NordVPN

[Tae_kyon]

I have a subscrition to NordVPN and am using it on my Gentoo box. However, I have to import the server configuration files manually into Network-Manager every time.

Openpyn and other such instruments I've found need to be installed with PIP, and in the end I can never get them to work.
An ebuild for nordmn is on panther-overlay, doesn't work either.

Has anyone found a good solution to this?

Thanks

[nowlodek]

You can use NordVPN Linux app.
Get the latest deb package from https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/
Use deb2tar to convert to tar.
Extract
/usr/bin/nordvpn to /usr/local/bin
and
/usr/sbin/nordvpnd to /usr/local/sbin
and
/var/lib/norvpn to /var/lib

then create init file
touch /etc/init.d/nordvpnd
with

Code: Select all

#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

command="/usr/local/sbin/nordvpnd"
pidfile="/run/${RC_SVCNAME}.pid"
retry="SIGTERM/5/SIGTERM/5/SIGKILL/5"
start_stop_daemon_args="--background --make-pidfile"

depend() {
<------>use logger net
<------>provide dns
}

To use it start daemon first

Code: Select all

rc-service nordvpnd start

login to nordvpn

Code: Select all

nordvpn login

and

Code: Select all

nordvpn connect

in case of issues with OpenVPN mode, switch to NordLynx mode

Code: Select all

nordvpn set technology nordlynx

[Tae_kyon]

Thanks! Looks like just what I need!

[nowlodek]

I'm lazy but I did it.
An ebuild for NordVPN

Code: Select all

touch /usr/local/portage/net-vpn/nordvpn/nordvpn-3.6.0.3.ebuild

nordvpn-3.6.0.3.ebuild

Code: Select all

# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit eutils unpacker

MY_PV=$(ver_rs 3 '-')

DESCRIPTION="NordVPN native client"
HOMEPAGE="https://nordvpn.com"
SRC_URI="https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_${MY_PV}_amd64.deb"

LICENSE="NordVPN"
SLOT="0"
KEYWORDS="-* ~amd64"
IUSE=""

# TODO: verify that list of RDEPEND is complete
RDEPEND="net-misc/networkmanager
         net-vpn/networkmanager-openvpn"

RESTRICT="strip"
S="${WORKDIR}"

src_unpack() {
	# Unpack Debian package containing application's files
	unpack_deb ${A}
	gzip "${S}"/usr/share/doc/nordvpn/changelog.gz -d "${S}"
	gzip "${S}"/usr/share/man/man1/nordvpn.1.gz -d "${S}"
}

src_install() {
	cd ${S}

#	doinitd>etc/init.d/nordvpn
	newinitd "${FILESDIR}"/nordvpn.initd ${PN}

#	into<-->/usr
	dobin<->usr/bin/nordvpn
	dosbin<>usr/sbin/nordvpnd

	insinto>/var/lib/nordvpn
	doins -r var/lib/nordvpn

	insinto>/usr/share/bash-completion/completions
	doins <>usr/share/bash-completion/completions/nordvpn
	
	dodoc usr/share/doc/nordvpn/changelog
	doman usr/share/man/man1/nordvpn.1
}

new init file for package

Code: Select all

touch /usr/local/portage/net-vpn/nordvpn/files/nordvpn.initd

nordvpn.initd

Code: Select all

#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

command="/usr/sbin/nordvpnd"
pidfile="/run/${RC_SVCNAME}.pid"
retry="SIGTERM/5/SIGTERM/5/SIGKILL/5"
start_stop_daemon_args="--background --make-pidfile"

depend() {
	use logger net
	provide dns
}

[Hu]

The way you represent tabs makes it difficult for users to quickly copy/paste this into a working ebuild. Do you have a repository somewhere from which interested users could download it? If not, consider posting the ebuild with tabs as actual tabs, not as placeholders.

Code: Select all

SRC_URI="https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_${MY_PV}_amd64.deb"
KEYWORDS="~amd64"

I think it is conventional to include a -* in KEYWORDS when, as here, you download a prebuilt file that only works on one architecture.

Code: Select all

              · If you do not know if an ebuild runs under a particular  arch,
                then do not specify it in KEYWORDS.  It will then be masked by
                default on that architecture.

