NordVPN updated their OPNsense VPN setup guide to 19.1

[jkemp]

After many attempts to setup NordVPN as a client I called tech support and pointed out there are errors in that guide. I received an email stating they had updated the guide.

You can find it here:

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm

Notice the link still states 18.7 and I noticed a couple errors still remain. But others were fixed.

[jkemp]

They corrected the link:

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm

[Northguy]

Maybe it is worthwhile if you mention which errors remain, so other users of this forum are aware of it when they follow the guide in your link?

[FingerlessGloves]

After many attempts to setup NordVPN as a client I called tech support and pointed out there are errors in that guide. I received an email stating they had updated the guide.

You can find it here:

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm

Notice the link still states 18.7 and I noticed a couple errors still remain. But others were fixed.

Not a bad guide but what are the error you encounted?

[jkemp]

They already corrected one after contacting them

It showed in one of the images: 'Don't Pull Routes' was selected.
They updated that image.

Another issue that is not there, is Outbound DNS does not respect the System:Settings:General DNS entries when using the NordVPN interface. We had to enter them under each interface DHCPv4 DNS settings in order to get a resolve for hostnames.

I'm unsure if this causes each client to bypass Unbound DNS and resolve directly for each site visited.

In the advance options for the NordVPN client setup the guide mention to add:

remote-random;
reneg-sec 0;

When there is a setting for that in the GUI?
Renegotiate time: leave blank;
Select remote server at random

You can select the too settings above right in the in the GUI.

Renegotiate time: 0
Select remote server at random: checked

Inside the .ovpn file 'fast-io' is listed and should be put in the advance options as well. But I would check the server .ovpn file you are going to use. I also added the auth-nocache to prevent OpenVPN client from caching the user name and password in memory.

fast-io;
auth-nocache;

Mine looks like this:

tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
remote-cert-tls server;
fast-io;
auth-nocache;



 

[jkemp]

Another note to watch out for when setting up your own client.

The guide state to use:

AES-256-GCM

When using that cipher you may get this error:

openvpn[24738]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'

So be sure to check inside the .ovpn file. The server I choose uses:

AES-256-CBC

The guide does not mention some servers may use a different cipher:

[franco]

> Another issue that is not there, is Outbound DNS does not respect the System:Settings:General DNS entries
> when using the NordVPN interface. We had to enter them under each interface DHCPv4 DNS settings in order to
> get a resolve for hostnames.

Well, that's not a fundamental issue but simply how Unbound works: it doesn't care about global DNS servers if it doesn't run in forward mode. That would be the easiest "fix", although you lose the benefits of running Unbound as a resolver.

IMO NordVPN should rethink what they are doing there with the global server requirement.


Cheers,
Franco