So i have spent a good few days getting to the bottom of this, but i have managed to use a manual wireguard configuration for Nordvpn (nordlynx) and a namespace setup so that all traffic uses my clearnet eth0 interface via my isp address, but assigned a namespace (vpnns) to use the nordlynx connection under the interface wg0
until recently, i simply used the nordvpn app but set it to ‘routing disabled’ which used to leave all my traffic rules as standard, in that traffic wnet via eth0, but i could add some uid based routing to send all traffic via nordlynx interface (so just execute a command as the configured user to use vpn), but this has recently stopped working so i have had to find another approach.
you need wireguard installed (obvs)
The first challenge is to get the nordvpn config details, but there are a couple of really useful blog posts out there, in particular this
NordLynx (WireGuard NordVPN implementation) (opnsense.org)
based on that information you should then create a wg0.conf file (in /etc/wireguard)
this file should look like this
[Interface]
PrivateKey = [your private key]
ListenPort = 51820
Address = 10.5.0.2
DNS = 103.86.96.100, 103.86.99.100
[Peer]
PublicKey = [public key of specific server obtained from the step above]
AllowedIPs = 0.0.0.0/0
Endpoint = [address from step above]:51820
PersistentKeepalive = 25
once you have that, you can test that it works by executing
sudo wg-quick up /etc/wireguard/wg0.conf
then
curl ifconfig.me
you should get the exit ip of your vpn, not your isp address
if you just want all your traffic through the vpn, you are finished (albeit you could add some startup scripts to launch it on boot)
but i want to create an effective split tunnel, which i will achieve by creating a namespace called vpnns with eth0 as the default route for the main namespace, and wg0 as the default route for vpnns
so this script
#!/bin/bash
# Start WireGuard
sudo wg-quick up /etc/wireguard/wg0.conf
# Remove IP rule
sudo ip rule del not fwmark 51820 table 51820
# Create network namespace
sudo ip netns add vpnns
# Move wg0 interface to the network namespace
sudo ip link set wg0 netns vpnns
# Add IP address to wg0 interface within the namespace
sudo ip netns exec vpnns ip addr add 10.5.0.2/32 dev wg0
# Bring up wg0 interface within the namespace
sudo ip netns exec vpnns ip link set wg0 up
# Add default route via eth0
sudo ip route add default via 192.168.0.1 dev eth0
# Add default route via wg0 within the namespace
sudo ip netns exec vpnns ip route add default dev wg0
# Test external connectivity within the namespace
sudo ip netns exec vpnns curl ifconfig.me
you need to make this script executable (chmod +x)
(obviously the curl command is unnecessary for the startup process, but useful as confirmation that the script worked if run manually via terminal)
if you want this to run at startup pop it in /etc/init.d and create the following symlinks
sudo ln -s /etc/init.d/wireguard.sh /etc/rc2.d/S99wireguard
sudo ln -s /etc/init.d/wireguard.sh /etc/rc3.d/S99wireguard
sudo ln -s /etc/init.d/wireguard.sh /etc/rc4.d/S99wireguard
sudo ln -s /etc/init.d/wireguard.sh /etc/rc5.d/S99wireguard
now when my server boots, my main namespace continues to ues eth0 but if i run
sudo ip netns exec vpnns
it will execute through my nordlynx wireguard interface
specifically i use this for geo-location circumvention with yt-dlp, but once you have these namespaces set up, you can configure a whole variety of split tunnel goodness