You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
set Nord to use wireguard nordvpn set technology NordLynx then nordvpn login
nordvpn whitelist add subnet 192.168.0.0/24
On the local machine connect to the nordvpn country of choice nordvpn connect ch, ch is Switzerland
On the local machine sudo wg showconf nordlynx to see the client private key and server pubkey
also run ifconfig to see the nordlynx ip, probably 10.5.0.2
also run curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load' to see server pubkey and server hostname server.nordvpn.com
sudo wg show will show the interface pubkey
on the local device nordvpn d to disconnect, freeing the credentials to be used by our server
Configure the server
Boot up and log in to your favourite VPS provider and create a new instance. I used Oracle's free tier
Log in to the instance sudo apt update && sudo apt upgrade -y
Whilst waiting, if you want to, point a new domain name at the IP of the server.
Edit ,/etc/pivpn/wireguard/setupVars.conf to have piVPNnet 10.5.0.0 and DNS 1.1.1.1 unless doing pihole in which case 10.5.0.2
Edit sudo nano /etc/wireguard/keys/server_priv and sudo nano /etc/wireguard/keys/server_pub to be the NordVPN client private and public keys you found from the local machine.
Edit sudo nano /etc/wireguard/wg0.conf to have the correct private key and address 10.5.0.2/24
run pivpn -d and agree to the suggested changes
Stop the wireguard server sudo wg-quick down wg0
Run these commands - make sure the tunnel is down
sudo ip route get 1 | grep -Po '(?<=src )(\S+)'
sudo ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)'
sudo ip -4 route ls | grep default | grep -Po '(?<=via )(\S+)'
Append the following, but completed to the end of /etc/wireguard/wg0.conf
PreUp = ip rule add from <output from command 1> table 128
PreUp = ip route add table 128 to <output from command 1>/32 dev <output from command 2>
PreUp = ip route add table 128 default via <output from command 3>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o %i -j MASQUERADEPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o %i -j MASQUERADEPostDown = ip rule del from <output from command 1> table 128
PostDown = ip route del table 128 to <output from command 1>/32 dev <output from command 2>
PostDown = ip route del table 128 default via <output from command 3>
### begin nord upstream ###[Peer]PublicKey = <public key of the nordvpn wg server>
AllowedIPs = 0.0.0.0/0
Endpoint = <nord address e.g ch215.nordvpn.com>:51820
PersistentKeepalive = 25
pivnp -a --name ignoreme Create a profile that wont be used because it has a conflicting IP (10.5.0.2)
Comment out the ignoreme peer
Example of what wg0.conf should look like when done
[Interface]PrivateKey = <hidden>
Address = 10.5.0.2/24
ListenPort = 51820
PostUp = ip rule add from 10.0.0.108 table 128 pref 1
PostUp = ip route add table 128 to 10.0.0.108/32 dev ens3
PostUp = ip route add table 128 default via 10.0.0.1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o %i -j MASQUERADEPostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o %i -j MASQUERADEPostDown = ip rule del from 10.0.0.108 table 128
PostDown = ip route del table 128 to 10.0.0.108/32 dev ens3
PostDown = ip route del table 128 default via 10.0.0.1
### begin nord upstream ###[Peer]PublicKey = SqvsfSVdnUJgsdfgsdfgwPgvwQagdsgrrF8=
AllowedIPs = 0.0.0.0/0
Endpoint = ch215.nordvpn.com:51820
PersistentKeepalive = 25
### begin ignoreme ####[Peer]#PublicKey = +B9olwKGeULQMFEmyfgdhdfghgdfhFVj2Csfgdfsg4FM=#PresharedKey = 5UasdfadfsVsdfgsdfg4Gm+12yFSwdrW3WGRzY=#AllowedIPs = 10.5.0.2/32
sudo wg-quick up wg0 should go up without a hitch.
sudo iptables --line-numbers --list and then iptables -D FORWARD X where X is the number that rejects with ICMP
I tried your tutorial (really great something like that exist, btw !), but I’m running into the same problem than what I had with the bubuntu versions off NordVPN dockers. It conflicts due to iptable. And I just can’t make any versions work at the moment… would you know how to behave a version of iptable needed for docker to run, anyway) that also support nftable inside the docker out of the box ?
Sorry, I stopped using this setup a year or two ago. So it is possible something is broken now. If you find a fix, do reply on this threat so that other can see
I found this while researching how to allow wireguard to connect to my home network from outside while running nordvpn on the home network. I had wireguard working before deploying my nordvpn router, but now it's currently broken. @TKinslayer, I figured out the iptables to make basically any nordvpn suported linux distro into a nordvpn router without all the hacky steps to get a static wireguard config(which doesn't work anymore) and using only the nordvpn native linux app and a local dhcp server.
If anyone seeing this has a solution for my problem, I welcome the help.
In the meantime, here's my nordvpn router project write-up... https://github.com/theOtherLuke/nordlynx-router
Hi,
I tried your tutorial (really great something like that exist, btw !), but I’m running into the same problem than what I had with the bubuntu versions off NordVPN dockers. It conflicts due to iptable. And I just can’t make any versions work at the moment… would you know how to behave a version of iptable needed for docker to run, anyway) that also support nftable inside the docker out of the box ?
Thanks!