Skip to content

Instantly share code, notes, and snippets.

@balupton
Last active July 5, 2024 11:07
Show Gist options
  • Save balupton/793d7492d27e1c5deccd7aa2a5ca5cef to your computer and use it in GitHub Desktop.
Save balupton/793d7492d27e1c5deccd7aa2a5ca5cef to your computer and use it in GitHub Desktop.
Debugging Ubuntu VPN/Bridge Networking

Networking on my Ubuntu machines is being flaking:

  • docker bridge interface failing
  • traffic not going to vpns
  • when vpn or docker bridge does work it knocks out all dns resolutions

Here are all the things I have tried or yet to try.

docker failures

# https://serverfault.com/a/963155
noipv4ll  # what is this?

# https://www.daemon-systems.org/man/dhcpcd.8.html
#     When using IPv4LL, dhcpcd nearly always succeeds and returns an exit code
#     of 0.  In the rare case it fails, it normally means that there is a
#     reverse ARP proxy installed which always defeats IPv4LL probing.  To
#     disable this behaviour, you can use the -L, --noipv4ll option.
#    -L, --noipv4ll
#             Don't use IPv4LL (aka APIPA, aka Bonjour, aka ZeroConf).
# ^ not helpful at explaining at all

# https://unix.stackexchange.com/a/658014/50703
# Udhcpc need /etc/udhcpc/udhcpc.conf, accessible by all, with a single line dns="ns1 ns2"
# ^ also a terrible explanation

transmission

# https://help.ubuntu.com/community/TransmissionHowTo
sudo vim /var/lib/transmission-daemon/info/settings.json
sudo usermod -a -G debian-transmission user
# "umask": 2, - WHY WHAT IS THIS

# https://wiki.debian.org/Transmission
apt install transmission-daemon  --install-suggests
systemctl edit transmission-daemon.service

docker vpn

nordvpn config

# https://www.makeuseof.com/how-to-install-nordvpn-ubuntu/
nordvpn set autoconnect on

ufw

# https://askubuntu.com/a/1230322/22776
sudo ufw allow 1194/udp

disable ipv6

apparently many things doesn't support it, including nord, however there is conflicting information about this

# https://wiki.archlinux.org/title/IPv6#Disable_IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.nic0.disable_ipv6 = 1
net.ipv6.conf.nicN.disable_ipv6 = 1

noipv6rs
noipv6

nmcli connection modify ConnectionName ipv6.method "disabled"

ip route

# https://serverfault.com/a/472364
ip route show table main
ip route add 88.191.250.176 via <gatewayip> dev eth3

wireguard

# https://bbs.archlinux.org/viewtopic.php?id=251317
Install wireguard-tools.

# https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/
sudo apt install wireguard
sudo ufw allow 41194/udp
sudo systemctl enable wg-quick@wg0
# and a bunch of other stuff
# https://askubuntu.com/a/1378515/22776
# no idea
sudo edit /etc/ppp/ip-up.d/0000usepeerdns

nexthop

# https://bbs.archlinux.org/viewtopic.php?id=243382
ip a
ip r
systemctl list-unit-files --state=enabled

protonvpn

# https://protonvpn.com/support/linux-vpn-setup/
# doesn't seem there is arm support for the official protonvpn client

# https://protonvpn.com/support/linux-openvpn/
#  Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2  to block malware, ads, and trackers (for example 123456789+f2).
sudo apt-get install openvpn
sudo wget "https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh" -O "/etc/openvpn/update-resolv-conf"

openvpn scripts

# https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-linux/
openvpn3 session-start --config ${client.ovpn}
openvpn3 sessions-list
openvpn --config client.ovpn --auth-user-pass --auth-retry interact
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# https://www.ivpn.net/setup/linux-terminal/
ip a | grep tun
curl https://api.ivpn.net/v4/geo-lookup
curl https://api.ivpn.net/v4/geo-lookup | jq
grep -i vpn /var/log/syslog

nordvpn scripts

# nord support
sudo iptables -P INPUT ACCEPT
sudo iptables -F INPUT 
sudo iptables -P OUTPUT ACCEPT
sudo iptables -F OUTPUT
sudo systemctl restart NetworkManager
# https://support.nord-help.com/Connectivity/Linux/1325531132/Installing-and-using-NordVPN-on-Debian-Ubuntu-Raspberry-Pi-Elementary-OS-and-Linux-Mint.htm
nordvpn whitelist add port 22 - Add a rule to whitelist a specified incoming port. You can also whitelist multiple ports — just separate their numbers with a space.
nordvpn whitelist remove port 22 - Remove the rule to whitelist a specified port.
nordvpn whitelist add subnet 192.168.0.0/16 - Add a rule to whitelist a specified subnet.
nordvpn whitelist remove subnet 192.168.0.0/16  - Remove the rule to whitelist a specified subnet.
# https://www.reddit.com/r/nordvpn/comments/jodvfs/comment/gb7f5yj/?utm_source=reddit&utm_medium=web2x&context=3
# required nordlynx to actually initiate
ip table rule. sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o nordlynx -j ACCEPT
sudo iptables -A FORWARD -i nordLynx -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

openvpn

# https://openvpn.net/community-resources/how-to/
a whole bunch of routing and iptable stuff that doesn't seem relevant
# https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
--pull-filter ignore redirect-gateway
--route-noexec 
--route-nopull 
def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

general debugging

route
ip addr
ip route
ip rule
ifconfig
tcpdump -i eth0
traceroute 8.8.8.8
sudo iptables -L -v

RTNETLINK errors

# JUST REBOOT

# https://stackoverflow.com/a/27708858/130638
# https://stackoverflow.com/a/64473630/130638
# --cap-add=NET_ADMIN
# http://linux.die.net/man/7/capabilities

# https://raspberrypi.stackexchange.com/a/51947/134746
sudo ip addr flush dev wlan0

# https://raspberrypi.stackexchange.com/a/65753/134746
sudo ifup --ignore-errors wlan0

# https://raspberrypi.stackexchange.com/a/79881/134746
ifdown --force --verbose ethX && ifup --force --verbose ethX

# https://askubuntu.com/a/313367/22776
sudo ifdown eth0 && sudo ifup -v eth0

# https://debugah.com/ubuntu-how-to-solve-rtnetlink-answers-file-exists-two-methods-5679/
ip addr flush dev eth0  # nukes network access until ifup is run
ip addre flush dev eth1
ifdown eth0 && ifup eth0 && ifdown eth1 && ifup eth1

# https://stackoverflow.com/a/53961002/130638
sudo tc qdisc replace dev eth0 root netem delay 100ms
sudo tc qdisc del dev eth0 root
sudo tc qdisc add dev eth0 root netem delay 100ms

syncthing

# https://docs.syncthing.net/users/config.html
# https://docs.syncthing.net/users/config.html#gui-element
<gui enabled="true" tls="false" debugging="false">
    <address>0.0.0.0:8384</address>
</gui>

# https://docs.syncthing.net/users/guilisten.html

docker transmission

# https://haugene.github.io/docker-transmission-openvpn/config-options/#dropping_default_route_from_iptables_advanced
# https://github.com/haugene/docker-transmission-openvpn/
# https://github.com/haugene/docker-transmission-openvpn/search?q=DROP_DEFAULT_ROUTE

Network configuration options¶
Variable	Function	Example
OPENVPN_CONFIG	Sets the OpenVPN endpoint to connect to.	OPENVPN_CONFIG=UK Southampton
OPENVPN_OPTS	Will be passed to OpenVPN on startup	See OpenVPN doc
LOCAL_NETWORK	Sets the local network that should have access. Accepts comma separated list.	LOCAL_NETWORK=192.168.0.0/24
CREATE_TUN_DEVICE	Creates /dev/net/tun device inside the container, mitigates the need mount the device from the host	CREATE_TUN_DEVICE=true
PEER_DNS	Controls whether to use the DNS provided by the OpenVPN endpoint.	To use your host DNS rather than what is provided by OpenVPN, set PEER_DNS=false. This allows for potential DNS leakage.
PEER_DNS_PIN_ROUTES	Controls whether to force traffic to peer DNS through the OpenVPN tunnel.	To disable this default, set PEER_DNS_PIN_ROUTES=false.


Some VPNs do not override the default route, but rather set other routes with a lower metric. This might lead to the default route (your untunneled connection) to be used.

To drop the default route set the environment variable DROP_DEFAULT_ROUTE to true.

Note: This is not compatible with all VPNs. You can check your iptables routing with the ip r command in a running container.