              · If the ebuild is known not to work on an  arch,  disable  that
                arch  in  KEYWORDS.   This would be done by specifying "-ppc",
                for example. This will  ensure  that  it  is  explicitly  key‐
                word-masked for that architecture.

In this case, you know it will not work on non-amd64.

Code: Select all

DEPEND="${RDEPEND}"

I think this is incorrect. As a prebuilt package, the only things needed to "build" it are tools for unpacking upstream's archive. The packages in your RDEPEND may be needed to run it, but are not needed if someone just wants to run emerge --buildpkgonly.

Code: Select all

S=${WORKDIR}

For consistency, this should be quoted.

Code: Select all

<------>gzip ${S}/usr/share/doc/nordvpn/changelog.gz -d ${S}
<------>gzip ${S}/usr/share/man/man1/nordvpn.1.gz -d ${S}

Again, quoting. Although rare, some people might set PORTAGE_TMPDIR, and by extension WORKDIR, and by extension, S, to a path with spaces.

Code: Select all

<------>cd ${S}

Quoting.

Code: Select all

command="/usr/local/sbin/nordvpnd"

Your ebuild installs this file into /usr/sbin, not /usr/local/sbin.

[nowlodek]

Thank you for looking up.
There are others architectures so I started with ~amd64 with hope to include another.
Post altered accordingly.

[elover]

Hey, I found this ebuild.


nordvpn-3.5.0-r2.ebuild

Code: Select all

Close
# Copyright 2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit unpacker

DESCRIPTION="NordVPN CLI tool for Linux"
HOMEPAGE="https://nordvpn.com"
BASE_URI="https://repo.nordvpn.com/deb/${PN}/debian/pool/main"
SRC_URI="
	amd64? ( "${BASE_URI}/${P/-/_}-${PR/r}_amd64.deb" )
	arm? ( "${BASE_URI}/${P/-/_}-${PR/r}_armel.deb" )
	arm64? ( "${BASE_URI}/${P/-/_}-${PR/r}_arm64.deb" )
	x86? ( "${BASE_URI}/${P/-/_}-${PR/r}_i386.deb" )
"

LICENSE="NordVPN"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
IUSE="nordlynx systemd"
RESTRICT="mirror strip"

RDEPEND="
	dev-libs/libxslt[crypt]
	net-firewall/iptables
	sys-apps/iproute2[iptables]
	sys-apps/net-tools
	sys-process/procps
	nordlynx? (
		net-vpn/wireguard[module,tools]
	)
	systemd? (
		sys-apps/systemd
	)
"

S="${WORKDIR}"

src_unpack() {
	unpack_deb "${A}"
}

src_prepare() {
	rm _gpgbuilder || die
	use !systemd && ( rm -rf usr/lib || die )
	mv usr/share/doc/nordvpn/changelog.gz .
	gunzip changelog.gz
	mv usr/share/man/man1/${PN}.1.gz .
	gunzip ${PN}.1.gz
	rm -rf usr/share/man \
		usr/share/doc \
		etc
	default
}

src_install() {
	dodoc changelog
	rm changelog
	doman ${PN}.1
	rm ${PN}.1
	mkdir -p "${ED}"
	cp -r . "${ED}"/
	doinitd "${FILESDIR}/${PN}"
}

pkg_postinst() {
	echo
	elog "Thanks for installing the NordVPN client."
	elog "Don't forget to purchase your NordVPN plan in order to use the client."
	echo
}

Could be arranged for the latest version deb?

[nowlodek]

Change the number and save it as nordvpn-3.6.0-r4.ebuild and try to emerge.
Deb file structure is the same so elevating ebuild should work.
Current deb file ver. 3.6.0-3 => 3.6.0-r4 ebuild ver.

[MrEncryptor]

HEY!
If you're getting this when you try to connect:

Code: Select all

~ $ nordvpn c
A new version of NordVPN is available! Please update the application.
Connecting to Arrakis #420 (xx.nordvpn.com)
Whoops! Connection failed. Please try again. If the problem persists, contact our customer support.

