Moving from bubuntux/nordvpn

[MRobi1]

Looking for some guidance on replacing bubuntux/nordvpn with this instead based on this commend bubuntux/nordvpn#282 (comment)

I've got it up and running, it's connected, and I can connect other containers through it, I just can't seem to access them once they're connected.

I'm looking for the equivalent environment variables for:
1: NETWORK=192.168.1.0/24 # So it can be accessed within the local network
2: CONNECT=Canada
3: KILLSWITCH=Enabled

Also looking for the proper way to set the ports for the containers connecting through this one. On the NordVPN one you'd set the ports for the containers through the NordVPN container (ie: 3000:3000), is this handled the same or can you use a comma seperated list for LISTEN_PORTS?

The documentation isn't really clear on any of these.

[ThxAndBye]

NETWORK is named NET_LOCAL now but works the same.

Instead of CONNECT you have to use the QUERY parameter but with the syntax used for the API at: https://api.nordvpn.com/v1/servers/recommendations
E.g. for Switzerland it's QUERY=filters\[country_id\]=209, you just have to look up the country_id for Canada.

Ports work exactly the same. It's just how docker works and not specific to the old NordVPN container or this one.

[cschinis]

Have you managed to get this to work? I'm trying to do the same but struggling to make it work as it should. A guide & compose example for a working version would be really appreciated.

[ThxAndBye]

Yes, it now operates in the same way as the old nordvpn container did.
An example configuration is in the README.md you only have to add the QUERY in the environment: part where the PRIVATE_KEY is located. Also the NET_LOCAL should be set according to your network.
Not sure if there is a public list with all the country IDs though but the linked API does recommend servers from the same country as your connection. So, if you connect to a server in Switzerland and open the site, the servers in the list will display you the id for that country (209).

[cschinis]

Hi,

Thanks for this. This is my config which doesn't seem to work. Am I missing something? Items in [] are hidden.

version: "3"
services:
  vpn:
    image: ghcr.io/bubuntux/nordlynx
    cap_add:
      - NET_ADMIN #required
    environment:              
      - PUID=998
      - PGID=100
      - PRIVATE_KEY=[KEY HIDDEN]= #required
      - QUERY=filters\[country_id\]=227
      - NET_LOCAL=10.10.[XX].0/24  # So it can be accessed within the local network
      - ALLOWED_IPS=10.10.[YY].0/24,10.10.[ZZ].0/24
    volumes:
      - /srv/[PATH]/Configs/NordLynx:/config     
    ports:
      - 9292:9090 #Prometheus
      - 3000:3000 #Grafana   
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  # Recomended if using ipv4 only
    restart: unless-stopped  

[ThxAndBye]

You don't need a volume for the configs. They get created dynamically on startup and don't need a permanent location.
PUID and PGID probably don't do anything? It's also not really needed to change them at all as the processes will never interact with something outside the container directly.

I don't understand why you only allow some private IPs. If you want traffic to run via the VPN connection then you should use the default 0.0.0.0/0. Essentially you block all traffic because there is no IP addressable in this range behind the VPN.

[cschinis]

You don't need a volume for the configs. They get created dynamically on startup and don't need a permanent location. PUID and PGID probably don't do anything? It's also not really needed to change them at all as the processes will never interact with something outside the container directly.

I don't understand why you only allow some private IPs. If you want traffic to run via the VPN connection then you should use the default 0.0.0.0/0. Essentially you block all traffic because there is no IP addressable in this range behind the VPN.

Okay perfect! That all works as it should now. I misinterpreted what allowed IPs was. Thought it was the equivalent of firewall whitelisting.

