OPNSense OpenVPN Instances and NordVPN Clients

Ever since I switched from a Juniper SRX to an OPNsense firewall, I've been able to use a VPN provider to get around certain geofenced websites (mostly news outlets in other countries). OPNsense has the option to create OpenVPN client tunnels, and by creating firewall policies you can direct traffic to a different destination (gateway).

My VPN provider (NordVPN) has a nice support page on how to achieve this, but it's based on a relatively old OPNsense version (v21). Since the release of v24, client OpenVPN configurations can (also) be done through instances, and the old way is being deprecated (and gone in v26.1).

Legacy OpenVPN client deprecation warning

In case you're wondering why I have two different client VPNs with different protocols and ports… Well, that's because if you have multiple client VPNs from the same provider based on the same protocol and port, the routing in OPNsense won't work properly. When I make sure that I have selected different protocols and ports for the individual client VPNs, everything works fine. You just need to find VPN servers that operate on a different protocol and port.

I tried to convert my legacy VPN clients to instances in the past, but was unable to do so. Mainly because the way of configuring is very different, and the documentation is not up to par if you ask me.

This week I ran into a Reddit post with a reference to a YouTube video in which OpenVPN client instances on OPNsense were explained. Not with NordVPN, but it had enough info for me to try again, and SUCCEED!!!!

One piece of advice before you start. First, make a backup of the OPNsense firewall. Second, document all the current legacy settings of the VPNs, interface(s), gateway(s), NAT rule(s) and firewall rule(s). The reason for that becomes clear with the third step: remove all legacy OpenVPN clients and related settings (interfaces, gateways, NAT rules). The firewall rules (when using policy-based routing through the OpenVPN gateway) can remain in place, but change the gateway to the default, or something similar. After recreating everything, the firewall rules can be modified to reflect the new gateway(s).

Initially, I didn't do the third part and it left me troubleshooting for over an hour. It turned out I was re-using an interface left behind from the legacy VPN client in the NAT and gateway settings, and that doesn't work. If all goes well, the entire migration takes less than 15 minutes (for 2 client OpenVPN connections).

The backup is just for good measure, so that you can always go back to a working environment.

The configuration explained in the NordVPN manual and the video can be used for importing the Trusted CA, creating the interface(s), gateways etc. Only the part about the actual client VPN is different. Those settings are explained below. I'll assume that you've downloaded a NordVPN config file, because most of the info needed is in there. Just open the ovpn file with a text editor to extract the relevant info.

Below is a (shortened) sample of an OpenVPN config file (ovpn):

client
dev tun
proto udp
remote 194.##.##.## 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
verify-x509-name CN=#####.nordvpn.com

remote-cert-tls server

auth-user-pass
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
[...]
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
[...]
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----
</tls-auth>

First you need to create a static key reference.

Authentication Static Keys

Click the add (+) button to create a key. Give it a relevant name (e.g. tls-auth-key), set the mode to auth and paste the text block (starting with -----BEGIN OpenVPN Static key V1----- and ending with -----END OpenVPN Static key V1-----) from the ovpn config file.

Creation of the Static Key

After creating the Trusted CA, the Client VPN can be created. Make sure you enable the advanced mode.

OpenVPN client configuration details

  • Role: Client

  • Description: Something fancy 😁

  • Protocol: UDP or TCP (it's on the proto line in the ovpn file)

  • Port number: 1194 (at the end of the line starting with remote)

  • Remote: FQDN or IP address of the remote NordVPN server (the name or IP address on the remote line in the ovpn file)

  • Certificate Authority: The name of the Trusted CA you created earlier following the manual/video

  • TLS Static Key: Select the Static Key created earlier.

  • Auth: a setting also present in the ovpn config file (line starting with auth)

  • Username/Password: get those from your NordVPN account panel.

  • Miscellaneous options: route-nopull
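To make the mapping from ovpn file to instance form less error-prone, here is an added example (not from the post, NordVPN or the OPNsense project) in Python: it pulls the proto, remote host/port, auth and the inline ca and tls-auth blocks out of an .ovpn file and prints them under the field names used in the list above. It also checks, for the reason given earlier in the post, that two client configs do not share the same protocol and port. The sample config, server address, certificate and static key bodies are constructed placeholders, as is the second (TCP/443) config derived from it.

```python
import re
from collections import Counter

# Constructed sample modelled on the shortened NordVPN config shown in the post.
# Address, certificate and static key bodies are placeholders, not real material.
SAMPLE_OVPN_UDP = """\
client
dev tun
proto udp
remote 194.0.0.1 1194
resolv-retry infinite
remote-random
nobind
persist-key
persist-tun
verify-x509-name CN=placeholder.nordvpn.com

remote-cert-tls server

auth-user-pass
verb 3
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Second constructed config: same server family, but TCP on 443.
SAMPLE_OVPN_TCP = SAMPLE_OVPN_UDP.replace("proto udp", "proto tcp").replace("1194", "443")


def parse_ovpn(text):
    """Split an .ovpn file into 'key value' options and inline <tag>...</tag> blocks."""
    fields, inline = {}, {}
    current, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                      # inside an inline block
            if line == f"</{current}>":
                inline[current] = "\n".join(buf)
                current, buf = None, []
            else:
                buf.append(raw)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)       # start of <ca>, <tls-auth>, ...
        if m:
            current = m.group(1)
            continue
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields, inline


def pem_block(blob, label):
    """Return only the -----BEGIN label----- ... -----END label----- part of a block,
    dropping the '#' comment lines NordVPN puts above the static key."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    start = blob.index(begin)
    stop = blob.index(end) + len(end)
    return blob[start:stop]


def instance_settings(text):
    """Map the ovpn options onto the OPNsense instance fields listed in the post."""
    fields, inline = parse_ovpn(text)
    host, _, port = fields["remote"].partition(" ")
    return {
        "Role": "Client",
        "Protocol": fields["proto"].upper(),
        "Port number": int(port),
        "Remote": host,
        "Auth": fields["auth"],
        # The CA PEM is what you import as the Trusted CA; the form then takes its name.
        "Certificate Authority (PEM to import)": pem_block(inline["ca"], "CERTIFICATE"),
        # key-direction 1 with a tls-auth block -> static key in 'auth' mode.
        "TLS Static Key mode": "auth",
        "TLS Static Key": pem_block(inline["tls-auth"], "OpenVPN Static key V1"),
        "Miscellaneous options": "route-nopull",
    }


def transport_collisions(configs):
    """Return (protocol, port) pairs used by more than one client config; the post
    notes that OPNsense policy routing misbehaves when two clients share one."""
    seen = Counter((s["Protocol"], s["Port number"])
                   for s in (instance_settings(c) for c in configs))
    return sorted(pair for pair, n in seen.items() if n > 1)


if __name__ == "__main__":
    for name, value in instance_settings(SAMPLE_OVPN_UDP).items():
        print(f"{name}: {value}")
    print("collisions:", transport_collisions([SAMPLE_OVPN_UDP, SAMPLE_OVPN_TCP]))
```

Run it against your own downloaded files by reading them into strings in place of the constructed samples; an empty collision list means the two clients can be told apart by the routing, as the post describes.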

Save the client VPN configuration and enable the client VPN.

Enable the OpenVPN client

The OpenVPN Connection Status should reflect the connection status of the configured VPNs. In order for the traffic counters to increase, you have to (re)create the rest of the components as well.

OpenVPN Connection Status

This is all that is needed to create the OpenVPN client on OPNsense. Of course, there's still more to do if you actually want to use it (like creating the interface, gateway, NAT settings and firewall policies), but those are well documented in other (official) documentation and/or YouTube videos.

If you're migrating from the legacy setting, you can easily switch to the new VPN by assigning the newly created OpenVPN instance to your existing interface:

  • Navigate to Interfaces > Assignments;

  • Find your *existing* NordVPN interface;

  • Assign the interface to the new OpenVPN instance device;

  • (Optional) Disable the old legacy OpenVPN client so that you can be sure that you're using the new OpenVPN instance

By the way, the killswitch option in the video using tags was something I didn't know, but I have incorporated that as well in my setup.

Special thanks to u/Enderby for testing and providing feedback.

Posted on March 27, 2025 and filed under Security, Tips'n Tricks, Opnsense.