Opnsense NordVPN does not work

Started by gandizzle, October 19, 2025, 04:38:38 PM

Hello everyone,

I'm looking for a step-by-step guide to help me set up NordVPN on OPNsense. My goal is to have one of my VLANs use the VPN connection exclusively for internet access.

I've already tried several tutorials, but none of them worked. Usually, the process fails when I need to create a new gateway — at that point, I lose my internet connection. My default gateway is a FRITZ!Box, and as I understand it, it makes sense that I lose connectivity once I stop using the FRITZ!Box gateway, since the newly created NordVPN gateway doesn't actually provide internet access by itself.

Currently, my FRITZ!Box acts more or less as a modem, and the OPNsense firewall is configured as an exposed host. The setup then connects to a managed switch, and I'd like to have one of the VLANs use the VPN for outbound internet traffic.

Here are the screenshots of my settings.

I followed this guide: https://sysadmin102.com/2025/01/opnsense-wireguard-nordvpn-setup/

These are the NordVPN settings that I get with Git-Bash:

de963.nordvpn.com

5.180.62.45

Frankfurt

Germany

de963.proxy.nordvpn.com

de963.proxy.nordvpn.com

m0tej5P6pYfBivkJc8yRV4KqQXmM81AChLlzlsOSjSs=

8443

15

I found a similar tutorial on YouTube: https://youtu.be/fFszlJpTBoc?si=sS3dea6xXUlFxcpl. The steps are pretty much the same, but with Mullvad VPN. I also tried that and even bought a Mullvad subscription, but I ended up with the same issue — as soon as the new gateway becomes active, I lose my internet connection. I just don't understand what the problem is.

November 08, 2025, 01:53:10 PM #3 Last Edit: November 08, 2025, 02:23:48 PM by meyergru
You should always consult the official documentation. It seems you use the wrong gateway settings; note that in step 6 of the official guide, it says:

Quote: Insert the gateway IP that you configured under the WireGuard Instance configuration

What you configured is the IP of the NordVPN WireGuard server, which is a different thing.

I have exactly this running with the following setup:

1. Set up WireGuard VPN peers and instance (steps 1 and 2 of the official guide):

Note that I have several peers, but enable only one of them at a time.

Then follow steps 3-5 of the official documentation (i.e. turn on WireGuard, assign an interface and restart WireGuard).

2. Create a gateway (step 6 of the official guide):

3. Create an Alias for the relevant local hosts that will access the tunnel with either MACs or IPv4 of the VPN clients (i.e. step 7):

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

4. Create an RFC1918 alias and a firewall rule (step 8 of the official guide):

Note that I created the rule in the VLAN for the VPN_CLIENTS.

5. Configure routing for traffic generated by the router (step 9):

6. Create an outbound NAT rule (step 10):

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

November 08, 2025, 02:03:41 PM #5 Last Edit: November 08, 2025, 02:15:49 PM by meyergru
8. Add a kill switch (step 11):

9. Add a kill switch for IPv6:

The floating firewall rules should be arranged like so afterwards:

Oh, and BTW: The NORDVPN wireguard interface must not block RFC1918 addresses:

It also has to be noted that this way, local access is still possible (which it should be, so you can control your VPN clients or transfer files); however, you have to implement steps to prevent DNS leaks (check whether this works with https://www.dnsleaktest.com/).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
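
The gateway mix-up pointed out in reply #3, together with the effect of the RFC1918 policy rule and the kill switch from the later steps, as a small Python model. This is an added example, not code from the thread or from OPNsense: the function names, the 10.5.0.1 instance gateway and the 192.168.30.0/24 client network are constructed, and the fallback to the default route when the tunnel is down without a kill switch is an assumption of the model.

```python
import ipaddress

# The three private ranges an RFC1918 alias contains.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lint_gateway(gateway_ip, instance_gateway, peer_endpoint_ip):
    """Check the gateway entry (step 6) against the WireGuard instance and peer."""
    gw = ipaddress.ip_address(gateway_ip)
    if gw == ipaddress.ip_address(peer_endpoint_ip):
        return ["gateway is the provider's server endpoint, not the instance gateway"]
    if gw != ipaddress.ip_address(instance_gateway):
        return ["gateway differs from the gateway set on the WireGuard instance"]
    return []


def decide(src, dst, vpn_clients, vpn_up, kill_switch):
    """Model the path of one packet under the rules described in the thread."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(src in net for net in vpn_clients):
        return "default"   # host is not in the VPN client alias
    if any(dst in net for net in RFC1918):
        return "local"     # policy rule only matches non-RFC1918 destinations
    if vpn_up:
        return "vpn"       # policy-routed through the tunnel gateway
    # Assumption: without a kill switch, traffic falls back to the default route.
    return "blocked" if kill_switch else "default (leak)"


if __name__ == "__main__":
    # Constructed sample values; 5.180.62.45 is the server IP from the first post.
    clients = [ipaddress.ip_network("192.168.30.0/24")]
    print(lint_gateway("5.180.62.45", "10.5.0.1", "5.180.62.45"))
    print(lint_gateway("10.5.0.1", "10.5.0.1", "5.180.62.45"))
    for dst, up, ks in [("1.1.1.1", True, True), ("192.168.1.5", True, True),
                        ("1.1.1.1", False, True), ("1.1.1.1", False, False)]:
        print(dst, up, ks, "->", decide("192.168.30.10", dst, clients, up, ks))
```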