Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfsense constantly losing connectivity to NordVPN

    Scheduled Pinned Locked Moved OpenVPN
    18 Posts 4 Posters 4.2k Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      pftdm007 @viragomann
      last edited by pftdm007

      @viragomann said in pfsense constantly losing connectivity to NordVPN:

      So you might rather talk about DNS leaks than your upstream traffic going out to WAN?

      Yes I am. Long story short, if I do a "whats my IP" search, google returns Nord's IP, Duckduckgo returns my public (real) IP from ISP, expressvpn also returns my real IP, etc... Its all over the place. Clearly something's not right. Just to be clear, this ONLY happens when the system default GW is set to automatic or WAN... Not with Nordvpn. However setting the default GW to Nordvpn, the issue I described here initially will happen (Cannot resolve host address: ca1234.nordvpn.com:1194 (Name does not resolve))

      Also DNSBL is on pfsense, on the same machine as OpenVPN. DNSBL protects VLAN 1 & 2, while VLAN3 bypasses DNSBL completely (the DNS servers IP's are passed to the clients from the DHCP server settings).

      In short:
      VLAN 1 -> DNS servers blank in DHCP server so unbound is used , FW rules send traffic to Nord's gateway

      VLAN 2 -> Identical to VLAN1

      VLAN 3 -> DNS servers are specified by DHCP server so DNSBL is completely bypassed, FW rules send traffic to Nord's gateway

      @thenarc said in pfsense constantly losing connectivity to NordVPN:

      How do you have DNS configured? This makes me wonder if it's getting into a situation where it's trying to resolve hostnames via your VPN gateway when the VPN connection is down. I would highly recommend using IP addresses instead of hostnames in your VPN client configurations so that the establishment of VPN client connections is not dependent on DNS at all.

      I will try using Nord's IP instead of the FQDN in OpenVPN's client config and see what happens, but in the end, why do I need to set the system's default gateway to Nordvpn instead of automatic to prevent DNS leakage (or my real IP being visible)?

      V 2 Replies Last reply Reply Quote 0
      • V Offline
        viragomann @pftdm007
        last edited by

        @pftdm007
        So you will have to direct DNS upstream traffic from unbound is directed out to the VPN gateway.

        If you only need the Resolver for VLANs which should not get internet access, when the DNS is down anyway, you can simply state to VPN interface only for outgoing connections in the settings.

        If you want unbound to also resolve when the VPN is down, you will have to run it in forwarder mode. So it directs DNS requests to the servers stated in General settings accordingly to the routing table.

        P 1 Reply Last reply Reply Quote 0
        • P Offline
          pftdm007 @viragomann
          last edited by

          @viragomann said in pfsense constantly losing connectivity to NordVPN:

          So you will have to direct DNS upstream traffic from unbound is directed out to the VPN gateway.

          Not sure I understand that. Can you elaborate a bit? Unbound is serving VLAN 1 & 2 because I want DNSBL on those. VLAN3 doesnt need DNSBL (its a DMZ) so I am passing Nord's DNS servers directly via the DHCP server settings. Simple enough.

          @viragomann said in pfsense constantly losing connectivity to NordVPN:

          If you only need the Resolver for VLANs which should not get internet access, when the DNS is down anyway, you can simply state to VPN interface only for outgoing connections in the settings.

          Sorry, this sentence doesnt make sense to me.

          @viragomann said in pfsense constantly losing connectivity to NordVPN:

          If you want unbound to also resolve when the VPN is down, you will have to run it in forwarder mode.

          Its already running in FW mode, always has been.

          1 Reply Last reply Reply Quote 0
          • V Offline
            viragomann @pftdm007
            last edited by

            @pftdm007 said in pfsense constantly losing connectivity to NordVPN:

            why do I need to set the system's default gateway to Nordvpn instead of automatic to prevent DNS leakage (or my real IP being visible)?

            Presumably because NordVPN is not the default gateway.
            I guess, you have checked "Don't pull or don't add routes" in the client settings.

            @pftdm007 said in pfsense constantly losing connectivity to NordVPN:

            @viragomann said in pfsense constantly losing connectivity to NordVPN:

            So you will have to direct DNS upstream traffic from unbound is directed out to the VPN gateway.

            Not sure I understand that. Can you elaborate a bit? Unbound is serving VLAN 1 & 2 because I want DNSBL on those. VLAN3 doesnt need DNSBL (its a DMZ) so I am passing Nord's DNS servers directly via the DHCP server settings. Simple enough.

            pfSense routes out upstream traffic accordingly to its routing table as already mentioned. So if your WAN gateway is the default, DNS traffic goes out on WAN.

            Hence if you want VLAN 1 & 2 to use unbound cause of DNSBL you have to direct outgoing requests from unbound to the vpn gateway.

            My assumption is that VLAN 1 & 2 should never go out to the WAN, but only to the VPN. If that's the case, you can also direct ounbound's upstream strictly to the VPN gateway.
            But I think, that won't be possible in forwarder mode, except if you state the NordVPN's IP in the client settings.

            P 1 Reply Last reply Reply Quote 0
            • P Offline
              pftdm007 @viragomann
              last edited by

              @viragomann

              @viragomann said in pfsense constantly losing connectivity to NordVPN:

              I guess, you have checked "Don't pull or don't add routes" in the client settings.

              You are right. This was recommended by Nord's if I recall correctly to minimize chance of DNS leaks...

