bubuntux / nordlynx

GNU General Public License v3.0
200 stars 42 forks source link

No connection. Ping and Curl fail #38

Closed danieleperera closed 2 years ago

danieleperera commented 2 years ago

Describe the bug

The logs says that the container is connected, however when I test the connection, it fails.

To Reproduce using docker CLI

Got the private key using: docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key

Then I created the below docker-compose.yml file:

version: "3"
services:
  nordlynx:
    image: ghcr.io/bubuntux/nordlynx:latest
    container_name: nordlynx
    cap_add:
      - NET_ADMIN #required
      - NET_RAW
    environment:
      - PRIVATE_KEY=REDACTED #required
      - TZ=REDACTED

To start the container: docker-compose up -d

LOGS

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-firewall: executing...
[2022-02-15T09:21:00+00:00] Firewall is up, everything has to go through the vpn
[cont-init.d] 00-firewall: exited 0.
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 01-migrations: executing...
[migrations] started
[migrations] no migrations found
[cont-init.d] 01-migrations: exited 0.
[cont-init.d] 02-tamper-check: executing...
[cont-init.d] 02-tamper-check: exited 0.
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Bubuntux: https://github.com/sponsors/bubuntux
WireGuard: https://www.wireguard.com/donations/
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    911
User gid:    911
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 10-validate: executing...
[cont-init.d] 10-validate: exited 0.
[cont-init.d] 20-inet: executing...
[2022-02-15T09:21:00+00:00] Enabling connection to eth0 172.19.0.2/16
[2022-02-15T09:21:00+00:00] Enabling connection to secure interfaces
[cont-init.d] 20-inet: exited 0.
[cont-init.d] 20-inet6: executing...
[2022-02-15T09:21:00+00:00] No interface network6 detected
[cont-init.d] 20-inet6: exited 0.
[cont-init.d] 30-route: executing...
[cont-init.d] 30-route: exited 0.
[cont-init.d] 30-route6: executing...
[cont-init.d] 30-route6: exited 0.
[cont-init.d] 40-allowlist: executing...
[cont-init.d] 40-allowlist: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[2022-02-15T10:21:00+01:00] Finding the best server...
[2022-02-15T10:21:01+01:00] Using server: { ... }
[2022-02-15T10:21:02+01:00] Connecting...
[#]
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.5.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#]
[2022-02-15T10:21:02+01:00] Connected! \(ᵔᵕᵔ)/

Expected behavior

The first test: docker exec -it nordlynx curl ifconfig.co -vv Output:

* Could not resolve host: ifconfig.co
* Closing connection 0
curl: (6) Could not resolve host: ifconfig.co

Expected behavior is to get the public IP address of the container.

The second test: docker exec -it nordlynx ping 8.8.8.8 Output:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
NO MORE RESULTS

Additional context

Docker version 20.10.12 Running on Ubuntu 20.04.3 LTS Running latest version of ghcr.io/bubuntux/nordlynx:latest

bubuntux commented 2 years ago

i'm on the same host/docker/image version and works fine at my end, seems like a dns issue tho. try adding a DNS env variable, and adding network bridge

danieleperera commented 2 years ago

Added the network_mode: bridge and DNS=1.1.1.1,8.8.8.8

version: "3"
services:
  nordlynx:
    image: ghcr.io/bubuntux/nordlynx
    container_name: nordlynx
    network_mode: bridge
    cap_add:
      - NET_ADMIN #required
      - NET_RAW
    environment:
      - PRIVATE_KEY=REDACTED #required
      - TZ=REDACTED 
      - DNS=1.1.1.1,8.8.8.8

But it's not working.

julio8a commented 2 years ago

if it helps, here's mine:

version: "3"
services:
  nordvpn:
    image: ghcr.io/bubuntux/nordlynx:latest
    container_name: nordvpn
    network_mode: bridge
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
#    sysctls:
#      - net.ipv4.conf.all.rp_filter=2
    environment:
      - PRIVATE_KEY=xxxXXXXXXXXXXXXXx
      - NET_LOCAL=192.168.1.0/24
      - TZ=America/Los_Angeles      
    ports:
      - 8080:8080 # qbittorrent web interface
      - 6881:6881 # qbittorrent P2P
      - 6881:6881/udp # qbittorrent P2P
    restart: unless-stopped

qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: service:nordvpn
    environment:
      - PUID=1000
      - PGID=1000
      - WEBUI_PORT=8080
      - TZ=America/Los_Angeles
      - DOCKER_MODS=ghcr.io/gilbn/theme.park:qbittorrent
    volumes:
      - /home/containers/qbittorrent/config:/config
      - /home/pi/downloads:/downloads
    restart: unless-stopped
    depends_on:
      - nordvpn

working fine

catchsudheera commented 2 years ago

@danieleperera What version of the docker image are you using ? Can you paste the output of docker image ls | grep nordlynx

danieleperera commented 2 years ago

@catchsudheera I'm running the latest version. ghcr.io/bubuntux/nordlynx latest 85b8908c90e5 4 days ago 33MB