# https://github.com/haugene/docker-transmission-openvpn/blob/d1ece1c5f36f275d5d950bd2557ec43f79a80d14/transmission/start.sh#L70-L74
/sbin/ip route del default via "${route_net_gateway}" 

ufw

# https://askubuntu.com/a/98252/22776
sudo ufw enable
sudo ufw allow 22/tcp
# https://linuxconfig.org/how-to-enable-disable-firewall-on-ubuntu-20-04-lts-focal-fossa-linux
sudo ufw status
sudo ufw status verbose
sudo ufw disable
sudo ufw enable

docker

# https://stackoverflow.com/a/68992601/130638
docker network prune
# https://docs.docker.com/network/bridge/#use-the-default-bridge-network
# Configure the default bridge network
{
  "bip": "192.168.1.1/24",
  "fixed-cidr": "192.168.1.0/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "192.168.1.254",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2","10.20.1.3"]
}
# daemon.json
{
  "allow-nondistributable-artifacts": [],
  "authorization-plugins": [],
  "bridge": "",
  "cluster-advertise": "",
  "cluster-store": "",
  "containerd": "\\\\.\\pipe\\containerd-containerd",
  "containerd-namespace": "docker",
  "containerd-plugin-namespace": "docker-plugins",
  "data-root": "",
  "debug": true,
  "default-ulimits": {},
  "dns": [],
  "dns-opts": [],
  "dns-search": [],
  "exec-opts": [],
  "experimental": false,
  "features": {},
  "fixed-cidr": "",
  "group": "",
  "hosts": [],
  "insecure-registries": [],
  "labels": [],
  "log-driver": "",
  "log-level": "",
  "max-concurrent-downloads": 3,
  "max-concurrent-uploads": 5,
  "max-download-attempts": 5,
  "mtu": 0,
  "pidfile": "",
  "raw-logs": false,
  "registry-mirrors": [],
  "shutdown-timeout": 15,
  "storage-driver": "",
  "storage-opts": [],
  "swarm-default-advertise-addr": "",
  "tlscacert": "",
  "tlscert": "",
  "tlskey": "",
  "tlsverify": true
}
debug: it changes the daemon to debug mode when set to true.
cluster-store: it reloads the discovery store with the new address.
cluster-store-opts: it uses the new options to reload the discovery store.
cluster-advertise: it modifies the address advertised after reloading.
labels: it replaces the daemon labels with a new set of labels.
live-restore: Enables keeping containers alive during daemon downtime.
max-concurrent-downloads: it updates the max concurrent downloads for each pull.
max-concurrent-uploads: it updates the max concurrent uploads for each push.
max-download-attempts: it updates the max download attempts for each pull.
default-runtime: it updates the runtime to be used if not is specified at container creation. It defaults to “default” which is the runtime shipped with the official docker packages.
runtimes: it updates the list of available OCI runtimes that can be used to run containers.
authorization-plugin: it specifies the authorization plugins to use.
allow-nondistributable-artifacts: Replaces the set of registries to which the daemon will push nondistributable artifacts with a new set of registries.
insecure-registries: it replaces the daemon insecure registries with a new set of insecure registries. If some existing insecure registries in daemon’s configuration are not in newly reloaded insecure registries, these existing ones will be removed from daemon’s config.
registry-mirrors: it replaces the daemon registry mirrors with a new set of registry mirrors. If some existing registry mirrors in daemon’s configuration are not in newly reloaded registry mirrors, these existing ones will be removed from daemon’s config.
shutdown-timeout: it replaces the daemon’s existing configuration timeout with a new timeout for shutting down all containers.
features: it explicitly enables or disables specific features.

# flags
The -b, --bridge= flag is set to docker0 as default bridge network. It is created automatically when you install Docker. If you are not using the default, you must create and configure the bridge manually or just set it to ‘none’: --bridge=none
--exec-root is the path where the container state is stored. The default value is /var/run/docker. Specify the path for your running daemon here.
--data-root is the path where persisted data such as images, volumes, and cluster state are stored. The default value is /var/lib/docker. To avoid any conflict with other daemons, set this parameter separately for each daemon.
-p, --pidfile=/var/run/docker.pid is the path where the process ID of the daemon is stored. Specify the path for your pid file here.
--host=[] specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to /var/run/docker.sock.
--iptables=false prevents the Docker daemon from adding iptables rules. If multiple daemons manage iptables rules, they may overwrite rules set by another daemon. Be aware that disabling this option requires you to manually add iptables rules to expose container ports. If you prevent Docker from adding iptables rules, Docker will also not add IP masquerading rules, even if you set --ip-masq to true. Without IP masquerading rules, Docker containers will not be able to connect to external hosts or the internet when using network other than default bridge.
--config-file=/etc/docker/daemon.json is the path where configuration file is stored. You can use it instead of daemon flags. Specify the path for each daemon.
--tls* Docker daemon supports --tlsverify mode that enforces encrypted and authenticated remote connections. The --tls* options enable use of specific certificates for individual daemons.
sudo dockerd \
        -H unix:///var/run/docker-bootstrap.sock \
        -p /var/run/docker-bootstrap.pid \
        --iptables=false \
        --ip-masq=false \
        --bridge=none \
        --data-root=/var/lib/docker-bootstrap \
        --exec-root=/var/run/docker-bootstrap
# https://stackoverflow.com/a/35519951/130638
# /etc/systemd/system/docker.service.d/docker.conf 
# [Service]
# ExecStart=
# ExecStart=/usr/bin/docker daemon -H fd:// --bip=192.168.169.1/24

systemctl stop docker

# We need a program called brctl to, well, control the bridge, which is part of the bridge-utils package.
sudo apt-get install bridge-utils

#Bring down the docker0 interface:
sudo ip link set docker0 down

# And delete the bridge.
sudo brctl delbr docker0

# Finally, start the Docker daemon
systemctl start docker
https://www.suse.com/support/kb/doc/?id=000018916
DOCKER_OPTS="--bip=192.168.1.1/24"
# https://github.com/kubernetes-sigs/kubespray/issues/213#issuecomment-212974520
ExecStartPre=-/usr/bin/ip link set dev docker0 down
ExecStartPre=-/usr/sbin/brctl delbr docker0
# https://github.com/moby/moby/issues/42558#issuecomment-905313588
# don't work, breaks more things
sudo apt remove netscript-2.4
# https://stackoverflow.com/a/64793583/130638
sysctl -w net.ipv4.ip_forward=1
# https://docs.docker.com.zh.xy2401.com/v17.09/engine/userguide/networking/default_network/custom-docker0/
sudo apt-get install bridge-utils
sudo brctl show
{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "192.168.1.5/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "10.20.1.1",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2","10.20.1.3"]
}
The same options are presented as flags to dockerd, with an explanation for each:

--bip=CIDR: supply a specific IP address and netmask for the docker0 bridge, using standard CIDR notation. For example: 192.168.1.5/24.

--fixed-cidr=CIDR and --fixed-cidr-v6=CIDRv6: restrict the IP range from the docker0 subnet, using standard CIDR notation. For example: 172.16.1.0/28. This range must be an IPv4 range for fixed IPs, and must be a subset of the bridge IP range (docker0 or set using --bridge or the bip key in the daemon.json file). For example, with --fixed-cidr=192.168.1.0/25, IPs for your containers will be chosen from the first half of addresses included in the 192.168.1.0/24 subnet.

--mtu=BYTES: override the maximum packet length on docker0.

--default-gateway=Container default Gateway IPV4 address and --default-gateway-v6=Container default gateway IPV6 address: designates the default gateway for containers connected to the docker0 bridge, which controls where they route traffic by default. Applicable for addresses set with --bip and --fixed-cidr flags. For instance, you can configure --fixed-cidr=172.17.2.0/24 and default-gateway=172.17.1.1.

