@bluewalk
Last active July 22, 2024 17:14
Getting NordVPN WireGuard details

About

Instructions for obtaining the WireGuard details of your NordVPN account. These can be used to set up a WireGuard tunnel from your router to NordVPN.

Source: https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27

Prerequisites

Use any Linux machine you have, or install a VM if you don't have one.

Install the official NordVPN Linux app and make sure WireGuard is installed too. Then set the connection technology to NordLynx by running nordvpn set technology nordlynx

Fetching details

Connect to NordVPN with the command nordvpn connect (don't forget to log in first with nordvpn login --legacy).

Fetch (your) IP address

After a successful connection, run

ifconfig nordlynx

Fetch your private key

Run

sudo wg show nordlynx private-key

Output of this command should be something like this:

CKMAE9LARlt2eZHgGnNaSUYiKllKJN7f3hed/bWm5E8=

The key above is just a random key for demo purposes. Your real private key is the credential for the tunnel, so keep it out of screenshots and pastes.

Fetch your public key

Run

sudo wg show nordlynx public-key

Output of this command should be something like this:

TO158iXbNXt2eZHgGnNaSUYiKZHgGN7f3hed/bWm5E8=

The key above is just a random key for demo purposes.

Fetch server details

Make sure curl and jq are installed on your host/router; they are needed to fetch the NordVPN server configuration. If they are not installed, install them:

opkg install curl jq

After installation, enter the command below to fetch the recommended server config:

curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'

Output:

uk1818.nordvpn.com #your endpoint host
178.239.166.185 #its ip address
London #city
United Kingdom #country
K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE= #Server public key
10 #Server load at the time.

Or just visit the following URL https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1 in your browser and look for the details manually.

@Bahtiyar57

The only way to use hide.me with Wireguard is to use the hide.client.linux. There are no WireGuard configs.
I found this https://github.com/Seyloria/hide.me-server-switch and this https://github.com/passepartoutvpn/api-source-hideme?tab=readme-ov-file

@stravos97

alternative way without downloading their software (needs curl and jq):

  1. go to https://my.nordaccount.com/dashboard/nordvpn/manual-configuration/ and create an access token
  2. get your private key
curl -s -u token:<ACCESS_TOKEN> https://api.nordvpn.com/v1/users/services/credentials | jq -r .nordlynx_private_key
  3. get server info
curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'
  4. create config:
[Interface]
PrivateKey = <PRIVATE_KEY> # from step 2
Address = 10.5.0.2/32 # this IP is always the same
DNS = 9.9.9.9 # your favorite DNS server

[Peer]
PublicKey = <PUBLIC_KEY> # from step 3
AllowedIPs = 0.0.0.0/0, ::/0 # route everything
Endpoint = <ENDPOINT>:51820 # endpoint or IP from step 3, the port is always the same

This didn't work for me. Here is the adjusted version that worked:

Fetching the Server Information:

SERVER_INFO=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1")
# Quote "$SERVER_INFO" so the shell does not word-split or glob the JSON
HOSTNAME=$(echo "$SERVER_INFO" | jq -r '.[0].hostname')
PUBLIC_KEY=$(echo "$SERVER_INFO" | jq -r '.[0].technologies[] | select(.identifier == "wireguard_udp").metadata[] | select(.name == "public_key").value')
ENDPOINT=$(echo "$SERVER_INFO" | jq -r '.[0].station')

echo "Hostname: $HOSTNAME"
echo "Public Key: $PUBLIC_KEY"
echo "Endpoint: $ENDPOINT"

Fetching the Private Key:

ACCESS_TOKEN="<ACCESS_TOKEN>"
PRIVATE_KEY=$(curl -s -u "token:$ACCESS_TOKEN" https://api.nordvpn.com/v1/users/services/credentials | jq -r .nordlynx_private_key)
echo "Private Key: $PRIVATE_KEY"
echo "Endpoint: $ENDPOINT"
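
One way to assemble the collected values into a config file, as an added example that is not part of the gist or of any comment: it validates the key and endpoint formats and writes the file owner-only, reading the private key from a file so it is never echoed to the terminal. The function names are hypothetical; the address 10.5.0.2/32, DNS 9.9.9.9 and port 51820 are the values given in the comment above.

```shell
#!/bin/sh
# Added example (not the gist author's code). Function names are hypothetical.
LC_ALL=C; export LC_ALL

# A WireGuard key is 32 bytes: 43 base64 characters plus one '=' pad, and the
# 43rd character can only be one whose low two bits are zero.
is_wg_key() {
    case "$1" in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # also rejects newlines
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Endpoint must be a bare hostname or IPv4 address (no port, no whitespace),
# so a value taken from an API response cannot add extra lines to the config.
is_endpoint() {
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# write_wg_conf OUTFILE KEYFILE SERVER_PUBKEY ENDPOINT
# KEYFILE holds the private key, e.g. saved beforehand with
#   ( umask 077; sudo wg show nordlynx private-key > nordlynx.key )
# The body runs in a subshell, so the key variable and umask do not leak
# into the calling shell.
write_wg_conf() (
    key=$(cat "$2") || exit 1
    is_wg_key "$key" || { echo "private key is malformed" >&2; exit 1; }
    is_wg_key "$3"   || { echo "server public key is malformed" >&2; exit 1; }
    is_endpoint "$4" || { echo "endpoint is malformed" >&2; exit 1; }
    umask 077        # new file is created with mode 0600
    rm -f "$1"       # do not inherit wider permissions from an old file
    cat > "$1" <<EOF
[Interface]
PrivateKey = $key
Address = 10.5.0.2/32
DNS = 9.9.9.9

[Peer]
PublicKey = $3
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $4:51820
EOF
)
```
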

@EmSixTeen

Had a massive faff doing this, didn't work through WSL at all for me, but ended up getting the key after fiddling with an Ubuntu VM on VMWare Player. This shouldn't be this difficult, thanks for the guidance.

@Glideh

Glideh commented Jun 6, 2024

curl -s -u token:<ACCESS_TOKEN> https://api.nordvpn.com/v1/users/services/credentials

Worked fine for me thanks @dumbasPL

@dvcrn

dvcrn commented Jun 7, 2024

Interesting way to retrieve the credentials, thanks for sharing! Maybe we can add that to https://github.com/dvcrn/generate-nordvpn-wgconf/ as another way to fetch the necessary creds besides just osxkeychain or manual specifying

@DarkGamer7798

DarkGamer7798 commented Jul 16, 2024

For anyone wondering how to set this up on a FRITZ!Box router here's how I did it

  1. Follow the steps
  2. Create a config (.conf) file and write as follows:
[Interface]
PrivateKey = {YOUR PRIVATE KEY} # sudo wg show nordlynx private-key (step 2)
Address = 10.5.0.2/32 # don't change this as it's always the same
DNS = {A DNS SERVER} # I used 8.8.8.8
 
[Peer]
PublicKey = {ENDPOINT PUBLIC KEY} # step 4
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = {ENDPOINT HOST}:51820 # ex. uk1818.nordvpn.com (step 4)
  3. Log in to the router's interface
  4. Go to Internet > Permit Access > VPN (Wireguard)
  5. Click Add Connection and then click "Connect networks or establish special connections", then "Next"
  6. "Has this WireGuard connection already been set up at the remote connection?" click "Yes" and then "Next"
  7. Enter a name for the connection
  8. Upload the .conf file you created
  9. Enable the option "Send all network traffic via the VPN connection"
  10. Click "Finish"

This worked perfectly for me on my FRITZ!Box 7590
