Closed danieleperera closed 2 years ago
i'm on the same host/docker/image version and works fine at my end, seems like a dns issue tho. try adding a DNS env variable, and adding network bridge
Added the `network_mode: bridge` and `DNS=1.1.1.1,8.8.8.8`
```yaml
version: "3"
services:
  nordlynx:
    image: ghcr.io/bubuntux/nordlynx
    container_name: nordlynx
    network_mode: bridge
    cap_add:
      - NET_ADMIN #required
      - NET_RAW
    environment:
      - PRIVATE_KEY=REDACTED #required
      - TZ=REDACTED
      - DNS=1.1.1.1,8.8.8.8
```
But it's not working.
if it helps, here's mine:
```yaml
version: "3"
services:
  nordvpn:
    image: ghcr.io/bubuntux/nordlynx:latest
    container_name: nordvpn
    network_mode: bridge
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    # sysctls:
    #   - net.ipv4.conf.all.rp_filter=2
    environment:
      - PRIVATE_KEY=xxxXXXXXXXXXXXXXx
      - NET_LOCAL=192.168.1.0/24
      - TZ=America/Los_Angeles
    ports:
      - 8080:8080 # qbittorrent web interface
      - 6881:6881 # qbittorrent P2P
      - 6881:6881/udp # qbittorrent P2P
    restart: unless-stopped
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: service:nordvpn
    environment:
      - PUID=1000
      - PGID=1000
      - WEBUI_PORT=8080
      - TZ=America/Los_Angeles
      - DOCKER_MODS=ghcr.io/gilbn/theme.park:qbittorrent
    volumes:
      - /home/containers/qbittorrent/config:/config
      - /home/pi/downloads:/downloads
    restart: unless-stopped
    depends_on:
      - nordvpn
```
working fine
@danieleperera What version of the docker image are you using? Can you paste the output of `docker image ls | grep nordlynx`?
@catchsudheera
I'm running the latest version.
ghcr.io/bubuntux/nordlynx latest 85b8908c90e5 4 days ago 33MB
I also tried the edge version
ghcr.io/bubuntux/nordlynx edge e874e4f5db25 43 hours ago 33MB
But there is still no connection
@danieleperera Strange, I've just run the exact same image with the exact same docker-compose as you and got it working. My only (wild) guess is a possible docker host issue. Can you test this theory by using a `ubuntu` or `alpine` image to spin up a container in the same way, then use the same tests to verify...
I experienced the same issue for a couple of days. Just recreated my stack (same config, Synology host) and everything seems to work again? Pinned nordlynx to version 2022-02-12. @danieleperera you may want to check as well?
Exact same situation for me. It seems to be connected. Logs is similar to OP. No traffic can go through. I have tried forcing DNS. No luck. I have tried using 2022-02-12 image same thing... As I am running a VM on proxmox, I have started another "fresh" VM same result. Ideas are welcome :)
I'm having the same problem. No ping or curl possible. Details can be found here: https://github.com/bubuntux/nordlynx/discussions/1#discussioncomment-2115926 Ping and curl work after adding iptables -A OUTPUT -o eth0 -j ACCEPT; at post up env variables. I wonder if this, as a test, makes your setup work. Then it must be something in the iptables.
@ginodesilva do you mean that you have:
```yaml
environment:
  - POST_UP="/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT;"
```
in your compose file?
It gives me an error:
```
[#] "/sbin/iptables -A OUTPUT -o eth0 -j ACCEPT;"
/usr/bin/wg-quick: line 295: /sbin/iptables -A OUTPUT -o eth0 -j ACCEPT;: No such file or directory
```
@golfvert
You don't have to put it in your post up. You can also add it after the VPN connection has been established. Just run "iptables -A OUTPUT -o eth0 -j ACCEPT" at the console.
When adding it to the post up I have:
`POST_UP=sleep 6 ; ip route add 10.5.0.0/16 dev %i;iptables -A OUTPUT -o eth0 -j ACCEPT;`
My knowledge about iptables is too limited, but it feels like this is not the way to make it work. It can be used for troubleshooting (does the problem occur because of the iptables?).
No difference for me with this POST_UP...
It seems however, that `iptables -A OUTPUT -o eth0 -j ACCEPT;` is already done.
If without it you do `iptables -L OUTPUT -n` you'll see that the ACCEPT is there.
And, I don't think we should have to do this kind of command after the tunnel is up.
Before going to bed, I tried one last thing...
docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key
And surprisingly the PRIVATE_KEY was not the same than before.
I tried with this new one and it works.
Strangely enough with the old PRIVATE_KEY it said it was connected (same output as first post) but was not ? or badly ?
I thought my PRIVATE_KEY would stay the same forever. Apparently not. Don't know if it is related but yesterday I extended my subscription. Hope it helps.
executing iptables -A OUTPUT -o eth0 -j ACCEPT; renders useless the vpn
> executing iptables -A OUTPUT -o eth0 -j ACCEPT; renders useless the vpn

I know, I only used it for testing purposes. The thing is, after establishing the vpn connection, I can get an IP address and check it with curl ifconfig.me. Can ping general DNS servers such as 8.8.8.8 and 1.1.1.1 but as soon as I want to ping for instance a google server, I get an "operation is not permitted" response. After adding the iptables command, everything is allowed.
```
root@f2eaa53da02c:/# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=60 time=99.029 ms
^C
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 99.029/99.029/99.029 ms
root@f2eaa53da02c:/# ping 172.217.168.196
PING 172.217.168.196 (172.217.168.196): 56 data bytes
ping: sendto: Operation not permitted
```
I wonder if @golfvert has the same issue?
What is your `ALLOWED_IPS`? I used to have the same issue, also for pinging google.com, but that was explained by my `ALLOWED_IPS=0.0.0.0/1`. Changing to `ALLOWED_IPS=0.0.0.0/1,128.0.0.0/2` fixed this.
> What is your `ALLOWED_IPS`? I used to have the same issue, also for pinging google.com, but that was explained by my `ALLOWED_IPS=0.0.0.0/1`. Changing to `ALLOWED_IPS=0.0.0.0/1,128.0.0.0/2` fixed this.

Thanks for the suggestion. I had - ALLOWED_IPS=0.0.0.0/1, 128.0.0.1 but changed it to 128.0.0.0/2 but this didn't resolve it unfortunately.
This is my compose now:
```yaml
version: "3"
services:
  nordlynx:
    container_name: nordlynx
    image: ghcr.io/bubuntux/nordlynx:latest
    network_mode: bridge
    healthcheck:
      test: ["CMD-SHELL", "curl https://api.nordvpn.com/vpn/check/full | grep '\"status\":\"Protected\"' && exit 0 || exit 1"]
    cap_add:
```
Route table:
```
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 128.0.0.0 U 0 0 0 wg0
default 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
10.5.0.0 255.255.0.0 U 0 0 0 wg0
128.0.0.2 255.255.255.255 UH 0 0 0 wg0
172.16.0.0 172.17.0.1 255.240.0.0 UG 0 0 0 eth0
172.17.0.0 255.255.0.0 U 0 0 0 eth0
192.168.1.0 172.17.0.1 255.255.255.0 UG 0 0 0 eth0
```
btw I'm running on a Synology DS216+ii
Your `ALLOWED_IPS` in the compose is incorrect; it states `128.0.0.2` rather than `128.0.0.0/2`. Might be the culprit?
> Your `ALLOWED_IPS` in the compose is incorrect; it states `128.0.0.2` rather than `128.0.0.0/2`. Might be the culprit?

You legend. Changing to - ALLOWED_IPS=0.0.0.0/1, 128.0.0.2/2 fixed everything. Also the other containers running through the nordvpn container. Thanks a billion. Dank je!
I am happy that it works for you.
But, out of curiosity, why `0.0.0.0/1` (and not /0...) and `128.0.0.0/2` are needed.
In theory `0.0.0.0/1` and `128.0.0.0/1` are equivalent to `0.0.0.0/0` but the `/2`??? Where is this coming from?
> I am happy that it works for you. But, out of curiosity, why `0.0.0.0/1` (and not /0...) and `128.0.0.0/2` are needed. In theory `0.0.0.0/1` and `128.0.0.0/1` are equivalent to `0.0.0.0/0` but the `/2`??? Where is this coming from?

It's a synology/wireguard thing. See https://github.com/bubuntux/nordlynx/issues/2
Indeed. It is quite non-trivial to get Nordlynx working on Synology (see also #1, which was not meant to discuss that). I'll share my seemingly working configuration tonight in a dedicated discussion, together with some of the things that I ran into (e.g. `128.0.0.0/1` did not work, don't know why).
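Added example, not part of the thread and not the project's code: a Python check of which IPv4 destinations an `ALLOWED_IPS` value covers, run over the values quoted above and the addresses that were pinged. Function names are this example's own. It shows that `1.1.1.1` and `8.8.8.8` sit inside `0.0.0.0/1`, while `172.217.168.196` is only covered once `128.0.0.0/2` is present.

```python
import ipaddress

def parse_allowed_ips(value):
    """Parse an ALLOWED_IPS string into IPv4 networks plus warnings."""
    networks, warnings = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            continue  # this example only reasons about IPv4
        if "/" not in entry:
            warnings.append(f"{entry}: no prefix length, parsed as the single host {net}")
        elif str(net) != entry:
            warnings.append(f"{entry}: not a network address, parsed as {net}")
        networks.append(net)
    return networks, warnings

def is_covered(networks, address):
    """True if the destination falls inside at least one entry."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)

def uncovered(networks):
    """IPv4 space that no entry covers, as collapsed CIDR blocks."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in networks:
        kept = []
        for block in remaining:
            if block.subnet_of(net):
                continue                                  # block fully covered
            if net.subnet_of(block):
                kept.extend(block.address_exclude(net))   # carve the entry out
            else:
                kept.append(block)                        # disjoint, keep as is
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

if __name__ == "__main__":
    # ALLOWED_IPS values quoted in the thread; destinations are the pinged ones.
    values = ("0.0.0.0/1,128.0.0.2", "0.0.0.0/1, 128.0.0.2/2", "0.0.0.0/1,128.0.0.0/2")
    for value in values:
        nets, warns = parse_allowed_ips(value)
        print(f"ALLOWED_IPS={value}")
        for warning in warns:
            print("  warning:", warning)
        for dest in ("1.1.1.1", "8.8.8.8", "172.217.168.196"):
            state = "covered" if is_covered(nets, dest) else "NOT covered"
            print(f"  {dest:<16} {state}")
        gaps = [str(g) for g in uncovered(nets)]
        print(f"  uncovered blocks: {len(gaps)}", gaps[-1:] )
```

With `0.0.0.0/1,128.0.0.0/2` the block `192.0.0.0/2` is still outside the allowed range, so destinations in it are not covered by the tunnel entry.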
Hello! Has anyone found any solution to this yet? This is causing a lot of issues for me. I have tried both the tech nordvpn client as well as wireguard technology. Both are now facing the same issue, still don't know the issue.
So, has anyone found any solution or alternative to this NordVPN in Docker? Please share, that would be a great help, as I urgently need to start up my services.
Some of the contributors to this issue don't experience problems anymore. Issue was resolved by correcting `PRIVATE_KEY` or `ALLOWED_IPS`, or for no clear reason. If you are on Synology, please have a look at #41.
I wonder whether the author of the OP, @danieleperera, has any updates to share?
Thanks for your response. I wonder what do you mean by correcting `PRIVATE_KEY`? As I do get `Connected! \(ᵔᵕᵔ)/` in the end.
Talking about `ALLOWED_IPS`, here is the service block of `VPN` in my `docker-compose.yml` file
```yaml
vpn:
  container_name: Nord-VPN-2
  image: ghcr.io/bubuntux/nordlynx
  ports:
    - 8080:8080
  networks:
    - primary-net
  security_opt:
    - no-new-privileges:true
  cap_add:
    - NET_ADMIN
    - NET_RAW
    - SYS_MODULE
  sysctls:
    - net.ipv6.conf.all.disable_ipv6=1 # Recommended if using ipv4 only
  volumes:
    - /lib/modules:/lib/modules:ro # Required to install wireguard module
  environment:
    - PRIVATE_KEY=XXXXX
    - DNS=103.86.96.100,103.86.99.100,127.0.0.11
    - ALLOWED_IPS=0.0.0.0/1,128.0.0.0/2
    - NET_LOCAL=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
```
I still don't see any success, The same error where host name isn't resolved. Any idea?
Moreover, my `NodeJS` application which is using this VPN makes a external API call to some address. And it says `Node-Application | connect ETIMEDOUT 45.64.104.32:443`.
> I wonder what do you mean by correcting `PRIVATE_KEY`?

https://github.com/bubuntux/nordlynx/issues/38#issuecomment-1046337775
On first glance, your configuration looks fine to me. If the nordlynx container doesn't ping or resolve then I wouldn't expect the NodeJS container to do so either. Are you able to ping `8.8.8.8`? What host are you on?
Oh Yes, I have made sure my private key is same. Right! The issue is with VPN itself. So, No both ping and curl fails with the error `Unable to resolve host`.
I am on Server `Ubuntu 20.04.3 LTS` with docker version `20.10.10`.
Here is the screenshot attached below for reference:
NordLynx
NordVPN
Moreover, this machine was on Azure. Just for a fresh start I created a new VM on AWS and faced the same issue there for the same config file. Both nordvpn and nordlynx are facing the exact same issue. It happened to me a month ago as well and solved on its own, now the same.
It used to work on my current machine a few weeks ago and just another day it stopped, and since then no success. 😢
@WINOFFRG did you change your Nordvpn password recently?
No I didn't. But finally I understood, The issue was with account itself. Even though ID/Pass/PrivateKey all were correct and working, But due to some or the other reason it had issue. I just asked my friend's account, and it worked in a go. Thanks a lot @b-kamphorst @danieleperera :)
Maybe we could add some checks, If APIs give us something in response maybe some error and we can then warn the user. Would be great and save a lot of time.
@WINOFFRG happy to accept merge requests
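Added example, not from the thread or the project: WireGuard brings the interface up without contacting the peer, so a "Connected!" log line does not prove a handshake ever completed. This Python check, run on the Docker host, classifies the output of `wg show wg0 latest-handshakes`; the container name `nordlynx` and interface `wg0` are taken from the compose files and log posted here, while the 180-second threshold, the function names and the sample lines are assumptions of this example.

```python
import subprocess
import time

# Constructed sample of `wg show wg0 latest-handshakes` output: one line per
# peer, "<public key><TAB><unix time of last handshake>"; 0 means none yet.
# The peer key is a placeholder, not a real key.
SAMPLE_NEVER = "PLACEHOLDERPEERKEY0000000000000000000000000=\t0\n"
SAMPLE_RECENT = "PLACEHOLDERPEERKEY0000000000000000000000000=\t1647430200\n"

def classify_handshakes(output, now, max_age=180):
    """Map each peer to 'never', 'stale' or 'ok'.

    max_age is an assumed threshold in seconds; an idle tunnel without
    keepalives can legitimately show an older handshake.
    """
    states = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit():
            continue  # skip anything that is not "<key> <timestamp>"
        peer, stamp = fields[0], int(fields[1])
        if stamp == 0:
            states[peer] = "never"      # interface is up, peer never answered
        elif now - stamp > max_age:
            states[peer] = "stale"
        else:
            states[peer] = "ok"
    return states

def tunnel_usable(output, now, max_age=180):
    """True only if there is at least one peer and every peer is 'ok'."""
    states = classify_handshakes(output, now, max_age)
    return bool(states) and all(s == "ok" for s in states.values())

def check_container(container="nordlynx", iface="wg0"):
    """Query the running VPN container from the Docker host."""
    out = subprocess.run(
        ["docker", "exec", container, "wg", "show", iface, "latest-handshakes"],
        capture_output=True, text=True, check=True).stdout
    return tunnel_usable(out, int(time.time()))

if __name__ == "__main__":
    now = 1647430260  # constructed "current time", 60 s after SAMPLE_RECENT
    print("peer that never answered usable:", tunnel_usable(SAMPLE_NEVER, now))
    print("recent handshake usable:        ", tunnel_usable(SAMPLE_RECENT, now))
    print("same peer one hour later usable:", tunnel_usable(SAMPLE_RECENT, now + 3600))
```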
Just wanted to chime in that I was having the same issue as this thread (with it claiming to succeed starting up but couldn't ping anything while in the shell) and for the life of me I couldn't figure out why since I tried the three fixes suggested in the thread, however I finally got it working by commenting out/removing the `ALLOWED_IPS`.
FWIW this is running in a Debian VM (running on Truenas), though I'm not sure that impacts it at all since my other clients were working just fine (such as the transmission-openvpn docker image).
Final working config for me:
```yaml
version: "3"
services:
  nordlynx:
    image: ghcr.io/bubuntux/nordlynx
    cap_add:
      - NET_ADMIN #required
      - NET_RAW
      - SYS_MODULE
    environment:
      - PRIVATE_KEY=<redacted>
      - NET_LOCAL=192.168.0.0/24
      - TZ=America/Toronto
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1 # Recommended if using ipv4 only
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
```
I was able to get the container working with the above docker-compose file. Now it shows a new IP address when I connect to the internet using the container.
Hi all, I need support because my newbie level doesn't help!! lol
For many months I have had the container bubuntux/nordvpn, which gives VPN access to other containers (like Jdownloader) on a Raspberry Pi 4 8GB.
For some time this nordvpn container has had no access to the internet (= not working), and in the log I have seen :+1:
Please migrate to the NordLynx container (https://github.com/bubuntux/nordlynx
So I did this with the "same" config as my bubuntux/nordvpn container, like here (before, I installed my container over SSH and now I use docker compose on Portainer....)
```
sudo docker run -ti \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  --device /dev/net/tun \
  --name nordvpn \
  --restart=always \
  -e USER=XXXXXX@XXXXXX \
  -e PASS=XXXXXXXXXXXXX \
  -e CONNECT=fr \
  -e TECHNOLOGY=NordLynx \
  -e NETWORK=192.168.1.0/24 \
  -e TZ=Europe/France \
  -p 5800:5800 \
  -p 5801:5801 \
  -p 3129:3129 \
  --label=com.centurylinklabs.watchtower.enable=true \
  -d bubuntux/nordvpn
```
With bubuntux/nordlynx I have done this under docker compose on Portainer:
```yaml
version: "3"
services:
  nordlynx:
    image: ghcr.io/bubuntux/nordlynx
    container_name: nordlynx
    cap_add:
```
After creating the container I tried to ping google with the command line inside the container (ping www.google.com) but impossible.... And it mentioned "Connected" in the logs
I have installed the Wireguard module on the PI4
In Portainer the container is unhealthy......see the pics
Here's the log :
```
[2022-03-16T11:29:59+00:00] Connecting...
[#]
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.5.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#]
[2022-03-16T11:30:00+00:00] Connected! (ᵔᵕᵔ)/
```
Many thanks for your return
- NET_LOCAL=192.168.0.0/24
Had same issue. This made it work for me
What's the trick to run `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` with 2fa??
@danieleperera is this working for you? I think your main issue was resolved, so could we close this issue?
@FBoucher
> What's the trick to run `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` with 2fa??

disable 2fa
Not sure if this is the case for everyone but my private key seems to have changed after I changed my password.
I was having the exact issue in Windows.
Looked like the preconfigured `DNS` wasn't working, and as soon as I provided the:
`- DNS=103.86.96.100,103.86.99.100`
It worked.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hey guys the ping to 8.8.8.8 and "curl ifconfig.me" just doesn't work. Can someone help me please ?
docker-compose on Synology NAS DSM 7.1
```yaml
version: "3"
services:
  nordlynx:
    image: ghcr.io/bubuntux/nordlynx
    cap_add:
```
Hi @BobCelso, this issue was closed half a year ago so you may want to start a fresh issue. However, before you do so, please have a look at the wiki with Synology-specific instructions. I hope it can help you out!
> Before going to bed, I tried one last thing...
> `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key`
> And surprisingly the PRIVATE_KEY was not the same than before. I tried with this new one and it works. Strangely enough with the old PRIVATE_KEY it said it was connected (same output as first post) but was not ? or badly ? I thought my PRIVATE_KEY would stay the same forever. Apparently not. Don't know if it is related but yesterday I extended my subscription. Hope it helps.

Thanks for this! Running `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` triggered "Your account has expired. Renew your subscription now to continue enjoying the ultimate privacy and security with NordVPN." Oops!
Describe the bug
The logs say that the container is connected, however when I test the connection, it fails.
To Reproduce using docker CLI
Got the private key using:
docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key
Then I created the below docker-compose.yml file:
To start the container:
docker-compose up -d
LOGS
Expected behavior
The first test:
docker exec -it nordlynx curl ifconfig.co -vv
Output:
Expected behavior is to get the public IP address of the container.
The second test:
docker exec -it nordlynx ping 8.8.8.8
Output:
Additional context
Docker version 20.10.12
Running on Ubuntu 20.04.3 LTS
Running latest version of ghcr.io/bubuntux/nordlynx:latest