For future reference to others the working docker compose for me is :

version: "3"
services:
  vpn:
    image: ghcr.io/bubuntux/nordlynx
    cap_add:
      - NET_ADMIN #required
    environment:              
      - PRIVATE_KEY=[KEY HIDDEN]= #required
      - QUERY=filters\[country_id\]=227 #UK Servers
      - NET_LOCAL=10.10.[XX].0/24  # So it can be accessed within the local network
      - ALLOWED_IPS=0.0.0.0/0
    ports:
      - 9292:9090 #Prometheus
      - 3000:3000 #Grafana   
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  # Recomended if using ipv4 only
    restart: unless-stopped 

[Gandalf-]

I'm moving over from bubuntux/nordvpn as well and got close following @cschinis 's example. However
I'm seeing the same behavior (and same output from the same setup) as #10. I can access other containers with network_mode: service:vpn via the LAN but they (the dependent containers) can't get any traffic back from the WAN (including DNS).

version: "3"
services:
  vpn:
    image: ghcr.io/bubuntux/nordlynx
    container_name: vpn
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PRIVATE_KEY=...
      - NET_LOCAL=10.1.10.0/24
      - ALLOWED_IPS=0.0.0.0/0
    ports:
      - 8090:8090 # torrent
      - ...
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv4.conf.all.src_valid_mark=1

  torrent:
    image: linuxserver/qbittorrent
    container_name: torrent
    network_mode: service:vpn
    restart: unless-stopped
    environment:
      - WEBUI_PORT=8090
      - ...
    volumes:
      - ...
    depends_on:
      - vpn

$ docker exec torrent curl -sS --verbose google.com
* Could not resolve host: google.com
* Closing connection 0
curl: (6) Could not resolve host: google.com

The docker host is on Ubuntu 18.04.6, 4.15.0-163-generic if that helps

[cschinis]

Don't forget to add:
- QUERY=filters\[country_id\]=227 #UK Servers

Change the ID to your recommended server id from (Example extract for UK "{"id":227,"name":"United Kingdom","code":"GB","):
https://api.nordvpn.com/v1/servers/recommendations

Also try commenting out:
- net.ipv4.conf.all.src_valid_mark=1

[Gandalf-]

Thanks for the reply! Neither of those changes affect the behavior unfortunately. Neither the vpn container or the dependent containers can access the WAN

Unrelatedly, I thought the QUERY var was optional and it'd auto select the best by default?

[cschinis]

Thanks for the reply! Neither of those changes affect the behavior unfortunately. Neither the vpn container or the dependent containers can access the WAN

Unrelatedly, I thought the QUERY var was optional and it'd auto select the best by default?

How are you deploying the stack? With the exception of the issue I had above which was resolved with allowing 0.0.0.0, every other time dependant containers were not connecting to the wan was because the vpn did not have a successful connection.

I use docker in combination with Portainer and similar issues were fixed by stopping all containers, deleting the images and networks and redeployed the stack. Obviously make sure the private key is correct. (I got mine through the bubintux/NordVPN image.)

[haygoodhtpc]

EDIT: fixed it myself by changing to a different container. Here's my torrent stack now for posterity:

#torrent stack
version: "3.7"
services:
    vpn:
        image: ghcr.io/bubuntux/nordlynx
        cap_add:
           - NET_ADMIN #required
        container_name: nordlynx
        environment:
           - PRIVATE_KEY=[HIDDEN] #required
           - QUERY=filters\[country_id\]=209 #Switzerland
           - NET_LOCAL=192.168.1.0/24  # So it can be accessed within the local network
           - ALLOWED_IPS=0.0.0.0/0
        ports:
           - 8080:8080
           - 8118:8118
        sysctls:
           - net.ipv6.conf.all.disable_ipv6=0
        restart: unless-stopped
    torrent:
        container_name: qbittorrent
        image: lscr.io/linuxserver/qbittorrent
        network_mode: service:vpn
        depends_on:
           - vpn
        volumes:
          - /opt/torrent:/config
          - /mnt/media/downloads:/downloads
           

The portion of the old container I wanted, the vuetorrent front end, can be installed manually by simply unzipping the package from the vuetorrent github into /opt/torrent/qBittorrent/vuetorrent or /config/qBittorrent/vuetorrent within the container. Everything working perfectly.

[NoLooseEnds]

I'm having issues with this too.