And if you're getting this issue in your ` /usr/sbin/nordpvnd ` logs:

Code: Select all

2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 /sbin/ip link set dev tun0 up mtu 1500
2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 MANAGEMENT: Client disconnected
2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 Linux ip link set failed: could not execute external program
2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 Exiting due to fatal error
2020/02/25 22:01:52 [Error] Linux ip link set failed: could not execute external program
2020/02/25 22:01:52 Linux ip link set failed: could not execute external program

It's probably because your ip binary is in ` /bin/ip ` instead of ` /sbin/ip ` where nordvpn wants to use it. My solution was to symlink it there:

Code: Select all

# ln -s /bin/ip /sbin/ip

[rmk88]

Probably stupid question, but did follow the instructions on second post and then I got this:

nae ~ # rc-service nordvpnd start
* Starting nordvpnd ... [ ok ]

rmk@nae ~ $ nordvpn login
Whoops! /run/nordvpn/nordvpnd.sock not found

What I'm doin' wrong?

[lahouari]

I have the same issue.

when trying to run nordvpnd manualy this output shows:

Code: Select all

2021/08/13 14:29:24 [Info] Daemon has started
2021/08/13 14:29:24 Kill Switch set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 14:29:24 Auto-connect set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 14:29:24 DNS set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 14:29:24 CyberSec set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 14:29:24 Protocol set to: UDP
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 14:29:24 Technology set to: OpenVPN
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 14:29:24 Error on listening to UNIX domain socket: listen unix /run/nordvpn/nordvpnd.sock: bind: no such file or directory

[Hu]

The error states that the socket does not exist. Why not? Does the containing directory exist? If not, who was supposed to create it? Why did that program not create it? Since the path is under /run, I would expect this to be managed by a tmpfiles.d entry. Do you have tmpfiles enabled? Does the package install the right configuration for tmpfiles?

[lahouari]

ok after some digging and with help of support from NordVPN I moved some step further...

but not yet there.

so:
first thing is that nordvpn deamon wants to create soc file in /run/nordvpn/ and that folder does not exist.

I modified my init.d file like so for now:

Code: Select all

pidfile="/run/${RC_SVCNAME}/${RC_SVCNAME}.pid"

and created folder nordvpn folder in /run I think... or maybe the init script did... regardless after that there is another problem (deamon starts) but it then needs a certificate file it will look in

/var/lib/nordvpn/data//rsa-key-1.pub
it should look it up in
/var/lib/nordvpn/nordvpn/data/rsa-key-1.pub

this is easily ammended by copping files...

then next problem is it tries to find openvpn file
again can be ammended by coping files from /var/lib/nordvpn/nordvpn to /var/lib/nordvpn/

but now I run into some more serious problem

I was missing /dev/net/tun

which I created by doing this:

Code: Select all

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
cat /dev/net/tun

and now current issue:
log from nordvpnd when run manually ( I couldnt get it to log when run as service)

Code: Select all

2021/08/13 18:05:16 [Info] Daemon has started
2021/08/13 18:05:16 Kill Switch set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 18:05:16 Auto-connect set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 18:05:16 DNS set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 18:05:16 CyberSec set to: disabled
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 18:05:16 Protocol set to: UDP
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 18:05:16 Technology set to: OpenVPN
NordVPN App Connection Settings:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
KillSwitch: disabled
Obfuscate: disabled
Notify: enabled
Auto-connect: disabled

2021/08/13 18:05:21 PRE_CONNECT system info:
App Version: 3.9.5
OS Info:
NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo/Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"

System Info:Linux zgredek 5.10.52-gentoo-dlc-34 #1 SMP Tue Aug 3 09:14:00 EEST 2021 x86_64 AMD Ryzen 7 1800X Eight-Core Processor AuthenticAMD GNU/Linux


Routes of All Routing Tables:
default via 192.168.0.1 dev enp3s0 proto dhcp src 192.168.0.2 metric 2 
default via 192.168.0.1 dev enp3s0 proto dhcp metric 100 
192.168.0.0/24 dev enp3s0 proto dhcp scope link src 192.168.0.2 metric 2 
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.2 metric 100 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev enp3s0 table local proto kernel scope link src 192.168.0.2 
local 192.168.0.2 dev enp3s0 table local proto kernel scope host src 192.168.0.2 
broadcast 192.168.0.255 dev enp3s0 table local proto kernel scope link src 192.168.0.2 
local ::1 dev lo table local proto kernel metric 0 pref medium
multicast ff00::/8 dev enp3s0 table local proto kernel metric 256 pref medium