--dns=[]: The DNS servers to use. For example: --dns=172.17.2.10.
# https://docs.docker.com.zh.xy2401.com/v17.09/engine/userguide/networking/default_network/container-communication/#communication-between-containers
sysctl net.ipv4.conf.all.forwarding=1
iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
sudo iptables -L -n
sudo iptables -P FORWARD ACCEPT
# https://stackoverflow.com/a/43932266/130638
{
"bip": "192.168.1.5/24",
"fixed-cidr": "192.168.1.0/25"
}
# https://support.microfocus.com/kb/doc.php?id=7023491
{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "192.168.1.5/25",
  "fixed-cidr-v6": "2001:db8::/64",
  "mtu": 1500,
  "default-gateway": "10.20.1.1",
  "default-gateway-v6": "2001:db8:abcd::89",
  "dns": ["10.20.1.2","10.20.1.3"]
}
# https://developpaper.com/question/the-docker-container-cannot-connect-to-the-internet/
sysctl net.ipv4.ip_forward
iptables -t nat -L POSTROUTING
iptables -t nat -L POSTROUTING | grep masquerade
# https://github.com/moby/moby/issues/36151#issuecomment-811024910
lsmod | grep br_netfilter
modprobe br_netfilter
netstat -i
ip link set dev docker0 promisc on
# https://earthly.dev/blog/docker-networking/
docker network ls     
docker ps
docker network inspect bridge    
# https://maximorlov.com/4-reasons-why-your-docker-containers-cant-talk-to-each-other/
docker network create -o com.docker.network.bridge.enable_icc=true [network]
# https://www.reddit.com/r/docker/comments/o3axmn/docker_has_no_internet_access/
# https://stackoverflow.com/a/70421216/130638
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
    echo "deb http://deb.debian.org/debian buster-backports main" | sudo tee -a /etc/apt/sources.list.d/buster-backports.list
    sudo apt update
    sudo apt install -t buster-backports libseccomp2
# https://github.com/moby/moby/issues/36151#issuecomment-370978922
# https://stackoverflow.com/a/20431030/130638
# https://superuser.com/a/1130993/32418
sudo systemctl stop docker
sudo pkill docker
sudo iptables -t nat -F
sudo ifconfig docker0 down
sudo brctl delbr docker0
sudo systemctl start docker
# https://github.com/docker/for-win/issues/221#issuecomment-597431251
sudo route -n add -net 172.x.0.0/16  $(docker-machine ip default)
sudo iptables -L
sudo iptables -I DOCKER-USER  -j ACCEPT
# https://stackoverflow.com/a/39801518/130638
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
# https://stackoverflow.com/a/49621509/130638
sudo service iptables stop
sudo service docker restart
# https://stackoverflow.com/a/70939554/130638
sudo ip link delete docker0
# https://stackoverflow.com/a/68092908/130638
docker run --security-opt seccomp=unconfined imageName
# https://github.com/moby/moby/issues/36151#issuecomment-968356070
# https://stackoverflow.com/a/70452290/130638
sudo systemctl disable nftables
sudo systemctl stop nftables
sudo reboot
sudo systemctl start docker

dns

# https://support.nordvpn.com/Connectivity/Linux/1134945702/Change-your-DNS-servers-on-Linux.htm
# https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm
nameserver 103.86.96.100
nameserver 103.86.99.100
chattr +i /etc/resolv.conf

resolvectl default route

# https://www.freedesktop.org/software/systemd/man/resolvectl.html
dns [LINK [SERVER…]], domain [LINK [DOMAIN…]], default-route [LINK [BOOL…]], llmnr [LINK [MODE]], mdns [LINK [MODE]], dnssec [LINK [MODE]], dnsovertls [LINK [MODE]], nta [LINK [DOMAIN…]]
Get/set per-interface DNS configuration. These commands may be used to configure various DNS settings for network interfaces. These commands may be used to inform systemd-resolved or systemd-networkd about per-interface DNS configuration determined through external means. The dns command expects IPv4 or IPv6 address specifications of DNS servers to use. Each address can optionally take a port number separated with ":", a network interface name or index separated with "%", and a Server Name Indication (SNI) separated with "#". When IPv6 address is specified with a port number, then the address must be in the square brackets. That is, the acceptable full formats are "111.222.333.444:9953%ifname#example.com" for IPv4 and "[1111:2222::3333]:9953%ifname#example.com" for IPv6. The domain command expects valid DNS domains, possibly prefixed with "~", and configures a per-interface search or route-only domain. The default-route command expects a boolean parameter, and configures whether the link may be used as default route for DNS lookups, i.e. if it is suitable for lookups on domains no other link explicitly is configured for. The llmnr, mdns, dnssec and dnsovertls commands may be used to configure the per-interface LLMNR, MulticastDNS, DNSSEC and DNSOverTLS settings. Finally, nta command may be used to configure additional per-interface DNSSEC NTA domains.

Commands dns, domain and nta can take a single empty string argument to clear their respective value lists.

For details about these settings, their possible values and their effect, see the corresponding settings in systemd.network(5).

The default-route command expects a boolean parameter, and configures whether the link may be used as default route for DNS lookups, i.e. if it is suitable for lookups on domains no other link explicitly is configured for.

# https://systemd.io/RESOLVED-VPNS/
resolvectl domain corporate0 '~corp-company.example' '~2.0.192.in-addr.arpa'
resolvectl default-route corporate0 false
resolvectl dns corporate0 192.0.2.1
resolvectl domain privacy0 '~.'
resolvectl default-route privacy0 true
resolvectl dns privacy0 8.8.8.8

openvpn

# https://askubuntu.com/a/466011/22776
# https://serverfault.com/a/953745
# https://serverfault.com/a/480098
redirect-gateway def1
  • apparently this needs server-side config
  • why isn't this config already inside the .ovpn files from nord?

openvpn and iptables

# https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"

push "redirect-gateway def1"

# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o eth0 \
     -s 10.8.0.0/24 -d 192.168.0.0/24 \
     -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
     -j ACCEPT

# Masquerade all traffic from VPN clients -- done in the nat table 
iptables -t nat -I POSTROUTING -o eth0 \
      -s 10.8.0.0/24 -j MASQUERADE
# https://askubuntu.com/a/578550/22776
iptables -I FORWARD -i tun0 -o eth0 \
         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
         -j ACCEPT

iptables -t nat -I POSTROUTING -o eth0 \
          -s 10.8.0.0/24 -j MASQUERADE
          
# https://askubuntu.com/a/1341821/22776
push "redirect-gateway autolocal"

# https://askubuntu.com/a/1157242/22776
push "redirect-gateway def1 bypass-dhcp"
redirect-gateway def1 bypass-dhcp

# https://forums.openvpn.net/viewtopic.php?t=27618
pull-filter ignore "redirect-gateway def1 bypass-dhcp" pull-filter ignore "dhcp-option DNS 192.168.55.1" pull-filter ignore "dhcp-option DOMAIN example.com" route 192.168.55.0 255.255.255.0

# https://blog.sellorm.com/2017/03/01/force-all-traffic-through-openvpn-connection/
redirect-gateway def1

# https://erwinbierens.com/route-all-traffic-by-openvpn/
push "redirect-gateway def1"
push "dhcp-option DNS "
push "dhcp-option DNS 1.1.1.1"
sudo /etc/init.d/openvpn restart
redirect-gateway def1
iptables -I FORWARD -i tun0 -o wlan0 \
        -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
        -j ACCEPT
iptables -t nat -I POSTROUTING -o wlan0 \
        -s 10.8.0.0/24 -j MASQUERADE

iptables debugging

# list rules
iptables --line-numbers -t filter -L FORWARD

iptables forwarding

# https://upcloud.com/resources/tutorials/configure-iptables-ubuntu
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Next, allow traffic to a specific port to enable SSH connections with the following.
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# To enable access to an HTTP web server, use the following command.
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# hanging the default rule to drop will permit only specifically accepted connection.
sudo iptables -P INPUT DROP

# Now if you were to restart your cloud server all of these iptables configurations would be wiped. To prevent this, save the rules to a file.
sudo iptables-save > /etc/iptables/rules.v4

# You can then simply restore the saved rules by reading the file you saved.
# Overwrite the current rules
sudo iptables-restore < /etc/iptables/rules.v4
# Add the new rules keeping the current ones
sudo iptables-restore -n < /etc/iptables/rules.v4

# You can automate the restore process at reboot by installing an additional package for iptables which takes over the loading of the saved rules. To this with the following command.
sudo apt-get install iptables-persistent
# If you make further changes to your iptables rules, remember to save them again using the same command as above. The iptables-persistent looks for the files rules.v4 and rules.v6 under /etc/iptables.

# To know which index number to enter, use the following command.
sudo iptables -L --line-numbers

# For example to insert a new rule to the top of the chain, use the following command with index number 1.
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

# For example to delete the second rule on the input chain, use this command.
# sudo iptables -D INPUT 2

# Warning: Make sure you set the default rule to ACCEPT before flushing any chain.
sudo iptables -P INPUT ACCEPT

# Clear input chain
sudo iptables -F INPUT
# Flush the whole iptables
sudo iptables -F
# https://www.hostinger.com/tutorials/iptables-tutorial

# sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no.>  -j <target>
# -i (interface) — the network interface whose traffic you want to filter, such as eth0, lo, ppp0, etc.
# -p (protocol) — the network protocol where your filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6, and so on. Alternatively, you can type all to choose every protocol.
# -s (source) — the address from which traffic comes from. You can add a hostname or IP address.
# –dport (destination port) — the destination port number of a protocol, such as 22 (SSH), 443 (https), etc.
# -j (target) — the target name (ACCEPT, DROP, RETURN). You need to insert this every time you make a new rule.

