NordVPN is a personal virtual private network (VPN) service provider. It has desktop applications for Windows, macOS, and Linux, mobile apps for Android and iOS, as well as an application for Android TV. Manual setup is available for wireless routers, NAS devices and other platforms.
1 Download NordVPN
- Run the terminal.
- Type sudo apt-get update to update the package list.
- Type sudo apt-get install openvpn to install OpenVPN.
- Navigate to OpenVPN directory, download .ovpn configuration files and unzip.
$ sudo apt-get update
$ sudo apt-get install openvpn
$ cd /etc/openvpn/
$ sudo wget https://nordvpn.com/api/files/zip
$ sudo unzip zip
2 Configure VPN
auth.txt file with your NordVPN credentials as follows.
Select a VPN configuration file for the desired region. For example, for the US:
$ sudo vi us3359.nordvpn.com.tcp443.ovpn
auth-user-pass the passwords file
Copy the .ovpn file you wish to use at startup and simplify its name. For example:
$ sudo cp /etc/openvpn/us3359.nordvpn.com.tcp443.ovpn /etc/openvpn/us3359.conf
Lastly, we need to set up OpenVPN to autostart and to use our file.
Enter the following line to edit our config.
$ sudo vi /etc/default/openvpn
Add above it
2.1 Replace auth in all files
You can use the following shell loop to update all .ovpn files so that they point to the auth file.
for file in *.ovpn; do
  echo "$file"
  # Point every auth-user-pass directive at auth.txt
  sed 's/.*auth-user-pass.*/auth-user-pass auth.txt/' "$file" > a.tmp
  cp a.tmp "$file"
done
rm -f a.tmp
2.2 Manually connect to a VPN
Once all files are replaced, you can use any of them to set up a VPN. For example, to set up a VPN in France:
$ sudo openvpn /etc/openvpn/fr240.nordvpn.com.tcp443.ovpn
2.3 Verify VPN
You can determine your current external IP address by using:
wget http://ipinfo.io/ip -qO -
Or using a browser by connecting to
2.4 Disconnect VPN
If you wish to disconnect, simply press Ctrl+C on the keyboard. If this doesn't work, you can use the following command.
$ sudo killall openvpn
3 Setup routing
Now we need to enable IP forwarding. It lets network traffic flow in through one network interface and out through another, essentially creating a router.
$ sudo /bin/su -c "echo -e '\n#Enable IP Routing\nnet.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
If you run sudo sysctl -p you should see this printed on the screen:
$ sudo sysctl -p
Now routing is enabled and traffic can go through the Raspberry Pi, over the tunnel and out on the internet.
4 Setup Firewall and NAT
Since we will have several clients on the inside accessing the internet over one public IP address, we need to use NAT. It stands for network address translation and keeps track of which client requested what traffic when the information returns over the tunnel. We also need to set up some security around the Raspberry Pi itself and the tunnel.
$ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Allowing any traffic from eth0 (internal) to go over tun0 (tunnel).
$ sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
Allowing traffic from tun0 (tunnel) to go back over eth0 (internal). Since we specify the state RELATED,ESTABLISHED, it will be limited to connections initiated from the internal network, blocking external traffic that tries to initiate a new connection.
$ sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Allowing the Raspberry Pi's own loopback traffic.
$ sudo iptables -A INPUT -i lo -j ACCEPT
Allowing computers on the local network to ping the Raspberry Pi.
$ sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
Allowing SSH from the internal network.
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Allowing all traffic initiated by the Raspberry Pi to return. This is the same state principle as earlier.
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If traffic doesn't match any of the rules specified, it will be dropped.
$ sudo iptables -P FORWARD DROP
$ sudo iptables -P INPUT DROP
$ sudo iptables -L
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -p icmp -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -P FORWARD DROP
sudo iptables -P INPUT DROP
sudo iptables -L
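A check for the rule set above, as an added example that is not part of the original page: the function reads iptables -S output and flags forwarding paths that bypass tun0, tunnel-side rules that are not limited to reply traffic, and default policies other than DROP. The function names are hypothetical and both rule listings are constructed samples; eth0 and tun0 are the interface names used on this page.

```shell
# Added example (not from the original page): audit `iptables -S` output
# against the gateway policy above. eth0/tun0 are the page's interface names.
audit_vpn_rules() {   # rules on stdin; prints findings; returns 0 if clean
    awk '
    $1 == "-P" && $2 == "FORWARD" { fwd = $3 }
    $1 == "-P" && $2 == "INPUT"   { inp = $3 }
    $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
        in_if = ""; out_if = ""; st = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") st = $(i + 1)
        }
        # Forwarding that neither enters nor leaves via tun0 bypasses the VPN.
        if (in_if != "tun0" && out_if != "tun0") { print "LEAK: " $0; bad = 1 }
        # Traffic arriving from the tunnel must be reply traffic only.
        if (in_if == "tun0" && (st == "" || st ~ /NEW/)) { print "OPEN: " $0; bad = 1 }
    }
    END {
        if (fwd != "DROP") { print "POLICY: FORWARD is not DROP"; bad = 1 }
        if (inp != "DROP") { print "POLICY: INPUT is not DROP"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: this page's filter rules as `iptables -S` prints them.
page_rules() { cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Constructed sample: policy left at ACCEPT plus two over-broad FORWARD rules.
leaky_rules() { cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
EOF
}

page_rules | audit_vpn_rules && echo "page rule set: clean"
leaky_rules | audit_vpn_rules || echo "leaky rule set: findings above"
```

On the gateway itself, pipe the live rules into the function with sudo iptables -S | audit_vpn_rules.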
4.1 Save iptables configuration
The first line installs a piece of software that makes the iptables rules we just created persistent between reboots. The second one saves the rules after you changed them. This time it's enough to run the first one.
sudo apt-get install iptables-persistent
sudo systemctl enable netfilter-persistent
If you change the rules, run the second one to save. Iptables rules are in effect as soon as you add them; if you mess up and lose access, just reboot and the ones not already saved will revert.