Post by Admin on Apr 21, 2018 16:10:02 GMT
Hit go.nordvpn.net/aff_c?offer_id=15&aff_id=261 to set up NordVPN on your own pfSense router today! Learn more?
This is a tutorial on how to set up an OpenVPN connection to NordVPN from your pfSense router.
pfSense version 2.2.3
1. Download the latest CA certificates from www.nordvpn.com/api/static/ca_and_tls_auth_certificates.zip and extract the package.
2. Open the pfSense WebUI and go to System -> Cert Manager.
3. In the CAs tab fill in:
Descriptive name: name it NordVPN;
Method: choose Import an existing Certificate Authority;
Certificate data (this is the CA certificate of the South African server, if you wish to set up other server, you need to use that server’s certificate accordingly):
-----BEGIN CERTIFICATE-----
EXAMPLE
-----END CERTIFICATE-----
Certificate Private Key: leave blank;
Serial for next certificate: leave blank;
Click Save.
4. Now go to VPN and select OpenVPN from the drop-down menu.
5. GENERAL INFORMATION
Select Client tab and enter the configuration as listed below:
Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP (you can also use TCP);
Device mode: TUN;
Interface: WAN;
Local port: leave blank;
Server host or address: za1.nordvpn.com;
Server port: 1194;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy authentication extra options: Authentication method: None;
Server host name resolution: check Infinitely resolve server;
Description: Any name you like. In our case it was NordVPN.
USER AUTHENTICATION SETTINGS
User name/pass: Your NordVPN username / your NordVPN password.
CRYPTOGRAPHIC SETTINGS
TLS Authentication (remember, it is for the EXAMPLE above):
-----BEGIN OpenVPN Static key V1-----
EXAMPLE
-----END OpenVPN Static key V1-----
Peer certificate authority: NordVPN;
Client certificate: webConfigurator default (557de1a2a90c7) *In use (please note that the numbers on your machine could be different);
Encryption algorithm: AES-256-CBC (256-bit);
Auth digest algorithm: SHA1 (160-bit);
Hardware crypto: No hardware crypto acceleration.
TUNNEL SETTINGS
IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network/s: leave blank;
IPv6 remote network/s: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: Enabled with adaptive compression;
Type-of-service: leave unchecked;
Disable IPv6: check Don’t forward IPv6 traffic;
Don’t pull routes: check. This option effectively bars the server from adding routes to the client’s routing table; note, however, that the server can still set the TCP/IP properties of the client’s TUN/TAP interface;
Don’t add/remove routes: leave unchecked.
ADVANCED CONFIGURATIONS
Advanced: leave blank;
Verbosity level: 3 (recommended);
Click Save.
6. Go to Interfaces and select (assign) from the drop-down list. Then click the + button. A new interface is created; name it Nord_ZA, for instance. Also change the interface's network port to ovpncX, where X is the number of the OpenVPN client you created (usually 1). Save changes.
7. Now go to Firewall -> NAT -> Outbound. For the outbound rule mode select Hybrid outbound NAT rule generation (Automatic outbound NAT + rules below). You now need to copy the Mappings listed and change their Interface to Nord_ZA (or whatever name you used in the previous step). You should now see something like the picture below.
The last step is to configure Firewall rules. Go to Firewall -> Rules -> LAN. Create a new rule. The settings should be:
Action: Pass;
Disabled: leave unchecked;
Interface: LAN;
TCP/IP version: IPv4;
Protocol: any;
Source: Type: any;
Destination: any;
Log: leave unchecked;
Description: name it whatever you like;
ADVANCED FEATURES
In the advanced features you only need to change one setting:
Gateway: Type: Interface that we have created (in our case it is Nord_ZA).
Click Save and then Apply the changes to the firewall settings.
DONE
pfSense version 2.3.2
1. In order to set up pfSense 2.3.2 with OpenVPN, access your pfSense via browser. Then navigate to System -> Certificate Manager -> CAs. You should see this screen:
2. We will configure our pfSense to connect to DK3 server. Press on "+ Add" button. Then fill the fields out like this:
Descriptive Name: NordVPN_DK3_CERT
Method: Import an existing Certificate Authority
Certificate data: (you can get this certificate by downloading NordVPN CA and TLS files from here: nordvpn.com/api/static/ca_and_tls_auth_certificates.zip)
-----BEGIN CERTIFICATE-----
EXAMPLE
-----END CERTIFICATE-----
Press "Save"
You should see something like this:
3. Then navigate to VPN -> OpenVPN -> Clients and press "+Add"
4. Fill in the fields:
Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP (you can also use TCP);
Device mode: TUN;
Interface: WAN;
Local port: leave blank;
Server host or address: dk3.nordvpn.com;
Server port: 1194;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy authentication extra options: Authentication method: None;
Server host name resolution: check Infinitely resolve server;
Description: Any name you like. In our case it was NordVPN DK3
USER AUTHENTICATION SETTINGS:
User name/pass: Your NordVPN username / your NordVPN password.
CRYPTOGRAPHIC SETTINGS:
TLS Authentication: Check
Automatically generate a shared TLS authentication key: Uncheck
Then type in TLS key of DK3 server which can be found here: nordvpn.com/api/static/ca_and_tls_auth_certificates.zip
-----BEGIN OpenVPN Static key V1-----
EXAMPLE
-----END OpenVPN Static key V1-----
Peer certificate authority: NordVPN_DK3_CERT;
Client certificate: webConfigurator default (557de1a2a90c7)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
Encryption algorithm: AES-256-CBC (256-bit);
Auth digest algorithm: SHA1 (160-bit);
Hardware crypto: No hardware crypto acceleration.
TUNNEL SETTINGS:
IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network/s: leave blank;
IPv6 remote network/s: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: Enabled with adaptive compression;
Type-of-service: leave unchecked;
Disable IPv6: check Don’t forward IPv6 traffic;
Don’t pull routes: check;
Don’t add/remove routes: leave unchecked.
ADVANCED CONFIGURATIONS:
Custom Options: leave blank;
Verbosity level: 3 (recommended);
Click Save.
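The client fields filled in above (step 5 of the 2.2.3 walkthrough and step 4 of the 2.3.2 walkthrough) map one-to-one onto directives of a plain OpenVPN client configuration. The file below is an added example written for this post, not the post's own or NordVPN's configuration, and the file names nordvpn.crt and nordvpn.key are assumed placeholders for the CA certificate and TLS key you pasted into the Cert Manager and client pages. It is handy for reading the configuration pfSense generates (on 2.2/2.3 it is assumed to live under /var/etc/openvpn/, so verify the path on your box) and for spotting which GUI field a log message is complaining about.

```text
# Server mode "Peer to Peer (SSL/TLS)" on the client side
client
# Device mode: TUN
dev tun
# Protocol: UDP (use "proto tcp-client" if you picked TCP)
proto udp
# Server host or address / Server port (dk3.nordvpn.com for the DK3 walkthrough)
remote za1.nordvpn.com 1194
# Server host name resolution: Infinitely resolve server
resolv-retry infinite
# Local port left blank: do not bind a fixed source port
nobind
# User name/pass: credentials are supplied by pfSense from the client page
auth-user-pass
# Peer certificate authority: the CA imported in Cert Manager (assumed file name)
ca nordvpn.crt
# TLS Authentication key, with key direction 1 on the client side (assumed file name)
tls-auth nordvpn.key 1
# Encryption algorithm / Auth digest algorithm exactly as set in the GUI
cipher AES-256-CBC
auth SHA1
# Compression: Enabled with adaptive compression
comp-lzo adaptive
# Don't pull routes: checked, so the server cannot push routes into the router's table
route-nopull
# Verbosity level: 3
verb 3
# Added hardening, not among the post's settings: refuse a peer whose certificate
# was not issued for server use, so a client certificate signed by the same CA
# cannot impersonate the VPN server
remote-cert-tls server
```

Because route-nopull is set, nothing reaches the tunnel on its own; the only traffic that uses it is what the LAN firewall rule's Gateway setting policy-routes into it. Keep in mind that pfSense, by default, rebuilds such rules without the gateway while that gateway is marked down, so LAN clients silently fall back to the WAN when the tunnel drops. If that is not what you want, enable "Skip rules when gateway is down" under System -> Advanced -> Miscellaneous so the rule is omitted instead, and add a LAN rule that blocks traffic to the WAN gateway.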
5. Navigate to Interfaces -> Interface Assignments and Add NordVPN DK3 interface.
6. Press on the OPT1 to the left of your assigned interface and fill in the following information:
Enable: check
Description: NordVPN
IPv4 Configuration Type: DHCP
IPv6 Configuration Type: None
Mac Address: leave blank
MTU: leave blank
MSS: leave blank
Do not change anything else. Just scroll down to the bottom and press "Save"
7. Navigate to Services -> DNS Resolver -> General Settings
Enable: check
Listen port: leave what it already is
Network Interfaces: All
Outgoing Network Interfaces: NordVPN
System Domains Local Zone Type: Transparent
DNSSEC: uncheck
DNS Query Forwarding: check
DHCP Registration: check
Static DHCP: check
Save.
8. While in DNS Resolver, select Advanced Setting at the top and then fill in the following:
Hide Identity: check
Hide Version: check
Prefetch Support: check
Prefetch DNS Key Support: check
Save.
9. Navigate to Firewall -> NAT -> Outbound and select "Hybrid Outbound NAT rule generation". Press "Save". Then click on "Bottom Add" and fill in the fields:
Disabled: uncheck
Do not NAT: uncheck
Interface: OpenVPN
Protocol: any
Source: Network ; 127.0.0.0 / 8 ; Port: leave blank
Destination: Any ; greyed out ; Port: 500
Static port: check
Description: ISAKMP - Lan to NordVPN
Save. Now you need to create 3 more rules with these settings:
Disabled: uncheck
Do not NAT: uncheck
Interface: OpenVPN
Protocol: any
Source: Network ; 127.0.0.0 / 8 ; Port: leave blank
Destination: Any ; greyed out ; Port: leave blank
Static port: uncheck
Description: localhost to NordVPN
Save.
Disabled: uncheck
Do not NAT: uncheck
Interface: OpenVPN
Protocol: any
Source: Network ; 192.168.10.0 / 24 ; Port: leave blank
Destination: Any ; greyed out ; Port: 500
Static port: check
Description: ISAKMP - Lan to NordVPN
Save.
Disabled: uncheck
Do not NAT: uncheck
Interface: OpenVPN
Protocol: any
Source: Network ; 192.168.10.0 / 24 ; Port: leave blank
Destination: Any ; greyed out ; Port: leave blank
Static port: uncheck
Description: localhost to NordVPN
Save. At the end it should look like this:
10. Navigate to Firewall -> Rules -> LAN and add this rule at the top by clicking the "Top Add" button:
Action: Pass
Disabled: uncheck
Interface: LAN
Address Family: IPv4
Protocol: any
Source: Invert: uncheck ; any ; blank
Click on Show Advanced and fill in the single field:
Gateway: NordVPN_DHCP-...
Save. At the end it should look like this:
11. Go to System -> General Setup and fill in:
DNS Server 1: 162.242.211.137 ; none
DNS Server 2: 78.46.223.24 ; NordVPN_DHCP-...
Save.
12. Now you can navigate to Status -> OpenVPN and it should state that the service is "up".
13. You can also check the connection log file under Status -> System Logs -> OpenVPN:
DONE
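Step 13 points at the OpenVPN log as the place to look when Status -> OpenVPN does not say "up". The script below is an added example, not part of the post, that classifies the OpenVPN messages most often seen at verbosity 3 and says which field of the walkthrough to revisit: a certificate verify error points at the pasted CA, a missing HMAC points at the TLS Authentication key, AUTH_FAILED at the username/password, and a negotiation timeout at host, port or protocol. The log lines are constructed for the example (the IP 203.0.113.10 is a documentation address); paste your own lines from Status -> System Logs -> OpenVPN into SAMPLE_LOG to use it.

```python
import re

# Constructed sample of the lines shown under Status -> System Logs -> OpenVPN at
# verbosity 3 (not real log output from the post): one attempt that fails three
# ways before finally coming up.
SAMPLE_LOG = """\
Apr 21 16:10:01 pfSense openvpn[48213]: UDPv4 link remote: [AF_INET]203.0.113.10:1194
Apr 21 16:10:03 pfSense openvpn[48213]: VERIFY ERROR: depth=1, error=unable to get local issuer certificate
Apr 21 16:10:03 pfSense openvpn[48213]: TLS Error: TLS object -> incoming plaintext read error
Apr 21 16:11:05 pfSense openvpn[48213]: AUTH: Received control message: AUTH_FAILED
Apr 21 16:12:10 pfSense openvpn[48213]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.10:1194
Apr 21 16:13:40 pfSense openvpn[48213]: Initialization Sequence Completed
"""

# (name, regex, which walkthrough setting to revisit). Specific patterns come
# before the generic "TLS Error:" catch-all because the first match per line wins.
CHECKS = [
    ("connected", r"Initialization Sequence Completed",
     "tunnel is up; next check Status -> OpenVPN and the LAN rule's Gateway"),
    ("bad_ca", r"VERIFY ERROR: depth=\d+",
     "server certificate did not chain to the imported CA; re-check the Certificate "
     "data pasted in the Cert Manager and that it is this server's CA"),
    ("bad_tls_key", r"cannot locate HMAC|incoming packet authentication failed",
     "tls-auth mismatch; re-check the TLS Authentication key pasted in the client"),
    ("auth_failed", r"AUTH_FAILED",
     "credentials rejected; re-check User name/pass"),
    ("tls_timeout", r"TLS key negotiation failed to occur within",
     "no handshake at all; re-check Server host or address, Server port and "
     "Protocol, and that WAN allows the outbound traffic"),
    ("tls_error", r"TLS Error:",
     "handshake aborted; the cause is usually in the line just before this one"),
]


def triage(log_text):
    """Classify each recognised line and report whether the attempt ended connected."""
    events = []
    for line in log_text.splitlines():
        for name, pattern, hint in CHECKS:
            if re.search(pattern, line):
                events.append((name, hint))
                break  # one classification per line
    # The attempt counts as connected only if the last recognised event is the
    # completion line; earlier failures are reported so the cause is not lost.
    connected = bool(events) and events[-1][0] == "connected"
    problems = [(name, hint) for name, hint in events if name != "connected"]
    return {"connected": connected, "problems": problems}


def report(log_text):
    """Human-readable summary lines for the console."""
    result = triage(log_text)
    lines = ["connected: %s" % result["connected"]]
    for name, hint in result["problems"]:
        lines.append("%-12s %s" % (name, hint))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The sample run reports connected: True with four earlier problems (bad_ca, tls_error, auth_failed, bad_tls_key), which is exactly the sequence you would see while correcting the pasted CA, the credentials and the TLS key one after another.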