Testing with the bare minimum:

version: '3.7'

services:
  vpn-test:
    container_name: nordlynx
    image: ghcr.io/bubuntux/nordlynx:edge
    cap_add:
        - NET_ADMIN #required
    environment:
        - PRIVATE_KEY=<key>
        - NET_LOCAL=10.0.0.0/24 # So it can be accessed within the local network
        - ALLOWED_IPS=0.0.0.0/0
    sysctls:
        - net.ipv6.conf.all.disable_ipv6=1
    restart: unless-stopped

This allows me to i.e ping 10.0.0.1 on the local network, but I'm not allowed to ping or resolve anything else.

[cschinis]

What IP range are you trying to cover with NET_LOCAL=10.0.0.0/24? If it's 10.0.0.1-10.254.254.254 then you should use 10.0.0.0/8?

…

On Sun, 19 Dec 2021 at 20:57, NoLooseEnds ***@***.***> wrote: I'm having issues with this too. Testing with the bare minimum: version: '3.7' services: vpn-test: container_name: nordlynx image: ghcr.io/bubuntux/nordlynx:edge cap_add: - NET_ADMIN #required environment: - PRIVATE_KEY=<key> - NET_LOCAL=10.0.0.0/24 # So it can be accessed within the local network - ALLOWED_IPS=0.0.0.0/0 sysctls: - net.ipv6.conf.all.disable_ipv6=1 restart: unless-stopped This allows me to i.e ping 10.0.0.1 on the local network, but I'm not allowed to ping or resolve anything else. [image: image] <https://user-images.githubusercontent.com/4103531/146690493-8021fc65-8df9-45e0-b86d-d174e036334a.png> — Reply to this email directly, view it on GitHub <#9 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACSF5AIY4L4QGM2JIZ3LGDTURZBMJANCNFSM5JDHFRFA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[NoLooseEnds]

What IP range are you trying to cover with NET_LOCAL=10.0.0.0/24?

This is just to test, I'm running the simplest docker-compose I can to debug. It's just to open up my local network to see if I can get through. In my actual setup, it's a bit more advanced with multiple ranges.

Anyhow, if I understand this correctly, opening up for the local network is not the issue. The issue is that I can't get out on the internet. I can add public IP's to NET_LOCAL and be able to connect to them via the docker image, but then it uses my actual ISP IP – which defeats the purpose.

So I'm hoping somebody can spot something obviously wrong, and or help me debug it further.

This is the iptables rules:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   33 10244 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    5   309 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       172.17.47.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       10.0.0.0/24          0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            172.17.47.0/24
    0     0 ACCEPT     all  --  eth0   *       172.17.47.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            10.0.0.0/24
    0     0 ACCEPT     all  --  eth0   *       10.0.0.0/24          0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1710  299K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    5   309 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   18  1044 ACCEPT     all  --  *      wg+     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            172.17.47.0/24
    5   309 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:53
    1   176 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:51820
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            104.17.49.74         tcp dpt:443
    1    60 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            104.17.50.74         tcp dpt:443
    1    84 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.0/24

[haygoodhtpc]

It looks like the issue is with your firewall rather than the VPN container. Can you route it so that your VPN machine bypasses the firewall?

[NoLooseEnds]

@haygoodhtpc

I don't think that should be an issue. It's a VM running PhotonOS. I can do anything natively – and I've never had to add any iptables rules because any docker container previously. And the previous nordvpn-image worked flawlessly in that regard.

