.nordvpn.com.  Using the raw IP works around this.

                • Encryption algorithm needs to be AES-256-CBC, and uncheck the "Enable NCP" option.

                • Compression should be Adaptive LZO

                • My custom options (for UDP) are:  tls-client;remote-random;auth-nocache;remote-cert-tls server;tun-mtu 1500;tun-mtu-extra 32;mssfix 1450;persist-key;persist-tun;reneg-sec 0;auth-retry nointeract;pull-filter ignore "redirect-gateway";pull-filter ignore "dhcp-option"

                • I have "Use fast I/O operations" checked and buffer size set to 512KB (again, for UDP)

                A few other comments:

                • I find that, on a reboot, unbound consistently comes up before my VPN clients.  And when this happens, unbound reverts to its defaults of using all interfaces for outgoing queries.  So you can end up in a situation where you think all your DNS queries are being routed through your VPN, but they're really not.  Right now, I know of no automatic workaround for this, so I just remember to manually restart unbound after a reboot.

                • I also notice that on a reboot, gateway monitoring will frequently indicate that my VPN clients are down even though they're not.  I don't know why this is, but if I just edit the settings for one of my VPN client gateways and then save and apply without making any changes, the system seems to re-spawn the dpinger instances responsible for the monitoring and everything is happy.

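The two symptoms strangegopher posted (pushed options rejected with "cannot be used in this context ([PUSH-OPTIONS])", and TUNSIFMODE "Device busy" on the first start after a reboot) and the unbound startup race TheNarc describes are all visible from the box itself. The post-reboot check below is an added example, not pfSense code: the OpenVPN log lines are constructed from the messages quoted in this thread, the unbound.conf fragments are constructed, the tunnel address 10.8.8.6 is made up, and it assumes pfSense writes the chosen outgoing interface into unbound.conf as `outgoing-interface: <address>`.

```python
"""Post-reboot health check for the symptoms reported in this thread:
OpenVPN rejecting pushed options, a busy tun device, and unbound not pinned
to the tunnel for outgoing queries.

Added example, not pfSense code. Sample log lines and unbound.conf fragments
are constructed; the 'outgoing-interface:' layout is an assumption.
"""
import re

# Constructed sample: the OpenVPN client log lines strangegopher posted.
SAMPLE_OPENVPN_LOG = """\
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
ioctl(TUNSIFMODE): Device busy (errno=16)
"""

# Constructed samples: unbound egressing on all interfaces (what TheNarc sees
# after a reboot) versus pinned to the tunnel address 10.8.8.6 (made up here).
UNBOUND_AFTER_REBOOT = """\
server:
    interface: 0.0.0.0
    interface: ::0
    outgoing-interface: 0.0.0.0
    outgoing-interface: ::0
"""
UNBOUND_PINNED = """\
server:
    interface: 0.0.0.0
    interface: ::0
    outgoing-interface: 10.8.8.6
"""

PUSH_REJECT_RE = re.compile(
    r"Options error: option '([\w-]+)' cannot be used in this context \(\[PUSH-OPTIONS\]\)")
TUN_BUSY_RE = re.compile(r"ioctl\(TUNSIFMODE\): Device busy \(errno=(\d+)\)")
OUTGOING_RE = re.compile(r"^\s*outgoing-interface:\s*(\S+)", re.M)
WILDCARDS = {"0.0.0.0", "::0", "::"}


def triage_openvpn_log(log: str) -> dict:
    """Count rejected pushed options and TUNSIFMODE failures and map each to
    the remedy given in the thread."""
    rejected: dict[str, int] = {}
    tun_busy = 0
    for line in log.splitlines():
        m = PUSH_REJECT_RE.search(line)
        if m:
            rejected[m.group(1)] = rejected.get(m.group(1), 0) + 1
            continue
        if TUN_BUSY_RE.search(line):
            tun_busy += 1
    advice = ['add custom option: pull-filter ignore "%s" (%d occurrences)' % (opt, n)
              for opt, n in sorted(rejected.items())]
    if tun_busy:
        advice.append("tun device reported busy at first start; the thread reports "
                      "that restarting the OpenVPN client clears it")
    return {"rejected_push_options": rejected, "tun_busy": tun_busy, "advice": advice}


def check_unbound_egress(conf: str, tunnel_ip: str) -> dict:
    """Report whether unbound's outgoing queries are pinned to the tunnel address.
    A wildcard, or the tunnel address missing, means queries may leave via WAN."""
    outgoing = OUTGOING_RE.findall(conf)
    pinned = bool(outgoing) and tunnel_ip in outgoing and not (set(outgoing) & WILDCARDS)
    advice = [] if pinned else ["restart unbound once the tunnel is up so it re-reads "
                                "the VPN interface address"]
    return {"outgoing": outgoing, "pinned_to_tunnel": pinned, "advice": advice}


if __name__ == "__main__":
    for key, value in triage_openvpn_log(SAMPLE_OPENVPN_LOG).items():
        print(key, value)
    print(check_unbound_egress(UNBOUND_AFTER_REBOOT, "10.8.8.6"))
    print(check_unbound_egress(UNBOUND_PINNED, "10.8.8.6"))
```

The unbound check is the one that matters for leakage: a resolver that silently falls back to all interfaces after a reboot sends every lookup out the WAN while the dashboard still looks healthy, so it is worth running (or scripting) after each boot rather than trusting the GUI setting.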
                • strangegopher

                  @TheNarc:

                  I run NordVPN clients too and don't have this problem.  Some notes on your configuration (and I realize I may be repeating some points already brought up by other posters):

                  • In your client config, use the raw IP of the server instead of its hostname.  So instead of nl120.nordvpn.com, put 109.236.87.76.  Since you're routing DNS queries through your VPN, you have a chicken-and-egg problem.  You can't perform DNS queries until your VPN tunnel is up, but you can't bring your VPN tunnel up until you can resolve nl120.nordvpn.com.  Using the raw IP works around this.

                  • Encryption algorithm needs to be AES-256-CBC, and uncheck the "Enable NCP" option.

                  • Compression should be Adaptive LZO

                  • My custom options (for UDP) are:  tls-client;remote-random;auth-nocache;remote-cert-tls server;tun-mtu 1500;tun-mtu-extra 32;mssfix 1450;persist-key;persist-tun;reneg-sec 0;auth-retry nointeract;pull-filter ignore "redirect-gateway";pull-filter ignore "dhcp-option"

                  • I have "Use fast I/O operations" checked and buffer size set to 512KB (again, for UDP)

                  A few other comments:

                  • I find that, on a reboot, unbound consistently comes up before my VPN clients.  And when this happens, unbound reverts to its defaults of using all interfaces for outgoing queries.  So you can end up in a situation where you think all your DNS queries are being routed through your VPN, but they're really not.  Right now, I know of no automatic workaround for this, so I just remember to manually restart unbound after a reboot.

                  • I also notice that on a reboot, gateway monitoring will frequently indicate that my VPN clients are down even though they're not.  I don't know why this is, but if I just edit the settings for one of my VPN client gateways and then save and apply without making any changes, the system seems to re-spawn the dpinger instances responsible for the monitoring and everything is happy.

                  You sir are a life saver. Thank you for the help!

                  • TheNarc

                    No problem, I hope it works for you.  I realize that I should have also noted that I use policy routing (i.e. assign traffic to either go through the VPN or not using firewall rules).  I think I assumed that you were doing this too, but if you're not and don't have your VPN client gateway set as the default gateway, then traffic won't go through the VPN unless you make firewall rules assigning it to.  If that's not clear, let me know and I can provide some examples.  Also, if you haven't already, using the "NO_WAN_EGRESS" packet matching/marking strategy is a great way to prevent traffic from unknowingly bypassing your VPN if it goes down:  https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

                    • strangegopher

                      For stopping traffic from leaving the VPN, I have "Skip rules when gateway is down" checked under System/Advanced/Miscellaneous, but I have seen the NO_WAN_EGRESS method before. My method is not as fine-grained as the NO_WAN_EGRESS method, where you can deny specific hosts on the network. I also have 5 VLANs and only 2 of those VLANs have their traffic going out over the VPN, so I think that works well enough for me.

                      I am not sure what you mean by policy routing. Please elaborate. I used your settings and the network seems to be behind vpn.

                      • TheNarc

                        Okay, well it sounds like you're set.  Policy routing is just using firewall rules to assign certain traffic to certain gateways and other traffic to other gateways (at least that's my high-level understanding of it).  The alternative would be to assign traffic to gateways via static routes.  In any case, if you're set up with VLANs I trust you know what you're doing :)