# list rules
sudo iptables -L -v

# To allow traffic on localhost, type this command:
sudo iptables -A INPUT -i lo -j ACCEPT

# Enabling Connections on HTTP, SSH, and SSL Port
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Filtering Packets Based on Source
sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.3 -j DROP
sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

# Dropping all Other Traffic
sudo iptables -A INPUT -j DROP

# Deleting Rules
sudo iptables -F # erase all apparently aka flush
sudo iptables -L --line-numbers # list rules
sudo iptables -D INPUT 3  # delete a specific rule

# Persisting Changes across reboots
sudo /sbin/iptables-save

# Disable iptables
sudo iptables -F
sudo /sbin/iptables-save
# https://askubuntu.com/a/218053/22776
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE  -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -m state --state INVALID -j DROP
# https://serverfault.com/a/1025183
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy
# https://serverfault.com/a/480098
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# https://askubuntu.com/a/578550/22776
iptables -I FORWARD -i tun0 -o eth0 \
         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \
         -j ACCEPT

iptables -t nat -I POSTROUTING -o eth0 \
          -s 10.8.0.0/24 -j MASQUERADE
# https://serverfault.com/a/200658
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

iptables -nvL
# https://serverfault.com/a/200642
iptables-save | awk '/^[*]/ { print $1 } 
                     /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }
                     /COMMIT/ { print $0; }' | iptables-restore
# https://serverfault.com/a/962809
iptables-save | tee iptables_backup.conf | grep -v '\-A' | iptables-restore
iptables-restore < iptables_backup.conf
# https://serverfault.com/a/998574
# It resets (and disables) ufw and then resets iptables clearing and removing all chains. Then it enables the ufw again, but not before it allows port 22 for remote access. The two commands that require user confirmation are "forced" ensuring no input is required. I was able to run this over an active SSH connection.
sudo bash -c "ufw -f reset && iptables -F && iptables -X && ufw allow 22 && ufw -f enable"
# https://serverfault.com/a/1002428
iptables -S |grep DROP| sed 's/-A/-D/' >rules  # -A becomes -D: delete
nano rules  # check that everything is correct
cat rules | while read line; do iptables $line; done
iptables-save
# https://serverfault.com/a/1082227
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -t filter -F
sudo iptables -t raw -F

sudo iptables -t nat -X
sudo iptables -t mangle -X
sudo iptables -t filter -X
sudo iptables -t raw -X

