
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

3 votes
2 answers
2827 views
Can't Connect to NordVPN on Arch Linux
I installed NordVPN from the AUR (nordvpn-bin package) around a week or two ago. After installing and getting logged in it worked as it was supposed to. However, after rebooting my computer, every time I try to connect, no matter what server I try to connect to, I get the following message:

at 07:44:37 ❯❯❯ nordvpn connect chicago
Connecting to United States #8798 (us8798.nordvpn.com)
Whoops! We couldn't connect you to 'chicago'. Please try again. If the problem persists, contact our customer support.

I tried logging out and back in, restarting nordvpnd, and running as sudo. All of my packages are up to date. I'm not sure what else to try. Any ideas?
Dargscisyhp (261 rep)
Dec 2, 2021, 01:50 PM • Last activity: Aug 6, 2025, 12:07 PM
2 votes
2 answers
3873 views
Setting up a NordVPN gateway on my Raspberry Pi
**Goal**

Set up NordVPN on my Raspberry Pi and use it as a gateway.

**Current set-up**

- Raspberry Pi2 running Arch ARM, connected to my router via ethernet cable
- NordVPN account
- nordvpn installed on my Rpi

**Configuration**

Here is how I configured my Raspberry. The first step is running nordvpn and selecting the desired country. Then I have to take care of the traffic routing.

*Enabling IP forwarding:*

echo -e 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf

*Setting up NAT:*

sudo iptables -t nat -A POSTROUTING -o nordlynx -j MASQUERADE
sudo iptables -A FORWARD -i nordlynx -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o nordlynx -j ACCEPT