I also tried the edge version ghcr.io/bubuntux/nordlynx edge e874e4f5db25 43 hours ago 33MB

But there is still no connection

catchsudheera commented 2 years ago

@danieleperera Strange, I've just ran the exact same image with exact same docker-compose as you and got it working. My only (wild) guess is a possible docker host issue. Can you test this theory by using a ubuntu or alpine image to spin up a container in the same way, then use the same tests to verify...

b-kamphorst commented 2 years ago

I experienced the same issue for a couple of days. Just recreated my stack (same config, Synology host) and everything seems to work again? Pinned nordlynx to version 2022-02-12. @danieleperera you may want to check as well?

golfvert commented 2 years ago

Exact same situation for me. It seems to be connected. Logs is similar to OP. No traffic can go through. I have tried forcing DNS. No luck. I have tried using 2022-02-12 image same thing... As I am running a VM on proxmox, I have started another "fresh" VM same result. Ideas are welcome :)

ginodesilva commented 2 years ago

I'm having the same problem. No ping or curl possible. Details can be found here: https://github.com/bubuntux/nordlynx/discussions/1#discussioncomment-2115926 Ping and curl work after adding iptables -A OUTPUT -o eth0 -j ACCEPT; at post up env variables. I wonder if this, as a test, makes your setup work. Then it must be something in the iptables.

golfvert commented 2 years ago

@ginodesilva do you mean that you have:

environment:
      - POST_UP="/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT;"

in your compose file?

It gives me an error:

[#] "/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT;"
/usr/bin/wg-quick: line 295: /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT;: No such file or directory
ginodesilva commented 2 years ago

@golfvert You don't have to put it in your post up. You can also add it after the VPN connection has been established. Just run "iptables -A OUTPUT -o eth0 -j ACCEPT" at the console. When adding it to the post up i have: POST_UP=sleep 6 ; ip route add 10.5.0.0/16 dev %i;iptables -A OUTPUT -o eth0 -j ACCEPT;

My knowledge about iptables is to limited, but it feels like this is not the way to make it work. It can be used for troubleshooting (does the problem occurs because of the iptables?).

golfvert commented 2 years ago

No difference for me with this POST_UP... It seems however, that iptables -A OUTPUT -o eth0 -j ACCEPT; is already done. If without it you do iptables -L OUTPUT -n you'll see that the ACCEPT is there. And, I don't think we should have to do this kind of command after the tunnel is up.

golfvert commented 2 years ago

Before going to bed, I tried one last thing... docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key And surprisingly the PRIVATE_KEY was not the same than before. I tried with this new one and it works. Strangely enough with the old PRIVATE_KEY it said it was connected (same output as first post) but was not ? or badly ? I thought my PRIVATE_KEY would stay the same forever. Apparently not. Don't know if it is related but yesterday I extended my subscription. Hope it helps.

bubuntux commented 2 years ago

executing iptables -A OUTPUT -o eth0 -j ACCEPT; renders useless the vpn

ginodesilva commented 2 years ago

executing iptables -A OUTPUT -o eth0 -j ACCEPT; renders useless the vpn

I know, I only used if for testing purposes. The thing is, after establishing the vpn connection, I can get a IP address and check it with curl ifconfig.me. Can ping general DNS servers such as 8.8.8.8 and 1.1.1.1 but as soon as I want to ping for instance a google server, I get an "operation is not permitted" response. After adding the iptables command, everything is allowed.