IP Rules:
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

IP Tables:
filter:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

nat:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

mangle:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

raw:
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT

security:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT


2021/08/13 18:05:21 [Debug] picking servers for OpenVPN technology
debug: Fri Aug 13 18:05:22 2021 OpenVPN 2.4.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  8 2021
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 OpenVPN 2.4.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  8 2021
debug: Fri Aug 13 18:05:22 2021 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: Connected to management server at /run/nordvpn/nordvpn-openvpn.sock
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: Connected to management server at /run/nordvpn/nordvpn-openvpn.sock
debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'state on'
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'state on'
debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'username "Auth" FU9gYxQnT7xy7SUGNxUPpEfN'
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'username "Auth" FU9gYxQnT7xy7SUGNxUPpEfN'
debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'password [...]'
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'password [...]'
debug: Fri Aug 13 18:05:22 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
debug: Fri Aug 13 18:05:22 2021 NOTE: --fast-io is disabled since we are not using UDP
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 NOTE: --fast-io is disabled since we are not using UDP
debug: Fri Aug 13 18:05:22 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
debug: Fri Aug 13 18:05:22 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
debug: Fri Aug 13 18:05:22 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]194.110.84.148:443
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]194.110.84.148:443
debug: Fri Aug 13 18:05:22 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]
debug: Fri Aug 13 18:05:22 2021 Attempting to establish TCP connection with [AF_INET]194.110.84.148:443 [nonblock]
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Attempting to establish TCP connection with [AF_INET]194.110.84.148:443 [nonblock]
debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: >STATE:1628867122,TCP_CONNECT,,,,,,
2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: >STATE:1628867122,TCP_CONNECT,,,,,,
debug: Fri Aug 13 18:05:23 2021 TCP connection established with [AF_INET]194.110.84.148:443
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TCP connection established with [AF_INET]194.110.84.148:443
debug: Fri Aug 13 18:05:23 2021 TCP_CLIENT link local: (not bound)
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TCP_CLIENT link local: (not bound)
debug: Fri Aug 13 18:05:23 2021 TCP_CLIENT link remote: [AF_INET]194.110.84.148:443
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TCP_CLIENT link remote: [AF_INET]194.110.84.148:443
debug: Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,WAIT,,,,,,
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,WAIT,,,,,,
debug: Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,AUTH,,,,,,
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,AUTH,,,,,,
debug: Fri Aug 13 18:05:23 2021 TLS: Initial packet from [AF_INET]194.110.84.148:443, sid=af42edf9 6ea9d291
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TLS: Initial packet from [AF_INET]194.110.84.148:443, sid=af42edf9 6ea9d291
debug: Fri Aug 13 18:05:23 2021 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
debug: Fri Aug 13 18:05:23 2021 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6
debug: Fri Aug 13 18:05:23 2021 VERIFY KU OK
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY KU OK
debug: Fri Aug 13 18:05:23 2021 Validating certificate extended key usage
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 Validating certificate extended key usage
debug: Fri Aug 13 18:05:23 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
debug: Fri Aug 13 18:05:23 2021 VERIFY EKU OK
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY EKU OK
debug: Fri Aug 13 18:05:23 2021 VERIFY OK: depth=0, CN=fi163.nordvpn.com
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY OK: depth=0, CN=fi163.nordvpn.com
debug: Fri Aug 13 18:05:23 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
debug: Fri Aug 13 18:05:23 2021 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
debug: Fri Aug 13 18:05:23 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
debug: Fri Aug 13 18:05:23 2021 [fi163.nordvpn.com] Peer Connection Initiated with [AF_INET]194.110.84.148:443
2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 [fi163.nordvpn.com] Peer Connection Initiated with [AF_INET]194.110.84.148:443
debug: Fri Aug 13 18:05:24 2021 MANAGEMENT: >STATE:1628867124,GET_CONFIG,,,,,,
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 MANAGEMENT: >STATE:1628867124,GET_CONFIG,,,,,,
debug: Fri Aug 13 18:05:24 2021 SENT CONTROL [fi163.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 SENT CONTROL [fi163.nordvpn.com]: 'PUSH_REQUEST' (status=1)
debug: Fri Aug 13 18:05:24 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
debug: Fri Aug 13 18:05:24 2021 Pushed option removed by filter: 'redirect-gateway def1'
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Pushed option removed by filter: 'redirect-gateway def1'
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: timers and/or timeouts modified
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: timers and/or timeouts modified
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: compression parms modified
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: compression parms modified
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
debug: Fri Aug 13 18:05:24 2021 Socket Buffers: R=[131072->425984] S=[87040->425984]
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Socket Buffers: R=[131072->425984] S=[87040->425984]
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ifconfig/up options modified
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ifconfig/up options modified
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: route-related options modified
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: route-related options modified
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: peer-id set
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: peer-id set
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: adjusting link_mtu to 1658
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: adjusting link_mtu to 1658
debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: data channel crypto options modified
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: data channel crypto options modified
debug: Fri Aug 13 18:05:24 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
debug: Fri Aug 13 18:05:24 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
debug: Fri Aug 13 18:05:24 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
debug: Fri Aug 13 18:05:24 2021 MANAGEMENT: Client disconnected
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 MANAGEMENT: Client disconnected
debug: Fri Aug 13 18:05:24 2021 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
debug: Fri Aug 13 18:05:24 2021 Exiting due to fatal error
2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Exiting due to fatal error
2021/08/13 18:05:24 [Error] FATAL: "ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)"
2021/08/13 18:05:24 POST_CONNECT system info:
Routes of All Routing Tables:
default via 192.168.0.1 dev enp3s0 proto dhcp src 192.168.0.2 metric 2 
default via 192.168.0.1 dev enp3s0 proto dhcp metric 100 
192.168.0.0/24 dev enp3s0 proto dhcp scope link src 192.168.0.2 metric 2 
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.2 metric 100 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev enp3s0 table local proto kernel scope link src 192.168.0.2 
local 192.168.0.2 dev enp3s0 table local proto kernel scope host src 192.168.0.2 
broadcast 192.168.0.255 dev enp3s0 table local proto kernel scope link src 192.168.0.2 
local ::1 dev lo table local proto kernel metric 0 pref medium
multicast ff00::/8 dev enp3s0 table local proto kernel metric 256 pref medium

