NordVPN client's version or changelog: 3.19.0 (30-09-2024)
Images with NordVPN client >3.17.0 require privileged mode. Pre-3.17 versions run without root privileges at container level. Set the env var NORDVPN_VERSION to 3.16.9, for instance, to force a nordvpn package downgrade during the setup process. Running a privileged container is a risk.
Furthermore, the container cannot be removed, as it doesn't release its grasp on /etc/resolv.conf: Error response from daemon: unable to remove filesystem for XXXX: unlinkat /var/lib/docker/containers/YYY/resolv.conf: operation not permitted. I guess a new version will be released soon.
Warning 1: login process is sometimes unstable:
It's not you, it's us. We're having trouble reaching our servers. If the issue persists, please contact our customer support.
Warning 2: login through token is preferred:
Logging in via ‘--legacy’, ‘--username’, and ‘--password’ flags is deprecated. Use ‘nordvpn login' or ‘nordvpn login --nordaccount’ to log in via browser. Alternatively, you can use ‘nordvpn login --token’ to log in with a generated token.
Warning 3: at the moment, the container is not set up to run with the generated WireGuard config file (healthcheck, start checks, switch from NordVPN to WireGuard tools).
This is a NordVPN Docker container, based on Debian bookworm, that connects to the NordVPN recommended servers using the NordVPN Linux client. It starts a SOCKS5 proxy server (dante) and an HTTP proxy server so that it can be used as a NordVPN gateway. When the WireGuard tools are installed (useful to extract the WireGuard configuration), 317 MB of additional disk space will be used (the nordlynx-proxy-wg image is built to compare sizes). OpenVPN and NordLynx are available through the NordVPN technology setting. Whenever the connection is lost, the NordVPN client has a kill switch to obliterate the connection.
If the environment variable GENERATE_WIREGUARD_CONF=true is set, the WireGuard configuration is saved to /etc/wireguard/wg0.conf when connecting. This file can be exported and then re-used to set up a plain WireGuard connection.
Please note that WebRTC will leak your real IP. You need to disable WebRTC or install nordvpn's browser extension. https://browserleaks.com/webrtc#howto-disable-webrtc
This image is a variation of nordvpn-proxy. The latter is based on OpenVPN. The NordVPN client application replaces OpenVPN. NordVPN's version of WireGuard is NordLynx.
You can then expose port 1080 from the container to access the VPN connection via the SOCKS5 proxy, or use the HTTP proxy port, 8888.
To sum up, this container:
eth0:8888 to eth0:1080 (socks server) with tinyproxy.
eth0:1080 to tun0/nordlynx with dante-server.
The main advantages are:
Please note that, to avoid DNS problems when the DNS service is on the same host, /etc/resolv.conf is set to Cloudflare DNS (1.1.1.1). This DNS is only used during startup (to check the latest NordVPN version). NordVPN DNS is set when the VPN connection is up.
# Generated by NordVPN
nameserver 103.86.96.100
nameserver 103.86.99.100
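A check for the DNS switch described above, as an added example (not part of the project's scripts): it parses the container's /etc/resolv.conf text and reports whether the resolvers are still the startup one, the NordVPN ones shown on this page, or something else. The function names and the state labels are assumptions made for this example.

```python
import ipaddress

STARTUP_DNS = {"1.1.1.1"}                         # startup resolver named on this page
NORDVPN_DNS = {"103.86.96.100", "103.86.99.100"}  # from the page's resolv.conf

def nameservers(resolv_conf):
    """Return the valid nameserver addresses in resolv.conf text, in file order."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue                       # comments, search/options lines, blanks
        try:
            found.append(str(ipaddress.ip_address(fields[1].split("%")[0])))
        except ValueError:
            pass                           # not an IP address: skip the entry
    return found

def dns_state(resolv_conf):
    """Classify the file as 'vpn', 'startup', 'none' or 'unexpected:<addrs>'."""
    servers = nameservers(resolv_conf)
    if not servers:
        return "none"
    others = [s for s in servers if s not in NORDVPN_DNS]
    if not others:
        return "vpn"
    if set(servers) <= STARTUP_DNS:
        return "startup"
    return "unexpected:" + ",".join(others)

# Constructed inputs: the file shown on this page, and a mixed file.
VPN_UP = "# Generated by NordVPN\nnameserver 103.86.96.100\nnameserver 103.86.99.100\n"
MIXED = "nameserver 103.86.96.100\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for text in (VPN_UP, "nameserver 1.1.1.1\n", MIXED):
        print(dns_state(text))
```

A state other than "vpn" once the tunnel is reported up means lookups are going to a resolver other than the NordVPN ones listed here.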
The container may use environment variables to select a server; otherwise the best recommended server is selected. See the environment variables or NordVPN support for all available options.
Adding
sysctls:
  - net.ipv6.conf.all.disable_ipv6=1 # disable ipv6
might be needed if NordVPN cannot change the settings itself.
As of 23-12-2022, login with username and password is deprecated, as is legacy login. Username and password logins are allowed in the container, but may not be allowed by NordVPN. Login with a token is highly recommended. Tokens can be generated in your NordAccount.
version: '3.8'
services:
  proxy:
    image: edgd1er/nordlynx-proxy:latest
    restart: unless-stopped
    ports:
      - "1080:1080"
      - "8888:8888"
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1 # disable ipv6
    cap_add:
      - NET_ADMIN # Required
    environment:
      - TZ=America/Chicago
      #- CONNECT= #Optional, overrides COUNTRY, specify country+server number for example: uk715
      - COUNTRY=de #Set NordVPN server country to connect to.
      - GROUP=P2P #Africa_The_Middle_East_And_India, Asia_Pacific, Europe, Onion_Over_VPN, P2P, Standard_VPN_Servers, The_Americas
      #- KILLERSWITCH=on #Optional, on by default, kill switch is a feature helping you prevent unprotected access to the internet when your traffic doesn't go through a NordVPN server.
      #- CYBER_SEC=off #CyberSec is a feature protecting you from ads, unsafe connections and malicious sites
      #- TECHNOLOGY=NordLynx #OpenVPN or NordLynx
      #- PROTOCOL=udp #Optional, udp (default) or tcp. Can only be used with TECHNOLOGY=OpenVPN.
      #- IPV6=off #Optional, off by default, on/off available, off disables IPV6 in NordVPN app
      #- NORDVPN_LOGIN=<email or token> #Not required if using secrets
      #- NORDVPN_PASS=<pass> #Not required if using secrets or token in above `NORDVPN_LOGIN=token`
      #- DEBUG=0 #(0/1) activate debug mode for scripts, dante, tinyproxy
      - LOCAL_NETWORK=192.168.1.0/24 #LAN subnet to route through proxies and vpn.
      #- TINYUSER: optional, enforces authentication over tinyproxy when set with TINYPASS.
      #- TINYPASS: optional, enforces authentication over tinyproxy when set with TINYUSER.
      #- TINYLOGLEVEL=error #Optional, default error: Critical (least verbose), Error, Warning, Notice, Connect (to log connections without info's noise), Info
      #- TINYPORT=8888 #define tinyport inside the container, optional, 8888 by default,
      #- DANTE_LOGLEVEL="error" #Optional, error by default, available values: connect disconnect error data
      - DANTE_ERRORLOG=/dev/stdout #Optional, /dev/null by default
      #- DANTE_DEBUG=0 # Optional, 0-9
      #- GENERATE_WIREGUARD_CONF=true #write /etc/wireguard/wg0.conf if true
    secrets:
      - NORDVPN_CREDS # token, 1 line only
      - TINY_CREDS # username on line 1, password on line 2
secrets:
  NORDVPN_CREDS:
    file: ./nordvpn_creds #file with username/token in 1st line, passwd in 2nd line.
  TINY_CREDS:
    file: ./tiny_creds #file with username/password in 1st line, passwd in 2nd line.
NordVPN and tinyproxy credentials may be made available through secrets (/run/secrets/nordvpn_creds, /run/secrets/tiny_creds). In the setup scripts, secret values override any env values. Secret names are fixed values: NORDVPN_CREDS, TINY_CREDS.
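An audit of a rendered compose file for the settings this page flags (privileged mode, credentials passed as environment variables instead of secrets, tinyproxy without TINYUSER/TINYPASS or TINY_CREDS, proxy ports published on every host interface), as an added example that is not part of the project. It assumes input shaped like `docker compose config --format json`; the function names, the finding texts, the sample token and the 192.168.1.10 host address are constructed for illustration.

```python
import json

CRED_VARS = {"NORDVPN_LOGIN", "NORDVPN_PASS", "TINYUSER", "TINYPASS"}  # names from this page
ALL_IFACES = {"", "0.0.0.0", "::"}  # no host address means every interface

def _env(svc):
    """Non-empty environment entries, from either the list or the mapping form."""
    env = svc.get("environment") or {}
    if isinstance(env, list):
        env = dict((e.split("=", 1) + [""])[:2] for e in env)
    return {k: v for k, v in env.items() if v}

def _port(port):
    """Return (host_ip, container_port) for long or short port syntax."""
    if isinstance(port, dict):
        return port.get("host_ip", ""), str(port.get("target"))
    parts = str(port).rsplit(":", 2)  # short syntax: [host_ip:]published:target
    return (parts[0].strip("[]") if len(parts) == 3 else ""), parts[-1]

def audit(compose):
    """Return (service, finding) pairs for one parsed compose document."""
    out = []
    for name, svc in compose.get("services", {}).items():
        env = set(_env(svc))
        secrets = {s["source"] if isinstance(s, dict) else s
                   for s in svc.get("secrets") or []}
        if svc.get("privileged"):
            out.append((name, "privileged: true"))
        for var in sorted(CRED_VARS & env):
            out.append((name, f"{var} set in environment, not via secrets"))
        if "TINY_CREDS" not in secrets and not {"TINYUSER", "TINYPASS"} <= env:
            out.append((name, "tinyproxy has no authentication configured"))
        for host_ip, target in map(_port, svc.get("ports") or []):
            if host_ip in ALL_IFACES:
                out.append((name, f"port {target} published on all host interfaces"))
    return out

# Constructed samples, shaped like `docker compose config --format json` output.
WEAK = json.loads("""{"services": {"proxy": {"privileged": true,
  "environment": {"NORDVPN_LOGIN": "example-token", "COUNTRY": "de"},
  "ports": ["1080:1080", {"target": 8888, "published": "8888"}]}}}""")
HARDENED = json.loads("""{"services": {"proxy": {"cap_add": ["NET_ADMIN"],
  "environment": {"NORDVPN_VERSION": "3.16.9", "COUNTRY": "de"},
  "secrets": [{"source": "NORDVPN_CREDS"}, {"source": "TINY_CREDS"}],
  "ports": ["192.168.1.10:1080:1080",
            {"target": 8888, "published": "8888", "host_ip": "192.168.1.10"}]}}}""")

if __name__ == "__main__":
    print(json.dumps({"weak": audit(WEAK), "hardened": audit(HARDENED)}, indent=2))
```

The hardened sample pins NORDVPN_VERSION to 3.16.9 because, as stated at the top of this page, later clients require privileged mode.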
Enter the container: docker compose exec lynx bash
Several aliases are available:
checkip
getcheck
From time to time, the nordvpn app is bugged; installing another version (downgrade) may be a workaround.