Messages - koushun

#76
21.1 Legacy Series / Re: Unbound leaks all subnets
June 11, 2021, 07:12:25 PM
Can you please elaborate - and what was the end result?
#77
For anyone coming here looking for the same question;
just replace the password (your old token, which is stated if you use 'full help' within OPNsense) with the new randomized token (after you've enabled v2) from the corresponding DynDNS in your account - https://freedns.afraid.org/dynamic/v2/
#78
21.1 Legacy Series / Re: Unbound leaks all subnets
June 10, 2021, 09:08:33 AM
Woo, I've noticed the same.
#79
I have done this using an Ubuntu install to get the proper settings. Then I could forward any traffic coming from a subnet / VLAN interface through the NordVPN WireGuard tunnel. This was done by reading other forum posts and other stuff online.

I'll try to post here, do not know if it will be formatted nicely though.

## Linux
### WireGuard
Install `WireGuard` on a Linux machine. Check the tutorial here: https://www.wireguard.com/install/

```bash
sudo apt install wireguard
```


### NordLynx
Install NordVPN. Check the tutorial here: https://support.nordvpn.com/Connectivity/Linux/1325531132/Installing-and-using-NordVPN-on-Debian-Ubuntu-Raspberry-Pi-Elementary-OS-and-Linux-Mint.htm

```bash
sudo sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
```


Check your internet IP address before you start:

```bash
curl ifconfig.me
```


NordVPN login:

```text
sudo nordvpn login
Please enter your login details.
Email / Username: user@name.com
Password:

Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
```



Change from the default VPN protocol OpenVPN to NordLynx (WireGuard):

```text
sudo nordvpn set technology NordLynx
Technology is successfully set to 'NordLynx'.
```



Connect with NordVPN:

```text
sudo nordvpn connect
Connecting to France #111 fr111.nordvpn.com
You are connected to France #111 (fr111.nordvpn.com)!
```



You'll notice that your public IP has changed.

```bash
curl ifconfig.me
```


After a successful connection, figure out the IP scheme of this particular connection:

```text
sudo wg
interface: nordlynx
  public key: UTZ4PHmX5zAOSvdhqp0Ed8q4z0OHgMk8ztalChHaPU=
  private key: (hidden)
  listening port: 39069
  fwmark: 0xca6c

peer: 21dz9Y6HFRzaXKLpFpcZHjcI5AJQopJW/JZShKjTKkZ=
  endpoint: 11.112.192.11:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 39 seconds ago
  transfer: 3.09 KiB received, 3.46 KiB sent
  persistent keepalive: every 25 seconds
```

(These are not valid keys by the way).

What about the tunnel address?

```text
ip address show nordlynx
8: tun0: <POINTOPINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.5.0.2/16 scope global nordlynx
        valid_lft forever preferred_lft forever
```



Alright. What's the opposite side's address?

```text
ping 10.5.0.1
PING 10.5.0.1 (10.5.0.1) 56(84) bytes of data.
64 bytes from 10.5.0.1: icmp_seq=1 ttl=64 time=6.86 ms
```


Let's assume this is the gateway address :)

### Private key
Now, figure out which private key you have for your user:

```text
sudo wg show nordlynx private-key
FSzJDH1171AJKldoqohndlakO3918djals/jkdjkfl0=
```


(This is not a valid key by the way).


Now you have everything you need: your private key, your public key, the server's public key, the endpoint address and the port. Let's try to configure OPNsense.

---

## OPNSense configuration
Alright, we have what we need to get going with configuring our OPNsense firewall.

### WireGuard

#### Local
Add a server by pressing the little + icon

MAKE SURE TO SELECT "SHOW ADVANCED"
* Enabled: [-]
* Name: NordVPN
* Public Key: insert public key from `sudo wg` (`UTZ4PHmX5zAOSvdhqp0Ed8q4z0OHgMk8ztalChHaPU=`)
* Private Key: insert private key from `sudo wg show nordlynx private-key` (`FSzJDH1171AJKldoqohndlakO3918djals/jkdjkfl0=`)
* Listen Port: 51822 (use a random port which is not in use on the system)
* DNS Server: 103.86.96.100, 103.86.99.100 (https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm)
* Tunnel Address: insert inet address from `ip addr show nordlynx` (`10.5.0.2/16`)
* Peers: Nothing selected, leave blank for now
* Disable Routes: Check
* Gateway: 10.5.0.1

Click Save. Probably the DNS servers are used for allowing an FQDN as the Endpoint Address instead of an IP? Anyway, add the address from which you have connected.

#### Endpoints
Create a new Endpoint by hitting the + icon. Here you will copy the information from the [peer] section (`sudo wg`).

* Name: fr111.nordvpn.com
* Public Key: insert public key from `sudo wg` (`21dz9Y6HFRzaXKLpFpcZHjcI5AJQopJW/JZShKjTKkZ=`)
* Shared Secret: (leave blank)
* Allowed IPs: 0.0.0.0/0
* Endpoint Address: 11.112.192.11
* Endpoint Port: 51820
* Keepalive: 25

Click Save.

Now, go back to **Local**. Select the NordVPN WireGuard instance. Hit Edit (the little pencil).

* Under Peers, select the newly created `fr111.nordvpn.com` peer.

Click Save.

#### General
[-] Enable WireGuard

Hit Save.

After you have selected Save- go to List Configuration (might take some time to load).

Because of our persistent keepalive, you should see the received and sent transfer steadily increasing. You'll also notice you have a successful Handshake with the specific interface (wg0) whenever this is > 0.

### Assignments
Now go to Interfaces > Assignments. You'll have a new interface you can assign (`wg0`).

Assign this interface. After assignment, click the name of the interface (`OPT5` or something similar).

* Enable Interface
* Description: WAN_WG_NordVPN_FR

Leave the rest of the configuration as is. Click Save.

Apply the changes.

## Gateways
Go to System > Gateways.
Click +Add gateway.

* Name: GW_WG_NordVPN_FR
* Description: PIA through WAN_WG_NordVPN_FR
* Interface: WAN_WG_NordVPN_FR
* IP address: 10.5.0.1
* Far Gateway

Set the rest to default.

Click Save, Apply.

## Rules
Go to Firewall > Rules.

Select the designated interface (10_VPN) for the net which you would like to send out to the internet through this WireGuard VPN.

Add Rule.

Allow any/any IPv4, but be sure to select
* Gateway: GW_WG_NordVPN_FR - 10.5.0.1
as your gateway under Advanced settings.

While we are at it, do this to enable a kill switch for your traffic should the WireGuard interface go down:
* Set local tag: NO_WAN_EGRESS

Click Add.

Add another rule on the same interface, but this time make sure to select `Block`.
Leave the rest as default.

This will also be our additional "kill switch". Make sure the `Block` rule is below the allow rule.

### Kill switch NO_WAN_EGRESS
Firewall > Rules > Floating > +Add

* Action: Block
* Interface: WAN
* Direction: out
* Description: NO_WAN_EGRESS match
* Match local tag: NO_WAN_EGRESS

## NAT
Firewall > NAT > Outbound
Select Hybrid outbound NAT rule generation. Click Save and Apply Rules.

Then click +Add.

* Interface: WAN_WG_NordVPN_FR
* Source address: 10_VPN net
* Translation / target: Interface address
* Description: 10_VPN to WG_NordVPN_FR

Save. Apply changes.

## DNS
Let us provide some security with regard to DNS leaks on this 10_VPN interface of ours.

Services > DHCPv4

* 10_VPN

Add the DNS servers provided by NordVPN here, so that DHCP offers the NordVPN DNS servers:

* DNS servers: 103.86.96.100, 103.86.99.100

If you have devices that have hardcoded DNS servers, you want to redirect those requests to NordVPN's DNS servers. We'll define an ALIAS and use NAT port forwarding to achieve this.

Firewall > Aliases. Hit the `+` icon.
* Name: ALIAS_HOSTS_NordVPN_DNS
* Type: Host(s)
* Content: 103.86.99.100, 103.86.96.100
* Description: NordVPN DNS servers

Now, go to
Firewall > NAT > Port Forward.

+Add

* Interface: 10_VPN
* Protocol: TCP / UDP
* Source: 10_VPN net
* Destination / Invert: checked
* Destination: ALIAS_HOSTS_NordVPN_DNS
* Destination port range: DNS
* Redirect target IP: ALIAS_HOSTS_NordVPN_DNS
* Redirect target port: DNS

This tutorial was of great help: https://imgur.com/gallery/JBf2RF6

### DNS leaktest

```bash
resolvectl | grep 'DNS'
```
```text
Current DNS Server: 103.86.96.100
```

Download `dnsleaktest.sh` from https://github.com/macvk/dnsleaktest

```text
./dnsleaktest.sh

Your IP:
123.123.123.123 [France BE1800 K19]

You use 1 DNS server:
123.123.123.123 [France BE1800 K19]

Conclusion
DNS is not leaking
```
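As an added example (not the post's own code), the script below parses the `sudo wg` and `ip address show nordlynx` output from the Linux step into the values entered in the OPNsense Local and Endpoint forms. The sample output is constructed with the post's dummy keys, and deriving the gateway as the .1 address of the tunnel network is the post's assumption (confirmed by its ping), not something `wg` reports.

```python
import re
# Constructed sample output, shaped like the post's `sudo wg` and
# `ip address show nordlynx` output; the keys are dummies, not real keys.
WG_OUTPUT = """\
interface: nordlynx
  public key: UTZ4PHmX5zAOSvdhqp0Ed8q4z0OHgMk8ztalChHaPU=
  private key: (hidden)
  listening port: 39069

peer: 21dz9Y6HFRzaXKLpFpcZHjcI5AJQopJW/JZShKjTKkZ=
  endpoint: 11.112.192.11:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 39 seconds ago
  persistent keepalive: every 25 seconds
"""
IP_OUTPUT = """\
8: nordlynx: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
    inet 10.5.0.2/16 scope global nordlynx
"""
PRIVATE_KEY = "FSzJDH1171AJKldoqohndlakO3918djals/jkdjkfl0="  # dummy, stands in for `wg show nordlynx private-key`

def parse_wg(text):
    # Split `wg show` output into the interface block and one dict per peer block.
    iface, peers, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("interface:"):
            current = iface
        elif line.startswith("peer:"):
            current = {"public key": line.split(":", 1)[1].strip()}
            peers.append(current)
        elif ":" in line and current is not None:
            key, value = line.strip().split(":", 1)
            current[key] = value.strip()
    return {"interface": iface, "peers": peers}

def opnsense_fields(wg_text, ip_text, private_key):
    # Map the parsed output onto the OPNsense Local and Endpoint fields from the post.
    wg = parse_wg(wg_text)
    peer = wg["peers"][0]                                   # NordLynx has exactly one peer
    host, port = peer["endpoint"].rsplit(":", 1)
    tunnel = re.search(r"inet (\S+)", ip_text).group(1)     # e.g. 10.5.0.2/16
    # The post confirmed the gateway by pinging .1; assumption: first three octets of the tunnel address, last octet 1.
    gateway = ".".join(tunnel.split("/")[0].split(".")[:3] + ["1"])
    keepalive = int(re.search(r"every (\d+) seconds", peer["persistent keepalive"]).group(1))
    return {
        "local": {"Public Key": wg["interface"]["public key"], "Private Key": private_key,
                  "Tunnel Address": tunnel, "Gateway": gateway, "Disable Routes": True},
        "endpoint": {"Public Key": peer["public key"], "Allowed IPs": peer["allowed ips"],
                     "Endpoint Address": host, "Endpoint Port": int(port), "Keepalive": keepalive},
    }
```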




#80
General Discussion / Re: DNS Redirect
March 02, 2021, 12:50:56 PM
This is how I would have redirected any DNS requests not going to my Firewall, but instead redirect those requests to Cloudflare's DNS (1.1.1.1).

Firewall: Aliases. Add a new alias, which is Type: Host(s) and in the Content section, add your IP addresses of the specific devices you would like to point to another DNS than Google's.

Name: ALIAS_HOSTS_DNS_REDIR

Then I would go;
Firewall: NAT: Port Forward and "+Add".

Interface: LAN / VLAN xx
Protocol: TCP/UDP
(Source) Address: ALIAS_HOSTS_DNS_REDIR
(Source) Ports: *
(Destination) Address: !This Firewall
(Destination) Ports: 53 (DNS)
(NAT) IP: 1.1.1.1 (Cloudflare DNS)
(NAT) Ports: 53 (DNS)
Description: Redirect external DNS to Cloudflare DNS

Disable NAT reflection (?).


When I come to think of it, you do not have to bother with creating an ALIAS for these hosts.

This rule above will direct TCP/UDP traffic destined for port 53 NOT (remember, "!") going to ANY of your OPNSense interfaces' IP (This Firewall), to the selected IP address (1.1.1.1) and port (53).

I think this will do what you want?
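
Added example (not code from either post): the rule evaluation below models the inverted-destination port-forward rule from this post ("!This Firewall" to 1.1.1.1) together with the NordVPN variant from the WireGuard post above (destination not in the NordVPN DNS alias), and runs constructed DNS flows through it to show which queries get redirected and which pass through. The firewall interface IPs, the 10_VPN net and the client addresses are assumptions; the alias contents follow the posts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"

@dataclass
class RedirectRule:
    # One Firewall > NAT > Port Forward rule, as entered in the GUI.
    description: str
    source: list          # source networks/hosts; [] means any
    destination: list     # alias content, or the firewall's own addresses for "This Firewall"
    destination_invert: bool
    dport: int
    redirect_ip: str
    redirect_port: int
    protocols: tuple = ("tcp", "udp")

def _in(addr, entries):
    return any(ip_address(addr) in ip_network(e, strict=False) for e in entries)

def apply_rules(flow, rules):
    # Return the (dst, dport) the packet is delivered to after the first matching rule.
    for r in rules:
        if flow.proto not in r.protocols or flow.dport != r.dport:
            continue
        if r.source and not _in(flow.src, r.source):
            continue
        # With Invert set, the rule matches destinations NOT in the list (the "!" in the post).
        if _in(flow.dst, r.destination) == r.destination_invert:
            continue
        return (r.redirect_ip, r.redirect_port)
    return (flow.dst, flow.dport)   # no rule matched: the packet goes where it was addressed

# Constructed values: firewall interface IPs and the 10_VPN net are assumptions; alias contents follow the posts.
FIREWALL_IPS = ["192.168.1.1", "10.10.10.1"]
NORDVPN_DNS = ["103.86.96.100", "103.86.99.100"]
# WireGuard post: 10_VPN hosts, destination NOT the NordVPN DNS alias -> NordVPN DNS (first alias entry used here).
RULE_NORDVPN = RedirectRule("10_VPN hardcoded DNS to NordVPN", ["10.10.10.0/24"], NORDVPN_DNS, True, 53, NORDVPN_DNS[0], 53)
# This post: any source, destination NOT "This Firewall" -> Cloudflare 1.1.1.1.
RULE_CLOUDFLARE = RedirectRule("Redirect external DNS to Cloudflare DNS", [], FIREWALL_IPS, True, 53, "1.1.1.1", 53)
```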

#81
General Discussion / Re: DNS Redirect
March 01, 2021, 02:13:59 PM
....

I might have misread. Or misunderstood..

It should not redirect to Unbound after you've hit apply. It should have been redirected to your preferred server. You might have to flush your DNS / not try a name that is cached? Check drill / nslookup / dig.

Anyhow.
If you invert that alias, those devices will not go to your loopback, correct. They will go to whatever is configured.

You want to have some devices use a preferred external DNS? But redirect hardcoded ones? And some devices should use your Unbound resolver.
What about creating more rules and more aliases?

I think you've got this :)

#82
General Discussion / Re: DNS Redirect
March 01, 2021, 01:26:23 PM
Can't you just define an ALIAS for those hosts that should go to an external / different DNS server other than your Unbound, and in the NAT port forward rule add this ALIAS as source, but only as inverted?

koushun
#83
@ManuelOS

Do you have DHCP Registration / DHCP Static Mappings enabled? Under Services > Unbound.

I have another firewall which is on pfSense 2.5 where Unbound was upgraded, due to a CVE. The temporary solution was to disable those features mentioned above.

I am still on OPNsense 20.7.8_4-amd64 on my other site, and I have not experienced anything there yet.

https://forum.netgate.com/topic/160005/unbound-crashes-periodically-with-signal-11/73

A permanent fix was to upgrade Unbound and restart the service: https://forum.netgate.com/post/966932

Do not know if this is related or is of any help.

koushun

#84
mimugmail

Great job! Looking forward to check this one out.

How about adding chronyc clients
https://github.com/opnsense/plugins/issues/2162#issuecomment-757388998

..And what about the cron job workaround for synchronizing the firewall itself when Network Time is disabled?

:)
#85
Great!

Please read the forum rules, and mark this post as [SOLVED]

:)
#86
Nice.

Maybe mark this post as [SOLVED]?

I'm new to this forum- but I have browsed through every page of forum posts to check where I might be of help- and there were many posts which were solved, but not marked as such.

Should be a rule in the forum guidelines about this.

koushun
#87
My guess is that whenever you use the wizard, the interfaces switch; your LAN is no longer the LAN, it is the WAN. What you think is your WAN is no longer the WAN, it has become your LAN interface.

Default for OPNsense, if I remember correctly, is to define the first available interface as the LAN.

Set a static IP address within the same network range as the firewall's LAN address on a client. Detach all cables and try to do a simple ping test on each port available on your Protectli.

When you've got a reply, you have found your LAN interface and can continue your adventure :)
#88
Check this site: https://www.cloudflare.com/en-gb/ssl/encrypted-sni/

I am just doing this with Unbound and I get a positive result on the "Secure DNS" check above;

Remove DNS Servers from System > Settings > General.

Add 1.1.1.1@853 1.0.0.1@853 under Services > Unbound DNS > Miscellaneous

Voilà.

#90
20.7 Legacy Series / Re: how to config opnsense...
January 28, 2021, 11:20:33 PM
@thorneo

I suggest reading this guide, although it is for pfSense, it is basically the same - https://nguvu.org/pfsense/pfsense-baseline-setup/