Configure openvpn & nordvpn

Has anyone already configured nordvpn with this guide? https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-CI-setup-with-NordVPN.htm

Do I need to run this part of the manual on the new firmware 18.06.05?

(Optional) Do this step only if you have an older build of OpenWRT. Newer builds can skip this one.

If you have an older OpenWRT build, you can also download an archive here: https://downloads.nordcdn.com/configs/archives/certificates/servers.zip and find in it the corresponding files with the extensions "crt" and "key". The files are specific to each VPN server.

The OpenVPN configuration specific to NordVPN requires the input of username and password at each start of OpenVPN. To provide credentials automatically, append the word "secret" with a space to the string "auth-user-pass", so the resulting string should be "auth-user-pass secret".

Create the file with the name "secret" in the same folder, and provide credentials in it as follows: the first line is your login, the second line is your password:

username

password

The file itself contains the contents of the file "ca.crt" between the tags "<ca>" and "</ca>" and the contents of the file "ta.key" between the tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt" and "ta.key" with the corresponding content (excluding the tags) in the same folder, and replace the tagged content in the original file with the following strings:

ca ca.crt
tls-auth ta.key 1

I do not have internet after setup; I skip this paragraph.

If the configuration file that you use in step 3 has the user/pass/certs/keys, you'll be fine.
Post the configuration file, after you remove sensitive things like user/pass/private keys, as well as the output of:
uci show network; uci show firewall; ip -4 addr ; ip -4 ro; ip-4 ru; iptables-save

uci show network

root@Hu:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdfd:03ea:af64::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8' '8.8.4.4'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
network.nordvpntun=interface
network.nordvpntun.proto='none'
network.nordvpntun.ifname='tun0'
root@Hu:~#

uci show firewall

root@Hu:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnfirewall'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='nordvpntun'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnfirewall'
root@Hu:~#

ip -4 addr

root@Hu:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
root@Hu:~#

ip -4 ro

root@Hu:~# ip -4 ro
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
root@Hu:~#

ip-4 ru

root@Hu:~# ip-4 ru
-ash: ip-4: not found
root@Hu:~#

.ovpn file

client
dev tun
proto udp
remote 184.170.253.38 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

</tls-auth>

In the .ovpn file, do I need to add the username and password? I did not change anything in it.

Your main problem is that you don't have an uplink to the internet. Only the lan interface is up, and the vpn cannot connect without internet. Check the cables etc...

Other than that:

Change the line auth-user-pass to auth-user-pass /etc/openvpn/client.auth and create this file with your username on the first line and password on the second line.


It is excluded. I installed the packages before that and everything was fine; after the reboot I have the problem.

OK, added.

In Interfaces, for NORDVPNTUN I see Error: Network device is not present

By excluded you mean that you removed some lines from the output that you pasted here?
You need to paste here the exact output and cover any public IP or mac address.

Is there a tun0 interface, or did you exclude that too?

I didn't remove any lines.

This seems to be my problem (it comes out if I restart the interface):

Open VPN and NordVPN - #34 by Leon: this seems to be my problem, on screenshot 5

Then where is the wan (eth0) interface? I don't see it in "ip -4 addr", nor do you have a default gateway in "ip -4 ro".

This is also not seen in the output of these commands.

I suggest you reset the router to defaults and start from the beginning. The wan interface has to be there all the time, otherwise the vpn cannot work.

It was because I configured the router first behind 2 routers, and then connected it to the first (ISP) one.

root@hu:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.99.187/24 brd 192.168.99.255 scope global eth0
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
root@hu:~#
root@hu:~# ip -4 ro
default via 192.168.99.1 dev eth0 proto static src 192.168.99.187 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.187

And yet I don't understand what to do with this:

The file itself contains the contents of the file "ca.crt" between the tags "<ca>" and "</ca>" and the contents of the file "ta.key" between the tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt" and "ta.key" with the corresponding content (excluding the tags) in the same folder, and replace the tagged content in the original file with the following strings:

ca ca.crt
tls-auth ta.key 1

You don't need to do anything, the ca and key are included in the .ovpn config file you downloaded.

Add the line "log /tmp/ovpn.log" in the client config, reload the openvpn instance with "service openvpn restart" and check the log for any error messages.

log

Tue Nov 19 15:31:47 2019 disabling NCP mode (--ncp-disable) because not in P2MP
Options error: You must define TUN/TAP device (--dev)
Use --help for more information.

ls -la /etc/openvpn/ ; uci show openvpn; lsmod | grep tun
What is the output of these?

Also try to change the line dev tun to dev tun0

root@hu:~# ls -la /etc/openvpn/
drwxr-xr-x    2 root     root             0 Nov 19 15:51 .
drwxr-xr-x    1 root     root             0 Nov 17 01:49 ..
-rw-r--r--    1 root     root            32 Nov 19 13:52 secret
-rw-r--r--    1 root     root          2818 Nov 19 15:29 us4598.nordvpn.com.udp.ovpn
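A preflight check for a client .ovpn before handing it to the openvpn init script, written as an added example (not from this thread or NordVPN's guide). It catches the three things that bit this thread: a missing "dev" line (the "You must define TUN/TAP device" error), "auth-user-pass" without a credentials file, and a credentials file that is readable by everyone (the "secret" above is mode 644). It assumes a relative auth-user-pass path resolves against the config's own directory.

```shell
#!/bin/sh
# ovpn_preflight CONFIG: print findings, return 0 when clean, 1 otherwise.
# Added example; the directory-relative lookup of the credentials file is an
# assumption (OpenVPN's --cd decides the real working directory).
ovpn_preflight() {
    cfg=$1; dir=$(dirname "$cfg"); rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }

    # Without "dev tun" / "dev tun0" OpenVPN refuses to start at all.
    grep -Eq '^[[:space:]]*dev[[:space:]]+(tun|tap)[0-9]*' "$cfg" \
        || { echo "FAIL: no 'dev tun' line"; rc=1; }

    # A bare auth-user-pass prompts on the console, so an unattended
    # router never finishes connecting.
    if grep -Eq '^[[:space:]]*auth-user-pass' "$cfg"; then
        auth=$(sed -n 's/^[[:space:]]*auth-user-pass[[:space:]]*//p' "$cfg" | head -n1)
        if [ -z "$auth" ]; then
            echo "FAIL: auth-user-pass has no credentials file"; rc=1
        else
            case $auth in /*) f=$auth ;; *) f=$dir/$auth ;; esac
            if [ ! -f "$f" ]; then
                echo "FAIL: credentials file $f missing"; rc=1
            else
                # Exactly two non-empty lines: username, then password.
                [ "$(grep -c . "$f")" -eq 2 ] \
                    || { echo "FAIL: $f must hold 2 lines (user, pass)"; rc=1; }
                # The VPN password must not be group/world readable.
                mode=$(stat -c %a "$f")
                case $mode in
                    600|400) ;;
                    *) echo "FAIL: $f is mode $mode, run: chmod 600 $f"; rc=1 ;;
                esac
            fi
        fi
    fi

    # CA and tls-auth material must be present, inline or as files.
    for k in ca tls-auth; do
        grep -Eq "^[[:space:]]*(<$k>|$k[[:space:]]+[^[:space:]]+)" "$cfg" \
            || { echo "FAIL: no $k material"; rc=1; }
    done

    [ $rc -eq 0 ] && echo "OK: $cfg passed preflight"
    return $rc
}
```

Run it as `ovpn_preflight /etc/openvpn/us4598.nordvpn.com.udp.ovpn` before `service openvpn restart`; every FAIL line is something the OpenVPN log would otherwise report only after the service is up.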

From the router command line, can you ping the Nordvpn server 184.170.253.38, or anywhere else on the Internet?

Now it works. It didn't until I realized where the error was.

Where was the error?


For the second time, I did not specify the path to the configuration file in /etc/config/openvpn:

uci set openvpn.nordvpn.config='/etc/openvpn/al1.nordvpn.com.tcp.ovpn'

And yet, why does this installation not work through another router? (If I want to use it at work, for example.)

Does your internet-connected router also use the same 192.168.1.x subnet? (i.e. the same as your openvpn/openwrt router?)

If yes, change the LAN IP address of your openvpn client router to use a different subnet, e.g. 192.168.111.1