IP Rules:
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

IP Tables:
filter:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

nat:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

mangle:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

raw:
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT

security:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

[lahouari]

ah it seem I should follow this guide:

https://wiki.gentoo.org/wiki/OpenVPN

[Hu]

first thing is that nordvpn deamon wants to create soc file in /run/nordvpn/ and that folder does not exist.

Right. That should be created either by the initscript or by a tmpfiles.d entry.

I modified my init.d file like so for now:

Code: Select all

pidfile="/run/${RC_SVCNAME}/${RC_SVCNAME}.pid"

That was probably the wrong solution. Among other things, init.d changes will be considered for overwrite on package update. CONFIG_PROTECT should avoid automatically losing the changes, but it's still an extra step you will need to deal with on every upgrade.

and created folder nordvpn folder in /run I think... or maybe the init script did... regardless after that there is another problem (deamon starts) but it then needs a certificate file it will look in

On most systems, /run is a tmpfs. Anything you create there manually will be lost on reboot.

/var/lib/nordvpn/data//rsa-key-1.pub
it should look it up in
/var/lib/nordvpn/nordvpn/data/rsa-key-1.pub

I disagree. The path it tried to use looks proper to me. If that is not where the file is, then the file is installed in the wrong place, and the ebuild needs to be modified.

this is easily ammended by copping files...

No.

then next problem is it tries to find openvpn file
again can be ammended by coping files from /var/lib/nordvpn/nordvpn to /var/lib/nordvpn/

Again, no. Fix the install path. If you copy files around, they become unmanaged, so on next upgrade, they will not be updated.

I was missing /dev/net/tun

which I created by doing this:

I would expect that this device would be done for you, if you have the required kernel support (CONFIG_TUN=y).

