NordVPN in LXC UnPriv/Priv Container Doesn't Work

Goal: Designate a network, using NordVPN, which is the only network a certain container can use, so as to prevent leaking onto the host network.

I am using snap lxd.
I consistently receive the error message: “transport is closing”, right after “Connecting to {Country} #NUMB (domain name)”

Errors in Syslog:
nordvpnd.service: Failed with result ‘exit-code’.
nordvpnd.socket: TCP_NODELAY failed: Operation not supported

I was going to follow this guide: https://blog.san-ss.com.ar/2015/11/setting-up-vpn-gateway-in-ubuntu-using

Note: On the host system, it works flawlessly.

Looks like that particular VPN is trying to do something that requires more privileges than containers normally have.

What protocol does NordVPN use in this case?
What’s in nordvpnd.socket and nordvpnd.service?

This text will be hidden

In /var/lib/nordvpn/data/.config.ovpn:(redacted the certification and keys)

client

dev tun

remote 23.226.133.173 1194 udp

resolv-retry infinite

remote-random

nobind

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

persist-key

persist-tun

reneg-sec 0

server-poll-timeout 5

remote-cert-tls server

auth-user-pass

verb 3

pull

fast-io

cipher AES-256-CBC

auth SHA512

redacted…

pull-filter ignore "ifconfig-ipv6 "

pull-filter ignore "route-ipv6 "

ping 15

ping-restart 0

ping-timer-rem


NordVPN Daemon
/usr/sbin/nordvpnd

Running ‘nordvpnd’, retreieves this :
Error on listening to UNIX domain socket: listen unix /run/nordvpnd.sock: bind: address already in use

I’m assuming it’s that because it’s running currently.


In /etc/systemd/system/nordvpnd.socket:

[Unit]

Description=NordVPN Daemon Socket

PartOf=nordvpnd.service

[Socket]

ListenStream=/run/nordvpnd.sock

NoDelay=true

[Install]

WantedBy=sockets.target

~


In /etc/systemd/system/nordvpnd.service

[Unit]

Description=NordVPN Daemon

Requires=nordvpnd.socket

After=network-online.target

[Service]

ExecStart=/usr/sbin/nordvpnd

NonBlocking=true

KillMode=process

Restart=on-failure

RestartSec=5

[Install]

WantedBy=default.target

Try removing that NoDelay line, that should make systemd happier.

I tried removing the line and ‘NoDelay = false’, both followed by systemd daemon-reload and a reboot, to no avail; same error message: ‘transport is closing’ preceded by the ‘connecting to…’
I forgot to mention this:
Occasionally, upon using 'nordvpn connect, I receive this message :
'Whoops! Cannot reach System Daemon. ’

In the syslog, I have seen this error message, but I don’t know why:
‘Get “https://zwyr157wwiu6eior.com/v1/helpers/ips/insights”: dial tcp 0.0.0.0:443: connect: connection refused’

nordvpnd[255]: panic: runtime error: index out of range [1] with length 1

systemd[1]: nordvpnd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
systemd[1]: nordvpnd.service: Failed with result ‘exit-code’.

networkd-dispatcher[253]: WARNING:Unknown index 3 seen, reloading interface list
networkd-dispatcher[253]: ERROR:Unknown interface index 3 seen even after reload

Anyone?

NordVPN does not appear to offer a free, no credit card required, account. It is difficult for someone to check and replicate.

If I set up a VPN and provided you the proper authentication, assuming the same issue will arise, would you be willing to test it? @simos

NordVPN has a manager written in Go and manages OpenVPN. It gives the following error when running in a LXD container,

Jun 16 17:31:37 nordvpn nordvpnd[1250]: 2020/06/16 17:31:37 [INFO] Tue Jun 16 17:31:37 2020 MANAGEMENT: Connected to management server at /var/run/nordvpn-openvpn.sock
Jun 16 17:31:37 nordvpn nordvpnd[1250]: panic: runtime error: index out of range [1] with length 1
Jun 16 17:31:37 nordvpn nordvpnd[1250]: goroutine 258 [running]:
Jun 16 17:31:37 nordvpn nordvpnd[1250]: nordvpn/daemon.ruleParsing(...)
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/vpn_ipv6.go:117
Jun 16 17:31:37 nordvpn nordvpnd[1250]: nordvpn/daemon.(*Ipv6).Disable(0xc0047c2e60, 0x0, 0x0)
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/vpn_ipv6.go:43 +0x6c7
Jun 16 17:31:37 nordvpn nordvpnd[1250]: nordvpn/daemon.(*OpenVPN).Start(0xc0007df860, 0x2b89520, 0xc000028960, 0x18, 0xc000028980, 0x18, 0x0, 0x0, 0x0, 0x0, ...)
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/vpn_openvpn.go:159 +0xd11
Jun 16 17:31:37 nordvpn nordvpnd[1250]: created by nordvpn/daemon.Connect
Jun 16 17:31:37 nordvpn nordvpnd[1250]: #011/builds/nordvpn/apps-source/linux-app/src/daemon/rpc.go:288 +0x882
Jun 16 17:31:37 nordvpn systemd[1]: nordvpnd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 16 17:31:37 nordvpn systemd[1]: nordvpnd.service: Failed with result 'exit-code'.
Jun 16 17:31:42 nordvpn systemd[1]: nordvpnd.service: Service hold-off time over, scheduling restart.

This looks like a bug in the NordVPN client (incidentally, it is written in Go).
What you can do, is report this issue to them, and perhaps point them to this discussion.
They appear they are willing to fix things.

As a workaround you can use the OpenVPN client in Ubuntu to make a connection to one of the NordVPN servers. I have tested this and it works fine. Just make sure you avoid the DNS leaks.

1 Like