Multiple OpenVPN clients, same VPN provider, duplicated virtual IP

Expected behavior:

· I have three OpenVPN clients established between my pfSense and NordVPN, to different regions
· I have different VLANs set up to route traffic to those connections using a firewall rule; traffic is indeed routing out via the VPNs
· NAT rules are configured

What’s actually happening:

It would appear each client has been given the same 'Virtual Address' or gateway; this appears to be acting as load balancing or similar logic. Even though I have a rule to force traffic from VLAN64 to Nord's Ukraine server, it actually goes out the Australia Nord connection, unless I stop the (Australian) connection.

I did see some posts suggesting this is caused by using the same CA/TLS cert on multiple connections. I've tried unchecking pull routes within the client config; no change after restarting the services.

I received the following response from Nord. (I'm using OPNsense, but have the exact same issue.)

Thank you for your reply.

Unfortunately, connecting multiple clients is no longer possible, as all profiles will assign the same internal address.

Our developers have informed us that this was done to improve a known security vulnerability, but have not yet provided the full details, so I would not be able to give an in-depth explanation of why the change was made right now.

Let me know if you need any further assistance!

I tried to do a support chat with NordVPN and basically what they told me is that I should open a ticket with Netgate. :blush:
I went as far as telling them that I use a different VPN provider and I don't have that issue. Hopefully they give me a different answer.
Even the Windows Nord app gives me a 10.100.0.2 IP address.

Forget the virtual address. OpenVPN is generally a tunneled protocol: that means the OVPN connection shows up to the OS as a NIC, and traffic can be routed down it. Chances are every connection to every NordVPN customer everywhere has 10.100.0.2. If you're using 10.100.0.1 or something like that in your rule, it's not gonna work.

What I think you'd have to do is, for each OpenVPN connection, go to Interfaces > Assign and 'enable' each connection. Leave all the settings blank, just enable it. Then on the Routing > Gateways page you can define 3 copies of 10.100.0.1 (or whatever), but make sure each one has an interface assigned as well. Then you can use firewall rules to distribute traffic to those 3 gateways and it should select the right one.

You guys are all late to the party. That's the first thread about the problem: https://www.reddit.com/r/PFSENSE/comments/1c5brk5/two_tunnels_same_gateway/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

They changed the config on their servers. The virtual address is set on the server side only, and it will not work with pfSense or OPNsense if they get the same IP. You can't do anything about it; that's just how OpenVPN works. You can try setting one connection to OpenVPN and a second with WireGuard (but I didn't test it). Now NordVPN is unusable for me, so I will try a chargeback with my bank since their support can't help with it (they didn't even know about this change a month ago). Support doesn't know how an OpenVPN connection works, that being said; they need to contact an engineer :). Sorry for my English, hope you can understand it. Good luck guys.

Found this on the Netgate forum…

He later goes on to say that the route-to address can't be the same as the native virtual address, but other than not doing that, it seems to work… going to try it.

After 2 weeks of tinkering, I found this post and, as disappointed as I am, at least now I know there is no way to do it. I will definitely be changing VPN providers; the problem is all of our family members have it and, apart from this issue, it works well. What a strange decision by NordVPN!

A few months ago I noticed the virtual address was the same for each of my VPNs, and I utilised selective routing for different VLAN traffic.

After reading this thread and then contacting Nord, I had the below response.

"Due to a recent change to our infrastructure, unfortunately, establishing multiple VPN tunnels simultaneously is no longer possible.

While the change to limit connections available through OpenVPN tunneling protocol through one address, namely 10.100.0.2, was implemented due to security concerns and the measure is necessary to properly investigate it, we understand the inconvenience this may have caused.

Sadly, currently, there is no workaround to set up a few different profiles."

Since they have changed their infrastructure with no workaround, I have cancelled my subscription and am looking to use another supplier.

Interesting, thanks.
At least it’s a known issue and not just a couple people.

This is incredibly frustrating. This worked perfectly until recently, then just stopped working because of this change on their end. Would have been nice had they let us know what was going on…

Thanks for sharing this. Did they communicate further on if or when it will be restored like in the old days? I feel like this is a cost-cutting measure because they are now forcing you to connect to the same server.

Thank you for this! I thought I was going crazy since I couldn't figure out why my setup wouldn't work that way anymore…

Did Nord ever reply with a solution? I am at least very happy I found this thread, as I've been going crazy thinking this was a pfSense config issue. And nobody has figured out a pfSense kludge around it?

Interesting, I'll see how they go. I still don't fully understand the issue. I tried selecting

Don't pull routes & Don't add/remove routes; somehow the OpenVPN client is still grabbing '10.100.0.2'.
All part of homelab I guess, learning new things.
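An added example (mine, not code from the thread, from pfSense or from NordVPN) covering two points made above: the earlier reply's note that each OpenVPN connection shows up as its own NIC, so the path can be bound to the interface rather than to the shared gateway IP, and the observation just above that 'Don't pull routes' still leaves the client on 10.100.0.2. It parses constructed OpenVPN client log lines (the `TUN/TAP device ... opened` and `PUSH: Received control message: 'PUSH_REPLY,...'` shapes are what OpenVPN 2.x clients log; the addresses, region names and ovpncN device names are assumptions that mirror the thread), filters the pushed options the way `--route-nopull` does (the virtual address is pushed via `ifconfig`, which `--route-nopull` does not discard; the exact drop set is modeled from the OpenVPN manual and is an assumption), flags the shared virtual address, and renders interface-bound pf `route-to` rules in plain pf syntax, refusing the case the Netgate forum post warns about (a `route-to` address equal to the tunnel's own virtual address). It runs offline on the embedded sample.

```python
"""Spot a shared, server-pushed OpenVPN virtual address across client instances and render
interface-bound pf route-to rules. The address arrives in PUSH_REPLY ('ifconfig ...'), so
pfSense's "Don't pull routes" (--route-nopull) does not change it. Sample logs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Option = Tuple[str, List[str]]

# Line shapes OpenVPN 2.x clients log; one client process per pfSense ovpncN instance.
TUN_RE = re.compile(r"TUN/TAP device (?P<dev>\S+) opened")
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<opts>PUSH_REPLY,[^']*)'")

# Pushed options --route-nopull discards (modeled from the OpenVPN manual; exact set is an
# assumption). 'ifconfig' and 'route-gateway' are NOT here: the client still applies them.
ROUTE_NOPULL_DROPS = {"route", "route-ipv6", "redirect-gateway", "dhcp-option", "block-outside-dns"}

@dataclass
class ClientState:
    name: str
    dev: Optional[str] = None            # local tun device, unique per instance
    virtual_addr: Optional[str] = None   # server-assigned tunnel address
    route_gateway: Optional[str] = None  # server-assigned next hop
    applied: List[Option] = field(default_factory=list)

def parse_push_reply(opts: str) -> List[Option]:
    """'PUSH_REPLY,route-gateway 10.0.0.1,ifconfig A M' -> [(name, args), ...]."""
    out: List[Option] = []
    for item in opts.split(",")[1:]:
        parts = item.strip().split()
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def apply_pushed(opts: List[Option], route_nopull: bool) -> List[Option]:
    """Keep only what the client would apply, with or without --route-nopull."""
    if not route_nopull:
        return list(opts)
    return [(n, a) for n, a in opts if n not in ROUTE_NOPULL_DROPS]

def summarize_client(name: str, lines: List[str], route_nopull: bool = False) -> ClientState:
    st = ClientState(name)
    for line in lines:
        m = TUN_RE.search(line)
        if m:
            st.dev = m.group("dev")
            continue
        m = PUSH_RE.search(line)
        if m:
            st.applied = apply_pushed(parse_push_reply(m.group("opts")), route_nopull)
            for n, a in st.applied:
                if n == "ifconfig" and a:
                    st.virtual_addr = a[0]
                elif n == "route-gateway" and a:
                    st.route_gateway = a[0]
    return st

def duplicate_virtual_addresses(states: List[ClientState]) -> Dict[str, List[str]]:
    """Map each virtual address shared by more than one client to those clients."""
    by_addr: Dict[str, List[str]] = {}
    for s in states:
        if s.virtual_addr:
            by_addr.setdefault(s.virtual_addr, []).append(s.name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}

def route_to_rules(states: List[ClientState], vlan_to_client: Dict[str, str]) -> List[str]:
    """Render pf route-to rules: the tun interface, not the shared next hop, picks the path.
    Illustrative plain-pf syntax; pfSense generates its own ruleset from the GUI."""
    by_name = {s.name: s for s in states}
    rules: List[str] = []
    for vlan_if, client in vlan_to_client.items():
        s = by_name[client]
        if s.dev is None or s.route_gateway is None:
            raise ValueError(f"{client}: no tun device or route-gateway seen yet")
        if s.route_gateway == s.virtual_addr:  # the forum caveat: never route-to yourself
            raise ValueError(f"{client}: next hop equals the local virtual address")
        rules.append(f"pass in quick on {vlan_if} route-to ({s.dev} {s.route_gateway}) "
                     f"from {vlan_if}:network to any keep state")
    return rules

# Constructed sample: three instances, three regions, identical push (as the thread reports).
_PUSH = ("PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
         "dhcp-option DNS 10.0.0.53,route-gateway 10.100.0.1,topology subnet,ping 60,"
         "ping-restart 180,ifconfig 10.100.0.2 255.255.0.0,peer-id 0,cipher AES-256-GCM'")
SAMPLE_LOGS: Dict[str, List[str]] = {
    "nord_au": ["TUN/TAP device ovpnc1 opened", _PUSH],
    "nord_ua": ["TUN/TAP device ovpnc2 opened", _PUSH],
    "nord_uk": ["TUN/TAP device ovpnc3 opened", _PUSH],
}

def check(logs: Dict[str, List[str]], route_nopull: bool) -> Dict[str, List[str]]:
    states = [summarize_client(n, l, route_nopull) for n, l in logs.items()]
    return duplicate_virtual_addresses(states)

if __name__ == "__main__":
    print("route-nopull: duplicates ->", check(SAMPLE_LOGS, route_nopull=True))
    states = [summarize_client(n, l) for n, l in SAMPLE_LOGS.items()]
    print("\n".join(route_to_rules(states, {"vlan64": "nord_ua", "vlan65": "nord_au"})))
```

With or without `route_nopull`, all three instances end up on 10.100.0.2, which is the behaviour the thread reports; what still differs per instance is the tun device name, which is why the rendered rules key on `(ovpncN, next-hop)` rather than on the gateway IP alone.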

Interesting, thanks. I'll have a tinker with routing.
pfSense is all about experimenting for me really, #homelab

I believe pfSense will not allow you to create more than 1 gateway with the same IP address.

I was struggling with this same issue for a couple of months now. This is something new with NordVPN; it used to hand out different virtual IPs, and if you somehow got a duplicate one, you'd just disconnect and reconnect the VPN until you had unique virtual IPs.

Still looking at it… on pfSense, unlike WG, OpenVPN forces the gateway address ("dynamic" is how it's referenced), so I don't see a way to override it… going to start a thread on the Netgate forum.

Have you been able to find an alternative yet? I'm in the same boat. I'm in the NordVPN trial phase, and I've been pleased with the speed, but not supporting multiple VPNs is the biggie that will cause me not to go with it.

I feel like this is a cost-cutting measure because they are now forcing you to connect to the same server. Is there any other reliable provider that still supports this?

No, I haven't heard anything else from Nord, but I also didn't press them on it. I think it's a lost cause, which sucks because I'm paid up for at least another year.