NordSecurity / nordvpn-linux

NordVPN Linux client
GNU General Public License v3.0

openvpn not connecting to the right country #449

Open chzurb opened 3 weeks ago

chzurb commented 3 weeks ago

I used your recommended Dockerfile here:

https://support.nordvpn.com/hc/en-us/articles/20465811527057-How-to-build-the-NordVPN-Docker-image

but changed the version of the nordvpn CLI v 3.17.4 (vs 3.17.1 in the above link) and then built and ran the image.

After spending 2+ solid days, I could never get your nordvpn CLI to work no matter what I did, including trying it in its native nordlynx "technology mode" and then switching to openvpn "technology mode".

So I decided to just run "vanilla" openvpn client and use your config files directly as described here

https://support.nordvpn.com/hc/en-us/articles/20164827795345-Connect-to-NordVPN-using-Linux-Terminal

I was amazed when it "just worked like that" compared to the CLI! Yesterday I was able to switch between French and German VPNs easily by using the different ovpn config files in your ovpn.zip file. I tested that the IP addresses and countries were indeed switching to the appropriate country specific IP addresses and using curl utilities to confirm that those IPs were indeed the countries I expected, using:

curl ifconfig.co/ip
curl ifconfig.co/country

But when I went to reconnect today with either French or German country ovpn file just like yesterday, no matter what European specific country cfg file I use it is always logging into the United States when I connect with vanilla openvpn client???

I can see in the logs that it does connect and that there are no errors (not to my eye anyway). And the log output does show that it is indeed connecting to the French or German country specific IP specified inside the country specific OVPN file. But after it connects I'm always being routed through the United States and at some other USA public IP other than the FR or DE specific IP/country to be expected from the OVPN Fr or De cfg file!?

Also the vanilla openvpn connection connected and worked 100% yesterday but today it is unreliable. Today the logs show no errors and it always connects, but ping and curl often do not work which means the basic networking is screwed up. If I wait long enough, eventually the networking starts to work again (probably a timeout waiting to reset something?). Alternatively I can try to kill the openvpn client and start it anew and sometimes that just works. Regardless it's unreliable.

Any thoughts? on either:

  1. Why would you on the backend be changing the country to USA when I'm connecting with French or German OVPN cfg?
  2. Why when it connects to the USA does it sometimes lose connectivity (ping of IP address doesn't work so it is not just the DNS name resolution) but then suddenly comes back?

Here's some sample output:

First, this is the expected IP I should connect to in France:

cat /etc/openvpn/client/fr888.nordvpn.com.udp.ovpn  | grep remote
remote 31.187.69.23 1194
remote-random
remote-cert-tls server

I go to run that profile:

openvpn --verb 3 --log /var/log/openvpn/client --config /etc/openvpn/client/fr888.nordvpn.com.udp.ovpn --auth-user-pass env.vpn  &

The logs will show everything is fine but networking is NOT working (on this occasion)

curl ifconfig.co/country
^C
root@3e93a7d05b13:~# curl ifconfig.co/ip
curl: (6) Could not resolve host: ifconfig.co
root@3e93a7d05b13:~# curl ifconfig.co/ip
curl: (6) Could not resolve host: ifconfig.co
root@3e93a7d05b13:~# ping google.com
^C

If I wait a bit (no rhyme or reason in terms of how long that wait might be), ping comes back and everything is working again.

ping google.com
PING google.com (192.0.0.88) 56(84) bytes of data.
64 bytes from 192.0.0.88 (192.0.0.88): icmp_seq=1 ttl=64 time=23.1 ms
--- google.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5009ms

But now the country is NOT IP 31.187.69.23 / France like the ovpn cfg file and the log show it is. It is USA!!!? Note that if the connection had worked from the start it would give me the same exact USA and NOT France. And if I kill the openvpn client and run the same invocation to France over and over again, it will always be the USA but the USA IP address changes randomly on each invocation.

curl ifconfig.co/ip
91.205.106.138
curl ifconfig.co/country
United States

I kill the openvpn client and I'm back to my home ctry and correct public ip (redacted here)

kill 376

curl ifconfig.co/country
Switzerland

curl ifconfig.co/ip
77.xx.yy.zz

As I said yesterday it "did" connect correctly to Fr/De vpn servers, using the same exact commands specified here and there "were no unreliable connections"

Here's the logfile from the above connection session

root@3e93a7d05b13:~# cat /var/log/openvpn/client
2024-06-08 22:17:06 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2024-06-08 22:17:06 WARNING: file 'env.vpn' is group or others accessible
2024-06-08 22:17:06 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2024-06-08 22:17:06 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2024-06-08 22:17:06 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2024-06-08 22:17:06 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-08 22:17:06 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-08 22:17:06 TCP/UDP: Preserving recently used remote address: [AF_INET]31.187.69.23:1194
2024-06-08 22:17:06 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-08 22:17:06 UDP link local: (not bound)
2024-06-08 22:17:06 UDP link remote: [AF_INET]31.187.69.23:1194
2024-06-08 22:17:06 TLS: Initial packet from [AF_INET]31.187.69.23:1194, sid=2a7532dc b47cb040
2024-06-08 22:17:06 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-06-08 22:17:06 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-06-08 22:17:06 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-06-08 22:17:06 VERIFY KU OK
2024-06-08 22:17:06 Validating certificate extended key usage
2024-06-08 22:17:06 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-06-08 22:17:06 VERIFY EKU OK
2024-06-08 22:17:06 VERIFY X509NAME OK: CN=fr888.nordvpn.com
2024-06-08 22:17:06 VERIFY OK: depth=0, CN=fr888.nordvpn.com
2024-06-08 22:17:06 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-06-08 22:17:06 [fr888.nordvpn.com] Peer Connection Initiated with [AF_INET]31.187.69.23:1194
2024-06-08 22:17:07 SENT CONTROL [fr888.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2024-06-08 22:17:07 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.100.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.100.0.2 255.255.255.0,peer-id 5,cipher AES-256-GCM'
2024-06-08 22:17:07 OPTIONS IMPORT: timers and/or timeouts modified
2024-06-08 22:17:07 OPTIONS IMPORT: explicit notify parm(s) modified
2024-06-08 22:17:07 OPTIONS IMPORT: compression parms modified
2024-06-08 22:17:07 OPTIONS IMPORT: --ifconfig/up options modified
2024-06-08 22:17:07 OPTIONS IMPORT: route options modified
2024-06-08 22:17:07 OPTIONS IMPORT: route-related options modified
2024-06-08 22:17:07 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-06-08 22:17:07 OPTIONS IMPORT: peer-id set
2024-06-08 22:17:07 OPTIONS IMPORT: adjusting link_mtu to 1657
2024-06-08 22:17:07 OPTIONS IMPORT: data channel crypto options modified
2024-06-08 22:17:07 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-06-08 22:17:07 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-06-08 22:17:07 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-06-08 22:17:07 net_route_v4_best_gw query: dst 0.0.0.0
2024-06-08 22:17:07 net_route_v4_best_gw result: via 172.17.0.1 dev eth0
2024-06-08 22:17:07 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:05
2024-06-08 22:17:07 TUN/TAP device tun0 opened
2024-06-08 22:17:07 net_iface_mtu_set: mtu 1500 for tun0
2024-06-08 22:17:07 net_iface_up: set tun0 up
2024-06-08 22:17:07 net_addr_v4_add: 10.100.0.2/24 dev tun0
2024-06-08 22:17:07 net_route_v4_add: 31.187.69.23/32 via 172.17.0.1 dev [NULL] table 0 metric -1
2024-06-08 22:17:07 net_route_v4_add: 0.0.0.0/1 via 10.100.0.1 dev [NULL] table 0 metric -1
2024-06-08 22:17:07 net_route_v4_add: 128.0.0.0/1 via 10.100.0.1 dev [NULL] table 0 metric -1
2024-06-08 22:17:07 Initialization Sequence Completed
2024-06-08 22:20:07 [fr888.nordvpn.com] Inactivity timeout (--ping-restart), restarting
2024-06-08 22:20:07 SIGUSR1[soft,ping-restart] received, process restarting
2024-06-08 22:20:07 Restart pause, 5 second(s)
2024-06-08 22:20:12 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-08 22:20:12 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-08 22:20:12 TCP/UDP: Preserving recently used remote address: [AF_INET]31.187.69.23:1194
2024-06-08 22:20:12 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-08 22:20:12 UDP link local: (not bound)
2024-06-08 22:20:12 UDP link remote: [AF_INET]31.187.69.23:1194
2024-06-08 22:20:12 TLS: Initial packet from [AF_INET]31.187.69.23:1194, sid=c32dadcd bd002489
2024-06-08 22:20:12 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-06-08 22:20:12 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-06-08 22:20:12 VERIFY KU OK
2024-06-08 22:20:12 Validating certificate extended key usage
2024-06-08 22:20:12 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-06-08 22:20:12 VERIFY EKU OK
2024-06-08 22:20:12 VERIFY X509NAME OK: CN=fr888.nordvpn.com
2024-06-08 22:20:12 VERIFY OK: depth=0, CN=fr888.nordvpn.com
2024-06-08 22:20:12 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-06-08 22:20:12 [fr888.nordvpn.com] Peer Connection Initiated with [AF_INET]31.187.69.23:1194
2024-06-08 22:20:13 SENT CONTROL [fr888.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2024-06-08 22:20:13 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.100.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.100.0.2 255.255.255.0,peer-id 12,cipher AES-256-GCM'
2024-06-08 22:20:13 OPTIONS IMPORT: timers and/or timeouts modified
2024-06-08 22:20:13 OPTIONS IMPORT: explicit notify parm(s) modified
2024-06-08 22:20:13 OPTIONS IMPORT: compression parms modified
2024-06-08 22:20:13 OPTIONS IMPORT: --ifconfig/up options modified
2024-06-08 22:20:13 OPTIONS IMPORT: route options modified
2024-06-08 22:20:13 OPTIONS IMPORT: route-related options modified
2024-06-08 22:20:13 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-06-08 22:20:13 OPTIONS IMPORT: peer-id set
2024-06-08 22:20:13 OPTIONS IMPORT: adjusting link_mtu to 1657
2024-06-08 22:20:13 OPTIONS IMPORT: data channel crypto options modified
2024-06-08 22:20:13 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-06-08 22:20:13 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-06-08 22:20:13 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-06-08 22:20:13 Preserving previous TUN/TAP instance: tun0
2024-06-08 22:20:13 Initialization Sequence Completed
2024-06-08 22:23:13 [fr888.nordvpn.com] Inactivity timeout (--ping-restart), restarting
2024-06-08 22:23:13 SIGUSR1[soft,ping-restart] received, process restarting
2024-06-08 22:23:13 Restart pause, 5 second(s)
2024-06-08 22:23:18 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-08 22:23:18 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-06-08 22:23:18 TCP/UDP: Preserving recently used remote address: [AF_INET]31.187.69.23:1194
2024-06-08 22:23:18 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-06-08 22:23:18 UDP link local: (not bound)
2024-06-08 22:23:18 UDP link remote: [AF_INET]31.187.69.23:1194
2024-06-08 22:23:18 TLS: Initial packet from [AF_INET]31.187.69.23:1194, sid=c4124132 63fd8cd6
2024-06-08 22:23:18 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-06-08 22:23:18 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-06-08 22:23:18 VERIFY KU OK
2024-06-08 22:23:18 Validating certificate extended key usage
2024-06-08 22:23:18 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-06-08 22:23:18 VERIFY EKU OK
2024-06-08 22:23:18 VERIFY X509NAME OK: CN=fr888.nordvpn.com
2024-06-08 22:23:18 VERIFY OK: depth=0, CN=fr888.nordvpn.com
2024-06-08 22:23:18 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-06-08 22:23:18 [fr888.nordvpn.com] Peer Connection Initiated with [AF_INET]31.187.69.23:1194
2024-06-08 22:23:19 SENT CONTROL [fr888.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2024-06-08 22:23:19 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.100.0.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.100.0.2 255.255.255.0,peer-id 3,cipher AES-256-GCM'
2024-06-08 22:23:19 OPTIONS IMPORT: timers and/or timeouts modified
2024-06-08 22:23:19 OPTIONS IMPORT: explicit notify parm(s) modified
2024-06-08 22:23:19 OPTIONS IMPORT: compression parms modified
2024-06-08 22:23:19 OPTIONS IMPORT: --ifconfig/up options modified
2024-06-08 22:23:19 OPTIONS IMPORT: route options modified
2024-06-08 22:23:19 OPTIONS IMPORT: route-related options modified
2024-06-08 22:23:19 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-06-08 22:23:19 OPTIONS IMPORT: peer-id set
2024-06-08 22:23:19 OPTIONS IMPORT: adjusting link_mtu to 1657
2024-06-08 22:23:19 OPTIONS IMPORT: data channel crypto options modified
2024-06-08 22:23:19 Data Channel: using negotiated cipher 'AES-256-GCM'
2024-06-08 22:23:19 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-06-08 22:23:19 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-06-08 22:23:19 Preserving previous TUN/TAP instance: tun0
2024-06-08 22:23:19 Initialization Sequence Completed

Thanks

ggediminass commented 3 weeks ago

Hello,

Thank you for reaching out to us!

You may see the wrong location on this website because they are using outdated databases which may be updated over time.

Each database has a different update period so it may take some time to display correct location information.

Meanwhile, we can assure you that this IP - 91.205.106.138 - is indeed in France.

Let us know if there is anything else we can assist you with.

chzurb commented 1 week ago

> You may see the wrong location on this website because they are using outdated databases which may be updated over time.

Thanks for the reply. But isn't "they" you, aka NordVPN? What I mean is that I wget the list of IP addresses from you directly and I create a docker container with them within minutes, so how can they be outdated within a couple of hours of creating the image?

Are you saying that the ovpn zip file changes so frequently and so drastically that I need to rebuild an image that downloads a fresh ovpn zip file every time I try to connect to one of your servers? I mean if I'm connecting to a FR IP that you provide in the ovpn zip file how exactly is it that it's reporting I'm connecting to a different IP address in the USA? How can the ovpn file with a FR IP address connect to one of your servers (the logs say so!) which is in France but somehow report otherwise? That just doesn't make much sense.

To be clear, are you saying that I'm actually connecting to FR but somehow only the IP test is erroneously reporting it's in the USA? That the site I want to connect to is in FR and has GEO restrictions but will still work regardless of the IP test being shown?

Sorry, but I don't understand which db is being updated here. Perhaps that would help clear this up. Is there some "external" geo db that nordvpn updates and that geo IP lookup services "subscribe" to and use to resolve the countries?

Thanks

pyro12 commented 1 week ago

Whoever owns ifconfig.co is subscribed to Cloudflare and whois shows its owner is private. As far as I know, the owner is not NordVPN. Their database is apparently not up-to-date or just wrong. I think getting an IP geolocation is similar to resolving a DNS request where sometimes not all the servers have the same info and updated info has to sort of permutate from database to database.

You can check these databases. Maybe it'll make you feel better:

https://www.whatismyip.com/ip-address-lookup/

https://www.ip2location.com/

https://db-ip.com/

https://www.maxmind.com/en/geoip-web-services-demo?ip_address=91.205.106.138

https://ipdata.co/

chzurb commented 1 week ago

Ok. Thanks for the response.

I will go back and try this week and see how this goes.

Note though, that the report of the IP address was only one of the problems mentioned above. The other mentioned is that the vpn connections just stop intermittently working with no rhyme or reason. But then start working again "when they feel like it". The log shows it's connected but it's just not stable enough at times.

Fwiw, I wanted to use an API and not a website to check the IP because my scripts that use the VPN need to run unattended and I thought checking the country via API was just a way to confirm a connection was up and connected to the right country as well as logging that info since the script will be connecting to different countries depending on the operation when it runs.

pyro12 commented 1 week ago

@chzurb I've been using ifconfig.co to check my connected location the past couple of days. I'm currently connected to one of PIA's US servers and ifconfig.co says Romania. It seems like a neat tool, but unfortunately I don't think it's reliable in general - not just with NordVPN's IPs. It's simply not up-to-date or accurate. Too bad.

I found a Linux package called geoiplookup (geoip-bin (apt) or just geoip (pacman)) that seems to be more accurate. I don't know how to keep it up-to-date or if it updates itself yet, but if I use ifconfig.co to get actual IP and then use geoiplookup to get country my early testing seems accurate:

geoiplookup "$(curl ifconfig.co)"

YMMV but it's something to try.
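
Since geolocation databases disagree, an unattended script can instead check what OpenVPN itself logged: the remote it dialled, the certificate CN it verified, and the ping-restart timeouts visible in the log posted above. The following is an added example, not code from this thread or from NordVPN; the names `sessions` and `check` are hypothetical, and it assumes the UDP client log format shown in the issue.

```python
import re
from datetime import datetime

# Abridged from the log posted in this issue: two sessions, PUSH_REPLY shortened.
SAMPLE_LOG = """\
2024-06-08 22:17:06 UDP link remote: [AF_INET]31.187.69.23:1194
2024-06-08 22:17:06 VERIFY X509NAME OK: CN=fr888.nordvpn.com
2024-06-08 22:17:07 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 60,ping-restart 180,peer-id 5'
2024-06-08 22:17:07 Initialization Sequence Completed
2024-06-08 22:20:07 [fr888.nordvpn.com] Inactivity timeout (--ping-restart), restarting
2024-06-08 22:20:12 UDP link remote: [AF_INET]31.187.69.23:1194
2024-06-08 22:20:12 VERIFY X509NAME OK: CN=fr888.nordvpn.com
2024-06-08 22:20:13 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,ping 60,ping-restart 180,peer-id 12'
2024-06-08 22:20:13 Initialization Sequence Completed
2024-06-08 22:23:13 [fr888.nordvpn.com] Inactivity timeout (--ping-restart), restarting
"""

STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$", re.M)
REMOTE = re.compile(r"link remote: \[AF_INET\]([\d.]+):\d+")
RESTART = re.compile(r"PUSH_REPLY,.*\bping-restart (\d+)")

def sessions(log_text):
    """Split an OpenVPN client log into connection attempts, one dict per attempt."""
    out = []
    for m in STAMP.finditer(log_text):
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        remote, restart = REMOTE.search(msg), RESTART.search(msg)
        if remote:  # logged once per (re)connect, so it opens a new session
            out.append(dict(remote=remote.group(1), cn=None, interval=None, up=None, uptime=None))
        elif not out:
            continue
        elif msg.startswith("VERIFY X509NAME OK: CN="):
            out[-1]["cn"] = msg.split("CN=", 1)[1]
        elif restart:
            out[-1]["interval"] = int(restart.group(1))
        elif msg == "Initialization Sequence Completed":
            out[-1]["up"] = ts
        elif "Inactivity timeout (--ping-restart)" in msg and out[-1]["up"]:
            out[-1]["uptime"] = int((ts - out[-1]["up"]).total_seconds())
    return out

def check(log_text, want_remote, want_cn):
    """Return a list of problems; an empty list means the latest session looks healthy."""
    found = sessions(log_text)
    if not found:
        return ["no connection attempt in log"]
    last, problems = found[-1], []
    if last["remote"] != want_remote:
        problems.append(f"remote is {last['remote']}, expected {want_remote}")
    if last["cn"] != want_cn:
        problems.append(f"certificate CN is {last['cn']}, expected {want_cn}")
    if last["up"] is None:
        problems.append("tunnel never completed initialization")
    # Uptime <= pushed ping-restart interval: nothing arrived from the server after setup.
    silent = [s for s in found if s["uptime"] is not None
              and s["interval"] and s["uptime"] <= s["interval"] + 1]
    if silent:
        problems.append(f"{len(silent)} session(s) timed out without receiving traffic")
    return problems
```

On a live system, pass the contents of the file given to `--log` together with the `remote` address and server name from the `.ovpn` profile; a non-empty result is a reason to reconnect before the script does its work.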