`root@f2eaa53da02c:/# ping 1.1.1.1 PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: seq=0 ttl=60 time=99.029 ms ^C --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 99.029/99.029/99.029 ms

root@f2eaa53da02c:/# ping 172.217.168.196 PING 172.217.168.196 (172.217.168.196): 56 data bytes ping: sendto: Operation not permitted `

I wonder if @golfvert has the same issue?

b-kamphorst commented 2 years ago

What is your ALLOWED_IPS? I used to have the same issue, also for pinging google.com, but that was explained by my ALLOWED_IPS=0.0.0.0/1. Changing to ALLOWED_IPS=0.0.0.0/1,128.0.0.0/2 fixed this.

ginodesilva commented 2 years ago

What is your ALLOWED_IPS? I used to have the same issue, also for pinging google.com, but that was explained by my ALLOWED_IPS=0.0.0.0/1. Changing to ALLOWED_IPS=0.0.0.0/1,128.0.0.0/2 fixed this.

Thanks for the suggestion. I had - ALLOWED_IPS=0.0.0.0/1, 128.0.0.1 but changed it to 128.0.0.0/2 but this didn't resolve it unfortunately.

This is my compose now:

version: "3" services: nordlynx: container_name: nordlynx image: ghcr.io/bubuntux/nordlynx:latest network_mode: bridge healthcheck: test: ["CMD-SHELL", "curl https://api.nordvpn.com/vpn/check/full | grep '\"status\":\"Protected\"' && exit 0 || exit 1"]
cap_add:

Route table:

Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default 128.0.0.0 U 0 0 0 wg0 default 172.17.0.1 0.0.0.0 UG 0 0 0 eth0 10.5.0.0 255.255.0.0 U 0 0 0 wg0 128.0.0.2 255.255.255.255 UH 0 0 0 wg0 172.16.0.0 172.17.0.1 255.240.0.0 UG 0 0 0 eth0 172.17.0.0 255.255.0.0 U 0 0 0 eth0 192.168.1.0 172.17.0.1 255.255.255.0 UG 0 0 0 eth0

btw I'm running on a Synology DS216+ii

b-kamphorst commented 2 years ago

Your ALLOWED_IPS in the compose is incorrect; it states 128.0.0.2 rather than 128.0.0.0/2. Might be the culprit?

ginodesilva commented 2 years ago

Your ALLOWED_IPS in the compose is incorrect; it states 128.0.0.2 rather than 128.0.0.0/2. Might be the culprit?

You legend. Changing to - ALLOWED_IPS=0.0.0.0/1, 128.0.0.2/2 fixed everything. Also the other containers running through the nordvpn container. Thanks a billion. Dank je!

golfvert commented 2 years ago

I am happy that it works for you. But, out of curiosity, why 0.0.0.0/1 (and not /0...) and 128.0.0.0/2 are needed. In theory 0.0.0.0/1 and 128.0.0.0/1 are equivalent to 0.0.0.0/0 but the /2 ??? Where is this coming from?

ginodesilva commented 2 years ago

I am happy that it works for you. But, out of curiosity, why 0.0.0.0/1 (and not /0...) and 128.0.0.0/2 are needed. In theory 0.0.0.0/1 and 128.0.0.0/1 are equivalent to 0.0.0.0/0 but the /2 ??? Where is this coming from?

It's a synology/wireguard thing. See https://github.com/bubuntux/nordlynx/issues/2

b-kamphorst commented 2 years ago

Indeed. It is quite non-trivial to get Nordlynx working on Synology (see also #1, which was not meant to discuss that). I'll share my seemingly working configuration tonight in a dedicated discussion, together with some of the things that I ran into (e.g. 128.0.0.0/1 did not work, don't know why).

WINOFFRG commented 2 years ago

Hello! Has anyone found any solution to this yet? This is cauing a lot of issue to me. I have tried both the tech nordvpn client as well as wiregaurd technology. Both both are now facing same issue, Still don't know the issue.

So, has anyone found any solution or alternate to this NordVPN in Docker ? Please share that would be a great help, As I urgently need to start up my services.

b-kamphorst commented 2 years ago

Some of the contributors to this issue don't experience problems anymore. Issue was resolved by correcting PRIVATE_KEY or ALLOWED_IPS, or for no clear reason. If you are on Synology, please have a look at #41.

I wonder whether the author of the OP, @danieleperera, has any updates to share?

WINOFFRG commented 2 years ago

Thanks for your response. I wonder what do you mean by correcting PRIVATE_KEY? As I do get Connected! \(ᵔᵕᵔ)/ in the end. Talking about ALLOWED_IPS, here is the service block of VPN in my docker-compose.yml file

vpn:
    container_name: Nord-VPN-2
    image: ghcr.io/bubuntux/nordlynx
    ports:
      - 8080:8080
    networks:
      - primary-net
    security_opt:
      - no-new-privileges:true
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  # Recommended if using ipv4 only
    volumes:
      - /lib/modules:/lib/modules:ro # Required to install wireguard module
    environment:
      - PRIVATE_KEY=XXXXX
      - DNS=103.86.96.100,103.86.99.100,127.0.0.11
      - ALLOWED_IPS=0.0.0.0/1,128.0.0.0/2
      - NET_LOCAL=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

I still don't see any success, The same error where host name isn't resolved. Any idea?