**The problem**

At this point, everything is working smoothly and I get an IP that is located in the right country. Unfortunately, most of the services like Netflix, Youtube, and some other websites, won't recognize I'm in another country. I know it's not a NordVPN issue because the Chrome extension works properly. Any ideas?
Alessandro Romano (123 rep)
Dec 3, 2020, 03:35 PM • Last activity: Apr 6, 2025, 03:04 PM
2 votes
1 answer
712 views
How to enable direct connection to Tailscale's exit node with Gluetun
This is a Docker setup that runs a Tailscale node, routes traffic through Gluetun with NordVPN connected, and advertises the Tailscale node as an exit node.
services:
  gluetun:
    image: qmcgaw/gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=openvpn
      - OPENVPN_USER=${NORDVPN_OPENVPN_USER}
      - OPENVPN_PASSWORD=${NORDVPN_OPENVPN_PASSWORD}
      - SERVER_COUNTRIES=${NORDVPN_SERVER_COUNTRIES}
    ports:
      - 41641:41641 # tailscale port
      - 3478:3478 # stun port
  tailscale:
    image: tailscale/tailscale:latest
    network_mode: "service:gluetun"
    restart: unless-stopped
    cap_add:
      - net_admin
      - sys_module
    volumes:
      - ${PWD}/tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    environment:
      - TS_AUTHKEY=${TAILSCALE_AUTHKEY}
      - TS_EXTRA_ARGS=--advertise-exit-node
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=true
      - TS_HOSTNAME=${TAILSCALE_HOSTNAME}
    depends_on:
      gluetun:
        condition: service_healthy
The problem is that it seems only relayed connections through DERP are happening. Is it possible to establish a direct connection to the exit node, considering NordVPN doesn't allow port forwarding?
Andrey (21 rep)
Nov 12, 2024, 11:16 AM • Last activity: Feb 26, 2025, 01:39 AM
1 vote
1 answer
1687 views
How to setup a dedicated NordVPN router and gateway on linux?
The problem is this: The only officially supported router configuration for nordvpn is to use a static config file and openvpn. That doesn't work for me. The question: Using linux, how does one set up a nordvpn router/gateway that allows use of dynamic connections, nordlynx, and whatever other options are available in the native nordvpn apps?
theOtherLukeN (11 rep)
Mar 31, 2024, 01:41 AM • Last activity: Oct 15, 2024, 01:22 AM
3 votes
2 answers
640 views
Linux, nordvpn and sleep/resume
I'd really like **nordvpn** to survive sleep/resume events but of course, if the remote end doesn't hear from my laptop then it's going to drop the connection. Fair enough, I'm happy to do a disconnect before sleep and a re-connect on resume as long as I can automate it - I have the usual thing in */usr/lib/systemd/system-sleep/sleep-stuff* (below). But it doesn't quite work. On resume, 'nordvpn connect' is run and the routing table looks good if observed immediately (i.e. from within the sleep/resume script):
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.1.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp3s0
10.8.1.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
103.137.12.219  192.168.0.1     255.255.255.255 UGH       0 0          0 wlp3s0
128.0.0.0       10.8.1.1        128.0.0.0       UG        0 0          0 tun0
172.16.2.0      0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
172.16.71.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
Unfortunately, by the time I log in, the routing table has been zapped back to non-vpn mode by 'something', I don't know what, maybe NetworkManager:
$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp3s0
172.16.2.0      0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
172.16.71.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
nordvpn status reports that it's working:
$ nordvpn status
Status: Connected
Current server: au492.nordvpn.com
Country: Australia
City: Brisbane
Your new IP: 144.48.39.91
Current technology: OpenVPN
Current protocol: UDP
Transfer: 7.89 MiB received, 6.00 MiB sent
Uptime: 24 minutes 52 seconds
... but of course I have to do an additional disconnect/connect which is cheesy. Any ideas? Here's the script (put into /usr/lib/systemd/system-sleep/sleep-stuff and chmod +x):
#!/bin/sh
# Note: the script runs under /bin/sh, so POSIX syntax is used here:
# "=" instead of "==" for string comparison and ">/dev/null 2>&1" instead
# of the bash-only "&>" redirection.
if [ "${1}" = "pre" ]; then
    # before suspend
    pgrep nordvpnd >/dev/null 2>&1 && nordvpn status | grep -q 'Status: Connected' && {
        # This will run as root, so root needs to have been initialised by
        # nordvpn login at some time in the past.
        /bin/nordvpn disconnect
    }
elif [ "${1}" = "post" ]; then
    # after resume
    pgrep nordvpnd >/dev/null 2>&1 && {
        # This will run as root, so root needs to have been initialised by
        # nordvpn login at some time in the past.
        (
            sleep 5 # I've tried sleep from 0 to 5
            /bin/nordvpn connect
            netstat -rn # routing table looks OK now but it gets zapped by something else later!!
        ) &
    }
fi
This is on Fedora-31.
wef (492 rep)
Jul 9, 2020, 08:26 AM • Last activity: Aug 5, 2024, 08:05 PM
0 votes
2 answers
3593 views
NordVPN on Linux Mint
This is an unfortunately specific question, I'd much rather ask something more generic, but I'm just stumped. I install the latest Linux Mint, then I go to the NordVPN site and follow the guide to install NordVPN there, and ... nothing. I follow the company's own guide:

https://support.nordvpn.com/Connectivity/Linux/1325531132/Installing-and-using-NordVPN-on-Debian-Ubuntu-Raspberry-Pi-Elementary-OS-and-Linux-Mint.htm
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh) 
nordvpn login
nordvpn connect
It accepts my login credentials and then says "Close this window to return to the app?" so I do that and go back to the console, then it just says "You are not logged into NordVPN" if I try to run any command. Can someone with Ubuntu/Debian/LinuxMint related experience with NordVPN point out what I'm missing or doing wrong please?
YorSubs (661 rep)
Jan 15, 2022, 10:59 PM • Last activity: Aug 16, 2023, 03:15 PM
1 vote
1 answer
741 views
How to work remotely through employer's VPN and at the same time secure everything else with NordVPN?
So, the goal is simple:

- I want to work remotely within an employer's VPN network
- While at the same time, I want to route everything else through NordVPN

In the end, everything should go through some VPN service, either employer's, or NordVPN.