This is the iptables of the PhotonOS vm

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain DOCKER (18 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.22.2          tcp dpt:31337
ACCEPT     udp  --  anywhere             172.17.11.2          udp dpt:openvpn
ACCEPT     udp  --  anywhere             172.17.2.2           udp dpt:scp-config
ACCEPT     tcp  --  anywhere             172.17.2.2           tcp dpt:cddbp-alt
ACCEPT     tcp  --  anywhere             172.17.2.2           tcp dpt:8843
ACCEPT     tcp  --  anywhere             172.17.2.2           tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             172.17.2.2           tcp dpt:sunproxyadmin
ACCEPT     tcp  --  anywhere             172.17.2.2           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.17.2.2           tcp dpt:smc-https
ACCEPT     udp  --  anywhere             172.17.2.2           udp dpt:nat-stun-port
ACCEPT     tcp  --  anywhere             172.17.22.4          tcp dpt:af
ACCEPT     tcp  --  anywhere             172.17.22.5          tcp dpt:33400
ACCEPT     tcp  --  anywhere             172.17.22.5          tcp dpt:32469
ACCEPT     udp  --  anywhere             172.17.22.5          udp dpt:32414
ACCEPT     udp  --  anywhere             172.17.22.5          udp dpt:32413
ACCEPT     udp  --  anywhere             172.17.22.5          udp dpt:32412
ACCEPT     udp  --  anywhere             172.17.22.5          udp dpt:32410
ACCEPT     tcp  --  anywhere             172.17.22.5          tcp dpt:32400
ACCEPT     tcp  --  anywhere             172.17.22.5          tcp dpt:8324
ACCEPT     tcp  --  anywhere             172.17.22.5          tcp dpt:geniuslm
ACCEPT     udp  --  anywhere             172.17.22.5          udp dpt:ssdp
ACCEPT     tcp  --  anywhere             172.17.2.9           tcp dpt:http
ACCEPT     udp  --  anywhere             172.17.2.9           udp dpt:bootps
ACCEPT     tcp  --  anywhere             172.17.2.9           tcp dpt:domain
ACCEPT     tcp  --  anywhere             172.17.2.10          tcp dpt:snapenetio
ACCEPT     udp  --  anywhere             172.17.2.9           udp dpt:domain
ACCEPT     udp  --  anywhere             172.17.2.10          udp dpt:21027
ACCEPT     tcp  --  anywhere             172.17.2.11          tcp dpt:https
ACCEPT     tcp  --  anywhere             172.17.2.10          tcp dpt:8384
ACCEPT     tcp  --  anywhere             172.17.2.11          tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (18 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

[walmer26]

Hi Guys! Apologies for the noobie question but How I get the Rekired Nord_Private_key? Ised the following as instructed:

docker run --rm --cap-add=NET_ADMIN -e USER=MYUSERHERE -e PASS=MYPASSHERE bubuntux/nordvpn nord_private_key

But says NordVPN is using a new app and do many try to connecto with no providing any private key. I proceeded to contatc NordVPN and they say unfortunately they are con allowing Nordlynx thechnology for manual use anymore. So how you got it? If I don;t have the private key I can't even try any compose file at first.

Am I wrong?

Please help.

[bubuntux]

@walmer26 try following the manual steps to get the private key https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976

[mircoianese]

Hello,

why should we migrate to /nordlynx image? I imagine is not using the nordvpn client, but I have a question: I need the ability to change servers dinamically, would this still work using the private key that the /nordvpn gave me? From my understanding, the private key will change based on the server, is that correct?

Thanks

[bubuntux]

@mircoianese The private key is link to you account no to a server, you can use your private key to connect to any of the server, and yes you can dynamically change servers using the query parameter @ThxAndBye listed a few very useful ones.

[mircoianese]

@mircoianese The private key is link to you account no to a server, you can use your private key to connect to any of the server, and yes you can dynamically change servers using the query parameter @ThxAndBye listed a few very useful ones.
@ThxAndBye

Thanks both! I will migrate to the new image. I guess that the same PK can't be used to open multiple concurrent connection tho. Right? Can I generate multiple valid private keys in an easy way?

[mircoianese]

Hello again. I was doing the migration but I'm getting into the issue I expected: i need to have two different containers connected to different servers (using the same NordVPN account). The old image generated the same Private Key on both containers, but now if I try to connect two different containers using the new image with the same private key I have issues where I randomly loose internet connection (DNS resolution failures). Maybe this issue was also present with the other image tho, as I had to restart the containers once in a while.

Do you know if there is a correct way to do this?
Thanks!

[NoLooseEnds]

Why do you need two different servers, why don't you use the same container for both?

