[Instruction] Config NordVPN wireguard (Nordlynx) on OpenWrt

As you guys may know, NordVPN has supported WireGuard for over a year now, and unfortunately they're not planning to release configuration files anytime soon.
I thought I'd share this tutorial here so people can at least enjoy the performance of WireGuard.

All you need is a Linux machine, or if you don't have one, run it in a VM.
I'm using Ubuntu.

Install the following packages on your machine:

  1. wireguard: sudo apt install wireguard
  2. curl: sudo apt install curl
  3. jq: sudo apt install jq
  4. net-tools: sudo apt install net-tools
  5. nordvpn: sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)

log in to your nordvpn app via this command:
sudo nordvpn login

change connection protocol to nordlynx:
sudo nordvpn set technology nordlynx

connect to your preferred server:
sudo nordvpn c nl # to connect to the Netherlands, as an example

Now run the command below and write down the IP somewhere, you'll need it later (it will be your WireGuard interface IP):
ifconfig nordlynx

now use the following command to get your private key:

sudo wg show nordlynx private-key

output should be something like this:
:warning: never share your private key with anyone!

now enter this command:

curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'

The output should be like the picture above, which includes:
nl826.nordvpn.com #your endpoint host
178.239.173.207 #endpoint host ip
Amsterdam #city
Netherlands #country
5PXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXF30= #public key which is different for each server
9 #server load at the time

:warning: Keep in mind that the above command gives you the fastest server at the time. If you're looking for the information of a specific server, connect to that country, copy the URL above into your browser and from there search manually by the server number (e.g. nl833) using CTRL+F.

Now you can install the following packages on your router to connect to WireGuard using the information you got above:
kmod-wireguard luci-app-wireguard luci-proto-wireguard wireguard wireguard-tools

Once you have installed the above packages, go to LuCI -> Network -> Interfaces.
Add a new interface using the WireGuard VPN protocol.
Once you have created your interface, on the General tab enter your private key, and for the IP address enter the one you got using the ifconfig command.
Now hop on to the Peers tab and enter your public key.
For allowed IPs use: 0.0.0.0/0
Endpoint host: the IP of the VPN host you got at the last step
Endpoint port: 51820
Persistent Keep Alive: 25
Hit Save and then Save & Apply, then assign a firewall zone for it and add a DNS! That's it.

The credit goes to @teymur88 from the gl-inet forum for publishing this method.
Also, sorry for my grammar issues; English is not my native language.

6 Likes
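
The LuCI steps in the post above, expressed as uci batch input. This is an added example, not part of the original post and not OpenWrt or NordVPN tooling; it also sets the dns and route_allowed_ips options that later replies in this thread found necessary. The section name nordlynx, the key-file argument and the WAN zone being @zone[1] (as in a default firewall config) are assumptions.

```shell
#!/bin/sh
# Added example: build `uci batch` input from the values collected on the
# Linux machine. Section name "nordlynx" and KEYFILE are assumptions.

is_wg_key() {   # 32-byte key in base64: 43 characters plus one "="
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}
is_ipv4() {     # shape check only, optional /prefix allowed
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# usage: nordlynx_uci_batch KEYFILE ADDRESS PEER_PUBKEY ENDPOINT_IP
nordlynx_uci_batch() {
    # The private key is read from a file so it never lands in shell history.
    [ -r "$1" ] || { echo "cannot read key file" >&2; return 1; }
    priv=$(tr -d ' \r\n' < "$1")
    is_wg_key "$priv" || { echo "private key is malformed" >&2; return 1; }
    is_wg_key "$3"    || { echo "peer public key is malformed" >&2; return 1; }
    is_ipv4 "$2"      || { echo "bad interface address" >&2; return 1; }
    is_ipv4 "$4"      || { echo "bad endpoint address" >&2; return 1; }
    cat <<EOF
set network.nordlynx=interface
set network.nordlynx.proto='wireguard'
set network.nordlynx.private_key='$priv'
add_list network.nordlynx.addresses='$2'
set network.nordlynx.dns='103.86.96.100 103.86.99.100'
add network wireguard_nordlynx
set network.@wireguard_nordlynx[-1].public_key='$3'
add_list network.@wireguard_nordlynx[-1].allowed_ips='0.0.0.0/0'
set network.@wireguard_nordlynx[-1].route_allowed_ips='1'
set network.@wireguard_nordlynx[-1].endpoint_host='$4'
set network.@wireguard_nordlynx[-1].endpoint_port='51820'
set network.@wireguard_nordlynx[-1].persistent_keepalive='25'
add_list firewall.@zone[1].network='nordlynx'
commit network
commit firewall
EOF
}
```

On the router, pipe the function's output into uci batch. The output contains the private key, so handle it like the key itself.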

Perfect, this is exactly what I was looking for, thanks Armin! :slight_smile:

Can you please elaborate on the last step, about assigning a firewall zone and adding a dns? Since I'm a new OpenWrt user, I'm not familiar with that yet.

Could you please share the steps on how to complete the steps to setup NordLynx? Your help is highly appreciated!

Thanks again!

1 Like

I would just add the Wireguard interface you created to the WAN zone.

I just tried that, by setting the "Create / Assign firewall-zone" value to "WAN" in the newly created "NordLynx" interface:


But that doesn't seem to do the trick (even after a reboot of my OpenWrt device): my external IP is still visible/unchanged when checking via sites like "hidemyass". Am I forgetting something?

Show us your wireguard config.
/ Network.
Peer and interface setting

Sure, here you go:

I've done everything as explained above.

And the peers tab:

LuCI > Network > Interfaces > NORDLYNX > Edit

  • Peers > Route Allowed IPs > Check

Save > Save & Apply

1 Like

check route allowed IPs

That was definitely doing "something", but leaves me with a non-working internet connection after a reboot. Unchecking it again (and rebooting the router) brings the internet up again, but brings me back to the old issue. I guess the NORDLYNX bridge hasn't been configured well in that case, right?

Take a look at Solved: nordvpn OpenWrt wireguard client. Compare the contents of your network and firewall files to the contents in section "B - Via configuration files" and post back with the results.

Since you already have the correct public/private keys (which is something they are not willing to provide at this time (I tried)), maybe this will allow you to find the cause it's not (yet) working.

1 Like

are you sure the endpoint port is 51820? and what about listen port?

also, your IP addresses in the interface need CIDR notation, no?? /24, /32

Thanks guys! That link solved my problem. Adding the dns-record to the "network" config file solved my problem. I added both NordVPN DNS servers to my NordLynx interface:

option dns '103.86.96.100 103.86.99.100'

After a reboot, everything worked fine.

I guess that was what the topic starter meant with "adding a dns"... :wink: It seems a little strange that you can't add it through the LuCI interface though...

1 Like

Thanks, @Armin, great guide!

But I'm getting different results from running the NordVPN app on my desktop machine. Having the wg tunnel in the router is giving me less speed and leaking DNS (a bunch of OpenDNS addresses). Could use some help diagnosing this, I'm not a networking guy :stuck_out_tongue:

Here's my network config file:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:6172:a852::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth2 eth3'
        option ipaddr '192.168.1.1'

config interface 'wan_tim'
        option ifname 'eth0'
        option proto 'pppoe'
        option password 'guest'
        option ipv6 'auto'
        option username 'guest'
        option metric '10'

config interface 'wg_nordvpn'
        option proto 'wireguard'
        list addresses '10.5.0.2'
        option private_key 'private_key_here'
        option dns '103.86.96.100 103.86.99.100'
        option gateway '10.5.0.0'

config wireguard_wg_nordvpn
        option public_key 'public_key_here'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '209.14.0.243'

What other configs should I provide?

Never mind, fixed the DNS leaks. All I had to do was disable "Use DNS servers advertised by peer" on my pppoe interface.

Speed is probably just a server thing, probably need to try different ones.

Thanks again for the guide!
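
A check for the three misconfigurations this thread ran into (no dns on the WireGuard interface, route_allowed_ips not enabled on the peer, and the WAN interface still accepting DNS servers advertised by the ISP, which is the peerdns option behind the LuCI checkbox). This is an added example, not code from any poster; the function names and the sample config are constructed, modelled on the file posted above.

```shell
#!/bin/sh
# Added example: lint an OpenWrt /etc/config/network for the problems
# discussed in this thread. Function names and the sample are constructed.

lint_network() {   # usage: lint_network FILE ; prints one finding per line
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }   # drop the single quotes
    function report() {
        if (type == "interface" && o["proto"] == "wireguard" && !("dns" in o))
            print name ": wireguard interface has no dns option"
        if (type ~ /^wireguard_/ && o["route_allowed_ips"] != "1")
            print type ": route_allowed_ips is not enabled"
        if (type == "interface" && o["proto"] ~ /^(pppoe|dhcp)$/ && o["peerdns"] != "0")
            print name ": peerdns not disabled, ISP DNS servers stay in use"
        split("", o)   # reset options for the next section
    }
    $1 == "config" { report(); type = $2; name = unq($3) }
    $1 == "option" || $1 == "list" { o[$2] = unq($3) }
    END { report() }
    ' "$1"
}

sample_config() {   # constructed sample with all three problems present
    cat <<'EOF'
config interface 'wan_tim'
        option ifname 'eth0'
        option proto 'pppoe'

config interface 'wg_nordvpn'
        option proto 'wireguard'
        list addresses '10.5.0.2'
        option private_key 'private_key_here'

config wireguard_wg_nordvpn
        option public_key 'public_key_here'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '209.14.0.243'
EOF
}
```

Run it on the router as lint_network /etc/config/network; no output means none of the three conditions was found.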

I am getting the below error when I try to install nordvpn on Ubuntu:

sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to downloads.nordcdn.com:443

When I try to access the URL direct from Firefox, I get the below error:

Secure Connection Failed

An error occurred during a connection to downloads.nordcdn.com. PR_END_OF_FILE_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Can anyone help?

This forum is for OpenWRT, not Ubuntu and not NordVPN. However, this link may be useful for you: https://www.google.com/search?q="OpenSSL+SSL_connect%3A+SSL_ERROR_SYSCALL"

True, but to follow the above steps I need to install NordVPN on linux.

What happens if you try to go to https://downloads.nordcdn.com/ in your web browser?

Gets the below error:

Secure Connection Failed

An error occurred during a connection to downloads.nordcdn.com. PR_END_OF_FILE_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.