---

I have some requirements, though:

- NordVPN threat protection should be turned on (so DNS settings are not possible)
- I don't want to manually alter iptables
- I'd like the setup to be more-or-less automated
jirislav (433 rep)
Jun 2, 2023, 07:50 AM
2 votes
1 answer
2204 views
Using cURL with NordVPN SOCKS5 proxy
I am trying to use the cURL utility to fetch a web page through a NordVPN SOCKS5 proxy, but not having any luck. I would expect the following command line to work.
curl -v -x "socks5://:@se.socks.nordhold.net:1080" -4 http://google.com 
However, this returns the following.
*   Trying 185.236.42.56:1080...
* SOCKS5 connect to IPv6 2a00:1450:4009:815::200e:80 (locally resolved)
* Can't complete SOCKS5 connection to google.com. (4)
* Closing connection 0
curl: (97) Can't complete SOCKS5 connection to google.com. (4)
Is there some special configuration I need for cURL to connect to a SOCKS5 proxy operated by NordVPN? The customer support were able to tell me that:

> We’ve changed the way for users to connect to socks5 to reduce the chances for socks5 from being used for malicious purposes such as web scans/proxying/credential stuffing attacks.

... but they could not offer any suggestions on how to use cURL. All I can say is that some other software seems to be able to use NordVPN SOCKS5 proxies without issue.
Noldorin (107 rep)
Dec 10, 2022, 01:44 AM • Last activity: Dec 10, 2022, 04:12 AM
0 votes
0 answers
2125 views
How do I correctly set up a Linux VM as a gateway to route all traffic through a Wireguard VPN connection?
I have been banging my head against the wall for a couple of weeks trying to figure out how to set up a Linux VM on a Mac to act both as a NordVPN client and a gateway/router to forward all traffic from certain devices on my LAN through the VPN connection. My setup:

- My LAN subnet is 192.168.2.0/24.
- I have a Mac Pro running macOS Big Sur 11.6, with Parallels Desktop Pro 17.0.1 installed, and connected to my LAN using wired Ethernet.
- In Parallels, I've set up an Ubuntu 21.04 VM. This VM has two NICs configured - enp0s5 and enp0s6.
- Both VM NICs are bridged to the default wired adapter on the host machine, and both receive an IP from my LAN's DHCP server.
- In the VM, NordVPN is installed and working fine, configured to use Nordlynx (Wireguard) as the protocol.

My intention is to have the VM use enp0s5 to access the Internet and connect to NordVPN, while using enp0s6 as an incoming interface to receive traffic from other devices on my LAN (and forward them through the VPN). So, first I connect to the VPN:
$ nordvpn connect us
Connecting to United States #6918 (us6918.nordvpn.com)
You are connected to United States #6918 (us6918.nordvpn.com)!
After which my interfaces look like so:
$ ifconfig
enp0s5: flags=4163  mtu 1500
        inet 192.168.2.76  netmask 255.255.255.0  broadcast 192.168.2.255
        ether 00:1c:42:b9:d5:a3  txqueuelen 1000  (Ethernet)
        RX packets 120786  bytes 157627189 (157.6 MB)
        RX errors 0  dropped 6  overruns 0  frame 0
        TX packets 17840  bytes 1450595 (1.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s6: flags=4163  mtu 1500
        inet 192.168.2.64  netmask 255.255.255.0  broadcast 192.168.2.255
        ether 00:1c:42:59:54:ba  txqueuelen 1000  (Ethernet)
        RX packets 11342  bytes 3589378 (3.5 MB)
        RX errors 0  dropped 6  overruns 0  frame 0
        TX packets 277  bytes 77293 (77.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 948  bytes 99424 (99.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 948  bytes 99424 (99.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