echo "=== NAT ==="; sudo iptables -t nat -S; echo "\n=== MANGLE ==="; sudo iptables -t mangle -S; echo "\n=== FILTER ==="; sudo iptables -t filter -S; echo "\n=== RAW ==="; sudo iptables -t raw -S
# https://unix.stackexchange.com/a/283803/50703
# Masquerade outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Allow return traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward everything
iptables -A FORWARD -j ACCEPT
# https://unix.stackexchange.com/a/283802/50703
-I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# https://serverfault.com/a/866668
# too complicated no explanation
# https://arashmilani.com/post?id=53
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
  • why is linux help never explanatory, what do those commands even do?
# https://github.com/aerodomigue/qbittorrent-nordvpn/blob/a6f289fa7665831fc850a78cb39a8b30f7bf2343/root/etc/services.d/nordvpn/run
#!/usr/bin/with-contenv bash
[[ -n ${DEBUG} ]] && set -x
[[ -n ${COUNTRY} && -z ${CONNECT} ]] && CONNECT=${COUNTRY}
[[ "${PGID:-""}" =~ ^[0-9]+$ ]] && groupmod -g $PGID -o vpn
DOCKER_NET="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')"
custom_kill_switch() {
local docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4; exit}')"
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tap+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT || {
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -d api.nordvpn.com -j ACCEPT
}
iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
if [[ -n ${DOCKER_NET} ]]; then
iptables -A INPUT -s ${DOCKER_NET} -j ACCEPT
iptables -A FORWARD -d ${DOCKER_NET} -j ACCEPT
iptables -A FORWARD -s ${DOCKER_NET} -j ACCEPT
iptables -A OUTPUT -d ${DOCKER_NET} -j ACCEPT
fi
[[ -n ${NETWORK} ]] && for net in ${NETWORK//[;,]/ }; do return_route ${net}; done
[[ -n ${WHITELIST} ]] && for domain in ${WHITELIST//[;,]/ }; do white_list ${domain}; done
ip6tables -F 2>/dev/null
ip6tables -X 2>/dev/null
ip6tables -P INPUT DROP 2>/dev/null
ip6tables -P FORWARD DROP 2>/dev/null
ip6tables -P OUTPUT DROP 2>/dev/null
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
ip6tables -A INPUT -p icmp -j ACCEPT 2>/dev/null
ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -p icmp -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -i lo -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o tap+ -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o tun+ -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT 2>/dev/null || {
ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -j ACCEPT 2>/dev/null
}
if [[ -n ${docker6_network} ]]; then
ip6tables -A INPUT -s ${docker6_network} -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -d ${docker6_network} -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -s ${docker6_network} -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -d ${docker6_network} -j ACCEPT 2>/dev/null
fi
[[ -n ${NETWORK6} ]] && for net in ${NETWORK6//[;,]/ }; do return_route6 ${net}; done
}
return_route() { # Add a route back to your network, so that return traffic works
local network="$1" gw="$(ip route |awk '/default/ {print $3}')"
ip route | grep -q "$network" || ip route add to $network via $gw dev eth0
iptables -A INPUT -s $network -j ACCEPT
iptables -A FORWARD -d $network -j ACCEPT
iptables -A FORWARD -s $network -j ACCEPT
iptables -A OUTPUT -d $network -j ACCEPT
}
return_route6() { # Add a route back to your network, so that return traffic works
local network="$1" gw="$(ip -6 route | awk '/default/{print $3}')"
ip -6 route | grep -q "$network" || ip -6 route add to $network via $gw dev eth0
ip6tables -A INPUT -s $network -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -d $network -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -s $network -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -d $network -j ACCEPT 2>/dev/null
}
white_list() { # Allow unsecured traffic for an specific domain
local domain=`echo $1 | sed 's/^.*:\/\///;s/\/.*$//'`
sg vpn -c "iptables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT"
sg vpn -c "ip6tables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT 2>/dev/null"
}
create_tun_device() {
mkdir -p /dev/net
[[ -c /dev/net/tun ]] || mknod -m 0666 /dev/net/tun c 10 200
}
setup_nordvpn() {
[[ -n ${TECHNOLOGY} ]] && nordvpn set technology ${TECHNOLOGY}
[[ -n ${PROTOCOL} ]] && nordvpn set protocol ${PROTOCOL}
[[ -n ${OBFUSCATE} ]] && nordvpn set obfuscate ${OBFUSCATE}
[[ -n ${CYBER_SEC} ]] && nordvpn set cybersec ${CYBER_SEC}
[[ -n ${DNS} ]] && nordvpn set dns ${DNS//[;,]/ }
[[ -n ${DOCKER_NET} ]] && nordvpn whitelist add subnet ${DOCKER_NET}
[[ -n ${NETWORK} ]] && for net in ${NETWORK//[;,]/ }; do nordvpn whitelist add subnet ${net}; done
[[ -n ${PORTS} ]] && for port in ${PORTS//[;,]/ }; do nordvpn whitelist add port ${port}; done
[[ -n ${DEBUG} ]] && nordvpn -version && nordvpn settings
}
if [ "${KILL_SWITCH}" = "custom" ]; then
custom_kill_switch
elif [ "${KILL_SWITCH}" = "on" ]; then
nordvpn set killswitch on
else
nordvpn set killswitch off
fi
pkill nordvpnd
rm -f /run/nordvpnd.sock
sg vpn -c nordvpnd &
while [ ! -S /run/nordvpnd.sock ]; do
sleep 0.25
done
nordvpn login -u ${USER} -p "${PASS}"
setup_nordvpn
create_tun_device
nordvpn connect ${CONNECT} || exit 1
nordvpn status
tail -f --pid=$(pidof nordvpnd) /var/log/nordvpn/daemon.log
# https://raw.githubusercontent.com/davesdere/configs/836def6e3f7aac657fd007c8ef32e38ee91a4fac/dockerfiles/nordvpn/start_vpn.sh#!/bin/bash
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P OUTPUT DROP 2>/dev/null
ip6tables -P INPUT DROP 2>/dev/null
ip6tables -P FORWARD DROP 2>/dev/null
iptables -F
iptables -X
ip6tables -F 2>/dev/null
ip6tables -X 2>/dev/null
[[ "${DEBUG,,}" == trace* ]] && set -x
if [ "$(cat /etc/timezone)" != "${TZ}" ]; then
if [ -d "/usr/share/zoneinfo/${TZ}" ] || [ ! -e "/usr/share/zoneinfo/${TZ}" ] || [ -z "${TZ}" ]; then
TZ="Etc/UTC"
fi
ln -fs "/usr/share/zoneinfo/${TZ}" /etc/localtime
dpkg-reconfigure -f noninteractive tzdata 2>/dev/null
fi
echo "[$(date -Iseconds)] Firewall is up, everything has to go through the vpn"
docker_network="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')"
docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4; exit}')"
echo "[$(date -Iseconds)] Enabling connection to secure interfaces"
if [[ -n ${docker_network} ]]; then
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tap+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -o nordlynx+ -j ACCEPT
iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
iptables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE
fi
if [[ -n ${docker6_network} ]]; then
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -p icmp -j ACCEPT
ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o tap+ -j ACCEPT
ip6tables -A OUTPUT -o tun+ -j ACCEPT
ip6tables -A OUTPUT -o nordlynx+ -j ACCEPT
ip6tables -t nat -A POSTROUTING -o tap+ -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
ip6tables -t nat -A POSTROUTING -o nordlynx+ -j MASQUERADE
fi
echo "[$(date -Iseconds)] Enabling connection to nordvpn group"
if [[ -n ${docker_network} ]]; then
iptables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT || {
echo "[$(date -Iseconds)] group match failed, fallback to open necessary ports"
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
}
fi
if [[ -n ${docker6_network} ]]; then
ip6tables -A OUTPUT -m owner --gid-owner nordvpn -j ACCEPT || {
echo "[$(date -Iseconds)] ip6 group match failed, fallback to open necessary ports"
ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
ip6tables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
}
fi
echo "[$(date -Iseconds)] Enabling connection to docker network"
if [[ -n ${docker_network} ]]; then
iptables -A INPUT -s "${docker_network}" -j ACCEPT
iptables -A FORWARD -d "${docker_network}" -j ACCEPT
iptables -A FORWARD -s "${docker_network}" -j ACCEPT
iptables -A OUTPUT -d "${docker_network}" -j ACCEPT
fi
if [[ -n ${docker6_network} ]]; then
ip6tables -A INPUT -s "${docker6_network}" -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -d "${docker6_network}" -j ACCEPT 2>/dev/null
ip6tables -A FORWARD -s "${docker6_network}" -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -d "${docker6_network}" -j ACCEPT 2>/dev/null
fi
if [[ -n ${docker_network} && -n ${NETWORK} ]]; then
gw=$(ip route | awk '/default/ {print $3}')
for net in ${NETWORK//[;,]/ }; do
echo "[$(date -Iseconds)] Enabling connection to network ${net}"
ip route | grep -q "$net" || ip route add to "$net" via "$gw" dev eth0
iptables -A INPUT -s "$net" -j ACCEPT
iptables -A FORWARD -d "$net" -j ACCEPT
iptables -A FORWARD -s "$net" -j ACCEPT
iptables -A OUTPUT -d "$net" -j ACCEPT
done
fi
if [[ -n ${docker6_network} && -n ${NETWORK6} ]]; then
gw6=$(ip -6 route | awk '/default/{print $3}')
for net6 in ${NETWORK6//[;,]/ }; do
echo "[$(date -Iseconds)] Enabling connection to network ${net6}"
ip -6 route | grep -q "$net6" || ip -6 route add to "$net6" via "$gw6" dev eth0
ip6tables -A INPUT -s "$net6" -j ACCEPT
ip6tables -A FORWARD -d "$net6" -j ACCEPT
ip6tables -A FORWARD -s "$net6" -j ACCEPT
ip6tables -A OUTPUT -d "$net6" -j ACCEPT
done
fi
if [[ -n ${WHITELIST} ]]; then
for domain in ${WHITELIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
echo "[$(date -Iseconds)] Enabling connection to host ${domain}"
sg nordvpn -c "iptables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT"
sg nordvpn -c "ip6tables -A OUTPUT -o eth0 -d ${domain} -j ACCEPT 2>/dev/null"
done
fi
mkdir -p /dev/net
[[ -c /dev/net/tun ]] || mknod -m 0666 /dev/net/tun c 10 200
restart_daemon() {
echo "[$(date -Iseconds)] Restarting the service"
service nordvpn stop
rm -rf /run/nordvpn/nordvpnd.sock
service nordvpn start
echo "[$(date -Iseconds)] Waiting for the service to start"
attempt_counter=0
max_attempts=50
until [ -S /run/nordvpn/nordvpnd.sock ]; do
if [ ${attempt_counter} -eq ${max_attempts} ]; then
echo "[$(date -Iseconds)] Max attempts reached"
exit 1
fi
attempt_counter=$((attempt_counter + 1))
sleep 0.1
done
}
restart_daemon
echo "[$(date -Iseconds)] Pre-logging settings $(nordvpn -version)"
[[ -n ${DNS} ]] && nordvpn set dns ${DNS//[;,]/ }
[[ -n ${CYBER_SEC} ]] && nordvpn set cybersec ${CYBER_SEC}
[[ -n ${OBFUSCATE} ]] && nordvpn set obfuscate ${OBFUSCATE} && sleep 3
if [[ "${DEBUG,,}" == trace+* ]]; then
echo "[$(date -Iseconds)] ############# WARNING ############### make sure to remove user/pass before sharing this log"
else
set +x
[[ "${DEBUG,,}" == trace* ]] && echo "[$(date -Iseconds)] Hiding user/password from the logs, set DEBUG=trace+ if you want to show them in the logs"
fi
[[ -z "${PASS}" ]] && [[ -f "${PASSFILE}" ]] && PASS="$(head -n 1 "${PASSFILE}")"
echo "[$(date -Iseconds)] Logging in"
nordvpn logout >/dev/null
nordvpn login --username "${USER}" --password "${PASS}" || {
echo "[$(date -Iseconds)] Invalid Username or password."
exit 1
}
[[ "${DEBUG,,}" == trace* ]] && set -x
echo "[$(date -Iseconds)] Post-logging settings $(nordvpn -version)"
[[ -n ${FIREWALL} ]] && nordvpn set firewall ${FIREWALL}
[[ -n ${KILLSWITCH} ]] && nordvpn set killswitch ${KILLSWITCH}
[[ -n ${PROTOCOL} ]] && nordvpn set protocol ${PROTOCOL}
[[ -n ${TECHNOLOGY} ]] && nordvpn set technology ${TECHNOLOGY}
if [[ -n ${docker_network} ]]; then
nordvpn whitelist add subnet ${docker_network}
[[ -n ${NETWORK} ]] && for net in ${NETWORK//[;,]/ }; do nordvpn whitelist add subnet "${net}"; done
fi
if [[ -n ${docker6_network} ]]; then
nordvpn set ipv6 on
nordvpn whitelist add subnet ${docker6_network}
[[ -n ${NETWORK6} ]] && for net in ${NETWORK6//[;,]/ }; do nordvpn whitelist add subnet "${net}"; done
fi
[[ -n ${PORTS} ]] && for port in ${PORTS//[;,]/ }; do nordvpn whitelist add port "${port}"; done
[[ -n ${PORT_RANGE} ]] && nordvpn whitelist add ports ${PORT_RANGE}
[[ -n ${DEBUG} ]] && nordvpn settings
connect() {
echo "[$(date -Iseconds)] Connecting..."
current_sleep=1
until nordvpn connect ${CONNECT}; do
if [ ${current_sleep} -gt 4096 ]; then
echo "[$(date -Iseconds)] Unable to connect."
tail -n 200 /var/log/nordvpn/daemon.log
exit 1
fi
echo "[$(date -Iseconds)] Unable to connect retrying in ${current_sleep} seconds."
sleep ${current_sleep}
current_sleep=$((current_sleep * 2))
done
if [[ ! -z "${POST_CONNECT}" ]]; then
eval ${POST_CONNECT}
fi
}
connect
