HOWTO - Routing Traffic over Private VPN

[Bennyhaha68]

Hi,

I've been trying to get NordVPN and OPNSense to connect to the internet through the tunnel. I tried to use this tutorial on NordVPN website.

https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm

No real luck with 19.1.

Spun up a couple of VirtualBox VM's, an OPNSense 18.7 and 19.1 and a Win10 client. Using the 18.7 VM the only way I can connect to the internet from the Win10 client behind the VM OPNSense 18.7 is by putting the tunnel virtual IP into the alias box for the NordVPN interface, screenshot attached.

It works until the virtual IP for the tunnel changes. Then have to go to VPN -> OpenVPN -> Connection Status and copy new tunnel virtual ip and copy it to the NordVPN (OPT1(ovpnc1)) interface alias box, like in the snip attached.

I had it working this way with 19.1, but not for long, only worked for about 15 min, but have not been able to make it repeatable since.

Have also tried to create a LAN network alias and made a rule like in the OP's post.

Is there any way to make the alias IP box take on whatever the OpenVPN client has for it's tunnel, or is there a way to include a range of IP's instead?

I have tried to insert 10.0.0.0/24, and 10.8.0.0/24 but that does not work. I have tried to use the NordVPN's hostname for the server I was trying to connect to as well, in the alias hostname box in the interface menu, that does not work either. The only way it works is with the specific IP address from the OpenVPN connection virtual IP. (In 18.7) The virtual IP in the Connection Status changes frequently.

Thoughts? Pointers? I am relatively green to OPNSense. Maybe I'm missing a really simple check box or setting/rule?

Would really prefer to use 19.1 as it's the latest, and is running in my real environment now.

Thanks for your time!

Edit for pic...

[Northguy]

OK, had the same struggles as a lot of you. Finally managed to solve this for Surfshark VPN.
 
I started out with the NordVPN guidelines and could get the Tunnel connected, but could not reach the internet. DNS issues and such. For me, there were some critical differences in configuration to make VPN work with the guide.

Tunnel was connecting, but I never got internet to work. After reading this thread over and over again, the most helpful information I gathered came from this reply from user NilsS

My learnings/changes in configuration:

• Interface Configuration Type: DHCP NONE;
• Create a LAN pass rule for DNS to your Gateway IP (192.168.1.1)
• Solve DNS leak by forwarding VPN traffic to Cloudflare

See attached screenshots for my setup. Good luck in replicating.

[Bennyhaha68]

Thanks Northguy!

I believe I have it working now. Although, can't tell you why. Setting the Interface Config Type to NONE, helped a lot at first. Then updated the 18.7 VM to 18.7.10. Lost DNS. Copied your rules, a few reboots later and DNS still not working.

Tried a few other things, lost internet connectivity again, until I switched Interface Config Type back to DHCP and copied the tunnel address to the alias. Weird thing is, at this point, only have to do that once. When the tunnel changes it's virtual IP, I still have connectivity, even through a reboot of client and router (VMs). *shrug*

Then all of a sudden DNS started working. Undid the few things I had tried, rebooted after undoing each one, and it still works. 

Updated the VM to 19.1 and then to the latest 19.1.8 and after router VM and client VM reboot. DNS and internet still working...

...now to integrate this setup on my real network....

Just curious, can I ask what you have in your VPN_DNS_Servers alias?

I had the one that NordVPN has in the tutorial, and then also added Cloudflare's as well.  Does yours only contain Couldflare's?


Once I get this working on the real deal, I would like to try grouping gateways that NilsS had posted on page 2 of this thread.


Thanks again!!

[mimugmail]

Regarding the SharkVPN guide, it should be AES-CBC and not GCM, GCM doesn't make sense and produces errors in log.

[Northguy]

Regarding the SharkVPN guide, it should be AES-CBC and not GCM, GCM doesn't make sense and produces errors in log.

Correct. This is also stated in the SurfShark *.ovpn file. Don't know about NordVPN though, so Bennyhaha68 should check that for himself

[Bennyhaha68]

Yes, that was very early in the troubleshooting process. Matching the cipher algos with the .opvn files from NordVPN for the specific server that I was attempting to connect to. It did throw errors if they did not match, however the connection would still show as "up". 