nordlynx: flags=209  mtu 1420
        inet 10.5.0.2  netmask 255.255.255.255  destination 10.5.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 39  bytes 14380 (14.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61  bytes 11396 (11.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Here I do a simple speed and connectivity test, and the VPN connection works fine. OK so now I want to forward all traffic sent to the enp0s6 interface by other devices on my network, through the nordlynx interface. So I do:
iptables --flush
iptables --table nat --flush
iptables --table nat --append POSTROUTING --out-interface nordlynx -j MASQUERADE
iptables --append FORWARD --in-interface enp0s6 -j ACCEPT
I also check to make sure IP forwarding is enabled:
$ cat /proc/sys/net/ipv4/ip_forward
1
Finally, to test the gateway functionality, on another laptop (a Macbook Pro) on my LAN I configure a static IP and set the default gateway to be the enp0s6 IP from my VM (192.168.2.64). Then I try to browse the web from the Macbook - but it doesn't work. What am I missing or doing wrong? How can I best troubleshoot this? I tried doing a traceroute from the Macbook Pro to see how far I get, but tracing to any IP outside my local LAN subnet while having the Ubuntu VM set as the default gateway just gets me this:
$ traceroute 37.156.192.50
traceroute: findsaddr: write: No such process
The routing table on the Linux VM looks like so:
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         nordvpn-gw      128.0.0.0       UG    0      0        0 nordlynx
default         _gateway        0.0.0.0         UG    100    0        0 enp0s5
default         _gateway        0.0.0.0         UG    101    0        0 enp0s6
128.0.0.0       nordvpn-gw      128.0.0.0       UG    0      0        0 nordlynx
unn-138-199-52- _gateway        255.255.255.255 UGH   0      0        0 enp0s5
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s6
192.168.2.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s5
192.168.2.0     0.0.0.0         255.255.255.0   U     101    0        0 enp0s6
Thankful for any help or advice. Thanks!

**UPDATE:** As per @A.B's comment I also tried simplifying the setup to use only one NIC on the VM, but it made no difference.
Daniel Rosenberg (101 rep)
Oct 3, 2021, 10:24 PM • Last activity: Jun 2, 2022, 08:56 PM
0 votes
1 answer
1335 views
NordVPN on Arch Linux Limited Connectivity
I am using the NordVPN-bin package from AUR on my Arch Linux system (Manjaro KDE Plasma). Connecting etc. works just fine, but after I connect to the service I always get the notification "Limited connectivity" on my WLAN/LAN. This sometimes leads to me having no internet access anymore. Then I have to deactivate my internet connection and reactivate it. That sometimes works, but sometimes I have to reboot. I have deactivated all additional settings for nordvpn (Kill Switch, Cybersec, etc.). I also deactivated IPv6 for my network adapters and I have removed the preinstalled package "openvpn". None of this helps and NordVPN Customer Service cannot help me, since Arch Linux is not officially supported. Hope someone could help me out here!

Settings and status of NordVPN (screenshot):
asbaak (1 rep)
Apr 29, 2022, 07:14 PM • Last activity: May 3, 2022, 08:47 PM
0 votes
2 answers
158 views
why does a VPN need to access a public IP address directly (not through the tunnel)?
I am trying to understand how NordVPN works, from the IP side of things. After establishing a VPN tunnel, my public IP address becomes:
$ dig +short myip.opendns.com @resolver1.opendns.com
138.199.16.59
And the following new routes are created:
0.0.0.0/1 via 10.8.3.7 dev tun0 
128.0.0.0/1 via 10.8.3.7 dev tun0
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.7
138.199.16.57 via 192.168.1.1 dev wlp2s0
I understand all but the last one (138.199.16.57 via 192.168.1.1 dev wlp2s0). It seems NordVPN needs to reach directly (i.e., without going through the tunnel) a public IP address (138.199.16.57) from the same range as the public IP I received (138.199.16.59). What's the purpose of this route?
ChennyStar (1969 rep)
Jan 6, 2022, 01:52 PM • Last activity: Jan 6, 2022, 02:45 PM
0 votes
1 answer
735 views
How to get Public IP Subnet and default gateway value on my Debian Linux?
In order to configure my VPN, I need to determine these values:

- Public IP: I can do that with **curl ifconfig.me**
- Public IP subnet: **How do I get this value?**
- Default gateway: **How do I get this value?** I tried with **route**
- Device to gateway: eth0 is the device to the gateway; how do I get this value? I tried with **route**
yarek (101 rep)
Nov 29, 2021, 11:45 AM • Last activity: Nov 29, 2021, 07:04 PM
-1 votes
1 answer
1124 views
Issues with NordVPN on Ubuntu 18.04
I'm using NordVPN version 3.12 on an Ubuntu 18.04.6 media server and I've run into many connection issues. The Linux CLI version is very unstable compared to the desktop version, with the VPN getting stuck in a reconnecting loop. When trying to reconnect, it will run a loading animation until I quit the SSH session and rejoin the server.

