How to do fully disable nordvpn firewall? #158

Open
tm4ig opened this issue Nov 11, 2023 · 6 comments
Labels
bug Something isn't working

Comments


tm4ig commented Nov 11, 2023

How do I fully disable the nordvpn firewall?
If I use "nordvpn set firewall 0", the nordvpn iptables rules are not used in the filter iptables table, but the Firewall Mark is used in the mangle iptables table, and I still must add addresses and ports to the nordvpn whitelist to allow them.

I want to use only the system firewall (ufw) and not use the nordvpn firewall.

my env:
NordVPN Version 3.16.7
Ubuntu 22.04.3 LTS
Linux 5.15.0-88-generic

nordvpn settings
Technology: NORDLYNX
Firewall: disabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: disabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
Allowlisted ports:
80 (TCP)
443 (TCP)
Allowlisted subnets:

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp on ens3             ALLOW IN    Anywhere
443/tcp on ens3            ALLOW IN    Anywhere

@mariusSincovici
Contributor

Hello,
Unfortunately, at the moment, it is not possible to entirely block NordVPN from using the firewall.
We have created a ticket on our end to address this matter.


hpsaturn commented Dec 11, 2024

Hi, I have a similar issue.
Before, I had nordvpn working well with the firewall disabled, sharing my VPN connection using nmcli (NetworkManager) and a Hotspot connection that I made. But I noticed that it doesn't work now. So I tried the following settings:

nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Tray: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
Virtual Location: enabled
Allowlisted ports:
       22 (UDP|TCP)
       67 (UDP|TCP)
Allowlisted subnets:
	10.42.0.0/24

And I have my hotspot working in this subnet; I mean that my clients have these IPs. Also, the hotspot works fine without a nordvpn connection. When I try to enable any nordvpn connection, my clients stay connected to the hotspot but without internet.

Maybe some port forwarding is missing, or something? Or a rule in the nordvpn firewall for that?

@mariusSincovici
Contributor

Hi @hpsaturn,

This doesn't seem to be the same issue as the original, because you are using the firewall (Firewall: enabled).
If you want to fully disable the firewall, please use nordvpn set firewall 0, but this will require you to configure the firewall.
If you still want to have the firewall, but there are some issues with the setup, please create a separate issue. In this way we can better keep track of the issue and provide better information for your issue.

Thank you

@hpsaturn

OK, thanks for your quick answer. But I have already also tested the firewall 0 setting, and nothing. But it is true, let me try to configure the Raspbian firewall. The weird thing is that I remember that my development was working well before with the firewall disabled, without any firewall config in Raspbian, with the Hotspot using nmcli, and all together, but now it does not.

That is my development, with a little demo from one year ago:

YouTube video demo PiLauncher
https://github.com/hpsaturn/pilauncher

@mariusSincovici
Contributor

Hi,

Normally there should not be any firewall rules added to the system if the firewall option is off, but just to be safe:
Could you check what firewall rules you have on the Raspberry Pi (when the NordVPN firewall option is off), for all the chains?
Compare them with what was there before connecting to the VPN, and try to remove anything that was added by nordvpn, in case there is something.

In case you're using meshnet, see #659 to not be in the same situation.


hpsaturn commented Dec 19, 2024

It is strange, but nothing changes. The iptables rules are the same in both cases. When I enabled a NordVPN connection on my Raspberry Pi, which is my Hotspot, the client lost the connection; for instance, an Android phone shows "no internet" in the wifi. When I disabled NordVPN, the connection on the client instantly changed to "connected".

I have the following outputs:

(Note: they are the same in both cases, whether the NordVPN connection is enabled or disabled. I did a vimdiff to compare the outputs.)

pi@pimain:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.42.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.42.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# Warning: iptables-legacy tables present, use iptables-legacy to see them
pi@pimain:~ $ sudo iptables -L FORWARD -vn
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
4396K 5924M ACCEPT     all  --  *      wlan0   0.0.0.0/0            10.42.0.0/24         state RELATED,ESTABLISHED
1137K  271M ACCEPT     all  --  wlan0  *       10.42.0.0/24         0.0.0.0/0           
    0     0 ACCEPT     all  --  wlan0  wlan0   0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
# Warning: iptables-legacy tables present, use iptables-legacy to see them

And my NordVPN settings:

pi@pimain:~ $ nordvpn settings
Technology: NORDLYNX
Firewall: disabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Tray: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
Virtual Location: enabled
Allowlisted ports:
       22 (UDP|TCP)
       67 (UDP|TCP)
       80 (UDP|TCP)
Allowlisted subnets:
	10.42.0.0/24
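
The before/after comparison requested in this thread, as an added example that is not part of the thread or NordVPN's code: `iptables -L` lists only the filter table of one backend, and the output above carries the `iptables-legacy tables present` warning, so this snapshot dumps every table of both backends. Including `ip rule` output is this example's assumption, the function names are hypothetical, and the rules in `demo` are constructed sample data.

```shell
#!/bin/sh
# Usage (as root): snapshot FILE before and after `nordvpn connect`, then diff.
MARK="0xe1f1"   # "Firewall Mark" value from `nordvpn settings` on this page

# Tag each iptables-save line with backend/table; drop comments, COMMIT and
# chain counters so that only real rule changes show up in the diff.
normalize() {   # stdin: iptables-save output, $1: backend label
    awk -v b="$1" '
        /^#/ || /^COMMIT$/ || /^$/ { next }
        /^\*/ { t = substr($0, 2); next }
        { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print b "/" t " " $0 }'
}

# Dump every table of both backends plus policy-routing rules into file $1.
snapshot() {
    {
        for be in nft legacy; do
            if command -v "iptables-$be-save" >/dev/null 2>&1; then
                "iptables-$be-save" | normalize "$be"
            fi
        done
        ip -4 rule show | sed 's/^/iprule /'
    } > "$1"
}

# Lines added between snapshots $1 and $2; lines of $1 that mention the mark.
added_rules() { grep -Fxv -f "$1" "$2" || true; }
mark_rules() { grep -i -- "$MARK" "$1" || true; }

# Constructed sample, not captured from a real host: a MARK rule shows up in
# the legacy backend's mangle table, which `iptables -L` does not list.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# Generated by iptables-save' '*filter' \
        ':FORWARD ACCEPT [0:0]' '-A FORWARD -s 10.42.0.0/24 -i wlan0 -j ACCEPT' \
        'COMMIT' | normalize nft > "$d/before"
    cp "$d/before" "$d/after"
    printf '%s\n' '*mangle' ':OUTPUT ACCEPT [12:3400]' \
        '-A OUTPUT -j MARK --set-xmark 0xe1f1/0xffffffff' 'COMMIT' \
        | normalize legacy >> "$d/after"
    added_rules "$d/before" "$d/after"
    rm -rf "$d"
}

case "${1:-}" in
    snapshot) snapshot "$2" ;;
    diff)     added_rules "$2" "$3" ;;
    demo)     demo ;;
esac
```

An empty diff from this comparison rules out the packet-filter tables of both backends; `iptables -L` alone cannot, since it never reads the mangle or nat tables.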
