
Custom NordVPN won't connect #59

Closed
jeff-hughes opened this issue Jan 26, 2021 · 3 comments

Comments

@jeff-hughes
Contributor

jeff-hughes commented Jan 26, 2021

I'm trying to use the --custom flag to use NordVPN via OpenVPN. However, it seems to get stuck on "Attempting to establish TCP connection..." and I'm trying to troubleshoot.

Here's the command I'm running:
vopono -v exec --custom /etc/openvpn/client/ovpn_tcp/ca1074.nordvpn.com.tcp.ovpn --protocol openvpn "bash"

The config files are downloaded straight from the NordVPN website. Here's the output I receive:

2021-01-26T00:17:45.635Z WARN  vopono > Could not parse PULSE_SERVER from pactl info output: Err(Could not parse pactl output!:
)
 2021-01-26T00:17:45.635Z DEBUG vopono::util > Existing namespaces: []
 2021-01-26T00:17:45.635Z DEBUG vopono::network_interface > ip addr
 2021-01-26T00:17:45.636Z DEBUG vopono::exec              > Interface: eno1
 2021-01-26T00:17:45.637Z DEBUG vopono::util              > Existing namespaces: []
 2021-01-26T00:17:45.637Z DEBUG vopono::util              > ip netns add vopono_custom_ca10
 2021-01-26T00:17:45.638Z INFO  vopono::netns             > Created new network namespace: vopono_custom_ca10
 2021-01-26T00:17:45.639Z DEBUG vopono::util              > Existing interfaces: 
 2021-01-26T00:17:45.640Z DEBUG vopono::util              > Assigned IPs: []
 2021-01-26T00:17:45.640Z DEBUG vopono::netns             > ip netns exec vopono_custom_ca10 ip addr add 127.0.0.1/8 dev lo
 2021-01-26T00:17:45.641Z DEBUG vopono::netns             > ip netns exec vopono_custom_ca10 ip link set lo up
 2021-01-26T00:17:45.643Z DEBUG vopono::veth_pair         > NetworkManager detected, adding custom_ca10_d to unmanaged devices
 2021-01-26T00:17:45.643Z DEBUG vopono::util              > nmcli connection reload
 2021-01-26T00:17:45.649Z DEBUG vopono::util              > ip link add custom_ca10_d type veth peer name custom_ca10_s
 2021-01-26T00:17:45.650Z DEBUG vopono::util              > ip link set custom_ca10_d up
 2021-01-26T00:17:45.651Z DEBUG vopono::util              > ip link set custom_ca10_s netns vopono_custom_ca10 up
 2021-01-26T00:17:45.693Z DEBUG vopono::util              > ip addr add 10.200.1.1/24 dev custom_ca10_d
 2021-01-26T00:17:45.694Z DEBUG vopono::netns             > ip netns exec vopono_custom_ca10 ip addr add 10.200.1.2/24 dev custom_ca10_s
 2021-01-26T00:17:45.695Z DEBUG vopono::netns             > ip netns exec vopono_custom_ca10 ip route add default via 10.200.1.1 dev custom_ca10_s
 2021-01-26T00:17:45.696Z INFO  vopono::netns             > IP address of namespace as seen from host: 10.200.1.2
 2021-01-26T00:17:45.696Z INFO  vopono::netns             > IP address of host as seen from namespace: 10.200.1.1
 2021-01-26T00:17:45.696Z DEBUG vopono::util              > iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o eno1 -j MASQUERADE
 2021-01-26T00:17:45.722Z DEBUG vopono::util              > sysctl -q net.ipv4.ip_forward=1
 2021-01-26T00:17:45.723Z DEBUG vopono::dns_config        > Setting namespace vopono_custom_ca10 DNS server to 8.8.8.8
 2021-01-26T00:17:45.723Z INFO  vopono::openvpn           > Launching OpenVPN...
 2021-01-26T00:17:45.724Z DEBUG vopono::openvpn           > Found remotes: [Remote { host: IPv4(89.47.234.3), port: 443, protocol: TCP }]
 2021-01-26T00:17:45.724Z DEBUG vopono::netns             > ip netns exec vopono_custom_ca10 openvpn --config /etc/openvpn/client/ovpn_tcp/ca1074.nordvpn.com.tcp.ovpn --machine-readable-output --log /etc/netns/vopono_custom_ca10/openvpn.log
 2021-01-26T00:17:45.733Z DEBUG vopono::openvpn           > "1611620265.733128 40 DEPRECATED OPTION: --cipher set to \'AES-256-CBC\' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add \'AES-256-CBC\' to --data-ciphers or change --cipher \'AES-256-CBC\' to --data-ciphers-fallback \'AES-256-CBC\' to silence this warning.\n"
 2021-01-26T00:17:45.733Z DEBUG vopono::openvpn           > "1611620265.733315 1 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020\n"
 2021-01-26T00:17:45.733Z DEBUG vopono::openvpn           > "1611620265.733334 1 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10\n"
🔐 Enter Auth Username: ***************
🔐 Enter Auth Password: ************            
 2021-01-26T00:17:51.851Z DEBUG vopono::openvpn           > "1611620271.851084 40 WARNING: --ping should normally be used with --ping-restart or --ping-exit\n"
 2021-01-26T00:17:51.851Z DEBUG vopono::openvpn           > "1611620271.851100 1 NOTE: --fast-io is disabled since we are not using UDP\n"
 2021-01-26T00:17:51.851Z DEBUG vopono::openvpn           > "1611620271.851429 14000002 Outgoing Control Channel Authentication: Using 512 bit message hash \'SHA512\' for HMAC authentication\n"
 2021-01-26T00:17:51.851Z DEBUG vopono::openvpn           > "1611620271.851435 14000002 Incoming Control Channel Authentication: Using 512 bit message hash \'SHA512\' for HMAC authentication\n"
 2021-01-26T00:17:51.851Z DEBUG vopono::openvpn           > "1611620271.851491 1 TCP/UDP: Preserving recently used remote address: [AF_INET]89.47.234.3:443\n"
 2021-01-26T00:17:51.851Z DEBUG vopono::openvpn           > "1611620271.851508 2b000003 Socket Buffers: R=[131072->131072] S=[16384->16384]\n"
 2021-01-26T00:17:51.851Z DEBUG vopono::openvpn           > "1611620271.851512 1 Attempting to establish TCP connection with [AF_INET]89.47.234.3:443 [nonblock]\n"
 2021-01-26T00:19:51.964Z DEBUG vopono::openvpn           > "1611620391.964795 1000021 TCP: connect to [AF_INET]89.47.234.3:443 failed: Connection timed out\n"
 2021-01-26T00:19:51.964Z DEBUG vopono::openvpn           > "1611620391.964870 1 SIGUSR1[connection failed(soft),init_instance] received, process restarting\n"
 2021-01-26T00:19:51.964Z DEBUG vopono::openvpn           > "1611620391.964884 21000003 Restart pause, 5 second(s)\n"

From there it repeats as it times out and retries.

And here's an output dump of some other potentially relevant info:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b4:2e:99:f2:67:09 brd ff:ff:ff:ff:ff:ff
    altname enp8s0
    inet 192.168.0.39/24 brd 192.168.0.255 scope global dynamic noprefixroute eno1
       valid_lft 579391sec preferred_lft 579391sec
    inet6 2607:f2c0:ead4:8:e752:8f29:f11d:29f/64 scope global dynamic noprefixroute 
       valid_lft 578677sec preferred_lft 146677sec
    inet6 fe80::29e3:58d2:9f8a:acb0/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
14: custom_ca10_d@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 46:91:e7:e4:95:30 brd ff:ff:ff:ff:ff:ff link-netns vopono_custom_ca10
    inet 10.200.1.1/24 scope global custom_ca10_d
       valid_lft forever preferred_lft forever
    inet6 fe80::4491:e7ff:fee4:9530/64 scope link 
       valid_lft forever preferred_lft forever
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether b4:2e:99:f2:67:09 brd ff:ff:ff:ff:ff:ff
    altname enp8s0
14: custom_ca10_d@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 46:91:e7:e4:95:30 brd ff:ff:ff:ff:ff:ff link-netns vopono_custom_ca10
$ ping -c 3 10.200.1.2
PING 10.200.1.2 (10.200.1.2) 56(84) bytes of data.
64 bytes from 10.200.1.2: icmp_seq=1 ttl=64 time=0.052 ms
64 bytes from 10.200.1.2: icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from 10.200.1.2: icmp_seq=3 ttl=64 time=0.040 ms

--- 10.200.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2033ms
rtt min/avg/max/mdev = 0.040/0.044/0.052/0.005 ms
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.200.1.0/24        anywhere
# ip netns exec vopono_custom_ca10 ip addr
Bind /etc/netns/vopono_custom_ca10/openvpn.log -> /etc/openvpn.log failed: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
15: custom_ca10_s@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 22:cd:0a:e3:15:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.200.1.2/24 scope global custom_ca10_s
       valid_lft forever preferred_lft forever
    inet6 fe80::20cd:aff:fee3:1501/64 scope link 
       valid_lft forever preferred_lft forever
# ip netns exec vopono_custom_ca10 ip link
Bind /etc/netns/vopono_custom_ca10/openvpn.log -> /etc/openvpn.log failed: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
15: custom_ca10_s@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 22:cd:0a:e3:15:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# ip netns exec vopono_custom_ca10 iptables -L
Bind /etc/netns/vopono_custom_ca10/openvpn.log -> /etc/openvpn.log failed: No such file or directory
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# ip netns exec vopono_custom_ca10 ping -c 3 10.200.1.1
Bind /etc/netns/vopono_custom_ca10/openvpn.log -> /etc/openvpn.log failed: No such file or directory
PING 10.200.1.1 (10.200.1.1) 56(84) bytes of data.
64 bytes from 10.200.1.1: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 10.200.1.1: icmp_seq=2 ttl=64 time=0.044 ms
64 bytes from 10.200.1.1: icmp_seq=3 ttl=64 time=0.040 ms

--- 10.200.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2015ms
rtt min/avg/max/mdev = 0.039/0.041/0.044/0.002 ms
# ip netns exec vopono_custom_ca10 ping -c 3 8.8.8.8
Bind /etc/netns/vopono_custom_ca10/openvpn.log -> /etc/openvpn.log failed: No such file or directory
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=25.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=194 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=21.5 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 21.547/80.282/194.017/80.436 ms

I don't see anything in particular there that jumps out at me -- the namespace seems to be set up, I can ping inside and outside just fine, and pinging the VPN server also seems to work. But vopono seems to just not be able to connect for some reason. The only particular error I see at all is this issue with trying to bind the openvpn.log, but I'm not sure if that's necessary or related. Any thoughts?

Edit: I should add that connecting directly via sudo openvpn works as expected, so again, it doesn't seem to be an issue with the VPN connection itself.

@jamesmcm
Owner

Hi,

Thanks for the detailed logs.

Please try running it with the --no-killswitch option too, it seems like OpenVPN is failing to connect before the killswitch is even enabled but just in case.

In that case you should be able to access the internet as usual via the namespace, i.e. with ip netns exec vopono_custom_ca10 firefox - your ping to 8.8.8.8 worked so that means it's probably okay, but it is still worth checking that it works for other addresses and HTTPS, etc.

Also check that no other firewall is enabled i.e. ufw or nftables rules, and that NetworkManager isn't managing the veth device or interfering. But if you can connect as usual from the namespace, then the OpenVPN handshake should work. Please check that though, as it's the most likely error since the address directly cannot connect (i.e. it's not even a DNS lookup).

Note that the bind error for openvpn.log is expected, it's due to using the OpenVPN log file within a network namespace (and I don't want to suppress stderr in case there are real errors). I'll add something to the docs about this though and see if I can suppress it specifically somehow.

I'll see if I can test this on a similar case in Mullvad tonight (or perhaps even sign up to NordVPN). Could you please paste the OpenVPN config file itself too if possible?

@jeff-hughes
Contributor Author

Hi James,

Thanks for the quick response! With some further testing, it appears that my ufw rules were indeed the issue. When I temporarily disabled ufw, it worked just fine. That confused me a bit because I had just been playing with netns recently (primarily following this article) and hadn't run into this issue. The difference is that the article suggests adding some explicit forwarding rules in iptables:

iptables -A FORWARD -i eth0 -o v-eth1 -j ACCEPT
iptables -A FORWARD -o eth0 -i v-eth1 -j ACCEPT

Now I'm seeing that vopono doesn't add those rules. I'm wondering, given that vopono is already adding rules to iptables (i.e., the POSTROUTING rule), if maybe it's worth just adding those two additional FORWARD rules in there explicitly. That should certainly be one less point of friction for anyone running ufw, which I believe sets a default of iptables -P FORWARD DROP.

Either way, I'll close this issue as solved -- thanks for the help! And now that I have at least gotten it working with NordVPN, I'd be happy to work on a PR to add it as another provider. I see you've already got it on the list, so I can help with crossing one of those off at least!
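The FORWARD-chain point raised in this comment, as an added shell example (not vopono's own code): the three host-side iptables rules a veth plus network-namespace setup needs when the FORWARD policy is DROP, and a small check that reads an `iptables -L FORWARD -v -n` dump to tell whether the namespace's traffic would be forwarded. The interface names and subnet mirror the logs above; the two chain dumps are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not vopono's code. Shows the three host-side iptables rules a
# veth + network-namespace setup needs when the FORWARD chain policy is DROP
# (as ufw sets it), and a check that reads `iptables -L FORWARD -v -n` output
# to tell whether the namespace's traffic would be forwarded at all.
# Interface names and the subnet mirror the logs in this issue; the two
# chain dumps below are constructed samples, not captured from a real host.

# Print the rules as commands (a dry run); run them as root to apply.
netns_forward_rules() {
    host_if="$1"     # uplink, e.g. eno1
    veth_host="$2"   # host end of the veth pair, e.g. custom_ca10_d
    ns_subnet="$3"   # namespace subnet, e.g. 10.200.1.0/24
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$ns_subnet" "$host_if"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$host_if" "$veth_host"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$veth_host" "$host_if"
}

# Read an `iptables -L FORWARD -v -n` dump on stdin; print the chain policy.
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Read the same dump on stdin; succeed if traffic for the given veth would be
# forwarded: either the policy is ACCEPT or an ACCEPT rule names the veth in
# its in/out column (columns 6 and 7 of the -v output).
forward_allows() {
    veth="$1"
    dump=$(cat)
    if [ "$(printf '%s\n' "$dump" | forward_policy)" = "ACCEPT" ]; then
        return 0
    fi
    printf '%s\n' "$dump" | awk -v v="$veth" \
        '$3 == "ACCEPT" && ($6 == v || $7 == v) { found = 1 } END { exit !found }'
}

# Constructed sample: the chain with a DROP policy (ufw's default) and no rules.
UFW_SAMPLE='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: the same chain after the two FORWARD rules are added.
FIXED_SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  eno1   custom_ca10_d  0.0.0.0/0            0.0.0.0/0
    4   336 ACCEPT     all  --  custom_ca10_d  eno1   0.0.0.0/0            0.0.0.0/0'

# Demo when run directly: show the rules, then evaluate both samples.
netns_forward_rules eno1 custom_ca10_d 10.200.1.0/24
for s in "$UFW_SAMPLE" "$FIXED_SAMPLE"; do
    if printf '%s\n' "$s" | forward_allows custom_ca10_d; then
        echo "policy $(printf '%s\n' "$s" | forward_policy): namespace traffic forwarded"
    else
        echo "policy $(printf '%s\n' "$s" | forward_policy): namespace traffic blocked"
    fi
done
```

The MASQUERADE rule alone only rewrites source addresses on packets that are already being forwarded; with a DROP policy on FORWARD those packets never reach the nat table, which is why the namespace could still ping the host (no forwarding involved) while every TCP connect to the VPN server timed out. On a real host, pipe `iptables -L FORWARD -v -n` into `forward_allows <veth>` to run the check against live rules.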

@jamesmcm
Owner

jamesmcm commented Jan 29, 2021

Thanks for replying with the fix!

I created an issue to add those rules alongside the masquerade one on the host - #60

Also feel free to post an issue if you have any questions about adding a new provider.

There are some details in https://github.com/jamesmcm/vopono/blob/master/CONTRIBUTING.md

I imagine the PrivateInternetAccess code would be the best to look at: https://github.com/jamesmcm/vopono/tree/master/src/providers/pia (since at the moment it only includes OpenVPN support and will probably have a similar configuration).

i.e. we download the zip file from the user's provided options in the dialogue, then iterate through the config files and modify them so that they won't ask for the user and pass directly (but we can provide it with a file), then we ask for the user and pass and save that too.
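The provider-setup steps described in this comment (iterate the downloaded config files, change them so OpenVPN reads the username and password from a file instead of prompting, and store those credentials), as an added shell example that is not vopono's code. The .ovpn content is a constructed sample using a TEST-NET address, and the credentials path is an assumed placeholder rather than a path vopono uses.

```shell
#!/bin/sh
# Added example, not vopono's code. Walks through the provider-setup steps
# described above: rewrite each OpenVPN config so it reads the username and
# password from a file instead of prompting, and store that file with owner-only
# permissions. The config below is a constructed sample (TEST-NET address), and
# the credentials path is an assumed placeholder.

# Read an .ovpn on stdin and write it to stdout with a bare `auth-user-pass`
# directive (which makes openvpn prompt) replaced by one naming the credentials
# file. A directive that already carries a path is left untouched.
rewrite_auth_user_pass() {
    auth_file="$1"
    sed "s|^auth-user-pass[[:space:]]*\$|auth-user-pass $auth_file|"
}

# Write the two-line credentials file OpenVPN expects (username, then password)
# so that only the owner can read it; the umask is scoped to the subshell.
write_auth_file() {
    user="$1"; pass="$2"; path="$3"
    ( umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$path" )
}

# Rewrite every .ovpn under a directory in place, pointing all of them at one
# credentials file.
rewrite_config_dir() {
    dir="$1"; auth_file="$2"
    for f in "$dir"/*.ovpn; do
        [ -f "$f" ] || continue
        rewrite_auth_user_pass "$auth_file" < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed sample config (203.0.113.0/24 is reserved for documentation).
SAMPLE_OVPN='client
dev tun
proto tcp
remote 203.0.113.10 443
auth-user-pass
cipher AES-256-CBC
verb 3'

# Demo when run directly: rewrite the sample inside a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_OVPN" > "$demo_dir/sample.ovpn"
write_auth_file example-user example-pass "$demo_dir/auth.txt"
rewrite_config_dir "$demo_dir" "$demo_dir/auth.txt"
grep '^auth-user-pass' "$demo_dir/sample.ovpn"   # shows the rewritten directive
rm -rf "$demo_dir"
```

The credentials file is created under `umask 077` before any bytes are written, so there is no window in which it is world-readable; the same applies to any directory the rewritten configs live in, since the configs now name where the password sits.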