After SSHing back into the server, the VPN status will be displayed as "Reconnecting". Trying to run systemctl restart nordvpn.service | systemctl restart nordvpnd.service will restart the service but Nord will still get stuck in a connection loop. Trying to use kill -9 [ID] will stop the service but after restarting the service it will throw this error: Whoops! Cannot reach System Daemon. when running nordvpn connect. The only reliable way I've found to get the VPN started again is to restart the system. It seems these issues start after a few days of letting the system run on the VPN connection.
cantStop45 (41 rep)
Nov 14, 2021, 04:28 AM • Last activity: Nov 27, 2021, 03:16 AM
0 votes
3 answers
2811 views
Network connectivity lost when using NordVPN Kill Switch
I'm using NordVPN with the Kill Switch feature enabled. If my computer does not shut down gracefully, the file /etc/resolv.conf is set immutable, and any future attempts to resolve names fail. Sometimes, even without an unclean shutdown, when running ping as root, I see:

> ping: sendmsg: Operation not permitted

How do I use the kill switch and have uninterrupted connectivity?
Tom Hale (32892 rep)
Jan 17, 2020, 08:18 AM • Last activity: Nov 18, 2021, 11:42 AM
0 votes
0 answers
87 views
Connection timeout when using Linux box as gateway to share VPN
I am trying to set up a Linux machine (192.168.1.47) as a gateway so that I can share a VPN connection with another machine (192.168.1.12). Both of the machines are Ubuntu VirtualBox VMs set up on different machines (bridged connection). I have the following setup but I cannot access most websites.

**Gateway Machine**:

root@pi:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source                       destination
ACCEPT     all  --  unn-89-187-175-12.cdn77.com  anywhere
ACCEPT     all  --  192.168.1.0/24               anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source                       destination
NFLOG      all  --  anywhere                     anywhere             nflog-group 6
ACCEPT     all  --  anywhere                     anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere                     anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source                       destination
ACCEPT     all  --  anywhere                     unn-89-187-175-12.cdn77.com
ACCEPT     all  --  anywhere                     192.168.1.0/24

---

root@pi:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

---

root@pi:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.5.0.2        128.0.0.0       UG    0      0        0 nordlynx
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
128.0.0.0       10.5.0.2        128.0.0.0       UG    0      0        0 nordlynx
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s3
192.168.1.1     0.0.0.0         255.255.255.255 UH    100    0        0 enp0s3

**Client:**

root@piclient:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.47    0.0.0.0         UG    0      0        0 enp0s3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s3

From the client machine, **I can reach example.com and icanhazip.com but can't reach google.com and other websites** (curl: connection timeout with ipv4). Even ping to 8.8.8.8 works fine.

Using the nflog I can see the traffic which is successfully being sent across the gateway machine (mostly DNS/ping). As you can see below, the client is able to resolve google.com but I don't see a follow-up TCP request like it does with example.com.

root@pi:~# tcpdump -s 0 -n -i nflog:6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nflog:6, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes
16:26:51.578039 IP 192.168.1.12.50342 > 8.8.8.8.53: 56494+ A? google.com. (28)
16:26:51.578135 IP 8.8.8.8.53 > 192.168.1.12.50342: 56494 6/13/10 A 173.194.199.101, A 173.194.199.102, A 173.194.199.113, A 173.194.199.139, A 173.194.199.138, A 173.194.199.100 (508)