[mircoianese]

Each NordVPN account can connect from up to 6 different "devices". I have two different containers (in two different servers) that needs to connect to different countries to perform some downloading tasks.
Btw now it seems to be working, but I'm guessing using the same private key at the same time is the cause of the sporadic DNS resolution issue

[azumukupoe]

I can't migrate from nordvpn
am I doing something wrong?

version: "3"
services:
  vpn:
    image: ghcr.io/bubuntux/nordvpn
    cap_add:
      - NET_ADMIN
    environment:
      - USER=xxxxxxxxx
      - PASS=xxxxxxxxx
      - CONNECT=P2P
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.1.0/24
      - TZ=Asia/Tokyo
    ports:
      - 8080:8080
    restart: unless-stopped

  torrent:
    image: lscr.io/linuxserver/qbittorrent:14.3.9
    network_mode: service:vpn
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Tokyo
      - WEBUI_PORT=8080
    volumes:
      - .\config:/config
      - D:\Downloads:/downloads
    depends_on:
      - vpn
    restart: unless-stopped

version: '3'
services:
  vpn:
    image: ghcr.io/bubuntux/nordlynx
    cap_add:
      - NET_ADMIN
    environment:
      - PRIVATE_KEY=xxxxxxxxx
      - QUERY=filters\[country_id\]=108&filters\[servers_groups\]\[identifier\]=legacy_p2p
      - NET_LOCAL=192.168.1.0/24
      - TZ=Asia/Tokyo
    ports:
      - '8080:8080'
    restart: unless-stopped
    
  torrent:
    image: lscr.io/linuxserver/qbittorrent:14.3.9
    network_mode: 'service:vpn'
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Tokyo
      - WEBUI_PORT=8080
    volumes:
      - '.\config:/config'
      - 'D:\Downloads:/downloads'
    depends_on:
      - vpn
    restart: unless-stopped

[Kruk79]

I can't migrate from nordvpn am I doing something wrong?

version: "3"
services:
  vpn:
    image: ghcr.io/bubuntux/nordvpn
    cap_add:
      - NET_ADMIN
    environment:
      - USER=xxxxxxxxx
      - PASS=xxxxxxxxx
      - CONNECT=P2P
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.1.0/24
      - TZ=Asia/Tokyo
    ports:
      - 8080:8080
    restart: unless-stopped

  torrent:
    image: lscr.io/linuxserver/qbittorrent:14.3.9
    network_mode: service:vpn
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Tokyo
      - WEBUI_PORT=8080
    volumes:
      - .\config:/config
      - D:\Downloads:/downloads
    depends_on:
      - vpn
    restart: unless-stopped

version: '3'
services:
  vpn:
    image: ghcr.io/bubuntux/nordlynx
    cap_add:
      - NET_ADMIN
    environment:
      - PRIVATE_KEY=xxxxxxxxx
      - QUERY=filters\[country_id\]=108&filters\[servers_groups\]\[identifier\]=legacy_p2p
      - NET_LOCAL=192.168.1.0/24
      - TZ=Asia/Tokyo
    ports:
      - '8080:8080'
    restart: unless-stopped
    
  torrent:
    image: lscr.io/linuxserver/qbittorrent:14.3.9
    network_mode: 'service:vpn'
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Tokyo
      - WEBUI_PORT=8080
    volumes:
      - '.\config:/config'
      - 'D:\Downloads:/downloads'
    depends_on:
      - vpn
    restart: unless-stopped

Try to remove apostrophes from:

• '8080:8080'
• network_mode: 'service:vpn'
• '.\config:/config'
• 'D:\Downloads:/downloads'
  rest seems to be fine

[azumukupoe]

well, no luck still
seems like wireguard is incompatible with WSL2

[ThxAndBye]

seems like wireguard is incompatible with WSL2

The WSL2 kernel isn't compatible with Wireguard ootb. You need to replace the kernel for it to work like you expect on a compatible system.
I haven't tried it myself, but check here: https://itgaertner.net/posts/wireguard-in-wsl/

[azumukupoe]

I can't seem to recompile the kernel, so I tried a compiled one, https://github.com/nathanchance/WSL2-Linux-Kernel but it still didn't work for me

[EinarasGar]

How do I select city to connect to using QUERY? I can only select country