I will describe how I have setup my pFsense and ESXi network settings to allow all internet traffic generated by a certain (or more) VM’s to be routed trough the VPN connection whilst maintaining LAN communication between all VM’s.

Preparing network structure in ESXi

This can be skipped for now, i’ll update this section when i have found the best way to separate all LAN and VPN traffic

Adding a new LAN network to be used for all (virtual) machines connected via VPN.

This can be skipped for now, i’ll update this section when i have found the best way to separate all LAN and VPN traffic

Go to Interfaces -> Assignments and select the newly connected Network card (check the MAC address to be sure) click Add.

Adding NordVPN as a client to pFsense

Download the server certificates list here servers.zip and unzip the .key and .crt file from the server you choose to connect to. I’m choosing a seemingly random server NL30. In pFsense go to System > Cert Manager and add a new CA. Enter NordVPN_NL30_CERT or anything you like as a descriptive name. Select Import an Existing Certificate Authority as a method and paste the content of the file nl30_nordvpn_com_ca.crt under certificate data.

Six simultaneous connections can be made with NordVPN servers on a single account. However, only one connection to a single server can be made per account. So we’ll use the following:
Akira NL111
Cctl01 SE125
Witte NL31
Thedon NL32
Mol NL66

-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIJAIAZH5smtw/jMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmwzMC5ub3JkdnBu
LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
dnBuLmNvbTAeFw0xNjEwMDUwNjMxMzVaFw0yNjEwMDMwNjMxMzVaMIGdMQswCQYD
VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmwzMC5ub3JkdnBu
LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
dnBuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALPoUpIvyUk5
bBe4Tjiu+/L5RB3D1MU8XWhT24maZxKu9nyPx1T+rKGsRfhx7ugRjHX+xX+xZXQg
Ke4b2SxCs0EJXdORHA8xSgL7rHBy8estyVGt31VKvKRancdDXVZ/nHCZgVT+mkF7
x2mQ69YSOiUCtOitExti546g+yd+o1U/wv5l7mycYYK0w5UDWIMA9dbtnGGKZdI3
lGx7t84lQWaOoRarGvIRTLVTst+vnynd+6vSfFIv5ELhDGpzxkAuHNUHaGXQXRLr
b7aOiNY5nHROTX3SpRl3YhK9bvr2W5vj4hu3JETIhexqZp1cexNxuEc7nTAQQ4/o
++tvmoOwUUECAwEAAaOCAQYwggECMB0GA1UdDgQWBBSt5kJdrGAZcFy95fTZWELd
PiDRKDCB0gYDVR0jBIHKMIHHgBSt5kJdrGAZcFy95fTZWELdPiDRKKGBo6SBoDCB
nTELMAkGA1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAO
BgNVBAoTB05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGTAXBgNVBAMTEG5sMzAu
bm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNl
cnRAbm9yZHZwbi5jb22CCQCAGR+bJrcP4zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQA3Gj4y3rIYk+BJnTfrSvt3+UlIRIknkBSPS8LVPFV6SBgjTdfc
p9duVEXiiAkdGxQJieMmUBSeOQKk7mPVxYUyFSQyQ7S0Q5P68kgKlv/yH4w1NESY
ZXjOM4f9JBlpCRB43kt/jjL4c++0LZ0HbYhRQFxGfj5+U+t2tjwQCrd3Z1tjfKCf
n/vASN92cPiHAxLiGQIXoTMxLGDGX7SksaJBMj510tRhvhb0FlPZSuv3uFnLckwW
IYjqkmGblQprauOl1TaP7ZhBrClGDGzGH2rDPGBJdkMxB49bgbX9em7278+lg8/9
22Y0v1LeuBUaNyZX5jxMv7RUTDZzXXILw70N
-----END CERTIFICATE-----

Now to add the VPN connection go to VPN > OpenVPN > Clients and add a new connection. Fill in the fields:

Disable this client: leave unchecked.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP (you can also use TCP);
Device mode: TUN;
Interface: WAN;
Local port: leave blank;
Server host or address: nl30.nordvpn.com;
Server port: 1194;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy authentication extra options: Authentication method: None;
Server host name resolution: check Infinitely resolve server;
Description: Any name you like. In our case it was nordvpn nl30
USER AUTHENTICATION SETTINGS
User name/pass: Your NordVPN username / your NordVPN password.
CRYPTOGRAPHIC SETTINGS
TLS Authentication: Check
Automatically generate a shared TLS authentication key: Uncheck

Paste the content of the file nl30_nordvpn_com_tls.key in the TLS Key field.

