Setting up OpenVPN client for NordVPN



  • Hi there,

    Has anyone ever tried NordVPN on pfSense 2.3.2? I followed their tutorial, which is based on a previous release of pfSense and is actually not working. After some trial & error, I did manage to connect to a NordVPN server (acquired an IP on the virtual interface) but client machines are not being routed through it. I just configured the LAN network for testing purposes and all the clients are still publishing the WAN IP from my ISP. The screenshots of my LAN F/W rule set and Outbound NAT are attached. What am I still missing? I'm using their 3-day trial to try it out and want to make sure it works before the trial runs out. Can anyone pls help?

    Best,
    San






  • Same problem here. Tried several times to get NordVPN support, they can't or won't help.  Their 'how To' is useless..



  • Have you tried disabling outbound NAT on WAN interface?



  • The one gotcha about these setups that I read about over the years is after you assign the tunnel to an interface… you have to bounce the tunnel or it won't work.



  • Since people are talking about NordVPN here, I want to ask how I can make a manual dialler for different IPs with Nord.
    Please guide.



  • I don't think it's NordVPN problem.
    pfsense clearly has issues with policy based routing with openvpn clients.



  • In the Nord pfSense setup directions (2.3) Step 9, you are instructed to create 4 rules.  All 4 rules call for the Interface to be OpenVPN but if you look at his screen shot of what it should look like, the last entry has your NordVPN as the interface for that one rule.  I changed mine to that and it started the interface up but I still have DHCP down so I still have to solve that problem.



  • Ok I got mine working fully now.  I'm routing all LAN traffic thru OpenVPN on a specific NordVPN server using my Netgate SG-1000 firewall appliance with pfSense 2.4.0.
    It's ok to use the NordVPN pfSense 2.3 guide but note a few things…

    1. In my above mentioned Step 9 issue, it's his screen shot example that is incorrect in two places.  Firstly ALL of the Interfaces should be OpenVPN.  Secondly, the IP Source is showing HIS LAN IP range.  It should be changed to YOUR LAN IP range in both entries.  He doesn't mention this.

    2. Another thing he didn't mention is to add a Rule to Firewall/Rules/WAN at the bottom:
    Action = Pass
    Disabled = Unchecked
    Interface = WAN
    AddressFamily = IPv4
    Protocol=UDP  (assuming your Nord connection is UDP otherwise TCP)
    Source section = All blank and unchecked
    Destination section:
      Invert Match = Unchecked  Dropdown = WAN Address
      Port Range From = OpenVPN (1194)  To = OpenVPN (1194)
    Extra Options section:
      Log = Unchecked
      Description = "Allow Traffic to OpenVPN Server"
    [Save]
    [Apply Changes]

    3.  Above I mentioned that in the Status/Interfaces opt1/ovpnc1 Interface it showed that the DHCP was Down.  It's supposed to be. (Status should be up, however)

    Make a connection on a client machine on the LAN side and do a 'What is my IP' search in Google and you should see your NordVPN assigned IP address.
    My email is available to members here so if you have things you would like to compare with mine, send me a line.



  • I assume the OP eventually got their VPN set up, but I found this topic while trying to set up my own connection to NordVPN. I got it working in pfSense, and I agree that NordVPN's tutorial is way off, at least for my version (2.3.4). So in case it helps someone else trying to do the same, here are my comments on the process.

    Step 4: Configuring the OpenVPN client
    -I used the server's IP address instead of its name. Theoretically, the name is fine, but in practice I found that occasionally there would be name resolution issues.
    -Be careful with the "auth digest algorithm" setting. Most NordVPN servers use SHA1, but some don't. Check your server's .ovpn file, as it may specify SHA512 somewhere in there.
    -I allowed routes to be pulled and added/removed automatically.
    -In the custom options, I only copy/pasted a few lines from the .ovpn file, since all the others get configured via the pfSense GUI:

    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    reneg-sec 0
    remote-cert-tls server
    key-direction 1
    

    Steps 5 & 6: Assigning the interface
    -I found that there was no need for these steps.

    Steps 7 & 8: DNS Resolver
    -I skipped these steps as well.

    Step 9: NAT setup
    -Their instructions are OK, but if you skipped steps 5 & 6, pick OpenVPN from the dropdowns.

    Step 10: Firewall rules
    -I skipped this step

    Step 11: DNS servers
    -I did this step, but I believe the VPN will push these settings to you if you skip it.

    Hope this helps.  Good luck!



    • Not sure why there are so many issues, I set up Nord on 2.2 and 2.3 with no issues.

    • I see their tutorial is updated from when I looked at it in the past - subnet assumption as mentioned by androidian yes, but generally looks ok.

    • You don't need a WAN rule as per androidian for the setup to work, in fact it is not correct and a noop.

    • Room 7609 didn't need to do anything with rules because he allowed routes to be added / removed automatically.. and the tutorial is not explicit enough about this
        - It configures the VPN in a way that supports per host routing but then applies that capability to the whole lan subnet
        - You could actually make the firewall rule apply to specific hosts. This implies that you do not automatically add/remove routes, using the route-noexec advanced option.
        - Not applying routes automatically will be required if you connect to multiple VPN clients otherwise each one will mess with routes on startup. ie If you want specific hosts to go over specific VPN tunnels.

    Here's the big one.

    • Nord servers are a b!tch because
        - there is no load balanced DNS / failover
        - they do not share the same TLS auth key
        - as I've now learned, different servers have different digest algos

    .. which means if you set up any kind of monitoring to restart when a server goes down or has high latency, it will simply reconnect to the same troublesome server. OpenVPN has a notion of connection profiles, but they don't include tls-auth yet - submitted a feature request so it's added - now it looks like digest algo is another problem.
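An added example, not part of any post in this thread: a small Python check for the points raised in the two posts above (look in the server's .ovpn file for an `auth` line such as SHA512, and expect the TLS auth key and digest to differ between servers). The sample profiles, host names and key material are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import re

def parse_ovpn(text):
    """Split an .ovpn profile into directives and inline <tag> blocks."""
    directives, blocks, tag, buf = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                                  # inside <ca>, <tls-auth>, ...
            if line == f"</{tag}>":
                blocks[tag], tag = "\n".join(buf), None
            else:
                buf.append(line)
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            tag, buf = m.group(1), []
        elif line and line[0] not in "#;":       # skip blanks and comments
            name, _, args = line.partition(" ")
            directives.setdefault(name, args.strip())
    return directives, blocks

def summarize(text):
    """Per-server settings the pfSense client must match exactly."""
    d, blocks = parse_ovpn(text)
    key = blocks.get("tls-auth", "")
    return {
        "remote": d.get("remote"),
        "cipher": d.get("cipher"),
        "auth": d.get("auth", "SHA1").upper(),   # OpenVPN's default digest is SHA1
        # Fingerprint the static key so profiles compare without printing it.
        "tls_auth_id": hashlib.sha256(key.encode()).hexdigest()[:12] if key else None,
    }

def differing_fields(profiles):
    """Fields (other than the remote) that differ across name -> profile text."""
    rows = [summarize(t) for t in profiles.values()]
    return sorted(f for f in ("cipher", "auth", "tls_auth_id")
                  if len({r[f] for r in rows}) > 1)

# Constructed sample profiles: placeholder hosts and key material, not NordVPN data.
SAMPLE_A = """remote vpn-a.example.net 1194
proto udp
cipher AES-256-CBC
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00aa11bb
-----END OpenVPN Static key V1-----
</tls-auth>
"""
SAMPLE_B = SAMPLE_A.replace("vpn-a", "vpn-b").replace("00aa11bb", "22cc33dd") + "auth SHA512\n"
```

Any field returned by `differing_fields` has to be changed in the pfSense client together with the server address; swapping only the remote leaves a digest or TLS key that the new server rejects.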



  • I agree with duren's comments and obviously the steps worked for whoever wrote the tutorial. It just seems like it would be wiser for the tutorial to start simple and get an initial "hello world" type of setup working, and then explain how to perform various customizations from there.

    I am curious about the comments regarding NordVPN's servers, because I am seeing some randomness in the connection behavior. Each hour there is a TLS rekeying which usually succeeds but often doesn't. For those times when it doesn't succeed, there is a ping restart that happens after a few minutes (typically 6). The restart succeeds. In the meantime, everyone trying to use the VPN is dead in the water. There doesn't seem to be a pattern as to how much time passes between this type of failure. Sometimes an hour, sometimes 3, sometimes 5 etc. But in any case, it happens several times a day.

    Less frequently, say once a week, I will get an AUTH_FAILURE out of the blue, which causes OpenVPN to shut down. I installed the watchdog package to detect when that happens, and so far the restart always succeeds. But I'm obviously not happy with bogus authorization failures.



  • Room 7609,

    • I have seen this TLS issue sometimes too but haven't looked into it specifically because I'm trying to figure out a catch all solution for when the tunnel is misbehaving, be it connection or packetloss or no traffic. They usually resolve themselves within a few minutes, definitely longer than required for a proper uptime.

    • the auth problem I've seen across different providers and have had success by using the following advanced option: auth-retry nointeract



  • Thanks for the tip on auth-retry nointeract. I was looking for an option like that in the OpenVPN docs but missed it, I guess because I was searching for SIGTERM rather than AUTH_FAILURE. I'm going to add that and see what happens. If I can go a couple of weeks without watchdog getting triggered, that'll be a good result.



  • Just thought I'd update this thread. Adding "auth-retry nointeract" has fixed the random AUTH_FAILURE problem for me. Actually, the AUTH_FAILURE still happens, but it now retries automatically, and the next attempt always succeeds.

    I'm not sure why we are seeing authorization failures in the first place, but I'm guessing this is some kind of timing issue with NordVPN's policy of only allowing one connection to a particular server at a time.

    In any case, "auth-retry nointeract" seems to be a great workaround.
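An added example, not part of any post in this thread: a Python sketch that measures the outages described above (a failed TLS rekey followed by a ping restart, and an auth failure that makes OpenVPN exit) from an OpenVPN client log. The log sample is constructed with syslog-style timestamps, the year is an assumption because such timestamps carry none, and OpenVPN writes the auth failure as `AUTH_FAILED`.

```python
import re
from datetime import datetime

# Constructed sample log; message texts follow standard OpenVPN client output.
SAMPLE_LOG = """\
Oct  3 10:00:01 openvpn[4242]: TLS: soft reset sec=0 bytes=1204/-1 pkts=20/0
Oct  3 10:01:01 openvpn[4242]: TLS Error: TLS key negotiation failed to occur within 60 seconds
Oct  3 10:06:40 openvpn[4242]: [server] Inactivity timeout (--ping-restart), restarting
Oct  3 10:06:52 openvpn[4242]: Initialization Sequence Completed
Oct  3 14:00:05 openvpn[4242]: AUTH: Received control message: AUTH_FAILED
Oct  3 14:00:05 openvpn[4242]: SIGTERM[soft,auth-failure] received, process exiting
Oct  3 14:01:10 openvpn[5151]: Initialization Sequence Completed
"""

FAILURES = {
    "TLS key negotiation failed": "tls-rekey",
    "AUTH_FAILED": "auth-failure",
}
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")

def outages(log, year=2017):
    """Return [(cause, seconds_down, process_exited)] for each tunnel outage."""
    result, start, cause, exited = [], None, None, False
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        hit = next((c for k, c in FAILURES.items() if k in msg), None)
        if hit and start is None:                 # first failure opens an outage
            start, cause, exited = ts, hit, False
        elif "process exiting" in msg and start is not None:
            exited = True                         # client died; needs an external restart
        elif "Initialization Sequence Completed" in msg and start is not None:
            result.append((cause, int((ts - start).total_seconds()), exited))
            start = None
    return result
```

An `auth-failure` entry with `process_exited` set to `True` is the case where only an external watchdog brings the tunnel back; with `auth-retry nointeract` the same failure should appear with `False`.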



  • FYI, it appears that NordVPN has addressed whatever issue was causing random ping timeouts after TLS renegotiation. I haven't seen it happen in the past two weeks, which is by far the longest stretch ever.

