feat(nordvpn): new API endpoint and wireguard support

[bubuntux]

(EDIT by qdm12):

Try it with:

docker run -it --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=nordvpn -e WIREGUARD_PRIVATE_KEY=CD75jsr7Dvjt+G0IHB2gKLDJ7agWPP4x707rhcU/nnY= -e VPN_TYPE=wireguard qmcgaw/gluetun:pr-1598

[bubuntux]

this should help to resolve #134 i think i can get wireguard working for nordvpn

[bubuntux]

also can help with #719

[qdm12]

Hi there, thanks for the contribution. And sorry for the huge delay, I was afk for a good few weeks.

I wasn't aware NordVPN had this much more advanced API endpoint, which simplifies a lot the Wireguard implementation as you've done, good job 👍

However, there are a few problems to resolve:

1. First, let's split away the generics refactoring to another PR since it has little to do with Nordvpn+Wireguard.
2. Even further, we could split your work in 1 PR for using the newer NordVPN API, and one for adding Wireguard support for Nordvpn. Not super compulsory, but it would be nice.
3. Can NordVPN servers have 0 location? Or more than 1 location? Why?
4. Move back the structure to how it was (api package -> updater package) so it matches all other providers. The changes still match the older interface and so on so there is no need to divert from it.
5. A bunch of small comments here and there.

Let me know if you can do it, otherwise I can finish it up if you moved on to something else 😉

[bubuntux]

Hi there, thanks for the contribution. And sorry for the huge delay, I was afk for a good few weeks.

I wasn't aware NordVPN had this much more advanced API endpoint, which simplifies a lot the Wireguard implementation as you've done, good job +1

However, there are a few problems to resolve:

1. First, let's split away the generics refactoring to another PR since it has little to do with Nordvpn+Wireguard.

2. Even further, we could split your work in 1 PR for using the newer NordVPN API, and one for adding Wireguard support for Nordvpn. Not super compulsory, but it would be nice.

3. Can NordVPN servers have 0 location? Or more than 1 location? Why?

4. Move back the structure to how it was (api package -> updater package) so it matches all other providers. The changes still match the older interface and so on so there is no need to divert from it.

5. A bunch of small comments here and there.

Let me know if you can do it, otherwise I can finish it up if you moved on to something else wink

yeah i can address those issues,
1, i'll split them in separate MR, i just did separate commits so it should be easy to separate into mrs
2. yeah will splot
3. as far i can tell there is only just one location, but the api is generic enough and seems like it could handle more
4. i change the structure because i had the idea of reusing the api for server selection so tried to have it in a more general way, but whatever i can make it follow the existing pattern,
5. yup will take a look, may take a little to address everything

i would like to start a few conversation in regards the interfaces and the files/models and so on,, but again i would do so in separate threads

[qdm12]

I'm working on this branch;

quick question, for Wireguard, do you have a public key to specify unique per server? If this is the case, there is little point to support Wireguard natively for Nordvpn, since you would need to download a wireguard config again and update the wireguard public key. You might as well simply bind mount a wireguard ini file directly. 🤔 Thanks!

EDIT: never mind found the public key in the metadata!

Other question... is it the same private key and interface address (WIREGUARD_ADDRESS) for all wireguard servers???

[qdm12]

@bubuntux I rebased/reworked the entire PR, it's now made of 3 commits which will get rebased and merged on the master branch, doing the following:

1. Use newer API endpoint
2. Add/Change server model fields: add city, country fields, and swap region <-> country fields
3. Add Wireguard support + update servers data

i change the structure because i had the idea of reusing the api for server selection so tried to have it in a more general way, but whatever i can make it follow the existing pattern,

Not the right time, but I'll keep this in mind. I need to finish up using a newer DNS in Gluetun and reworking the entire 'loop' start/stop logic, to be able to do (optional) API calls to i.e. the nordvpn API to get a recommended server.

