NordVPN OpenVPN client

Started by Hollywood, January 05, 2026, 07:14:56 AM

Hello,
I successfully created an OpenVPN client with my Nord credentials. Connection Status shows Connected. After that I have been trying to follow web instructions, YouTube videos, and Google AI instructions. Basically, I can't get my traffic to go through the VPN. My test is that I am in the USA and the VPN server is in Canada and I use one of the websites that show your location.

These are the AI instructions I am using without any luck.
    • Instance Configuration (VPN > OpenVPN > Instances):
        ◦ Role: Client.
        ◦ Advanced Mode: Essential for detailed settings.
        ◦ Server Details: Protocol, port, CA, TLS key, credentials.
        ◦ Important Settings: Check "No (no) pull" under Miscellaneous to prevent server-pushed routes from overriding OPNsense's routing, or manage them carefully.
I GOT THIS FAR. Can anyone guide me with the next parts so that my traffic goes through the VPN? At some point I will also need split tunneling as some sites I visit will not allow access from a VPN, but at this point I just want to get it working. :)
Thanks! BTW, my skill level is following instructions, not necessarily understanding some of the technical aspects.


    • Firewall Rules:
        ◦ WAN Rules: Allow incoming VPN connection attempts (e.g., UDP 1194) to your OPNsense box.
        ◦ OpenVPN Interface Rules: Rules on the assigned OpenVPN interface (e.g., OPT1, VPN) control traffic leaving the tunnel towards your local network or the internet.
        ◦ Killswitch: Create a rule on the WAN to block traffic tagged with NO_WAN_EGRESS to prevent leaks if the VPN drops.
    • Traffic Management (Split Tunneling):
        ◦ Client Specific Overrides (CSO): Found under VPN > OpenVPN > Client Specific Overrides, these allow you to define unique routes or behavior for specific VPN users/clients, ideal for per-user split tunneling.
        ◦ Pushed Routes: The server can push routes (e.g., push "route 192.168.1.0 255.255.255.0") to clients, directing traffic to internal networks.


Quote from: Hollywood on January 05, 2026, 07:14:56 AM
Can anyone guide me with the next parts so that my traffic goes through the VPN? At some point I will also need split tunneling as some sites I visit will not allow access from a VPN, but at this point I just want to get it working. :)

If you intend to pass most of the traffic over the VPN, remove the "route-nopull" option. Assuming the server passes the default route to you, all traffic should go to the VPN server then.

For exceptions, create an alias and add all destination IPs to it.
Then add a pass rule to the LAN interface (or whichever interface your client devices are connected to), select the alias as destination and select the WAN gateway as gateway. Move this rule up to the top of the rule set.

Quote from: Hollywood on January 05, 2026, 07:14:56 AM
    • Firewall Rules:
        ◦ WAN Rules: Allow incoming VPN connection attempts (e.g., UDP 1194) to your OPNsense box.

There is no WAN rule needed, since you only need outbound traffic.

Quote from: Hollywood on January 05, 2026, 07:14:56 AM
        ◦ OpenVPN Interface Rules: Rules on the assigned OpenVPN interface (e.g., OPT1, VPN) control traffic leaving the tunnel towards your local network or the internet.

There is also no rule necessary on the VPN interface as long as you don't need incoming traffic from the VPN server.
All rules have to be defined on the respective incoming interface. So if your LAN devices should be able to access something on the internet across the VPN, you only need a proper rule on the LAN interface. Since the default route points to the VPN server, traffic will be directed to it.

Quote from: Hollywood on January 05, 2026, 07:14:56 AM
        ◦ Killswitch: Create a rule on the WAN to block traffic tagged with NO_WAN_EGRESS to prevent leaks if the VPN drops.

This requires that you tag the traffic beforehand.
If the VPN is the default gateway, you have to edit the LAN rule for the default gateway and state the tag in the advanced features. Then you can use this tag for blocking outbound.

Quote from: Hollywood on January 05, 2026, 07:14:56 AM
    • Traffic Management (Split Tunneling):
        ◦ Client Specific Overrides (CSO): Found under VPN > OpenVPN > Client Specific Overrides, these allow you to define unique routes or behavior for specific VPN users/clients, ideal for per-user split tunneling.

CSOs are meant for clients connecting to local OpenVPN servers. You don't need them for client connections.

Split tunneling your outbound connections can be realized with policy-routing rules (with a gateway stated) as recommended above.

Quote from: Hollywood on January 05, 2026, 07:14:56 AM
        ◦ Pushed Routes: The server can push routes (e.g., push "route 192.168.1.0 255.255.255.0") to clients, directing traffic to internal networks.

As mentioned above, I assume that NordVPN pushes the default route to the clients as most other providers do. By default the OpenVPN client accepts and installs the route then (without the "route-nopull" option). So all traffic is by default directed to the VPN gateway. To pass traffic out to WAN you have to add a policy-routing rule as suggested above.

You can also do it the other way round, however. Set route-nopull in the VPN client and then policy-route the traffic which should go through the VPN to the VPN gateway.
This requires that you assign an interface to the VPN client instance beforehand to get the gateway.
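
The rule set described in the reply above (exception alias sent to the WAN gateway at the top, a tagged default LAN rule, and a WAN block on that tag), written out as a hand-made pf.conf sketch for the case where the VPN holds the default route. This is an added example, not part of the post and not output generated by OPNsense; the interface names, gateway address and table contents are constructed assumptions.

```pf
# Constructed sketch of the rules discussed above, in plain pf syntax.
# All interface names and addresses are assumptions for illustration.
lan_if = "igb1"            # LAN, where the client devices sit
wan_if = "igb0"            # WAN
wan_gw = "203.0.113.1"     # ISP gateway on WAN (documentation address)

# The "alias": destinations that refuse VPN visitors and must bypass the tunnel.
table <vpn_bypass> { 198.51.100.10, 198.51.100.20 }

# 1. Exception rule, first in the LAN rule set: traffic to the alias is
#    policy-routed to the WAN gateway instead of following the default
#    route that the VPN server pushed. It carries no tag, so rule 3
#    never applies to it.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet \
    from $lan_if:network to <vpn_bypass> keep state

# 2. Default LAN rule: everything else follows the routing table, which
#    points at the VPN while the tunnel is up. The tag marks these
#    connections as "must never leave through WAN".
pass in quick on $lan_if inet \
    from $lan_if:network to any tag NO_WAN_EGRESS keep state

# 3. Kill switch: if the tunnel drops and the routing table falls back
#    to WAN, tagged traffic is dropped on its way out instead of leaking.
#    The firewall's own OpenVPN connection to the provider is not tagged,
#    so the tunnel can still reconnect.
block out quick on $wan_if tagged NO_WAN_EGRESS
```

Rules 1 and 2 are evaluated first-match because of `quick`, which is why the exception has to sit above the default rule. In the route-nopull variant, rule 2 would instead carry a `route-to` pointing at the interface and gateway assigned to the VPN client instance.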

@viragomann
I wrote my post late last night as I spent 2 afternoons trying to get this to work. It's morning now and I am seeing your reply. I quickly read your reply and it was written in a not too technical way, as I requested. Still, it takes some time to digest all of this. I want to thank you very much right now so I can have some time to retry slowly, step by step.

I will get back after I try again. I saved a config file of settings with just my reserved static IPs and the actual VPN so if (when) I mess up I can get back to the place where I know it works. It looks like I just have to remove the "route-nopull" and then follow your notes.

Your help is very much appreciated and I didn't want to leave you hanging as I sometimes go slow.

Thanks!