Leveraging the latest native NordVPN client, iptables and the Nord API to create the fastest, safest, and most stable connection possible for other containers and systems on your network.
Build based on:
- NordVPN latest
  - Automatically updated from the NordVPN repository
- Ubuntu latest LTS
  - Updated nightly
Examples of use:
Docker Hub repository:
Optimized for NordLynx:
- NordLynx is NordVPN's fast/stable implementation of WireGuard; it is the recommended and default TECHNOLOGY
WireGuard on the host
- You must install WireGuard on your host in order to leverage NordLynx
Capabilities
Environment
-
- ONLY TOKENS ARE VIABLE IN A CONTAINER
- The use of USERNAME and PASSWORD has been deprecated; the Linux client accepts only TOKEN or login via browser
- You may use a secret in place of TOKEN
- If TOKEN is set, it takes precedence over the secret
-
- Technically not required for the container to work, but it should be set if local traffic is to be routed through NordVPN
IPv6
- IPv6 support is limited and generally not supported by most VPN providers at this time
- Therefore, it is recommended to disable IPv6 support in your container via sysctl: net.ipv6.conf.all.disable_ipv6=1
DNS
- Prior to establishing the tunnel, the host DNS settings will be used
- If you are concerned with DNS leakage (which will only be nordvpn.com), you should set docker DNS
  - Note, this is not the same as the DNS environment variable
Generally, the default settings will provide a great experience; however, several environment variables are available to provide flexibility:
Variable | Default | Description |
---|---|---|
BYPASS_LIST | | Comma-separated list of domain names that should bypass VPN (i.e. these connections should not be secured); if set, FIREWALL will default to FALSE |
CHECK_CONNECTION_INTERVAL | 60 | Time in seconds to check connection state and remediate as required |
CHECK_CONNECTION_URL | https://www.google.com | URL used by CHECK_CONNECTION_INTERVAL |
CONNECTION_FILTERS | | To connect to the fastest, lowest load server of special interest. Use the NordVPN API to help craft your filters; largely for OpenVPN, though useful with NordLynx when wanting to set a specific country/city (e.g. filters[country_city_id]=8980922) |
CONNECT | | Provide a [country] (Australia), [server] (jp35), [country_code] (us), [city] (Hungary Budapest) or [group] (Onion_Over_VPN) (note CONNECT overrides CONNECTION_FILTERS; use one or the other) |
CYBER_SEC | FALSE | Learn more at NordVPN (TRUE/FALSE) |
DNS | | A comma-separated list of IPv4/IPv6 addresses to be set as the VPN tunnel DNS servers, or non-IP hostnames to be set as the tunnel's DNS search domains (leave unset to use NordVPN servers) |
FIREWALL | TRUE | Use the NordVPN firewall over iptables (TRUE/FALSE; will default to FALSE when BYPASS_LIST in use) |
KILLSWITCH | TRUE | Use the NordVPN kill switch; FIREWALL must also be TRUE (TRUE/FALSE) |
NET_LOCAL | | Add a route to local IPv4 network once the VPN is up; the Docker network is automatically added; must be CIDR IPv4 format (e.g. 192.168.1.0/24) |
NET6_LOCAL | | Add a route to local IPv6 network once the VPN is up; the Docker network is automatically added; must be CIDR IPv6 format (e.g. fe00:d34d:b33f::/64) |
OBFUSCATE | FALSE | Only valid when using TECHNOLOGY OpenVPN; learn more at NordVPN (TRUE/FALSE) |
PORT_RANGE | | Port range to whitelist for both UDP and TCP (e.g. PORT_RANGE=9091 9095) |
PORTS | | Semicolon-delimited list of ports to whitelist for both UDP and TCP (e.g. PORTS=9091;9095) |
POST_CONNECT | | Command to execute after successful connection |
PRE_CONNECT | | Command to execute before attempt to connect |
PROTOCOL | UDP | Only valid when using TECHNOLOGY OpenVPN (TCP/UDP) |
REFRESH_CONNECTION_INTERVAL | 120 | Time in minutes to trigger VPN reconnection to help ensure best connection available (0 = disable) |
TECHNOLOGY | NordLynx | Specify the VPN Technology to use (NordLynx/OpenVPN) |
TOKEN | | Generated from your NordVPN account web portal. You can use the secrets feature in place of TOKEN to deliver the NordVPN token; specify the secret with the name nordvpn_token_file and ensure the nordvpn container can access the file path |
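
Several rows of the table above interact: BYPASS_LIST flips the FIREWALL default, KILLSWITCH depends on FIREWALL, CONNECT overrides CONNECTION_FILTERS, and OBFUSCATE/PROTOCOL apply only to OpenVPN. The preflight check below is an added example, not part of this project; the function name and finding codes are hypothetical, and it assumes an explicitly set FIREWALL value wins over the BYPASS_LIST-driven default.

```shell
#!/bin/sh
# Added example (not the project's code): lint the variables from the table above.
# Prints one finding code per line and returns 1 if there is any finding.
# Assumptions: the finding codes are made up here, and an explicitly set
# FIREWALL value is taken to win over the BYPASS_LIST-driven default.

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

lint_nordvpn_env() {
    found=0
    report() { echo "$1"; found=1; }

    # FIREWALL defaults to TRUE, or to FALSE once BYPASS_LIST is set.
    if [ -n "${FIREWALL:-}" ]; then fw=$(upper "$FIREWALL")
    elif [ -n "${BYPASS_LIST:-}" ]; then fw=FALSE
    else fw=TRUE
    fi

    # KILLSWITCH defaults to TRUE but needs FIREWALL=TRUE to take effect.
    if [ "$(upper "${KILLSWITCH:-TRUE}")" = TRUE ] && [ "$fw" != TRUE ]; then
        report killswitch-needs-firewall
    fi

    # CONNECT overrides CONNECTION_FILTERS, so setting both hides the filters.
    if [ -n "${CONNECT:-}" ] && [ -n "${CONNECTION_FILTERS:-}" ]; then
        report connection-filters-ignored
    fi

    # OBFUSCATE and PROTOCOL only apply to TECHNOLOGY=OpenVPN (default NordLynx).
    if [ "$(upper "${TECHNOLOGY:-NordLynx}")" != OPENVPN ]; then
        if [ "$(upper "${OBFUSCATE:-FALSE}")" = TRUE ]; then report obfuscate-needs-openvpn; fi
        if [ -n "${PROTOCOL:-}" ]; then report protocol-needs-openvpn; fi
    fi

    # NET_LOCAL must look like an IPv4 CIDR such as 192.168.1.0/24 (shape check only).
    if [ -n "${NET_LOCAL:-}" ] && ! printf '%s\n' "$NET_LOCAL" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        report net-local-not-ipv4-cidr
    fi

    [ "$found" -eq 0 ]
}
```

Source the file in the shell where the container's variables are exported and run lint_nordvpn_env; it prints nothing and returns 0 when none of these rules is violated.
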
- Ensure you have read all of the above information
- Ensure you have pulled the latest available image
  - Use --force-recreate to be sure
- Check and double-check all of your values
- Perform the following:
  - Start a basic container:
    - docker run -it --rm --name=nordvpn-tmp tmknight88/nordvpn:latest bash
  - Perform the following in the container:
    - nordvpnd &
    - nordvpn login --token [your token]
    - nordvpn connect
  - If basic container connects without issue, then slowly/one-at-a-time, start applying any customizations and go through the previous steps with each change (yes, laborious, but that's what it takes)
    - docker run -it --rm --name=nordvpn-tmp -v [something] tmknight88/nordvpn:latest bash
    - docker run -it --rm --name=nordvpn-tmp -v [something] -e [something else] tmknight88/nordvpn:latest bash
    - docker run -it --rm --name=nordvpn-tmp -v [something] -e [something else] -e [and so on] tmknight88/nordvpn:latest bash
- If you've performed all of the above without determining the issue, feel free to open an issue
  - Be sure to include your log entries and be as descriptive as possible
Using the NordVPN API
This project is independently developed for personal use; there is no affiliation with NordVPN or Nord Security companies. Nord Security companies are not responsible for, nor have control over, the nature, content and availability of this project.