dietpi-nordvpn "killswitch" feature ?

Have some feedback, questions, suggestions, or just fancy a chat? Pop it in here.
Posts: 4
Joined: Sun Dec 06, 2020 10:03 am

Re: dietpi-nordvpn "killswitch" feature ?

Post by Treejumping »

I’ve had a couple of ‘worst case scenario’ situations where NordVPN has simply disconnected without warning. I think I was completely exposed for at least 7-8 hours before I noticed (this was before I had implemented my cron script above to kill deluge).
But I think this was user error, I set a startup script to launch nord on startup before realising that it was launching itself anyway, so perhaps that was causing problems?
At any rate though, I have never struggled with anything that wouldn’t be resolved by a quick ‘NordVPN c’ command.
Nord is clearly less stable than my previous provider (airvpn using their lightweight hummingbird client), but nord seems to be the only ‘out the box’ wireguard provider for the pi.
User avatar
Site Admin
Posts: 2499
Joined: Sat Nov 18, 2017 6:21 pm

Re: dietpi-nordvpn "killswitch" feature ?

Post by MichaIng »

I was looking into a way to implement NordVPN WireGuard (NordLynx) into dietpi-nordvpn, but there is the fundamental issue of WireGuard that each client is assigned a single static IP address (for the VPN network only of course). So theoretically one can track actions of a single user by watching connections from a single IP, when having access to connection info of course.

Each VPN provider has its own method to work around this privacy issue, often via config generators which create short-term configurations (with IP and keys) that hence need to be re-created regularly and re-applied to all clients. NordVPN has a double NAT method implemented to randomise IP addresses and I don't think that there is or will be a public API to use this with the official standard WireGuard tools in a way.

Sad that a dynamic IP range was not thought about right from the start with the WireGuard protocol. If you control your own server, that is not an issue, but for public VPN providers that is a real privacy concern: Not a single (reasonable large) VPN provider uses the WireGuard protocol as it is and lets customers create and use keys+config the regular war. A nice overview can be found here:
A bit too long repeating around the point, but at the end you get the info:

Native WireGuard solution is work-in-progress:
Post Reply