Hello all, back with another question.
I downloaded nordvpn-bin from AUR and I suspect this version is doing something that is messing with the ability to use a machine as a gateway, as I do with all my other VPN services. For some reason just Nord in particular isn't working as expected.
What I really need is someone who also has nordvpn to try and replicate these steps for me, would be amazing!
- Fresh Arch install, 192.168.0.200 local IP for example
- Install nordvpn-bin from AUR
- # sysctl net.ipv4.ip_forward=1
- Enabled NAT using the commands here: https://wiki.archlinux.org/title/Intern … Enable_NAT . My NIC is ens18 and nordvpn tunnel device is nordlynx.
# iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i ens18 -o nordlynx -j ACCEPT
- Internet forwarding seems to be working fine - client phone for testing using 192.168.0.200 as a gateway working for all traffic
- # systemctl start nordvpn
- use nordvpn CLI to login and then connect
- Connectivity on the server itself is all good, opening IP check page shows the VPN IP and everything is all as intended
However, now is where I am stuck, because when I go back to my phone and open web pages to test with - the traffic is still coming through as my unsecured public IP address and NOT the NordVPN address. Why?
Also, just in case I did the iptables commands in the wrong order (before the nordvpn tunnel is up vs. afterwards), I experimented with both ways; zero success still.
Traffic on the server itself = goes through VPN
Traffic sent to the server from another client trying to use it as a gateway = doesn't go through VPN
Hopefully this all makes sense
Thanks again Team Arch Linux!
First please make sure that your router doesn't provide your clients (e.g. your phone) with a globally routable IPv6 address and itself as the IPv6 router - thus enabling an IPv6 bypass.
Does your router provide the non-VPN IPv4 route? If yes - how did you configure your phone to use a different IPv4 gateway?
Hi thc!
IPv6 is disabled entirely on the router/DHCP server. It's a checkmark in Pi-hole and it's been disabled since day 1.
I thought maybe that would be the eureka moment, because I realized a few of these were indeed set to 1 by mistake:
[root@gateway-nord ~]# sysctl -a |grep 6 |grep forward
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.ens18.forwarding = 0
net.ipv6.conf.ens18.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.nordlynx.forwarding = 1
net.ipv6.conf.nordlynx.mc_forwarding = 0
but then I did
[root@gateway-nord /etc/sysctl.d]# sysctl net.ipv6.conf.default.forwarding=0
net.ipv6.conf.default.forwarding = 0
[root@gateway-nord /etc/sysctl.d]# sysctl net.ipv6.conf.all.forwarding=0
net.ipv6.conf.all.forwarding = 0
[root@gateway-nord /etc/sysctl.d]# sysctl -a |grep 6 |grep forward
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.ens18.forwarding = 0
net.ipv6.conf.ens18.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.nordlynx.forwarding = 0
net.ipv6.conf.nordlynx.mc_forwarding = 0
And crossed my fingers thinking this would be the hurrah! moment - but sadly - no. The Arch is still curling the correct NordVPN IP when I do it directly from that machine, but outside clients are not going through the VPN and public IP is displayed.
Does your router provide the non-VPN IPv4 route? If yes - how did you configure your phone to use a different IPv4 gateway?
I'm a newbie user and not 100% sure what this means so my apologies if this isn't what you asked. IPv6 Configuration is strictly set to DISABLED in NetworkManager altogether on both 'nordlynx' and 'Wired Ethernet 1 (ens18)'
So at this point there definitely should be no more IPv6 anywhere that's unchecked.
[root@gateway-nord ~]# nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.0.2
Whitelisted subnets:
192.168.0.0/24
Here are the nordvpn-bin settings as well - IPv6 disabled.
And then lastly you asked how I configured the phone to use a different gateway: I just always pick manual setup instead of DHCP and then assign myself an IP address, my Pi-hole as DNS server, and 192.168.0.200 (or any other of my several Arch gateway IPs) as the gateway, and it works amazingly for ALL other VPNs like my ProtonVPN and Windscribe. I can play Xbox Live and PSN through them even without any kind of bad lag etc., with super fast speeds.
https://i.imgur.com/Any28P1.jpeg
It's JUST nordvpn giving me trouble.
Maybe it's something to do with Routing: enabled in the nordvpn-bin client? But when I disable that, I have zero internet connectivity after VPN connection is established
Thanks again for reading all of this. I am available to provide any kind of output or debug needed! I would love to get this working.
Mod edit: Replaced oversized image with link -- V1del
Last edited by V1del (2023-09-05 19:41:19)
O.K. - no IPv6 bypass and no stale DHCP.
Please post the output of
ip route
without and with nordvpn enabled. If they are both the same, please post the output of
ip rule
without and with nordvpn enabled.
Hi thc!
default via 192.168.0.1 dev ens18 proto static metric 20100
192.168.0.0/24 dev ens18 proto kernel scope link src 192.168.0.200 metric 100
It is the same for both indeed. Then,
With NordVPN connected:
[root@gateway-nord ~]# ip rule
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xe1f1 lookup 205
32766: from all lookup main
32767: from all lookup default
With NordVPN disconnected and freshly rebooted, just so I can show the state it's in before nord is even executed:
[genji@gateway-nord ~]$ ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Happy to provide anything else as required, thanks again for your help
Last edited by genji (2023-09-05 21:04:36)
The NordVPN client uses "rule based" routing for packets destined for the default route:
- Every packet created (not forwarded) on the Arch box has no firewall mark (fwmark)
- The ip rule sends those packets as a special default route to the nordlynx interface
- Packets emerging from the nordlynx interface get the fwmark set by the VPN interface
- The packets with the fwmark (VPN tunnel packets headed for the NordVPN endpoint) are routed via the normal default route
Here's what I think happens:
- The packets forwarded from other clients emerge from the nordlynx interface with the fwmark set
- They get routed via the normal default route
In layman's terms: The forwarded packets are treated like packets that have already passed through the VPN client.
Last edited by -thc (2023-09-06 19:18:14)
I disabled the Firewall option and disabled the Routing option, and I made an error above when describing what happens when I do this: the tunnel goes up but no traffic is routed through it, that's all. I mistakenly said above that there's no connectivity, which is wrong; there's connectivity and the tunnel logs in and stays up, with the nordlynx device etc., but since no routing rules are issued, no traffic goes through it.
Since it is now fully disabled in the app itself, would it be possible to issue the commands manually? I know, for example, that when a WireGuard tunnel goes up it usually self-issues a series of ip commands. Is this the route that it's setting up, and how would I set it manually if so?
Thanks for your help
[root@gateway-nord ~]# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
[root@gateway-nord ~]# nordvpn settings
Technology: NORDLYNX
Firewall: disabled
Firewall Mark: 0xe1f1
Routing: disabled
Analytics: disabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.0.2
Whitelisted subnets:
192.168.0.0/24
[root@gateway-nord ~]# curl icanhazip.com
(my public IP)
[root@gateway-nord ~]# nordvpn connect canada
Connecting to Canada #1505 (ca1505.nordvpn.com)
You are connected to Canada #1505 (ca1505.nordvpn.com)!
[root@gateway-nord ~]# ping google.ca
PING google.ca (142.251.41.67) 56(84) bytes of data.
64 bytes from yyz10s20-in-f3.1e100.net (142.251.41.67): icmp_seq=1 ttl=118 time=5.38 ms
64 bytes from yyz10s20-in-f3.1e100.net (142.251.41.67): icmp_seq=2 ttl=118 time=5.77 ms
[root@gateway-nord ~]# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
[root@gateway-nord ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 62:80:2d:69:43:30 brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute ens18
valid_lft forever preferred_lft forever
4: nordlynx: <POINTOPOINT,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.5.0.2/32 scope global nordlynx
valid_lft forever preferred_lft forever
[root@gateway-nord ~]# curl icanhazip.com
(still public IP, not VPN, even though nordlynx is established)
If you really want to go there - here's the list of commands executed by "wg-quick" for a "default gateway" wireguard connection with IPv4 and IPv6:
[#] ip link add interface_name type wireguard # create the interface
[#] wg setconf interface_name /dev/fd/63 # prepare for nft rules
[#] ip -4 address add interface_ipv4/24 dev interface_name # ipv4 address
[#] ip -6 address add interface_ipv6/64 dev interface_name # ipv6 address
[#] ip link set mtu 1420 up dev interface_name # mtu
[#] resolvconf -a interface_name -m 0 -x # update /etc/resolv.conf
[#] wg set interface_name fwmark 51820 # the fwmark will be set for all packets emerging from the VPN interface
[#] ip -6 route add ::/0 dev interface_name table 51820 #
[#] ip -6 rule add not fwmark 51820 table 51820 # ip rule based routing for ipv6
[#] ip -6 rule add table main suppress_prefixlength 0 #
[#] nft -f /dev/fd/63 # apply nft rules
[#] ip -4 route add 0.0.0.0/0 dev interface_name table 51820 #
[#] ip -4 rule add not fwmark 51820 table 51820 # ip rule based routing for ipv4
[#] ip -4 rule add table main suppress_prefixlength 0 #
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1 # ?
[#] nft -f /dev/fd/63
Here is the nft ruleset created for IPv4 (IPv6 looks the same):
table ip wg-quick-connection_name {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "interface_name" ip daddr interface_ipv4 fib saddr type != local drop
    }
    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }
    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}
Yikes, yeah, I wouldn't know where to begin here in trying to do this myself. This issue is still unresolved, and I think it has something to do with however nordvpn is configuring itself, as I have multiple identical VMs here acting as gateways for other major providers and none have this issue; it's exclusive to the nord gateway, sadly.
Thanks for trying to assist as always, if you ever think of anything else to try, please keep me in mind. I will post back if I ever get it working.
Since NordVPN allows you to disable the rule-based routing there may be a silver lining.
Compare the routing tables (as above) with one of your other VPN gateways. If my theory is correct, those clients use a form of routing I know from OpenVPN (double default route with different metrics and a host route for the VPN endpoint).
If you can determine the "inner" IPv4 address of your NordVPN endpoint (e.g. via traceroute while connected to the VPN) you may be able to create a much simpler routing solution - which in turn should work with forwarding.
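The three mechanisms discussed in this thread (the NordVPN `ip rule` set with fwmark 0xe1f1 and table 205, the equivalent wg-quick rules with fwmark 51820, and the metric-based alternative -thc proposes) can be replayed offline with a small model of the kernel's policy-routing lookup. The block below is an added example written for this thread, not code from the posts or from NordVPN or wg-quick. It parses the `ip rule` and `ip route` text quoted above and then asks, for the same destination, which device a packet leaves on with and without the client's firewall mark. Table 205's contents, the wg-quick interface name `wg0`, the `tun0` device, the endpoint address 203.0.113.10 and the metrics in the "plain" table are assumptions, constructed to mirror the commands and description in the posts.

```python
"""Toy model of Linux policy routing as used by the NordVPN and wg-quick rule sets quoted
in this thread. Constructed for illustration: it parses `ip rule` / `ip route` text and
replays the kernel's lookup order (fwmark match, `not`, `suppress_prefixlength`,
longest-prefix match, lowest metric). It never touches the live routing tables."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int = 0


@dataclass
class Rule:
    table: str
    fwmark: Optional[int] = None  # match packets carrying this mark ...
    negate: bool = False          # ... or, with `not`, packets without it
    suppress_prefixlength: Optional[int] = None


def parse_rules(text):
    """Parse `ip rule` lines such as '32765: not from all fwmark 0xe1f1 lookup 205'."""
    rules = []
    for line in text.strip().splitlines():
        body = line.split(":", 1)[1].strip()
        mark = re.search(r"fwmark (0x[0-9a-f]+|\d+)", body)
        sup = re.search(r"suppress_prefixlength (\d+)", body)
        rules.append(Rule(table=re.search(r"lookup (\S+)", body).group(1),
                          fwmark=int(mark.group(1), 0) if mark else None,
                          negate=body.startswith("not "),
                          suppress_prefixlength=int(sup.group(1)) if sup else None))
    return rules


def parse_routes(text):
    """Parse `ip route` lines; only prefix, dev and metric matter for this model."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append(Route(ipaddress.ip_network(prefix), parts[parts.index("dev") + 1], metric))
    return routes


def lookup(table, dst):
    """Longest-prefix match, ties broken by the lowest metric; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


def egress_dev(rules, tables, dst, fwmark=0):
    """Walk the rules in priority order and return the device the packet leaves on."""
    for rule in rules:
        if rule.fwmark is not None and (fwmark == rule.fwmark) == rule.negate:
            continue  # this rule does not apply to a packet with this mark
        route = lookup(tables.get(rule.table, []), dst)
        if route is None:
            continue  # empty or non-matching table: fall through to the next rule
        if rule.suppress_prefixlength is not None and route.prefix.prefixlen <= rule.suppress_prefixlength:
            continue  # suppress_prefixlength 0 hides only the default route, not LAN routes
        return route.dev
    return None


# `ip rule` and `ip route` output copied from the posts above (NordVPN connected).
NORD_RULES = parse_rules("""
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xe1f1 lookup 205
32766: from all lookup main
32767: from all lookup default
""")
MAIN = parse_routes("""
default via 192.168.0.1 dev ens18 proto static metric 20100
192.168.0.0/24 dev ens18 proto kernel scope link src 192.168.0.200 metric 100
""")
# Table 205 is not shown in the thread; assumed to hold a default route into the tunnel,
# as wg-quick's `ip -4 route add 0.0.0.0/0 dev <iface> table 51820` does.
NORD_TABLES = {"main": MAIN, "205": parse_routes("default dev nordlynx")}

# Equivalent wg-quick rules, constructed from the command list above (0xca6c == 51820, wg0 assumed).
WG_RULES = parse_rules("""
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default
""")
WG_TABLES = {"main": MAIN, "51820": parse_routes("default dev wg0")}

# The mark-independent alternative -thc describes: two default routes with different metrics
# plus a host route for the VPN endpoint (tun0, the metrics and 203.0.113.10 are placeholders).
PLAIN_RULES = parse_rules("0: from all lookup main")
PLAIN_TABLES = {"main": parse_routes("""
default dev tun0 metric 50
default via 192.168.0.1 dev ens18 proto static metric 20100
203.0.113.10 via 192.168.0.1 dev ens18 metric 100
192.168.0.0/24 dev ens18 proto kernel scope link src 192.168.0.200 metric 100
""")}


def compare(dst="142.251.41.67"):
    """Egress device for a packet to dst: (without the client's fwmark, with it)."""
    return {
        "nordvpn": (egress_dev(NORD_RULES, NORD_TABLES, dst), egress_dev(NORD_RULES, NORD_TABLES, dst, 0xE1F1)),
        "wg-quick": (egress_dev(WG_RULES, WG_TABLES, dst), egress_dev(WG_RULES, WG_TABLES, dst, 0xCA6C)),
        "plain": (egress_dev(PLAIN_RULES, PLAIN_TABLES, dst), egress_dev(PLAIN_RULES, PLAIN_TABLES, dst, 0xE1F1)),
    }


if __name__ == "__main__":
    for name, (unmarked, marked) in compare().items():
        print(f"{name:9s} unmarked -> {str(unmarked):9s} marked -> {marked}")
```

Under the two rule-based setups an unmarked packet is sent to the tunnel and a packet already carrying the client's mark goes out via ens18 on the normal default route, which is the behaviour -thc's theory attributes to the forwarded traffic; LAN destinations still go to ens18 in both cases because `suppress_prefixlength 0` only hides the default route. The "plain" table gives the same answer regardless of the mark, which is why a metric-based layout is the easier one to combine with forwarding. Run the `ip rule` and `ip route` output of a working gateway through the same parser to see which of the two shapes it uses.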
Wow! It's the freaking software, 100% confirmed.
I did some research on how to install old versions from the AUR. I downloaded the AUR .tgz file from the old release, installed it, and just like magic, it works instantly.
So it's absolutely something that the software is doing. They changed something along the way and I forget where I read about it but there was just a one-off random comment in all of the research I was doing on reddit from a guy claiming he couldn't get some feature to work on the newest nordvpn release and had to downgrade. The second I dropped back to 3.15.0 it works absolutely perfectly, using it as we speak with zero problems, and zero frustration.
Strange stuff indeed. I think disabling routing in the newest version and issuing the proper set of commands would be great, just not sure how to begin really. I wish there was a way to reach someone that mattered at nordvpn about this. I see their tool is on GitHub.
Thank you for sticking with me through all of this even if we didn't get it resolved. As far as I'm concerned I'll just use 3.15.0 forever until I absolutely need some kind of feature in the later versions (or they fix it!)