[[ -n ${DEBUG} ]] && tail -n 1 -f /var/log/nordvpn/daemon.log &
cleanup() {
nordvpn status
nordvpn disconnect
nordvpn logout
service nordvpn stop
trap - SIGTERM SIGINT EXIT # https://bash.cyberciti.biz/guide/How_to_clear_trap
exit 0
}
trap cleanup SIGTERM SIGINT EXIT # https://www.ctl.io/developers/blog/post/gracefully-stopping-docker-containers/
[[ -n ${RECONNECT} && -z ${CHECK_CONNECTION_INTERVAL} ]] && CHECK_CONNECTION_INTERVAL=${RECONNECT}
while true; do
sleep "${CHECK_CONNECTION_INTERVAL:-300}"
if [[ ! $(curl -Is -m 30 -o /dev/null -w "%{http_code}" "${CHECK_CONNECTION_URL:-www.google.com}") =~ ^[23] ]]; then
echo "[$(date -Iseconds)] Unstable connection detected!"
nordvpn status
restart_daemon
connect
fi
done
# https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh
# https://github.com/ProtonVPN/scripts
#!/usr/bin/env bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
# 07/2013 colin@daedrum.net Fixed intet name
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
# foreign_option_4='dhcp-option DOMAIN-SEARCH bnc.local'
## The 'type' builtins will look for file in $PATH variable, so we set the
## PATH below. You might need to directly set the path to 'resolvconf'
## manually if it still doesn't work, i.e.
## RESOLVCONF=/usr/sbin/resolvconf
export PATH=$PATH:/sbin:/usr/sbin:/bin:/usr/bin
RESOLVCONF=$(type -p resolvconf)
case $script_type in
up)
for optionname in ${!foreign_option_*} ; do
option="${!optionname}"
echo $option
part1=$(echo "$option" | cut -d " " -f 1)
if [ "$part1" == "dhcp-option" ] ; then
part2=$(echo "$option" | cut -d " " -f 2)
part3=$(echo "$option" | cut -d " " -f 3)
if [ "$part2" == "DNS" ] ; then
IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
fi
if [[ "$part2" == "DOMAIN" || "$part2" == "DOMAIN-SEARCH" ]] ; then
IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
fi
fi
done
R=""
if [ "$IF_DNS_SEARCH" ]; then
R="search "
for DS in $IF_DNS_SEARCH ; do
R="${R} $DS"
done
R="${R}
"
fi
for NS in $IF_DNS_NAMESERVERS ; do
R="${R}nameserver $NS
"
done
#echo -n "$R" | $RESOLVCONF -x -p -a "${dev}"
echo -n "$R" | $RESOLVCONF -x -a "${dev}.inet"
;;
down)
$RESOLVCONF -d "${dev}.inet"
;;
esac
# Workaround / jm@epiclabs.io
# force exit with no errors. Due to an apparent conflict with the Network Manager
# $RESOLVCONF sometimes exits with error code 6 even though it has performed the
# action correctly and OpenVPN shuts down.
exit 0
# https://raw.githubusercontent.com/Tyrean737/i3config/9009d0fd0e8d6fa9157abb020ed4273942ce554c/.scripts/vpn_secure_connect.sh
#!/bin/bash
#***************************************************************************************************************#
# This Script uses iptables to block all traffic except to and from the IP of the selected VPN. #
# When disconnected it asks if the normal setting shall be restore again. #
# #
# In case you want to manually restore the settings run 'iptables-restore iptables_BackUp_temp' (file is #
# located in the user directory). #
# #
# This script uses 'dns_nordvpn_0.sh', 'dns_nordvpn_1.sh', 'ipv6_diable.sh' and 'ipv6_enable.sh'. #
#***************************************************************************************************************#
# Setting up paths
USER="tobias"
PATH_USER="/home/$USER"
PATH_OVPN="/home/$USER/.ovpn"
# Check if run as root
if [ $(id -u) -ne 0 ]; then
echo "Please run as root!"
exit
fi
# Set DNS servers and disable ipv6
dns_nordvpn_1.sh
ipv6_disable.sh
# Get and print local network IP range
LOCAL_IPS=$(ip a | awk '/inet 192.*/ {print $2}' | awk -F'.' '{print $1"."$2"."$3".0/24"}')
echo "Local network IP range is: $LOCAL_IPS"
read -p "Enter NordVPN server to connect to (e.g. de33): " VPN_ID
read -p "Enter connection protocol (tcp/udp, only lower case letters!) [default: tcp]: " VPN_PROTOCOL
if [ -z $VPN_PROTOCOL ]; then
VPN_PROTOCOL="tcp"
fi
# Get VPN
VPN_IP=$(awk '/remote / {print $2}' $PATH_OVPN/$VPN_PROTOCOL/$VPN_ID.nordvpn.com.$VPN_PROTOCOL.ovpn)
# Backup current iptables config
iptables-save -f $PATH_USER/iptables_BackUp_temp
# Flush iptables
iptables -F
# Allow loopback device (internal communication)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow all local traffic.
iptables -A INPUT -s $LOCAL_IPS -j ACCEPT
iptables -A OUTPUT -d $LOCAL_IPS -j ACCEPT
# Allow traffic to VPN
iptables -A INPUT -s $VPN_IP -j ACCEPT
iptables -A OUTPUT -d $VPN_IP -j ACCEPT
# Allow traffic to NordVPN DNS servers (Does not seem to be nescessary)
#iptables -A INPUT -s 103.86.96.100 -j ACCEPT
#iptables -A OUTPUT -d 103.86.96.100 -j ACCEPT
#iptables -A INPUT -s 103.86.99.100 -j ACCEPT
#iptables -A OUTPUT -d 103.86.99.100 -j ACCEPT
# Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
# Set default policies to drop all communication unless specifically allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Connect to VPN
openvpn $PATH_OVPN/$VPN_PROTOCOL/$VPN_ID.nordvpn.com.$VPN_PROTOCOL.ovpn
# Ask if setting shall be restored
echo "Disconnected from VPN!"
read -p "Shall traffic be allowed again? [y/N]" restore
if [[ "$restore" == "y" || "$restore" == "Y" ]]; then
iptables-restore $PATH_USER/iptables_BackUp_temp
dns_nordvpn_0.sh
ipv6_enable.sh
echo "All settings restored and normal traffic allowed again!"
else
echo "Keep traffic forbidden!"
fi
> sudo iptables -L -v
[sudo] password for balupton: 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 > resolvectl status --no-pager
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (ens33)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.4.1
       DNS Servers: 192.168.4.1
>  sudo-helper -- resolvectl default-route  ens33
Link 2 (ens33): yes
> openvpn --config au614.nordvpn.com.udp1194.ovpn
2022-09-23 22:27:19 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-23 22:27:19 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-23 22:27:19 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Enter Auth Username: redacted
🔐 Enter Auth Password: ************************
2022-09-23 22:27:29 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2022-09-23 22:27:29 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-09-23 22:27:29 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-09-23 22:27:29 TCP/UDP: Preserving recently used remote address: [AF_INET]103.137.12.163:1194
2022-09-23 22:27:29 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-09-23 22:27:29 UDP link local: (not bound)
2022-09-23 22:27:29 UDP link remote: [AF_INET]103.137.12.163:1194
2022-09-23 22:27:29 TLS: Initial packet from [AF_INET]103.137.12.163:1194, sid=6df699e9 adaca097
2022-09-23 22:27:29 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2022-09-23 22:27:29 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
2022-09-23 22:27:29 VERIFY KU OK
2022-09-23 22:27:29 Validating certificate extended key usage
2022-09-23 22:27:29 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-09-23 22:27:29 VERIFY EKU OK
2022-09-23 22:27:29 VERIFY X509NAME OK: CN=au614.nordvpn.com
2022-09-23 22:27:29 VERIFY OK: depth=0, CN=au614.nordvpn.com
2022-09-23 22:27:29 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-09-23 22:27:29 [au614.nordvpn.com] Peer Connection Initiated with [AF_INET]103.137.12.163:1194
2022-09-23 22:27:31 SENT CONTROL [au614.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2022-09-23 22:27:31 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.6 255.255.255.0,peer-id 7,cipher AES-256-GCM'
2022-09-23 22:27:31 OPTIONS IMPORT: timers and/or timeouts modified
2022-09-23 22:27:31 OPTIONS IMPORT: explicit notify parm(s) modified
2022-09-23 22:27:31 OPTIONS IMPORT: compression parms modified
2022-09-23 22:27:31 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-09-23 22:27:31 Socket Buffers: R=[212992->425984] S=[212992->425984]
2022-09-23 22:27:31 OPTIONS IMPORT: --ifconfig/up options modified
2022-09-23 22:27:31 OPTIONS IMPORT: route options modified
2022-09-23 22:27:31 OPTIONS IMPORT: route-related options modified
2022-09-23 22:27:31 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-09-23 22:27:31 OPTIONS IMPORT: peer-id set
2022-09-23 22:27:31 OPTIONS IMPORT: adjusting link_mtu to 1657
2022-09-23 22:27:31 OPTIONS IMPORT: data channel crypto options modified
2022-09-23 22:27:31 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-09-23 22:27:31 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-23 22:27:31 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-23 22:27:31 net_route_v4_best_gw query: dst 0.0.0.0
2022-09-23 22:27:31 net_route_v4_best_gw result: via 192.168.4.1 dev ens33
2022-09-23 22:27:31 ROUTE_GATEWAY 192.168.4.1/255.255.252.0 IFACE=ens33 HWADDR=00:0c:29:c7:7a:02
2022-09-23 22:27:31 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2022-09-23 22:27:31 Exiting due to fatal error
> sudo openvpn --config au614.nordvpn.com.udp1194.ovpn
2022-09-23 22:27:46 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-23 22:27:46 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-23 22:27:46 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Enter Auth Username: redacted
🔐 Enter Auth Password: ************************
2022-09-23 22:27:52 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2022-09-23 22:27:52 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-09-23 22:27:52 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-09-23 22:27:52 TCP/UDP: Preserving recently used remote address: [AF_INET]103.137.12.163:1194
2022-09-23 22:27:52 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-09-23 22:27:52 UDP link local: (not bound)
2022-09-23 22:27:52 UDP link remote: [AF_INET]103.137.12.163:1194
2022-09-23 22:27:52 TLS: Initial packet from [AF_INET]103.137.12.163:1194, sid=7eb62b69 0ad279f4
2022-09-23 22:27:52 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2022-09-23 22:27:52 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
2022-09-23 22:27:52 VERIFY KU OK
2022-09-23 22:27:52 Validating certificate extended key usage
2022-09-23 22:27:52 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-09-23 22:27:52 VERIFY EKU OK
2022-09-23 22:27:52 VERIFY X509NAME OK: CN=au614.nordvpn.com
2022-09-23 22:27:52 VERIFY OK: depth=0, CN=au614.nordvpn.com
2022-09-23 22:27:52 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2022-09-23 22:27:52 [au614.nordvpn.com] Peer Connection Initiated with [AF_INET]103.137.12.163:1194
2022-09-23 22:27:52 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.9 255.255.255.0,peer-id 12,cipher AES-256-GCM'
2022-09-23 22:27:52 OPTIONS IMPORT: timers and/or timeouts modified
2022-09-23 22:27:52 OPTIONS IMPORT: explicit notify parm(s) modified
2022-09-23 22:27:52 OPTIONS IMPORT: compression parms modified
2022-09-23 22:27:52 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2022-09-23 22:27:52 Socket Buffers: R=[212992->425984] S=[212992->425984]
2022-09-23 22:27:52 OPTIONS IMPORT: --ifconfig/up options modified
2022-09-23 22:27:52 OPTIONS IMPORT: route options modified
2022-09-23 22:27:52 OPTIONS IMPORT: route-related options modified
2022-09-23 22:27:52 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-09-23 22:27:52 OPTIONS IMPORT: peer-id set
2022-09-23 22:27:52 OPTIONS IMPORT: adjusting link_mtu to 1657
2022-09-23 22:27:52 OPTIONS IMPORT: data channel crypto options modified
2022-09-23 22:27:52 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-09-23 22:27:52 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-23 22:27:52 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-09-23 22:27:52 net_route_v4_best_gw query: dst 0.0.0.0
2022-09-23 22:27:52 net_route_v4_best_gw result: via 192.168.4.1 dev ens33
2022-09-23 22:27:52 ROUTE_GATEWAY 192.168.4.1/255.255.252.0 IFACE=ens33 HWADDR=00:0c:29:c7:7a:02
2022-09-23 22:27:52 TUN/TAP device tun0 opened
2022-09-23 22:27:52 net_iface_mtu_set: mtu 1500 for tun0
2022-09-23 22:27:52 net_iface_up: set tun0 up
2022-09-23 22:27:52 net_addr_v4_add: 10.8.1.9/24 dev tun0
2022-09-23 22:27:52 net_route_v4_add: 103.137.12.163/32 via 192.168.4.1 dev [NULL] table 0 metric -1
2022-09-23 22:27:52 net_route_v4_add: 0.0.0.0/1 via 10.8.1.1 dev [NULL] table 0 metric -1
2022-09-23 22:27:52 net_route_v4_add: 128.0.0.0/1 via 10.8.1.1 dev [NULL] table 0 metric -1
2022-09-23 22:27:52 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-09-23 22:27:52 Initialization Sequence Completed
> what-is-my-ip
Local: 192.168.7.162
Remote: 124.169.100.242