Felt better about it if they did match though, probably works better too.

Also, I see the tun-mtu (or mss?, can't remember off hand) number mismatched when connecting at times, log states it decides to match them, and does not seem to affect connection.

So, because the VM OPNSense is attached to a bridged VM adapter, all traffic still travels through my physical machine, and does not change my public ip. However, I was suffering the wrath of wifey and kids messing with the physical machine trying to troubleshoot. Now that I have the VM passing internet with the VPN service as the interface, I believe it can be repeated with the physical machine.

Thanks again!

[JhonnyMnemonic]

Someone had any lucky in forwarding a port trought the VPN tunnel?
If yes can you please explain how you configured OPNsense. Thanks

[mweis]

i am rly struggling with adding "privateinternetaccess" to my opnsense.

everything is fine, till the step "Firewall-Nat-Outbound" actually i am on hybrid, and after i click on "Manual outbound NAT" and click save and reply. i got no rules autogenerated and i am offline.

Hybrid-Mode-Settings:


Manual Mode Settings:



My goal is to have some clients specific to use PIA, the rest just go online the usual way. How can i do this?

[mimugmail]

When you switch from Hybrid to manual you need those auto rules already manually added. Otherwise they are gone.

[mweis]

okay i got it work, but i dont know if this is the best way. the problem was the dns server from pia i have to add to the client by dhcp reservation. is this fine? i dont know if there is a better way to tell the clients the dns server from pia

[koAllen]

I just got this working using a fresh OPNsense install (18.1.6).  In the VPN client configuration, you definitely want to leave "Don't pull routes" unchecked and check "Don't add/remove routes".

I do have the DNS problem that some people mentioned, though.  Basically, from the machine I'm forcing to go through the VPN tunnel, I am able to ping addresses on the Internet, but DNS look-ups fail. 

Using Wireshark, I see the DNS requests go out from the client to OPNsense, but I never see a reply.

In the OPNsense log, I see the DNS request come in from the client, and then a DNS reply seems to come from the OpenVPN client IP assigned to the interface.

If I manually configure my client machine to use another DNS server (e.g. 8.8.8., then everything works.

I'm using the default DNS server - "Unbound DNS" - so the next thing I'll be trying is to use Dnsmasq instead.

The changes you mentioned for the OpenVPN client config got it working (I'm running 20.7), though I haven't figure out why. Thanks a ton!

For the DNS problem you are facing, it might be because you have your DNS configured as your router and if you only have 2 rules (one to route via VPN, one to block), you won't be able to reach your router. I have to add yet another rule on top to pass traffic to "LAN net" with the default gateway setting.

[Gustl]

Hi All.

I could manage doing selective routing by performing the NordVPN OPNsense 19.x online tutorial on the newest and latest OPNsense 20.7..., additionally created (DE, UK-) Aliases with Host IPs and defining them in the rules after the basic ones and defining within the clients "Don't pull routes" selected. I have clients in the network going direct to WAN, to NordVPN servers in Germany and UK. Works fine every Alias does have his own dedicated VPN. I've used pfSense 2.4.5 before and now using the same NordVPN servers as before. In OPNsense everything behaves feelable slower. Every change takes a while to be approved from the system and a restart takes very long comparing to pfSense. Everything would be fine but the VPN d/l speed is much slower now than under pfSense - about 40% loss in speed. OPNsense gives me about 60Mbps whereas under pfSense I measured full ISP speed (105Mbps). Hardware is a APU2C4 which does have the capability of at least 150Mbps - may be I have to update the APU-BIOS which I couldn't figure out until now what BIOS it has and what BIOS Flashrom software is compatible. Does somebody have experiences in OpenVPN speed differences using different BIOS'es? The flashrom pkg I've installed already via OPNsense ssh but more was not possible. I can't give a feedback about stability now....need to await. I was not unhappy with pfSense, just want to try out. But the speed would be an issue to go back to pf when I can't optimise it. On pf for example there was an "Use fast I/O operation with UDP writes to tun/tab.Experimental."-option which really pushed up the speed. I also used pfBlocker_NG_Devil which worked perfect. No I use Unbound with Blacklists but I think I have to manually adjust some more. Nice regards.

