NordVPN does not support native router configurations for the WireGuard protocol. However, NordLynx, NordVPN's own protocol, is built on WireGuard, so if we can obtain the right parameters (our private key, the server's public key and its endpoint) we can establish a plain WireGuard tunnel from the router. This guide shows how to configure NordVPN on OPNsense 24.1 or later using WireGuard, so the router provides NordVPN protection to every device connected to it. It is based on the original notes from bluewalk@github: https://bit.ly/4acEzEC. Thanks also to dumbasPL@github for providing an efficient alternative method for retrieving this configuration.
Note:
- This tutorial does not cover DNS leaks, as each user may have a different setup for their DNS service. I’ll cover this in another tutorial. Link: Coming soon…
- Alternatively, you can follow my tutorial to set up DNS over TLS using NextDNS. With NextDNS, you have the option to disable the log or set the log retention from 1 hour to up to 2 years. Here is the link to the tutorial: https://bit.ly/3rWVDwz.
Check out my YouTube channel if you prefer video content over written posts. Here’s the link to the video:
Step 1. Create a NordVPN Access Token
- Sign in to NordVPN using your NordVPN Account username and password at https://my.nordaccount.com/dashboard/nordvpn/manual-configuration/.
- Select Get Access token. NordVPN may ask you to verify your email. Enter the one-time login code to continue.
- Select Generate new token.
- Select an expiry of 30 days (30 days is fine, as we only need the token to retrieve the configuration parameters).
- Select Generate Token.
- Copy the Token and keep it temporarily in a note or text file; you will need it in the next step to retrieve the WireGuard configuration. Treat it like a password: it grants access to your account's service credentials, so delete the note (and, if you like, revoke the token in the dashboard) once you have the keys.
Step 2. Retrieve configuration parameters for WireGuard
- For macOS/Linux, copy and paste the command below into Terminal. It prints the recommended server's hostname, its IP address (the "station", which becomes the Endpoint), city, country, technology metadata (including the WireGuard PublicKey) and current load:
curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1" | jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'
- Paste the second command into your note or text file, replace TOKEN with the token you generated in Step 1, then run it in Terminal to retrieve the PrivateKey:
curl -s -u token:TOKEN https://api.nordvpn.com/v1/users/services/credentials | jq -r .nordlynx_private_key
- From the output of the two commands we can assemble the WireGuard parameters below:
[Interface]
PrivateKey = KNligv6Aom*************************UPazTZJGm3sgzTg= # from the second command
Address = 10.5.0.2/32 # this address is the same for every NordLynx client
DNS = 103.86.96.100, 103.86.99.100 # NordVPN DNS servers
[Peer]
PublicKey = V1WC7wt34kcSDyqPuUhN56NJ0v+GlqY9TwZR5WlzzB4= # the metadata value printed by the first command
AllowedIPs = 0.0.0.0/0 # route everything
Endpoint = 152.89.204.247:51820 # the station address from the first command, UDP port 51820
- For Windows
- Open Windows PowerShell and install Git using this command:
winget install -e --id Git.Git
- Install jq using this command:
winget install jqlang.jq
- Close Windows PowerShell.
- Open Git Bash and run the same two commands as in the macOS/Linux section.
- The recommendations command returns the server NordVPN considers closest to your location. See the screenshots below for visual aid.
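The two curl/jq commands above are all you need, but if you retrieve configurations regularly it is easier to have a script assemble the [Interface]/[Peer] file and pick the wireguard_udp public key explicitly (the jq filter above dumps every metadata value). The following is an added example, not from the original tutorial or from NordVPN: it assumes the API URLs and response layout implied by the jq filter (hostname, station, load, locations[].country, technologies[].metadata[]), plus the assumption that the public key is the metadata entry with name "public_key". The sample response is constructed, so the file can be run offline without a token.

```python
import base64
import json
import urllib.request

# URLs follow the curl commands in Step 2. The metadata field names
# (name == "public_key") are an assumption based on the jq filter's output.
RECOMMENDATIONS_URL = (
    "https://api.nordvpn.com/v1/servers/recommendations"
    "?filters[servers_technologies][identifier]=wireguard_udp&limit=1"
)
CREDENTIALS_URL = "https://api.nordvpn.com/v1/users/services/credentials"

NORDLYNX_ADDRESS = "10.5.0.2/32"                    # same for every NordLynx client
NORDVPN_DNS = ("103.86.96.100", "103.86.99.100")    # NordVPN DNS servers
WIREGUARD_PORT = 51820


def fetch_json(url: str, token: str = ""):
    """GET a JSON document; with a token, authenticate like `curl -u token:TOKEN`."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if token:
        cred = base64.b64encode(f"token:{token}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def pick_wireguard_peer(servers: list) -> dict:
    """Extract endpoint and WireGuard public key from the first recommended server."""
    srv = servers[0]
    pubkey = None
    for tech in srv.get("technologies", []):
        if tech.get("identifier") != "wireguard_udp":
            continue                       # skip openvpn_* and other technologies
        for meta in tech.get("metadata", []):
            if meta.get("name") == "public_key":
                pubkey = meta["value"]
    if not pubkey:
        raise ValueError(f"{srv.get('hostname')} has no wireguard_udp public key")
    country = srv["locations"][0]["country"]
    return {
        "hostname": srv["hostname"],
        "endpoint_ip": srv["station"],     # the "station" is the server's IP
        "city": country["city"]["name"],
        "country": country["name"],
        "load": srv.get("load"),
        "public_key": pubkey,
    }


def render_wireguard_config(peer: dict, private_key: str) -> str:
    """Render the [Interface]/[Peer] file exactly as laid out in Step 2."""
    lines = [
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {NORDLYNX_ADDRESS}",
        f"DNS = {', '.join(NORDVPN_DNS)}",
        "",
        f"# {peer['hostname']} ({peer['city']}, {peer['country']}), load {peer['load']}%",
        "[Peer]",
        f"PublicKey = {peer['public_key']}",
        "AllowedIPs = 0.0.0.0/0",
        f"Endpoint = {peer['endpoint_ip']}:{WIREGUARD_PORT}",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample of a recommendations response (not real API output);
# the public key value is the one shown in the tutorial text above.
SAMPLE_RECOMMENDATION = [{
    "hostname": "us0000.nordvpn.com",
    "station": "192.0.2.10",
    "load": 12,
    "locations": [{"country": {"name": "United States", "city": {"name": "New York"}}}],
    "technologies": [
        {"identifier": "openvpn_udp", "metadata": []},
        {"identifier": "wireguard_udp",
         "metadata": [{"name": "public_key",
                       "value": "V1WC7wt34kcSDyqPuUhN56NJ0v+GlqY9TwZR5WlzzB4="}]},
    ],
}]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:      # live run: python nord_wg.py TOKEN
        servers = fetch_json(RECOMMENDATIONS_URL)
        key = fetch_json(CREDENTIALS_URL, sys.argv[1])["nordlynx_private_key"]
    else:                       # offline demo on the constructed sample
        servers, key = SAMPLE_RECOMMENDATION, "<PrivateKey from Step 2>"
    print(render_wireguard_config(pick_wireguard_peer(servers), key), end="")
```

Run it with your token as the only argument to print a ready-to-use config; without an argument it renders the constructed sample. The script never writes the private key to disk; redirect its output only into a file you will delete after pasting the values into OPNsense.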
Step 3. Create a Backup of System Configuration
- It is essential to back up your configuration before changing VPN, routing and firewall settings: if anything goes wrong, a backup file lets you restore your settings in a minute. Consider automating this with the Google Drive API; I have a step-by-step tutorial on backing up your configuration for a system failure or a restore here: https://sysadmin102.com/2024/03/opnsense-automatic-configuration-backup-with-google-drive/.
- Go to System ‣ Configuration ‣ Backups and click Download configuration.
Step 4. Create a WireGuard Peer
- Go to VPN ‣ WireGuard ‣ Peers
- Click + to add a new Peer
- Configure the Peer as follows (if an option is not mentioned below, leave it as the default):
- Public Key: obtain and insert this key from Step 2.
- Allowed IPs: 0.0.0.0/0,::/0 # route everything
- Endpoint Address: insert the address from Step 2.
- Endpoint Port: 51820 (the port after the colon in the Endpoint from Step 2).
- Instances: Nothing selected.
- Keepalive interval: 25
- Save.
Step 5. Create a WireGuard Instance
- Go to VPN ‣ WireGuard ‣ Settings ‣ Instances
- Click + to add a new Instance
- Configure the Instance as follows (if an option is not mentioned below, leave it as the default):
- Advanced mode: Toggled on.
- Name: WG_NordVPN (or whatever you choose).
- Public Key: Leave blank. It is derived from your Private Key.
- Private Key: Obtain from Step 2.
- MTU: 1420 (WireGuard default) or 1412 when connecting over a PPPoE network (like most DSL connections).
- DNS Servers: 103.86.96.100,103.86.99.100 (NordVPN DNS servers).
- Tunnel Address: 10.5.0.2/32 (the same for all NordVPN tunnels).
- Peers: Select the peer that you created in Step 4.
- Gateway: an unused address next to the tunnel address, for instance 10.5.0.3 when the tunnel address is 10.5.0.2/32. OPNsense uses it only as the next-hop placeholder for the gateway you create in Step 7; nothing has to answer on it.
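OPNsense fills in the instance's public key by computing X25519(private key, 9), the same Curve25519 base-point multiplication WireGuard itself uses. Doing that derivation offline is a quick way to check that the private key you pasted from Step 2 is intact: if the public key OPNsense shows after saving differs from the one you derive, the paste was corrupted or truncated. The following is an added example, not code from the tutorial, OPNsense or NordVPN; it implements the RFC 7748 Montgomery ladder in plain Python (not constant time, so it is a verification aid, not a production implementation) and validates the base64/32-byte shape of WireGuard keys.

```python
import base64

# Curve25519 parameters from RFC 7748: field prime and (A - 2) / 4.
P = 2**255 - 19
A24 = 121665
KEY_LEN = 32  # WireGuard keys are 32 raw bytes, base64-encoded (44 chars)


def decode_wg_key(key_b64: str) -> bytes:
    """Decode a WireGuard key, rejecting anything that is not 32 bytes of valid base64."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("key is not valid base64") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected {KEY_LEN}")
    return raw


def is_valid_wg_key(key_b64: str) -> bool:
    """True if the string has the shape of a WireGuard key (catches truncated pastes)."""
    try:
        decode_wg_key(key_b64)
        return True
    except ValueError:
        return False


def _clamp(scalar: bytes) -> int:
    """decodeScalar25519 from RFC 7748: clear low 3 bits and bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """X25519 scalar multiplication using the Montgomery ladder of RFC 7748 section 5."""
    k = _clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)  # mask the top bit
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                   # conditional swap of the two points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = u * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(KEY_LEN, "little")


def wg_public_key(private_key_b64: str) -> str:
    """Public key that WireGuard (and OPNsense) derive from a private key: X25519(priv, 9)."""
    priv = decode_wg_key(private_key_b64)
    base_point = (9).to_bytes(KEY_LEN, "little")
    return base64.b64encode(x25519(priv, base_point)).decode()


if __name__ == "__main__":
    import getpass
    key = getpass.getpass("PrivateKey from Step 2: ")   # never echoed or logged
    print("derived PublicKey:", wg_public_key(key))
```

Paste the private key at the prompt and compare the printed value with the Public Key field OPNsense displays after you save the instance. The output of this routine is verified against the Alice key pair in RFC 7748 section 6.1, so a mismatch points at the pasted key rather than at the math.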
Step 6. Assign an Interface to WireGuard
- Go to Interfaces ‣ Assignments
- Select WireGuard – WG_NordVPN (wg0 if this is your first instance) in the dropdown.
- Add a description (e.g. WG_NordVPN).
- Click Add to add it, then click Save.
- Select your new interface under the Interfaces menu and configure it as follows (if an option is not mentioned below, leave it as the default):
- Enable Interface: checked.
- Prevent interface removal: checked (optional).
- Save.
- Apply changes.
Step 7. Create a Gateway
- Go to System ‣ Gateways ‣ Configuration
- Click + to add a new Gateway.
- Configure the Gateway as follows (if an option is not mentioned below, leave it as the default):
- Name: WAN_NordVPN (the rules in the later steps reference this name).
- Interface: WG_NordVPN (the interface assigned in Step 6).
- Address Family: IPv4.
- IP Address: the Gateway address you set on the instance in Step 5 (10.5.0.3 in this example).
- Far Gateway: Checked (the address is not on a directly connected subnet).
- Disable Gateway Monitoring: Unchecked.
- Monitor IP: an address that is reachable only through the tunnel, for example 103.86.96.100 (NordVPN DNS from Step 2). Do not use the WireGuard Endpoint IP here: OPNsense installs a host route to the monitor address via this gateway, and routing the endpoint into its own tunnel breaks the encrypted transport.
- Save, then Apply changes.
Step 8. Create an Alias for local Host(s)/Net(s)
- Go to Firewall ‣ Alias.
- Click + to add a new alias.
- Configure the Alias as follows (if an option is not mentioned below, leave it as the default):
- Name: WG_NordVPN_Tunnel (or whatever you choose).
- Type: Host(s) for one or more individual hosts, or Network(s) if you want to tunnel a whole subnet.
- Content: the IP addresses or subnets of the local devices that should use the VPN.
- Description: Local hosts/nets that will access the tunnel (optional).
- Save.
- Repeat the same step to create a second Alias for all local (private) networks.
- Configure the Alias as follows (if an option is not mentioned below, leave it as the default):
- Name: RFC1918_Networks
- Type: Network(s)
- Content:
- 192.168.0.0/16
- 10.0.0.0/8
- 172.16.0.0/12
- Description: All local (RFC1918) networks
- Save.
- Apply.
Step 9. Create a LAN Firewall Rule
- Go to Firewall ‣ Rules ‣ LAN
- Click Add to add a new rule
- Configure the LAN Rule as follows (if an option is not mentioned below, leave it as the default):
- Action: Pass.
- Source: WG_NordVPN_Tunnel (the first alias you created in Step 8).
- Destination / Invert: Checked.
- Destination: RFC1918_Networks (the second alias you created in Step 8), so only traffic leaving your local networks is sent into the VPN and local traffic keeps working.
- Gateway: WAN_NordVPN (the gateway from Step 7). This is what policy-routes the matching traffic into the tunnel instead of the default WAN.
- Set local tag: NO_WAN_EGRESS (optional, used by the VPN kill switch in Step 12).
- Save, then drag the rule above the default "allow LAN to any" rule and Apply changes.
- LAN rules are evaluated on a first-match basis by default (i.e. the action of the first rule to match a packet is executed). This means that if you use block rules, you have to pay attention to the rule order. Everything that is not explicitly passed is blocked by default.
- Disable the default "allow LAN IPv6 to any" rule by clicking its enable/disable toggle. At the time of writing, NordVPN did not support IPv6 routing on routers, so any IPv6 traffic you allow out bypasses the tunnel and causes an IPv6 leak.
Step 10. Create a Floating Firewall Rule to route traffic to the VPN gateway
- Go to Firewall ‣ Rules ‣ Floating
- Click Add to add a new rule
- Configure the Floating Rule as follows (if an option is not mentioned below, leave it as the default):
- Quick: Unchecked.
- Source: WG_NordVPN address
- Destination / Invert: Checked.
- Destination: WG_NordVPN net
- Gateway: WAN_NordVPN.
- Allow options: checked.
- Save the rule, and then click Apply changes
Step 11. Create an Outbound NAT Rule
- Go to Firewall ‣ NAT ‣ Outbound
- Select "Hybrid outbound NAT rule generation" if it is not already selected, click Save and then Apply changes.
- Click + to add a new manual rule and configure it as follows (if an option is not mentioned below, leave it as the default):
- Interface: WG_NordVPN
- Source Address: WG_NordVPN_Tunnel (the first alias you created in Step 8).
- Translation / target: Interface address (tunnelled hosts leave the router as 10.5.0.2).
- Description: Outbound rule for NordVPN (optional).
- Save and Apply changes.
Step 12. Create a VPN Kill Switch (optional)
- Go to Firewall ‣ Rules ‣ Floating
- Click Add to add a new rule
- Configure the Floating Rule as follows (if an option is not mentioned below, leave it as the default):
- Action: Block
- Quick: Checked
- Interface: WAN
- Direction: Out
- Description: VPN Kill Switch
- Match local tag: NO_WAN_EGRESS
- Save, then Apply changes.
- Only packets that matched the LAN rule from Step 9 carry the NO_WAN_EGRESS tag, so devices outside the WG_NordVPN_Tunnel alias are unaffected. Test the kill switch before relying on it: disable the WireGuard instance (VPN ‣ WireGuard ‣ Instances) and confirm that hosts in the alias lose internet access instead of falling back to the WAN, then enable it again.
Ways to support my channel
If you think this tutorial is helpful, please support my channel by subscribing to my YouTube channel or using the affiliated links below (Full Disclaimer). I will get a small commission from your purchase to grow my channel:
🚀 NextDNS: https://nextdns.io/?from=btsm4vsx
🚀 Things I used for my server: https://amzn.to/3hudohP
🚀 Tools I used: https://amzn.to/3uXaSUr
🚀 Devices I used: https://amzn.to/3FYlfxk
🚀 Networking/Cybersecurity/Programming Books: https://amzn.to/3HEYwb0
🚀 TrueNAS HBA SAS controller IT Mode from the Art of Server: https://ebay.us/cBWEvJ