[bubuntux]

hey @qdm12 thanks for looking into this branch i haven't had the chance to comeback to this, regarding

is it the same private key and interface address (WIREGUARD_ADDRESS) for all wireguard servers???
yeah i did noticed that a lot of servers using the same private key (didn't check if all tbh) and you connect using the same ip address (that is by nordvpn design), last time i tested it it was working fine with a few servers, but it has been a while... so.. if you push the image i can give it a test

[qdm12]

@bubuntux thanks for getting back! You can already try the image from this PR (well duplicate #1598), see #134 (comment)

try qmcgaw/gluetun:pr-1380 setting VPN_TYPE=wireguard, VPN_PROVIDER=nordvpn, WIREGUARD_PRIVATE_KEY=xxx and WIREGUARD_ADDRESS=yyy to see how it goes?

[bubuntux]

@qdm12 i was unable to test using qmcgaw/gluetun:pr-1380 (was unable to find that image in docker.io) i rebuild the image from this branch and i got an error

2023-05-28T17:52:23Z ERROR VPN settings: provider settings: VPN provider name is not valid for Wireguard: "private internet access" can only be one of airvpn, custom, ivpn, mullvad, nordvpn, surfshark or windscribe

i'm sure is something silly, but i didn't have the time to troubleshoot tbh, may be able to look at it later.

i'm confident the WIREGUARD_ADDRESS is fix to 10.5.0.2/32 similar to how is done here https://github.com/bubuntux/nordlynx/blob/4bd50d58911eaf4c31b2d2f4c393fc698b118e13/root/etc/services.d/wireguard/run#LL26C1-L26C34 (i though i set that on my initial changes) and the private key is gonna work with all the servers for sure.

[qdm12]

The image was tagged :pr-1598, my bad for getting mixed up (because the CI only builds and publishes images from branches originating from qdm12/gluetun to avoid leaking credentials/pushing a malicious image from a forked branch PR, so I opened #1598 as a duplicate for this branch).

Anyway trying it with:

docker run -it --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=nordvpn -e WIREGUARD_PRIVATE_KEY=XXX -e WIREGUARD_ADDRESS="XYZ/32" -e VPN_TYPE=wireguard qmcgaw/gluetun:pr-1598

Works fine (well obviously the connection doesn't work, I don't have a nordvpn account 😉) Maybe have a go with :pr-1598?

i'm sure is something silly, but i didn't have the time to troubleshoot tbh, may be able to look at it later.

No worry, please don't I have some free time finally so I can look into it.

i'm confident the WIREGUARD_ADDRESS is fix to 10.5.0.2/32 similar to how is done here

Are you sure the address is not BY USER??? I guess I can override it for Nordvpn wireguard so users don't have to specify it, but that looks a bit strange 🤔

[bubuntux]

Are you sure the address is not BY USER??? I guess I can override it for Nordvpn wireguard so users don't have to specify it, but that looks a bit strange thinking
Yes i know it seems odd, but is a feature call double nat, check https://youtu.be/uDBySHiYw5U?t=55, i have been using that ip for other containers i maintain along with hundred of other ppl, the ip is fix to all users.

[qdm12]

Alright then, it should now default by itself the addresses to 10.5.0.2/32 for nordvpn only 😉

[bubuntux]

@qdm12 i just did a test of the branch and seems to be working as expected

❯ docker run -it --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=nordvpn -e WIREGUARD_PRIVATE_KEY="xxx" -e VPN_TYPE=wireguard  ghcr.io/qdm12/gluetun:pr-1598

