
nordvpn's Introduction

Julio Gutierrez

Most of my work experience has been using Java and related technologies, but I'm trying to move into:

  • Rust/Go for backend & cli 🧑‍💻
  • React + Typescript for 🌐
  • Flutter (Dart) for 📱 + 🖱️

Donations

If you like my work or it has been of use to you, consider donating 😃

Pickiness

I'm picky because I want my development experience to be ☀️ and not ⛈️

  • 🐧 I want a Linux OS for my work computer, currently running Fedora Sericea. 🙅 No Windows or OSX
  • 🐳 I develop in containers (literally), that's why Linux is a must (Distrobox FTW!)
  • ❤️ Java 17+, Spring, Bash, Containers, Linux, REST, NeoVim
  • 🌱 I know a little and want to learn more about: Rust, Go, Dart, Flutter
  • 💢 I know but don't want to use: C#, Python, Nodejs, Javascript, Scala, Jenkins

Other

  • I 💬 Spanish and English (learning Esperanto)
  • 🎲 Boardgames enjoyer
  • 🏠 self-hosted enthusiast
  • Father of 🐥 🐣 🐣
  • :accessibility: 🧩 ❤️ 🧡 💛 💚 💙 💜

🎉 Thanks for looking

nordvpn's People

Contributors

archmonger, azinchen, bachp, bjeanes, bubuntux, cnwilkin, cohaolain, dependabot[bot], domb84, frapace, fredericrous, gabrielsturtevant, hbattat, jackwilsdon, jpflouret, jsawatzky, klara31, leonstoldt, mhhplumber, mortn, mstaack, neptunespace, nickfixit, nivl, paralin, sam-kleiner, sdenovan, slothcroissant, therealklanni, veqryn

nordvpn's Issues

No internet access for whole NAS when container active

Describe the bug
This is probably a simple one, but I am new to all this. Basically, when I enable the container, internet access for all the other containers and the host (a NAS running openmediavault) stops.

To Reproduce
Created through the openmediavault GUI. Will upload screenshot if needed.

Doesn't retry on a different server

Describe the bug
The docker tries to connect all the time to the same server that timed out.

To Reproduce
docker stop vpn
docker rm vpn
docker pull bubuntux/nordvpn:latest

docker run -ti --cap-add=NET_ADMIN --device /dev/net/tun --name 'vpn' \
  -p port:port \
  -e NETWORK=network \
  -e USER=user -e PASS=pass \
  -e COUNTRY=CH \
  -e CATEGORY='Standard VPN servers' \
  -e "OPENVPN_OPTS=--pull-filter ignore ping-restart --ping-exit 180" \
  -e GROUP_ID=2 \
  -d bubuntux/nordvpn:latest

Logs
Staring firewall...
Adding network route ...
Whitelisting downloads.nordcdn.com...
Downloading config files...
Whitelisting api.nordvpn.com...
Selecting the best server...
Searching for country : CH (209)
Searching for group: legacy_standard
Best server : ch82.nordvpn.com
Using config file /vpn/ovpn/ch82.nordvpn.com.tcp.ovpn...
Connecting ...
+ sg vpn -c 'openvpn --config /vpn/ovpn/ch82.nordvpn.com.tcp.ovpn --auth-user-pass /vpn/auth --auth-nocache --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh --pull-filter ignore ping-restart --ping-exit 180'
Sun Apr 28 07:50:21 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Sun Apr 28 07:50:21 2019 library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.10
Sun Apr 28 07:50:21 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 07:50:21 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 07:50:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Apr 28 07:50:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Apr 28 07:50:21 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 07:50:21 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 07:50:21 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 07:52:21 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 07:52:21 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 07:52:21 2019 Restart pause, 5 second(s)
Sun Apr 28 07:52:26 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 07:52:26 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 07:52:26 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 07:52:26 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 07:52:26 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 07:54:26 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 07:54:26 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 07:54:26 2019 Restart pause, 5 second(s)
Sun Apr 28 07:54:31 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 07:54:31 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 07:54:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 07:54:31 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 07:54:31 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 07:56:31 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 07:56:31 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 07:56:31 2019 Restart pause, 5 second(s)
Sun Apr 28 07:56:36 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 07:56:36 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 07:56:36 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 07:56:36 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 07:56:36 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 07:58:36 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 07:58:36 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 07:58:36 2019 Restart pause, 5 second(s)
Sun Apr 28 07:58:41 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 07:58:41 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 07:58:41 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 07:58:41 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 07:58:41 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 08:00:41 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 08:00:41 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 08:00:41 2019 Restart pause, 10 second(s)
Sun Apr 28 08:00:51 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 08:00:51 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 08:00:51 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 08:00:51 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 08:00:51 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 08:02:51 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 08:02:51 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 08:02:51 2019 Restart pause, 20 second(s)
Sun Apr 28 08:03:11 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 08:03:11 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 08:03:11 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 08:03:11 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 08:03:11 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 08:05:11 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 08:05:11 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 08:05:11 2019 Restart pause, 40 second(s)
Sun Apr 28 08:05:51 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 08:05:51 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 08:05:51 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 08:05:51 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 08:05:51 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]
Sun Apr 28 08:07:51 2019 TCP: connect to [AF_INET]185.236.201.141:443 failed: Operation timed out
Sun Apr 28 08:07:51 2019 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun Apr 28 08:07:51 2019 Restart pause, 80 second(s)
Sun Apr 28 08:09:11 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Apr 28 08:09:11 2019 NOTE: --fast-io is disabled since we are not using UDP
Sun Apr 28 08:09:11 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.141:443
Sun Apr 28 08:09:11 2019 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Apr 28 08:09:11 2019 Attempting to establish TCP connection with [AF_INET]185.236.201.141:443 [nonblock]

Additional context
A server connection works if I am lucky with the COUNTRY and SERVER combination. But the problem is that it will not ignore a broken server and try another one.

-e OPENVPN_OPTS='--pull-filter ignore "ping-restart" --ping-exit 180' isn't working either.

Thank you!

openpyn integration

It would be nice to be able to interactively control the selection of a specific nordvpn gateway... openpyn (https://github.com/jotyGill/openpyn-nordvpn) seems to provide this function... would it be possible (and even make sense?) to integrate this package into your nordvpn project? I'd do it myself, but I'm unfortunately no developer...

Thanks!

Cannot establish connection

Not sure what I am doing wrong, but I keep getting

Attempting to establish TCP connection with [AF_INET]184.75.212.59:443 [nonblock] stdout
then
SIGUSR1[connection failed(soft),init_instance] received, process restarting

Wrong server

Similar to the other bug report, the client doesn't connect to the desired Country/Server!

When I boot up the container with the env COUNTRY=Netherlands this output will show up:

nordvpn    | Selecting the best server...
nordvpn    | jq: error: syntax error, unexpected IDENT, expecting ';' or ')' (Unix shell quoting issues?) at <top-level>, line 2:
nordvpn    |                           select( (.name|test("^"Netherlands"$";"i")) or                                                 
nordvpn    | jq: error: syntax error, unexpected IDENT, expecting ';' or ')' (Unix shell quoting issues?) at <top-level>, line 3:
nordvpn    |                                   (.code|test("^"Netherlands"$";"i")) ) |                                                 
nordvpn    | jq: 2 compile errors
nordvpn    | Searching for technology: openvpn_tcp
nordvpn    | Best server : de542.nordvpn.com
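
Added example (not from the original report or the project's script): the filter text in the log above shows the COUNTRY value landing inside the jq program itself. Passing it as data with `--arg` keeps it out of the program text, and an unknown country stops the lookup instead of falling through to a server elsewhere. The country list, the ids other than CH (209), and the function names are constructed for illustration; jq must be installed.

```shell
#!/bin/sh
# Constructed sample of a country list. The shape is an assumption;
# only "CH (209)" appears in the logs on this page.
COUNTRIES_JSON='[
  {"id": 209,  "name": "Switzerland",   "code": "CH"},
  {"id": 1001, "name": "Netherlands",   "code": "NL"},
  {"id": 1002, "name": "United States", "code": "US"}
]'

# Print the id of the country whose name or code equals $1 (case-insensitive).
# The value reaches jq as the string variable $c, so quotes or regex
# characters in it are compared as data and cannot alter the filter.
country_id() {
    printf '%s' "$COUNTRIES_JSON" | jq -r --arg c "$1" '
        ($c | ascii_downcase) as $want
        | .[]
        | select((.name | ascii_downcase) == $want
                 or (.code | ascii_downcase) == $want)
        | .id'
}

# Fail closed: no match means stop, not "use any recommended server".
require_country_id() {
    id=$(country_id "$1")
    if [ -z "$id" ]; then
        echo "unknown country: $1" >&2
        return 1
    fi
    printf '%s\n' "$id"
}
```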

Is there a way to open the daemon

Is there a way to open up the daemon port from the vpn container? I'd like to connect to it with my thin client, but by the looks of it, it's enclosed in the vpn container.

AUTH_FAILED

I got an AUTH_ERROR in my logs. Note that my password does not have any weird characters and I tried with the quotes anyway, but without success.

vpn_1           | Staring firewall...
vpn_1           | Adding network route 192.168.1.0/24...
vpn_1           | Whitelisting api.nordvpn.com...
vpn_1           | Selecting the best server...
vpn_1           | parse error: Invalid numeric literal at EOF at line 1, column 4
vpn_1           | parse error: Invalid numeric literal at EOF at line 1, column 4
vpn_1           | Searching for technology: openvpn_udp
vpn_1           | parse error: Invalid numeric literal at EOF at line 1, column 4
vpn_1           | Unable to find a server with the specified parameters, using any recommended server
vpn_1           | parse error: Invalid numeric literal at EOF at line 1, column 4
vpn_1           | Best server : 
vpn_1           | Using config file /vpn/ovpn/ch118.nordvpn.com.udp.ovpn...
vpn_1           | Connecting ... 
vpn_1           | + sg vpn -c 'openvpn --config /vpn/ovpn/ch118.nordvpn.com.udp.ovpn --auth-user-pass /vpn/auth --auth-nocache                                 --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh                                 --pull-filter ignore "ping-restart" --ping-exit 180'
vpn_1           | Fri Aug 16 17:09:33 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
vpn_1           | Fri Aug 16 17:09:33 2019 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
vpn_1           | Fri Aug 16 17:09:33 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
vpn_1           | Fri Aug 16 17:09:33 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
vpn_1           | Fri Aug 16 17:09:33 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
vpn_1           | Fri Aug 16 17:09:33 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.105.90:1194
vpn_1           | Fri Aug 16 17:09:33 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
vpn_1           | Fri Aug 16 17:09:33 2019 UDP link local: (not bound)
vpn_1           | Fri Aug 16 17:09:33 2019 UDP link remote: [AF_INET]195.206.105.90:1194
vpn_1           | Fri Aug 16 17:09:33 2019 TLS: Initial packet from [AF_INET]195.206.105.90:1194, sid=03059abb 9c18385a
vpn_1           | Fri Aug 16 17:09:33 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
vpn_1           | Fri Aug 16 17:09:33 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
vpn_1           | Fri Aug 16 17:09:33 2019 VERIFY KU OK
vpn_1           | Fri Aug 16 17:09:33 2019 Validating certificate extended key usage
vpn_1           | Fri Aug 16 17:09:33 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
vpn_1           | Fri Aug 16 17:09:33 2019 VERIFY EKU OK
vpn_1           | Fri Aug 16 17:09:33 2019 VERIFY OK: depth=0, CN=ch118.nordvpn.com
vpn_1           | Fri Aug 16 17:09:35 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
vpn_1           | Fri Aug 16 17:09:35 2019 [ch118.nordvpn.com] Peer Connection Initiated with [AF_INET]195.206.105.90:1194
vpn_1           | Fri Aug 16 17:09:37 2019 SENT CONTROL [ch118.nordvpn.com]: 'PUSH_REQUEST' (status=1)
vpn_1           | Fri Aug 16 17:09:37 2019 AUTH: Received control message: AUTH_FAILED
vpn_1           | Fri Aug 16 17:09:37 2019 SIGTERM[soft,auth-failure] received, process exiting
vpn_1           | + set +x

And it goes on, whitelisting api.nordvpn to find a new server, but the authentication fails again. The container is running with a docker-compose file, below is the relevant extract:

  vpn:
    image: bubuntux/nordvpn
    privileged: true
    restart: always
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    volumes:
      - /dev/net:/dev/net:z
    environment:
      - USER=${USER}
      - PASS=${PASSWORD}
      - COUNTRY=US
      - PROTOCOL=UDP
      - CATEGORY=P2P
      - NETWORK=192.168.1.0/24
      - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
      - TZ=America/Chicago
    ports:
      - 9091:9091

Using OPENVPN_OPTS breaks container

The OPENVPN_OPTS option is broken because of the location of the variable at startup:

The startup script thinks the OPENVPN_OPTS variable contains parameters to the --down script instead of extra options for openvpn. I think moving the variable to before the --up statement will make it work again

exec sg vpn -c "openvpn --config ${config_file} --auth-user-pass ${auth_file} --auth-nocache
--script-security 2 ${OPENVPN_OPTS} --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh"
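
Added example (not the project's startup script): the command above expands OPENVPN_OPTS inside the string that `sg vpn -c` hands to a shell, so the value is parsed as shell text. This sketch checks the value against an allow-list first and then assembles the string in the order proposed above; the function names and the allow-list are assumptions.

```shell
#!/bin/sh
# Accept only letters, digits, spaces and a few punctuation marks that
# OpenVPN option values need. Quotes, ;, |, &, $, backticks, <, >,
# parentheses and newlines are rejected because the inner shell would
# interpret them. The quotes around "ping-restart" seen on this page are
# not needed; the unquoted form passes.
opts_are_plain_words() {
    # The trailing "x" keeps $(...) from stripping a leftover newline.
    leftover=$(printf '%s' "$1" | tr -d 'A-Za-z0-9 _./:=,@+-'; printf x)
    [ "$leftover" = x ]
}

# $1 = config file, $2 = auth file (both set by the script itself),
# $3 = extra options from the environment (untrusted).
# Prints the command string with the extra options before --up.
build_openvpn_cmd() {
    if ! opts_are_plain_words "$3"; then
        echo "OPENVPN_OPTS contains characters outside the allow-list" >&2
        return 1
    fi
    printf 'openvpn --config %s --auth-user-pass %s --auth-nocache --script-security 2 %s --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh\n' \
        "$1" "$2" "$3"
}
```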

CATEGORY won't work

I'm using the Country Flag CH and specified the CATEGORY with 'Standard VPN servers'.
But the client keeps connecting me to the 'ch-onion1.nordvpn.com' server, even if I enter another CATEGORY like P2P.

Any ideas?

Network connection to other linked containers is lost after vpn server switch

After a while, nordvpn apparently switches from vpn server. When it does this I can no longer reach the other containers by port anymore.

vpn:
    image: bubuntux/nordvpn
    container_name: nordvpn
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    environment:
      - USER=<SNIPPED>
      - PASS=<SNIPPED>
      - COUNRTY=Netherlands
      - CITY=Amsterdam
      - PROTOCOL=TCP
      - NETWORK=10.0.0.0/24
      - TZ=Europe/Amsterdam
    ports:
      - 8989:8989     # sonarr
    stdin_open: true
    restart: unless-stopped

sonarr:
    network_mode: service:vpn
    image: linuxserver/sonarr
    container_name: sonarr
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Amsterdam
    restart: unless-stopped
    volumes:
      - /home/<SNIPPED>/mediaserver/config/sonarr:/config
      - /data/vid/Series:/tv
      - /opt/workspace/downloads:/downloads
      - /dev/rtc:/dev/rtc:ro

On first start, all seems fine. But when nordvpn container switches from Connecting to Netherlands #368 (nl368.nordvpn.com) to Connecting to Netherlands #66 (nl66.nordvpn.com) I can no longer reach sonarr on port 8989. I need to restart the vpn container before being able to connect again.

Full docker log after a switch:

<SNIPPED>@exeter ~/mediaserver ❯❯❯ docker logs -f nordvpn
start-stop-daemon: warning: failed to kill 421: No such process
Restarting /usr/sbin/nordvpnd: nordvpn.
spawn nordvpn login
Please enter your login details.
Email / Username: <SNIPPED>
Password:
You are logged in. Welcome to NordVPN! You can now connect via 'nordvpn connect'.
Protocol is successfully set to 'TCP'.
Kill Switch is successfully set to 'enabled'.
CyberSec is already set to 'disabled'.
Obfuscation is already set to 'disabled'.
DNS is already set to 'disabled'.
Connecting to Netherlands #66 (nl66.nordvpn.com)
We could not disable IPv6. Check logs for more information.
Great! You are now connected to Netherlands #66 (nl66.nordvpn.com)
Full input access enabled
Added network route 10.0.0.0/24
2019/02/24 09:50:22 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019/02/24 09:50:22 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2019/02/24 09:50:22 TUN/TAP device tun0 opened
2019/02/24 09:50:22 TUN/TAP TX queue length set to 100
2019/02/24 09:50:22 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2019/02/24 09:50:22 /sbin/ifconfig tun0 10.7.7.107 netmask 255.255.255.0 mtu 1500 broadcast 10.7.7.255
2019/02/24 09:50:22 /sbin/route add -net 5.79.79.43 netmask 255.255.255.255 gw 172.19.0.1
2019/02/24 09:50:22 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.7.1
2019/02/24 09:50:22 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.7.1
2019/02/24 09:50:22 Initialization Sequence Completed

aarch64 Build is Broken

Describe the bug

Container is unable to reach hosts outside the CIDR block provided via the NETWORK env var. This behavior only appears to occur when running on aarch64. Occurs when using both the latest and aarch64-latest tagged images.

To Reproduce

From an aarch64 machine:

docker run -it --cap-add=NET_ADMIN --device /dev/net/tun --name vpn -e NETWORK=192.168.1.0/24 -e USER={uname} -e PASS='{pw}' -d bubuntux/nordvpn:latest
docker exec {container} ping 192.168.1.1
docker exec {container} ping 1.1.1.1

Logs

OpenVPN logs indicate a successful connection is established.

dietpi@Node2:~$ sudo docker logs 17ac
Staring firewall...
Adding network route 192.168.1.0/24...
Whitelisting downloads.nordcdn.com...
Downloading config files...
Whitelisting api.nordvpn.com...
Selecting the best server...
Best server : us3191.nordvpn.com
Using config file /vpn/ovpn/us3191.nordvpn.com.tcp.ovpn...
Connecting ... 
+ sg vpn -c 'openvpn --config /vpn/ovpn/us3191.nordvpn.com.tcp.ovpn --auth-user-pass /vpn/auth --auth-nocache                                 --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh                                 '
Thu Jan 23 23:02:39 2020 OpenVPN 2.4.7 aarch64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  5 2019
Thu Jan 23 23:02:39 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Thu Jan 23 23:02:39 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Jan 23 23:02:39 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan 23 23:02:39 2020 NOTE: --fast-io is disabled since we are not using UDP
Thu Jan 23 23:02:39 2020 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 23 23:02:39 2020 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Jan 23 23:02:39 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]23.226.131.147:443
Thu Jan 23 23:02:39 2020 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Jan 23 23:02:39 2020 Attempting to establish TCP connection with [AF_INET]23.226.131.147:443 [nonblock]
Thu Jan 23 23:02:40 2020 TCP connection established with [AF_INET]23.226.131.147:443
Thu Jan 23 23:02:40 2020 TCP_CLIENT link local: (not bound)
Thu Jan 23 23:02:40 2020 TCP_CLIENT link remote: [AF_INET]23.226.131.147:443
Thu Jan 23 23:02:40 2020 TLS: Initial packet from [AF_INET]23.226.131.147:443, sid=a3aa5668 e80d1d40
Thu Jan 23 23:02:40 2020 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Jan 23 23:02:40 2020 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Thu Jan 23 23:02:40 2020 VERIFY KU OK
Thu Jan 23 23:02:40 2020 Validating certificate extended key usage
Thu Jan 23 23:02:40 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jan 23 23:02:40 2020 VERIFY EKU OK
Thu Jan 23 23:02:40 2020 VERIFY OK: depth=0, CN=us3191.nordvpn.com
Thu Jan 23 23:02:40 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Jan 23 23:02:40 2020 [us3191.nordvpn.com] Peer Connection Initiated with [AF_INET]23.226.131.147:443
Thu Jan 23 23:02:42 2020 SENT CONTROL [us3191.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Jan 23 23:02:42 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: compression parms modified
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Jan 23 23:02:42 2020 Socket Buffers: R=[372480->425984] S=[87040->425984]
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: route options modified
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: route-related options modified
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: peer-id set
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: adjusting link_mtu to 1659
Thu Jan 23 23:02:42 2020 OPTIONS IMPORT: data channel crypto options modified
Thu Jan 23 23:02:42 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 23 23:02:42 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 23 23:02:42 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 23 23:02:42 2020 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:02
Thu Jan 23 23:02:42 2020 TUN/TAP device tun0 opened
Thu Jan 23 23:02:42 2020 TUN/TAP TX queue length set to 100
Thu Jan 23 23:02:42 2020 /sbin/ip link set dev tun0 up mtu 1500
Thu Jan 23 23:02:42 2020 /sbin/ip addr add dev tun0 10.7.2.2/24 broadcast 10.7.2.255
Thu Jan 23 23:02:42 2020 /etc/openvpn/up.sh tun0 1500 1587 10.7.2.2 255.255.255.0 init
Thu Jan 23 23:02:42 2020 /sbin/ip route add 23.226.131.147/32 via 172.17.0.1
Thu Jan 23 23:02:42 2020 /sbin/ip route add 0.0.0.0/1 via 10.7.2.1
Thu Jan 23 23:02:42 2020 /sbin/ip route add 128.0.0.0/1 via 10.7.2.1
Thu Jan 23 23:02:42 2020 Initialization Sequence Completed

Auth issue

I install via a docker-compose file and have an env file that had to be recreated after an accidental overwrite. Now for some reason I'm getting an auth_failure. I've verified I'm using the correct username/pass. In the env file both are contained in single quotes and I've also tried placing them both in the compose file as well. I've stopped and pruned all containers then redeployed. Also now getting the parse errors below.

Whitelisting api.nordvpn.com...
Selecting the best server...
parse error: Invalid numeric literal at EOF at line 1, column 4
parse error: Invalid numeric literal at EOF at line 1, column 4
Searching for technology: openvpn_tcp
parse error: Invalid numeric literal at EOF at line 1, column 4
Unable to find a server with the specified parameters, using any recommended server
parse error: Invalid numeric literal at EOF at line 1, column 4
Best server :
Using config file /vpn/ovpn/uk-nl2.nordvpn.com.tcp.ovpn...
Connecting ...

+ sg vpn -c 'openvpn --config /vpn/ovpn/uk-nl2.nordvpn.com.tcp.ovpn --auth-user-pass /vpn/auth --auth-nocache --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh --pull-filter ignore "ping-restart" --ping-exit 180'
Wed Nov 27 18:50:31 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Wed Nov 27 18:50:31 2019 library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.10
Wed Nov 27 18:50:31 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Nov 27 18:50:31 2019 NOTE: --fast-io is disabled since we are not using UDP
Wed Nov 27 18:50:31 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Nov 27 18:50:31 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Nov 27 18:50:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]194.36.110.132:443
Wed Nov 27 18:50:31 2019 Socket Buffers: R=[131072->131072] S=[16384->16384]
Wed Nov 27 18:50:31 2019 Attempting to establish TCP connection with [AF_INET]194.36.110.132:443 [nonblock]
Wed Nov 27 18:50:32 2019 TCP connection established with [AF_INET]194.36.110.132:443
Wed Nov 27 18:50:32 2019 TCP_CLIENT link local: (not bound)
Wed Nov 27 18:50:32 2019 TCP_CLIENT link remote: [AF_INET]194.36.110.132:443
Wed Nov 27 18:50:32 2019 TLS: Initial packet from [AF_INET]194.36.110.132:443, sid=908ce2d1 77b384d1
Wed Nov 27 18:50:33 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Wed Nov 27 18:50:33 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Wed Nov 27 18:50:33 2019 VERIFY KU OK
Wed Nov 27 18:50:33 2019 Validating certificate extended key usage
Wed Nov 27 18:50:33 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Nov 27 18:50:33 2019 VERIFY EKU OK
Wed Nov 27 18:50:33 2019 VERIFY OK: depth=0, CN=uk-nl2.nordvpn.com
Wed Nov 27 18:50:35 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Nov 27 18:50:35 2019 [uk-nl2.nordvpn.com] Peer Connection Initiated with [AF_INET]194.36.110.132:443
Wed Nov 27 18:50:36 2019 SENT CONTROL [uk-nl2.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Nov 27 18:50:37 2019 AUTH: Received control message: AUTH_FAILED
Wed Nov 27 18:50:37 2019 SIGTERM[soft,auth-failure] received, process exiting

Slow bandwidth?

Hi,

I have 400mbps bandwidth. I have your vpn container running on a Synology, and a qbittorrent container (from linuxserver) running on another container on the same Synology, along with other containers.

Running a speedtest on the synology (I'm using the 'fast' tool from Netflix https://github.com/ddo/fast/releases), I get an acceptable bandwidth, ~370mbps. When I connect the synology to NordVPN, the bandwidth is a bit slower depending on the server, but usually acceptable, always above 250mbps. Running the same speedtest on another container gives me similar results.

But when I run the speedtest on a container using the --net=container:vpn, I get slow results, around 50-100mbps. I tried running a speedtest on the vpn container itself but didn't succeed, the tool doesn't seem compatible with the architecture.

Any idea on how to fix this?

For the vpn container, I'm using -e CATEGORY=P2P -e PROTOCOL=UDP -e OPENVPN_OPTS='--pull-filter ignore "ping-restart" --ping-exit 180' --cap-add=NET_ADMIN --device /dev/net/tun.

Thanks

How to reconnect "client" containers once vpn dropped?

I wanted to use the VPN network to route a headless jdownloader container and this docker is simply fantastic! So many thanks for this!
I managed to set it up and get it running as intended.
The next step is to provide some reconnect functionality to shorten wait times between downloads.
I tried to simply restart the vpn docker but the client docker is not automatically reconnecting once the vpn container drops.
Of course, this is probably not the most elegant solution to reconnect to a different nordVPN server, but I don't know better yet.
So, how do I:

  1. have the client docker automatically reconnect,
     or
  2. issue a reconnect command from the host console to the vpn docker to reconnect the vpn?

Option, and this is actually the feature request:

  3. Add an option to the vpn docker to connect to a random nordVPN location and make sure not to reconnect to the most recent server.

In the end, the plan is to have jdownloader trigger a reconnect action. Maybe via a file that is created somewhere on the host filesystem (download folder). A shell script will constantly scan for this file and issue the above command to reconnect to another VPN server.
Thanks for your support and once again: nice work this container!

How did i route all traffic to the VPN?

Hi dear,

I hope you're doing well? Thank you for your great work!
I'm sure that you can help me very fast because I have only one simple question.
I got the connection to nordvpn without problems (I see the success login in the logs).

How do I now make a route to the working vpn?

I use your docker-compose
And choose the network: 192.168.2.0/24 Ports: 9104:80

Thank you very much!

--ping-exit crashes whole vpn setup in docker compose

First, thanks for the great image. I'm using it since a few weeks and I'm quite happy with it.
But there is one problem I encountered with the latest version.

The --ping-exit 180 which has recently been added as a recommendation doesn't seem like a good idea.
Whenever the vpn container loses its connection for more than 180 sec, all containers which connect through the vpn will lose their internet connection forever (until they are restarted manually).
They will not reconnect through the vpn even if the vpn restarts and reconnects successfully.
The problem is that whenever multiple child containers share the network of a mother container via 'network_mode:service', they will lose their network adapter indefinitely when the mother container restarts.
I opened an issue for docker compose, but I don't know if they will improve this behavior.

Replacing --ping-exit with --ping-restart seems to fix the issue, since this doesn't exit the whole container and keeps the network interface intact.

auth. failures

hi, i've been getting authentication failures when connecting to a selected nordvpn gateway since yesterday. uid/pw work fine to login to nordvpn website (account management). error has been there since yesterday, 27.Feb.2019. Log is below:

Selecting the best server...
White listing api.nordvpn.com...
Searching for country : CH (209)
Searching for group: legacy_p2p
Searching for technology: openvpn_udp
Best server : ch76.nordvpn.com
Using config file /vpn/ovpn/ch76.nordvpn.com.udp.ovpn...
Connecting...
Thu Feb 28 12:59:58 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Thu Feb 28 12:59:58 2019 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Thu Feb 28 12:59:58 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Feb 28 12:59:58 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Feb 28 12:59:58 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Feb 28 12:59:58 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Feb 28 12:59:58 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]185.236.201.131:1194
Thu Feb 28 12:59:58 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Feb 28 12:59:58 2019 UDP link local: (not bound)
Thu Feb 28 12:59:58 2019 UDP link remote: [AF_INET]185.236.201.131:1194
Thu Feb 28 12:59:58 2019 TLS: Initial packet from [AF_INET]185.236.201.131:1194, sid=e1d9facc ca00f9dd
Thu Feb 28 12:59:59 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Feb 28 12:59:59 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Thu Feb 28 12:59:59 2019 VERIFY KU OK
Thu Feb 28 12:59:59 2019 Validating certificate extended key usage
Thu Feb 28 12:59:59 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 28 12:59:59 2019 VERIFY EKU OK
Thu Feb 28 12:59:59 2019 VERIFY OK: depth=0, CN=ch76.nordvpn.com
Thu Feb 28 13:00:01 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Feb 28 13:00:01 2019 [ch76.nordvpn.com] Peer Connection Initiated with [AF_INET]185.236.201.131:1194
Thu Feb 28 13:00:02 2019 SENT CONTROL [ch76.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Feb 28 13:00:02 2019 AUTH: Received control message: AUTH_FAILED
Thu Feb 28 13:00:02 2019 SIGTERM[soft,auth-failure] received, process exiting

Using NordLynx for Wireguard

As per https://nordvpn.com/blog/nordlynx-protocol-wireguard/, implementation of the Wireguard protocol is available through the Linux client, by using the first party nordvpn client.

Looking at the Docker file and associated scripts though it looks like this image uses openvpn, so perhaps changing it to use the nordvpn client may be out of scope. Please feel free to close this issue if it's not something you're considering doing.

Thanks!

Specify region

How would you specify a region?

Looking at nordVpn.sh, it looks like it makes a request to the NordVPN API to get a server recommendation, but it would most likely get back a server that is close by. How could I specify that I want a server in another country?

Give containers that both use the VPN access to each other

Hey,

thanks for this image - it works beautifully. I'm trying to achieve the following setup

  1. A container foo using network_mode: service:vpn to access the internet
  2. Another container bar also using network_mode: service_vpn to access the internet

So far, this works like a charm - however, now I'd like to make foo and bar able to connect to each other (e.g. so that bar can run curl http://foo and it would work), while still using the vpn for connections to the outside. Is this possible to do?

Here's a simple demo docker-compose (only need to fill in nordvpn username & password):

version: "2"

services:

  vpn:
    image: 'bubuntux/nordvpn'
    cap_add:
      - NET_ADMIN
    devices:
      - "/dev/net/tun"
    ports:
      - 8080:80   # foo
    environment:
      USER: "XXXXX"
      PASS: "YYYYY"
      COUNTRY: "ch"
      CATEGORY: "P2P"
      OPENVPN_OPTS: "--inactive 3600 --ping 10 --ping-exit 60"
      NETWORK: "192.168.0.0/24"
    restart: "unless-stopped"

  
  foo:
    image: 'nginx'
    network_mode: service:vpn

  bar:
    image: 'giantswarm/tiny-tools'
    network_mode: service:vpn
    command: "/bin/sh -c 'while sleep 1; do curl -sS http://foo/; done'"

Prevent connection to the best server

Is your feature request related to a problem? Please describe.
I want to avoid connecting to the best server in my country if it fails for some reason to connect to the server with the COUNTRY or some other restriction defined. I don't want the container to silently reconnect to the proxy in my country and act as if nothing happened when nordvpn changes their api or for some other reason.

Describe the solution you'd like
Add an env. variable like FALLBACK_BEST_SERVER=false which controls the behavior

Multiple opened connections and balancing between them

Hi,

I am trying to build the following setup. I have a separate docker container establishing a single nordvpn connection and a couple of services using this gateway via network_mode: container:nordvpn.

My concern is that sometimes a single connection won't utilize my full bandwidth (600mbps), so I am trying to build a container which would open multiple connections (possibly also to different nordvpn servers) and balance between them. From the licensing I am allowed to have 5 simultaneous connections.

Possible solution?
Have an env variable CONNECTIONS, which will open between 1-5 connections to the specified server and balance per destination IP for example.

Or if you can point me in another direction where a user can achieve full UPLINK bandwidth.

Appreciate, Michal

container get stuck in "health: starting". After time out it's in "unhealthy" state

Where are the logs I can check to see what's the problem.
It's happening both under Docker for windows:
Client: Docker Engine - Community
Version: 18.09.1
API version: 1.39
Go version: go1.10.6
Git commit: 4c52b90
Built: Wed Jan 9 19:34:26 2019
OS/Arch: windows/amd64
Experimental: false

Server: Docker Engine - Community
Engine:
Version: 18.09.1
API version: 1.39 (minimum version 1.12)
Go version: go1.10.6
Git commit: 4c52b90
Built: Wed Jan 9 19:41:49 2019
OS/Arch: linux/amd64
Experimental: false

And synology:
Client:
Version: 17.05.0-ce
API version: 1.29
Go version: go1.8
Git commit: 9f07f0e-synology
Built: Thu Oct 11 21:32:14 2018
OS/Arch: linux/amd64

Server:
Version: 17.05.0-ce
API version: 1.29 (minimum version 1.12)
Go version: go1.8
Git commit: 9f07f0e-synology
Built: Thu Oct 11 21:32:14 2018
OS/Arch: linux/amd64
Experimental: false

Server Files are out of date

Hi

I am getting a lot of fallback errors when starting the connection to Nordvpn:

UDP config for server de439.nordvpn.com not found
Filtered pool is empty or configs not found. Select server from recommended list

Is there any way to pull the current server config list from Nordvpn, or are the server config lists only updated when the image is updated?

Thanks (also thanks for making this Image in general - it works like a charm, I'd just like to have a little more control over where it's connecting)

Healthcheck in NordVPN container

I have several containers which depend on the NordVPN container to have a successful connection and the network all set up. If they start too quickly sometimes I have to restart them after NordVPN is running. This means that on a reboot I can't rely on all my containers simply working.

Could you include code in the container for a Healthcheck? This would allow me to use Healthcheck code in my docker-compose file to stop containers if the VPN is dropped or not yet ready, and to restart containers when the VPN is up again.

I considered writing a bunch of scripts to start and stop various containers at the right times, but incorporating Healthcheck would be much simpler.

here's a link to the documentation https://docs.docker.com/engine/reference/builder/#healthcheck

TLS Key negotiation failed

Before submitting please review Troubleshooting wiki

Describe the bug
TLS Key negotiation failed. after OS reinstall.

I recently switched my server from Debian to Manjaro to allow more flexibility. Not sure if it's related. When I was setting up my docker containers I got all 10 or so working. Unfortunately, it looks like the VPN they're all using is failing to connect to Nord through a TLS key negotiation.

Logs
Staring firewall...
Adding network route 172.20.1.0/16...
RTNETLINK answers: Invalid argument
Whitelisting api.nordvpn.com...
Selecting the best server...
Searching for country : United States (228)
Searching for group: legacy_p2p
Searching for technology: openvpn_udp
Best server : us4607.nordvpn.com
Using config file /vpn/ovpn/us4607.nordvpn.com.udp.ovpn...
Connecting ...

+ sg vpn -c 'openvpn --config /vpn/ovpn/us4607.nordvpn.com.udp.ovpn --auth-user-pass /vpn/auth --auth-nocache --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh --pull-filter ignore "ping-restart" --ping-exit 180'
Tue Dec 31 13:54:46 2019 OpenVPN 2.4.7 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 5 2019
Tue Dec 31 13:54:46 2019 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Tue Dec 31 13:54:46 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Dec 31 13:54:46 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Dec 31 13:54:46 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Dec 31 13:54:46 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.158.226.27:1194
Tue Dec 31 13:54:46 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Dec 31 13:54:46 2019 UDP link local: (not bound)
Tue Dec 31 13:54:46 2019 UDP link remote: [AF_INET]192.158.226.27:1194
Tue Dec 31 13:55:46 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Dec 31 13:55:46 2019 TLS Error: TLS handshake failed
Tue Dec 31 13:55:46 2019 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 31 13:55:46 2019 Restart pause, 5 second(s)

Additional context
I believe that the network is working inside the docker because it contacts api.nordvpn.com and successfully uses the .ovpn profile. I tried running docker exec -it [container] /bin/bash - then running ping nordvpn.com. This fails, but I believe it fails since the killswitch cannot be turned off.

I think it may be a misconfiguration on my part, but I am not familiar enough with OpenVPN to troubleshoot. Please let me know what you think. This line in the logs is particularly interesting I think: RTNETLINK answers: Invalid argument - perhaps my subnet mask is incorrect?

COUNTRY Not Respected

Given a docker-compose.yml of (per readme):

version: "3"
services:
  vpn:
    image: bubuntux/nordvpn:2019.03.09
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    environment:
      - USER=...
      - PASS=...
      - COUNRTY=United_States
      - PROTOCOL=UDP
      - CATEGORY=P2P
      - NETWORK=192.168.1.0/24
      - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
      - TZ=America/Detroit
    ports:
      - 8080:8080
      - 6881:6881
    restart: unless-stopped

I get a Canadian config:

Staring firewall...
Adding network route 192.168.1.0/24...
Whitelisting api.nordvpn.com...
Selecting the best server...
Searching for group: legacy_p2p
Searching for technology: openvpn_udp
Best server : ca187.nordvpn.com
Using config file /vpn/ovpn/ca187.nordvpn.com.udp.ovpn...
Connecting ( --pull-filter ignore "ping-restart" --ping-exit 180 )... 
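
Docker passes every `environment:` entry through unchanged and the container only acts on the names it reads, so a key such as `COUNRTY` is dropped silently; the log above has no `Searching for country` line, and traffic exits wherever the recommended server happens to be. The script below is an added example, not part of the issue or the project: it lints a compose file's `environment:` keys against the variable names that appear on this page (assumed here to be the full set; `KNOWN_VARS`, the function names and the sample input are constructed).

```shell
#!/bin/sh
# Added example: lint compose "environment:" keys for the nordvpn container.

# Variable names that appear in the compose files and config dumps on this
# page. Assumption: this is the full set the image reads; extend as needed.
KNOWN_VARS="USER PASS COUNTRY PROTOCOL CATEGORY NETWORK NETWORK6 OPENVPN_OPTS TZ CONNECT TECHNOLOGY CYBER_SEC DNS WHITELIST GROUPID NET_IFACE DEBUG"

# Constructed sample, modelled on the compose file in the issue above.
SAMPLE_COMPOSE='version: "3"
services:
  vpn:
    image: bubuntux/nordvpn:2019.03.09
    environment:
      - USER=placeholder
      - PASS=placeholder
      - COUNRTY=United_States
      - PROTOCOL=UDP
      - CATEGORY=P2P
      - NETWORK=192.168.1.0/24
      - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
      - TZ=America/Detroit
    ports:
      - 8080:8080'

# Read compose YAML on stdin and print one key per line from every
# "environment:" block. Handles "- KEY=value" and "KEY: value" entries,
# list items at the same indent as the parent key, and commented-out lines.
extract_env_keys() {
  awk '
    function indent(s) { return match(s, /[^ ]/) - 1 }
    /^ *environment: *$/ { in_env = 1; base = indent($0); next }
    in_env {
      if ($0 ~ /^ *(#.*)?$/) next                  # blank line or comment
      body = $0; sub(/^ */, "", body)
      if (indent($0) < base || (indent($0) == base && body !~ /^-/)) {
        in_env = 0; next                           # dedent closes the block
      }
      sub(/^- */, "", body)
      sub(/^"/, "", body)
      if (match(body, /^[A-Za-z_][A-Za-z0-9_]*/)) print substr(body, 1, RLENGTH)
    }
  '
}

# Upper-case the name and sort its letters, so transposed letters
# (COUNRTY vs COUNTRY) produce the same signature.
letter_signature() {
  printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | fold -w 1 | sort | tr -d '\n'
}

# Print the known variable whose letters match the given key, if any.
suggest_var() {
  sv_sig=$(letter_signature "$1")
  for sv_known in $KNOWN_VARS; do
    if [ "$(letter_signature "$sv_known")" = "$sv_sig" ]; then
      printf '%s' "$sv_known"
      return 0
    fi
  done
  return 1
}

# Read compose YAML on stdin; print one line per unrecognised key and
# return 1 if any was found, 0 otherwise.
lint_compose_env() {
  lint_rc=0
  for lint_key in $(extract_env_keys); do
    case " $KNOWN_VARS " in
      *" $lint_key "*) continue ;;
    esac
    lint_rc=1
    if lint_hint=$(suggest_var "$lint_key"); then
      echo "UNKNOWN $lint_key (did you mean $lint_hint?)"
    else
      echo "UNKNOWN $lint_key"
    fi
  done
  return "$lint_rc"
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_COMPOSE" | lint_compose_env || true
```

Run it as a pre-deploy check (`lint_compose_env < docker-compose.yml`) so a non-zero exit blocks the stack from starting with a filter that would be ignored.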

Container doesnt reconnect after PC sleep?

I'm running this on a development laptop (macOS mojave) with docker-compose, and a separate service with network_mode: service:vpn works fine until I close the laptop and re-open it, or otherwise interrupt the physical network connection of the VPN, and then the separate service loses all connectivity, but the vpn service simply shows

Sat Mar  9 17:56:59 2019 /etc/openvpn/up.sh tun0 1500 1585 10.8.8.27 255.255.255.0 init
Sat Mar  9 17:56:59 2019 /sbin/ip route add 207.189.30.102/32 via 172.31.0.1
Sat Mar  9 17:56:59 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
Sat Mar  9 17:56:59 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.8.1
Sat Mar  9 17:56:59 2019 Initialization Sequence Completed

Usage

  testdocker:
    build: ./
    network_mode: service:vpn
    depends_on:
      - vpn
    restart: unless-stopped

  vpn:
    image: bubuntux/nordvpn
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    env_file:
      - creds.env
    environment:
      - COUNTRY=United_States
      - PROTOCOL=UDP
      - CATEGORY=P2P
      - NETWORK=192.168.1.0/24
      - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
      - TZ=America/Denver
    ports:
      - 8080:80
    restart: unless-stopped

Cannot start container due to iptable problem

Trying to run NordVPN in bridge mode on a Synology NAS. Using recommended parameters I get the following error:

image

Am I the only one?

Parameters (COUNTRY = NL makes no difference):

image

Openvpn gateway on lan

Hi,

I want to use my vpn connection from my docker container with my tv where I can't specify proxy.
How can I do it ?

Enable aarch64

Right now x86-64 and armhf are supported. Is it possible to add support for aarch64 as well?

Last image broken

Last image seems to be broken

Restarting /usr/sbin/nordvpnd: nordvpn.
spawn nordvpn login
Email / Username: (edited)@gmail.com
Password:
Invalid User
start-stop-daemon: warning: failed to kill 24: No such process

Restarting /usr/sbin/nordvpnd: nordvpn.
spawn nordvpn login
Email / Username: (edited)@gmail.com
Password:
Invalid User

the image won't take the password given

command used
docker run -d --name='nordvpn' --net='br0.41' --ip='192.168.41.2' --privileged=true -e TZ="America/New_York" -e 'USER'='(edited)@gmail.com' -e 'PASS'='(edited)' -e 'COUNTRY'='Canada' -e 'CATEGORY'='P2P' -e 'PROTOCOL'='openvpn_udp' 'bubuntux/nordvpn'

Add a way to restart the network if the VPN goes down

Add a way to restart the network if the VPN goes down.

I have this script that could be adapted, makes use of firewall rules so that it does not ping when the network falls and the firewall denies requests to prevent leaks

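#!/bin/bash
# Watchdog: restart OpenVPN when the probe address stops answering.
SERVERIP=8.8.8.8
while true
do
    # ping exits non-zero when none of the three probes is answered
    if ! ping -c 3 "$SERVERIP" > /dev/null 2>&1
    then
       # restart the service
       systemctl restart openvpn.service
    fi
    sleep 15
done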

External access

This is not a bug but rather a question.

My scenario is similar to the example provided in section 'Local Network access to services connecting to the internet through the VPN.'.

Let's suppose I setup a webserver to be served at 8080, by -p 8080:8080 on the VPN docker. I can successfully access it through localhost:8080 and 192.168.1.xxx:8080. But, in addition to those, I'd need to access it from <subdomain>.asuscomm.com, that is, from a DDNS service.

Is that possible? If so, how could it be done?

Thank you

country specification broken?

My existing compose file got borked in one of the newer releases... I also had the "invalid username" issue, which seems to be fixed now. But I'm having a problem with specifying multiple countries with the "COUNTRY=" parameter. Previously, "COUNTRY=us;Switzerland;Germany" worked fine. Now it's returning an error:

Whoops! We can't connect you to 'us;ch;de'. Please try again. If the problem persists, contact our customer support.

Using just "COUNTRY=us" works...

Any ideas?

Thanks!

*EDIT - I also tried "COUNTRY=US;CH;DE" -which also didn't work... ;)

Can't initialize iptables table

Description
Hello, I'm trying to set up the container in a stack (I'm using docker swarm) and I'm getting the errors below in the logs. I tried renaming NET_ADMIN to net_admin and the error persists. I've also tried to add privileged and it doesn't fix the problem.

How to reproduce my bug?
Here's my compose for the container:

vpn:
        image: bubuntux/nordvpn
        privileged: true
        cap_add:
            - NET_ADMIN
        devices:
            - /dev/net/tun
        environment:
            - USER=
            - PASS=
            - COUNTRY=Belgium
            - PROTOCOL=UDP
            - CATEGORY=P2P
            - NETWORK=192.168.0.0/24
            - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
            - TZ=Europe/Brussels
        ports:
            - 8083:80
        restart: unless-stopped

Logs

iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
getsockopt failed strangely: Operation not permitted
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Adding network route 192.168.0.0/24...
RTNETLINK answers: Operation not permitted
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Whitelisting downloads.nordcdn.com...
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Downloading config files...
Whitelisting api.nordvpn.com...
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Selecting the best server...
Searching for country : Belgium (21)
Searching for group: legacy_p2p
Searching for technology: openvpn_udp
Best server : be118.nordvpn.com
Using config file /vpn/ovpn/be118.nordvpn.com.udp.ovpn...
+ sg vpn -c 'openvpn --config /vpn/ovpn/be118.nordvpn.com.udp.ovpn --auth-user-pass /vpn/auth --auth-nocache                                 --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh                                 --pull-filter ignore "ping-restart" --ping-exit 180'
Connecting ...
Fri Dec  6 20:15:53 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Fri Dec  6 20:15:53 2019 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Fri Dec  6 20:15:53 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec  6 20:15:53 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec  6 20:15:53 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Fri Dec  6 20:15:53 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]91.207.57.253:1194
Fri Dec  6 20:15:53 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Dec  6 20:15:53 2019 UDP link local: (not bound)
Fri Dec  6 20:15:53 2019 UDP link remote: [AF_INET]91.207.57.253:1194
Fri Dec  6 20:15:53 2019 TLS: Initial packet from [AF_INET]91.207.57.253:1194, sid=54d346b4 b2964c57
Fri Dec  6 20:15:53 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Fri Dec  6 20:15:53 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Fri Dec  6 20:15:53 2019 VERIFY KU OK
Fri Dec  6 20:15:53 2019 Validating certificate extended key usage
Fri Dec  6 20:15:53 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Dec  6 20:15:53 2019 VERIFY EKU OK
Fri Dec  6 20:15:53 2019 VERIFY OK: depth=0, CN=be118.nordvpn.com
Fri Dec  6 20:15:55 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec  6 20:15:55 2019 [be118.nordvpn.com] Peer Connection Initiated with [AF_INET]91.207.57.253:1194
Fri Dec  6 20:15:57 2019 SENT CONTROL [be118.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Fri Dec  6 20:15:57 2019 AUTH: Received control message: AUTH_FAILED
Fri Dec  6 20:15:57 2019 SIGTERM[soft,auth-failure] received, process exiting
+ set +x
Whitelisting api.nordvpn.com...
iptables v1.6.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Selecting the best server...

Loops again and again...

Environment variables not loaded with compose

New to github so I hope I entered the issue correctly. Struggling with getting the code in correctly in the issue, my excuses for this. Regarding the code, it is checked and I don't get errors that something is wrong with it.

Describe the bug
When I use docker-compose the environment variables are not set. When I use docker then the environment variables are set correctly. With docker-compose the container gets into a restarting loop and never goes up.
When I use docker-compose logs it says the parameters user and password are missing.

When I start the container and do a docker inspect the following variables are missing:
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"UDEV=off",
"NET_IFACE=eth0"
],

With docker i got the following results with docker inspect and the container runs:
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"UDEV=off",
"NET_IFACE=eth0",
"NETWORK=192.168.1.0/24",
"USER=[email protected]",
"PASS=password"

To Reproduce

docker-compose up -d
version: "3"
services:
  vpn:
    image: bubuntux/nordvpn:latest
    container_name: vpn
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    environment:
      - USER=[email protected]
      - PASS='password'
      - COUNTRY=Netherlands
      - PROTOCOL=UDP
      - CATEGORY=P2P
      - NETWORK=192.168.1.0/24
      - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
      - TZ=Europe/Amsterdam
    ports:
      - 8081:8080
      - 8990:8989
      - 7879:7878
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
I also tried to use the environment variables with : instead of = but then I got the same result

version: "3"
services:
  vpn:
    image: bubuntux/nordvpn:latest
    container_name: vpn
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    environment:
      USER: [email protected]
      PASS: password
      COUNTRY: Netherlands
      PROTOCOL: UDP
      CATEGORY: P2P
      NETWORK: 192.168.178.0/24
      #- OPENVPN_OPTS:--pull-filter ignore "ping-restart" --ping-exit 180
      TZ: Europe/Amsterdam
    ports:
      - 8081:8080
      - 8990:8989
      - 7879:7878
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
with docker run
docker run -d \
  --name vpn \
  --cap-add=NET_ADMIN \
  --device /dev/net/tun \
  -p 9117:9117 \
  -e NETWORK=192.168.178.0/24 \
  -e [email protected] \
  -e PASS='password' \
  bubuntux/nordvpn

I am getting a little bit lost as to what the issue can be, that's the reason I created the issue. Hopefully someone can help me out; I did a lot of research on the internet but really can't solve the issue. Maybe I am overlooking something.

I am running this on Synology with the following version
docker-compose version 1.24.0, build 0aa59064
docker-py version: 3.7.2

Docker Version: 18.09.6

Unraid support

Been using this container for quite some time now and I'm really happy with the functionality. Up until now I've been implementing through docker-compose using the code below to route all qbittorrent traffic through the container and to access the webui.

I recently built a new system that is running Unraid and for the life of me I can't get it operational. I've been using Community Apps plugin for access to Docker Hub to pull the container but as my only experience is with using docker-compose I'm not sure how to translate what I was doing to what I need to do now. I can get it installed and a curl request shows I'm connected through the VPN but the log is showing some errors. (https://pastebin.com/82HDWsBu)

The big problem is that I can't seem to figure out how the --device /dev/net/tun needs to be added so I can route qBittorrent through it. I've also included a screenshot of the current variables set in Unraid.

Was wondering if you could lend any insight into how to get it working.

    vpn:
        image: bubuntux/nordvpn:latest
        container_name: nordvpn
        cap_add:
            - net_admin
        devices:
            - /dev/net/tun
        restart: always
        environment:
            - USER=${nord_user}
            - PASS=${nord_pass}
            - COUNTRY=United_States
            - PROTOCOL=UDP
            - CATEGORY=P2P
            - NETWORK=192.168.1.0/24,10.0.75.0/24
            - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
            - TZ=${TZ}
        ports:
            - 6881:6881
            - 8113:8113
            - 8112:8112
            - 58846:58846
    qbittorrent:
        image: linuxserver/qbittorrent:latest
        container_name: qbit
        network_mode: service:vpn
        environment:
            - PUID=${PUID}
            - PGID=${PGID}
            - TZ=${TZ}
            - UMASK_SET=000
            - WEBUI_PORT=8113
            - VERSION=latest
        volumes:
            - ${cont_dir}/qbittorrent/config:/config
            - ${download_dir}:/downloads
        restart: always
        #depends_on:
            #- vpn

Untitled

nordvpnd login blocked by iptables

I'm using the nordvpn-bin version.
It sets up these iptable rules:

iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             172.19.0.0/16
ACCEPT     all  --  anywhere             anywhere             owner GID match vpn
ps axjf | grep nordvpnd
  195   768   767   195 pts/1      767 S+       0   0:00  \_ grep nordvpnd
   13    51     1     1 pts/0        1 S+       0   0:00  \_ sg vpn -c nordvpnd
   51    53     1     1 pts/0        1 S+       0   0:00  |   \_ sh -c nordvpnd
   53    54     1     1 pts/0        1 Sl+      0   0:04  |       \_ nordvpnd
grep '^Groups' /proc/54/status
Groups: 104

getent group vpn
vpn:x:104:

So, nordvpnd runs as the vpn group, but the iptables rule doesn't apply. The connection works if I add iptables -A OUTPUT -m owner --gid-owner root -j ACCEPT with the root gid. I have no idea what is going on here. I'm running debian 10 with the latest docker version.

Why not just use nordvpnd's own killswitch in combination with whitelist and completely ditch iptables?
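
`iptables --list` without `-v` omits the interface columns, so a rule such as `-A OUTPUT -o lo -j ACCEPT` is listed as `ACCEPT all -- anywhere anywhere` and looks unconditional, while `iptables -S OUTPUT` prints every rule with its full match. The following added example (not from the issue or the project; the function name, the heuristics and the sample rules are constructed) audits that `-S` output and reports anything that would let the kill switch fail open.

```shell
#!/bin/sh
# Added example: audit an OUTPUT chain dump for kill-switch leaks.

# Constructed sample in `iptables -S OUTPUT` format, modelled on the rules
# the container sets up (policy DROP, loopback, docker subnet, vpn group).
SAMPLE_KILL_SWITCH='-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 172.19.0.0/16 -j ACCEPT
-A OUTPUT -m owner --gid-owner 104 -j ACCEPT'

# Read `iptables -S OUTPUT` text on stdin. Prints one finding per line and
# returns 0 when the chain fails closed, 1 when a finding was printed.
# Heuristic: an ACCEPT rule counts as narrowed only if it restricts the
# outgoing interface, destination, protocol or socket owner.
audit_output_chain() {
  awk '
    $1 == "-P" && $2 == "OUTPUT" { policy = $3; next }
    $1 == "-A" && $2 == "OUTPUT" {
      target = ""; narrowed = 0; negated = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        else if ($i == "!") negated = 1
        else if ($i == "-o" || $i == "-d" || $i == "-p" ||
                 $i == "--gid-owner" || $i == "--uid-owner") narrowed = 1
      }
      if (target != "ACCEPT") next
      if (!narrowed) {
        # Matches every packet: the DROP policy is never reached.
        print "LEAK unconditional ACCEPT: " $0; bad = 1
      } else if (negated) {
        # "! -o tun0" style rules accept everything except one case.
        print "REVIEW negated match: " $0; bad = 1
      }
    }
    END {
      if (policy != "DROP") {
        print "LEAK policy is " (policy == "" ? "unset" : policy) ", expected DROP"
        bad = 1
      }
      exit (bad ? 1 : 0)
    }
  '
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_KILL_SWITCH" | audit_output_chain && echo "OUTPUT chain fails closed"
```

Inside the container the input would come from `iptables -S OUTPUT | audit_output_chain`; repeat with `ip6tables -S OUTPUT`, since the IPv6 chain is set up separately.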

the latest update doesnt work

I just updated to latest and now it just crashes/shuts down with just this in the log:
"Stdin/Stdout should be terminal"

I am using Unraid 6.8.2 and had nordvpn running for a few months until i updated just now.

Edit: i tried re-entering all the config values since mine were a bit different than those on the dockerhub, but i still get these errors:

+ [[ -n '' ]]
+ [[ 1 =~ ^[0-9]+$ ]]
+ groupmod -g 1 -o vpn
+ NET_IFACE=eth0
++ ip -o addr show dev eth0
++ awk '$3 == "inet" {print $4}'
+ DOCKER_NET=10.5.0.2/16
++ ip -o addr show dev eth0
++ awk '$3 == "inet6" {print $4; exit}'
+ DOCKER_6NET=
+ kill_switch
+ iptables -F OUTPUT
+ ip6tables -F OUTPUT
+ iptables -P OUTPUT DROP
+ ip6tables -P OUTPUT DROP
+ iptables -A OUTPUT -o lo -j ACCEPT
+ ip6tables -A OUTPUT -o lo -j ACCEPT
+ [[ -n 10.5.0.2/16 ]]
+ iptables -A OUTPUT -d 10.5.0.2/16 -j ACCEPT
+ [[ -n '' ]]
+ iptables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT
+ ip6tables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT
+ [[ -n 10.5.0.2 ]]
+ for net in ${NETWORK//[;,]/ }
+ return_route 10.5.0.2
++ ip route
++ awk '/default/ {print $3}'
+ local network=10.5.0.2 gw=10.5.0.1
+ ip route add to 10.5.0.2 via 10.5.0.1 dev eth0
+ iptables -A OUTPUT --destination 10.5.0.2 -j ACCEPT
+ [[ -n '' ]]
+ [[ -n '' ]]
+ pkill nordvpnd
+ rm -f /run/nordvpnd.sock
+ sleep 0.5
+ sg vpn -c nordvpnd
+ nordvpn login -u [email protected] -p password
+ setup_nordvpn
+ [[ -n NordLynx ]]
+ nordvpn set technology NordLynx
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n Enable ]]
+ nordvpn set cybersec Enable
+ [[ -n Disable ]]
+ nordvpn set dns Disable
+ [[ -n 10.5.0.2/16 ]]
+ nordvpn whitelist add subnet 10.5.0.2/16
+ [[ -n 10.5.0.2 ]]
+ for net in ${NETWORK//[;,]/ }
+ nordvpn whitelist add subnet 10.5.0.2
+ [[ -n on ]]
+ nordvpn settings
Kill Switch: disabled
CyberSec: enabled
Notify: disabled
Auto-connect: disabled
DNS: disabled
Whitelisted subnets:
10.5.0.0/16
+ nordvpn connect Switzerland -g p2p
Stdin/Stdout should be terminal
+ exit 1

My config is:
USER: [email protected]
PASS: MyPassword
CONNECT: Switzerland -g p2p
TECHNOLOGY: NordLynx
CYBER_SEC: Enable
DNS: Disable
WHITELIST:
NETWORK: 10.5.0.2
NETWORK6:
TZ: Europe/Amsterdam
GROUPID:
NET_IFACE:
DEBUG: on

Configuring portainer

Hi,

First of all, thank you for this container.

Next:

In portainer, I am using nordvpn as a stack, along the lines of:

version: "2"
services:
  vpn:
    image: bubuntux/nordvpn
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    environment:
      - [email protected]
      - PASS='password'
      - COUNTRY=Japan
      - PROTOCOL=UDP
      - CATEGORY=P2P
      - NETWORK=192.168.2.0/24
      - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
      - TZ=Asia/Manila
    restart: always

And that's it. I have a qbittorrent container running, just a regular container, and I presume I should connect using --net=service:vpn

But I just can't figure out how to do that, other than manually starting the qbittorrent container. I'd like to do it through the Web UI offered by portainer as it just is a very convenient long-term way.

Am I.. Missing something?

How to use --net=container:vpn

Hi, first, thank you for this amazing container. I'm using it in Docker/OpenMediaVault with the GUI and it works like a charm; as I'm new to Docker I would need some tips...
I would like to use it just for what it was born for, so, for instance, to route Transmission container traffic through the VPN container.
I read I should use --net=container:vpn in the Transmission container, but I don't know how to do that, or rather where to add it in the graphical environment.
I don't know if this is the right place to ask this, but could you help me anyway, please?
Thank you in advance!

Connecting to the wrong country?

Hi!

It seems that the latest version is connecting to the wrong servers.

Adding network route 192.168.1.0/24...
Whitelisting api.nordvpn.com...
Selecting the best server...
Searching for country : Sweden (208)
Searching for group: legacy_p2p
Searching for technology: openvpn_udp
Best server : se321.nordvpn.com
Unable to find config file /vpn/ovpn/
Using config file /vpn/ovpn/ca561.nordvpn.com.udp.ovpn...
Connecting ...

Any ideas?

Username with + cannot authenticate

Describe the bug
I have just opened a new NordVPN account, using an aliased email address (for example [email protected]).

However I am now receiving authentication issues when trying to start the container.

To Reproduce

docker run -tid --cap-add=NET_ADMIN --device /dev/net/tun --privileged  --name vpn -e [email protected] -e PASS='P4ssw0rd' -e NETWORK=192.168.1.1/24 -e TZ='Australia/Melbourne' -e PROTOCOL=UDP bubuntux/nordvpn

Logs

Connecting ...
Mon Apr  8 10:21:10 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Mon Apr  8 10:21:10 2019 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Mon Apr  8 10:21:10 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Mon Apr  8 10:21:10 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Apr  8 10:21:10 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr  8 10:21:10 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Apr  8 10:21:10 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]144.48.37.133:1194
Mon Apr  8 10:21:10 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Apr  8 10:21:10 2019 UDP link local: (not bound)
Mon Apr  8 10:21:10 2019 UDP link remote: [AF_INET]144.48.37.133:1194
Mon Apr  8 10:21:11 2019 TLS: Initial packet from [AF_INET]144.48.37.133:1194, sid=357d3f69 6dced0fa
Mon Apr  8 10:21:11 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Mon Apr  8 10:21:11 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Mon Apr  8 10:21:11 2019 VERIFY KU OK
Mon Apr  8 10:21:11 2019 Validating certificate extended key usage
Mon Apr  8 10:21:11 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Apr  8 10:21:11 2019 VERIFY EKU OK
Mon Apr  8 10:21:11 2019 VERIFY OK: depth=0, CN=au354.nordvpn.com
Mon Apr  8 10:21:13 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Apr  8 10:21:13 2019 [au354.nordvpn.com] Peer Connection Initiated with [AF_INET]144.48.37.133:1194
Mon Apr  8 10:21:14 2019 SENT CONTROL [au354.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Mon Apr  8 10:21:14 2019 AUTH: Received control message: AUTH_FAILED
Mon Apr  8 10:21:14 2019 SIGTERM[soft,auth-failure] received, process exiting

Additional context
My previous NordVPN account, with an email address without the + alias does actually work. I am still able to login to this container correctly with that account. I've tried updating the docker image to latest, but am already using that.

I've also confirmed the username and password with docker exec "container_name" cat /vpn/auth and they are set correctly.

I've also tried to escape the + symbol in the username, ie phil\+example and phil\\+example but unfortunately still without success.

Latest version doesn't work on Unraid

Any Bug without this format would be ignored.

Describe the bug
The latest version of this Docker doesn't start up anymore as a docker on Unraid

To Reproduce
Set up docker in Unraid and try to start it with OpenVPN
or
Set up docker in Unraid and try to start it with NordLynx

Neither method will connect and both exit with error code 1

Logs

+ [[ -n '' ]]
+ [[ '' =~ ^[0-9]+$ ]]
+ NET_IFACE=eth0
++ ip -o addr show dev eth0
++ awk '$3 == "inet" {print $4}'
+ DOCKER_NET=172.17.0.2/16
++ ip -o addr show dev eth0
++ awk '$3 == "inet6" {print $4; exit}'
+ DOCKER_6NET=
+ kill_switch
+ iptables -F OUTPUT
+ ip6tables -F OUTPUT
+ iptables -P OUTPUT DROP
+ ip6tables -P OUTPUT DROP
+ iptables -A OUTPUT -o lo -j ACCEPT
+ ip6tables -A OUTPUT -o lo -j ACCEPT
+ [[ -n 172.17.0.2/16 ]]
+ iptables -A OUTPUT -d 172.17.0.2/16 -j ACCEPT
+ [[ -n '' ]]
+ iptables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT
+ ip6tables -A OUTPUT -m owner --gid-owner vpn -j ACCEPT
+ [[ -n 192.168.1.0/24, 192.168.2.0/24 ]]
+ for net in ${NETWORK//[;,]/ }
+ return_route 192.168.1.0/24
++ ip route
++ awk '/default/ {print $3}'
+ local network=192.168.1.0/24 gw=172.17.0.1
+ ip route add to 192.168.1.0/24 via 172.17.0.1 dev eth0
+ iptables -A OUTPUT --destination 192.168.1.0/24 -j ACCEPT
+ for net in ${NETWORK//[;,]/ }
+ return_route 192.168.2.0/24
++ ip route
++ awk '/default/ {print $3}'
+ local network=192.168.2.0/24 gw=172.17.0.1
+ ip route add to 192.168.2.0/24 via 172.17.0.1 dev eth0
+ iptables -A OUTPUT --destination 192.168.2.0/24 -j ACCEPT
+ [[ -n '' ]]
+ [[ -n '' ]]
+ pkill nordvpnd
+ rm -f /run/nordvpnd.sock
+ sleep 0.5
+ sg vpn -c nordvpnd
+ nordvpn login -u REMOVED -p 'REMOVED'
+ setup_nordvpn
+ [[ -n NordLynx ]]
+ nordvpn set technology NordLynx
+ [[ -n UDP ]]
+ nordvpn set protocol UDP
Command 'protocol UDP' doesn't exist.
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n 192.168.1.3 ]]
+ nordvpn set dns 192.168.1.3
+ [[ -n 172.17.0.2/16 ]]
+ nordvpn whitelist add subnet 172.17.0.2/16
+ [[ -n 192.168.1.0/24, 192.168.2.0/24 ]]
+ for net in ${NETWORK//[;,]/ }
+ nordvpn whitelist add subnet 192.168.1.0/24
+ for net in ${NETWORK//[;,]/ }
+ nordvpn whitelist add subnet 192.168.2.0/24
+ [[ -n true ]]
+ nordvpn settings
Kill Switch: disabled

CyberSec: disabled
Notify: disabled
Auto-connect: disabled
DNS: 192.168.1.3
Whitelisted subnets:
172.17.0.0/16
192.168.2.0/24
192.168.1.0/24
+ nordvpn connect NL
Stdin/Stdout should be terminal
+ exit 1

Additional context
The error is the same when using OpenVPN as the technology. I have tried other countries/regions as well.
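
The xtrace in the report above shows the container's kill switch: OUTPUT policy DROP, then ACCEPT only for loopback, the Docker network, processes in the vpn group, and each NETWORK subnet. As an added example (not part of the issue or the project's code), this shell function audits an `iptables -S OUTPUT` dump against that layout; the function names, the vpn gid 101 and the sample dumps are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the project): audit `iptables -S OUTPUT` output
# against the kill-switch layout visible in the xtrace logs on this page.

# check_killswitch VPN_GID "CIDR ..." < rules
# Prints one finding per line; returns 0 only if the chain is fail-closed.
check_killswitch() {
  vpn_gid=$1; allowed=$2; policy=""; findings=0
  while IFS= read -r rule; do
    case $rule in
      "-P OUTPUT "*) policy=${rule#-P OUTPUT } ;;
      "-A OUTPUT -o lo -j ACCEPT") ;;                          # loopback
      "-A OUTPUT -m owner --gid-owner $vpn_gid -j ACCEPT") ;;  # VPN daemon group
      "-A OUTPUT -d "*" -j ACCEPT")                            # local networks
        dst=${rule#-A OUTPUT -d }; dst=${dst% -j ACCEPT}
        case " $allowed " in
          *" $dst "*) ;;
          *) echo "unexpected destination: $dst"; findings=$((findings + 1)) ;;
        esac ;;
      *"-j ACCEPT"*)   # any other ACCEPT lets traffic leave outside the tunnel
        echo "foreign ACCEPT: $rule"; findings=$((findings + 1)) ;;
    esac
  done
  if [ "$policy" != DROP ]; then
    echo "OUTPUT policy is '${policy:-unset}', expected DROP"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed dumps (gid 101 for the vpn group is an assumption).
sample_good() {
  printf '%s\n' '-P OUTPUT DROP' '-A OUTPUT -o lo -j ACCEPT' \
    '-A OUTPUT -d 172.17.0.0/16 -j ACCEPT' \
    '-A OUTPUT -m owner --gid-owner 101 -j ACCEPT' \
    '-A OUTPUT -d 192.168.1.0/24 -j ACCEPT'
}
sample_leaky() {   # adds a root-gid ACCEPT and an unlisted subnet
  sample_good
  printf '%s\n' '-A OUTPUT -m owner --gid-owner 0 -j ACCEPT' \
    '-A OUTPUT -d 10.0.0.0/8 -j ACCEPT'
}

ALLOWED="172.17.0.0/16 192.168.1.0/24 192.168.2.0/24"
sample_good  | check_killswitch 101 "$ALLOWED" && echo "good: fail-closed"
sample_leaky | check_killswitch 101 "$ALLOWED" || echo "leaky: not fail-closed"
```

Inside a running container the input would come from `iptables -S OUTPUT`, with the gid taken from `getent group vpn`.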

Container exits unexpectedly

I am able to successfully start the container and connect to it from other containers, but after about 30 seconds, the container exits. How do I keep it running forever?

Here is my command:

docker run --rm \
  -it \
  --name vpn \
  --cap-add=NET_ADMIN \
  --device /dev/net/tun \
  -e USER=USER \
  -e PASS=PASS \
  -e COUNTRY="United States" \
  -e PROTOCOL=UDP \
  bubuntux/nordvpn 

And the logs:

Staring firewall...
Whitelisting downloads.nordcdn.com...
Downloading config files...
Whitelisting api.nordvpn.com...
Selecting the best server...
Searching for technology: openvpn_udp
Best server : us3925.nordvpn.com
Using config file /vpn/ovpn/us3925.nordvpn.com.udp.ovpn...
Connecting ...
+ sg vpn -c 'openvpn --config /vpn/ovpn/us3925.nordvpn.com.udp.ovpn --auth-user-pass /vpn/auth --auth-nocache                                 --script-security 2 --up /etc/openvpn/up.sh --down /etc/openvpn/down.sh                                 '
Thu Aug 22 16:45:40 2019 OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov 26 2018
Thu Aug 22 16:45:40 2019 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Thu Aug 22 16:45:40 2019 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Aug 22 16:45:40 2019 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Aug 22 16:45:40 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 22 16:45:40 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 22 16:45:40 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]199.241.125.94:1194
Thu Aug 22 16:45:40 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 22 16:45:40 2019 UDP link local: (not bound)
Thu Aug 22 16:45:40 2019 UDP link remote: [AF_INET]199.241.125.94:1194
Thu Aug 22 16:45:40 2019 TLS: Initial packet from [AF_INET]199.241.125.94:1194, sid=9aafa788 6abda3f2
Thu Aug 22 16:45:40 2019 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Thu Aug 22 16:45:40 2019 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA3
Thu Aug 22 16:45:40 2019 VERIFY KU OK
Thu Aug 22 16:45:40 2019 Validating certificate extended key usage
Thu Aug 22 16:45:40 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 22 16:45:40 2019 VERIFY EKU OK
Thu Aug 22 16:45:40 2019 VERIFY OK: depth=0, CN=us3925.nordvpn.com
Thu Aug 22 16:45:41 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Thu Aug 22 16:45:41 2019 [us3925.nordvpn.com] Peer Connection Initiated with [AF_INET]199.241.125.94:1194
Thu Aug 22 16:45:42 2019 SENT CONTROL [us3925.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Thu Aug 22 16:45:42 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.2.4 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: explicit notify parm(s) modified
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: compression parms modified
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Thu Aug 22 16:45:42 2019 Socket Buffers: R=[212992->425984] S=[212992->425984]
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: route options modified
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: route-related options modified
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: peer-id set
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: adjusting link_mtu to 1657
Thu Aug 22 16:45:42 2019 OPTIONS IMPORT: data channel crypto options modified
Thu Aug 22 16:45:42 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Aug 22 16:45:42 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 22 16:45:42 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Aug 22 16:45:42 2019 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
Thu Aug 22 16:45:42 2019 TUN/TAP device tun0 opened
Thu Aug 22 16:45:42 2019 TUN/TAP TX queue length set to 100
Thu Aug 22 16:45:42 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Aug 22 16:45:42 2019 /sbin/ip link set dev tun0 up mtu 1500
Thu Aug 22 16:45:42 2019 /sbin/ip addr add dev tun0 10.8.2.4/24 broadcast 10.8.2.255
Thu Aug 22 16:45:42 2019 /etc/openvpn/up.sh tun0 1500 1585 10.8.2.4 255.255.255.0 init
Thu Aug 22 16:45:42 2019 /sbin/ip route add 199.241.125.94/32 via 172.17.0.1
Thu Aug 22 16:45:42 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.2.1
Thu Aug 22 16:45:42 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.2.1
Thu Aug 22 16:45:42 2019 Initialization Sequence Completed

Any help would be appreciated. Thank you.