[Broodjeworst]

Hi Guys,

Seems that what I'm trying to do is almost the same as topics starter M4DM4NZ (thanks to Koldnitz for pointed me to this topic!)
And that is adding a VPN (Nord) enabled (physical) Interface, so that one of the ports on my opensense (supermicro) box is a VPN Interface that allows me to
connect it to a switch (plain cisco) and then use any switch port to attach a device that is then "protected/behind" the VPN connection

I've combined the guide from M4DM4NZ and NilsS to combine them into something that works for me, well i thought I did and of course it doesn't work
I'm on OPNsense 20.7.7

Here we go:

STEP 1:
####################################################################
Firewall -> Aliases
[ hit the + sign to add a new alias ]
[ Type ]        Network(s)
[ Name ]        Firewall_Alias_LocalNetwork
[ Description ] All local Networks
[ Content ]
    192.168.1.1/24,192.168.2.1/24 (my current local networks)
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Network(s)
[ Name ]        Firewall_Alias_VPNNetwork
[ Description ] All Hosts/Networks that should use VPN
[ Content ]
    192.168.3.1/32
    (This one has got me confused a bit, it has netmask 255.255.255.255 aka 32 and that's just for 1 ip? I use 192.168.3.1/24 for my new Interface in step 6)
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Host(s)
[ Name ]        Firewall_Alias_Allowed_DNS
[ Description ] Allowed DNS Servers
[ Content ]
    103.86.99.100 (These are the ones from VPN provider NordVPN)
    103.86.96.100
[SAVE]

[ hit the + sign to add a new alias ]
[ Type ]        Port(s)
[ Name ]        Firewall_Alias_MS_Port_Block
[ Description ] Blocked MS Ports
[ Content ]
    137
    138
    139
    445
[SAVE]

STEP 2:
####################################################################
Firewall -> NAT -> Outbound
[X] Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)
## Used this option instead of:
##     Manual outbound NAT rule generation (no automatic rules are being generated)
## So that the automatically generated rules are not removed.
## Change the rest of the settings in step 10

STEP 3:
####################################################################
Setup Nord VPN connection, this is different then the original writeup (since I use Nord)
I've used the guide from:
https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-19-1-setup-with-NordVPN.htm

However I've changed "Encryption Algorithm: AES-256-GCM" to "Encryption Algorithm: AES-256-CBC" in the TLS Authentication section
since I got a waring in the OpenVPN logs

STEP 4:
####################################################################
VPN -> OpenVPN -> Clients:
[ Server Mode ]                 Peer to Peer (SSL/TLS)
[ Protocol ]                    UDP4 (As mentioned in the Nord guide)
[ Device mode ]                 tun
[ Interface ]                   WAN
[ Server host ]                 xxxxx.nordvpn.com
[ Server port ]                 1194
[ Retry DNS resolution ]        [X] Infinitely resolve remote server
[ User name/pass ]              Copied from by Nord Account page
[ TLS Authentication ]          [X] enable authentication of TLS packets
[ Peer Certificate Authority ]  As per the Nord guide
[ Encryption Algorithm ]        AES-256-CBC
[ Auth Digest Algorithm ]       SHA512 (512-bit)
[ Hardware Crypto ]             No Hardware Crypto Acceleration
[ Compression ]                 Disabled - No Compression
[ Disable IPV6 ]                [X]
[ Don't add/remove routes ]     [X]
[ Description ]                 NordVPN_1
[ Advanced ]
    remote-random;
    tun-mtu 1500;
    tun-mtu-extra 32;
    mssfix 1450;
    persist-key;
    persist-tun;
    reneg-sec 0;
    remote-cert-tls server;
[ Verbosity level ]             3 (recommended)
[SAVE]

STEP 5:
####################################################################
VPN -> OpenVPN -> Clients: [ NordVPN_1 -> clone ]
[ Server host ] use a different server
[ Server port ] 1194 used the same port, not sure if the tip to use a different port holds for Nord as well?
[ Description ] NordVPN_2
[SAVE]

STEP 6:
####################################################################
Interfaces -> Assignments
New interface: ovpnc1       [ + ]
New interface: ovpnc2       [ + ]
[ OPTx ]
    [ Enable Interface ]        [X]
    [ Description ]           NORDVPN1
    [ Block bogon networks ]    [X]
[SAVE]

