NordVPN installation on OPNSense

Import the Certificate Authority in OPNSense:

- In OPNSense, go to ‘System’ -> ‘Trust’ -> ‘Authorities’ and click on the + sign.
- Provide an identifiable name (just for yourself) such as NordVPN_CA
- Copy paste the following certificate information, leave all else blank and click on Save (taken from here):

Now it’s time to add info about the VPN provider and utilize the CA certificate that we defined earlier. In OPNSense, go to ‘VPN’ -> ‘Clients’ and click on the ‘+ Add’ button.

General Information section:

Proceed as per the screenshot below (or click here to expand the text):

Disabled: leave unchecked
Description: add something meaningul such as ‘NordVPN UK server’.
Server mode: Peer to Peer (SSL / TLS)
Protocol: UDP4 (to enforce IPv4 only since IPV6 is not currently supported)
Device mode: tun
Interface: any
Remote server:
- Host or address: uk1977.nordvpn.com (select your server here)
- Port: 1194
- Leave the ‘Select remote server at random’ unticked unless you add more and prefer that
Retry DNS resolution: Tick the box to ‘Infinitely resolve remote server’
Proxy host or address: leave blank
Proxy port: leave leave blank
Proxy authentication extra options: none
Local port: leave blank

User Authentication Settings:
- Find your credentials from NordVPN’s website here (Dashboard -> NordVPN -> scroll down to ‘Advanced Configuration’.
- In OPNSense, fill in the username and password as requested.
- Renegotiate time: leave blank

Cryptographic Settings:
- TLS Authentication:
  - Enable authentication of TLS packet: tick
  - Automatically generate shared TLS authentication key: untick and copy paste this:

Click here to expand:

-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----

- - Peer certificate authority: choose your CA ceriticate
  - Client Certificate: None (Username and Password required)
  - Encryption Algorytm: AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
  - Auth Digest Algorythm: SHA512
  - Hardware Crypto: No hardware crypto acceleration

- Tunnel Settings:
  - Leave all blank until
  - Compression: Disabled – No compression
  - Disable IPv6: tick
  - Don’t pull routes: tick
  - Don’t add/remove routes: tick

- Advanced configuration:
  - Copy paste the following parameters:

Click here to expand:

remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;

- - Verbosity level: 3 (recommended)

3. Create a new virtual interface

In OPNSense, go to ‘Interfaces’ -> ‘Assignments’.
You will notice a new interface named ‘ovpnc1’ (the number can differ). Click on the + sign to add it.

Click on the ‘Save’ button and then click on the new interface.

Proceed as per the screenshot below (or click here to expand the text):

Enable: tick
Lock: leave unticked
Description: change to something more meaningful such as ‘Nord VPN’.
Block private networks: leave unticked
Block bogon networks: leave unticked
IPv4 Configuration Type: None
IPv6 Configuration Type: None
Leave all else blank and click on the “Save’ button and then on ‘Apply changes’.

4. Set up Unbound DNS services

In OPNSense, go to ‘Services’ -> ‘Unbound DNS’ -> ‘General’.

Proceed as per the screenshot below (or click here to expand the text):

Enable: tick ‘Enabled Unbound’
Listen port: leave blank (or 53)
Network interfaces: select all interfaces (or as you see fit)
DNSSEC: leave unticked
DNS64: leave unticked
DHCP Registration: tick to ‘Register DHCP leases’
DHCP Domain Override: leave blank
DHCP Static Mappings: tick
IPv6 Link-local: untick
TXT Comment Support: leave unticked
DNS Query Forwarding: tick
Local Zone Type: transparent
Click on the ‘Advanced’ button
Custom options: leave blank
Outgoing network interfaces: select all interfaces (or at least NordVPN’s)
WPAD Records: leave unticked
Click on the ‘Save’ button and then on ‘Apply changes’

To further support hiding identify, we will need to enable a few more advanced Unbound DNS parameters.
In OPNSense, go to ‘Services’ – ‘Unbound’ -> ‘Advanced’.

Proceed as per the screenshot below (or click here to expand the text):

Tick the first four boxes, that is:
- Hide Identity: tick
- Hide version: tick
- Prefetch support: tick
- Prefetch DNS key Support: tick
Leave the rest as-is, click on ‘Save’ and then ‘Apply changes’.

5. Set up outbound NAT rule

The idea of this step is to set that outgoing traffic should go via the VPN’s interface.
In OPNSense, go to ‘Firewall’ -> “NAT’ -> ‘Outbound’. Select ‘Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)’. Click on ‘Save’ and then ‘Apply changes’.

Click on the ‘+ Add’ button (while in the ‘Firewall: NAT Ounbound page’). The only thing to modify in there is the ‘Interface’ – set it to your new interface, e.g. ‘Nord VPN’. Leave the rest as-is, click on ‘Save’ and ‘Apply changes’.

Sources:

Official NordVPN’s manual
Selective routing – NordVPN’s manual (for pFsense)
OPNSense’s forum – 1

NordVPN installation on OPNSense

Leave a Comment Cancel Reply