- What can I do to debug further?
- Is it possible the router (192.168.1.1) or the host machines of the VMs are interfering? If so, why does it not interfere with example.com?
user845279 (101 rep)
Jul 2, 2021, 05:21 PM
0 votes
1 answer
557 views
Raspberry Pi won't connect to VPN
I recently installed OpenSSH on my Raspberry Pi and tried to automatically connect the Pi to a VPN (by NordVPN) on boot. Therefore I downloaded the VPN files from NordVPN and copied the file to this location:

/etc/openvpn/nordvpn.conf

In the config file I added this line for auto-connect:

auth-user-pass /home/pi/auth.txt

I also edited /var/default/openvpn and added this line:

AUTOSTART=nordvpn

But I'm not connected via VPN. This is the output of sudo systemctl status openvpn@nordvpn.service:

● openvpn@nordvpn.service - OpenVPN connection to nordvpn
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled-runtime; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Mon 2021-04-12 20:15:26 CEST; 681ms
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 3276 ExecStart=/usr/sbin/openvpn --daemon ovpn-nordvpn --status /run/openvpn/nordvpn.sta
 Main PID: 3276 (code=exited, status=1/FAILURE)

Apr 12 20:15:26 raspberrypi systemd: openvpn@nordvpn.service: Main process exited, code=exited,
Apr 12 20:15:26 raspberrypi systemd: openvpn@nordvpn.service: Failed with result 'exit-code'.
Apr 12 20:15:26 raspberrypi systemd: Failed to start OpenVPN connection to nordvpn.

Why don't I get access to the VPN? When running the config file (after renaming it to .ovpn) it works.
AlphaInc. (1 rep)
Apr 12, 2021, 06:23 PM • Last activity: Apr 13, 2021, 07:34 AM
5 votes
1 answer
7139 views
What is wrong with NordVPN's iptables rules? Their staff can't fix issue
The NordVPN for Linux app has a port and subnet whitelisting feature. It is enabled with these commands (for my port and subnet):

nordvpn whitelist add subnet 192.168.1.0/24
nordvpn whitelist add port 22

However, when that device is connected to the VPN, I cannot reach it by SSH from another device in my subnet. I wrote NordVPN support and they replied:

> Currently, we are having some issues with the NordVPN application for Linux regarding the port and subnet whitelisting.

They had no helpful advice to offer. I took a look at the iptables rules. They seem OK to me, but when I flushed all the rules (while connected to the VPN), I was then able to make the SSH connection to this device from my other local device. This indicates that the rules are not working correctly. NordVPN's rules are:

# Generated by iptables-save v1.8.4 on Sun Apr 12 16:11:29 2020
*filter
:INPUT DROP [86:19526]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [103:7935]
-A INPUT -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 89.87.71.71/32 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 89.87.71.71/32 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 89.87.71.71/32 -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.5.0.0/16 -i nordlynx -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 6568 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 6568 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 7070 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p tcp -m tcp --dport 7070 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -i lo -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i lo -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 6568 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 6568 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 7070 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.99.99/32 -o nordlynx -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 103.86.96.96/32 -o nordlynx -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o nordlynx -j ACCEPT
-A OUTPUT -d 89.87.71.71/32 -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -o lo -j ACCEPT
-A OUTPUT -d 89.87.71.71/32 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -d 89.87.71.71/32 -o nordlynx -j ACCEPT
-A OUTPUT -d 10.5.0.0/16 -o nordlynx -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o lo -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sun Apr 12 16:11:29 2020

I flushed them with:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

My SSH connection worked as desired when the rules were flushed. (I restored NordVPN's rules by restarting it.)