[lahouari]

Hay thanks for responce - yes yes it is a mess atm.. and I am working to fix it but I am stumbling blind.

So I intend to update the ebuild to do what it needs correctly (for creation of run foler etc it is obvious that it shouldnt be done manually.( I am just describing process of what I discover as I go along) init.d file I changed already in the ebuild files folder so it will be ok after updating.

as for the pub keys and and other files in /var/lib/nordvpn folder - yeah I agree that they need to be installed in to prper place by enuild but I also don't like the double slash in the path deamon uses.

There is the other problem mentioned above of nordvpn deamon or script its using looking for ip command in sbin therfor needing to have sym link created to ip command - should that be also added to nordvpn ebuild package?

@Hu do you know where I can find info how to cerate the run folder properly - that is the one I am not sure how to do. (I gues doing that in init script would be easiest ( check if folder exists and if not create it?)

[lahouari]

this is simpler solution though:

Following this guide:
https://support.nordvpn.com/Connectivit ... rminal.htm

One can download openvpn script files and use them to connect directly using openVPN client. (like Network Manager with openvpn plugin)

[Hu]

The double slash is a cosmetic issue only. The kernel will collapse it properly. It may indicate that the daemon tried to insert some empty string as an extra level of directory component.

No, this package should not symlink ip. Can you patch the package to use the proper path?

Historically, initscripts did handle the run directory on their own. However, the preferred path is now through tmpfiles. See man tmpfiles.d for documentation, although you may find it easier to find a similar package and derive your configuration from that.

[lahouari]

Thanks again:

I found how to manage the run path in here:
https://www.linuxhowtos.org/manpages/8/openrc-run.htm

checkpath should do nicely (I see other init scripts using it)

as to the ip path I will dig around but as it is binary package distribution I don't think I can do it - maybe it will be possible to get NordVPN guys to fix that...


Sometimes it is so frustrating that Gentoo is a fringe distribution but I would not trade it for any other

[lahouari]

Ok so I got it working almost out of the box:
only remaining problem is the ip being looked at in /usr/sbin instead of /usr/bin - work around for now create a sym link -ill ask nord vpn guys if this can be fixed better - but that will likely take time.

my code for now:
net-vpn/nordvpn/nordvpn-3.10.0.1.ebuild

Code: Select all

# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit eutils unpacker

MY_PV=$(ver_rs 3 '-')

DESCRIPTION="NordVPN native client"
HOMEPAGE="https://nordvpn.com"
SRC_URI="https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_${MY_PV}_amd64.deb"

LICENSE="NordVPN"
SLOT="0"
KEYWORDS="-* ~amd64"
IUSE=""

# TODO: verify that list of RDEPEND is complete
RDEPEND="net-misc/networkmanager
		net-vpn/networkmanager-openvpn
		sys-apps/iproute2
		acct-group/nordvpn"


RESTRICT="strip"
S="${WORKDIR}"

src_unpack() {
	# Unpack Debian package containing application's files
	unpack_deb ${A}
	gzip "${S}"/usr/share/doc/nordvpn/changelog.gz -d "${S}"
	gzip "${S}"/usr/share/man/man1/nordvpn.1.gz -d "${S}"
}

src_install() {
	cd ${S}

#   doinitd>etc/init.d/nordvpn
	newinitd "${FILESDIR}/nordvpn.initd" ${PN}

#   into<-->/usr
	dobin usr/bin/nordvpn
	dosbin usr/sbin/nordvpnd

	insinto /var/lib/
	doins -r var/lib/nordvpn

	fowners root:nordvpn /var/lib/nordvpn/openvpn
	fperms 0550 /var/lib/nordvpn/openvpn

	insinto /usr/share/bash-completion/completions
	doins usr/share/bash-completion/completions/nordvpn

	dodoc usr/share/doc/nordvpn/changelog
	doman usr/share/man/man1/nordvpn.1
}

net-vpn/nordvpn/files/nordvpn.initd

Code: Select all

#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

LOGFILE="/var/log/${RC_SVCNAME}/daemon"