[ OPTx ]
    [ Enable Interface ]        [X]
    [ Description ]           NORDVPN2
    [ Block bogon networks ]    [X]
[SAVE]

And I've added a new Interface called NORD:
[ OPTx ]
    [ Enable Interface ]        [X]
    { Device ]                  igbX (in my case)
    [ Description ]           NORD
    [ Block bogon networks ]    [X]
    [ IPv4 Configuration Type]  Static IPv4
    [ IPv4 address ]            192.168.3.1/24
    [ IPv4 Upstream Gateway ]   Auto-detect
[SAVE]

Services -> DHCPv4 -> NORD
[ Enable ]                      [X]
[ Range ]                       [ 192.168.3.11 - 192.168.3.244 ]

STEP 7:
####################################################################
System -> Gateways -> Single
[ NORDVPN1_VPNV6 ]
    [ Disabled ]    [X]

[ NORDVPN2_VPNV6 ]
    [ Disabled ]    [X]

[ NORDVPN1_VPNV4 ]
    [ Disabled Gatetway Monitoring ]    [ ] uncheck

[ NORDVPN2_VPNV4 ]
    [ Disabled Gateway Monitoring ]    [ ] uncheck

STEP 8:
####################################################################
System -> Gateways -> Group

[ + Add ]
[ Group Name ]          GRP_NORDVPN
[ Gateway Priority ]
    [ WAN_GW ]              [ Never ]
    [ NORDVPN1_VPNV4 ]       [ Tier 1 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_LOADBALANCE
[SAVE]

[ + Add ]
[ Group Name ]          GRP_NORDVPN_1_2
[ Gateway Priority ]
    [ NORDVPN1_VPNV4 ]       [ Tier 1 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 2 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_FAILOVER_1->-2
[SAVE]

[ + Add ]
[ Group Name ]          GRP_NORDVPN_2_1
[ Gateway Priority ]
    [ NORDVPN1_VPNV4 ]       [ Tier 2 ]
    [ NORDVPN2_VPNV4 ]       [ Tier 1 ]
[ Trigger Level ]       Packet Loss or High Latency
[ Description ]         GROUP_NORDVPN_FAILOVER_2->-1
[SAVE]

STEP 9:
####################################################################
Firewall -> Settings -> Advanced
[ Skip rules ]          [X] Skip rules when gateway is down
    # Does this mean that traffic will go over the "normal" connection (non VPN) in case the VPN tunnel fails?
    # OR does this mean that the rest of the network (in my case the LAN) will continue to function if the VPN Tunnel is down
    # A kill switch would be nice, so if the VPN Tunnel fails (in this case, if both of them fail because we defined a group of 2) i want interface NORD to
    # have no connection.
[ Sticky connections]   [X] Use sticky connections (for load balance group)

STEP 10:
####################################################################
Firewall -> NAT -> Outbound
[+ Add]
    [ Interface ]           NORDVPN1
    [ TCP/IP Version ]      IPv4
    [ Protocol ]            any
    [ Source address ]      Firewall_Alias_LocalNetwork
    [ Destination invert ]  [X]
    [ Destination address ] Firewall_Alias_LocalNetwork
    [ Translation/target ]  Interface address
[SAVE]

[ NORDVPN1 ] [CLONE]
    [ Interface ]           NORDVPN2
[SAVE]

STEP 11:
####################################################################
Firewall -> Rules -> NORD (The new interface I added in step 6)
[+ Add]
    [ Action ]                  block
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination invert ]      [X]
    [ Destination ]             Firewall_Alias_LocalNetwork
    [ Destination port range]    Firewall_Alias_MS_Port_Block
    [ Description ]             Block MS CIFS/SMB
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

[+ Add]
    [ Action ]                  pass
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                TCP/UDP
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination ]             Firewall_Alias_Allowed_DNS
    [ Destination port range]    DNS DNS
    [ Description ]             Allow traffic to allowed DNS Server
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

[+ Add]
    [ Action ]                  pass
    [ Interface ]               NORD
    [ TCP/IP Version ]          IPv4
    [ Protocol ]                any
    [ Source ]                  Firewall_Alias_VPNNetwork
    [ Destination invert ]      [X]
    [ Destination ]             Firewall_Alias_LocalNetwork
    [ Description ]             Force traffic over VPN
    [ Gateway ]                 GRP_NORDVPN
[SAVE]

