NordVPN in LXC UnPriv/Priv Container Doesn't Work

Ashar003 · June 10, 2020, 6:00pm

Goal: Designate a network, using NordVPN, which is the only network a certain container can use, so as to prevent leaking onto the host network.

I am using snap lxd.
I consistently receive the error message: “transport is closing”, right after “Connecting to {Country} #NUMB (domain name)”

Errors in Syslog:
nordvpnd.service: Failed with result ‘exit-code’.
nordvpnd.socket: TCP_NODELAY failed: Operation not supported

I was going to follow this guide: https://blog.san-ss.com.ar/2015/11/setting-up-vpn-gateway-in-ubuntu-using

Note: On the host system, it works flawlessly.

stgraber · June 10, 2020, 6:53pm

Looks like that particular VPN is trying to do something that requires more privileges than containers normally have.

What protocol does NordVPN use in this case?
What’s in nordvpnd.socket and nordvpnd.service?

Ashar003 · June 10, 2020, 7:05pm

This text will be hidden

In /var/lib/nordvpn/data/.config.ovpn:(redacted the certification and keys)

client

dev tun

remote 23.226.133.173 1194 udp

resolv-retry infinite

remote-random

nobind

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

persist-key

persist-tun

reneg-sec 0

server-poll-timeout 5

remote-cert-tls server

auth-user-pass

verb 3

pull

fast-io

cipher AES-256-CBC

auth SHA512

redacted…

pull-filter ignore "ifconfig-ipv6 "

pull-filter ignore "route-ipv6 "

ping 15

ping-restart 0

ping-timer-rem

NordVPN Daemon
/usr/sbin/nordvpnd

Running ‘nordvpnd’, retreieves this :
Error on listening to UNIX domain socket: listen unix /run/nordvpnd.sock: bind: address already in use

I’m assuming it’s that because it’s running currently.

In /etc/systemd/system/nordvpnd.socket:

[Unit]

Description=NordVPN Daemon Socket

PartOf=nordvpnd.service

[Socket]

ListenStream=/run/nordvpnd.sock

NoDelay=true

[Install]

WantedBy=sockets.target

~

In /etc/systemd/system/nordvpnd.service

[Unit]

Description=NordVPN Daemon

Requires=nordvpnd.socket

After=network-online.target

[Service]

ExecStart=/usr/sbin/nordvpnd

NonBlocking=true

KillMode=process

Restart=on-failure

RestartSec=5

[Install]

WantedBy=default.target

stgraber · June 10, 2020, 7:36pm

Try removing that NoDelay line, that should make systemd happier.

Ashar003 · June 10, 2020, 7:45pm

I tried removing the line and ‘NoDelay = false’, both followed by systemd daemon-reload and a reboot, to no avail; same error message: ‘transport is closing’ preceded by the ‘connecting to…’
I forgot to mention this:
Occasionally, upon using 'nordvpn connect, I receive this message :
'Whoops! Cannot reach System Daemon. ’

In the syslog, I have seen this error message, but I don’t know why:
‘Get “https://zwyr157wwiu6eior.com/v1/helpers/ips/insights”: dial tcp 0.0.0.0:443: connect: connection refused’

nordvpnd[255]: panic: runtime error: index out of range [1] with length 1

systemd[1]: nordvpnd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
systemd[1]: nordvpnd.service: Failed with result ‘exit-code’.

networkd-dispatcher[253]: WARNING:Unknown index 3 seen, reloading interface list
networkd-dispatcher[253]: ERROR:Unknown interface index 3 seen even after reload

Ashar003 · June 14, 2020, 7:59pm

Anyone?

simos · June 15, 2020, 8:49am

NordVPN does not appear to offer a free, no credit card required, account. It is difficult for someone to check and replicate.

Ashar003 · June 15, 2020, 2:55pm

If I set up a VPN and provided you the proper authentication, assuming the same issue will arise, would you be willing to test it? @simos

simos · June 16, 2020, 9:30pm

NordVPN has a manager written in Go and manages OpenVPN. It gives the following error when running in a LXD container,

Jun 16 17:31:37 nordvpn nordvpnd[1250]: 2020/06/16 17:31:37 [INFO] Tue Jun 16 17:31:37 2020 MANAGEMENT: Connected to management server at /var/run/nordvpn-openvpn.sock
Jun 16 17:31:37 nordvpn nordvpnd[1250]: panic: runtime error: index out of range [1] with length 1
Jun 16 17:31:37 nordvpn nordvpnd[1250]: goroutine 258 [running]:
Jun 16 17:31:37 nordvpn nordvpnd[1250]: nordvpn/daemon.ruleParsing(...)
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/vpn_ipv6.go:117
Jun 16 17:31:37 nordvpn nordvpnd[1250]: nordvpn/daemon.(*Ipv6).Disable(0xc0047c2e60, 0x0, 0x0)
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/vpn_ipv6.go:43 +0x6c7
Jun 16 17:31:37 nordvpn nordvpnd[1250]: nordvpn/daemon.(*OpenVPN).Start(0xc0007df860, 0x2b89520, 0xc000028960, 0x18, 0xc000028980, 0x18, 0x0, 0x0, 0x0, 0x0, ...)
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/vpn_openvpn.go:159 +0xd11
Jun 16 17:31:37 nordvpn nordvpnd[1250]: created by nordvpn/daemon.Connect
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/rpc.go:288 +0x882
Jun 16 17:31:37 nordvpn systemd[1]: nordvpnd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 16 17:31:37 nordvpn systemd[1]: nordvpnd.service: Failed with result 'exit-code'.
Jun 16 17:31:42 nordvpn systemd[1]: nordvpnd.service: Service hold-off time over, scheduling restart.

This looks like a bug in the NordVPN client (incidentally, it is written in Go).
What you can do, is report this issue to them, and perhaps point them to this discussion.
They appear they are willing to fix things.

As a workaround you can use the OpenVPN client in Ubuntu to make a connection to one of the NordVPN servers. I have tested this and it works fine. Just make sure you avoid the DNS leaks.

Daniel · July 22, 2020, 7:36pm

Did you ever figure this out? I just hit the exact same issue (same “runtime error: index out of range [1] with length 1” error), and NordVPN’s support have not been very useful. I might just use the OpenVPN client directly. I was hoping to take advantage of their “NordLynx” WireGuard-based protocol, however they don’t have vanilla WireGuard configs available.

simos · July 22, 2020, 7:49pm

It is up to the NordVPN people to fix the client to work in a container.
I have not reported it.

Frankly, it is good that you can use the stock OpenVPN client in Ubuntu, provided that you take care of security issues such DNS leaks.

Ashar003 · July 22, 2020, 7:54pm

I reported it, and they said something along the lines of LXC is not supported, use openvpn to connect to the server.

Daniel · July 23, 2020, 9:51pm

Yeah I just got a similar response: “Unfortunately, we do not officially have any tutorials or support for such a setup. Because of this reason, we are not able to help you with it”, which is really frustrating as it’s obviously some sort of bug in their code

simos · September 2, 2020, 2:59pm

@Ashar003, I have written a blog post on getting NordVPN to work in a LXD container. Feel free to forward to NordVPN so that they fix their client.