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version pr-1598 built on 2023-06-01T10:05:19.762Z (commit e3aebeb)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-06-02T03:43:23Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2023-06-02T03:43:23Z INFO [routing] local ethernet link found: eth0
2023-06-02T03:43:23Z INFO [routing] local ipnet found: 172.17.0.0/16
2023-06-02T03:43:23Z INFO [firewall] enabling...
2023-06-02T03:43:23Z INFO [firewall] enabled successfully
2023-06-02T03:43:24Z INFO [storage] creating /gluetun/servers.json with 17678 hardcoded servers
2023-06-02T03:43:24Z INFO Alpine version: 3.18.0
2023-06-02T03:43:24Z INFO OpenVPN 2.5 version: 2.5.8
2023-06-02T03:43:24Z INFO OpenVPN 2.6 version: 2.6.4
2023-06-02T03:43:24Z INFO Unbound version: 1.17.1
2023-06-02T03:43:24Z INFO IPtables version: v1.8.9
2023-06-02T03:43:24Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: nordvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: xxx
|       ├── Interface addresses:
|       |   └── 10.5.0.2/32
|       └── Network interface: tun0
|           └── MTU: 1420
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-06-02T03:43:24Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2023-06-02T03:43:24Z INFO [routing] adding route for 0.0.0.0/0
2023-06-02T03:43:24Z INFO [firewall] setting allowed subnets...
2023-06-02T03:43:24Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2023-06-02T03:43:24Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-06-02T03:43:24Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-06-02T03:43:24Z INFO [http server] http server listening on [::]:8000
2023-06-02T03:43:24Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-06-02T03:43:24Z INFO [firewall] allowing VPN connection...
2023-06-02T03:43:24Z INFO [wireguard] Using available kernelspace implementation
2023-06-02T03:43:24Z INFO [wireguard] Connecting to 103.62.49.193:51820
2023-06-02T03:43:24Z INFO [wireguard] Wireguard is up
2023-06-02T03:43:24Z INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-06-02T03:43:25Z INFO [healthcheck] healthy!
2023-06-02T03:43:28Z INFO [dns over tls] downloading hostnames and IP block lists
2023-06-02T03:43:35Z INFO [dns over tls] init module 0: validator
2023-06-02T03:43:35Z INFO [dns over tls] init module 1: iterator
2023-06-02T03:43:35Z INFO [dns over tls] start of service (unbound 1.17.1).
2023-06-02T03:43:37Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-06-02T03:43:37Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-06-02T03:43:39Z INFO [dns over tls] ready
2023-06-02T03:43:39Z INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2023-06-02T03:43:40Z INFO [healthcheck] healthy!
2023-06-02T03:43:41Z INFO [vpn] There is a new release v3.34.3 (v3.34.3) created 36 hours ago
2023-06-02T03:43:41Z INFO [ip getter] Public IP address is 103.62.49.195 (New Zealand, Auckland, Auckland)

noticed that is using 1.1.1.1 dns (nordvpn defaults are 103.86.96.100, 103.86.99.100) , i verified that the public ip address was the new zeland one ( using wget -qO- ipconfig.io )

I was able to select an specific server based on region, hostname, city and such using env variables

[GGegenhuber]

I tried it out as well and can confirm that everything works just fine

got my wg-key via sudo wg show nordlynx private-key

docker run -it --rm --cap-add=NET_ADMIN -e VPN_SERVICE_PROVIDER=nordvpn -e WIREGUARD_PRIVATE_KEY="xxx" -e VPN_TYPE=wireguard --sysctl net.ipv6.conf.all.disable_ipv6=0 ghcr.io/qdm12/gluetun:pr-1598

