OPNsense 21 setup with NordVPN

  1. To set up OPNsense with OpenVPN, open the OPNsense web interface in your browser.
  2. Navigate to System -> Trust -> Authorities and click on the +Add button.

     
  3. We will configure OPNsense to connect to the US 8561 server, but you should connect to the server suggested to you on this page: https://nordvpn.com/servers/tools/ .

    You can find the server hostname right under the server title.

    Press the + Add button, then fill out the fields like this:

    Descriptive Name: NordVPN_US8561_CA
    Method: Import an existing Certificate Authority
    Certificate data: paste the contents below


    Certificate Private Key: leave blank;
    Serial for next certificate: leave as it is by default;

    Press Save
     

  4. Navigate to VPN -> OpenVPN -> Clients and press the + Add button.

  5. Fill in the fields:

    GENERAL INFORMATION

    Disabled: leave unchecked.
    Description: Any name you like. We will use NordVPN_US8561.
    Server mode: Peer to Peer (SSL/TLS);
    Protocol: UDP4 (you can also use TCP4);
    Device mode: tun;
    Interface: any;
    Remote server:

    Host or address: us8561.nordvpn.com (change to the hostname of the server you are going to use);
    Port: 1194 (use 443 if you use TCP);

    Retry DNS resolution: check;
    Proxy host or address: leave blank;
    Proxy port: leave blank;
    Proxy Authentication: None;

    USER AUTHENTICATION SETTINGS

    User name/pass: fill in NordVPN service username and password;

    You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:

    1. Click Set up NordVPN manually.

    2. You will receive a verification code at the email address you use for NordVPN services. Type in the code.

    3. Copy the credentials using the “Copy” buttons on the right.

Renegotiate time: leave blank;

CRYPTOGRAPHIC SETTINGS:

TLS Authentication: Enabled - Authentication only
TLS Shared Key: Paste the contents below


Peer Certificate Authority: NordVPN_US8561_CA (the authority imported above);
Client Certificate: None (Username and Password required);
Encryption Algorithm: AES-256-GCM;
Auth Digest Algorithm: SHA512;

TUNNEL SETTINGS:

IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network: leave blank;
IPv6 remote network: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: Legacy - Disabled LZO algorithm (--comp-lzo no)
Type-of-service: leave unchecked;
Don’t pull routes: leave unchecked;
Don’t add/remove routes: check.



ADVANCED CONFIGURATION:

Advanced: paste the contents below
 

remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;


Verbosity level: 3 (recommended);

Click Save.
 

  1. Navigate to Interfaces -> Assignments and click on + near New Interface. By default, it is ovpnc1.

  2. Click on OPT1 to edit the interface.

  3. Click on Enable Interface and make the following changes:

    Description: NordVPN (or anything you want);
    Block private networks: leave unchecked;
    Block bogon networks: leave unchecked;
    IPv4 Configuration Type: None;
    IPv6 Configuration Type: None;
    MAC address: leave blank;
    MTU: leave blank;
    MSS: leave blank;

    No changes are required in the DHCP client configuration, so just click the Save button.

    Click on the Apply changes button.
     
  4. Navigate to Services -> Unbound DNS -> General.

    Enable: check;
    Listen port: 53;
    Network Interfaces: All;
    DNSSEC: uncheck;
    DHCP Registration: check;
    DHCP Domain Override: leave blank;
    DHCP Static Mappings: check;
    IPv6 Link-local: unchecked;
    TXT Comment Support: leave unchecked;
    DNS Query Forwarding: check;
    Local Zone Type: Transparent;
    Custom options: leave blank;
    Outgoing Network Interfaces: NordVPN (or whatever you named your OpenVPN interface);
    WPAD Records: leave unchecked;

    Click Save and Apply changes.
     
  5. Navigate to Services -> Unbound DNS -> Advanced and check the following options:

    Hide Identity: check
    Hide Version: check
    Prefetch Support: check
    Prefetch DNS Key Support: check

    Leave everything else as it is by default, click Save, and Apply Settings.
     
  6. Navigate to Firewall -> NAT -> Outbound, select Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules), click Save and Apply Changes.
     
  7. Click on the +Add button at the top and, in the edit menu, select NordVPN as the Interface. Leave everything else as it is by default, click Save, and Apply Changes.
     
  8. Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. After that, click on the edit button next to IPv4. Scroll down and under Advanced features, select Gateway as NORDVPN_VPN4. Click Save.

    Next, click +Add, change Source to LAN net and Destination to LAN Address, don't change anything else, Save and Apply Changes.

  9. Navigate to System -> Settings -> General and make the following changes:

    Under Networking, check Prefer IPv4 over IPv6;
    DNS servers:
    103.86.96.100, Use Gateway: none;
    103.86.99.100, Use Gateway: none.

    Under DNS server options, uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN.

    Click Save and Apply Changes.

     
  10. Navigate to System -> Gateways -> Single and make the following change:

    Edit NORDVPN_VPN6 -> click Disabled

    Save and Apply Changes.
     
  11. Now you can navigate to VPN -> OpenVPN -> Connection Status and it should state that the service is “up”:

    Restart the connection to assign the OpenVPN Virtual Address to the interfaces.
     
  12. Navigate to Lobby -> Dashboard and confirm that the NordVPN interface has an IP address.
     
  13. You can also check the connection log file under VPN -> OpenVPN -> Log File. If you encounter any connection issues, please send the log file to our customer support for further assistance.
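
The client settings from the CRYPTOGRAPHIC SETTINGS, TUNNEL SETTINGS and ADVANCED CONFIGURATION sections can be checked for drift with a small audit script. This is an added example, not NordVPN or OPNsense code: it assumes the settings are available as OpenVPN directive text, that the GUI fields correspond to the `cipher`/`data-ciphers`, `auth`, `tls-auth`, `auth-user-pass` and `comp-lzo` directives, and it uses constructed sample configurations with placeholder paths.

```python
# Added example: audit OpenVPN client directives against the values this guide sets.
EXPECTED = {"remote-cert-tls": "server", "auth": "SHA512", "reneg-sec": "0"}
REQUIRED = ("auth-user-pass", "tls-auth")
ALLOWED_CIPHERS = {"AES-256-GCM"}

def parse_directives(text):
    """Parse options given one per line or ';'-separated (as in the Advanced box)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")):  # whole-line comments in OpenVPN config files
            continue
        for chunk in line.split(";"):
            parts = chunk.split()
            if parts:
                opts[parts[0]] = " ".join(parts[1:])
    return opts

def audit(text):
    """Return a list of findings; an empty list means the text matches the guide."""
    opts, findings = parse_directives(text), []
    for name, want in EXPECTED.items():
        got = opts.get(name)
        if got is None:
            findings.append(f"missing: {name} {want}")
        elif got != want:
            findings.append(f"mismatch: {name} is '{got}', guide sets '{want}'")
    findings += [f"missing: {name}" for name in REQUIRED if name not in opts]
    ciphers = opts.get("data-ciphers") or opts.get("cipher") or ""
    if not ciphers or set(ciphers.split(":")) - ALLOWED_CIPHERS:
        findings.append(f"cipher: '{ciphers}', guide sets AES-256-GCM")
    if opts.get("comp-lzo", "no") != "no":
        findings.append("compression: comp-lzo is enabled, guide sets 'comp-lzo no'")
    return findings

# Constructed samples (paths are placeholders, not real OPNsense paths).
GOOD = """
remote us8561.nordvpn.com 1194
auth-user-pass /placeholder/credentials
tls-auth /placeholder/ta.key
cipher AES-256-GCM
auth SHA512
comp-lzo no
remote-random;persist-key;persist-tun;reneg-sec 0;remote-cert-tls server;
"""
DRIFTED = GOOD.replace("SHA512", "SHA1").replace("GCM", "CBC") \
              .replace("comp-lzo no", "comp-lzo yes").replace("remote-cert-tls server;", "")

if __name__ == "__main__":
    print(audit(GOOD) or "GOOD: no findings")
    print("\n".join(audit(DRIFTED)))
```

Because this setup authenticates the client with a username and password only, the imported CA together with `remote-cert-tls server` is what authenticates the server, so a missing `remote-cert-tls` line is the finding to act on first.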