Open bouncymonkey opened 5 years ago
Hi, thanks for the suggestion.
Unfortunately, NordVPN appears to use hundreds of DNS entries to point to individual servers...it is almost like referring to individual ips. I'd suggest the most straightforward way around this is to not use a vendor-specific kludge, but to list many of the servers (hundreds, if you wish) in the conf and use the openvpn `remote-random` option. This exposes the vpn vm to less risk since it doesn't have to interact with a web server during startup.

I'd also suggest that NordVPN customers contact their support to request a regional domain name like "us-east", "us-nyc", "us-west" etc. that does load balancing via the traditional DNS method. Notice that a domain like us-east.privateinternetaccess.com has a DNS response that changes ips second-by-second for this reason.
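To show what the static alternative in the reply above looks like in practice, here is an added example (not code from this thread or from the Qubes-vpn-support project) that merges the `remote` lines of many per-server `.ovpn` files into one client config ending in `remote-random`, so OpenVPN picks a server itself and the VPN VM never has to reach a web server before the tunnel is up. The sample file contents, the `BASE_OPTIONS` list and the `*.ovpn` file naming are constructed assumptions, not NordVPN's real bundle.

```python
"""Merge the `remote` lines of many per-server .ovpn files into one client
config that lets OpenVPN choose a server itself with `remote-random`."""
import re
from pathlib import Path

# Matches `remote <host> [port] [proto]`; the `remote-random` directive
# itself does not match because it has no whitespace after "remote".
REMOTE_RE = re.compile(
    r"^\s*remote\s+(\S+)(?:\s+(\d+))?(?:\s+(udp|tcp)\S*)?\s*$", re.I
)

# Constructed sample of what per-server files might contain (assumption,
# not real NordVPN files). The last one duplicates the first remote.
SAMPLE_CONFIGS = {
    "us1234.nordvpn.com.udp.ovpn":
        "client\ndev tun\nproto udp\nremote us1234.nordvpn.com 1194 udp\n",
    "us4321.nordvpn.com.udp.ovpn":
        "client\ndev tun\nproto udp\nremote us4321.nordvpn.com 1194 udp\n",
    "us4321.nordvpn.com.tcp.ovpn":
        "client\ndev tun\nproto tcp\nremote us4321.nordvpn.com 443 tcp\n",
    "dup.ovpn":
        "client\nremote us1234.nordvpn.com 1194 udp\n",
}

# Options shared by every remote; in practice copy these from one vendor file.
BASE_OPTIONS = ["client", "dev tun", "nobind", "persist-key", "persist-tun"]


def parse_remotes(config_text):
    """Return (host, port, proto) for every `remote` directive in one config.
    Port defaults to 1194 and proto to udp when the directive omits them."""
    remotes = []
    for line in config_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            host = m.group(1)
            port = int(m.group(2) or "1194")
            proto = (m.group(3) or "udp").lower()
            remotes.append((host, port, proto))
    return remotes


def collect_remotes(config_texts):
    """Gather remotes from many config texts, dropping exact duplicates
    while keeping first-seen order."""
    seen, merged = set(), []
    for text in config_texts:
        for remote in parse_remotes(text):
            if remote not in seen:
                seen.add(remote)
                merged.append(remote)
    return merged


def collect_remotes_from_dir(ovpn_dir):
    """Same as collect_remotes, reading every *.ovpn file in a directory."""
    paths = sorted(Path(ovpn_dir).glob("*.ovpn"))
    return collect_remotes(p.read_text() for p in paths)


def build_config(remotes, base_options=BASE_OPTIONS):
    """Emit one client config: shared options, one `remote` per server,
    then `remote-random` so OpenVPN shuffles the list at startup."""
    lines = list(base_options)
    lines += [f"remote {host} {port} {proto}" for host, port, proto in remotes]
    lines.append("remote-random")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config(collect_remotes(SAMPLE_CONFIGS.values())), end="")
```

Run it against the real directory with `build_config(collect_remotes_from_dir("/rw/config/vpn/ovpn_udp"))` and write the result to the config the service loads; the certificate, key and cipher directives still have to come from one of the vendor files, which is why `BASE_OPTIONS` is only a placeholder here.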
Note: It would probably be better to fetch the recommended VPN server every time the service is restarted. Unfortunately, the firewall is dropping any connection to the outside while the VPN is down to prevent leaks, so we would have to poke a hole in its configuration.
NordVPN provides neat packages for Linux, based on OpenVPN. One key feature of that package over vanilla OpenVPN is that NordVPN connects to a recommended server based on load and location.
It is not obvious how to use the NordVPN program instead of OpenVPN in Qubes-vpn-support. OpenVPN provides several hooks (e.g. `--up` and `--down`) that are lacking in the NordVPN binary. However, the NordVPN website provides a utility to determine which server is best. It is trivial to pull that information from the webpage and use the matching configuration in OpenVPN. See the utility here: https://nordvpn.com/servers/tools/

Here's what to do:

- `/rw/config/vpn` (You should have directory `/rw/config/vpn/ovpn_udp` containing many OVPN configuration files.)
- `jq` for JSON parsing.
- `/usr/lib/qubes/qubes-vpn-setup` as follows:

This should pick the recommended NordVPN server every time the VPN service starts. Note that in this example, we ask the website for a US-based server that supports UDP. The `wget` URL can be changed to match one's needs.

This is probably not the best way to go about it, but it solved my problem and I figured it would solve others'. If anyone is willing to make it a solid feature, I will be happy to help.
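The modification to `qubes-vpn-setup` is not reproduced in the issue, so here is an added example (not bouncymonkey's script and not part of Qubes-vpn-support) of the selection step it describes: take the JSON the recommendation tool returns, pick the least-loaded server for which a local config exists, and fall back to a fixed config otherwise. It uses Python's `json` in place of `jq`, and the JSON shape (`hostname`/`load` fields), the `SAMPLE_JSON` contents and the `<hostname>.<proto>.ovpn` file naming are assumptions. The one thing the example adds over the description is validation of the hostname: it is untrusted data from a web response that ends up in a filesystem path, so it is checked against a strict pattern before being used.

```python
"""Map a server-recommendation JSON answer to a local .ovpn file, safely."""
import json
import os
import re

# Constructed sample answer (assumed shape: a JSON array of objects with at
# least "hostname" and "load"). Includes a hostile entry and an entry with no
# matching local config, to show both are skipped.
SAMPLE_JSON = json.dumps([
    {"hostname": "us1234.nordvpn.com", "load": 35},
    {"hostname": "../../etc/passwd", "load": 1},
    {"hostname": "us4321.nordvpn.com", "load": 12},
    {"hostname": "us9999.nordvpn.com", "load": 20},
])

# Only lowercase DNS labels joined by dots: no slashes, no "..", no spaces.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


def config_name(hostname, proto="udp"):
    """Assumed naming convention of the unpacked bundle: <hostname>.<proto>.ovpn"""
    return f"{hostname}.{proto}.ovpn"


def pick_config(json_text, available, proto="udp"):
    """Return the config file name for the least-loaded recommended server
    that has a local config, or None. `available` is the set of file names
    present in the ovpn directory (for example from os.listdir)."""
    try:
        servers = json.loads(json_text)
    except ValueError:
        return None
    if not isinstance(servers, list):
        return None
    candidates = []
    for entry in servers:
        host = entry.get("hostname") if isinstance(entry, dict) else None
        # Reject anything that is not a plain hostname before it can shape a path.
        if not isinstance(host, str) or not HOSTNAME_RE.match(host):
            continue
        load = entry.get("load", 100)
        if not isinstance(load, (int, float)):
            continue
        candidates.append((load, host))
    for _load, host in sorted(candidates):
        name = config_name(host, proto)
        if name in available:
            return name
    return None


def choose_config_path(json_text, ovpn_dir, fallback, proto="udp"):
    """Full path of the chosen config, or `fallback` when the answer is
    unusable or nothing recommended is present locally."""
    available = set(os.listdir(ovpn_dir)) if os.path.isdir(ovpn_dir) else set()
    name = pick_config(json_text, available, proto)
    return os.path.join(ovpn_dir, name) if name else fallback


if __name__ == "__main__":
    print(choose_config_path(SAMPLE_JSON, "/rw/config/vpn/ovpn_udp",
                             "/rw/config/vpn/vpn-client.conf"))
```

Because the VPN VM's firewall blocks outbound traffic while the tunnel is down (the note above), the fetch that produces `json_text` only works if the setup script is allowed a narrow exception for that one request; keeping a fallback config means a failed or blocked fetch still yields a working (if not optimally loaded) connection rather than no connection.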