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version pr-1598 built on 2023-06-01T10:05:19.762Z (commit e3aebeb)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2023-06-03T16:53:25Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2023-06-03T16:53:25Z INFO [routing] default route found: interface eth0, gateway fd00::1, assigned IP fd00::242:ac11:2 and family v6
2023-06-03T16:53:25Z INFO [routing] local ethernet link found: eth0
2023-06-03T16:53:25Z INFO [routing] local ipnet found: 172.17.0.0/16
2023-06-03T16:53:25Z INFO [routing] local ipnet found: fd00::/80
2023-06-03T16:53:25Z INFO [routing] local ipnet found: fe80::/64
2023-06-03T16:53:25Z INFO [firewall] enabling...
2023-06-03T16:53:25Z INFO [firewall] enabled successfully
2023-06-03T16:53:25Z INFO [storage] creating /gluetun/servers.json with 17678 hardcoded servers
2023-06-03T16:53:25Z INFO Alpine version: 3.18.0
2023-06-03T16:53:25Z INFO OpenVPN 2.5 version: 2.5.8
2023-06-03T16:53:25Z INFO OpenVPN 2.6 version: 2.6.4
2023-06-03T16:53:25Z INFO Unbound version: 1.17.1
2023-06-03T16:53:25Z INFO IPtables version: v1.8.9
2023-06-03T16:53:25Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: nordvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: xxx
|       ├── Interface addresses:
|       |   └── 10.5.0.2/32
|       └── Network interface: tun0
|           └── MTU: 1420
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2023-06-03T16:53:25Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2023-06-03T16:53:25Z INFO [routing] default route found: interface eth0, gateway fd00::1, assigned IP fd00::242:ac11:2 and family v6
2023-06-03T16:53:25Z INFO [routing] adding route for 0.0.0.0/0
2023-06-03T16:53:25Z INFO [routing] adding route for ::/0
2023-06-03T16:53:25Z INFO [firewall] setting allowed subnets...
2023-06-03T16:53:25Z INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.2 and family v4
2023-06-03T16:53:25Z INFO [routing] default route found: interface eth0, gateway fd00::1, assigned IP fd00::242:ac11:2 and family v6
2023-06-03T16:53:25Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2023-06-03T16:53:25Z INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2023-06-03T16:53:25Z INFO [http server] http server listening on [::]:8000
2023-06-03T16:53:25Z INFO [healthcheck] listening on 127.0.0.1:9999
2023-06-03T16:53:25Z INFO [firewall] allowing VPN connection...
2023-06-03T16:53:25Z INFO [wireguard] Using available kernelspace implementation
2023-06-03T16:53:25Z INFO [wireguard] Connecting to 91.205.230.217:51820
2023-06-03T16:53:25Z INFO [wireguard] Wireguard is up
2023-06-03T16:53:25Z INFO [dns over tls] downloading DNS over TLS cryptographic files
2023-06-03T16:53:26Z INFO [healthcheck] healthy!
2023-06-03T16:53:27Z INFO [dns over tls] downloading hostnames and IP block lists
2023-06-03T16:53:31Z INFO [dns over tls] init module 0: validator
2023-06-03T16:53:31Z INFO [dns over tls] init module 1: iterator
2023-06-03T16:53:31Z INFO [dns over tls] start of service (unbound 1.17.1).
2023-06-03T16:53:31Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-06-03T16:53:31Z INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2023-06-03T16:53:32Z INFO [dns over tls] ready
2023-06-03T16:53:32Z INFO [vpn] There is a new release v3.34.3 (v3.34.3) created 3 days ago
2023-06-03T16:53:32Z INFO [ip getter] Public IP address is 185.128.9.78 (Portugal, Lisbon, Lisbon)

then i was able to veryfy that the container's network is routed via the connected vpn

[qdm12]

@bubuntux would you have an idea how to extract your private key using Docker? Just drafted:

docker run -it --rm debian
apt-get update -y
apt-get install -y curl
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)
nordvpn login

but this needs systemd to launch the nordvpn daemon (ugh), and then I am not sure which nordvpn commands to use to get to the point of getting the private key, can you enlighten me?🙏 I'm thinking to add instructions to the nordvpn github wiki page, since I don't really want to start bloating gluetun with nordlynx just to extract the private key.

[bubuntux]

@qdm12 i have that already using docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX ghcr.io/bubuntux/nordvpn:get_private_key

[bubuntux]

the code is on this repo https://github.com/bubuntux/nordvpn/tree/get_private_key

[qdm12]

Awesome thanks, I documented it there: https://github.com/qdm12/gluetun/wiki/NordVPN

[bubuntux]

@qdm12 i would also add the SERVER_CITIES env variable in the documentation now that is supported with the new api

[qdm12]

Done in qdm12/gluetun-wiki@c46180d