Moreover, my NodeJS application which is using this VPN makes a external API call to some address. And it says Node-Application | connect ETIMEDOUT 45.64.104.32:443.

b-kamphorst commented 2 years ago

I wonder what do you mean by correcting PRIVATE_KEY?

https://github.com/bubuntux/nordlynx/issues/38#issuecomment-1046337775

On first glance, your configuration looks fine to me. If the nordlynx container doesn't ping or resolve then I wouldn't expect the NodeJS container to do so either. Are you able to ping 8.8.8.8? What host are you on?

WINOFFRG commented 2 years ago

Oh Yes, I have made sure my private key is same. Right! The issue is with VPN itself. So, No both ping and curl fails with the error Unable to resolve host. I am on Server Ubuntu 20.04.3 LTS with docker version 20.10.10.

Here is the screenshot attached below for reference:

  1. NordLynx image

  2. NordVPN image

Moreover, this machine was on Azure, Just for fresh start I created a new VM on AWS and faced the same issue there for the same config file. Both nordvpn and nordlynx are facing exact same issue. It happend to me a month ago as well and solved on it owns, now the same.

It used to work on my current machine few weeks ago and just another day it stopped, and since then no success. 😢

danieleperera commented 2 years ago

@WINOFFRG did you change your Nordvpn password recently?

WINOFFRG commented 2 years ago

No I didn't. But finally I understood, The issue was with account itself. Even though ID/Pass/PrivateKey all were correct and working, But due to some or the other reason it had issue. I just asked my friend's account, and it worked in a go. Thanks a lot @b-kamphorst @danieleperera :)

Maybe we could add some checks, If APIs give us something in response maybe some error and we can then warn the user. Would be great and save a lot of time.

bubuntux commented 2 years ago

@WINOFFRG happy to accept merge requests

Kyrluckechuck commented 2 years ago

Just wanted to chime in that I was having the same issue as this thread (with it claiming to succeed starting up but couldn't ping anything while in the shell) and for the life of me I couldn't figure out why since I tried the three fixes suggested in the thread, however I finally got it working by commenting out/removing the ALLOWED_IPS.

FWIW this is running in a Debian VM (running on Truenas), though I'm not sure that impacts it at all since my other clients were working just fine (such as the transmission-openvpn docker image).

Final working config for me:

version: "3"
services:
  nordlynx:
    image: ghcr.io/bubuntux/nordlynx
    cap_add:
      - NET_ADMIN #required
      - NET_RAW
      - SYS_MODULE
    environment:
      - PRIVATE_KEY=<redacted>
      - NET_LOCAL=192.168.0.0/24
      - TZ=America/Toronto
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  # Recomended if using ipv4 only
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
danieleperera commented 2 years ago

I was able to get the container working with the above docker-compose file. Now it shows a new IP address when I connect to the internet using the container.

titou4307 commented 2 years ago

Hi at all I need support because because my level of newbee don't help !! lol

I have since many month the container bubuntux/nordvpn who give access under VPN at other container (like Jdownloader) on a raspberry PI4 8gb

Since a time this container nordvpn not access to internet (=not function) so in the log I have seen :+1:

Please migrate to the NordLynx container (https://github.com/bubuntux/nordlynx

So I done this in the "same" config of my container bubuntux/nordVPN like here (before I install my container under SSH and now I use docker compose on Portainer....)

sudo docker run -ti \ --cap-add=NET_ADMIN \ --cap-add=SYS_MODULE \ --device /dev/net/tun \ --name nordvpn \ --restart=always \ -e USER=XXXXXX@XXXXXX \ -e PASS=XXXXXXXXXXXXX \ -e CONNECT=fr \ -e TECHNOLOGY=NordLynx \ -e NETWORK=192.168.1.0/24 \ -e TZ=Europe/France \ -p 5800:5800 \ -p 5801:5801 \ -p 3129:3129 \ --label=com.centurylinklabs.watchtower.enable=true \ -d bubuntux/nordvpn

With bubuntux/nordlinx I have do this under docker compose on Portainer :

version: "3" services: nordlynx: image: ghcr.io/bubuntux/nordlynx container_name: nordlynx cap_add:

After create the container I would try to ping google with the Command line under the container (ping www.google.com) but impossible.... And it mentionned "Connected" in the logs

I have install the module Wireguard on the PI4

In the portal container the container is unhealthy......see the pics

Nordlinx

Here's the log :

    "id": 74,
    "name": "France",
    "code": "FR",
    "city": {
      "id": 2867102,
      "name": "Marseille",
      "latitude": 43.285413,
      "longitude": 5.37606,
      "dns_name": "marseille",
      "hub_score": 0

} } } ], "groups": [ { "id": 11, "created_at": "2017-06-13 13:43:00", "updated_at": "2017-06-13 13:43:00", "title": "Standard VPN servers", "identifier": "legacy_standard", "type": { "id": 3, "created_at": "2017-06-13 13:40:17", "updated_at": "2017-06-13 13:40:23", "title": "Legacy category", "identifier": "legacy_group_category" } }, { "id": 15, "created_at": "2017-06-13 13:43:38", "updated_at": "2017-06-13 13:43:38", "title": "P2P", "identifier": "legacy_p2p", "type": { "id": 3, "created_at": "2017-06-13 13:40:17", "updated_at": "2017-06-13 13:40:23", "title": "Legacy category", "identifier": "legacy_group_category" } }, { "id": 19, "created_at": "2017-10-27 14:17:17", "updated_at": "2017-10-27 14:17:17", "title": "Europe", "identifier": "europe", "type": { "id": 5, "created_at": "2017-10-27 14:16:30", "updated_at": "2017-10-27 14:16:30", "title": "Regions", "identifier": "regions" } } ], "specifications": [ { "id": 8, "title": "Version", "identifier": "version", "values": [ { "id": 257, "value": "2.1.0" } ] } ], "ips": [ { "id": 295892, "created_at": "2021-04-14 07:01:30", "updated_at": "2021-04-14 07:01:30", "server_id": 979115, "ip_id": 205247, "type": "entry", "ip": { "id": 205247, "ip": "138.199.16.92", "version": 4 } } ] } [2022-03-16T11:29:59+00:00] Connecting... [#] [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 10.5.0.2/32 dev wg0 [#] ip link set mtu 1420 up dev wg0 [#] wg set wg0 fwmark 51820 [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820 [#] ip -4 rule add not fwmark 51820 table 51820 [#] ip -4 rule add table main suppress_prefixlength 0 [#] iptables-restore -n [#] [2022-03-16T11:30:00+00:00] Connected! (ᵔᵕᵔ)/

Many thanks for your return

tauzN commented 2 years ago
  • NET_LOCAL=192.168.0.0/24

Had same issue. This made it work for me

FBoucher commented 2 years ago

What's the trick to run docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key with 2fa??

crsantos commented 2 years ago

@danieleperera is this working for you? I think your main issue was resolved, so could we close this issue?

bubuntux commented 2 years ago

@FBoucher

What's the trick to run docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key with 2fa??

disable 2fa

alexporth commented 2 years ago

Not sure if this is the case for everyone but my private key seems to have changed after I changed my password.

ddimitriou commented 2 years ago

I was having the exact issue in Windows. Looked like the preconfigured DNS wasn't working, and as soon as I provided the:

- DNS=103.86.96.100,103.86.99.100

It worked.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

BobCelso commented 1 year ago

Hey guys the ping to 8.8.8.8 and "curl ifconfig.me" just doesn't work. Can someone help me please ?

docker-compose on Synology NAS DSM 7.1


version: "3" services: nordlynx: image: ghcr.io/bubuntux/nordlynx cap_add:

b-kamphorst commented 1 year ago

Hi @BobCelso, this issue was closed half a year ago so you may want to start a fresh issue. However, before you do so, please have a look at the wiki with Synology-specific instructions. I hope it can help you out!

CaTeNdrE commented 1 year ago

Before going to bed, I tried one last thing... docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key And surprisingly the PRIVATE_KEY was not the same than before. I tried with this new one and it works. Strangely enough with the old PRIVATE_KEY it said it was connected (same output as first post) but was not ? or badly ? I thought my PRIVATE_KEY would stay the same forever. Apparently not. Don't know if it is related but yesterday I extended my subscription. Hope it helps.

Thanks for this! Running docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key triggered "Your account has expired. Renew your subscription now to continue enjoying the ultimate privacy and security with NordVPN." Oops!