nordlynx-proxy

NordVPN client's version or changelog: 3.18.1 (11-05-2024)

Image with nordvpn's client 3.17.[0-3] require privileged Mode. Pre 3.17 versions are running without root privileges at container level. Set env var NORDVPN_VERSION to 3.16.9 for instance, to force a nordvpn package downgrade during setup process. Running privileged container is a risk. furhtermore container cannot be removed as it doesn't remove its graps on /etc/resolv.conf Error response from daemon: unable to remove filesystem for XXXX: unlinkat /var/lib/docker/containers/YYY/resolv.conf: operation not permitted. I guess a new version will be released soon.

Warning 1: login process is sometimes unstable:

It's not you, it's us. We're having trouble reaching our servers. If the issue persists, please contact our customer support.

Warning 2: login through token is preferred:

Logging in via ‘--legacy’, ‘--username’, and ‘--password’ flags is deprecated. Use ‘nordvpn login' or ‘nordvpn login --nordaccount’ to log in via browser. Alternatively, you can use ‘nordvpn login --token’ to log in with a generated token.

Warning 3: at the moment, the container is not set to run with generated wireguard config file. (healthcheck, start checks, switch from NordVPN to WireGuard tools).

Description

This is a NordVPN docker container, based on debian bookworm, that connects to the NordVPN recommended servers using the NordVPN Linux client. It starts a SOCKS5 proxy server (dante) and a HTTP proxy server to use it as a NordVPN gateway. When using wireguard tools, useful to extract wireguard configuration , 317 MB of additional disk space will be used. (nordlynx-proxy-wg image is built to compare sizes). OpenVPN and NordLynx technology are available through NordVPN settings technology. Whenever the connection is lost, the NordVPN client has a killswitch to obliterate the connection.

Exporting WireGuard config

If environment variable GENERATE_WIREGUARD_CONF=true is set, the WireGuard configuration is saved to /etc/wireguard/wg0.conf when connecting. This file can be exported then re-used to setup a plain WireGuard connection.

VPN tests:

• https://www.dnsleaktest.com
• https://ipleak.net
• https://browserleaks.com/webrtc

Please note that WebRTC will leak your real IP. You need to disable WebRTC or install nordvpn's browser extension. https://browserleaks.com/webrtc#howto-disable-webrtc

What is this?

This image is a variation of nordvpn-proxy. The latter is based on OpenVPN. The NordVPN client application replaces OpenVPN. NordVPN's version of WireGuard is NordLynx.

You can then expose port 1080 from the container to access the VPN connection via the SOCKS5 proxy, or use the 8888 http's proxy port.

To sum up, this container:

• Opens the best connection to NordVPN using NordVPN's API results according to your criteria. NordVPN recommended
• Starts a HTTP proxy that routes eth0:8888 to eth0:1080 (socks server) with tinyproxy.
• Starts a SOCKS5 proxy that routes eth0:1080 to tun0/nordlynx with dante-server.
• NordVPN DNS servers perform resolution, by default.
• Uses supervisor to handle services easily.

The main advantages are:

• You get the best recommendation for each combination of parameters (country, groups, protocol).
• You can select OpenVPN or NordLynx protocol.
• Use of NordVPN app features (Killswitch, CyberSec, ....).

Please note, that to avoid DNS problems when the DNS service is on the same host, /etc/resolv.conf is set to Cloudflare DNS (1.1.1.1). The DNS above is only used during startup (to check the latest NordVPN version). NordVPN DNS is set when VPN connection is up.

# Generated by NordVPN
nameserver 103.86.96.100
nameserver 103.86.99.100

Usage

The container may use environment variables to select a server, otherwise the best recommended server is selected: See environment variables to get all available options or NordVPN support.

Adding

sysclts:
 - net.ipv6.conf.all.disable_ipv6=1 # disable ipv6

Might be needed, if NordVPN cannot change the settings itself.

Environment options

• ANALYTICS: [off/on], default on, send anonymous aggregate data: crash reports, OS version, marketing performance, and feature usage data
• TECHNOLOGY: [NordLynx]/[OpenVPN], default: NordLynx (wireguard like)
• PROTOCOL: udp (default), tcp. Can only be used with TECHNOLOGY=OpenVPN.
• OBFUSCATE: [off/on], default off, hide vpn's use.
• CONNECT: [country]/[server]/[country_code]/[city] or [country] [city], if none provide you will connect to argentina server.
• COUNTRY: define the exit country, default argentina.
• GROUP: Default P2P, value: Africa_The_Middle_East_And_India, Asia_Pacific, Europe, Onion_Over_VPN, P2P, Standard_VPN_Servers, The_Americas, although many categories are possible, p2p seems to be more adapted.
• NORDVPN_LOGIN: email or token (as of 25-07-21, service credentials are not allowed).
• NORDVPN_PASS: pass or empty when using token
• CYBER_SEC, default off
• KILLERSWITCH, default on
• DNS: change dns
• PORTS: add ports to allow
• LOCAL_NETWORK: add subnet to allow, multiple values possible net1, net2, net3, ....
• DOCKER_NET: optional, docker CIDR extracted from container ip if not set.
• TINYUSER: optional, enforces authentication over tinyproxy when set with TINYPASS.
• TINYPASS: optional, enforces authentication over tinyproxy when set with TINYUSER.

