Nordvpn not working after fresh reinstall

I had a power cut last night and it corrupted my install of Dietpi a Raspberry PI 4
I did a fresh reinstall this morning, updated to latest and all is working great except NordVPN (via dietpi-vpn)

I’m using the same manual credentials as before and it logs in and connects to the server (lu106.nordvpn.com) fine but fails to get a WAN Ip with the error - WAN IP : curl: (28) Resolving timed out after 3000 milliseconds.

Any ideas what to do?

dietpi@NASPi:~$ sudo systemctl -l status dietpi-vpn
● dietpi-vpn.service - VPN Client (DietPi)
     Loaded: loaded (/etc/systemd/system/dietpi-vpn.service; disabled; preset: enabled)
     Active: active (running) since Thu 2024-01-25 13:44:57 GMT; 58s ago
   Main PID: 4442 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 4471)
        CPU: 104ms
     CGroup: /system.slice/dietpi-vpn.service
             └─4442 /usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client.ovpn

Jan 25 13:44:58 NASPi openvpn[4442]: net_addr_v4_add: 10.7.2.4/24 dev tun0
Jan 25 13:44:58 NASPi openvpn[4442]: /var/lib/dietpi/dietpi-vpn/static_up.sh tun0 1500 0 10.7.2.4 255.255.255.0 init
Jan 25 13:44:58 NASPi openvpn[4456]: net.ipv6.conf.all.disable_ipv6 = 1
Jan 25 13:44:58 NASPi openvpn[4459]: net.ipv6.conf.default.disable_ipv6 = 1
Jan 25 13:44:58 NASPi openvpn[4442]: net_route_v4_add: 194.110.85.64/32 via 192.168.2.1 dev [NULL] table 0 metric -1
Jan 25 13:44:58 NASPi openvpn[4442]: net_route_v4_add: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
Jan 25 13:44:58 NASPi openvpn[4442]: net_route_v4_add: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
Jan 25 13:44:58 NASPi openvpn[4442]: Initialization Sequence Completed
Jan 25 13:44:58 NASPi openvpn[4442]: Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
Jan 25 13:44:58 NASPi openvpn[4442]: Timers: ping 60, ping-restart 180
dietpi@NASPi:~$ sudo openvpn /etc/openvpn/client.ovpn
2024-01-25 13:46:56 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-01-25 13:46:56 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-01-25 13:46:56 OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-01-25 13:46:56 library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
2024-01-25 13:46:56 DCO version: N/A
2024-01-25 13:46:56 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2024-01-25 13:46:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-01-25 13:46:56 NOTE: --fast-io is disabled since we are not using UDP
2024-01-25 13:46:56 TCP/UDP: Preserving recently used remote address: [AF_INET]194.110.85.64:443
2024-01-25 13:46:56 Socket Buffers: R=[131072->131072] S=[16384->16384]
2024-01-25 13:46:56 Attempting to establish TCP connection with [AF_INET]194.110.85.64:443
2024-01-25 13:46:56 TCP connection established with [AF_INET]194.110.85.64:443
2024-01-25 13:46:56 TCPv4_CLIENT link local: (not bound)
2024-01-25 13:46:56 TCPv4_CLIENT link remote: [AF_INET]194.110.85.64:443
2024-01-25 13:46:56 TLS: Initial packet from [AF_INET]194.110.85.64:443, sid=a96f8994 806a791b
2024-01-25 13:46:56 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-01-25 13:46:56 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-01-25 13:46:56 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-01-25 13:46:56 VERIFY KU OK
2024-01-25 13:46:56 Validating certificate extended key usage
2024-01-25 13:46:56 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-01-25 13:46:56 VERIFY EKU OK
2024-01-25 13:46:56 VERIFY X509NAME OK: CN=lu106.nordvpn.com
2024-01-25 13:46:56 VERIFY OK: depth=0, CN=lu106.nordvpn.com
2024-01-25 13:46:56 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-01-25 13:46:56 [lu106.nordvpn.com] Peer Connection Initiated with [AF_INET]194.110.85.64:443
2024-01-25 13:46:56 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-01-25 13:46:56 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-01-25 13:46:57 SENT CONTROL [lu106.nordvpn.com]: 'PUSH_REQUEST' (status=1)
2024-01-25 13:46:57 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2024-01-25 13:46:57 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2024-01-25 13:46:57 OPTIONS IMPORT: --ifconfig/up options modified
2024-01-25 13:46:57 OPTIONS IMPORT: route options modified
2024-01-25 13:46:57 OPTIONS IMPORT: route-related options modified
2024-01-25 13:46:57 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-01-25 13:46:57 net_route_v4_best_gw query: dst 0.0.0.0
2024-01-25 13:46:57 net_route_v4_best_gw result: via 192.168.2.1 dev eth0
2024-01-25 13:46:57 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=eth0 HWADDR=dc:a6:32:4f:6d:08
2024-01-25 13:46:57 TUN/TAP device tun1 opened
2024-01-25 13:46:57 net_iface_mtu_set: mtu 1500 for tun1
2024-01-25 13:46:57 net_iface_up: set tun1 up
2024-01-25 13:46:57 net_addr_v4_add: 10.7.2.5/24 dev tun1
2024-01-25 13:46:57 /var/lib/dietpi/dietpi-vpn/static_up.sh tun1 1500 0 10.7.2.5 255.255.255.0 init
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
2024-01-25 13:46:57 net_route_v4_add: 194.110.85.64/32 via 192.168.2.1 dev [NULL] table 0 metric -1
