NORDVPN prevent traffic leakage settings don't work

I see what periodically (e...g..., the next morning) get ip leak with some servers of nordvpn.
At the moment I use the official faq

OpenWrt 19.07.8

/etc/firewall.user and /etc/hotplug.d/iface/99-prevent-leak already was configured


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT


if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j R
       iptables -D forwarding_rule -j REJECT
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rul
       iptables -I forwarding_rule -j REJECT

How I really can prevent traffic leakage ?
my ISP supports only ivp4

The simplest way to prevent leakage is to just remove the forwarding from lan > wan. You'll see this in the main firewall file as a forward rule... delete it and no traffic will be allowed out of the wan from the lan.

1 Like

Also @gien I use NordVPN myself. They are great, but you may well want to consider using WireGuard rather than OpenVPN. Check out this excellent guide here:

The reason for the above steps is that NordVPN don't release WireGuard credentials. They want everyone to use their own NordLynx built upon WireGuard, but it is easy to extract the relevant credentials as demonstrated above. I think NordVPN are fine with this, they just don't (yet?) officially support WireGuard.

1 Like

only see from lan to wan

config forwarding
        option src 'lan'
        option dest 'wan'

That's the one I'm talking about... I made a typo above (edit: now corrected), sorry.

Delete that one and you'll be good -- no leaks.

1 Like

thank you !
I will try

BTW if VPN is not critical for your use case you may want to consider setting up VPN pbr such that you failover to WAN on VPN failure so you retain internet connectivity.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.