vpn - bunnyamin/bunnix GitHub Wiki

NordVPN

WireGuard

  • WireGuard package wireguard-tools

As of 2024 the "private key" can be retrieved using an "Access token" from the NordVPN web page "Services: NordVPN: Manual setup".

  1. Copy the Access token.
  2. Retrieve the credentials: curl -s -u token:<ACCESS_TOKEN> https://api.nordvpn.com/v1/users/services/credentials
  3. The JSON key nordlynx_private_key holds the private key.
    • Note: the retrieved private key contained an escape character (a backslash), which is not a valid Base64 character. Remove any backslashes.
  4. Copy the IP and public key from an appropriate server.
  5. Configure the network.
  6. If a firewall is active, allow traffic from and to the WireGuard interface.
  7. Print information about the WireGuard configuration:
    • wg or wg show
    • Confirm that the latest handshake was made.
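Steps 2 to 5 as a script, added here as an example and not part of the wiki: it extracts nordlynx_private_key from the credentials JSON, strips the backslash escapes mentioned in the note, checks that the result is a real 32-byte WireGuard key, and renders a wg-quick configuration. The JSON response is constructed offline (not a real key); the client address 10.5.0.2/32 and the endpoint port 51820 are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: extract nordlynx_private_key from the
# credentials JSON, strip the backslash escape the note above warns about, and
# check that the result is a real 32-byte WireGuard key before using it.
# The live call would be:
#   curl -s -u "token:$ACCESS_TOKEN" https://api.nordvpn.com/v1/users/services/credentials
# Constructed offline response (not a real key); note the JSON "\/" escapes.
SAMPLE_JSON='{"id":1,"nordlynx_private_key":"QUJDREVGR0hJSktMTU5PUFFSU1RVVldY\/\/\/\/WVphYmM="}'

# Print the key with every backslash removed.
extract_private_key() {
    printf '%s' "$1" | sed -n 's/.*"nordlynx_private_key":"\([^"]*\)".*/\1/p' | tr -d '\\'
}

# A WireGuard key is 44 Base64 characters that decode to exactly 32 bytes.
is_valid_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Render a wg-quick style config from the key plus the server's public key and IP.
# Assumptions not taken from the wiki: client address 10.5.0.2/32 (peer of the
# 10.5.0.1 gateway used in the ping test) and endpoint port 51820.
render_wg_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = 10.5.0.2/32
DNS = 103.86.96.100, 103.86.99.100

[Peer]
PublicKey = $2
# 0.0.0.0/0 routes everything; a narrower value gives "Required key not available"
AllowedIPs = 0.0.0.0/0
Endpoint = $3:51820
PersistentKeepalive = 25
EOF
}

key=$(extract_private_key "$SAMPLE_JSON")
if is_valid_wg_key "$key"; then
    render_wg_conf "$key" "<SERVER_PUBLIC_KEY>" "<SERVER_IP>"
else
    echo "not a valid WireGuard key: $key" >&2
fi
```

Redirect the rendered output to /etc/wireguard/<name>.conf (mode 600) and bring it up with wg-quick; the validity check catches a key that still carries a backslash before wg rejects it.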

Debug and test

Enable logging:

  • echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    • It stays enabled until reboot.
  • Print information:
    • dmesg -wH | grep wireguard
    • journalctl -kf | grep wireguard

Test if tunnel is established:

  • ping -c3 10.5.0.1 (the gateway)

Error, problem, troubleshooting

| Event | Error | Cause | Consequence | Remedy |
| --- | --- | --- | --- | --- |
| Network traffic | Destination Host Unreachable | Provided the base network was set up correctly, the error is most likely caused by strict firewall rules. | | Ensure the IP and/or port used for the traffic is not blocked. |
| ping | ping: sendmsg: Required key not available | The AllowedIPs is invalid: the traffic in the network is not a subnet of the allowed IPs. For example, allowed IP 10.0.0.0/8 does not cover 192.168.0.0/16. | Traffic is not routed. No handshake is made. | Extend AllowedIPs so that the traffic's network is a subnet of it. |
| log message | No peer has allowed IPs matching 192.168.1.101 | The AllowedIPs is invalid: the traffic in the network is not a subnet of the allowed IPs. For example, allowed IP 10.0.0.0/8 does not cover 192.168.0.0/16. | Traffic is not routed. No handshake is made. | Extend AllowedIPs so that the traffic's network is a subnet of it. |
| handshake | Handshake for peer <N> (<IP:PORT>) did not complete after 5 seconds, retrying (try 2) | The network has two or more gateways. | The traffic is sent to the wrong gateway. | Remove the redundant gateway. |

Linux CLI

Basic usage

  • Connect to NordVPN server:
    • nordvpn <connect, c> [[country]/[server]/[country_code]/[city] or [country] [city]]
  • Connect to or reconnect to a new random server:
    • nordvpn connect
  • Disconnect from NordVPN server:
    • nordvpn disconnect
  • Connection status:
    • nordvpn status

Configuration

  • Print current settings: nordvpn settings

| Option (v. 3.15.3) | Comment |
| --- | --- |
| Analytics | Anonymous aggregated data about crash reports, OS version, marketing performance, and feature usage. |
| Auto-connect | Auto-connect on boot: nordvpn set autoconnect on |
| DNS | Assign or remove DNS IP addresses: nordvpn set dns 103.86.96.100 103.86.99.100 or nordvpn set dns off |
| Firewall | nordvpn set firewall off. If the firewall is enabled then: "... [The] NordVPN application sets up rules on your NF Tables. One of the consequences of this are closed ports - that is done for security reasons." (NordVPN support, chat 2021-12-10). If the firewall interferes with nftables, disable the firewall. |
| Firewall Mark | Traffic control filter used in policy-based routing. It allows classifying packets based on a fwmark previously set by iptables. |
| IPv6 | |
| Kill Switch | Requires that the firewall is enabled. nordvpn set killswitch off |
| Meshnet | |
| Notify | |
| Routing | Changes the routing table. The default route for traffic is through the VPN servers and peer devices in Meshnet. The setting must be enabled to send traffic through a VPN server or a peer device. If the setting is disabled, the app only initiates the necessary connections to a VPN server or a peer device but does not start traffic routing. |
| Technology | OpenVPN or NordLynx (WireGuard) |
| Threat Protection Lite | Automatically block suspicious websites so that no malware or other cyber threats can infect your device. Additionally, no flashy ads will come into your sight. |
| Whitelisted ports | Add or remove whitelisted ports: nordvpn whitelist add port 22 and nordvpn whitelist remove port 22 |
| Whitelisted subnet | Add or remove whitelisted IP subnets: nordvpn whitelist add subnet 192.168.1.0 and nordvpn whitelist remove subnet 192.168.1.0. For example, when client computers are connected through the server/router computer via subnets. |

Armbian

Installation

  1. Download the latest Debian package.
  2. Install the package dpkg -i nordvpn_1.15.3.deb

Configuration

  • Technology: NORDLYNX
  • Firewall: disabled
  • Firewall Mark: 0xe1f1
  • Routing: enabled
  • Analytics: disabled
  • Kill Switch: disabled
  • Threat Protection Lite: disabled
  • Notify: disabled
  • Auto-connect: enabled
  • IPv6: disabled
  • Meshnet: disabled
  • DNS: disabled

The DNS was configured using systemd-networkd as described in Case (2022-07-15).

Armbian (4.9.255-sun50iw9) lacks support for nftables.

  • Enable "routing" in NordVPN.
  • Restart systemd-networkd.
  • Create the necessary iptables rules:
```sh
# FORWARD
# Allow traffic from internal (wlan0) to external (nordlynx)
iptables-legacy -A FORWARD -i wlan0 -o nordlynx -j ACCEPT

# Allow returning traffic from external to internal
iptables-legacy -A FORWARD -i nordlynx -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Drop all other traffic that shouldn't be forwarded; this includes wlan0 -> eth0,
# so LAN traffic never bypasses the VPN when nordlynx is down
iptables-legacy -A FORWARD -j DROP

# NAT
iptables-legacy -t nat -A POSTROUTING -o nordlynx -j MASQUERADE

# INPUT
# Nothing new is accepted on wlan0; add rules here for any services this host offers to the LAN
iptables-legacy --policy INPUT DROP
iptables-legacy -A INPUT -i lo -j ACCEPT
iptables-legacy -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables-legacy -A INPUT -i nordlynx -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Arch linux

Installation

The installation instructions (1-6) are basically a manual procedure of the Arch Linux AUR package nordvpn-bin as described in its PKGBUILD.

  1. Download the latest Debian package.
  2. Unpack the debian package.
  3. Control the data integrity of the package.
    • The NordVPN public key (link no longer valid) belongs to [email protected]. Importing the key into GPG and then verifying _gpgbuilder (the signed message) results in Can't check signature: No public key.
    • Instead, run gpg --verify _gpgbuilder and use the reported RSA key ID 6B219E535C964CA1 to download the public key: gpg --receive-keys 6B219E535C964CA1. The key belongs to [email protected].
  4. Extract data.tar.gz:
    • var/lib/nordvpn to /var/lib/
    • usr/bin/nordvpn to /usr/bin/
    • usr/sbin/nordvpnd to /usr/bin/
    • usr/lib/systemd/system/* to /usr/lib/systemd/system
    • usr/share/man/man1/nordvpn.1.gz to /usr/share/man/man1/nordvpn.1.gz
  5. Create /usr/lib/sysusers.d/nordvpn-bin.conf with content:
    • g nordvpn - -
  6. Change file attributes:
    • chattr -i /var/lib/nordvpn/data/*
    • chmod 644 /usr/lib/sysusers.d/nordvpn-bin.conf
  7. Create NordVPN group:
    • groupadd -r nordvpn
  8. Add relevant users to group.
    • gpasswd -a <USER NAME> nordvpn
    • This may be required after an update to a newer version of NordVPN.
  9. Reboot in order for the group to be created.
  10. Enable and start the NordVPN daemon:
    • systemctl enable nordvpnd
    • systemctl start nordvpnd
  11. Login to NordVPN with account email and password:
    • As of v3.12.2 the login procedure has changed.
      1. nordvpn login --nordaccount returns
      2. Continue in the browser: https://zwyr157wwiu6eior.com/v1/users/oauth/login-redirect?attempt=f26...e6.
      3. Open a browser and enter the link, login.
      4. On successful login, right click on the button "Return to the app" and copy link.
      5. Paste link as nordvpn login --callback <link>.
    • I have not been able to log in with the new method; I receive the error Exchange token not provided. However, there is an undocumented parameter that enables the login in the terminal: nordvpn login --legacy.

NordLynx WireGuard configuration

  1. Install the Arch Linux WireGuard package wireguard-tools.
  2. The WireGuard protocol is implemented as "NordLynx". Enable it:
    • nordvpn set technology nordlynx
  3. Print information about the WireGuard configuration:
    • wg

Error, problem, troubleshooting

  • Logs: journalctl -u nordvpnd

| Error | Triggering command | Cause | Remedy |
| --- | --- | --- | --- |
| Get "https://zwyr157wwiu6eior.com/v1/helpers/ips/insights": quic: performing request: curl: Failed sending data to the peer | systemctl start nordvpnd | | |
| Get "https://cdn.zwyr157wwiu6eior.com/configs/dns/cybersec.json": dial tcp: i/o timeout | systemctl start nordvpnd | Invalid DNS name servers in /etc/resolv.conf. | For example, comment out 192.168.0.1. |
| Post "https://zwyr157wwiu6eior.com/v1/users/oauth/login?challenge=82c77c1c4a15...c39&preferred_flow=login&redirect_flow=default": dial tcp: i/o timeout | nordvpn login | Invalid DNS name servers in /etc/resolv.conf. | For example, comment out 192.168.0.1. |
| rotating: transport rotator: can't find gateway | systemctl start nordvpnd | Invalid DNS name servers in /etc/resolv.conf. | For example, comment out 192.168.0.1. |
| Whoops! /run/nordvpn/nordvpnd.sock not found | nordvpn settings | System daemon not running. | systemctl start nordvpnd |
| Whoops! Cannot reach System Daemon. | nordvpn status | | Add user to group. |
| Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support. | nordvpn connect or nordvpn disconnect | | rm /var/lib/nordvpn/data/settings.dat and/or rm -rf ~/.config/nordvpn |

Configure DNS

A correctly configured DNS is important in order to prevent "DNS leaks". According to NordVPN support (email 2021-12-12), the expected result should be:

  • If IP from country X then DNS from country X.

The NordVPN DNS servers are 103.86.96.100, 103.86.99.100.

The DNS could be configured with:

Test

  • The NordVPN support (email 2021-12-12) requested results from tests done with DNS Leak test "Extended test".
  • For testing in terminal or console, try DNS Leak Test.

Case (2021-12-10) Glibc and router

  • Assigning the NordVPN name servers to the DNS setting in the NordVPN program seems to be neither sufficient nor necessary, which is why it was set to off.
  • The NordVPN program seems to automatically add the name servers to /etc/resolv.conf.
  • However, I explicitly assigned the name servers
    • in /etc/resolvconf.conf as
    • name_servers="103.86.96.100 103.86.99.100"
    • and then updated /etc/resolv.conf with resolvconf -u.
      • If error message /usr/lib/resolvconf/libc: line 230: /etc/resolv.conf: Operation not permitted then possibly because nordvpn locks /etc/resolv.conf.
  • The web-based DNS leak tests indicated that the DNS provider was Cloudflare. NordVPN support (email 2021-12-12) confirmed that they use neither Cloudflare nor any other third-party DNS servers. That is, there was a DNS leak. Compare the answer by Cat (2021-02-13) to the question "Does it make sense to use CloudFlare's DNS in addition to NordVPN?" on Information Security Stack Exchange.
    • The source of the problem was that "Enable DNS over HTTPS" was enabled in Firefox. The default service provider is Cloudflare. Disable DNS over HTTPS.
  • The DNS leak tests indicated that the DNS provider was NordVPN. However, it was not the same as the source of IP. That is, there was a DNS leak. If on a local network, perform the test both on the client and the server computers.
    • Two sources to the problem, both of which had to be remedied.
      1. The local name server 192.168.0.1 caused the selection of unintended DNS servers, which was the reason to explicitly configure /etc/resolvconf.conf.
      2. The computer was connected to a router with the "Internet configuration" for DNS servers assigned to 0.0.0.0, which caused the selection of DNS servers from the ISP. The value of the setting was changed to the NordVPN DNS servers.
  • All tests successful.

Case (2022-06-29) Update to NordVPN 3.14.1

  • Strange connection problems prompted me to update NordVPN.
  • The installation procedure was basically the same as last documented.
  • For unknown reasons the local name server 192.168.0.1 was being added to the /etc/resolv.conf resulting in strange behaviors. I had to activate systemd-resolved in order to generate a correct /etc/resolv.conf.

Case (2022-07-15) switching to SystemD NetworkD and ResolveD

  • Using systemd-networkd with DHCP for the WAN network interface, set UseDNS=false under the [DHCP] section of that interface's configuration.
  • Using systemd-resolved, set DNS=103.86.96.100 103.86.99.100 and leave FallbackDNS= empty in /etc/systemd/resolved.conf.
  • resolvectl status should show that the VPN DNS servers are provided by the nordlynx interface. No other DNS servers should be present.

Configure NFtables

The NordVPN login and configuration require an Internet connection. After that is done, the basic [/etc/nftables.conf](../blob/master/fhs/etc/nftables.conf) should suffice with the following modifications:

  1. The forwarding rules must allow packets from the LAN to the VPN interface:
    • iifname { "enp1s0", "enp2s0", ... } oifname "nordlynx" accept
  2. Masquerade LAN to VPN traffic:
    • iifname { "enp1s0", "enp2s0", ... } oifname "nordlynx" masquerade
  3. Traffic from LAN to WAN should be disabled in order to prevent fallback to WAN on VPN failure.
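The three modifications as a complete ruleset, added here as an example (it is not the wiki's own nftables.conf): a script that emits an nftables configuration with a drop-policy forward chain, LAN to nordlynx forwarding, masquerading, and an explicit logged drop of LAN to WAN traffic so that nothing falls back to the WAN when the VPN is down. The interface names enp1s0, enp2s0 and eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own nftables.conf: generate a ruleset that applies
# the three modifications above (LAN -> VPN forwarding, masquerading, and no
# LAN -> WAN fallback). Interface names are assumptions; adjust to your host.
LAN_IFACES="enp1s0 enp2s0"
WAN_IFACE="eth0"
VPN_IFACE="nordlynx"

# Turn "a b c" into the nft set literal { "a", "b", "c" }.
nft_set() {
    printf '%s\n' $1 | sed 's/.*/"&"/' | paste -sd, - | sed 's/,/, /g; s/.*/{ & }/'
}

gen_nft_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
define lan = $(nft_set "$LAN_IFACES")
define wan = "$WAN_IFACE"
define vpn = "$VPN_IFACE"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname \$lan accept    # LAN hosts may reach this router; tighten per service
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname \$lan oifname \$vpn accept
        # If nordlynx is down, LAN traffic must not fall back to the WAN: log and drop it.
        iifname \$lan oifname \$wan log prefix "vpn-fallback-blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname \$vpn masquerade
    }
}
EOF
}

# Install with e.g.: gen_nft_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
gen_nft_ruleset
```

Watch the kernel log for the vpn-fallback-blocked prefix: entries there mean the VPN interface was down and LAN clients were being protected from leaking to the WAN.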