OPNsense Forum
English Forums => General Discussion => Topic started by: logan23 on February 07, 2021, 12:18:31 pm
-
Hi,
I'd like to use NordLynx but OPNSense currently doesn't support it.
https://nordvpn.com/blog/nordlynx-protocol-wireguard/ (https://nordvpn.com/blog/nordlynx-protocol-wireguard/)
Any news to come?
Thanks
-
It's stated in the blog that
We will soon provide tutorials on how to set it up on any third-party WireGuard client.
So ideally you could just ask NordVPN for the config, but from what I've read they haven't been that forthcoming regarding this issue.
I did however find a forum post with instructions on how to use the NordVPN Linux client to obtain the configuration
https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27 (https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27)
-
Thanks but I'm afraid these instructions won't work on FreedBSD 12.1. and may crash OPNSense.
Berkeley Unix is different from the AT&T System V Unix based systems...
-
Perhaps I was a bit unclear, I'm not suggesting you should try and install anything / run the commands listed on OPNsense, but rather on any available Linux distribution (if none at hand use a WM, Live disc etc.) to obtain the configuration which can then be used in OPNsense.
-
Thank you.
I doubt we can directly use the standard WireGuard protocol since NordVPN made its own version called NordLynx.
(see the link in my first post).
The .rpm and .deb they provide includes their customized WireGuard version, am I wrong?
-
From NordVPN:
Keep in mind that NordLynx is NOT available yet for manual connection methods such as router setups.
In other words, there are no configuration files for it.
-
I have done this using a ubuntu install to get the proper settings. Then I could forward any traffic coming from a subnet / VLAN interface through the NordVPN WireGuard tunnel. This is done reading other forum posts and other stuff online.
I'll try to post here, do not know if it will be formatted nicely though.
## Linux
### WireGuard
Install `WireGuard` on a linux machine. Check tutorial here; (https://www.wireguard.com/install/).
sudo apt install wireguard
### NordLynx
Install NordVPN. Check tutorial here; https://support.nordvpn.com/Connectivity/Linux/1325531132/Installing-and-using-NordVPN-on-Debian-Ubuntu-Raspberry-Pi-Elementary-OS-and-Linux-Mint.htm
sudo sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
Check internet IP address before you start:
curl ifconfig.me
NordVPN login:
sudo nordvpn login
Please enter your login details.
Email / Username: user@name.com
Password:
Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
Change from default VPN protocol OpenVPN to NordLynx (WireGuard):
sudo nordvpn set technology NordLynx
Technology is successfully set to 'NordLynx'.
Connect with NordVPN:
sudo nordvpn connect
Connecting to France #111 fr111.nordvpn.com
You are connected to France #111 (fr111.nordvpn.com)!
You'll notice that your public IP has changed.
curl ifconfig.me
After a successfull connection, figure out the IP scheme of this particular connection:
sudo wg
interface: nordlynx
public key: UTZ4PHmX5zAOSvdhqp0Ed8q4z0OHgMk8ztalChHaPU=
private key: (hidden)
listening port: 39069
fwmark: 0xca6c
peer: 21dz9Y6HFRzaXKLpFpcZHjcI5AJQopJW/JZShKjTKkZ=
endpoint: 11.112.192.11:51820
allowed ips: 0.0.0.0/0
latest handshake: 39 seconds ago
transfer: 3.09 KiB received, 3.46 KiB sent
persistent keepalive: every 25 seconds
(These are not valid keys by the way).
What about tunnel address?
ip address show nordlynx
8: tun0: <POINTOPINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.5.0.2/16 scope global nordlynx
valid_lft forever preferred_lft forever
Allright. Whats the opposite side's address?
ping 10.5.0.1
PING 10.5.0.1 (10.5.0.1) 56(84) bytes of data.
64 bytes from 10.5.0.1: icmp_seq=1 ttl=64 time=6.86 ms
Let's assume this is the gateway address :)
### Private key
Now, figure out which private key you have for your user:
sudo wg show nordlynx private-key
FSzJDH1171AJKldoqohndlakO3918djals/jkdjkfl0=
(This is not a valid key by the way).
Now you have everything you need. Your private key, your public key, servers public key, the endpoint address and the port. Let's try to configure OPNsense.
---
## OPNSense configuration
Allright, we have what we need to get things going regards to configuring our OPNsense firewall.
### WireGuard
#### Local
Add a server by pressing the little + icon
MAKE SURE TO SELECT "SHOW ADVANCED"
* Enabled: [-]
* Name: NordVPN
* Public Key: insert public key from `sudo wg` (`UTZ4PHmX5zAOSvdhqp0Ed8q4z0OHgMk8ztalChHaPU=`)
* Private Key: insert private key from `sudo wg show nordlynx private-key` (`FSzJDH1171AJKldoqohndlakO3918djals/jkdjkfl0=`)
* Listen Port: 51822 (use a random port which is not in use on the system)
* DNS Server: 103.86.96.100, 103.86.99.100 (https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm)
* Tunnel Address: insert inet address from `ip addr show nordlynx` (`10.5.0.2/16`)
* Peers: Nothing selected, leave blank for now
* Disable Routes: Check
* Gateway: 10.5.0.1
Click Save. Probably the DNS Server are used for allowing a FQDN on Endpoint Address instead of IP? Anyway, add the Address from which you have connected.