command="/usr/sbin/nordvpnd"
pidfile="/run/${RC_SVCNAME}.pid"
retry="SIGTERM/30/SIGKILL/5"
start_stop_daemon_args="--make-pidfile -g ${RC_SVCNAME} --background -1 ${LOGFILE}"

depend() {
   use logger net
   provide dns
}

start_pre() {
   checkpath -d -m 0775 -o root:${RC_SVCNAME} /run/${RC_SVCNAME}
   checkpath -d -m 0755 -o root:${RC_SVCNAME} /var/log/${RC_SVCNAME}
}

and one more:
acct-group/nordvpn/nordvpn-0.ebuild

Code: Select all

# Copyright 2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

inherit acct-group

ACCT_GROUP_ID=-1

I do not like also that there is an executable openvpn installed into /var/lib/nordvpn folder - I don't think it should be necesary we could instead depend on native openvpn - but will have to check with NordVPN guys if it is possible. any way I hope this helps some

[lahouari]

I created overlay containig above package

https://gitlab.com/lahouari.dc/nordvpn/
It is now avariable through overlay (nordvpn)

Code: Select all

# eselect repository enable nordvpn
# emerge --sync nordvpn
# emerge nordvpn

# rc-service nordvpn start
# rc-update add nordvpn default

[lahouari]

@Hu - what do you think of adding an use flag conditional to add the symlink to ip? (USE=ipsymlink) I don't know if nordvpn will ever fix the deamon not to rely on the ip being in /sbin...

and it is a bit inconvenient to do a manual step after instalation...

Just thinking if it would be acceptable...

[Hu]

I don't think a USE flag would be right here. I think installing such a symlink is always wrong, but on the other hand, if the package is broken without the link, then there should not be an option not to install the link, because then users could readily install a non-working package. I'm pretty sure Nordvpn has never been right here. ip may once have been in /sbin, and is now in /bin. I am not aware of /usr/sbin/ip ever having been the correct path.

Is this path not something you can patch? Fixing one character should be an easy patch regardless of the language NordVPN is written in, particularly since we need to delete a character, not add one. If there are alignment requirements, changing s to / will let you preserve the length of the string, and still fix the problem, since //bin/ip is an inefficient alias for /bin/ip.

You wrote earlier in the thread that there are openvpn script files for this, and also that the package installs a binary openvpn. Exactly which component uses the wrong path? OpenVPN is GPLv2, so if Nord is redistributing an openvpn with the bad path embedded in there, you should be able to get the source and recompile with the right path.

[lahouari]

ok to clarify I used paths /usr/{s}bin by mistake - it is /sbin in the package - problem with patching is that it is binary package and I do not feel proficient enough to fix binary package with a patch.

I referred to openvpn scripts as those are available alternative to using native client from nordvpn and can be downloaded from nordvpn servers - but I find usage of openvpn scripts inconvenient.

nordvpn package consists of 3 binary files and some certificates and maybe some other little data files; binaries are
* nordvpnd - service deamon;
* nordvpn - command line client to manage nordvpnd and connect to vpn service
* openvpn - binary in /var/lib/nordvpn open vpn version used by nordvpnd.

I did talk with NordVPN customer support and asked them about changing or allowing for various location of ip command but given Gentoo is not officially supported distribution that may never happen - especially as we are not too many to justify changes from established paths. (I assume ip is installed to /sbin in Debian based distributions)

I am not certain if it is nordvpn or nordvpnd that uses wrong path to ip (I assume it is the deamon) according to customer support it is used to establish server nearest to you to connect to.

I am certain it isn't the openvpn binary that uses ip as it was first error that appeared when trying to get this to work and path to openvpn was an error after that...

I assume we could replace the binary openvpn delivered by this package with link to system native openvpn but that is separate issue

[Hu]

Patching one string in the binary should be pretty easy, but you would need to check the license terms first. Many vendors that fail to distribute source code also like to require restrictive licenses that prohibit modifying their binaries, even to fix their bugs. If the nordvpn daemon is just a patched/rebranded OpenVPN, then the license should be fairly friendly, and getting the source should be easy. If it's a custom program they wrote, they may have it under a restrictive license.

I seem to recall that /sbin was once the path of ip, but that was changed long ago, partly on the basis that Debian did it first.