# NordVPN

## Tae_kyon

I have a subscription to NordVPN and am using it on my Gentoo box. However, I have to import the server configuration files manually into Network-Manager every time.

Openpyn and other such instruments I've found need to be installed with PIP, and in the end I can never get them to work.

An ebuild for nordmn is on panther-overlay, doesn't work either.

Has anyone found a good solution to this?

Thanks

----------

## nowlodek

You can use NordVPN Linux app.

Get the latest deb package from https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/

Use deb2tar to convert to tar. 

Extract 

/usr/bin/nordvpn to /usr/local/bin

and

/usr/sbin/nordvpnd to /usr/local/sbin

and

/var/lib/nordvpn to /var/lib

then create init file

touch /etc/init.d/nordvpnd

 with

```
#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

command="/usr/local/sbin/nordvpnd"
pidfile="/run/${RC_SVCNAME}.pid"
retry="SIGTERM/5/SIGTERM/5/SIGKILL/5"
start_stop_daemon_args="--background --make-pidfile"

depend() {
	use logger net
	provide dns
}
```

To use it start daemon first 

```
rc-service nordvpnd start
```

login to nordvpn

```
nordvpn login
```

and 

```
nordvpn connect
```

in case of issues with OpenVPN mode, switch to NordLynx mode 

```
nordvpn set technology nordlynx
```

----------

## Tae_kyon

Thanks! Looks like just what I need!

----------

## nowlodek

I'm lazy but I did it.

An ebuild for NordVPN

```
touch /usr/local/portage/net-vpn/nordvpn/nordvpn-3.6.0.3.ebuild
```

nordvpn-3.6.0.3.ebuild

```

# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit eutils unpacker

MY_PV=$(ver_rs 3 '-')

DESCRIPTION="NordVPN native client"
HOMEPAGE="https://nordvpn.com"
SRC_URI="https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_${MY_PV}_amd64.deb"

LICENSE="NordVPN"
SLOT="0"
KEYWORDS="-* ~amd64"
IUSE=""

# TODO: verify that list of RDEPEND is complete
RDEPEND="net-misc/networkmanager
	net-vpn/networkmanager-openvpn"

RESTRICT="strip"

S="${WORKDIR}"

src_unpack() {
	# Unpack Debian package containing application's files
	unpack_deb ${A}
	gzip "${S}"/usr/share/doc/nordvpn/changelog.gz -d "${S}"
	gzip "${S}"/usr/share/man/man1/nordvpn.1.gz -d "${S}"
}

src_install() {
	cd "${S}"
#	doinitd etc/init.d/nordvpn
	newinitd "${FILESDIR}"/nordvpn.initd ${PN}
#	into /usr
	dobin usr/bin/nordvpn
	dosbin usr/sbin/nordvpnd
	insinto /var/lib/nordvpn
	doins -r var/lib/nordvpn
	insinto /usr/share/bash-completion/completions
	doins usr/share/bash-completion/completions/nordvpn

	dodoc usr/share/doc/nordvpn/changelog
	doman usr/share/man/man1/nordvpn.1
}
```

new init file for package

```
touch /usr/local/portage/net-vpn/nordvpn/files/nordvpn.initd
```

nordvpn.initd

```

#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

command="/usr/sbin/nordvpnd"
pidfile="/run/${RC_SVCNAME}.pid"
retry="SIGTERM/5/SIGTERM/5/SIGKILL/5"
start_stop_daemon_args="--background --make-pidfile"

depend() {
	use logger net
	provide dns
}
```

Last edited by nowlodek on Sun Jan 26, 2020 8:51 pm; edited 1 time in total

----------

## Hu

The way you represent tabs makes it difficult for users to quickly copy/paste this into a working ebuild.  Do you have a repository somewhere from which interested users could download it?  If not, consider posting the ebuild with tabs as actual tabs, not as placeholders.

*nowlodek wrote:*

> ```
> SRC_URI="https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_${MY_PV}_amd64.deb"
> ```
> ...

I think it is conventional to include a -* in KEYWORDS when, as here, you download a prebuilt file that only works on one architecture.

```
· If you do not know if an ebuild runs under a particular arch,
  then do not specify it in KEYWORDS.  It will then be masked by
  default on that architecture.

· If the ebuild is known not to work on an arch, disable that
  arch in KEYWORDS.  This would be done by specifying "-ppc",
  for example. This will ensure that it is explicitly
  keyword-masked for that architecture.
```

In this case, you know it will not work on non-amd64.

*nowlodek wrote:*

> ```
> DEPEND="${RDEPEND}"
> ```
> ...

I think this is incorrect.  As a prebuilt package, the only things needed to "build" it are tools for unpacking upstream's archive.  The packages in your RDEPEND may be needed to run it, but are not needed if someone just wants to run emerge --buildpkgonly.

*nowlodek wrote:*

> ```
> S=${WORKDIR}
> ```
> ...

For consistency, this should be quoted.

*nowlodek wrote:*

> ```
> <------>gzip ${S}/usr/share/doc/nordvpn/changelog.gz -d ${S}
> ```
> ...

Again, quoting.  Although rare, some people might set PORTAGE_TMPDIR, and by extension WORKDIR, and by extension, S, to a path with spaces.

*nowlodek wrote:*

> ```
> <------>cd ${S}
> ```
> ...

Quoting.

*nowlodek wrote:*

> ```
> command="/usr/local/sbin/nordvpnd"
> ```
> ...

Your ebuild installs this file into /usr/sbin, not /usr/local/sbin.

----------

## nowlodek

Thank you for looking up.

There are other architectures, so I started with ~amd64 with the hope of including another.

Post altered accordingly.

----------

## elover

Hey, I found this ebuild.

nordvpn-3.5.0-r2.ebuild

```
# Copyright 2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit unpacker

DESCRIPTION="NordVPN CLI tool for Linux"
HOMEPAGE="https://nordvpn.com"
BASE_URI="https://repo.nordvpn.com/deb/${PN}/debian/pool/main"
SRC_URI="
	amd64? ( "${BASE_URI}/${P/-/_}-${PR/r}_amd64.deb" )
	arm? ( "${BASE_URI}/${P/-/_}-${PR/r}_armel.deb" )
	arm64? ( "${BASE_URI}/${P/-/_}-${PR/r}_arm64.deb" )
	x86? ( "${BASE_URI}/${P/-/_}-${PR/r}_i386.deb" )
"

LICENSE="NordVPN"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~x86"
IUSE="nordlynx systemd"
RESTRICT="mirror strip"

RDEPEND="
	dev-libs/libxslt[crypt]
	net-firewall/iptables
	sys-apps/iproute2[iptables]
	sys-apps/net-tools
	sys-process/procps
	nordlynx? (
		net-vpn/wireguard[module,tools]
	)
	systemd? (
		sys-apps/systemd
	)
"

S="${WORKDIR}"

src_unpack() {
	unpack_deb "${A}"
}

src_prepare() {
	rm _gpgbuilder || die
	use !systemd && ( rm -rf usr/lib || die )
	mv usr/share/doc/nordvpn/changelog.gz .
	gunzip changelog.gz
	mv usr/share/man/man1/${PN}.1.gz .
	gunzip ${PN}.1.gz
	rm -rf usr/share/man \
		usr/share/doc \
		etc
	default
}

src_install() {
	dodoc changelog
	rm changelog
	doman ${PN}.1
	rm ${PN}.1
	mkdir -p "${ED}"
	cp -r . "${ED}"/
	doinitd "${FILESDIR}/${PN}"
}

pkg_postinst() {
	echo
	elog "Thanks for installing the NordVPN client."
	elog "Don't forget to purchase your NordVPN plan in order to use the client."
	echo
}
```

Could it be arranged for the latest version deb?

----------

## nowlodek

Change the number and save it as nordvpn-3.6.0-r4.ebuild and try to emerge.

Deb file structure is the same so elevating ebuild should work.

Current deb file ver. 3.6.0-3 => 3.6.0-r4 ebuild ver.

----------

## MrEncryptor

HEY!

If you're getting this when you try to connect:

```
~ $ nordvpn c
A new version of NordVPN is available! Please update the application.
Connecting to Arrakis #420 (xx.nordvpn.com)
Whoops! Connection failed. Please try again. If the problem persists, contact our customer support.
```

And if you're getting this issue in your `/usr/sbin/nordvpnd` logs:

```
2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 /sbin/ip link set dev tun0 up mtu 1500
2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 MANAGEMENT: Client disconnected
2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 Linux ip link set failed: could not execute external program
2020/02/25 22:01:52 [INFO] Tue Feb 25 22:01:52 2020 Exiting due to fatal error
2020/02/25 22:01:52 [Error] Linux ip link set failed: could not execute external program
2020/02/25 22:01:52 Linux ip link set failed: could not execute external program
```

It's probably because your ip binary is in `/bin/ip` instead of `/sbin/ip` where nordvpn wants to use it. My solution was to symlink it there:

```
# ln -s /bin/ip /sbin/ip
```

----------

## rmk88

Probably a stupid question, but I did follow the instructions in the second post and then I got this:

```
nae ~ # rc-service nordvpnd start
 * Starting nordvpnd ...                                                  [ ok ]
rmk@nae ~ $ nordvpn login
Whoops! /run/nordvpn/nordvpnd.sock not found
```

What am I doin' wrong?

----------

## lahouari

I have the same issue.

When trying to run nordvpnd manually this output shows:

```
2021/08/13 14:29:24 [Info] Daemon has started

2021/08/13 14:29:24 Kill Switch set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 14:29:24 Auto-connect set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 14:29:24 DNS set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 14:29:24 CyberSec set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 14:29:24 Protocol set to: UDP

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 14:29:24 Technology set to: OpenVPN

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 14:29:24 Error on listening to UNIX domain socket: listen unix /run/nordvpn/nordvpnd.sock: bind: no such file or directory

```

----------

## Hu

The error states that the socket does not exist.  Why not?  Does the containing directory exist?  If not, who was supposed to create it?  Why did that program not create it?  Since the path is under /run, I would expect this to be managed by a tmpfiles.d entry.  Do you have tmpfiles enabled?  Does the package install the right configuration for tmpfiles?

----------

## lahouari

OK, after some digging and with the help of support from NordVPN I moved a step further...

but not yet there.

so:

first thing is that nordvpn daemon wants to create soc file in /run/nordvpn/ and that folder does not exist.

I modified my init.d file like so for now:

```
pidfile="/run/${RC_SVCNAME}/${RC_SVCNAME}.pid"
```

and created the nordvpn folder in /run I think... or maybe the init script did... regardless, after that there is another problem (daemon starts) but it then needs a certificate file it will look in

/var/lib/nordvpn/data//rsa-key-1.pub

it should look it up in

/var/lib/nordvpn/nordvpn/data/rsa-key-1.pub

this is easily amended by copying files...

then next problem is it tries to find openvpn file

again can be amended by copying files from /var/lib/nordvpn/nordvpn to /var/lib/nordvpn/

but now I run into some more serious problem

I was missing /dev/net/tun

which I created by doing this:

```
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
cat /dev/net/tun
```

and now current issue:

log from nordvpnd when run manually (I couldn't get it to log when run as service)

```

2021/08/13 18:05:16 [Info] Daemon has started

2021/08/13 18:05:16 Kill Switch set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 18:05:16 Auto-connect set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 18:05:16 DNS set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 18:05:16 CyberSec set to: disabled

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 18:05:16 Protocol set to: UDP

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 18:05:16 Technology set to: OpenVPN

NordVPN App Connection Settings:

Technology: OpenVPN

Protocol: UDP

Firewall: enabled

KillSwitch: disabled

Obfuscate: disabled

Notify: enabled

Auto-connect: disabled

2021/08/13 18:05:21 PRE_CONNECT system info:

App Version: 3.9.5

OS Info:

NAME=Gentoo

ID=gentoo

PRETTY_NAME="Gentoo/Linux"

ANSI_COLOR="1;32"

HOME_URL="https://www.gentoo.org/"

SUPPORT_URL="https://www.gentoo.org/support/"

BUG_REPORT_URL="https://bugs.gentoo.org/"

System Info:Linux zgredek 5.10.52-gentoo-dlc-34 #1 SMP Tue Aug 3 09:14:00 EEST 2021 x86_64 AMD Ryzen 7 1800X Eight-Core Processor AuthenticAMD GNU/Linux

2021/08/13 18:05:21 [Debug] picking servers for OpenVPN technology

debug: Fri Aug 13 18:05:22 2021 OpenVPN 2.4.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  8 2021

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 OpenVPN 2.4.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  8 2021

debug: Fri Aug 13 18:05:22 2021 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10

debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: Connected to management server at /run/nordvpn/nordvpn-openvpn.sock

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: Connected to management server at /run/nordvpn/nordvpn-openvpn.sock

debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'state on'

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'state on'

debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'username "Auth" FU9gYxQnT7xy7SUGNxUPpEfN'

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'username "Auth" FU9gYxQnT7xy7SUGNxUPpEfN'

debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'password [...]'

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: CMD 'password [...]'

debug: Fri Aug 13 18:05:22 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit

debug: Fri Aug 13 18:05:22 2021 NOTE: --fast-io is disabled since we are not using UDP

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 NOTE: --fast-io is disabled since we are not using UDP

debug: Fri Aug 13 18:05:22 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

debug: Fri Aug 13 18:05:22 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

debug: Fri Aug 13 18:05:22 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]194.110.84.148:443

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]194.110.84.148:443

debug: Fri Aug 13 18:05:22 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Socket Buffers: R=[131072->131072] S=[16384->16384]

debug: Fri Aug 13 18:05:22 2021 Attempting to establish TCP connection with [AF_INET]194.110.84.148:443 [nonblock]

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 Attempting to establish TCP connection with [AF_INET]194.110.84.148:443 [nonblock]

debug: Fri Aug 13 18:05:22 2021 MANAGEMENT: >STATE:1628867122,TCP_CONNECT,,,,,,

2021/08/13 18:05:22 [INFO] Fri Aug 13 18:05:22 2021 MANAGEMENT: >STATE:1628867122,TCP_CONNECT,,,,,,

debug: Fri Aug 13 18:05:23 2021 TCP connection established with [AF_INET]194.110.84.148:443

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TCP connection established with [AF_INET]194.110.84.148:443

debug: Fri Aug 13 18:05:23 2021 TCP_CLIENT link local: (not bound)

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TCP_CLIENT link local: (not bound)

debug: Fri Aug 13 18:05:23 2021 TCP_CLIENT link remote: [AF_INET]194.110.84.148:443

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TCP_CLIENT link remote: [AF_INET]194.110.84.148:443

debug: Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,WAIT,,,,,,

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,WAIT,,,,,,

debug: Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,AUTH,,,,,,

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 MANAGEMENT: >STATE:1628867123,AUTH,,,,,,

debug: Fri Aug 13 18:05:23 2021 TLS: Initial packet from [AF_INET]194.110.84.148:443, sid=af42edf9 6ea9d291

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 TLS: Initial packet from [AF_INET]194.110.84.148:443, sid=af42edf9 6ea9d291

debug: Fri Aug 13 18:05:23 2021 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA

debug: Fri Aug 13 18:05:23 2021 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA6

debug: Fri Aug 13 18:05:23 2021 VERIFY KU OK

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY KU OK

debug: Fri Aug 13 18:05:23 2021 Validating certificate extended key usage

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 Validating certificate extended key usage

debug: Fri Aug 13 18:05:23 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

debug: Fri Aug 13 18:05:23 2021 VERIFY EKU OK

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY EKU OK

debug: Fri Aug 13 18:05:23 2021 VERIFY OK: depth=0, CN=fi163.nordvpn.com

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 VERIFY OK: depth=0, CN=fi163.nordvpn.com

debug: Fri Aug 13 18:05:23 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'

debug: Fri Aug 13 18:05:23 2021 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

debug: Fri Aug 13 18:05:23 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA

debug: Fri Aug 13 18:05:23 2021 [fi163.nordvpn.com] Peer Connection Initiated with [AF_INET]194.110.84.148:443

2021/08/13 18:05:23 [INFO] Fri Aug 13 18:05:23 2021 [fi163.nordvpn.com] Peer Connection Initiated with [AF_INET]194.110.84.148:443

debug: Fri Aug 13 18:05:24 2021 MANAGEMENT: >STATE:1628867124,GET_CONFIG,,,,,,

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 MANAGEMENT: >STATE:1628867124,GET_CONFIG,,,,,,

debug: Fri Aug 13 18:05:24 2021 SENT CONTROL [fi163.nordvpn.com]: 'PUSH_REQUEST' (status=1)

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 SENT CONTROL [fi163.nordvpn.com]: 'PUSH_REQUEST' (status=1)

debug: Fri Aug 13 18:05:24 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'

debug: Fri Aug 13 18:05:24 2021 Pushed option removed by filter: 'redirect-gateway def1'

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Pushed option removed by filter: 'redirect-gateway def1'

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: timers and/or timeouts modified

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: timers and/or timeouts modified

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: compression parms modified

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: compression parms modified

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified

debug: Fri Aug 13 18:05:24 2021 Socket Buffers: R=[131072->425984] S=[87040->425984]

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Socket Buffers: R=[131072->425984] S=[87040->425984]

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ifconfig/up options modified

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ifconfig/up options modified

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: route-related options modified

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: route-related options modified

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: peer-id set

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: peer-id set

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: adjusting link_mtu to 1658

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: adjusting link_mtu to 1658

debug: Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: data channel crypto options modified

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 OPTIONS IMPORT: data channel crypto options modified

debug: Fri Aug 13 18:05:24 2021 Data Channel: using negotiated cipher 'AES-256-GCM'

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Data Channel: using negotiated cipher 'AES-256-GCM'

debug: Fri Aug 13 18:05:24 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

debug: Fri Aug 13 18:05:24 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

debug: Fri Aug 13 18:05:24 2021 MANAGEMENT: Client disconnected

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 MANAGEMENT: Client disconnected

debug: Fri Aug 13 18:05:24 2021 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

debug: Fri Aug 13 18:05:24 2021 Exiting due to fatal error

2021/08/13 18:05:24 [INFO] Fri Aug 13 18:05:24 2021 Exiting due to fatal error

2021/08/13 18:05:24 [Error] FATAL: "ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)"

```

----------

## lahouari

Ah, it seems I should follow this guide:

https://wiki.gentoo.org/wiki/OpenVPN

----------

## Hu

*lahouari wrote:*

> first thing is that nordvpn daemon wants to create soc file in /run/nordvpn/ and that folder does not exist.

Right.  That should be created either by the initscript or by a tmpfiles.d entry.

*lahouari wrote:*

> I modified my init.d file like so for now:
> 
> ```
> pidfile="/run/${RC_SVCNAME}/${RC_SVCNAME}.pid"
> ```
> ...

That was probably the wrong solution.  Among other things, init.d changes will be considered for overwrite on package update.  CONFIG_PROTECT should avoid automatically losing the changes, but it's still an extra step you will need to deal with on every upgrade.

*lahouari wrote:*

> and created the nordvpn folder in /run I think... or maybe the init script did... regardless, after that there is another problem (daemon starts) but it then needs a certificate file it will look in

On most systems, /run is a tmpfs.  Anything you create there manually will be lost on reboot.

*lahouari wrote:*

> /var/lib/nordvpn/data//rsa-key-1.pub
> 
> it should look it up in
> 
> /var/lib/nordvpn/nordvpn/data/rsa-key-1.pub

I disagree.  The path it tried to use looks proper to me.  If that is not where the file is, then the file is installed in the wrong place, and the ebuild needs to be modified.

*lahouari wrote:*

> this is easily amended by copying files...

No.

*lahouari wrote:*

> then next problem is it tries to find openvpn file
> 
> again can be amended by copying files from /var/lib/nordvpn/nordvpn to /var/lib/nordvpn/

Again, no.  Fix the install path.  If you copy files around, they become unmanaged, so on next upgrade, they will not be updated.

*lahouari wrote:*

> I was missing /dev/net/tun
> 
> which I created by doing this:

I would expect that this device would be done for you, if you have the required kernel support (CONFIG_TUN=y).
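
The failures reported so far in this thread (no /run/nordvpn for the socket, /sbin/ip not present, key and openvpn files one directory too deep under /var/lib/nordvpn, no /dev/net/tun) can be checked in one pass before starting the daemon. The script below is an added example, not code from any poster or from NordVPN; the function names, the optional root-prefix argument and the world-writable check on the socket directory are assumptions made here.

```sh
#!/bin/sh
# Added example: checks the prerequisites whose absence produced the errors
# quoted in this thread. The optional first argument is a hypothetical root
# prefix, so a staged install image can be checked instead of the live system.

PF_FAILURES=0

_pf_fail() {
	# $1 = path that failed the check, $2 = hint drawn from the discussion
	printf 'FAIL %s: %s\n' "$1" "$2"
	PF_FAILURES=$((PF_FAILURES + 1))
}

nordvpn_preflight() {
	root="${1:-}"
	PF_FAILURES=0

	# nordvpnd binds /run/nordvpn/nordvpnd.sock. /run is normally a tmpfs, so
	# a directory created by hand is gone after the next reboot.
	rundir="$root/run/nordvpn"
	if [ ! -d "$rundir" ]; then
		_pf_fail "$rundir" "socket directory missing; create it via tmpfiles.d or checkpath"
	elif [ -n "$(find "$rundir" -prune -perm -0002 -print)" ]; then
		# Assumption added here: a world-writable socket directory lets any
		# local user plant or replace the daemon's control socket.
		_pf_fail "$rundir" "socket directory is world-writable"
	fi

	# The daemon log shows /sbin/ip being invoked by absolute path.
	[ -x "$root/sbin/ip" ] ||
		_pf_fail "$root/sbin/ip" "not executable; ip may be installed in /bin on this system"

	# Files the daemon looks up directly under /var/lib/nordvpn. If they sit
	# under /var/lib/nordvpn/nordvpn instead, the ebuild's install path is off.
	[ -e "$root/var/lib/nordvpn/data/rsa-key-1.pub" ] ||
		_pf_fail "$root/var/lib/nordvpn/data/rsa-key-1.pub" "key file not found; check the ebuild's insinto path"
	[ -e "$root/var/lib/nordvpn/openvpn" ] ||
		_pf_fail "$root/var/lib/nordvpn/openvpn" "openvpn file not found; check the ebuild's insinto path"

	# OpenVPN mode needs the TUN character device (kernel CONFIG_TUN).
	[ -c "$root/dev/net/tun" ] ||
		_pf_fail "$root/dev/net/tun" "TUN device missing; check kernel CONFIG_TUN"

	# Exit status is the number of failed checks (0 means ready to start).
	return "$PF_FAILURES"
}

# Check the live system when run as a script; pass a prefix to check a staged tree.
nordvpn_preflight "${1:-}" || echo "$? prerequisite(s) missing"
```

The function only reads the filesystem, so it can be run as an unprivileged user against the live system or against an image directory before `emerge` merges it.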

----------

## lahouari

Hey, thanks for the response - yes, yes, it is a mess atm.. and I am working to fix it but I am stumbling blind.

So I intend to update the ebuild to do what it needs correctly (for creation of the run folder etc. it is obvious that it shouldn't be done manually; I am just describing the process of what I discover as I go along). The init.d file I changed already in the ebuild files folder, so it will be OK after updating.

As for the pub keys and other files in the /var/lib/nordvpn folder - yeah, I agree that they need to be installed into the proper place by the ebuild, but I also don't like the double slash in the path the daemon uses.

There is the other problem mentioned above of the nordvpn daemon, or a script it's using, looking for the ip command in sbin, therefore needing to have a symlink created to the ip command - should that also be added to the nordvpn ebuild package?

@Hu do you know where I can find info on how to create the run folder properly - that is the one I am not sure how to do. (I guess doing that in the init script would be easiest: check if the folder exists and if not create it?)

Last edited by lahouari on Fri Aug 13, 2021 9:02 pm; edited 1 time in total

----------

## lahouari

This is a simpler solution though:

Following this guide:

https://support.nordvpn.com/Connectivity/Linux/1047409422/How-can-I-connect-to-NordVPN-using-Linux-Terminal.htm

One can download openvpn script files and use them to connect directly using openVPN client. (like Network Manager with openvpn plugin)

----------

## Hu

The double slash is a cosmetic issue only.  The kernel will collapse it properly.  It may indicate that the daemon tried to insert some empty string as an extra level of directory component.

No, this package should not symlink ip.  Can you patch the package to use the proper path?

Historically, initscripts did handle the run directory on their own.  However, the preferred path is now through tmpfiles.  See man tmpfiles.d for documentation, although you may find it easier to find a similar package and derive your configuration from that.

----------

## lahouari

Thanks again:

I found how to manage the run path in here:

https://www.linuxhowtos.org/manpages/8/openrc-run.htm

checkpath should do nicely (I see other init scripts using it)

As to the ip path, I will dig around, but as it is a binary package distribution I don't think I can do it - maybe it will be possible to get the NordVPN guys to fix that...

Sometimes it is so frustrating that Gentoo is a fringe distribution :) but I would not trade it for any other :)

----------

## lahouari

Ok so I got it working almost out of the box:

The only remaining problem is the ip being looked at in /usr/sbin instead of /usr/bin - the workaround for now is to create a symlink - I'll ask the NordVPN guys if this can be fixed better - but that will likely take time.

My code for now:

net-vpn/nordvpn/nordvpn-3.10.0.1.ebuild

```
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

EAPI=7

inherit eutils unpacker

# Upstream names the .deb with a '-' before the revision (third separator)
MY_PV=$(ver_rs 3 '-')

DESCRIPTION="NordVPN native client"
HOMEPAGE="https://nordvpn.com"
SRC_URI="https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/nordvpn_${MY_PV}_amd64.deb"

LICENSE="NordVPN"
SLOT="0"
KEYWORDS="-* ~amd64"
IUSE=""

# TODO: verify that list of RDEPEND is complete
RDEPEND="net-misc/networkmanager
      net-vpn/networkmanager-openvpn
      sys-apps/iproute2
      acct-group/nordvpn"

# Prebuilt binaries: do not strip them
RESTRICT="strip"

S="${WORKDIR}"

src_unpack() {
   # Unpack Debian package containing application's files
   unpack_deb ${A}

   # Decompress in place so dodoc/doman can install the plain files
   gzip -d "${S}"/usr/share/doc/nordvpn/changelog.gz || die
   gzip -d "${S}"/usr/share/man/man1/nordvpn.1.gz || die
}

src_install() {
   cd "${S}" || die

#   doinitd etc/init.d/nordvpn
   newinitd "${FILESDIR}/nordvpn.initd" ${PN}

#   into /usr
   dobin usr/bin/nordvpn
   dosbin usr/sbin/nordvpnd

   insinto /var/lib/
   doins -r var/lib/nordvpn

   # Bundled openvpn binary: readable and executable by root and the nordvpn group only
   fowners root:nordvpn /var/lib/nordvpn/openvpn
   fperms 0550 /var/lib/nordvpn/openvpn

   insinto /usr/share/bash-completion/completions
   doins usr/share/bash-completion/completions/nordvpn

   dodoc usr/share/doc/nordvpn/changelog
   doman usr/share/man/man1/nordvpn.1
}
```

net-vpn/nordvpn/files/nordvpn.initd

```
#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

LOGFILE="/var/log/${RC_SVCNAME}/daemon"

command="/usr/sbin/nordvpnd"
pidfile="/run/${RC_SVCNAME}.pid"
retry="SIGTERM/30/SIGKILL/5"
# -g: run with the service's group; -1: redirect the daemon's stdout to the log file
start_stop_daemon_args="--make-pidfile -g ${RC_SVCNAME} --background -1 ${LOGFILE}"

depend() {
   use logger net
   provide dns
}

start_pre() {
   # Create the run and log directories with the expected owner and mode
   checkpath -d -m 0775 -o root:${RC_SVCNAME} /run/${RC_SVCNAME}
   checkpath -d -m 0755 -o root:${RC_SVCNAME} /var/log/${RC_SVCNAME}
}
```

and one more:

acct-group/nordvpn/nordvpn-0.ebuild

```
# Copyright 2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

inherit acct-group

ACCT_GROUP_ID=-1
```

I also do not like that there is an executable openvpn installed into the /var/lib/nordvpn folder - I don't think it should be necessary; we could instead depend on the native openvpn - but I will have to check with the NordVPN guys if it is possible. Anyway, I hope this helps some :)

----------

## lahouari

I created an overlay containing the above package:

https://gitlab.com/lahouari.dc/nordvpn/

It is now available through the overlay (nordvpn):

```
# eselect repository enable nordvpn
# emerge --sync nordvpn
# emerge nordvpn
# rc-service nordvpn start
# rc-update add nordvpn default
```

----------

## lahouari

@Hu - what do you think of adding a USE flag conditional to add the symlink to ip? (USE=ipsymlink) I don't know if nordvpn will ever fix the daemon not to rely on the ip being in /sbin...

And it is a bit inconvenient to do a manual step after installation...

Just thinking if it would be acceptable...

----------

## Hu

I don't think a USE flag would be right here.  I think installing such a symlink is always wrong, but on the other hand, if the package is broken without the link, then there should not be an option not to install the link, because then users could readily install a non-working package.  I'm pretty sure Nordvpn has never been right here.  ip may once have been in /sbin, and is now in /bin.  I am not aware of /usr/sbin/ip ever having been the correct path.

Is this path not something you can patch?  Fixing one character should be an easy patch regardless of the language NordVPN is written in, particularly since we need to delete a character, not add one.  If there are alignment requirements, changing s to / will let you preserve the length of the string, and still fix the problem, since //bin/ip is an inefficient alias for /bin/ip.

You wrote earlier in the thread that there are openvpn script files for this, and also that the package installs a binary openvpn.  Exactly which component uses the wrong path?  OpenVPN is GPLv2, so if Nord is redistributing an openvpn with the bad path embedded in there, you should be able to get the source and recompile with the right path.
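The same-length edit described above (`/sbin/ip` to `//bin/ip`), as an added example that is not code from this thread or from NordVPN: it rewrites only occurrences that stand alone, so longer paths containing the same bytes are left untouched and reported for review. The sample bytes are constructed, and `classify`, `patch` and the `/sbin/iptables` and `route` strings are assumptions made for illustration.

```python
import re

OLD = b"/sbin/ip"
NEW = b"//bin/ip"  # same length, so nothing else in the file moves
assert len(OLD) == len(NEW)

# Bytes that can continue a path name. A hit touching one of these belongs to a
# longer string such as "/usr/sbin/ip" or "/sbin/iptables" and is skipped.
# Some toolchains store strings without NUL terminators, so a genuine hit can
# also land in the skipped list; review its context before patching by hand.
_PATH = rb"[A-Za-z0-9_.\-/]"


def classify(data: bytes):
    """Return (offset, standalone, context) for every occurrence of OLD."""
    hits = []
    for m in re.finditer(re.escape(OLD), data):
        before = data[max(m.start() - 1, 0):m.start()]
        after = data[m.end():m.end() + 1]
        standalone = not (re.fullmatch(_PATH, before) or re.fullmatch(_PATH, after))
        context = data[max(m.start() - 8, 0):m.end() + 8]
        hits.append((m.start(), standalone, context))
    return hits


def patch(data: bytes):
    """Rewrite standalone hits only; return (patched, patched_offsets, skipped_offsets)."""
    out = bytearray(data)
    patched, skipped = [], []
    for offset, standalone, _ in classify(data):
        if standalone:
            out[offset:offset + len(OLD)] = NEW
            patched.append(offset)
        else:
            skipped.append(offset)
    return bytes(out), patched, skipped


# Constructed sample standing in for a string table; not bytes from nordvpnd.
SAMPLE = b"\x7fELF\x00/sbin/ip\x00/sbin/iptables\x00/usr/sbin/ip\x00route\x00"

if __name__ == "__main__":
    for offset, standalone, context in classify(SAMPLE):
        print(f"{offset:#06x} {'patch' if standalone else 'skip '} {context!r}")
```

Run against a copy of the real file, the skipped offsets are the ones to inspect by hand before deciding whether they need the same edit.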

----------

## lahouari

OK, to clarify: I used paths /usr/{s}bin by mistake - it is /sbin in the package - the problem with patching is that it is a binary package and I do not feel proficient enough to fix a binary package with a patch.

I referred to the openvpn scripts as those are an available alternative to using the native client from nordvpn and can be downloaded from the nordvpn servers - but I find usage of the openvpn scripts inconvenient.

The nordvpn package consists of 3 binary files and some certificates and maybe some other little data files; the binaries are:

* nordvpnd - service daemon;

* nordvpn - command line client to manage nordvpnd and connect to the vpn service;

* openvpn - binary in /var/lib/nordvpn, the openvpn version used by nordvpnd.

I did talk with NordVPN customer support and asked them about changing or allowing for various locations of the ip command, but given Gentoo is not an officially supported distribution that may never happen - especially as we are not too many to justify changes from established paths. (I assume ip is installed to /sbin in Debian based distributions)

I am not certain if it is nordvpn or nordvpnd that uses the wrong path to ip (I assume it is the daemon); according to customer support it is used to establish the server nearest to you to connect to.

I am certain it isn't the openvpn binary that uses ip, as it was the first error that appeared when trying to get this to work, and the path to openvpn was an error after that...

I assume we could replace the binary openvpn delivered by this package with a link to the system native openvpn, but that is a separate issue.

----------

## Hu

Patching one string in the binary should be pretty easy, but you would need to check the license terms first.  Many vendors that fail to distribute source code also like to require restrictive licenses that prohibit modifying their binaries, even to fix their bugs.  If the nordvpn daemon is just a patched/rebranded OpenVPN, then the license should be fairly friendly, and getting the source should be easy.  If it's a custom program they wrote, they may have it under a restrictive license.

I seem to recall that /sbin was once the path of ip, but that was changed long ago, partly on the basis that Debian did it first.

----------

## lahouari

Hmm, so from that thread of 11 years ago (BTW great memory Hu):

 *Quote:*   

> debian seems to install ip in /bin and installing a symlink from /sbin/ip to /bin/ip (...)

 

Our iproute2 package does not provide such a symlink; I guess Debian still does.

Yeah, nordvpn is their own program; they give the option to use openvpn technology or nordlynx, I think...

It is security software, so I doubt they would allow for any modifications to their binary. I'll try to check that.

I'll pursue that with them and see what they have to say about that. For now I'll add the USE flag to the ebuild in the overlay.

Thanks for your help.

----------

## lahouari

Or a better idea - I could create a sbin symlink ebuild whose sole responsibility would be to create the /sbin/ip symlink.

That could depend on iproute2,

and then make nordvpn depend on that...

That sounds cleaner to me.

----------