STEP 12:
####################################################################
Firewall -> NAT -> Port Forward
[ Interface ]                   NORD
[ TCP/IP Version ]              IPv4
[ Protocol ]                    TCP/UDP
[ Source ]                      Firewall_Alias_VPNNetwork
[ Destination invert ]          [X]
[ Destination ]                 Firewall_Alias_Allowed_DNS
[ Destination port range]        DNS DNS
[ Redirect Target IP ]          single Host or Network
                                103.86.96.100 (picked one of the 2 NordVPN DNS servers)
[ Redirect Target Port ]        DNS
[ Description ]                Redirect all DNS to allowed DNS
[SAVE]

After this I did some checks:
VPN -> OpenVPN -> Connection Status
Both are "UP"

System -> Gateways -> SIngle
All Green

I've added some widgets on the Dashboard page and:
Gateways all green
Interfaces connected and have an IP
OpenVPN
All green and Remote/Virtual IP is present

However... When I connect a device to the Switch (that is connected to the NORD interface on the OPNSense box) I get "nothing"
(the device is configured to use DHCP and gets an IP address so at least that part works )

I've no Internet at all (can't ping 8.8.8.8 for example)
And I cant ping any of the internal IP's
192.168.1.1
192.168.2.1
192.168.3.1

The only thing that I can ping is the switch on 192.168.3.254 however that's kind of expected

I think I made some kind of mistake between step 9 and 12

Any Hints would be appreciated

[Koldnitz]

Nothing is jumping out at me (I cursorily compared what you have to what I have)

My thoughts:

My local network alias looks like this 192.168.1.0/24

You need to put your 192.168.3.0/24 here (I am not sure if it needs to be 0 but my setup is definitely working)

I have other subnets (management subnet for when I hose main subnet) that will never see the VPN and I do not include them (they do not exist as far as these rules go).  If you are never going to force IPs on your 1 and 2 subnets I do not think they need to be in alias for now.

Your host / networks that should use vpn alias should look like this 192.168.3.2/24 (?) ... mine looks like this 192.168.1.240/28 but I have made it where IP 240 through 254 are forced through the vpn on this subnet.  I do not think you should start at 1 because your router dhcp service will be sitting there ... but I could be wrong.

Your range is 11 through 244.

try 192.168.3.11/25 (you will get 126 IP addresses) http://jodies.de/ipcalc

I think you might consider using a smaller range on the vpn switch, then you can hook up a device (I manually set my macmini's IP inside the range and see if it works / hook up outside the range to see if it worked / check for dns leakage).  If the outside range (whole switch) does not work you have narrowed down focus and you can work your way towards getting some IPs forwarded correctly.  Once you have that working it "should" be easy to make all IPs on switch go where you want.

I also recommend following NilsS naming conventions.  It makes it so much easier to figure out what the alias is meant to be when you have:
n_vpn_user

A network (192.168.1.240/8)

p_udp_callofduty

A port (to make call of duty work correctly)

h_allowed_dns

hosts where dns requests are allowed to go

Your aliases work they just were giving me a headache....imagine trying to figure this out again in 6 months (I did when I decided to lagg my interface and hosed the whole install).

I turned off sticky connections and now I sometimes use both interfaces together (much faster).  Fail over only randomly worked before and I have set it up to reconnect randomly to my VPN servers every 8 hours.

I also put this:
persist-key
persist-tun
auth-nocache
fast-io
explicit-exit-notify 5
remote-cert-tls server
server-poll-timeout 10
key-direction 1
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
reneg-sec 3600

inside advanced configuration.

I use AirVPN so your mileage may vary.

I am by no means an expert, just managed to get it to work for me.  I hope this helps you, if just a little bit.

Cheers,

[Broodjeworst]

Hi Koldnitz,

Great!!! That did the trick! thank you very much :)I've also renamed the aliases per your advice, my original ones didn't make that much sense indeed 

One thing left on the todo list is to be able to access a device that is connected to the VPN 
(behind that Cisco switch) through ssh from the 192.168.1.x/24 subnet so that I can check logs etc
or would this open up a can of worms?

Anyway, thank you very much for getting me up and running!