NordVPN Authentication

As of 23-12-2022, login with username and password are deprecated, as well as legacy. Username and password logins are allowed in the container, but may not be allowed by NordVPN. Login with a token is highly recommended. Tokens can be generated in your NordAccount.

docker-compose example with env variables explained

version: '3.8'
services:
  proxy:
    image: edgd1er/nordlynx-proxy:latest
    restart: unless-stopped
    ports:
      - "1080:1080"
      - "8888:8888"
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1 # disable ipv6
    cap_add:
      - NET_ADMIN               # Required
    environment:
      - TZ=America/Chicago
      #- CONNECT= #Optional, overrides COUNTRY, specify country+server number for example: uk715
      - COUNTRY=de #Set NordVPN server country to connect to.
      - GROUP=P2P #Africa_The_Middle_East_And_India, Asia_Pacific, Europe, Onion_Over_VPN, P2P, Standard_VPN_Servers, The_Americas
      #- KILLERSWITCH=on #Optional, on by default, kill switch is a feature helping you prevent unprotected access to the internet when your traffic doesn't go through a NordVPN server.
      #- CYBER_SEC=off #CyberSec is a feature protecting you from ads, unsafe connections and malicious sites
      #- TECHNOLOGY=NordLynx #OpenVPN or NordLynx
      #- PROTOCOL=udp #Optional, udp (default) or tcp. Can only be used with TECHNOLOGY=OpenVPN.
      #- IPV6=off #Optional, off by default, on/off available, off disables IPV6 in NordVPN app
      #- NORDVPN_LOGIN=<email or token> #Not required if using secrets
      #- NORDVPN_PASS=<pass> #Not required if using secrets or token in above `NORDVPN_LOGIN=token`
      #- DEBUG=0 #(0/1) activate debug mode for scripts, dante, tinyproxy
      - LOCAL_NETWORK=192.168.1.0/24 #LAN subnet to route through proxies and vpn.
      #- TINYUSER: optional, enforces authentication over tinyproxy when set with TINYPASS.
      #- TINYPASS: optional, enforces authentication over tinyproxy when set with TINYUSER.
      #- TINYLOGLEVEL=error #Optional, default error: Critical (least verbose), Error, Warning, Notice, Connect (to log connections without info's noise), Info
      #- TINYPORT=8888 #define tinyport inside the container, optional, 8888 by default,
      #- DANTE_LOGLEVEL="error" #Optional, error by default, available values: connect disconnect error data
      - DANTE_ERRORLOG=/dev/stdout #Optional, /dev/null by default
      #- DANTE_DEBUG=0 # Optional, 0-9
      #- GENERATE_WIREGUARD_CONF=true #write /etc/wireguard/wg0.conf if true
    secrets:
      - NORDVPN_CREDS
      - TINY_CREDS

secrets:
    NORDVPN_CREDS:
        file: ./nordvpn_creds #file with username/token in 1st line, passwd in 2nd line.
    TINY_CREDS:
        file: ./tiny_creds #file with username/password in 1st line, passwd in 2nd line.

Secrets

Nordvpn and tinyproxy credentials may be available throught secrets (/run/secrets/nordvpn_creds, /run/secrets/tiny_creds) In the setup scripts, secrets values override any env values. Secrets names are fixed values: NORDVPN_CREDS, TINY_CREDS.

file: ./nordvpn_creds #file with username/token in 1st line, passwd in 2nd line. file: ./tiny_creds #file with username/password in 1st line, passwd in 2nd line.

Troubleshoot

Enter the container: docker compose exec lynx bash

Several aliases are available:

• checkhttp: get external ip through http proxy and vpn. should be the same as checkip
• checksocks: get external ip through socks proxy and vpn. should be the same as checkip
• checkip: get external ip. should be the same as getcheck
• checkvpn: print protection status as seen by nordvpn's client.
• getcheck: get information as ip from nordvpn client.
• getdante: print socks proxy configuration
• gettiny: print http proxy configuration
• getversion: install nordvpn specific version, allow downgrades eg 3.17.0, 3.17.1, ...

From times to times, nordvpn app is bugged, installing another version (downgrade) may be a workaround.