    NordVPN Client only for specific hosts

    OpenVPN
    58 Posts 10 Posters 8.3k Views
      TheNarc @Derelict

      @derelict Yeah so basically, if you select anything other than "Default" in that drop-down, you're overriding the system routing table and saying "use only this one specific gateway (or gateway group) that I specify" (i.e. policy routing), right? And when you select a default gateway (in System > Routing), you're selecting the gateway used for the default route in the system routing table. Just trying to get my terminology straight.

        Derelict LAYER 8 Netgate

        https://www.netgate.com/docs/pfsense/book/

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

            jordo_6 @luckyzor

            @luckyzor

            Waking an old thread, but are you still using this method?

            I've done exactly what you have initially done but only want one local IP to use the VPN.

            I'm pretty new to this all and can't quite work out how to get only one device to use the nord gateway and the rest of the network to stay as normal.

              Derelict LAYER 8 Netgate @jordo_6

              @jordo_6 Only policy route the source address(es) you want to shove out the VPN gateway like this https://forum.netgate.com/post/820908

              You probably also need to enable "Don't Pull Routes" in the OpenVPN client so if they are sending you a default route (Really two routes, 0.0.0.0/1 and 128.0.0.0/1), you don't install it/them.


                jordo_6 @Derelict

                @Derelict

                Thank you for the response.

                I clearly don't understand it enough to get it working without it being all or nothing.

                Following the guide on nord's website will get it working for the whole network but I just can't seem to work out how to define it like you say.

                I feel like there must be something else I'm not understanding that I shouldn't be following to get it to work as suggested.

                I'm pretty sure I enabled 'Don't pull routes' as you mention, and I see it was also mentioned earlier on that this fixed it for the OP, but I just seem to break the whole thing when I try to do it as described.

                To clarify, this is the guide I followed, which works, but obviously isn't how I want it to be set, haha.

                https://support.nordvpn.com/hc/en-us/articles/20382523899281-pfSense-2-5-Setup-with-NordVPN

                  Derelict LAYER 8 Netgate @jordo_6

                  @jordo_6 You really can't be "pretty sure" about these things. Look at the client configuration and see.

                    johnpoz LAYER 8 Global Moderator @jordo_6

                    @jordo_6 that guide is pretty lame, to be honest.. The client cert, using your web cert, is gibberish.. That should pretty much say to set it to none and use username and password, or it doesn't matter.. Not that you should leave it on the web GUI cert and your numbers might be different. They have you set a username and password, so the client cert should be set to none, to be honest.

                    They have you do dnskey prefetch, but turn off DNSSEC - which, yeah, when you forward to their DNS you should have DNSSEC disabled. But if you do, then there is zero use in trying to prefetch the dnskey..

                    The whole nonsense of going manual outbound NAT is a horrible suggestion on their part. Also they say to set a CBC cipher, which to be honest has been dead a really long time..

                    Just a few of the problems I see in that guide with a 20 second read through.

                    I would set up the client, don't pull routes.. Don't change your outbound NAT from automatic.. And then set up a hybrid NAT to use the NordVPN interface gateway you set up. Then just create a policy route, a firewall rule that sends traffic out your Nord gateway.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      Tom777 @johnpoz

                      @johnpoz said in NordVPN Client only for specific hosts:

                      I would setup the client, don't pull routes.. Don't change your outbound nat from automatic.. And then setup a hybrid nat to use the nordvpn interface gateway you setup. Then just create a policy route, firewall rule that sends traffic out your nord gateway.

                      Hi, I'm new here and having the same problem, or rather the same goal: to route only specific hosts through NordVPN. I have set up everything like in the NordVPN tutorial, so all traffic goes through NordVPN.

                      Can you be more detailed about how to turn it back, or rather change it, so that only specific hosts are going through?

                      What I already did was to create an alias (with one host) as source in the NAT outbound rule and in the firewall rule, but it did not work (the rest as in the tutorial).

                      Maybe you can create a kind of tutorial for this topic, since it is for sure a use case for everyone? That would be highly appreciated!

                      Thanks

                        Gertjan @Tom777

                        @Tom777 said in NordVPN Client only for specific hosts:

                        Maybe you can create a kind of tutorial for this topic

                        To make a 'good' tutorial, he would have to have a subscription to this VPN.
                        Don't take me wrong here, but I like to state this: someone that understands pfSense, VPN in general, and N#rdVPN in this case, will not use N#rdVPN. I'm pretty sure johnpoz stays away from N#rdVPN as far as possible.
                        N#rdVPN has been discussed many times on this forum. Have a look at these posts, and you will find answers and other info you really need to know.

                        N#rdVPN is advertising everywhere, paying everybody and everywhere on Youtube for their publicity. That's where their money goes. Not really, afaik, to end user support. It would be nice if I was wrong here.

                        Btw: pfSense, as a router, isn't unknown to them, there are just about one million pfSense users out there. N#rdVPN, as any other VPN ISP, actually wants you to use their 'app', as that app they can support. They are of course ok if you use other "apps" like the "OpenVPN client", the executable that comes with pfSense, but in that case they have to (do they?) support all pfSense versions ... and all OpenVPN client binary versions .... and all the different kinds of set-up that these "1 million" (way less probably ^^) pfSense can create ...
                        Now you understand why they 'accept' that you use pfSense as an OpenVPN client, and you also know now that it is supported "by you".

                        edit: I know, I really shouldn't talk about N#rdVPN as a product, as I'm not using their services.
                        If I would use a VPN ISP, I would put the "how do they support pfSense?" very high if not at the top of my "how to choose" list. I don't care whatever or whoever tells me in a video that it is "so good" or how much "$$" I can deduct the first 3 months.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                          Derelict LAYER 8 Netgate @Tom777

                          @Tom777 When you are connected to the VPN service, look at Diagnostics > Routes.

                          Do you see routes for 0.0.0.0/1 and 128.0.0.0/1 out the OpenVPN interface?

                          If so, you are pulling those routes from Nord. That needs to be disabled in the OpenVPN client configuration using Don't pull routes. Once that is done, no traffic will go out the VPN connection unless it is specifically policy routed that way by matching traffic and setting the VPN Gateway in the firewall rule.

                            johnpoz LAYER 8 Global Moderator @Gertjan
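The check Derelict describes above (look at Diagnostics > Routes for a 0.0.0.0/1 and 128.0.0.0/1 pair out the OpenVPN interface) can be scripted against a copy of the routing table. This is an added example, not code from the thread or from pfSense; the interface names (ovpnc1, pppoe0, igb1) and every address in the sample are constructed, and the sample mimics the shape of `netstat -rn` output rather than a real capture.

```python
import ipaddress

# Constructed sample in the shape of `netstat -rn` IPv4 output on a pfSense box whose
# OpenVPN client has pulled the server's default route (assumed tunnel interface: ovpnc1,
# assumed WAN interface: pppoe0; all addresses are made up).
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS      pppoe0
0.0.0.0/1          10.100.0.1         UGS      ovpnc1
10.100.0.0/16      link#7             U        ovpnc1
10.100.0.2         link#7             UHS         lo0
127.0.0.1          link#4             UH          lo0
128.0.0.0/1        10.100.0.1         UGS      ovpnc1
192.168.1.0/24     link#2             U          igb1
"""

# The two halves of the address space a pushed "redirect-gateway" installs.
SPLIT_DEFAULT = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}


def parse_routes(text):
    """Return (destination network, gateway, interface) triples from netstat-style output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or section lines
        dest, gateway, _flags, netif = fields[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # the "Destination ..." header line
        routes.append((net, gateway, netif))
    return routes


def pulled_default_routes(text, vpn_ifname):
    """The 0.0.0.0/1 + 128.0.0.0/1 pair pointing out the tunnel: the routes 'Don't pull routes' suppresses."""
    return sorted(
        str(net) for net, _gw, netif in parse_routes(text)
        if net in SPLIT_DEFAULT and netif == vpn_ifname
    )


def egress_interface(text, dst_ip):
    """Longest-prefix match: the interface a packet to dst_ip leaves by (policy routing aside)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, _gw, netif in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


if __name__ == "__main__":
    pulled = pulled_default_routes(SAMPLE_ROUTES, "ovpnc1")
    print("pulled split-default routes:", pulled or "none")
    print("8.8.8.8 would leave via", egress_interface(SAMPLE_ROUTES, "8.8.8.8"))
```

The /1 routes win over the /0 default by longest-prefix match, which is why the pair captures all traffic even though the real default route still points at the WAN.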

                            @Gertjan said in NordVPN Client only for specific hosts:

                            I'm pretty sure johnpoz stays away from N#rdVPN as far as posible.

                            You got that right - I wouldn't piss on these services if they were on fire and I had just drunk a six pack and had to go really really bad.. I would let my bladder explode first ;)

                              Tom777 @Derelict

                              @Derelict

                              I don't see anything like this.

                              However, in the OpenVPN Client

                              Don't pull routes - "Bars the server from adding routes to the client's routing table" is unchecked

                              Don't add/remove routes - "Don't add or remove routes automatically" is checked

                              I have added two screenshots to be sure.

                              @Gertjan @johnpoz

                              I understand your point. I'm using Nord because of the reliability and speed, for surfing the i-net, nothing else, and also for location change if needed for some sites or apps.

                              Maybe a tutorial is too much, but some tips on how to get to the desired goal might still not be that much of a burden. I'm also open to other good VPN providers, don't get me wrong.

                              Since I'm working remotely, I don't want to mess up my router. Well, yes, I have a backup, a Vilfo router, but unfortunately they paused the project, so I need to switch. I've also tried with OPNsense, but that was a complete mess. With pfSense I got this far, which is good. Now I need to go into the details.

                              Thank you for your support!!

                              What is strange, or maybe the root of the problem and maybe also the solution approach, is that the IPv4 rule now goes through Nord as the gateway.

                                Bob.Dig LAYER 8 @Tom777

                                @Tom777 said in NordVPN Client only for specific hosts:

                                Don't pull routes - "Bars the server from adding routes to the client's routing table" is unchecked

                                I think I read it a few times here already that that should be checked! Even if you are new here, you should have too.

                                  johnpoz LAYER 8 Global Moderator @Tom777

                                  @Tom777 said in NordVPN Client only for specific hosts:

                                  What is strange, or maybe the root of the problem and maybe also the solution approach, is that the IPv4 rule now goes through Nord as the gateway.

                                  Yeah, because you're policy routing it out that gateway. If you don't want all your clients going out that route, then create a rule that only sends the clients you want out that gateway, and add a rule that allows access that doesn't go out that gateway.

                                    Gertjan @Tom777

                                    @Tom777

                                    This (see attached screenshot) makes me think a third rule is missing.
                                    The second, 'policy routed' rule with the "DE1073NORDVPNCOM_VPN4" gateway is for the IPs you want to route through the VPN.
                                    This second rule also needs a source alias. In this alias you put all the IPs you want to route over to the VPN. Now, you route all your 65535 LAN IPs = /16 (really? 65535??) over to the 'VPN' gateway.
                                    A third rule, where you can use "192.168.0.0/16" as a source, and where you do not specify a gateway, is for all the 'other' devices that need to get routed over the default == WANv4 interface.

                                    And here is a free tip of the day: have a look at this: https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/ - and start at point 3: "Route WAN through the VPN tunnel".

                                      Tom777 @Gertjan
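The rule layout Gertjan and johnpoz describe (an alias-sourced rule with the VPN gateway above a catch-all rule with no gateway) can be sanity-checked by simulating pfSense's top-down, first-match evaluation. This is an added example, not code from the thread or from pfSense: the alias name VPN_HOSTS, the host addresses and the interface names pppoe0/ovpnc1 are constructed; the gateway name and the /16 come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed alias table (Firewall > Aliases): the hosts that should use the tunnel.
ALIASES = {"VPN_HOSTS": ["192.168.1.50", "192.168.1.51"]}
LAN_NET = "192.168.0.0/16"            # the /16 source used on the rules in the thread
VPN_GW = "DE1073NORDVPNCOM_VPN4"      # gateway name from the thread
WAN_IF, VPN_IF = "pppoe0", "ovpnc1"   # assumed interface names


@dataclass
class Rule:
    description: str
    source: str              # a CIDR/IP or an alias name
    gateway: Optional[str]   # None: "Default", i.e. follow the system routing table


def source_matches(source, src_ip):
    nets = ALIASES.get(source, [source])
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def first_match(rules, src_ip):
    """pfSense evaluates interface rules top-down; the first matching rule decides the gateway."""
    for rule in rules:
        if source_matches(rule.source, src_ip):
            return rule
    return None  # no pass rule: implicit deny


def egress(rules, src_ip, routes_pulled):
    """Interface the host's traffic leaves by, given the rule set and whether the tunnel
    was allowed to push its default route ('Don't pull routes' left unchecked)."""
    rule = first_match(rules, src_ip)
    if rule is None:
        return "blocked"
    if rule.gateway == VPN_GW:
        return VPN_IF
    # "Default" gateway: the routing table decides, and a pulled 0.0.0.0/1 + 128.0.0.0/1
    # pair sends everything into the tunnel regardless of the rule.
    return VPN_IF if routes_pulled else WAN_IF


# The guide's result: one rule, every LAN host policy routed out the VPN.
ALL_OR_NOTHING = [Rule("LAN net via VPN", LAN_NET, VPN_GW)]

# The layout from the thread (anti-lockout rule left out): alias rule first, catch-all below it.
SPLIT = [
    Rule("VPN hosts via VPN", "VPN_HOSTS", VPN_GW),
    Rule("Everyone else via default", LAN_NET, None),
]

# The same two rules in the wrong order: the catch-all swallows the VPN hosts too.
SPLIT_WRONG_ORDER = list(reversed(SPLIT))
```

Note that the catch-all rule only keeps "everyone else" on the WAN when the tunnel's default route is not pulled; with it pulled, the rule set looks right but every host still exits the VPN.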

                                      Thanks guys!

                                      So I will do the following

                                       Check Don't pull routes - "Bars the server from adding routes to the client's routing table"
                                       Change the IPv4 rule to Nord only for an alias (specific hosts)
                                       Create a second IPv4 rule for the local network that goes through WAN, below the one already there for Nord

                                       @Gertjan I will check this tutorial and adapt. At first glance it looks like the one from Nord.

                                        Tom777 @Tom777

                                        Hey guys, I've messed it up.

                                        I started (during a Teams call) to add an alias, and to edit another one. None of them were in use.

                                        Teams showed suddenly that I do not have I-net connection but I was able to continue the call. After a restart no internet.

                                        What I saw in the status is that the WAN_PPPoE has no connection but the NordVPN gateway has? That is strange. How can this be, VPN connection without internet?? See screenshot.

                                        I thought, maybe I've clicked something else by mistake, and restored the config it worked before this.

                                        But no change!! I had a manual backup under automatic backups, and also downloaded a file under backup service or status, I don't remember where it is. Neither restored the previous state.

                                        That is even more crazy! How can I dare to do something, if the backup and restore function do not work??

                                        I'm now on my old router.

                                          Gertjan @Tom777

                                          @Tom777 said in NordVPN Client only for specific hosts:

                                          What I saw in the status is that the WAN_PPPoE has no connection but the NordVPN Gateway has? That is strange. How can this be, VPN connection without internet?? see screenshot

                                          Your real question is: why does the DE103NORD ..... gateway say it's "online"?
                                          Because a gateway is considered online when ping requests are sent out on that interface to some 'host', and answers come back! The gateway then shows green and online.
                                          And there you have it: who is getting pinged here? Answer: the VPN interface itself, the one on your side: 10.100.0.1 (see attached screenshot).

                                          Normally, and now you know why, a monitor IP like '8.8.8.8' is chosen. Or any remote (!) IP, as long as it isn't on your site.

                                          If your WAN_PPPOE is down, then your VPN can't work either, as it needs WAN to get out.

                                          Btw:
                                          I guess I don't need to tell you now that this (see attached screenshot) isn't going to work either.

                                          The 10.0.0.1 is a PPPOE connection, which stands for PPP over Ethernet. Such a connection also has to be established first, a bit like a VPN connection. It isn't up yet, so the 10.0.0.1 isn't valid right now.

                                            Tom777 @Gertjan
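Gertjan's diagnosis above (a gateway monitored against its own tunnel address always looks online, and a VPN gateway cannot really be up while the PPPoE WAN it rides on is down) is easy to turn into a check on a gateway inventory. This is an added example, not code from the thread or from pfSense's dpinger; the gateway records below are a constructed reproduction of the situation described, and the next-hop address 10.100.0.254 and the PPPoE local address 10.0.0.2 are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gateway:
    name: str
    local_ip: str                 # our own address on that link or tunnel
    link_net: str                 # the link/tunnel prefix
    gateway_ip: str               # next hop
    monitor_ip: Optional[str]     # None: the gateway IP itself is monitored
    link_up: bool                 # PPPoE session / OpenVPN tunnel actually established?
    depends_on: Optional[str] = None  # a VPN gateway rides on its WAN gateway


def monitor_target(gw):
    return gw.monitor_ip or gw.gateway_ip


def monitor_warnings(gw):
    """Reasons this gateway's 'online' verdict may not mean what the dashboard implies."""
    target = ipaddress.ip_address(monitor_target(gw))
    warnings = []
    if target == ipaddress.ip_address(gw.local_ip):
        warnings.append("monitor target is our own address: pings are answered locally and always succeed")
    elif target in ipaddress.ip_network(gw.link_net, strict=False):
        warnings.append("monitor target is on the link itself: it proves the peer answers, not that "
                        "traffic beyond it flows; monitor a remote host such as 8.8.8.8 instead")
    return warnings


def reported_state(gw):
    """What the status page would show: a gateway monitored against itself looks online
    whatever the link is doing; otherwise the verdict follows the link."""
    if ipaddress.ip_address(monitor_target(gw)) == ipaddress.ip_address(gw.local_ip):
        return "online"
    return "online" if gw.link_up else "down"


def effective_state(name, gateways):
    """'online' only if the link is established and every gateway it depends on is online too."""
    gw = gateways[name]
    if not gw.link_up:
        return "down"
    if gw.depends_on and effective_state(gw.depends_on, gateways) != "online":
        return "down"
    return "online"


# Constructed reproduction of the thread: PPPoE WAN not established, VPN gateway
# monitored against our own tunnel address 10.100.0.1 (other addresses made up).
GATEWAYS = {
    "WAN_PPPOE": Gateway("WAN_PPPOE", "10.0.0.2", "10.0.0.0/24", "10.0.0.1", None, link_up=False),
    "DE1073NORDVPNCOM_VPN4": Gateway("DE1073NORDVPNCOM_VPN4", "10.100.0.1", "10.100.0.0/16",
                                     "10.100.0.254", "10.100.0.1", link_up=False,
                                     depends_on="WAN_PPPOE"),
}

if __name__ == "__main__":
    for name in GATEWAYS:
        gw = GATEWAYS[name]
        print(name, "reported:", reported_state(gw), "effective:", effective_state(name, GATEWAYS))
        for w in monitor_warnings(gw):
            print("  warning:", w)
```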

                                            @Gertjan Thanks, now I understand the false online state.

                                            But how did that happen? Editing/adding aliases that are not in use should not have any effect, should they?

                                            More important: How can I restore the functioning state? I have i-net connection with the old router.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.