-----BEGIN OpenVPN Static key V1-----
eeb4bcd5209ae77161329608314b45b1
0124e40963c764a55008423c6762a098
dcda2d021f59a89e4c9e3a3b588a193c
39025830f61bdee82b1557fc58734034
50d6315b6ed33513e4139b14de59c055
6bec976330c53a6ecc72aad56fa5d4b8
88af7e56e5bd5b74cc30863192e04cfa
c01d0f4ca7713c202d3568098c7a0d88
01de789e8f50cfda2cb38bc2aa27ce36
8e5b6aac7d6ce6c0024c1770d43c8de8
ba9d4cae9f3594896439aaa687a74121
1cbeadcab20b9ad353eb0715090b1a62
dd1fd101dea40c5e2e7654b83b32a14a
4db3bd3b9a7ffe276be319b2933e8c7a
5f7a27ddf29ad1ffa460d22b34342264
5921aae8239bb3b0d6374b3a3fc6ccc2
-----END OpenVPN Static key V1-----

Peer certificate authority: NordVPN_NL30_CERT
Client certificate: webConfigurator default (557de1a2a90c7)(Server: Yes, In Use) (please note that the numbers on your machine could be different);
Encryption algorithm: AES-256-CBC (256-bit);
Auth digest algorithm: SHA1 (160-bit); (On newer servers, this would be SHA-512)
Hardware crypto: No hardware crypto acceleration. If your pFsense host supports hardware crypto feel free to use it.

TUNNEL SETTINGS

IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network/s: leave blank;
IPv6 remote network/s: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
Topology: Subnet – One IP address per client in a common subnet
Type-of-service: leave uncheked;
Disable IPv6: check Don’t forward IPv6 traffic;
Don’t pull routes: check;
Don’t add/remove routes: leave unchecked.

ADVANCED CONFIGURATIONS

Custom Options:

tls-client;
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;

Verbosity level: 3 (recommended);

Click Save.

Go to to Interfaces -> Interface Assignments and Add NORDVPNNL30 interface.

Click the interface name to edit the settings and complete as below:

Description: nordvpn nl30
IPv4 Configuration Type: None
IPv6 Configuration Type: None
Mac Address: leave blank
MTU: leave blank
MSS: leave blank
Block private networks and loopback addresses: Check
Block bogon networks: Check
At the bottom and press “Save”

Back on the home screen you should now see the VPN interface receives an IP address.

Navigate to Firewall -> NAT -> Outbound and select “Hybrid Outbound NAT rule generation”. Press “Save“. Then rules will appear.

Add a new mapping Select
Interface NORDVPNNL30
Protocol Any
Source Network Source network [lan_subnet]/24
Destination Any
Address Interface Addres
Description NAT for LAN to NORDVPN

Add a new mapping Select
Interface NORDVPNNL30
Source Network Source network 127.0.0.0/8
Destination Any
Address Interface Addres
Description NAT for Local to NORDVPN

Finally we need to set the VPN connection as the gateway for all outgoing connections from the vm’s and/or pc’s we want. And block all other data coming from those hosts. To be able to apply one set of rules for all hosts we’ll setup aliases. Go to Firewall -> Aliases  and click Add to create a new alias. Give a Name “NordVPN_group” and add all the ip’s of computers you want to connect to the internet via VPN.

Finally we need to apply some firewall rules under the LAN interface. Go to Firewall -> Rules -> LAN and add a new rule with the following settings.

Action Pass
Adress Family IPv4
Protocol Any
Source Single host or alias > NordVPN_group
Destination any
Tag NO_WAN_EGRESS
Gateway NORDVPNNL30_VPNV4 –

Save the rule.

Create another rule above the previous with the following settings

Action Block
Address Family IPv6
Protocol Any
Source Single host or alias > NordVPN_group
Description Drop Nord group ipv6 traffic
Tag NO_WAN_EGRESS

Save the rule.

Create another rule above the previous with the following settings

Action Block
Address Family IPv4
Protocol TCP/UDP
Source Single host or alias > NordVPN_group
Destination This firewall (self)
Destination Port Range DNS (53)
Description Block VPN local DNS leak
Save the rule.

Save and apply everything. Your rule set should look similar to this.

Finally to block all trafic from the hosts that is not routed over the vpn (for instance DNS requests when the VPN goes down. We need to add a floating rule blocking all traffic tagged with “NO_WAN_EGRESS”.

Go to Firewall > Rules > Floating and add a new rule with the following parameters:

Action Block
Interface WAN
Direction any
Address Family IPv4+IPv6
Protocol Any
Description disable WAN_EGRESS
Under advanced options
Tagged NO_WAN_EGRESS

Save the rule.

Now all internet traffic generated by this computer should take place via the VPN connection.

To test the functioning of the VPN and the “Kill Switch” I recommend pinging a website from a host that uses the VPN connection. While the ping is running disable the VPN connection by going to VPN > OpenVPN > Clients Edit the nordVPN connection. Check the Disabled box and Save. The ping should stop immediately, if it does not something is wrong in the setup. Finally if you have an internet browser in any of the connected clients I recommend you check DNS leak protection on https://www.dnsleaktest.com/ the test should not be able to detect your ISP.