UPDATED 2024-10-20 I was right the first time. In many cases the mangle rule is required. It doesn't hurt the remaining cases. I have put it back in.
I don't like being told I can only use a feature if I use only one preselected-at-setup configuration, especially when the infrastructure supports, and provides a tool for, allowing dynamic selection of the best available path at any given time on the fly.
The options I have found on the interwebs all share a common OpenVPN-only solution. Lather, rinse, repeat.
The current solution is as follows:
Select a single server. Download a static config file for that single server which is only available for the more inferior protocol. Walk through an unnecessarily complex setup and configuration process. Finally, keep your fingers crossed that the chosen server continues to perform consistently over time, or repeat the process again when performance degrades again, and again, and again..............
That doesn't work for me, so I went to work cracking this problem.
For those interested, I believe I have cracked the 'dynamic-nordlynx-whole-network-router' problem.
My solution:
It boils down to 4 iptables rules. Since this uses the native linux app, it can use all the features available. That means you can tell which server to connect to or let it dynamically connect to the current best one in the category you choose, such as p2p, onion, etc. Autoconnect works. I think you get the idea. It would probably work using the OpenVPN protocol, but I haven't tried it because moving on from OpenVPN was part of my reason for doing this. Killswitch is always on and cannot be disabled.
The iptables rules are the real key. We all know the 3 basic rules to forward traffic. You must use 'nordlynx' as the WAN interface. The 4th is a mangle rule to mark lan traffic so nordvpn's rules allow lan traffic to pass. You can change or even remove the comment part of the mangle rule.
# Mark connections entering from the LAN so nordvpn's own rules let them through the tunnel
iptables -t mangle -A PREROUTING -i <LAN> -m comment --comment nord-router -j CONNMARK --set-xmark 0xe1f1/0xffffffff
# NAT LAN clients behind the tunnel address
iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
# Allow replies coming back from the tunnel to the LAN (reply direction: tunnel in, LAN out)
iptables -A FORWARD -i nordlynx -o <LAN> -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow new connections from the LAN out through the tunnel
iptables -A FORWARD -i <LAN> -o nordlynx -j ACCEPT
Set <LAN> to your LAN-facing interface.
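Added example, not from the original post or the linked project: the same four rules wrapped in a small POSIX sh script that can be re-run safely (each rule is checked with -C before being appended with -A), enables IPv4 forwarding, and rejects a left-over <LAN> placeholder. It assumes the native nordvpn client with the tunnel interface named nordlynx, as in the post; IPTABLES and IP_FORWARD_FILE are overridable so the script can be dry-run without touching the real firewall.

```shell
#!/bin/sh
# Added example (not the post's own code): idempotent install of the
# nord-router rules. Assumes the nordvpn tunnel interface is "nordlynx".
IPTABLES="${IPTABLES:-iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
VPN_IF="${VPN_IF:-nordlynx}"

# ensure_rule TABLE CHAIN RULE...: append RULE to CHAIN only when an exact
# match is not already present, so re-running never duplicates rules.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null \
        || "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# setup_nord_router LAN_IF: enable forwarding and install the four rules.
setup_nord_router() {
    lan="$1"
    # Refuse empty names or names with characters no interface can have,
    # which catches an unreplaced "<LAN>" placeholder.
    case "$lan" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad LAN interface: '$lan'" >&2; return 1 ;;
    esac

    # Forwarding between interfaces is off by default on most distributions.
    echo 1 > "$IP_FORWARD_FILE"

    # 1. Mark LAN-originated connections so nordvpn's own rules let them
    #    through the tunnel (the post's mangle/CONNMARK rule).
    ensure_rule mangle PREROUTING -i "$lan" -m comment --comment nord-router \
        -j CONNMARK --set-xmark 0xe1f1/0xffffffff
    # 2. NAT LAN clients behind the tunnel address.
    ensure_rule nat POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 3. Allow replies from the tunnel back to the LAN.
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$lan" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 4. Allow new LAN connections out through the tunnel.
    ensure_rule filter FORWARD -i "$lan" -o "$VPN_IF" -j ACCEPT
}

# Apply only when invoked with an interface argument: ./nord-router.sh eth1
if [ -n "${1:-}" ]; then
    setup_nord_router "$1"
fi
```

Running it a second time adds nothing, which is what you want in a boot-time or nordvpn reconnect hook.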
I have deployed this on several Proxmox VMs and lxc containers on various consumer and enterprise equipment. I'm certain this can easily be adapted to a pi. I may dig one out to try it if I find some time. My current configuration is running as an lxc on Proxmox alongside a pihole lxc and pfsense vm on a N100 sff computer with 4 NICs. This setup is noticeably faster than the OpenVPN-on-pfsense combo. Although it is still in place, it's bypassed. Kept as a backup option just in case.
internet
|
modem
|
Proxmox
|<---physical port
************ | ************
* * | * *
* NordVPN lxc *
* vmbr---->| *
* pfsense vmbr *
* * | * \<---- *
* * | * pihole *
************ | ************
| | |<---physical ports
LAN WiFi Guest
I tried to post this on the nordvpn subreddit, but apparently I don't have enough karma.
I just want to help others when I can.
My project and fairly complete writeup for my linux-based router can be found here:
https://github.com/theOtherLuke/nordlynx-router/tree/main
net.ipv4.ip_forward = 1? It should be net.ipv4.ip_forward = 1
more :)