              @viragomann said in pfsense constantly losing connectivity to NordVPN:

              Hence if you want VLAN 1 & 2 to use unbound cause of DNSBL you have to direct outgoing requests from unbound to the vpn gateway.

              Already setup Unbound to use only the VPN gateways.

              @viragomann said in pfsense constantly losing connectivity to NordVPN:

              My assumption is that VLAN 1 & 2 should never go out to the WAN, but only to the VPN

              NONE of the VLAN's should go out thru WAN, all should go thru VPN. The only distinction is that VLAN3 doesnt use Unbound for DNS resolution but use Nord's DNS directly. However, it is forced to go out thru VPN because of the FW rule which forces traffic to use the VPN gateway.

              Thats the only interface behaving 100% as expected. Bypassing unbound seems to do the trick........

              1 Reply Last reply Reply Quote 0
              • P Offline
                pftdm007
                last edited by pftdm007

                Regarding the main issue of this thread

                It is still a no go... A few days ago I setup a multi-gateway VPN group following the instructions found here. First of all, congrats to whoever wrote this site, its flawless and super well detailed.

                Things worked out very reliably until now. FYI I work from home and use my internet connection with pfsense all day. About 10mins ago, I got a notification email from pfsense saying

                Notifications in this message: 1
                ================================
                16:49:13 MONITOR: NORDVPN3_VPNV4 has packet loss, omitting from routing group NORDVPN_Group
                10.8.0.1|10.8.0.3|NORDVPN3_VPNV4|15.596ms|4.6ms|27%|down|highloss
                

                I tried to send emails, browse the web, here we go again. No internet.

                I am no longer seeing DNS resolution issues in OpenVPN's logs because it is now configured with Nord's IP adresses instead of their FQDN.

                When the connection crashed, the dashboard widget had the 3rd VPN gateway (from the group) saying Status = "Unknown" & RTT, RTTsd & Loss = "Pending"

                I restarted all three OpenVPN services under Status > OpenVPN and the internet came back. However, things are not perfect yet (see screenshot).

                pfs.png
                So whats going on with this ? Is it Nordvpn having issues ? I will send them this forum thread so they can see for themselves, but I suspect an issue with pfsense or openvpn more than anything else at this point.

                Not to complain per se, but before setting up this VPN "stuff" (!) pfsense was rock solid for many years...

                T 1 Reply Last reply Reply Quote 0
                • T Offline
                  TheNarc @pftdm007
                  last edited by

                  @pftdm007 I can say from experience that Nord's servers (and I would venture to guess most VPN providers' servers) have relatively frequent transient latency and packet loss spikes. It's definitely not something you'd want to rely on for anything where ~100% uptime is mission critical.

                  P 1 Reply Last reply Reply Quote 0
                  • P Offline
                    pftdm007 @TheNarc
                    last edited by

                    @thenarc

                    I feel the same, but why pfsense doesnt use the leftover interface from the VPN group that still is connected to their servers?

                    In other words, why am I losing 100% connectivity to the internet if only one or 2 of the gateways are down? Shouldn't the 3rd one take over and cover everything until the other two that are down or experiencing timeouts,packet loss come back to normal?

                    T 1 Reply Last reply Reply Quote 0
                    • T Offline
                      TheNarc @pftdm007
                      last edited by

                      @pftdm007 You're correct, it should. And in my experience it does, but in can take a minute or two as existing connections through the tunnel that went down are broken and then need to be re-established through one that's still up. So it's not something that would be transparent for sure, but you're saying it just doesn't happen at all no matter how long you wait?

                      I'm wondering whether you may want to try this option ( System > Advanced > Miscellaneous) to immediately kill all connections when a gateway goes down to (hopefully/maybe) reduce the lag time between a tunnel going down and any active connections using it being forced to reestablish over a tunnel that's still up. Of course it will have the byproduct of also killing any connections that are already going through a tunnel that's still up and making them reestablish as well. But maybe worth trying to see if it improves your observed behavior.

                      fd9ddecd-6676-486a-a0b3-4f707b39d00d-image.png

                      P 1 Reply Last reply Reply Quote 0
                      • P Offline
                        pftdm007 @TheNarc
                        last edited by pftdm007

                        @thenarc said in pfsense constantly losing connectivity to NordVPN:

                        So it's not something that would be transparent for sure, but you're saying it just doesn't happen at all no matter how long you wait?

                        Yes, at least whne it happened yesterday I waited about 5 minutes or so but the status of the gateways stayed the same, and the connection was still down. After I force restarted the Openvpn service, the gateways went back up (albeit 2 of them still screwed up as per screenshot I posted above).

                        @thenarc said in pfsense constantly losing connectivity to NordVPN:

                        making them reestablish as well. But maybe worth trying to see if it improves your observed behavior.

                        I agree with you, that makes sense, it has pretty much the same effect as issuing a force restart on the underlying services (without of course restarting them for real)... But I wonder, can it cause data corruption or other issues with services that are actively communicating, etc? I have in mind, for example, if I am on a VOIP call, will my call be dropped or will I only see a small "hiccup" and nothing else? This is more of a general networking question than a VPN question.....

                        EDIT: I just realised that my VOIP ATA has been offline for many hours, if not for more than a day hence causing me to miss several phone calls... The ATA couldnt, for some esoteric reasons, establish a connection to the VOIP server even if the FW rules are all in order (and worked for many years before implementing this disaster of vpn). Rebooting pfsense solved it but I dont trust this for long. Will give myself a few days then I'm reverting everything and cancelling nordvpn.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.