bubuntux / nordvpn

NordVpn Docker Client
GNU Affero General Public License v3.0

Unable to connect v3.10.0 #199

Closed beloso closed 3 years ago

beloso commented 3 years ago

Describe the bug Unable to connect to nordvpn.

To Reproduce without docker CLI docker-compose.yml if used (hide credentials)

version: '3'
services:
  nordvpn:
    image: ghcr.io/bubuntux/nordvpn:latest
    container_name: nordvpn
    restart: always
    cap_add:
      - NET_ADMIN
    # ports:
    #   - $QBITTORRENT_PORT:8080
    #   - $FLOOD_PORT:3000
    #   - $JACKETT_PORT:9117
    #   - $FIREFOX_PORT:5800
    #   - $XTEVE_PORT:34400
    environment:
      TECHNOLOGY: NordLynx
      USER: $NORD_USERNAME
      PASS: $NORD_PASSWORD
      TZ: $TZ
      DEBUG: trace

Expected behavior I expect the container to connect to NordVPN

Logs

++ cat /etc/timezone
+ '[' /UTC '!=' Europe/Lisbon ']'
+ '[' -d /usr/share/zoneinfo/Europe/Lisbon ']'
+ '[' '!' -e /usr/share/zoneinfo/Europe/Lisbon ']'
+ '[' -z Europe/Lisbon ']'
+ ln -fs /usr/share/zoneinfo/Europe/Lisbon /etc/localtime
+ dpkg-reconfigure -f noninteractive tzdata
++ date -Iseconds
[2021-06-04T10:11:13+01:00] Firewall is up, everything has to go through the vpn
+ echo '[2021-06-04T10:11:13+01:00] Firewall is up, everything has to go through the vpn'
++ ip -o addr show dev eth0
++ awk '$3 == "inet" {print $4}'
+ docker_network=172.18.0.11/16
++ ip -o addr show dev eth0
++ awk '$3 == "inet6" {print $4; exit}'
+ docker6_network=
++ date -Iseconds
+ echo '[2021-06-04T10:11:13+01:00] Enabling connection to secure interfaces'
[2021-06-04T10:11:13+01:00] Enabling connection to secure interfaces
+ [[ -n 172.18.0.11/16 ]]
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -i lo -j ACCEPT
+ iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
+ iptables -A OUTPUT -o tap+ -j ACCEPT
+ iptables -A OUTPUT -o tun+ -j ACCEPT
+ iptables -A OUTPUT -o nordlynx+ -j ACCEPT
+ iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
+ iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
+ iptables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE
+ [[ -n '' ]]
++ date -Iseconds
+ echo '[2021-06-04T10:11:13+01:00] Enabling connection to nordvpn group'
[2021-06-04T10:11:13+01:00] Enabling connection to nordvpn group
+ [[ -n 172.18.0.11/16 ]]
+ iptables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT
+ [[ -n '' ]]
++ date -Iseconds
+ echo '[2021-06-04T10:11:13+01:00] Enabling connection to docker network'
[2021-06-04T10:11:13+01:00] Enabling connection to docker network
+ [[ -n 172.18.0.11/16 ]]
+ iptables -A INPUT -s 172.18.0.11/16 -j ACCEPT
+ iptables -A FORWARD -d 172.18.0.11/16 -j ACCEPT
+ iptables -A FORWARD -s 172.18.0.11/16 -j ACCEPT
+ iptables -A OUTPUT -d 172.18.0.11/16 -j ACCEPT
+ [[ -n '' ]]
+ [[ -n 172.18.0.11/16 ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ mkdir -p /dev/net
+ [[ -c /dev/net/tun ]]
+ mknod -m 0666 /dev/net/tun c 10 200
+ restart_daemon
++ date -Iseconds
+ echo '[2021-06-04T10:11:13+01:00] Restarting the service'
+ service nordvpn stop
[2021-06-04T10:11:13+01:00] Restarting the service
+ rm -rf /run/nordvpn/nordvpnd.sock
+ service nordvpn start
++ date -Iseconds
+ echo '[2021-06-04T10:11:13+01:00] Waiting for the service to start'
+ attempt_counter=0
+ max_attempts=50
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
+ '[' 0 -eq 50 ']'
+ attempt_counter=1
+ sleep 0.1
[2021-06-04T10:11:13+01:00] Waiting for the service to start
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
++ date -Iseconds
+ echo '[2021-06-04T10:11:13+01:00] Logging in'
+ nordvpn logout
[2021-06-04T10:11:13+01:00] Logging in
+ nordvpn login --username <REDACTED_USERNAME> --password <REDACTED_PASSWORD>
It's not you, it's us. We're having trouble reaching our servers. If the issue persists, please contact our customer support.
++ date -Iseconds
+ echo '[2021-06-04T10:12:18+01:00] Invalid Username or password.'
+ exit 1
[2021-06-04T10:12:18+01:00] Invalid Username or password.

Additional context Using Ubuntu 20.04 on Intel NUC connected via wired connection. I have entered the container and tried pinging google which worked, the container has connectivity.

I have been using the container for some time now, never had this problem. Unsure this is related to a recent change or update.

Even if the log says the user/password are invalid I have tested them on NordVPN's site and they are correct. This setup has been working for me for the last 3~4 months. I didn't change it.

Jansza commented 3 years ago

I also pulled a new image this morning and now vpn doesn't seem to want to connect anymore.

aprate commented 3 years ago

same problem here

[2021-06-04T12:50:10+02:00] Unable to connect.
[2021-06-04T12:50:10+02:00] Firewall is up, everything has to go through the vpn
[2021-06-04T12:50:10+02:00] Enabling connection to secure interfaces
[2021-06-04T12:50:10+02:00] Enabling connection to nordvpn group
[2021-06-04T12:50:10+02:00] Enabling connection to docker network
[2021-06-04T12:50:10+02:00] Enabling connection to network 172.22.89.0/24
[2021-06-04T12:50:11+02:00] Restarting the service
start-stop-daemon: warning: failed to kill 84: No such process
[2021-06-04T12:50:11+02:00] Waiting for the service to start
[2021-06-04T12:50:11+02:00] Logging in
Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
[2021-06-04T12:50:12+02:00] Setting up NordVPN Version 3.10.0
Firewall is already set to 'enabled'.
Technology is already set to 'NordLynx'.
Subnet 172.17.0.0/16 is whitelisted successfully.
Subnet 172.22.89.0/24 is whitelisted successfully.
[2021-06-04T12:50:12+02:00] Connecting...
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.

kesoapa commented 3 years ago

Describe the bug I've got the same issue as above after pulling the new version: 3.10.0-1 Unable to connect to nordvpn. Pulling the earlier version v3.9.5-1 makes it work again.

To Reproduce without docker CLI docker-compose.yml if used (hide credentials)

# Compose file for transmission connecting via NordVPN container
# Requirements: Set shared environment variables in external file .env

version: "3"
services:
########## VPN ##########
  nordvpn:
#    image: ghcr.io/bubuntux/nordvpn:v3.9.5-1
    image: ghcr.io/bubuntux/nordvpn:latest
    hostname: nordvpn
    container_name: nordvpn
    cap_add:
      - NET_ADMIN               # Required
    environment:                # Review https://github.com/bubuntux/nordvpn#environment-variables
      - ${PUID}
      - ${PGID}
      - ${TZ}
      - USER=<REDACTED_USERNAME>     # Required
      - "PASS=<REDACTED_PASSWORD>"         # Required
      - CONNECT=Sweden --group p2p
      - TECHNOLOGY=OpenVPN
      - NETWORK=192.168.0.0/24
      - DEBUG=Trace
    ports:
      - 9091:9091 # transmission WebUI
      - 51413:51413/tcp # Torrent TCP
      - 51413:51413/udp # Torrent UDP

########## TRANSMISSION ##########
# transmission - Torrent client
  transmission:
    image: ghcr.io/linuxserver/transmission:latest
    network_mode: service:nordvpn
    container_name: transmission
    restart: unless-stopped
    environment:
      - ${PUID}
      - ${PGID}
      - ${TZ}
      - USER=<REDACTED_USERNAME>
      - PASS=<REDACTED_PASSWORD>
    volumes:
      - ${DOCKERDIR}/transmission/config:/config
      - ${DOCKERDIR}/transmission/downloads:/downloads
      - ${DOCKERDIR}/transmission/watch:/watch
      - ${DOWNLOADS1}/:/downloads1
      - ${DOWNLOADS2}/:/downloads2
    depends_on:
      - nordvpn

Expected behavior I expect the container to connect to NordVPN

Logs

++ cat /etc/timezone
+ '[' /UTC '!=' Europe/Stockholm ']'
+ '[' -d /usr/share/zoneinfo/Europe/Stockholm ']'
+ '[' '!' -e /usr/share/zoneinfo/Europe/Stockholm ']'
+ '[' -z Europe/Stockholm ']'
+ ln -fs /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
+ dpkg-reconfigure -f noninteractive tzdata
++ date -Iseconds
+ echo '[2021-06-04T13:33:19+02:00] Firewall is up, everything has to go through the vpn'
[2021-06-04T13:33:19+02:00] Firewall is up, everything has to go through the vpn
++ ip -o addr show dev eth0
++ awk '$3 == "inet" {print $4}'
+ docker_network=192.168.32.2/20
++ ip -o addr show dev eth0
[2021-06-04T13:33:19+02:00] Enabling connection to secure interfaces
++ awk '$3 == "inet6" {print $4; exit}'
+ docker6_network=
++ date -Iseconds
+ echo '[2021-06-04T13:33:19+02:00] Enabling connection to secure interfaces'
[2021-06-04T13:33:19+02:00] Enabling connection to nordvpn group
[2021-06-04T13:33:19+02:00] group match failed, fallback to open necessary ports
[2021-06-04T13:33:19+02:00] Enabling connection to docker network
[2021-06-04T13:33:19+02:00] Enabling connection to network 192.168.0.0/24
+ [[ -n 192.168.32.2/20 ]]
+ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -i lo -j ACCEPT
+ iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
+ iptables -A OUTPUT -o tap+ -j ACCEPT
+ iptables -A OUTPUT -o tun+ -j ACCEPT
+ iptables -A OUTPUT -o nordlynx+ -j ACCEPT
+ iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
+ iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
+ iptables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE
+ [[ -n '' ]]
++ date -Iseconds
+ echo '[2021-06-04T13:33:19+02:00] Enabling connection to nordvpn group'
+ [[ -n 192.168.32.2/20 ]]
+ iptables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT
iptables: No chain/target/match by that name.
++ date -Iseconds
+ echo '[2021-06-04T13:33:19+02:00] group match failed, fallback to open necessary ports'
+ iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
+ iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
+ iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
+ iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+ [[ -n '' ]]
++ date -Iseconds
+ echo '[2021-06-04T13:33:19+02:00] Enabling connection to docker network'
+ [[ -n 192.168.32.2/20 ]]
+ iptables -A INPUT -s 192.168.32.2/20 -j ACCEPT
+ iptables -A FORWARD -d 192.168.32.2/20 -j ACCEPT
+ iptables -A FORWARD -s 192.168.32.2/20 -j ACCEPT
+ iptables -A OUTPUT -d 192.168.32.2/20 -j ACCEPT
+ [[ -n '' ]]
+ [[ -n 192.168.32.2/20 ]]
+ [[ -n 192.168.0.0/24 ]]
++ ip route
++ awk '/default/ {print $3}'
+ gw=192.168.32.1
+ for net in ${NETWORK//[;,]/ }
++ date -Iseconds
+ echo '[2021-06-04T13:33:19+02:00] Enabling connection to network 192.168.0.0/24'
+ ip route
+ grep -q 192.168.0.0/24
+ ip route add to 192.168.0.0/24 via 192.168.32.1 dev eth0
+ iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
+ iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
+ iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
+ iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
+ [[ -n '' ]]
+ [[ -n '' ]]
+ mkdir -p /dev/net
+ [[ -c /dev/net/tun ]]
+ mknod -m 0666 /dev/net/tun c 10 200
+ restart_daemon
++ date -Iseconds
[2021-06-04T13:33:20+02:00] Restarting the service
+ echo '[2021-06-04T13:33:20+02:00] Restarting the service'
+ service nordvpn stop
+ rm -rf /run/nordvpn/nordvpnd.sock
+ service nordvpn start
++ date -Iseconds
+ echo '[2021-06-04T13:33:20+02:00] Waiting for the service to start'
+ attempt_counter=0
+ max_attempts=50
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
+ '[' 0 -eq 50 ']'
+ attempt_counter=1
+ sleep 0.1
[2021-06-04T13:33:20+02:00] Waiting for the service to start
+ attempt_counter=2
+ sleep 0.1
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
+ '[' 2 -eq 50 ']'
+ attempt_counter=3
+ sleep 0.1
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
+ '[' 3 -eq 50 ']'
+ attempt_counter=4
+ sleep 0.1
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
+ '[' 4 -eq 50 ']'
+ attempt_counter=5
+ sleep 0.1
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
+ '[' 5 -eq 50 ']'
+ attempt_counter=6
+ sleep 0.1
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
+ '[' 6 -eq 50 ']'
+ attempt_counter=7
+ sleep 0.1
+ '[' -S /run/nordvpn/nordvpnd.sock ']'
++ date -Iseconds
[2021-06-04T13:33:21+02:00] Logging in
+ echo '[2021-06-04T13:33:21+02:00] Logging in'
+ nordvpn logout
+ nordvpn login --username <REDACTED_USERNAME> --password <REDACTED_PASSWORD>
Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
[2021-06-04T13:33:23+02:00] Setting up NordVPN Version 3.10.0
++ date -Iseconds
Technology is already set to 'OpenVPN'.
Subnet 192.168.32.0/20 is whitelisted successfully.
++ nordvpn -version
+ echo '[2021-06-04T13:33:23+02:00] Setting up NordVPN Version 3.10.0'
+ [[ -n '' ]]
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 0 -eq 15 ']'
+ attempt_counter=1
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 1 -eq 15 ']'
+ attempt_counter=2
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 2 -eq 15 ']'
+ attempt_counter=3
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 3 -eq 15 ']'
+ attempt_counter=4
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 4 -eq 15 ']'
+ attempt_counter=5
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 5 -eq 15 ']'
+ attempt_counter=6
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 6 -eq 15 ']'
+ attempt_counter=7
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 7 -eq 15 ']'
+ attempt_counter=8
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 8 -eq 15 ']'
+ attempt_counter=9
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 9 -eq 15 ']'
+ attempt_counter=10
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 10 -eq 15 ']'
+ attempt_counter=11
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 11 -eq 15 ']'
+ attempt_counter=12
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 12 -eq 15 ']'
+ attempt_counter=13
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 13 -eq 15 ']'
+ attempt_counter=14
+ sleep 5
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 14 -eq 15 ']'
+ attempt_counter=15
+ nordvpn connect Sweden --group p2p
Whoops! Something went wrong. Please try again. If the problem persists, contact our customer support.
+ '[' 15 -eq 15 ']'
+ tail -n 200 /var/log/nordvpn/daemon.log

2021/06/04 13:34:41 PRE_CONNECT system info:
App Version: 3.10.0
OS Info:
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

System Info:Linux nordvpn 4.4.59+ #25556 SMP PREEMPT Thu Mar 18 13:00:35 CST 2021 x86_64 x86_64 x86_64 GNU/Linux

++ date -Iseconds
Routes for ipv4 routing tables:
default via 192.168.32.1 dev eth0
192.168.0.0/24 via 192.168.32.1 dev eth0
192.168.32.0/20 dev eth0 proto kernel scope link src 192.168.32.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.32.0 dev eth0 table local proto kernel scope link src 192.168.32.2
local 192.168.32.2 dev eth0 table local proto kernel scope host src 192.168.32.2
broadcast 192.168.47.255 dev eth0 table local proto kernel scope link src 192.168.32.2

IP rules for ipv4:
32767:  from all lookup default

Routes for ipv6 routing tables:
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
+ echo '[2021-06-04T13:34:41+02:00] Unable to connect.'
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium

IP rules for ipv6:
0:      from all lookup local
32766:  from all lookup main

IP tables for ipv4:
filter:
+ exit 1
-P INPUT DROP
-P FORWARD DROP
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DEFAULT_OUTPUT
-N DEFAULT_POSTROUTING
-N DOCKER_POSTROUTING
-A OUTPUT -j DEFAULT_OUTPUT
-A POSTROUTING -j DEFAULT_POSTROUTING
-A POSTROUTING -o tap+ -j MASQUERADE
-A POSTROUTING -o tun+ -j MASQUERADE
-A POSTROUTING -o nordlynx+ -j MASQUERADE
-A DEFAULT_OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A DEFAULT_POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:33713
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:55058
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 33713 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 55058 -j SNAT --to-source :53

mangle:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

IP tables for ipv6:
filter:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

[2021-06-04T13:34:41+02:00] Unable to connect.

klara31 commented 3 years ago

Same here... which version is still working?

kesoapa commented 3 years ago

> Same here... which version is still working?

I went back to the version before the latest. It works for me. It's this one. ghcr.io/bubuntux/nordvpn:v3.9.5-1

bubuntux commented 3 years ago

This seems like an issue with the binary itself, unfortunately I don't have control over it.

@kesoapa you can try modifying your CONNECT variable to

- CONNECT=--group p2p Sweden

I noticed that they changed that, the group has to come first. Again, these types of changes do not depend on me, those are made at NordVPN.

If an older version works for you, you can stick to it, or try to troubleshoot the latest, removing unessential variables one at a time, keeping DEBUG=trace, and try to find the problem.

Everything works at my end using the provided parameters.

bubuntux commented 3 years ago

@beloso I think your problem could be that the DNS is not resolving, so probably the group matching is not working for you. I'm thinking of adding a variable to avoid the group matching just to test it.

bubuntux commented 3 years ago

@beloso if you can, give the version basic_ports a try:

ghcr.io/bubuntux/nordvpn:basic_ports

If my assumptions are correct, that version should work for you. Basically it just opens the basic ports to establish the connection; this should happen if the group matching fails, but it seems like that is not working properly in the latest version.

So please give it a try and report back, thanks!

kesoapa commented 3 years ago

@bubuntux Thanks for the tip. I tried with your suggestion, but using - CONNECT=--group p2p Sweden didn't work either. I have also tried with "CONNECT" removed from the docker-compose.yml altogether.

The login is successful, but still connection to VPN server fails.

[2021-06-04T19:42:41+02:00] Logging in
+ echo '[2021-06-04T19:42:41+02:00] Logging in'
+ nordvpn logout
+ nordvpn login --username <REDACTED_USERNAME> --password <REDACTED_PASSWORD>
Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
++ date -Iseconds
++ nordvpn -version
+ echo '[2021-06-04T19:42:44+02:00] Setting up NordVPN Version 3.10.0'
+ nordvpn connect
Whoops! Connection failed. Please try again. If the problem persists, contact our customer support.

I noticed this in the debug log, but don't know if that would make it fail. It says it's falling back to open necessary ports.

[2021-06-04T19:42:39+02:00] Enabling connection to nordvpn group
+ iptables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT
iptables: No chain/target/match by that name.
++ date -Iseconds
+ echo '[2021-06-04T19:42:39+02:00] group match failed, fallback to open necessary ports'

Edit: Also tried the basic_ports version of the image that you suggested to beloso, just to see if that would do the trick for me. Sadly this didn't solve the problem either.

beloso commented 3 years ago

@bubuntux I was able to get it working with your version. I had some headache to reconfigure my forwardings to other containers, but that is unrelated I think.

Is there any change I need to do on my end or will the change you made on basic_ports make it into the main release?

w0ndersp00n commented 3 years ago

For me all versions I tried are no longer working with login errors. I was on 3.9.1, which for me behaves the same as 3.10 and basic_ports. I went back all the way to 3.7.4, which was working fine, but now shows "some of X-Digest, X-Authorization headers are missing". It seems NordVPN has changed something and now connecting is impossible :( Installing the binary on bare metal shows the same error, so I guess we can only wait for NordVPN to fix the issue.

bubuntux commented 3 years ago

@beloso just so we are clear, version basic_ports works fine but latest or 3.10.0 does not?

If so then it must be an issue at your host. I'm thinking of maybe adding an env variable to open basic ports always rather than just when needed. I would like to come up with a better solution, but without a reproducible environment I don't see how.

bubuntux commented 3 years ago

@w0ndersp00n can you provide information about the host envs (distro, kernel, arch, etc)?

jschroebel commented 3 years ago

I had the same issue, I was able to resolve it by removing p2p from the CONNECT option altogether.

w0ndersp00n commented 3 years ago

@bubuntux I'm running on an Odroid N2 with Armbian Buster. It's arm64 and kernel is 5.10.34-meson64. It seems that this morning the connection started working again, both bare metal and in docker with 3.10.

This is the compose btw:


#    image: bubuntux/nordvpn:armv7hf-3.7.4
    image: bubuntux/nordvpn
    container_name: media-vpn
    network_mode: bridge
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    devices:
      - /dev/net/tun
    environment:
      - GROUPID=${PGID}
      - USER=${EMAIL}
      - PASS=**********
      - CONNECT=--group p2p
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.1.0/24
      - TZ=${TZ}
      - DEBUG=Trace
    ports:
      - 5076:5076
      - 6789:6789
      - 6881:6881
      - 6881:6881/udp
      - 7878:7878
      - 8081:8081
      - 8989:8989
      - 9117:9117
    restart: unless-stopped

beloso commented 3 years ago

> @beloso just so we are clear, version basic_ports works fine but latest or 3.10.0 does not?
>
> If so then it must be an issue at your host. I'm thinking of maybe adding an env variable to open basic ports always rather than just when needed. I would like to come up with a better solution, but without a reproducible environment I don't see how.

I confirm basic_ports version works for me. latest does not. Which ports are you opening? It may be a setting on my network, I have two routers in bridged mode. Or it could be something on the host. Let me know which ports/rules I should enable. I'll try to do that.

EDIT: I went back to v3.9.5-1 and it was not connecting as well. I am starting to realize that it may be a problem with my network setup. I did recently change how my two routers are set up. Unfortunately I have no idea what I need to do in order to fix it. If you can give me an idea of the ports the container needs I'll do some research on the topic.

Subject2Risk commented 3 years ago

I'm having the same issue when running the image on my Synology NAS; the same image runs fine on Xubuntu 20.04.

Ubuntu Environment:

$ sudo docker version
Client:
 Version: 20.10.2
 API version: 1.41
 Go version: go1.13.8
 Git commit: 20.10.2-0ubuntu1~20.04.2
 Built: Tue Mar 30 21:24:57 2021
 OS/Arch: linux/amd64
 Context: default
 Experimental: true

Server:
 Engine:
  Version: 20.10.2
  API version: 1.41 (minimum version 1.12)
  Go version: go1.13.8
  Git commit: 20.10.2-0ubuntu1-20.04.2
  Built: Mon Mar 29 19:10:09 2021
  OS/Arch: linux/amd64
  Experimental: false
 containerd:
  Version: 1.3.3-0ubuntu2.3
  GitCommit:
 runc:
  Version: spec: 1.0.2-dev
  GitCommit:
 docker-init:
  Version: 0.19.0
  GitCommit:
$
$ uname -a
Linux L-KANJRISK-LNX 5.8.0-53-generic #60~20.04.1-Ubuntu SMP Thu May 6 09:52:46 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Synology:

$ sudo docker version
Password:
Client:
 Version: 18.09.8
 API version: 1.39
 Go version: go1.11
 Git commit: bfed4f5
 Built: Thu Mar 18 02:58:09 2021
 OS/Arch: linux/amd64
 Experimental: false

Server:
 Engine:
  Version: 18.09.8
  API version: 1.39 (minimum version 1.12)
  Go version: go1.11
  Git commit: c09d3c4
  Built: Thu Mar 18 02:56:16 2021
  OS/Arch: linux/amd64
  Experimental: false
$
$ uname -a
Linux Moria 4.4.59+ #25556 SMP PREEMPT Thu Mar 18 13:00:34 CST 2021 x86_64 GNU/Linux synology_geminilake_1520+

Each image was created using this command:

$ sudo docker run -ti --cap-add=NET_ADMIN --name nordvpn -e USER='emailaddress+nordvpn@provider.com' -e PASS='#####' -e TECHNOLOGY=NordLynx -d ghcr.io/bubuntux/nordvpn

bubuntux commented 3 years ago

@beloso I'm confident that the issue is not in your network, seems like a problem with your kernel host. I have code in place to open basic ports if your host doesn't support group matching for the iptables, but it only executes if the command fails; this is in place this way to prevent DNS leaks. Seems like in some cases the command doesn't fail but it doesn't work either. There must be a way to identify that in the container itself, but since I can reproduce the issue is gonna be hard to fix. I'm thinking of adding a variable that you can turn on to open basic ports no matter what, but I would prefer a better solution.

I think it could be related to the host using iptables-nft instead of iptables-legacy.

Can you guys execute update-alternatives --display iptables in the host and container? Try to change it to iptables-legacy in the host and see if that fixes it.
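
To tell from a DEBUG=trace log which of the two OUTPUT rule sets discussed in this thread was installed (the `--gid-owner` match or the per-port fallback), the check below can be run over the log. It is an added example, not part of the thread or of the image's entrypoint; the function names are hypothetical and the two sample logs are constructed from lines posted in this issue.

```shell
#!/bin/sh
# Added example, not code from the nordvpn image or from this thread.
# Reads the entrypoint's DEBUG=trace output and reports which OUTPUT rule
# set was installed: the --gid-owner match or the per-port fallback.

# Constructed samples, assembled from log lines posted in this issue.
LOG_OWNER_OK='+ iptables -A OUTPUT -o nordlynx+ -j ACCEPT
+ iptables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT
+ iptables -A OUTPUT -d 172.18.0.11/16 -j ACCEPT'

LOG_FALLBACK='+ iptables -A OUTPUT -o tun+ -j ACCEPT
+ iptables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT
iptables: No chain/target/match by that name.
[2021-06-04T13:33:19+02:00] group match failed, fallback to open necessary ports
+ iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
+ iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
+ iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
+ iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
+ iptables -A OUTPUT -d 192.168.32.2/20 -j ACCEPT'

# classify_egress: log on stdin, prints one of
#   owner-match    iptables accepted the --gid-owner rule (this only shows
#                  the command did not fail, not that the match has effect)
#   fallback-ports the owner rule was rejected and port rules were opened
#   unknown        the log contains no owner-rule attempt
classify_egress() {
  awk '
    /-m owner --gid-owner/ { attempted = 1; after_owner = 1; next }
    after_owner && /No chain\/target\/match by that name/ { failed = 1 }
    /group match failed, fallback to open necessary ports/ { failed = 1 }
    { after_owner = 0 }
    END {
      if (failed) print "fallback-ports"
      else if (attempted) print "owner-match"
      else print "unknown"
    }'
}

# unrestricted_ports: log on stdin, prints proto/port for every OUTPUT
# ACCEPT rule that names a destination port but no interface (-o) and no
# destination (-d), i.e. traffic that may leave outside the tunnel.
unrestricted_ports() {
  awk '
    /iptables -A OUTPUT / && /--dport/ && /-j ACCEPT/ {
      proto = port = ""; restricted = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-o" || $i == "-d") restricted = 1
      }
      if (!restricted && proto != "" && port != "") print proto "/" port
    }' | LC_ALL=C sort -u
}

# egress_report: log text as $1, prints a one-line summary. The
# dns_any_interface field is "yes" when port 53 is accepted on any interface.
egress_report() {
  mode=$(printf '%s\n' "$1" | classify_egress)
  ports=$(printf '%s\n' "$1" | unrestricted_ports | paste -sd, -)
  dns=no
  case ",$ports," in
    *,udp/53,*|*,tcp/53,*) dns=yes ;;
  esac
  printf 'mode=%s dns_any_interface=%s ports=%s\n' "$mode" "$dns" "${ports:-none}"
}

egress_report "$LOG_OWNER_OK"
egress_report "$LOG_FALLBACK"
```

A log that classifies as `owner-match` while the connection still fails is the case described above where the command does not fail but does not work either; the log alone cannot confirm that the rule has any effect.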

seeslug commented 3 years ago

I am quite new to unraid I just wanted to get that out of the way.

I've got the docker up and running but the log file is left on connecting and nothing more.

I don't know how to show the more detailed log that everyone here is posting.

I have deluge set up to work through this docker and when it's started (nordvpn and deluge) I can see that my IP address has changed in deluge. It won't let me connect to the webui in deluge (I tried using the IP address of the server then the port 8112 to connect, and also the server name and then the port; neither work). I am guessing this is because in the log file it says that nordvpn is connecting.

I have nordvpn set up using nordlynx and openvpn, it doesn't make a difference which one I use, they both get left on connecting.

Any help would be much appreciated.

Subject2Risk commented 3 years ago

@bubuntux I tried figuring out what iptables mode is being used on the Synology box, it's not a full featured debian install so update-alternatives wasn't (immediately) available; my suspicion is that it's legacy, as there's no sign of any NFT tools on it whatsoever. When I get back, I'll try switching the iptables mode on the Xubuntu desktop from legacy to NFT to see if that cripples it in the same manner.

beloso commented 3 years ago

@bubuntux I think my host is using iptables legacy:

Host:

beloso@nuc:~$ update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-legacy
  link currently points to /usr/sbin/iptables-legacy
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-legacy - priority 20
  slave iptables-restore: /usr/sbin/iptables-legacy-restore
  slave iptables-save: /usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft - priority 10
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save

Container:

root@da889483a251:/# update-alternatives --display iptables
update-alternatives: error: no alternatives for iptables

beloso commented 3 years ago

I think I was able to solve the issue for me. I remembered I had more options on my setup before. I think I removed them at some point while troubleshooting. I followed some tips provided in TROUBLESHOOTING.

My docker compose now looks like:

  nordvpn:
    image: ghcr.io/bubuntux/nordvpn:latest
    container_name: nordvpn
    restart: always
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    devices:
      - /dev/net/tun
    sysctls:
      - net.ipv4.conf.eth0.rp_filter=2
    ulimits: # set these to unlimited
      memlock:
        soft: -1
        hard: -1
    network_mode: bridge
    ports:
      - $QBITTORRENT_PORT:8080
      - $FLOOD_PORT:3000
      - $JACKETT_PORT:9117
      - $FIREFOX_PORT:5800
    environment:
      TECHNOLOGY: NordLynx
      USER: $NORD_USERNAME
      PASS: $NORD_PASSWORD
      NETWORK: $LOCAL_NETWORK
      TZ: $TZ
      DEBUG: trace

This got me working with version 3.10 on Ubuntu Server 20.04.

schklom commented 3 years ago

@beloso This works for me too, thanks :)

After some testing, it looks like this is not needed

    cap_add:
      - SYS_MODULE
    sysctls:
      - net.ipv4.conf.eth0.rp_filter=2

I only need to add this part to run on 3.10

    devices:
      - /dev/net/tun

Also, this is not needed either

    network_mode: bridge

TL;DR: This is the minimum docker-compose (at least for me)

  nordvpn:
    image: ghcr.io/bubuntux/nordvpn:latest
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      TECHNOLOGY: NordLynx
      USER: $NORD_USERNAME
      PASS: $NORD_PASSWORD

Subject2Risk commented 3 years ago

It seems that on the Synology box, the /dev/net/tun device isn't available.

I would like to say @bubuntux, that I've had excellent success with the image on other platforms (much appreciated, thank you), but I'd like to understand how to get it running on the Synology.

bubuntux commented 3 years ago

I guess those parameters are needed in some docker engines. I'll try to document all these caveats somewhere; for now I'm gonna close this ticket, we can continue the discussions in the discuss section.

@Subject2Risk please also create a discussion thread for Synology research.

rusty1281 commented 3 years ago

> It seems that on the Synology box, the /dev/net/tun device isn't available.
>
> I would like to say @bubuntux, that I've had excellent success with the image on other platforms (much appreciated, thank you), but I'd like to understand how to get it running on the Synology.

Try this process on your NAS to get the TUN sorted: https://ruimarinho.github.io/post/fix-tun-tap-not-available-on-a-synology-nas/

rusty1281 commented 3 years ago

Just putting another post here on this matter. A while back I had this running just fine with 3.9.5-1 image but with 3.10.x (latest) it won't connect again.

To make matters worse I have 4 Synology NAS boxes and none of them work on any number of images (from 3.9.1 all the way up to the latest one) via docker-compose, docker run or compose over Portainer.

This is my setup:

version: "3.5"
services:
  vpn:
    image: bubuntux/nordvpn:latest
    network_mode: bridge
    container_name: nordvpnwireguard
    cap_add:
      - NET_ADMIN               # Required
    devices:
      - /dev/net/tun
    environment:                # Review https://github.com/bubuntux/nordvpn#environment-variables
      - USER=xxxxxx
      - PASS=xxxxxx
      - CONNECT=Switzerland
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.38.0/24  # So it can be accessed within the local network
    ports:
      - 8088:8088
      - 6881:6881
      - 6881:6881/udp
  torrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbitwireguard
    network_mode: service:vpn
    environment:
      - WEBUI_PORT=8088
      - PUID=xxxx
      - PGID=xxxx
    volumes:
      - /volume1/docker/qbitwireguard:/config
      - /volume1/Temp:/downloads
    depends_on:
      - vpn
    restart: always

Stack starts just fine but the log shows Connecting for a while and then reports that my account has expired. This is simply not true as the account works just fine using other images that use openvpn for example and I can even use the lynx protocol on my iOS Nord app without any problems. So the account is not a problem.

Also, TUN missing is not the case, as again, as I said, I have other containers that run fine.

Synology is on DSM 6 atm (but I have tested this on DSM 7 as well) with the same results and Docker in 20.10.3 version.

This is the output of the log:

[2021-07-14T08:14:36+00:00] Firewall is up, everything has to go through the vpn
[2021-07-14T08:14:36+00:00] Enabling connection to secure interfaces
[2021-07-14T08:14:36+00:00] Enabling connection to nordvpn group
iptables: No chain/target/match by that name.
[2021-07-14T08:14:36+00:00] group match failed, fallback to open necessary ports
[2021-07-14T08:14:36+00:00] Enabling connection to docker network
[2021-07-14T08:14:36+00:00] Enabling connection to network 192.168.20.0/24
[2021-07-14T08:14:36+00:00] Restarting the service
[2021-07-14T08:14:36+00:00] Waiting for the service to start
[2021-07-14T08:14:36+00:00] Logging in

Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
[2021-07-14T08:14:47+00:00] Setting up NordVPN Version 3.10.0
Technology is successfully set to 'NordLynx'.
Subnet 172.17.0.0/16 is whitelisted successfully.
Subnet 192.168.38.0/24 is whitelisted successfully.
[2021-07-14T08:14:47+00:00] Connecting...
Opening the web browser...
If nothing happens, please visit https://join.nordvpn.com/order/?utm_medium=app&utm_source=linux
Your account has expired. Renew your subscription now to continue enjoying the ultimate privacy and security with NordVPN.

Any info on this matter would be helpful.

One more thing I have tried using every other element discussed in other topics, but nothing helps.

Regards.

ClemaX commented 3 years ago

The solution posted here is weird but works fine: https://github.com/bubuntux/nordvpn/discussions/202 .

rusty1281 commented 3 years ago

Well even with the latest image and several variations of the compose file, I get

It's not you, it's us. We're having trouble reaching our servers. If the issue persists, please contact our customer support.
[2021-07-28T07:05:30+00:00] Invalid Username or password.

The account is valid, as it's running other containers via VPN (openvpn protocol). Also, I have tried using my main Nord account credentials as well as the service credentials via Nord UI, but in both cases I get the same result.

schklom commented 3 years ago

@rusty1281 Do you use PASSFILE env variable? Try using the regular PASS instead

rusty1281 commented 3 years ago

@rusty1281 Do you use PASSFILE env variable? Try using the regular PASS instead

Regular

jonatasgz commented 3 years ago

As mentioned on #227 I had to reset nord password to get this working again.

schklom commented 3 years ago

@rusty1281 The last thing I can think of is the 48 character limit to be able to use the Linux client.

Is your password longer than 48 characters?

rusty1281 commented 3 years ago

@rusty1281 The last thing I can think of is the 48 character limit to be able to use the Linux client.

Is your password longer than 48 characters?

No it is not. Don’t worry about it, I have moved to other Nord containers that work just fine.

Tnx for the effort.

jonatasgz commented 3 years ago

I believe this is about Nord’s 6 devices limit. When resetting password it logs out of all devices. There’s no other way to do it since they have no dashboard. I realised that might be the problem because I had recently logged in on a new device and I saw some threads about the login limit and some users said that after reaching it some devices would login but just wouldn’t connect.

bubuntux commented 3 years ago

i added a logout command once the container is done, hopefully will help with the device limit.

NL-TCH commented 3 years ago

@rusty1281 The last thing I can think of is the 48 character limit to be able to use the Linux client. Is your password longer than 48 characters?

No it is not. Don’t worry about it, I have moved to other Nord containers that work just fine.

Tnx for the effort.

hey, no fix is working for me, to what container did you switch? do you have a link because i have the same error as you

rusty1281 commented 3 years ago

@rusty1281 The last thing I can think of is the 48 character limit to be able to use the Linux client. Is your password longer than 48 characters?

No it is not. Don’t worry about it, I have moved to other Nord containers that work just fine. Tnx for the effort.

hey, no fix is working for me, to what container did you switch? do you have a link because i have the same error as you

Ended using azinchen/nordvpn but not via wireguard. Stuck with ovpn for the time being. Needed a stable and working vpn container running under DSM7, and not many Nord Wireguard images out there so decided to go back to ovpn.

NL-TCH commented 3 years ago

@rusty1281 The last thing I can think of is the 48 character limit to be able to use the Linux client. Is your password longer than 48 characters?

No it is not. Don’t worry about it, I have moved to other Nord containers that work just fine. Tnx for the effort.

hey, no fix is working for me, to what container did you switch? do you have a link because i have the same error as you

Ended using azinchen/nordvpn but not via wireguard. Stuck with ovpn for the time being. Needed a stable and working vpn container running under DSM7, and not many Nord Wireguard images out there so decided to go back to ovpn.

yeah azinchen/nordvpn works!! thanks!

jegardiner commented 3 years ago

I'm still having the same problem running under Docker on MacOS 10.15.7 and have tried the basic_ports and v3.9.5-1 versions, as well as v3.10.0 and v3.10.0-1-1.

The weird thing is that, very occasionally, it will connect successfully without any other changes. But 99% of the time it's failing.

Unfortunately, the other recommended image (azinchen/nordvpn) isn't suitable for me, as I need to be able to specify a particular NordVPN server, which that image doesn't seem to support.

rusty1281 commented 3 years ago

I'm still having the same problem running under Docker on MacOS 10.15.7 and have tried the basic_ports and v3.9.5-1 versions, as well as v3.10.0 and v3.10.0-1-1.

The weird thing is that, very occasionally, it will connect successfully without any other changes. But 99% of the time it's failing.

Unfortunately, the other recommended image (azinchen/nordvpn) isn't suitable for me, as I need to be able to specify a particular NordVPN server, which that image doesn't seem to support.

This one does

https://hub.docker.com/r/markusmcnugen/qbittorrentvpn

wiebereu commented 3 years ago

@rusty1281 The last thing I can think of is the 48 character limit to be able to use the Linux client. Is your password longer than 48 characters?

No it is not. Don’t worry about it, I have moved to other Nord containers that work just fine. Tnx for the effort.

hey, no fix is working for me, to what container did you switch? do you have a link because i have the same error as you

Ended using azinchen/nordvpn but not via wireguard. Stuck with ovpn for the time being. Needed a stable and working vpn container running under DSM7, and not many Nord Wireguard images out there so decided to go back to ovpn.

I had the same problem with the Bubuntux NordVPN and from what i read here i didn't see any helpful solutions. Just like you i ended up installing the azinchen/nordvpn container but there i got another problem. That is that i get the message about my TUN/TAP device. I don't know if this has anything to do with DSM 7.0

rusty1281 commented 3 years ago

@rusty1281 The last thing I can think of is the 48 character limit to be able to use the Linux client. Is your password longer than 48 characters?

No it is not. Don’t worry about it, I have moved to other Nord containers that work just fine. Tnx for the effort.

hey, no fix is working for me, to what container did you switch? do you have a link because i have the same error as you

Ended using azinchen/nordvpn but not via wireguard. Stuck with ovpn for the time being. Needed a stable and working vpn container running under DSM7, and not many Nord Wireguard images out there so decided to go back to ovpn.

I had the same problem with the Bubuntux NordVPN and from what i read here i didn't see any helpful solutions. Just like you i ended up installing the azinchen/nordvpn container but there i got another problem. That is that i get the message about my TUN/TAP device. I don't know if this has anything to do with DSM 7.0

Try the workaround that I posted in this article here https://www.blackvoid.club/qbittorrent-via-vpn-docker-container-running-on-synology-nas/

Search for the TUN problem

ZaxLofful commented 2 years ago

I have read all of the comments here, but I am still having this issue.

I even tried to change my password....No dice.

It doesn't give me invalid login credentials, it just says that it cannot connect to the Nord server I put in the config (I have changed and checked, these are valid).

It worked a week ago, but now it just "doesn't" connect, login is fine.

CodeSapiens commented 1 year ago

This issue still exists after trying all the solutions proposed above. Here is what I have observed... When running the docker package as is, the log shows that none of the iptables are created due to permission. Changing the container to have NET_ADMIN privileges gets rid of the log errors and allows the manipulation of iptables, however that eliminates internet access since all traffic is routed through the new iptables configuration, preventing a login to nordvpn. This issue did not exist before, as this same container worked in the past. I haven't been able to pinpoint when it stopped working or what broke it, but I don't think this ticket should be closed until that is resolved.
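
Added example, not part of the thread or of the bubuntux/nordvpn project: a pre-flight script for three causes raised in the comments above (missing /dev/net/tun, no NET_ADMIN capability, password over the 48-character limit). The function names and the sample CapEff masks in the comments are constructed for illustration; the check relies on CAP_NET_ADMIN being capability number 12 in the Linux capability bitmask.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks to run inside the
# container before blaming the VPN account. All function names are hypothetical.

# CapEff in /proc/<pid>/status is a hex bitmask; CAP_NET_ADMIN is bit 12.
# Constructed samples: 00000000a80425fb lacks bit 12, 00000000a80435fb has it.
has_net_admin() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # reject anything that is not hex
    esac
    [ $(( (0x$1 >> 12) & 1 )) -eq 1 ]
}

# The TUN node must exist and be a character device.
tun_available() {
    [ -c "${1:-/dev/net/tun}" ]
}

# 48-character limit for the Linux client, as stated in the thread.
password_fits() {
    [ "${#1}" -le 48 ]
}

# preflight TUN_PATH CAPEFF_HEX PASSWORD
# Prints one line per finding and returns the number of failed checks.
preflight() {
    failures=0
    if ! tun_available "$1"; then
        echo "FAIL: $1 missing or not a character device (add it under devices:)"
        failures=$((failures + 1))
    fi
    if ! has_net_admin "$2"; then
        echo "FAIL: CAP_NET_ADMIN not in effective set '$2' (add NET_ADMIN under cap_add:)"
        failures=$((failures + 1))
    fi
    if ! password_fits "$3"; then
        echo "FAIL: password is ${#3} characters, over the 48-character limit"
        failures=$((failures + 1))
    fi
    if [ "$failures" -eq 0 ]; then
        echo "OK: tun device, NET_ADMIN and password length all pass"
    fi
    return "$failures"
}

# Live use inside the container (PASS is the variable from the compose files above):
#   capeff=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)
#   preflight /dev/net/tun "$capeff" "$PASS"
```

A clean pass only rules out these three causes; the expired-account and device-limit symptoms reported in the thread are decided on the provider's side and cannot be checked from inside the container.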