#### Endpoints
Create a new Endpoint by hitting the + icon. Here you will copy the information from the [peer] section (sudo wg).
Name: fr111.nordvpn.com
Public Key: insert public key from `sudo wg` (`21dz9Y6HFRzaXKLpFpcZHjcI5AJQopJW/JZShKjTKkZ=`)
Shared Secret:
Allowed IPs: 0.0.0.0/0
Endpoint Address: 11.112.192.11
Endpoint Port: 51820
Keepalive: 25
Click Save.
Now, go back to **Local**. Select the NordVPN WireGuard instance. Hit Edit (the little pencil).
* Under Peers, select the newly created `fr111.nordvpn.com` peer.
Click Save.
#### General
[-] Enable WireGuard
Hit Save.
After you have selected Save- go to List Configuration (might take some time to load).
Because of our persistent keepalive - you should see the received and sent transfer is steadily increasing. You'll also notice you have a successfull Handshake with the specific interface whenever this is > 0 (wg0).
### Assignments
Now go to Interfaces > Assignments. You'll have a new interface you can assign (`wg0`).
Assign this interface. After assignment, click the name of the interface (`OPT5` or something similar).
* Description: WAN_WG_NordVPN_FR
Leave rest of the configuration as is. Click Save.
Apply the changes.
## Gateways
Go System > Gateways
Click +Add gateway.
Name: GW_WG_NordVPN_FR
Description: PIA through WAN_WG_NordVPN_FR
Interface: WAN_WG_NordVPN_FR
* IP address: 10.5.0.1
* Far Gateway
Set rest to default.
Click Save, Apply.
## Rules
Go to Rules.
Select the designated interface (10_VPN) for your net which you would like to go out on internet through this WireGuard VPN.
Add Rule.
Allow any any IPv4, but be sure to select
* Gateway: GW_WG_NordVPN_FR - 10.5.0.1
as your gateway under Advanced settings.
While we are at it, do this to enable a kill-switch for your traffic should the WireGuard interface go down:
* Set local tag: NO_WAN_EGRESS
Click Add.
Add another rule on the same interface, but this time - make sure to select `Block`.
Leave the rest as default.
This will also be our, additional, "kill switch". Make sure the `block` rule is below the allow rule.
### Kill switch NO_WAN_EGRESS
Firewall > Rules > Floating > +Add
Action: Block
Interface: WAN
Direction: out
Description: NO_WAN_EGRESS match
Match local tag: NO_WAN_EGRESS
## NAT
Firewall > NAT > Outbound
Select Hybrid outbound NAT rule generation. Click Save and Apply Rules.
Then click +Add.
Interface: WAN_WG_NordVPN_FR
Source adress: 10_VPN net
Translation / target: Interface address
Description: 10_VPN to WG_NordVPN_FR
Save. Apply changes.
## DNS
Let us provide some security regards to DNS leaks on this 10_VPN interface of ours.
Services > DHCPv4
* 10_VPN
Add DNS servers provided by NordVPN here, so that DHCP offers DNS servers provided by NordVPN:
* DNS servers : 103.86.96.100, 103.86.99.100
If you have devices that have hardcoded DNS servers, you want to redirect those requests to NordVPN' DNS servers. We'll define an ALIAS and use NAT port forwarding to achieve this.
Firewall > Aliases. Hit the `+` icon.
* Name: ALIAS_HOSTS_NordVPN_DNS
* Type: Host(s)
* Content: 103.86.99.100, 103.86.96.100
* Description: NordVPN DNS servers
Now, go to
Firewall > NAT > Port Forward.
+Add
* Interface: 10_VPN
* Protocol: TPC / UDP
* Source: 10_VPN net
* Destination / Invert: checked
* Destination: ALIAS_HOSTS_NordVPN_DNS
* Destination port range: DNS
* Redirect target IP: ALIAS_HOSTS_NordVPN_DNS
* Redirect target port: DNS
This tutorial was of great help: https://imgur.com/gallery/JBf2RF6
### DNS leaktest
```bash
resolvectl | grep 'DNS'
```
Current DNS Server: 103.86.96.100
Download `dnsleaktest.sh` from https://github.com/macvk/dnsleaktest
bash
./dnsleaktest.sh
Your IP:
123.123.123.123 [France BE1800 K19]
You use 1 DNS server:
123.123.123.123 [France BE1800 K19]
Conclusion
DNS is not leaking
-
Thanks koushun!
That worked perfectly!
Do the settings change over time and have to be updated in OPNsense?
Edit: Sorry, old thread, but still relevant.
-
mattti, maybe you could answer your own question by now? ;D
-
I wanted to say Thank You koushun!!! You're step by step guide helped me get nordlynx working.
-
:)