> route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 ens33
103.137.12.163  _gateway        255.255.255.255 UGH   0      0        0 ens33
192.168.4.0     0.0.0.0         255.255.252.0   U     100    0        0 ens33
_gateway        0.0.0.0         255.255.255.255 UH    100    0        0 ens33
> ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c7:7a:02 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.7.162/22 metric 100 brd 192.168.7.255 scope global dynamic ens33
       valid_lft 14017sec preferred_lft 14017sec
    inet6 fe80::20c:29ff:fec7:7a02/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500
    link/none 
> sudo iptables -L -v
[sudo] password for balupton: 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
22:31:30:balupton@vm-ubuntu-server:/home/balupton
> resolvectl status --no-pager
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (ens33)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.4.1
       DNS Servers: 192.168.4.1

Link 4 (tun0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
# adding redirect-gateway def1 to .ovpn and didn't do anything, even after
sudo sysctl net.ipv4.ip_forward=1
sudo sysctl net.ipv6.conf.all.disable_ipv6=1
ufw disable

# as well as
sudo iptables -I FORWARD -i tun0 -o ens33 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t nat -I POSTROUTING -o ens33  -s 10.8.0.0/24 -
; > sudo iptables -L -v
; [sudo] password for balupton: 
; Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
;  pkts bytes target     prot opt in     out     source               destination         
; 23:41:42:balupton@vm-ubuntu-server:/home/balupton
# nord worked
setup-util-nordvpn
sudo usermod -aG nordvpn balupton
exit
nordvpn login --token redacted
nordvpn whitelist add port 22 # ufw did not work
nordvpn connect
# this worked however killed ssh
> sudo iptables -L -v
[sudo] password for balupton: 
Chain INPUT (policy ACCEPT 3004 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:22 /* nordvpn */
    0     0 ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp spt:22 /* nordvpn */
   99 12570 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:ssh /* nordvpn */
    0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp spt:ssh /* nordvpn */
  229 67532 ACCEPT     all  --  ens33  any     anywhere             anywhere             connmark match  0xe1f1 /* nordvpn */
  256 84166 DROP       all  --  ens33  any     anywhere             anywhere             /* nordvpn */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2201 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  any    ens33   anywhere             anywhere             udp dpt:22 /* nordvpn */
    0     0 ACCEPT     udp  --  any    ens33   anywhere             anywhere             udp spt:22 /* nordvpn */
    0     0 ACCEPT     tcp  --  any    ens33   anywhere             anywhere             tcp dpt:ssh /* nordvpn */
   70 12768 ACCEPT     tcp  --  any    ens33   anywhere             anywhere             tcp spt:ssh /* nordvpn */
  318 57844 CONNMARK   all  --  any    ens33   anywhere             anywhere             mark match 0xe1f1 /* nordvpn */ CONNMARK save
  318 57844 ACCEPT     all  --  any    ens33   anywhere             anywhere             connmark match  0xe1f1 /* nordvpn */
  103 20804 DROP       all  --  any    ens33   anywhere             anywhere             /* nordvpn */