**What needs to change in the rules above so this device will accept incoming SSH connections (port 22) from the LAN?**

Info added in response to comment:

# ip -br address
lo               UNKNOWN        127.0.0.1/8
eth0             UP             192.168.1.3/24
nordlynx         UNKNOWN        10.5.0.2/16

# ip rule
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default

# ip route
default via 192.168.1.1 dev eth0 proto dhcp metric 20100
10.5.0.0/16 dev nordlynx proto kernel scope link src 10.5.0.2
192.168.1.0/24 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 metric 100

# ip route show table 51820
default dev nordlynx scope link

I'm using NordVPN's wireguard technology (nordlynx). But the issue exists when using openvpn technology instead of wireguard. I tested both ways.
MountainX (18888 rep)
Apr 12, 2020, 10:18 PM • Last activity: Feb 16, 2021, 07:05 AM
1 votes
0 answers
2505 views
Error kex_exchange_identification occurs when attempting to ssh over local network because of iptables entry
When I attempt to connect to a machine via open ssh over a local network I get the following error:
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.1.39 port 22
This appears to be because of the iptables entries that I have set to the machine. When I allow all traffic on iptables then I can ssh just fine. But when my vpn sets rules to the iptables I am not able to connect. When the iptables are set to the following I am not able to ssh successfully:
Chain INPUT (policy DROP)
target  prot opt source            destination 
..........
ACCEPT  all  --  192.168.1.0/24    anywhere   cstate RELATED,ESTABLISHED
ACCEPT  all  --  192.168.1.0/24    anywhere   cstate NEW,RELATED,ESTABLISHED
ACCEPT  udp  --  192.168.1.0/24    anywhere   udp dpt:51280
ACCEPT  all  --  192.168.1.0/24    anywhere   cstate NEW,RELATED,ESTABLISHED
..........
Chain OUTPUT (policy DROP)
target  prot opt source     destination 
..........
ACCEPT  all  --  anywhere   192.168.1.0/24 
ACCEPT  all  --  anywhere   192.168.1.0/24 
ACCEPT  all  --  anywhere   192.168.1.0/24  
..........
When the iptables are set to the following I am able to ssh successfully:
Chain INPUT (policy ACCEPT)
Chain OUTPUT(policy ACCEPT)
The IP of the machine that I am connecting to is 192.168.1.39/24 and the machine that I am connecting from is 192.168.1.189/24. So they are both on the same 192.168.1.0 network (the iptables rule should ACCEPT the connection). I also tried adding a rule to allow all connections to that PC but this did not resolve the issue. The iptables entries are set by the NordVPN client (to remove the entries I just disable NordVPN). I tried reinstalling the latest version of NordVPN from the AUR package but this did not resolve the issue. But obviously I want to have this running fine with NordVPN.

I know that this has something to do with the iptables but I am having trouble trying to find the precise cause (I'm not an expert at networking but those entries above look fine) or how to fix it. This network is just a home network. Before, it used to work fine (same PCs, same VPN, same ...) but my router just broke so I am using a new one (Asus RT-AC68U), which is when the problem started occurring. I also had a look at my router settings just to see if there was anything that could explain this further but did not find anything.

Also, if I turn off the VPN on 192.168.1.39 but turn on the VPN on 192.168.1.189 (which has the same iptables rules) then I am able to ssh to 192.168.1.39. But if I turn the VPN on for both machines then I cannot ssh.

In summary:

- Client (192.168.1.189) cannot ssh to Server (192.168.1.39) when the server's NordVPN is on.
- Client can ssh to Server when the server's NordVPN is off.
- Client can ssh to Server when the client's NordVPN is off.
- Error appears to be related to the server's iptables entries.
- Adding a catch-all rule to the server's iptables does not appear to resolve the problem.
- A change to the network which may be related is a new router (Asus RT-AC68U), but I cannot identify any problem with its setup.

I'm a bit stumped on how to proceed. Can anyone help? Thank you.

EDIT - I am continuing to look into this but I don't think there is much more that I can add. I will update if there is anything else I think that I may find useful.

1. In case people were thinking that the problem could be NordVPN instead of the iptables, I did set the Chain INPUT policy to accept when NordVPN was on and the SSH worked fine. So I think that it is definitely something I have messed up in the iptables.
Andy Klaj (11 rep)
Jun 5, 2020, 03:52 PM • Last activity: Jun 5, 2020, 04:30 PM
Showing page 1 of 18 total questions