Virtual private networks / Re: OPNSense multiple WAN links and NordVPN
« on: August 09, 2023, 12:58:58 pm »
I don't have 3 WAN interfaces, but I do use multiple NordVPN tunnels, each tunnel for a different purpose. I tried IPSec tunnels, but had some issues getting them to work. Also, it seems that not every NordVPN VPN server supports IPSec. So I used the OpenVPN version (and the tutorial they have on that is more than adequate when you're familiar with VPNs).
The traffic is directed towards the NordVPN gateway in the firewall policy of the interface (all traffic on my guest network (interface) is forwarded to an OVPN tunnel, while another OVPN tunnel handles traffic for geofenced media in the US).
In your case you might need to do some static routing to make sure the correct WAN interface is used for a tunnel.
The issue I ran into is that they assign you a tunnel address from the 10.x.y.z range, and it's quite possible that you get the same IP address on different OVPN tunnels (which obviously won't work).
But I found a way around that by using different protocols and/or ports for the different tunnels. So far, when I use TCP over 443 I get an IP address from the 10.8.y.z range and UDP over 1194 gives me a 10.7.y.z address.
So that's something you need to watch out for.