NordVPN + RPi4 support #216

Open
ShadowEliteRyze opened this issue Dec 31, 2023 · 5 comments

@ShadowEliteRyze

Hello everyone!

I've had my RPi4 set up as a great travel router for the past year now and it has been working great, until yesterday.
I use NordVPN because this allows me to connect to their obfuscated servers using their official app.

This is what the setup looked like:
[personal device / devices] -> ethernet [RPi4 w/ NordVPN] -> Wi-Fi [ISP Router / Hotel Internet]

However, starting yesterday, I was forced to update the NordVPN app and the Raspberry Pi OS Lite because NordVPN would no longer log in (possibly deprecated due to the old version I was using), and suddenly, my setup doesn't work anymore.

In order to get it to work previously, I would set eth0 with a static IP address by:
sudo nano /etc/dhcpcd.conf
and then adding:

interface eth0
static ip_address=192.168.4.1/24

to the bottom of the file

I then would install dnsmasq and add the following code to the dnsmasq conf file

sudo apt install dnsmasq
sudo nano /etc/dnsmasq.conf

interface=eth0
listen-address=192.168.4.1                # Specify the address to listen on
#bind-interfaces                          # Bind to the interface
server=103.86.96.100                      # Use nord DNS
domain-needed                             # Don't forward short names
bogus-priv                                # Drop the non-routed address spaces.
dhcp-range=192.168.4.3,192.168.4.20,12h   # IP range and lease time

Then I would change sysctl.conf to uncomment net.ipv4.ip_forward=1

sudo nano /etc/sysctl.conf
net.ipv4.ip_forward=1

However, this setup doesn't seem to work anymore, and my ethernet devices, while getting the IP address assigned from the RPi4, are not connecting to the internet anymore.

I noticed after running ifconfig, that the nordvpn interface has changed from tun0 to nordtun, so I tried altering the rc.local file to say

iptables -t nat -A POSTROUTING -o nordtun -j MASQUERADE

but this still hasn't worked.
Any advice? I have been trying to get this to work again but with no luck so far!

I have tried downgrading the version of nordvpn to 3.15.5 and also rolled back the version of RPi OS to pre-bookworm version (bullseye) and I still can't get it to work.

Any advice would be greatly appreciated!

@ph202107

ph202107 commented Jan 2, 2024

I would like to request a step-by-step guide for setting up a Raspberry Pi with the NordVPN Linux client to act as a VPN gateway.

support.nordvpn.com has some guides for setting up routers, pfsense, and other manual setups, but none specifically for gateways. Generic online guides seem to be limited to OpenVPN configurations. Advice posted on forums may be outdated since there have been changes following v3.16.4 ( #50 ).

Using the Linux CLI makes it much easier to change servers, and of course to use NordLynx and all the other features that the CLI offers. However, config changes, additional iptables rules, allowlist considerations, etc. can seem very convoluted especially for a novice. A guide to the recommended setup and settings directly from the NordVPN Linux team would be ideal.

As an example, some very well written and comprehensive how-to guides are available for Meshnet on https://meshnet.nordvpn.com/ .

It would be very much appreciated! Thank you for your consideration.

@bartoszWojciechO bartoszWojciechO self-assigned this Jan 3, 2024
@bartoszWojciechO
Contributor

@ShadowEliteRyze can you run iptables -L on the RPi and paste the output?

@ShadowEliteRyze
Author

Hi @bartoszWojciechO ,

I managed to get it to work by downgrading from RPi OS Bookworm back to Bullseye.
I then used:
iptables -t nat -A POSTROUTING -o nordtun -j MASQUERADE
and had to whitelist the local subnet that I assigned to the ethernet port (this was a new step I didn't previously have to do but seems to have gotten my setup to work!)

Kind regards,
Ryan

@JarroVGIT

JarroVGIT commented May 21, 2024

> I would like to request a step-by-step guide for setting up a Raspberry Pi with the NordVPN Linux client to act as a VPN gateway.

Well, hopefully this helps you or someone out trying to achieve just that!

  1. Perform a clean install of Raspberry Pi OS (I used Lite, without a desktop environment).
    a. Ensure you have SSH enabled if you want headless mode.
  2. SSH into your RPI and install NordVPN, then reboot (sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh) and sudo reboot)
    a. Note: There is currently an issue with 3.18.1 (the latest stable). You will need to downgrade to 3.18 or earlier for this to work. See 3.18.1 - Private subnet in allowlist not working, lan-discovery works OK #406 for more information.
  3. Allow your private network to bypass the VPN. Change the IP address with your local range. (nordvpn whitelist add subnet 192.168.0.0/16)
  4. Perform the login dance as described here in the docs.
  5. Ensure NordVPN auto connects on boot (nordvpn set autoconnect on)
  6. Allow IP forwarding on your RPI (echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf)
  7. Add a new NAT rule to iptables (sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE)
    a. Note: by default, changes to iptables do not persist between reboots.
  8. Ensure iptables rules persist between boots by installing iptables-persistent. (sudo apt-get install iptables-persistent)
    a. During installation it will ask to save your configuration. Just accept the defaults. If you ever find yourself in a situation in which you need to change your iptables rules, you can use sudo netfilter-persistent save to save them again.

You can reboot after this, it should connect right away. You can check the status with nordvpn status after reboot (and of course, after you SSH into your RPI again).

For any machine to use the RPI's VPN, you have to set up the machine to use the IP address of your RPI as its gateway. For example, my TV had the following IP config with DHCP:

DHCP:
IP:       192.168.2.100
Netmask:  255.255.255.0
Gateway:  192.168.2.254     <-- typically IP of your Modem/Router
DNS:      192.168.2.254

I changed it to be static config as:

Static:
IP:       192.168.2.100
Netmask:  255.255.255.0
Gateway:  192.168.2.101     <-- change to RPI IP address
DNS:      8.8.8.8           Changed because didn't want to use DNS of my ISP anymore

Hope this helps you out, if not then someone else trying to do the same thing :)
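
Added example, not part of any comment in this thread or of NordVPN's code: a small bash audit for the failure this issue describes, where the tunnel interface is renamed (tun0, nordtun, nordlynx) and the MASQUERADE rule keeps pointing at a name that no longer exists. The function names, the TUNNEL_IFACES list and the sample data are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit the two gateway prerequisites.
# On a live Pi:  audit_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" \
#     "$(ls /sys/class/net)" "$(sudo iptables -t nat -S POSTROUTING)"

# Tunnel interface names reported in this thread; extend for other setups.
TUNNEL_IFACES="tun0 nordtun nordlynx"

# Print the -o interface of each MASQUERADE rule in `iptables -t nat -S` output.
masq_ifaces() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
      for (i = 3; i < NF; i++) if ($i == "-o") print $(i + 1)
    }'
}

# has_word <word> <space/newline separated list>
has_word() { printf '%s\n' $2 | grep -qxF -- "$1"; }

# audit_gateway <ip_forward value> <interface list> <nat rules>
# Prints one finding per line. Returns 0 only when forwarding is enabled and a
# MASQUERADE rule points at a tunnel interface that currently exists.
audit_gateway() {
  ag_fwd=$1 ag_ifaces=$2 ag_rules=$3 ag_live=0
  [ "$ag_fwd" = "1" ] || echo "FAIL net.ipv4.ip_forward=$ag_fwd, packets are not routed"
  for ag_if in $(masq_ifaces "$ag_rules"); do
    if ! has_word "$ag_if" "$ag_ifaces"; then
      echo "FAIL MASQUERADE -o $ag_if: interface does not exist (stale rule)"
    elif ! has_word "$ag_if" "$TUNNEL_IFACES"; then
      echo "WARN MASQUERADE -o $ag_if: not a known tunnel interface"
    else
      echo "OK   MASQUERADE -o $ag_if"
      ag_live=1
    fi
  done
  [ "$ag_live" = "1" ] || echo "FAIL no MASQUERADE rule on a live tunnel interface"
  [ "$ag_fwd" = "1" ] && [ "$ag_live" = "1" ]
}

# Constructed sample: the client now creates nordtun, but the rule still names tun0.
SAMPLE_IFACES="lo eth0 wlan0 nordtun"
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o tun0 -j MASQUERADE'
audit_gateway 1 "$SAMPLE_IFACES" "$SAMPLE_RULES" || echo "gateway not ready"
```

Running the audit after every client or OS upgrade, and after switching between OpenVPN and NordLynx, catches a rule that was saved by iptables-persistent for an interface name the client no longer creates.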

@ph202107

> Hope this helps you out, if not then some one else trying to do the same thing :)

Thanks for the detailed guide! Very informative and helpful.
