NordSecurity / nordvpn-linux

NordVPN Linux client
GNU General Public License v3.0

nordvpn whitelist ports not work #7

Closed tm4ig closed 1 year ago

tm4ig commented 1 year ago

When I add ports (for example 22/ssh, 443/https) to the nordvpn whitelist and connect to a VPN server, the whitelisted ports do not work and I cannot connect to them from an external network.

OS: Ubuntu 20.04

bjlockie commented 1 year ago

Do you have a router? Maybe it is blocking the ports.

tm4ig commented 1 year ago

I have an OVH VPS with a public IP. When I do not use NordVPN on the VPS I can connect to the VPS by SSH or HTTPS (I use shadowsocks with the v2ray plugin on port 443). If I connect to a nordvpn server, the ssh and https ports are not available, even though they are listed in the nordvpn whitelist ports.

Only if I manually add the ssh and https ports to an ip rule can I connect to them while the nordvpn connection is active, so it looks like a nordvpn bug.

giaythuytinh176 commented 1 year ago

I have the same problem; it seems it is not designed for external connections while we are connected to the VPN.

keliramu commented 1 year ago

Thank you for your feedback! We reproduced the problem you described. We are working on resolving it and will come back with a fix ASAP.

zzggbb commented 1 year ago

@giaythuytinh176

> Only if I manually add the ssh and https ports to an ip rule can I connect to them while the nordvpn connection is active, so it looks like a nordvpn bug.

How did you use IP rules to fix this? I am unfamiliar with ip rules and would greatly appreciate some help fixing this problem.

tm4ig commented 1 year ago

> How did you use IP rules to fix this? I am unfamiliar with ip rules and would greatly appreciate some help fixing this problem.

In my case, for a VPS with a public internet IP and using https as the example, I have:

1) added port 443 as allowed with the nordvpn CLI: nordvpn whitelist add port 443

2) added a custom record (200) for nordvpn in the rt_tables file

cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
200 nordvpn

3) added a systemd autostart script with the rules

cat /etc/systemd/system/nordvpn-allow-https.service
[Unit]
Description=add ip route and rule for allow https with nordvpn
After=network.target nordvpnd.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip route add table nordvpn default via GATEWAY_ADDRESS
ExecStartPost=/usr/sbin/ip rule add table nordvpn from PUBLIC_IP_ADDRESS ipproto tcp sport 443 priority 10001

[Install]
WantedBy=multi-user.target

keliramu commented 1 year ago

Please try these iptables rules, which utilize conntrack. In the following example, replace port number 22 with your port and also change the protocol to udp if needed.

iptables -t mangle -I PREROUTING -p tcp --dport 22 -j MARK --set-mark 0xe1f1
iptables -t mangle -I OUTPUT -p tcp --sport 22 -j MARK --set-mark 0xe1f1

When the fix is implemented, all of this will be done by the NordVPN app automatically.

tm4ig commented 1 year ago

@keliramu I also have a problem with IP address renewal from DHCP when nordvpn is connected. I must manually add the DHCP server address and/or UDP ports 67/68 to the nordvpn whitelist or to iptables rules so that the DHCP renewal works. Otherwise, when nordvpn is active, DHCP renewal does not work and after the lease time expires I lose the network connection on my host.

Can you fix them?

sarahhenkens commented 1 year ago

@keliramu do you have an example of those iptables commands but for an entire subnet regardless of protocol?

keliramu commented 1 year ago

Hi, @sarahhenkens, here are FW rules for whitelisted subnet:

iptables -t mangle -I PREROUTING -s 192.168.99.0/24 -j MARK --set-mark 0xe1f1
iptables -t mangle -I OUTPUT -d 192.168.99.0/24 -j MARK --set-mark 0xe1f1
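The port rules keliramu gives above and the subnet variant in this comment, wrapped as an added example script that is not part of the nordvpn-linux project or of anyone's comment here: it validates the port or CIDR, prints the rule pair, and inserts each rule only if iptables -C does not already find it, so it is safe to run repeatedly from a oneshot unit like the one tm4ig posted. It assumes root, iptables on PATH and the 0xe1f1 mark used in the thread; the script name allow.sh is made up.

```shell
#!/bin/sh
# Added example (not nordvpn-linux project code): apply the thread's conntrack
# mark workaround idempotently. Assumes root and iptables on PATH; DRY_RUN=1 prints.
set -eu
NORDVPN_MARK="0xe1f1"   # mark value used by the rules in the thread
# validate_port PORT: succeeds if PORT is an integer in 1..65535
validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# validate_cidr CIDR: shape check only (a.b.c.d/0-32), not a full parse
validate_cidr() {
    case "$1" in *.*.*.*/[0-9]|*.*.*.*/[12][0-9]|*.*.*.*/3[0-2]) return 0 ;; esac
    return 1
}

# mark_rules_for_port PORT [PROTO]: print the two mangle rules (chain and match,
# without the iptables verb) that mark connections to a whitelisted local port
mark_rules_for_port() {
    port="$1"; proto="${2:-tcp}"
    validate_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "invalid proto: $proto" >&2; return 1 ;; esac
    printf 'PREROUTING -p %s --dport %s -j MARK --set-mark %s\n' "$proto" "$port" "$NORDVPN_MARK"
    printf 'OUTPUT -p %s --sport %s -j MARK --set-mark %s\n' "$proto" "$port" "$NORDVPN_MARK"
}
# mark_rules_for_subnet CIDR: the same for traffic from/to a whitelisted subnet
mark_rules_for_subnet() {
    validate_cidr "$1" || { echo "invalid subnet: $1" >&2; return 1; }
    printf 'PREROUTING -s %s -j MARK --set-mark %s\n' "$1" "$NORDVPN_MARK"
    printf 'OUTPUT -d %s -j MARK --set-mark %s\n' "$1" "$NORDVPN_MARK"
}

# apply_rules RULES: insert each rule only if absent (iptables -C), so a oneshot
# systemd unit can run this on every boot without accumulating duplicates
apply_rules() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # $rule stays unquoted on purpose: each word is one iptables argument
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "iptables -t mangle -I $rule"
        elif ! iptables -t mangle -C $rule 2>/dev/null; then
            iptables -t mangle -I $rule
        fi
    done
}
# Usage: sh allow.sh port 22 [tcp|udp]   or   sh allow.sh subnet 192.168.99.0/24
case "${1:-}" in
    port)   apply_rules "$(mark_rules_for_port "$2" "${3:-tcp}")" ;;
    subnet) apply_rules "$(mark_rules_for_subnet "$2")" ;;
esac
```

Because the rules only mark packets, the script does not open anything by itself; the mark just keeps the marked connections off the tunnel, so the port still needs to be allowed in the nordvpn whitelist as in the thread.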

keliramu commented 1 year ago

Hi, @tm4ig, port and subnet whitelisting was fixed in commit 6f16daf and will be released with the next version (approx. in 2 weeks).

Now closing this issue.