sebgl / htpc-download-box

Sonarr / Radarr / Jackett / NZBGet / Deluge / OpenVPN / Plex

NordVPN connecting but not able to use it #54

Closed duindain closed 3 years ago

duindain commented 3 years ago

Hopefully I've misconfigured something.

I am getting a working VPN connection, but I can't seem to use it.

I could potentially be testing it incorrectly.

This is my config for transmission and openvpn:

services:
  vpn:
    container_name: vpn
    image: dperson/openvpn-client:latest
    cap_add:
      - net_admin # required to modify network interfaces
    restart: unless-stopped
    environment:
      - PUID=${VPNPUID} # vpn service user id, defined in .env
      - PGID=${VPNPGID} # vpn service group id, defined in .env
      - TZ=${TZ} # timezone, defined in .env
    volumes:
      - /dev/net:/dev/net:z # tun device
      - ${VPNROOT}:/vpn # OpenVPN configuration
    security_opt:
      - label:disable
    ports:
      - 9117:9117 # port for jackett web UI to be reachable from local network
      - 9091:9091 # port for transmission web UI to be reachable from local network
    command: '-d -f "" -r 192.168.2.0/24' # -d use the vpns DNS, -f enable firewall, -r route local network traffic

  transmission:
    image: linuxserver/transmission:latest
    container_name: transmission
    restart: unless-stopped
    network_mode: service:vpn # run on the vpn network
    environment:
      - PUID=${VPNUSERPUID} # default user id, defined in .env
      - PGID=${VPNUSERPGID} # default group id, defined in .env
      - TZ=${TZ} # timezone, defined in .env
    volumes:
      - ${DOWNLOADINGROOT}:/downloads/incomplete
      - ${COMPLETEDOWNLOADROOT}:/downloads/complete
      - ${CONFIGROOT}/config/transmission:/config # config files

This is close to stock, but with it running under a different account and with the firewall and VPN DNS enabled.

.env variables:

TZ=Australia/Sydney
VPNPUID=1001
VPNPGID=1001
VPNUSERPUID=1001
VPNUSERPGID=1001
VPNROOT=/etc/openvpn

The other paths don't really matter for this issue.

Anyway I have got the docker-compose working well for

I can view the transmission and Jackett web UIs fine.

I had to create a vpn.conf file; I couldn't seem to change that name (my previous non-Docker install used a different file name). The env variable VPN_FILES didn't work, unfortunately.

My certificate and key are included in the VPN file, as well as the link to a credentials file; all of this seems to work fine.

# VPN chosen is ****.nordvpn.com.tcp.ovpn injected on 2020-12-30 13:01:02
client
dev tun
proto tcp
remote NORDVPNSERVERIP
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass /vpn/pass
auth-nocache

verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
disable-occ

script-security 2
route-noexec

<ca>
-----BEGIN CERTIFICATE-----
....Cert hash
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
....Cert key hash
-----END OpenVPN Static key V1-----
</tls-auth>

I've sanitised the cert hash, key, server name and IP above.

These are the VPN container logs:

The use of ROUTE or -r may no longer be needed, try it without!
The use of ROUTE or -r may no longer be needed, try it without!
Dump terminated
+ exec sg vpn -c 'openvpn --cd /vpn --config /vpn/vpn.conf --script-security 2 --redirect-gateway def1 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh --route-up '\''/bin/sh -c " iptables -A OUTPUT -d 127.0.0.11 -j ACCEPT"'\'' --route-pre-down '\''/bin/sh -c " iptables -D OUTPUT -d 127.0.0.11 -j ACCEPT"'\'''
Thu Dec 31 05:26:27 2020 WARNING: file '/vpn/pass' is group or others accessible
Thu Dec 31 05:26:27 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Thu Dec 31 05:26:27 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Thu Dec 31 05:26:27 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Dec 31 05:26:27 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 31 05:26:27 2020 NOTE: --fast-io is disabled since we are not using UDP
Thu Dec 31 05:26:27 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 31 05:26:27 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Dec 31 05:26:27 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]NORDVPNSERVERIP:443
Thu Dec 31 05:26:27 2020 Socket Buffers: R=[131072->131072] S=[16384->16384]
Thu Dec 31 05:26:27 2020 Attempting to establish TCP connection with [AF_INET]NORDVPNSERVERIP:443 [nonblock]
Thu Dec 31 05:26:28 2020 TCP connection established with [AF_INET]NORDVPNSERVERIP:443
Thu Dec 31 05:26:28 2020 TCP_CLIENT link local: (not bound)
Thu Dec 31 05:26:28 2020 TCP_CLIENT link remote: [AF_INET]NORDVPNSERVERIP:443
Thu Dec 31 05:26:28 2020 TLS: Initial packet from [AF_INET]NORDVPNSERVERIP:443, sid=26a605b9 fea347d3
Thu Dec 31 05:26:29 2020 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Dec 31 05:26:29 2020 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
Thu Dec 31 05:26:29 2020 VERIFY KU OK
Thu Dec 31 05:26:29 2020 Validating certificate extended key usage
Thu Dec 31 05:26:29 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 31 05:26:29 2020 VERIFY EKU OK
Thu Dec 31 05:26:29 2020 VERIFY OK: depth=0, CN=se457.nordvpn.com
Thu Dec 31 05:26:30 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Dec 31 05:26:30 2020 [se457.nordvpn.com] Peer Connection Initiated with [AF_INET]NORDVPNSERVERIP:443
Thu Dec 31 05:26:31 2020 SENT CONTROL [se457.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Dec 31 05:26:32 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.3.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: compression parms modified
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Dec 31 05:26:32 2020 Socket Buffers: R=[131072->425984] S=[87040->425984]
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: route options modified
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: route-related options modified
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: peer-id set
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: adjusting link_mtu to 1659
Thu Dec 31 05:26:32 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Dec 31 05:26:32 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Dec 31 05:26:32 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 31 05:26:32 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 31 05:26:32 2020 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:02
Thu Dec 31 05:26:32 2020 TUN/TAP device tun0 opened
Thu Dec 31 05:26:32 2020 TUN/TAP TX queue length set to 100
Thu Dec 31 05:26:32 2020 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec 31 05:26:32 2020 /sbin/ip addr add dev tun0 10.7.3.2/24 broadcast 10.7.3.255
Thu Dec 31 05:26:32 2020 /etc/openvpn/up.sh tun0 1500 1587 10.7.3.2 255.255.255.0 init
Thu Dec 31 05:26:32 2020 Initialization Sequence Completed
Thu Dec 31 06:26:31 2020 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Dec 31 06:26:31 2020 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
Thu Dec 31 06:26:31 2020 VERIFY KU OK
Thu Dec 31 06:26:31 2020 Validating certificate extended key usage
Thu Dec 31 06:26:31 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 31 06:26:31 2020 VERIFY EKU OK
Thu Dec 31 06:26:31 2020 VERIFY OK: depth=0, CN=se457.nordvpn.com
Thu Dec 31 06:26:32 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 31 06:26:32 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 31 06:26:32 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Thu Dec 31 07:26:30 2020 TLS: tls_process: killed expiring key
Thu Dec 31 07:26:36 2020 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Dec 31 07:26:36 2020 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
Thu Dec 31 07:26:36 2020 VERIFY KU OK
Thu Dec 31 07:26:36 2020 Validating certificate extended key usage
Thu Dec 31 07:26:36 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Dec 31 07:26:36 2020 VERIFY EKU OK
Thu Dec 31 07:26:36 2020 VERIFY OK: depth=0, CN=se457.nordvpn.com
Thu Dec 31 07:26:37 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 31 07:26:37 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Dec 31 07:26:37 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA

I've sanitised the NordVPN server IP above but left everything else as is.

For testing, I am running:

sudo docker exec -t -i vpn /bin/bash
curl ipinfo.io

This should return the VPN's details, not the details I get through my own account. It currently times out after a minute with no response:

curl: (28) Failed to connect to ipinfo.io port 80: Operation timed out

I've also tried the same through the transmission container and get the same timeout.

I think the connection is fine, but it's not being exposed to itself, let alone to others.

I've tried it configured as

volumes:
  - /dev/net:/dev/net:z # tun device

I've also tried:

devices:
  - /dev/net/tun

Both seem to fail the same way.

I added the timezone as the logs had the incorrect time against them; no difference. I've tried removing the environment section in the docker-compose file for the vpn service; no difference. I've tried without -d in the command (using the VPN's DNS servers); no difference. I've tried without -f "" in the command (enabling the firewall); no difference.

Does anyone have any ideas? Am I testing it wrong?

I had a split-tunnelling connection previously, which I believe I've now fully removed: multiple reboots, renaming all the files, and removing the old up and down scripts that the VPN config used to call.

duindain commented 3 years ago

I've submitted this issue on the openvpn repo as well, since it's most likely the VPN container that's not enabling the connection.

Hopefully someone will know what to do :)

duindain commented 3 years ago

I think I've managed to resolve this.

The VPN's DNS did not work for me, and the config that allowed scripts to run for the old split tunnel was also breaking the connection.

I changed the docker-compose for vpn to:

vpn:
    container_name: vpn
    image: dperson/openvpn-client:latest
    cap_add:
      - net_admin # required to modify network interfaces
    restart: unless-stopped
    environment:
      - PUID=${VPNPUID} # vpn service user id, defined in .env
      - PGID=${VPNPGID} # vpn service group id, defined in .env
      - TZ=${TZ} # timezone, defined in .env
    volumes:
      - ${VPNROOT}:/vpn # OpenVPN configuration
    devices:
      - /dev/net/tun:/dev/net/tun
    security_opt:
      - label:disable
    ports:
      - 9117:9117 # port for jackett web UI to be reachable from local network
      - 9091:9091 # port for transmission web UI to be reachable from local network
    command: '-f ""'

I used to inject the following split-tunnelling config into the vpn.conf file:

disable-occ

script-security 2
route-noexec

#up and down scripts to be executed when VPN starts or stops
#up /etc/openvpn/iptables.sh
#down /etc/openvpn/update-resolv-conf

I had already commented out the up and down scripts, as this Docker container does that internally, but the three additional lines at the top seem to cause the VPN to come up without being usable.

I can now jump onto the vpn and transmission containers with

docker exec -it vpn /bin/bash
curl ipinfo.io

and both show the VPN addressing.

I'll try experimenting soon with re-enabling the VPN DNS now that those config changes are gone, and see if I can restore that.
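An added check, not from this issue or from dperson/openvpn-client: the exec line in the logs above runs OpenVPN with --redirect-gateway def1, which is expected to install two half-default routes (0.0.0.0/1 and 128.0.0.0/1) via tun0; an active route-noexec line in vpn.conf suppresses them, so traffic keeps leaving over eth0 and the -f firewall drops it, which is exactly the "connected but times out" symptom. The route tables and config snippets below are constructed from the addresses in the log, not captured from the reporter's host.

```shell
#!/bin/sh
# Added example: verify that a VPN container's egress really goes through the tunnel.
# Functions take text arguments so they can be checked offline; inside the container
# you would pass "$(ip route show)" and "$(cat /vpn/vpn.conf)".

# tunnel_routes_ok ROUTE_TABLE_TEXT
# Succeeds only if both half-default routes that --redirect-gateway def1 installs
# point at tun0.  A plain "default via ... dev eth0" with no 0.0.0.0/1 and
# 128.0.0.0/1 entries means traffic bypasses the tunnel.
tunnel_routes_ok() {
    printf '%s\n' "$1" | grep -q '^0\.0\.0\.0/1 .* dev tun0' &&
    printf '%s\n' "$1" | grep -q '^128\.0\.0\.0/1 .* dev tun0'
}

# config_has_route_noexec CONFIG_TEXT
# Succeeds if an active (uncommented) route-noexec directive is present; it tells
# OpenVPN not to add the pushed routes, which is what caused the symptom in this issue.
config_has_route_noexec() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*route-noexec([[:space:]]|$)'
}

# vpn_egress_ok CONFIG_TEXT ROUTE_TABLE_TEXT  -> 0 when the tunnel carries default traffic
vpn_egress_ok() {
    ! config_has_route_noexec "$1" && tunnel_routes_ok "$2"
}

# Constructed samples, modelled on the log above (172.18.0.1 on eth0, 10.7.3.1 on tun0).
ROUTES_GOOD='0.0.0.0/1 via 10.7.3.1 dev tun0
default via 172.18.0.1 dev eth0
10.7.3.0/24 dev tun0 proto kernel scope link src 10.7.3.2
128.0.0.0/1 via 10.7.3.1 dev tun0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2'

ROUTES_LEAK='default via 172.18.0.1 dev eth0
10.7.3.0/24 dev tun0 proto kernel scope link src 10.7.3.2
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.2'

CONF_BROKEN='client
dev tun
route-noexec'

CONF_FIXED='client
dev tun
#route-noexec'

# Live use inside the vpn container:
#   vpn_egress_ok "$(cat /vpn/vpn.conf)" "$(ip route show)" && echo "egress via tunnel"
```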

duindain commented 3 years ago

I've tried changing the Docker config to -d -f "" to turn on the VPN DNS servers and keep the firewall on.

It seems to be working OK still.