2024-01-25 13:46:57 sitnl_send: rtnl: generic error (-17): File exists
2024-01-25 13:46:57 NOTE: Linux route add command failed because route exists
2024-01-25 13:46:57 net_route_v4_add: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
2024-01-25 13:46:57 sitnl_send: rtnl: generic error (-17): File exists
2024-01-25 13:46:57 NOTE: Linux route add command failed because route exists
2024-01-25 13:46:57 net_route_v4_add: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
2024-01-25 13:46:57 sitnl_send: rtnl: generic error (-17): File exists
2024-01-25 13:46:57 NOTE: Linux route add command failed because route exists
2024-01-25 13:46:57 Initialization Sequence Completed
2024-01-25 13:46:57 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
2024-01-25 13:46:57 Timers: ping 60, ping-restart 180
^C2024-01-25 13:47:30 event_wait : Interrupted system call (fd=-1,code=4)
2024-01-25 13:47:30 net_route_v4_del: 194.110.85.64/32 via 192.168.2.1 dev [NULL] table 0 metric -1
2024-01-25 13:47:30 net_route_v4_del: 0.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
2024-01-25 13:47:30 net_route_v4_del: 128.0.0.0/1 via 10.7.2.1 dev [NULL] table 0 metric -1
2024-01-25 13:47:30 Closing TUN/TAP interface
2024-01-25 13:47:30 net_addr_v4_del: 10.7.2.5 dev tun1
2024-01-25 13:47:30 /var/lib/dietpi/dietpi-vpn/static_down.sh tun1 1500 0 10.7.2.5 255.255.255.0 init
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
2024-01-25 13:47:30 SIGINT[hard,] received, process exiting
dietpi@NASPi:~$ sudo openvpn /etc/openvpn/client.ovpn
2024-01-25 13:47:39 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-01-25 13:47:39 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
2024-01-25 13:47:39 OpenVPN 2.6.3 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2024-01-25 13:47:39 library versions: OpenSSL 3.0.11 19 Sep 2023, LZO 2.10
2024-01-25 13:47:39 DCO version: N/A
2024-01-25 13:47:39 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2024-01-25 13:47:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-01-25 13:47:39 NOTE: --fast-io is disabled since we are not using UDP
2024-01-25 13:47:39 TCP/UDP: Preserving recently used remote address: [AF_INET]194.110.85.64:443
2024-01-25 13:47:39 Socket Buffers: R=[131072->131072] S=[16384->16384]
2024-01-25 13:47:39 Attempting to establish TCP connection with [AF_INET]194.110.85.64:443
2024-01-25 13:47:39 TCP connection established with [AF_INET]194.110.85.64:443
2024-01-25 13:47:39 TCPv4_CLIENT link local: (not bound)
2024-01-25 13:47:39 TCPv4_CLIENT link remote: [AF_INET]194.110.85.64:443
2024-01-25 13:47:39 TLS: Initial packet from [AF_INET]194.110.85.64:443, sid=e4709e9f 38edf6da
2024-01-25 13:47:39 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-01-25 13:47:40 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2024-01-25 13:47:40 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA9
2024-01-25 13:47:40 VERIFY KU OK
2024-01-25 13:47:40 Validating certificate extended key usage
2024-01-25 13:47:40 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-01-25 13:47:40 VERIFY EKU OK
2024-01-25 13:47:40 VERIFY X509NAME OK: CN=lu106.nordvpn.com
2024-01-25 13:47:40 VERIFY OK: depth=0, CN=lu106.nordvpn.com
2024-01-25 13:47:40 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2024-01-25 13:47:40 [lu106.nordvpn.com] Peer Connection Initiated with [AF_INET]194.110.85.64:443
2024-01-25 13:47:40 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-01-25 13:47:40 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-01-25 13:47:40 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2024-01-25 13:47:40 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2024-01-25 13:47:40 OPTIONS IMPORT: --ifconfig/up options modified
2024-01-25 13:47:40 OPTIONS IMPORT: route options modified
2024-01-25 13:47:40 OPTIONS IMPORT: route-related options modified
2024-01-25 13:47:40 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-01-25 13:47:40 net_route_v4_best_gw query: dst 0.0.0.0
2024-01-25 13:47:40 net_route_v4_best_gw result: via 192.168.2.1 dev eth0
2024-01-25 13:47:40 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=eth0 HWADDR=dc:a6:32:4f:6d:08
2024-01-25 13:47:40 TUN/TAP device tun1 opened
2024-01-25 13:47:40 net_iface_mtu_set: mtu 1500 for tun1
2024-01-25 13:47:40 net_iface_up: set tun1 up
2024-01-25 13:47:40 net_addr_v4_add: 10.7.1.2/24 dev tun1
2024-01-25 13:47:40 /var/lib/dietpi/dietpi-vpn/static_up.sh tun1 1500 0 10.7.1.2 255.255.255.0 init
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
2024-01-25 13:47:40 net_route_v4_add: 194.110.85.64/32 via 192.168.2.1 dev [NULL] table 0 metric -1
2024-01-25 13:47:40 net_route_v4_add: 0.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 metric -1
2024-01-25 13:47:40 net_route_v4_add: 128.0.0.0/1 via 10.7.1.1 dev [NULL] table 0 metric -1
2024-01-25 13:47:40 Initialization Sequence Completed
2024-01-25 13:47:40 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
2024-01-25 13:47:40 Timers: ping 60, ping-restart 180

