Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    22.05 and NordVPN tunneling

    Scheduled Pinned Locked Moved General pfSense Questions
    23 Posts 2 Posters 2.9k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      davidstoll @stephenw10
      last edited by

      @stephenw10
      So, if I use UDP, it cuts the speed way down. If I use Nord Lynx, it helps a LOT (testing with the same server). Is it possible to setup Nordlynx on pfsense?

      1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by

        Nord Lynx is mostly Wireguard. So...maybe! I've never tried it and it may require some extra bits pfSense cannot currently do.

        OpenVPN over TCP is almost always significantly slower than UDP. So if you're seeing the opposite that's suspicious. What settings have you tried? What were you using for the results you have stated here?

        Steve

        D 1 Reply Last reply Reply Quote 0
        • D Offline
          davidstoll @stephenw10
          last edited by

          @stephenw10
          I'm sorry I meant UDP vs Nord Lynx was slower vs faster. I can't get TCP to work, so no worry there.

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Ok, well it looks like Nord Lynx can be made to work in pfSense. You just need to install their client in something else and extract the keys first because for some reason they won't give them to you directly.

            Or use one of the other VPN providers that do support Wireguard dircetly.

            But you still haven't said what client settings you're using in OpenVPN so you might just have very slow encryption. Or no fastio. Or too smaller buffers.

            Steve

            D 1 Reply Last reply Reply Quote 0
            • D Offline
              davidstoll @stephenw10
              last edited by

              @stephenw10
              Sorry about not getting the client config to you...

              dev tun
              persist-tun
              persist-key
              ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
              cipher AES-256-CBC
              auth SHA256
              tls-client
              client
              resolv-retry infinite
              remote xxx.xxx.xxx.xxx 1194 tcp-client
              nobind
              auth-user-pass
              remote-cert-tls server
              
              1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                Ok, so you have AES-128-GCM available as a cipher via ncp which should be the fastest available. Can you see if Nord is negotiating that in the connection logs?

                Since you're using UDP I would enable FastIO and increase the send/recv buffers to 512K. Both of those should give you an increase in throughput.

                Steve

                D 1 Reply Last reply Reply Quote 0
                • D Offline
                  davidstoll @stephenw10
                  last edited by

                  @stephenw10
                  The fast io option was already checked in the pfsense client GUI. The buffer was set to "default", whatever that is and I updated to 512k.

                  On a separate note...regarding wireguard...I found another page to setup the wireguard because the reddit post ws limited....and it is overwhelming. I get the interface to show as "up", but wasn't routing traffic even though I set the pass option in the new interface and set a lan firewall entry to use that gateway.

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    Do you see recent handshakes in the Wireguard status?

                    The interface status can be misleading there.

                    Steve

                    D 1 Reply Last reply Reply Quote 1
                    • D Offline
                      davidstoll @stephenw10
                      last edited by davidstoll

                      @stephenw10
                      I had a spot where I put the private IP that the provider gave me in the wrong spot, corrected now. It appears to be connected (handshake shows green/recent), now I just have to figure out why I'm not routing...maybe a DNS issue, maybe routing through the firewall rules. Not sure yet...

                      getting....so.....close.....thank...you.....

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        Probably something in the crypto-routing that is generated by the allowed subnets.

                        Also remember that Wireguard doesn't add any routing for you so you must add that manually if you need it. Though you're probably using policy routing here.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.