[?BUG?] Certbot and NordVPN won't play together

Another one of those that keeps the likes of me with my limited knowledge of routing, etc. out in the paddock.

Been trying to get my server to run everything and no matter what I do, poor old NordVPN seems to break stuff coming in from the outside world. SSH, SFTP, HTTP, HTTPS you name it… well, I’ve only tried those but you get the idea.

I’m rather in the dark here but I’ve got around it by putting another server out with a different IP address so the router can send 22, 80 and 443 traffic to that one rather than my Pi which runs PiHole, Nord (and now, Privoxy) for outgoing stuff.

I wonder if Nord/OVPN would break OpenBazaar too?

I should say this isn’t an irritation or even a grumble, in fact, without DietPi I’d still be making scratch marks in stone tablets so I’m very, very thankful. I just wonder if there’s a way to let some cheap POS like me get away with running everything on a single box.

EDIT: I should say that I did manage to get CertBot to work and, once again, DietPi’s team has made a fiddling job very pleasant and even possible!

Yep, by default any VPN client breaks direct access to this device (outside of the VPN tunnel), as all packets (even answers) are forced to be sent through the VPN interface.

To allow answering of requests outside of VPN (as long as a connection was initiated outside VPN as well), you could try the following:

G_CONFIG_INJECT '42[[:blank:]]' '42 bypass_vpn' /etc/iproute2/rt_tables
ip r add default dev wlan0 via <GATEWAY_IP> table 42
iptables -t mangle -A PREROUTING -i wlan0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 42
iptables -t mangle -A OUTPUT -m connmark --mark 42 -j MARK --set-mark 42
ip rule add fwmark 42 table 42
  • Replace “wlan0” with the actual internet-capable network interface.
  • Replace “<GATEWAY_IP>” with the internet gateway, most likely the IP of your router.

What it does is mark all connections that are established by an incoming packet through the main interface. For any outgoing packet it then checks whether it is part of a marked connection. If so, it marks the single packet as well, and a routing table ensures that all packets with this mark are sent through the main interface instead of through the VPN.

But I have only tested this quickly. Please do some tests as well to ensure that any outgoing request/connection stays inside the VPN.
If it works reliably, then you could add those e.g. as a dash script to /var/lib/dietpi/postboot.d/vpn_bypass.sh to be loaded on boot automatically, hmm, or actually better to have this as PreUp commands for the NordVPN service and remove the rules on PostDown.

I planned to add this to the DietPi-NordVPN menu as an option.
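The rules from the reply above wrapped into an up/down script of the PreUp/PostDown kind it suggests, as an added example (not DietPi's or NordVPN's own code): it adds the matching teardown in reverse order and a DRY_RUN mode that prints the commands instead of running them, so the rule set can be inspected without root. The interface and gateway are arguments you supply; table and mark number 42 are taken from the thread.

```shell
#!/bin/sh
# vpn_bypass.sh: answer connections that arrived on the real interface via that
# interface instead of via the VPN tunnel. Added example, not DietPi's script.
# Assumes Linux with iproute2 and iptables (nf_conntrack available).
# Usage: vpn_bypass.sh up <iface> <gateway> | vpn_bypass.sh down <iface> <gateway>
# DRY_RUN=1 prints each command instead of executing it.

TABLE=42   # numeric routing table, no /etc/iproute2/rt_tables entry required
MARK=42    # conntrack/packet mark used to pick that table

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# PreUp: mark new inbound connections on $1 and route their replies via $2.
vpn_bypass_up() {
    iface=$1; gw=$2
    # Table $TABLE: default route out of the real interface, not the tun device.
    run ip route replace default via "$gw" dev "$iface" table "$TABLE"
    # Only connections whose first packet arrives on $iface get the CONNMARK;
    # anything the box initiates itself never matches and stays in the VPN.
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # Copy the connection mark onto each locally generated reply packet.
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" -j MARK --set-mark "$MARK"
    # Policy rule: marked packets consult table $TABLE before the main table.
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# PostDown: remove exactly the rules added above, in reverse order, with -D so
# unrelated mangle rules are left untouched.
vpn_bypass_down() {
    iface=$1
    run ip rule del fwmark "$MARK" table "$TABLE"
    run iptables -t mangle -D OUTPUT -m connmark --mark "$MARK" -j MARK --set-mark "$MARK"
    run iptables -t mangle -D PREROUTING -i "$iface" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    run ip route flush table "$TABLE"
}

case "${1:-}" in
    up)   vpn_bypass_up "$2" "$3" ;;
    down) vpn_bypass_down "$2" "$3" ;;
    "")   ;;  # no arguments: just define the functions (e.g. when sourced)
    *)    echo "usage: $0 up|down <iface> <gateway>" >&2; exit 1 ;;
esac
```

After bringing it up, confirm that locally initiated traffic still leaves through the VPN (the public address seen from the box must stay the VPN exit address) and that `iptables -t mangle -L OUTPUT -v` only counts packets belonging to connections that came in from outside.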

I really have to set my email so it doesn’t send alerts to SPAM MichaIng

I must seem awfully rude not coming back when you reply. Time isn’t something I’m blessed with so I rely on the ***ing alerts (not your fault) to know when it’s time to pop in.

Anyhoooo… That’s a great option - firewalls are something that came into major play long after I’d ceased learning new stuff (you know, as you do).

My Pi bit the dust - a power outage - and took the backup drive with it which was nice. If I’d only been aware of TestDisk and PhotoRec https://www.cgsecurity.org/wiki/TestDisk_Download I wouldn’t have to have jury-rigged an old laptop to recover a few Tb of por… I mean data, yes… data your honor. :rofl: :sunglasses:

So I’ve dragged another Gen 3 i5 laptop out of the bin and retrofitted it with DietPi - because I hate adverts more than I need a VPN and PiHoled that up.

Just in case anyone is reading this later (even me because I’ll forget as I always do) it’s vital to set NordVPN first if you’re going to use a proxy like Privoxy. Micha, I’m sure you understand this better than I do, but if you install and set up Privoxy before Nord it all goes to mush and Privoxy doesn’t work. I don’t find it much use for blocking ads (compared to PiHole) but it’s a dream to switch the Proxy on all my machines and sail through the VPN - even without DNS leaks from what I can tell, but I’m re-building right now so I’ll double-check.
==== Drat ====

Yup, DNS is leaking like a fish. Plan B I think unless/until you can pop Privoxy or similar on the installer so dopes like yours truly don’t have to do everything the long way.

Thanks Micha - appreciate all you do for us.