New to pfSense and NordVPN - Is there a 2.7.2 guide for configuring them?
-
Welcome to you all. Please be gentle, I am a rookie in many ways. I have configured pfSense on a Protectli 4 port AMD box. I successfully have it running using OpenDNS as my DNS servers to keep content safer for us and to protect visitors. I want to use NordVPN for their VPN services running on the pfSense router as well as their other products they offer. I am using Norton 360 but it is really expensive and continually nags me to spend more money with them.
I have tried several guides for installing NordVPN on pfSense that I found on the Interweb but none of them match the configuration fields found in 2.7.2. Has anyone built a guide for pfSense 2.7.2 and NordVPN? The latest one I found was 2.5.2 and there are a lot of differences in the fields in the various functions. I bailed on NordVPN today telling them I can't get it configured to work with my running 2.7.2 system. I really want to get it working so I can dump Norton 360.
Thanks in advance.
Dave -
@DaveC0 said in New to pfSense and NordVPN - Is there a 2.7.2 guide for configuring them?:
Welcome to you all.
Welcome to me.
Now what part of your config is not working? Show some screenshots of what you have done so far. -
I'm currently running 2.7.0 with NordVPN without any issues. NordVPN takes a long time to update or sometimes never updates its instructions for the latest pfSense update. The current NordVPN instructions work for the latest pfSense version. Just follow the directions as closely as possible or you can always restore a functioning saved backup from a previous pfSense version that was configured with NordVPN like I have done for 2.7.0. Question for you... You have version 2.7.2? I'm running 2.7.0 and pfSense says I have the latest version when it checks for updates. What gives?
-
Ghost 0
Here is what I am running:
Version 2.7.2-RELEASE (amd64)
built on Wed Dec 6 13:10:00 MST 2023
FreeBSD 14.0-CURRENT
Bob.Dig:
I used this guide: https://support.nordvpn.com/hc/en-us/articles/20382523899281-pfSense-2-5-Setup-with-NordVPN
You can open this and follow along in your system to see the differences between 2.5 and 2.7.2, if you want. I know this is asking a lot and I appreciate this.
What I am finding is that a few fields are not on the page listed in the guide, there are many more fields per page than documented, some confusion as to which Nord username and password to use (is it the readable or the hashed version). Some of the NAT rules seem vague to me and the firewall rules are a bit confusing.
I asked for a refund from Nord as my 30 day free trial expires in a couple days but I told them I would be back if I had a guide document that worked. My configuration is Google Fiber ==> Google modem ==> 192.168.x.x ==> Router ==> 10.72.x.x ==> Wi-Fi and local LAN. I do not have the Google modem in bridge mode as it wipes out the Google meshed Wi-Fi in my home but I have a Wi-Fi network behind the firewall I can use. I am using OpenDNS servers for content filtering. Nord wants you to use their DNS servers so I configured pfSense to use their servers.
When I looked at the OpenVPN status the line I saw said paused and a few other possible errors. I am running without NordVPN right now because I needed to get my home back online and I cancelled their service. I am not able to test it right now so I am guessing that I hope someone can develop a step by step guide like the 2.5 Setup mentioned above only for version 2.7.2+.
Here are some log messages:
OpenVPN:
Feb 29 15:19:58 openvpn 69835 Note: --data-cipher-fallback with cipher 'AES-256-CBC' disables data channel offload.
Feb 29 15:19:58 openvpn 69835 WARNING: file '/var/etc/openvpn/client1/up' is group or others accessible
Feb 29 15:19:58 openvpn 69835 OpenVPN 2.6.8 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
Feb 29 15:19:58 openvpn 69835 library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
Feb 29 15:19:58 openvpn 69835 DCO version: FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F
Feb 29 15:19:58 openvpn 69835 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Feb 29 15:19:58 openvpn 69835 Exiting due to fatal error
I increased my GUI display log entries from 500 to 1000 as the logs from yesterday although I only have 50 OpenVPN entries in the log.
So bottom line is I can't really test things until I reenroll with NordVPN. My Norton subscription is coming due in May so I still have some time to repurchase NordVPN and test before Norton expires if I can get something that is simple enough for me to try with this version of pfSense. Make sense? (Pun intended).
Again, I wished I had posted this before I killed my Nord purchase. Thanks for offering.
-
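An added example, not part of any post in this thread: the log above shows OpenVPN warning about the mode of `/var/etc/openvpn/client1/up` and then exiting because it had to prompt for 'Enter Auth Password:', which is what OpenVPN does when its `auth-user-pass` file supplies a username but no password. The sketch below checks such a file; it assumes `up` is the credentials file pfSense hands to `auth-user-pass` (username on line 1, password on line 2), and the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Checks an OpenVPN auth-user-pass
# style credentials file without ever printing its contents.
# Return codes (defined for this example only):
#   0 ok, 1 file missing, 2 no username, 3 no password,
#   4 readable/writable/executable by group or others
check_auth_file() {
    f=$1
    [ -f "$f" ] || return 1
    # Line 1 = username, line 2 = password; strip CRs from pasted values.
    user=$(sed -n '1p' "$f" | tr -d '\r')
    pass=$(sed -n '2p' "$f" | tr -d '\r')
    [ -n "$user" ] || return 2
    [ -n "$pass" ] || return 3
    # Characters 5-10 of the ls mode string are the group and other bits;
    # this works with both FreeBSD and GNU ls.
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 4 ;;
    esac
}

# Map a return code to a short explanation.
describe_result() {
    case "$1" in
        0) echo "ok: username and password present, owner-only mode" ;;
        1) echo "credentials file not found" ;;
        2) echo "line 1 (username) is empty" ;;
        3) echo "line 2 (password) is empty: OpenVPN will try to prompt and, as a daemon, exit" ;;
        4) echo "file is accessible by group or others (chmod 600 expected)" ;;
        *) echo "unknown result" ;;
    esac
}

# Usage: sh check_up.sh /var/etc/openvpn/client1/up   (path taken from the log)
if [ $# -gt 0 ]; then
    rc=0
    check_auth_file "$1" || rc=$?
    describe_result "$rc"
fi
```

A result of 3 points at an empty Password field in the pfSense OpenVPN client settings rather than at a wrong password, since a wrong password fails later with an authentication error instead of a prompt.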
It can be a bit frustrating to get NordVPN to play nice with the latest pfSense version. I initially had the same issue that you are currently experiencing. NordVPN support is a joke when it involves other third party software, e.g., pfSense. But, I like NordVPN for its stability/cipher and pricing. However, my internet speed takes a big hit, a bit slow because I lose approximately 50% bandwidth with NordVPN enabled. But it is a necessary evil since it allows me the freedom to do things under the prying eyes of my ISP, which used to send me those pesky letters... no more DMCA letters and bandwidth throttling after enabling NordVPN.
And I make sure that I have a pfSense rule that will automatically shut down the secondary WAN gateway (no internet) if the default NordVPN gateway is down for some reason like one of the NordVPN servers suddenly shuts down for maintenance without warning. This is akin to a VPN kill switch, which is very important. You don't want to be surfing the net without your VPN always enabled. I also enabled several pfSense VLANs that I could still have access to the internet without the VPN for those situations when NordVPN is down for the count.
Anyway, IMHO: the easiest way to mitigate your situation is to temporarily roll back to pfSense 2.5 if you can find a copy. This way you can properly follow NordVPN instructions for pfSense version 2.5. And once NordVPN is implemented and running, back up the pfSense 2.5 openvpn config (diagnostics/backup & restore), then do a clean install of pfSense to 2.7.2 and restore the pfSense 2.5 config openvpn file. You mentioned PW and ID for NordVPN for pfSense; you have the option of using special id/pw codes... Don't use your true NordVPN login credentials in pfSense in case your network gets hacked. Use the NordVPN special codes for the id and pw fields in pfSense; the codes are available from NordVPN. It will generate them for you. Just log into your NordVPN account to trigger the codes. This is how I got NordVPN to work/play nice with the latest pfSense version. However, I'm running pfSense 2.7.0. This is weird because pfSense auto-update keeps saying 2.7.0 is the latest when it checks for updates. Furthermore, if you need help with pfSense rules or have other issues, reach out to one of the moderators on this forum because I'm only at the intermediate level and still learning when it comes to pfSense.
-
In doing some more research I think I may use PIA (Private Internet Access) for my VPN rather than NordVPN. It is easier to configure. I appreciate all of the help I have received so far. Thanks to all.