Just a quick update on this, I decided to try to use the remove and reset option in dietpi-vpn and then re-setup nordVPN and the same happened again.

So I installed nordvpn through the cli and set it to tcp and ovpn to mimic the dietpi config and its working fine.
curl -s https://icanhazip.com confirms i’m connected to a Luxembourg IP and if I enter dietpi-vpn it now shows this:

image

So perhaps something is broken with dietpi-vpn → Nordvpn and DietPi version 9 ?
Anyhow, i have nordvpn working so I’m happy myself, maybe worth looking at from a dietpi-vpn perspective though?

Happy to provide further logs if it helps.

:thinking:
Nothing regarding dietpi-vpn was changed with the last update
https://dietpi.com/docs/releases/v9_0/

In all the logs I can see the Initialization Sequence Completed message, which means successfully established VPN. Maybe there is something else wrong, with the DNS for example.

hmm nothing changed from our side. I’m just aware on a case where NordVPN changed the way how to authenticate. But it was 6 months ago already. Dietpi-VPN Not Connecting · Issue #6453 · MichaIng/DietPi · GitHub

I dont understand it either, was weird. There is nothing fancy on my network and it was fine before the power outage. I used Balena etcher to reimage the sdcard and everything is working perfectly as does nordvpn installed outside of dietpi-vpn. I dont know whats happening in the dietpi-vpn version this time

Yeah, I’m already using the manual way to authenticate.
When I installed it manually (cli) I used the token login instead, maybe that’s the working difference now? (I dont think so as i did get connected in dietpi-vpn , using manual linux user and pass) just saying how i logged in on manual method in case it case someone smarter than me figure it out.