Chain ufw-after-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (0 references)
 pkts bytes target     prot opt in     out     source               destination  
> nordvpn disconnect
New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/
You are disconnected from NordVPN.
How would you rate your connection quality on a scale from 1 (poor) to 5 (excellent)? Type 'nordvpn rate [1-5]'.
23:07:58:balupton@vm-ubuntu-server:/home/balupton
> sudo iptables -L -v
Chain INPUT (policy ACCEPT 3035 packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2238 packets, 179K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (0 references)
 pkts bytes target     prot opt in     out     source               destination      
# even after setup-dns, while nord is connected, it's still going to the local resolver
# let's debug how it gets there
> nslookup cloudflare.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	cloudflare.com
Address: 104.16.133.229
Name:	cloudflare.com
Address: 104.16.132.229
Name:	cloudflare.com
Address: 2606:4700::6810:85e5
Name:	cloudflare.com
Address: 2606:4700::6810:84e5
nordvpn set threatprotectionlite on # works fine
nordvpn set dns 192.168.5.20 # causes dns lookups to fail
nordvpn set dns 124.169.100.242 # works fine
# > debug-network
; DNS LISTENERS:
; Netid        State         Recv-Q         Send-Q                 Local Address:Port                   Peer Address:Port        Process                                             
; udp          UNCONN        0              0                      127.0.0.53%lo:domain                      0.0.0.0:*            users:(("systemd-resolve",pid=10111,fd=13))        
; tcp          LISTEN        0              4096                   127.0.0.53%lo:domain                      0.0.0.0:*            users:(("systemd-resolve",pid=10111,fd=14))        
; LISTENERS:
; tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      10111/systemd-resol 
; tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1129/sshd: /usr/sbi 
; tcp6       0      0 :::22                   :::*                    LISTEN      1129/sshd: /usr/sbi 
; DNS:
; Global:
; Link 2 (ens33): 9.9.9.9 149.112.112.112 2620:fe::9 192.168.4.1
; Link 11 (nordlynx): 124.169.100.242
# after `nordvpn d` internet failed, had to `sudo iptables -F` to fix
# now trying setup-dns with cloudflared
nordvpn set dns off
> nordvpn set dns off
; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/
; DNS is set to 'disabled' successfully.
; 23:21:08:balupton@vm-ubuntu-server:/home/balupton
; > nordvpn settings
; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/
; Technology: NORDLYNX
; Firewall: enabled
; Kill Switch: disabled
; Threat Protection Lite: disabled
; Notify: disabled
; Auto-connect: disabled
; IPv6: disabled
; Meshnet: disabled
; DNS: disabled
; Whitelisted ports:
;        22 (UDP|TCP)
# > debug-network
; DNS LISTENERS:
; Netid          State           Recv-Q          Send-Q                   Local Address:Port                     Peer Address:Port          Process                                          
; udp            UNCONN          0               0                                    *:domain                              *:*              users:(("cloudflared",pid=17894,fd=7))          
; tcp            LISTEN          0               4096                                 *:domain                              *:*              users:(("cloudflared",pid=17894,fd=8))          
; LISTENERS:
; tcp        0      0 127.0.0.1:46279         0.0.0.0:*               LISTEN      17894/cloudflared   
; tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1129/sshd: /usr/sbi 
; tcp6       0      0 :::53                   :::*                    LISTEN      17894/cloudflared   
; tcp6       0      0 :::22                   :::*                    LISTEN      1129/sshd: /usr/sbi 
; DNS:
# > what-is-my-ip
; Local: 192.168.7.162
; Remote: 103.107.197.134
; > sudo iptables -L -v
; Chain INPUT (policy ACCEPT 11145 packets, 62M bytes)
;  pkts bytes target     prot opt in     out     source               destination         
;     0     0 ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp dpt:22 /* nordvpn */
;     0     0 ACCEPT     udp  --  ens33  any     anywhere             anywhere             udp spt:22 /* nordvpn */
;   293 17756 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp dpt:ssh /* nordvpn */
;     0     0 ACCEPT     tcp  --  ens33  any     anywhere             anywhere             tcp spt:ssh /* nordvpn */
;   166 50868 ACCEPT     all  --  ens33  any     anywhere             anywhere             connmark match  0xe1f1 /* nordvpn */
;    39 10153 DROP       all  --  ens33  any     anywhere             anywhere             /* nordvpn */

; Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain OUTPUT (policy ACCEPT 11079 packets, 1185K bytes)
;  pkts bytes target     prot opt in     out     source               destination         
;     0     0 ACCEPT     udp  --  any    ens33   anywhere             anywhere             udp dpt:22 /* nordvpn */
;     0     0 ACCEPT     udp  --  any    ens33   anywhere             anywhere             udp spt:22 /* nordvpn */
;     0     0 ACCEPT     tcp  --  any    ens33   anywhere             anywhere             tcp dpt:ssh /* nordvpn */
;   227 35012 ACCEPT     tcp  --  any    ens33   anywhere             anywhere             tcp spt:ssh /* nordvpn */
;   217 39756 CONNMARK   all  --  any    ens33   anywhere             anywhere             mark match 0xe1f1 /* nordvpn */ CONNMARK save
;   217 39756 ACCEPT     all  --  any    ens33   anywhere             anywhere             connmark match  0xe1f1 /* nordvpn */
;     4   356 DROP       all  --  any    ens33   anywhere             anywhere             /* nordvpn */

; Chain ufw-after-forward (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-after-input (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-after-logging-forward (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-after-logging-input (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-after-logging-output (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-after-output (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-before-forward (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-before-input (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-before-logging-forward (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-before-logging-input (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-before-logging-output (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-before-output (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-reject-forward (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-reject-input (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-reject-output (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-track-forward (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-track-input (0 references)
;  pkts bytes target     prot opt in     out     source               destination         

; Chain ufw-track-output (0 references)
;  pkts bytes target     prot opt in     out     source               destination    
# however, nslookup is giving a different result
; > nslookup cloudflare.com
; Server:		103.86.96.100
; Address:	103.86.96.100#53 <--- nordvpn dns srever

; Non-authoritative answer:
; Name:	cloudflare.com
; Address: 104.16.132.229
; Name:	cloudflare.com
; Address: 104.16.133.229
; Name:	cloudflare.com
; Address: 2606:4700::6810:85e5
; Name:	cloudflare.com
; Address: 2606:4700::6810:84e5

; 23:23:48:balupton@vm-ubuntu-server:/home/balupton
; > what-is-my-ip
; Local: 192.168.7.162
; Remote: 103.107.197.134
; > nordvpn set dns 127.0.0.1
; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/
; DNS is set to '127.0.0.1' successfully.
; 23:25:08:balupton@vm-ubuntu-server:/home/balupton
; > nslookup cloudflare.com
; Server:		127.0.0.1
; Address:	127.0.0.1#53

; ** server can't find cloudflare.com: SERVFAIL
; > nordvpn set dns 0.0.0.0
; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/
; DNS is set to '0.0.0.0' successfully.
; 23:25:28:balupton@vm-ubuntu-server:/home/balupton
; > nslookup cloudflare.com
; Server:		127.0.0.1
; Address:	127.0.0.1#53

; ** server can't find cloudflare.com: SERVFAIL
; > nordvpn whitelist add subnet 192.168.0.0/16
; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/
; Subnet 192.168.0.0/16 is whitelisted successfully.
; > nordvpn set dns 192.168.5.20
; New feature - Meshnet! Link remote devices in Meshnet to connect to them directly over encrypted private tunnels, and route your traffic through another device. Use the `nordvpn meshnet --help` command to get started. Learn more: https://nordvpn.com/features/meshnet/
; DNS is set to '192.168.5.20' successfully.
; 23:26:42:balupton@vm-ubuntu-server:/home/balupton
; > nslookup cloudflare.com
; Server:		192.168.5.20
; Address:	192.168.5.20#53

; Non-authoritative answer:
; Name:	cloudflare.com
; Address: 104.16.133.229
; Name:	cloudflare.com
; Address: 104.16.132.229
; Name:	cloudflare.com
; Address: 2606:4700::6810:84e5
; Name:	cloudflare.com
; Address: 2606:4700::6810:85e5

; DNS LISTENERS:
; Netid          State           Recv-Q          Send-Q                   Local Address:Port                     Peer Address:Port          Process                                          
; udp            UNCONN          0               0                                    *:domain                              *:*              users:(("cloudflared",pid=17894,fd=7))          
; tcp            LISTEN          0               4096                                 *:domain                              *:*              users:(("cloudflared",pid=17894,fd=8))          
; LISTENERS:
; tcp        0      0 127.0.0.1:46279         0.0.0.0:*               LISTEN      17894/cloudflared   
; tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1129/sshd: /usr/sbi 
; tcp6       0      0 :::53                   :::*                    LISTEN      17894/cloudflared   
; tcp6       0      0 :::22                   :::*                    LISTEN      1129/sshd: /usr/sbi 
; DNS:

these both fail on nslookup, even with whitelist subnet and port guarantees

nordvpn set dns $(what-is-my-ip local) nordvpn set dns 0.0.0.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment