In the past year or so, OPNsense revamped its VPN configuration, moving from separate client and server setups to instances. Most posts and documentation, including OPNsense's own, had not caught up with this new paradigm, leaving novices flailing. Fortunately, that's changed, and this week I implemented a VPN server for remote access to my home network. Whoo hoo!
Today I followed this incredibly clear and understandable blog for routing outbound traffic through NordVPN, removing any concern that my internet provider is tracking my browsing habits for marketing reasons! [Spoiler alert: they are!]
Some additional notes and comments to share:
- Single Internal Network: For simplicity, the post assumes a single internal network on the LAN interface. If your network has multiple internal networks segregated by VLANs, you may need to apply some steps (such as firewall rules) to multiple networks.
- NordVPN Server Recommendations: The recommended servers are those closest to you, which may not be desired when located in a state with onerous laws (e.g., Nebraska's Online Age Verification Liability Act or Florida's Online Protections for Minors Act). Use NordVPN on your desktop/laptop/MacBook/whatever to connect to a more friendly jurisdiction and refresh to get a new set of recommended servers.
- Unchanged Security: NordVPN’s certificate authority, static key and server credentials do not appear to change when different servers are selected.
- OpenVPN Instances: Creating multiple OpenVPN client instances for multiple NordVPN servers is a simple technique to allow you to switch between servers as desired. Remember that each Enabled instance creates an active connection to NordVPN (viewed on VPN >> OpenVPN >> Connection Status). To avoid exceeding NordVPN’s concurrent limits, disable unused client instances.
- Interface Description: After creating the instances, I stopped suffixing names and descriptions with the specific NordVPN server, e.g. just interface_nordvpn.
- VPN Interface: After the VPN interface is created, changing the NordVPN server is just a matter of selecting a different client instance. I defined two NordVPN servers, Lakeville, MN and Chicago, IL, and am currently using Chicago. Note that Lakeville is not active and must be enabled before assigning it to the interface.
- Aliases: The post identifies clients whose traffic should be routed through NordVPN by MAC address, which is not scalable/manageable with even a moderate number of devices. I may use Network(s) to route specific subnets through NordVPN. NordVPN offers different Type choices, so investigate to determine what works for you.
- Killswitch: I want traffic routed through the normal WAN gateway as a fallback if NordVPN is unavailable, so I did not create the blocking rule suggested. Your use case may require it, mine did not.
- Multi-WAN?: My OPNsense router is configured to support two WAN gateways for two different internet providers with failover from primary to secondary, though currently only my primary internet provider is active. The question is whether OpenVPN automatically re-establishes the connection to NordVPN upon failover or whether manual steps are required.
- Multi-VLAN: I require firewall rules to allow traffic between VLANs; the rule routing external traffic through NordVPN must come after the local VLAN rule.
- DNS: When connecting to a VPN directly on your computer or device, your local DNS entries are replaced with those provided by the VPN; a VPN client running on OPNsense does not do this. Running a local DNS server, such as Pi-hole, continues to work as expected. Other use cases may require local VPN services.
So far no problems, but I need more devices for a larger sample size. Crossing my fingers!
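To make the Aliases, Killswitch and Multi-VLAN notes above concrete, here is an added Python model of first-match firewall rule evaluation; it is not code from this post, from the linked blog or from OPNsense. The subnets, the alias contents, the gateway name NORDVPN_GW and the "skip a policy-routed rule when its gateway is down" semantics are all constructed assumptions for the illustration. It shows why the inter-VLAN rule must sit before the NordVPN policy-routing rule, how a Network(s) alias stands in for per-MAC entries, and how the presence or absence of a kill-switch block rule decides between "fall back to the normal WAN gateway" and "drop the traffic" when NordVPN is down.

```python
"""Toy model of OPNsense-style first-match rule evaluation for NordVPN policy routing.

Constructed assumptions (not taken from the post or from OPNsense):
  - two LAN VLANs, 192.168.10.0/24 and 192.168.20.0/24
  - the VPN_CLIENTS alias is a Network(s)-type alias holding the second VLAN
  - NORDVPN_GW is the gateway created for the OpenVPN client interface
  - a pass rule bound to a gateway that is down is skipped, so evaluation
    continues with the next rule (the kill-switch scenario relies on this)
"""
from dataclasses import dataclass
import ipaddress

ANY = ["0.0.0.0/0"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LAN_NETS = ["192.168.10.0/24", "192.168.20.0/24"]     # constructed VLANs
VPN_CLIENTS = ["192.168.20.0/24"]                      # constructed Network(s) alias
DEFAULT_GW = "default"                                 # normal WAN routing
NORDVPN_GW = "NORDVPN_GW"                              # hypothetical gateway name


@dataclass
class Rule:
    name: str
    action: str                  # "pass" or "block"
    sources: list
    destinations: list
    gateway: str = DEFAULT_GW    # a named gateway makes this a policy-routing rule


def _in_any(addr: str, nets: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def route(rules: list, src: str, dst: str, gateways_up: set) -> tuple:
    """Return ("pass", gateway) or ("block", None) for a flow from src to dst.

    Rules are evaluated top to bottom and the first match wins. A pass rule
    whose gateway is not in gateways_up is skipped (modelled assumption). If
    nothing matches, the implicit default block applies.
    """
    for rule in rules:
        if not (_in_any(src, rule.sources) and _in_any(dst, rule.destinations)):
            continue
        if rule.action == "block":
            return ("block", None)
        if rule.gateway != DEFAULT_GW and rule.gateway not in gateways_up:
            continue                      # policy-route gateway down: skip rule
        return ("pass", rule.gateway)
    return ("block", None)                # implicit default block


# Rule building blocks
INTER_VLAN = Rule("Allow inter-VLAN", "pass", LAN_NETS, RFC1918)
TO_NORDVPN = Rule("Route VPN clients via NordVPN", "pass", VPN_CLIENTS, ANY, NORDVPN_GW)
KILL_SWITCH = Rule("Kill switch: block VPN clients", "block", VPN_CLIENTS, ANY)
LAN_OUT = Rule("Allow LAN out via WAN", "pass", LAN_NETS, ANY)

# NordVPN rule placed before the inter-VLAN rule: VLAN-to-VLAN traffic is
# captured by the policy route and sent out through the tunnel.
WRONG_ORDER = [TO_NORDVPN, INTER_VLAN, LAN_OUT]

# Inter-VLAN rule first, as the post's Multi-VLAN note requires; no kill
# switch, so a down tunnel falls through to the normal WAN gateway.
FALLBACK_ORDER = [INTER_VLAN, TO_NORDVPN, LAN_OUT]

# Same order plus the block rule the linked blog suggests: if the tunnel is
# down the VPN clients are dropped instead of leaking out via the WAN.
KILL_SWITCH_ORDER = [INTER_VLAN, TO_NORDVPN, KILL_SWITCH, LAN_OUT]


def summary() -> dict:
    """Evaluate a few representative flows under each rule set."""
    up = {NORDVPN_GW}
    down = set()
    return {
        "wrong_order_inter_vlan": route(WRONG_ORDER, "192.168.20.5", "192.168.10.7", up),
        "fallback_inter_vlan": route(FALLBACK_ORDER, "192.168.20.5", "192.168.10.7", up),
        "fallback_internet_tunnel_up": route(FALLBACK_ORDER, "192.168.20.5", "1.1.1.1", up),
        "fallback_internet_tunnel_down": route(FALLBACK_ORDER, "192.168.20.5", "1.1.1.1", down),
        "killswitch_internet_tunnel_down": route(KILL_SWITCH_ORDER, "192.168.20.5", "1.1.1.1", down),
        "killswitch_other_vlan_unaffected": route(KILL_SWITCH_ORDER, "192.168.10.5", "1.1.1.1", down),
        "unknown_source_default_block": route(FALLBACK_ORDER, "10.99.0.1", "1.1.1.1", up),
    }


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:36s} {result}")
```

The Network(s) alias is what keeps this manageable: adding a device to the VPN set means putting it on the 192.168.20.0/24 VLAN, not editing a list of MAC addresses. The two down-tunnel results are the whole Killswitch decision: the fallback rule set passes the flow via the default gateway, the kill-switch set blocks it.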