NordVPN on one VLAN

Awesome! Thank you so much.

I am going to install this evening when I am local and not remote and get it set up.

OK, default table is via tun, table 200 is via eth0.2

There is also a rule in the firewall to mark packets; see the output of:
iptables -S -t mangle

This is working perfectly, thank you so much :)!

Is there a way to make it autostart?

I spoke too soon, it works for about 10-15 minutes and then stops, any ideas?

Does the "service" stop working when this happens? Does it say "Running"?

It stays running but I have to click restart for it to work another 10-15 mins

Here is the log when it happened once:

Sat Aug  6 14:20:53 2022 daemon.notice openvpn(NordVPN)[3048]: [us8121.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Sat Aug  6 14:20:53 2022 daemon.notice openvpn(NordVPN)[3048]: SIGUSR1[soft,ping-restart] received, process restarting
Sat Aug  6 14:20:53 2022 daemon.notice openvpn(NordVPN)[3048]: Restart pause, 5 second(s)
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.xxx.70.xxx:1194
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: Socket Buffers: R=[180224->360448] S=[180224->360448]
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: UDP link local: (not bound)
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: UDP link remote: [AF_INET]185.xxx.70.xxx:1194
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: TLS: Initial packet from [AF_INET]185.xxx.70.xxx:1194, sid=xxxxxxx xxxxxxx
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA7
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: VERIFY KU OK
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: Validating certificate extended key usage
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: VERIFY EKU OK
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: VERIFY OK: depth=0, CN=us8121.nordvpn.com
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Sat Aug  6 14:20:58 2022 daemon.notice openvpn(NordVPN)[3048]: [us8121.nordvpn.com] Peer Connection Initiated with [AF_INET]185.xxx.70.xxx:1194
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: SENT CONTROL [us8121.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.2.6 255.255.255.0,peer-id 3,cipher AES-256-GCM'
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: Pushed option removed by filter: 'redirect-gateway def1'
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: explicit notify parm(s) modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: compression parms modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: Socket Buffers: R=[360448->360448] S=[360448->360448]
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: route-related options modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: peer-id set
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: adjusting link_mtu to 1657
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: OPTIONS IMPORT: data channel crypto options modified
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: Preserving previous TUN/TAP instance: tun0
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: Closing TUN/TAP interface
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: net_addr_v4_del: 10.8.0.7 dev tun0
Sat Aug  6 14:20:59 2022 daemon.notice netifd: Network device 'tun0' link is down
Sat Aug  6 14:20:59 2022 daemon.notice netifd: Interface 'VPN' has link connectivity loss
Sat Aug  6 14:21:01 2022 daemon.notice openvpn(NordVPN)[3048]: TUN/TAP device tun0 opened
Sat Aug  6 14:21:01 2022 daemon.notice openvpn(NordVPN)[3048]: net_iface_mtu_set: mtu 1500 for tun0
Sat Aug  6 14:21:01 2022 daemon.notice openvpn(NordVPN)[3048]: net_iface_up: set tun0 up
Sat Aug  6 14:21:01 2022 daemon.notice openvpn(NordVPN)[3048]: net_addr_v4_add: 10.8.2.6/24 dev tun0
Sat Aug  6 14:21:01 2022 daemon.notice netifd: Network device 'tun0' link is up
Sat Aug  6 14:21:01 2022 daemon.notice netifd: Interface 'VPN' has link connectivity
Sat Aug  6 14:21:01 2022 daemon.notice openvpn(NordVPN)[3048]: Initialization Sequence Completed
Sat Aug  6 14:21:36 2022 daemon.info dnsmasq-dhcp[5940]: DHCPREQUEST(eth0.10) 10.10.10.228 74:58:f3:53:cb:7b
Sat Aug  6 14:21:36 2022 daemon.info dnsmasq-dhcp[5940]: DHCPACK(eth0.10) 10.10.10.228 74:58:f3:53:cb:7b
Sat Aug  6 14:22:52 2022 daemon.info dnsmasq-dhcp[5940]: DHCPDISCOVER(eth0.10) 00:bf:af:2e:3b:88
Sat Aug  6 14:22:52 2022 daemon.info dnsmasq-dhcp[5940]: DHCPOFFER(eth0.10) 10.10.10.159 00:bf:af:2e:3b:88
Sat Aug  6 14:23:19 2022 daemon.info dnsmasq-dhcp[5940]: DHCPDISCOVER(eth0.10) 24:18:c6:aa:d9:56
Sat Aug  6 14:23:19 2022 daemon.info dnsmasq-dhcp[5940]: DHCPOFFER(eth0.10) 10.10.10.103 24:18:c6:aa:d9:56
Sat Aug  6 14:23:19 2022 daemon.info dnsmasq-dhcp[5940]: DHCPREQUEST(eth0.10) 10.10.10.103 24:18:c6:aa:d9:56
Sat Aug  6 14:23:19 2022 daemon.info dnsmasq-dhcp[5940]: DHCPACK(eth0.10) 10.10.10.103 24:18:c6:aa:d9:56
Sat Aug  6 14:23:20 2022 user.notice nft-qos-monitor: ACTION=update, MACADDR=24:18:c6:aa:d9:56, IPADDR=10.10.10.103, HOSTNAME=ROOter
Sat Aug  6 14:23:20 2022 user.notice nft-qos-dynamic: ACTION=update, MACADDR=24:18:c6:aa:d9:56, IPADDR=10.10.10.103, HOSTNAME=ROOter
Sat Aug  6 14:24:02 2022 daemon.notice netifd: Interface 'wan6_4' is setting up now
Sat Aug  6 14:24:02 2022 daemon.notice netifd: Interface 'wan6_4' is now down
Sat Aug  6 14:24:02 2022 user.notice URL-DEBUG: hotplug (iface): action='ifdown' interface='wan6_4'
Sat Aug  6 14:28:13 2022 daemon.info dnsmasq-dhcp[5940]: DHCPREQUEST(eth0.30) 10.10.30.96 e8:db:84:12:57:7c
Sat Aug  6 14:28:13 2022 daemon.info dnsmasq-dhcp[5940]: DHCPACK(eth0.30) 10.10.30.96 e8:db:84:12:57:7c espressif
Sat Aug  6 14:28:13 2022 user.notice nft-qos-monitor: ACTION=update, MACADDR=98:cd:ac:5b:68:74, IPADDR=10.10.30.104, HOSTNAME=ROOter
Sat Aug  6 14:28:13 2022 user.notice nft-qos-monitor: ACTION=update, MACADDR=e8:db:84:12:57:7c, IPADDR=10.10.30.96, HOSTNAME=espressif
Sat Aug  6 14:28:13 2022 user.notice nft-qos-dynamic: ACTION=update, MACADDR=98:cd:ac:5b:68:74, IPADDR=10.10.30.104, HOSTNAME=ROOter
Sat Aug  6 14:28:13 2022 user.notice nft-qos-dynamic: ACTION=update, MACADDR=e8:db:84:12:57:7c, IPADDR=10.10.30.96, HOSTNAME=espressif
Sat Aug  6 14:29:17 2022 daemon.info dnsmasq-dhcp[5940]: DHCPREQUEST(eth0.30) 10.10.30.104 98:cd:ac:5b:68:74
Sat Aug  6 14:29:17 2022 daemon.info dnsmasq-dhcp[5940]: DHCPACK(eth0.30) 10.10.30.104 98:cd:ac:5b:68:74 espressif
Sat Aug  6 14:29:17 2022 user.notice nft-qos-monitor: ACTION=update, MACADDR=e8:db:84:12:57:7c, IPADDR=10.10.30.96, HOSTNAME=ROOter
Sat Aug  6 14:29:17 2022 user.notice nft-qos-monitor: ACTION=update, MACADDR=98:cd:ac:5b:68:74, IPADDR=10.10.30.104, HOSTNAME=espressif
Sat Aug  6 14:29:17 2022 user.notice nft-qos-dynamic: ACTION=update, MACADDR=e8:db:84:12:57:7c, IPADDR=10.10.30.96, HOSTNAME=ROOter
Sat Aug  6 14:29:17 2022 user.notice nft-qos-dynamic: ACTION=update, MACADDR=98:cd:ac:5b:68:74, IPADDR=10.10.30.104, HOSTNAME=espressif
Sat Aug  6 14:29:33 2022 daemon.info dnsmasq-dhcp[5940]: DHCPREQUEST(eth0.10) 10.10.10.117 14:c1:4e:d9:1b:ac
Sat Aug  6 14:29:33 2022 daemon.info dnsmasq-dhcp[5940]: DHCPACK(eth0.10) 10.10.10.117 14:c1:4e:d9:1b:ac
Sat Aug  6 14:29:57 2022 daemon.info dnsmasq-dhcp[5940]: DHCPREQUEST(eth0.30) 10.10.30.159 3c:84:6a:e7:b5:ed
Sat Aug  6 14:29:57 2022 daemon.info dnsmasq-dhcp[5940]: DHCPACK(eth0.30) 10.10.30.159 3c:84:6a:e7:b5:ed KP400
Sat Aug  6 14:31:22 2022 daemon.info dnsmasq-dhcp[5940]: DHCPREQUEST(eth0.10) 10.10.10.193 0c:ee:99:e2:56:b3
Sat Aug  6 14:31:22 2022 daemon.info dnsmasq-dhcp[5940]: DHCPACK(eth0.10) 10.10.10.193 0c:ee:99:e2:56:b3

I think I need to do this: https://docs.openwrt.melmac.net/vpn-policy-routing/#a-word-about-interface-hotplug-script

But can't figure it out

Your vpn is restarting due to inactivity.

Are you using 4G/5G LTE broadband?

Copy and paste the right script relevant to your version of PBR into putty and hit Enter. Might need to restart router.

Solving why Nord is dropping-out is your best course of action.

This script has solved the problem, it seems. NordVPN by nature has to reset itself every so often, I was told, so there is no way to avoid that.

Everything is working great after the script though :)

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I spoke too soon, the script does help. But it doesn't always restart or enable after the VPN goes down and then restarts.

Not sure how to troubleshoot this?
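One way to troubleshoot this from the log itself, as an added example that is not part of the original thread: walk the syslog lines, pair each OpenVPN ping-restart with the "Initialization Sequence Completed" that follows, and record whether netifd saw the link drop and whether tun0 came back with a different address (in the posted log it moved from 10.8.0.7 to 10.8.2.6). A restart that takes the interface down and changes its address is exactly the case where routes and rules tied to tun0 have to be re-applied by a hotplug script. The sample lines are a condensed copy of the log above, constructed here for the example.

```python
import re
from datetime import datetime

# Constructed sample: condensed copy of the OpenVPN/netifd lines posted above.
SAMPLE_LOG = """\
Sat Aug  6 14:20:53 2022 daemon.notice openvpn(NordVPN)[3048]: [us8121.nordvpn.com] Inactivity timeout (--ping-restart), restarting
Sat Aug  6 14:20:53 2022 daemon.notice openvpn(NordVPN)[3048]: SIGUSR1[soft,ping-restart] received, process restarting
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sat Aug  6 14:20:59 2022 daemon.notice openvpn(NordVPN)[3048]: net_addr_v4_del: 10.8.0.7 dev tun0
Sat Aug  6 14:20:59 2022 daemon.notice netifd: Interface 'VPN' has link connectivity loss
Sat Aug  6 14:21:01 2022 daemon.notice openvpn(NordVPN)[3048]: net_addr_v4_add: 10.8.2.6/24 dev tun0
Sat Aug  6 14:21:01 2022 daemon.notice netifd: Interface 'VPN' has link connectivity
Sat Aug  6 14:21:01 2022 daemon.notice openvpn(NordVPN)[3048]: Initialization Sequence Completed
"""

# syslog-style prefix: "Sat Aug  6 14:20:53 2022 <rest of line>"
TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) (.*)$")

def parse_ts(line):
    """Split a syslog line into (datetime, message); (None, line) if no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None, line
    ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group(2)

def analyse_restarts(log_text):
    """One dict per ping-restart cycle: start/end time, old/new tun0 address,
    whether netifd saw the link drop, and whether routes need re-applying."""
    events, cur = [], None
    for raw in log_text.splitlines():
        ts, msg = parse_ts(raw)
        if ts is None:
            continue
        if "Inactivity timeout (--ping-restart)" in msg:
            cur = {"started": ts, "completed": None, "old_addr": None,
                   "new_addr": None, "link_dropped": False}
            events.append(cur)
        elif cur is None:
            continue
        elif "net_addr_v4_del: " in msg:
            cur["old_addr"] = msg.split("net_addr_v4_del: ")[1].split()[0]
        elif "net_addr_v4_add: " in msg:
            cur["new_addr"] = msg.split("net_addr_v4_add: ")[1].split()[0].split("/")[0]
        elif "has link connectivity loss" in msg:
            cur["link_dropped"] = True
        elif "Initialization Sequence Completed" in msg:
            cur["completed"] = ts
    for ev in events:
        ev["outage_s"] = (ev["completed"] - ev["started"]).total_seconds() if ev["completed"] else None
        # Link went down, or tun0 came back with another address: anything
        # routed via tun0 / the old address must be re-applied after the restart.
        ev["routes_need_reapply"] = ev["link_dropped"] or (
            ev["old_addr"] is not None and ev["old_addr"] != ev["new_addr"])
    return events
```

Run it over `logread` output from the router; a cycle with `routes_need_reapply` set and no matching PBR reload in the log afterwards points at the hotplug script not firing.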

PBR is working correctly. Your problem is Nord is dropping-out.

You may want to try another solution?
Try option 3 from @Trendy's post here.

Would that code be the following?

config rule
        option in 'lan'
        option src '10.10.20.1/24'
        option lookup '100'

config route
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

I have all my VLANs on the lan firewall, does this need to change now?

This is not correct: use either .1/32 or omit it to classify all ingress packets.

config rule
        option in 'lan'
        option src '10.10.20.1'
        option lookup '100'

config route
        option interface 'VPN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

Would the above cover the entire VLAN on 10.10.20.1/24 to the VPN? Do I need to change anything on the firewall zone? I have all of my VLANs on the lan firewall zone currently

No, this covers only one address.

Just make sure that the lan zone is allowed to forward to the vpn zone.

What would I put there to cover the entire 10.10.20.x subnet?

Okay, I will double check this :)

10.10.20.0/24
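A small sanity check for the `option src` value before it goes into /etc/config/network, as an added example that is not from the thread: it tells apart the three spellings that came up above (a single host, a proper network, and a network written with host bits set such as 10.10.20.1/24) and reports whether the value actually covers the whole VLAN. The VLAN prefix is taken from the thread; the function name is the example's own.

```python
import ipaddress

# The VLAN the thread wants sent through the VPN.
VLAN = ipaddress.ip_network("10.10.20.0/24")

def check_rule_src(src, vlan=VLAN):
    """Classify a UCI 'option src' value and say whether it covers the whole VLAN.

    Returns (kind, normalized, covers_vlan) where kind is 'host', 'network' or
    'host-bits-set' (a prefix like 10.10.20.1/24, which strict parsing rejects)."""
    if "/" not in src:
        host = ipaddress.ip_address(src)
        return ("host", str(host), False)
    try:
        net = ipaddress.ip_network(src)            # strict: host bits must be zero
    except ValueError:
        fixed = ipaddress.ip_network(src, strict=False)
        return ("host-bits-set", str(fixed), fixed == vlan)
    if net.num_addresses == 1:                     # e.g. 10.10.20.1/32: one address
        return ("host", str(net.network_address), False)
    return ("network", str(net), net == vlan)
```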

Thank you :) I will give this a shot