- In order to setup OPNsense with OpenVPN please access your OPNsense via browser.
- Navigate to System -> Trust -> Authorities and click on the +Add button.
You should see this screen:
- We will configure our OPNsense to connect to US 8561 server but you should connect to a server suggested to you at this page: https://nordvpn.com/servers/tools/ .
You can find the server hostname right under the server title.
Press on + Add button. Then fill the fields out like this:
Descriptive Name: NordVPN_US8561_CA
Method: Import an existing Certificate Authority
Certificate data: paste the contents below
Certificate Private Key: leave blank;
Serial for next certificate: leave as it is by default;
Navigate to VPN -> OpenVPN -> Clients and press + Add button.
Fill in the fields:
Disabled: leave unchecked.
Description: Any name you like. We will use NordVPN_US8561.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP4 (you can also use TCP4);
Device mode: tun;
Host or address: us8561.nordvpn.com (change to the hostname of the server you are going to use);
Port: 1194 (use 443 if you use TCP);
Retry DNS resolution: check;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: None;
USER AUTHENTICATION SETTINGS
User name/pass: fill in NordVPN service username and password;
You can find your NordVPN service credentials at the Nord Account dashboard. Copy the credentials using the buttons on the right.
Renegotiate time: leave blank;
TLS Authentication: Enabled - Authentication only
TLS Shared Key: Paste the contents below
Peer Certificate Authority: NordVPN_US8601_CA;
Client Certificate: None (Username and Password required);
Encryption Algorithm: AES-256-GCM;
Auth Digest Algorithm: SHA512;
IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network: leave blank;
IPv6 remote network: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: Legacy - Disabled LZO algorithm (--comp-lzo no)
Type-of-service: leave unchecked;
Don’t pull routes: leave unchecked;
Don’t add/remove routes: check.
Advanced: paste the contents below
Verbosity level: 3 (recommended);
- Navigate to Interfaces -> Assignments and click on + near New Interface. By default, it is ovpnc1.
- Click on the OPT1 to edit the interface.
- Click on the Enable Interface and do the following changes:
Description: NordVPN (or anything you want);
Block private networks: leave unchecked;
Block bogon networks: leave unchecked;
IPv4 Configuration Type: None;
IPv6 Configuration Type: None;
MAC address: leave blank;
MTU: leave blank;
MSS: leave blank;
No changes required on the DHCP client configuration so just click on Save button.
Click on the Apply changes button.
- Navigate to Services -> Unbound DNS -> General.
Listen port: 53;
Network Interfaces: All;
DHCP Registration: check;
DHCP Domain Override: leave blank;
DHCP Static Mappings: check;
IPv6 Link-local: unchecked;
TXT Comment Support: leave unchecked;
DNS Query Forwarding: check;
Local Zone Type: Transparent;
Custom options: leave blank;
Outgoing Network Interfaces: NordVPN (or whatever you named your OpenVPN interface);
WPAD Records: leave unchecked;
Click Save and Apply changes.
- Navigate to Services -> Unbound DNS -> Advanced and do the check the following options:
Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Leave anything else as it is by default, click Save, and Apply Settings.
- Navigate to Firewall -> NAT -> Outbound, select Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules), click Save and Apply Changes.
- Click on the +Add button on top, on the edit menu, select Interface as NordVPN. Leave anything else by as it is by default, click Save, and Apply Changes.
- Navigate to Firewall -> Rules -> LAN and delete the IPv6 rule. After that, click on the edit button next to IPv4. Scroll down and under Advanced features, select Gateway as NORDVPN_VPN4. Click Save.
Next, click +Add, change Source to LAN net and Destination to LAN Address, don't change anything else, Save and Apply Changes.
- Navigate to System -> Settings -> General and do the following changes:
Under Networking, check the Prefer IPv4 over IPv6;
126.96.36.199, Use Gateway: none;
188.8.131.52, Use Gateway: none.
On DNS server options, uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN
Click Save and Apply Changes.
- Navigate to System -> Gateways -> Single and do the following changes:
Edit NORDVPN_VPN6 -> click Disabled
Save and Apply Changes.
- Now you can navigate to VPN -> OpenVPN -> Connection Status and it should state that the service is “up”:
Restart the connection to assign the OpenVPN Virtual Address to the interfaces.
- Navigate to Lobby -> Dashboard and confirm the NordVPN Interface has an IP Number
- You can also check the connection log file under VPN -> OpenVPN -> Log File. If you encounter any connection issues, please send the log file to our customer support for the further support.