Debian Security OpenVPN – How to Setup NordVPN Nameservers for VPN and Non-VPN Use?


I am trying to set up my NordVPN VPN connections such that I can use the internet without VPN nameservers and the internet with VPN.
Code in /etc/resolv.conf set up per the official NordVPN instructions in the thread "How to do these NordVPN changes for CyberSec in Debian?", plus my first line, which allows me to use the internet when not using the VPN:

nameserver 8.8.4.4
nameserver 103.86.99.99
nameserver 103.86.96.96

RuiFRibeiro's comment about the situation where he points out that my settings are creating DNS in turns.

This means you are using Google DNS in and out of VPN, and thus having DNS leaking outside of the VPN. Their DNS servers must be used while inside the VPN, and Google outside – in fact you may be using DNS in turns, more complicated, but you got the idea. Actually I have set up VPNs for use in our organization, and I intercept DNS requests, and it does not matter whichever DNS the client has configured. I am surprised both they do not do that, and also they do not provide clearer instructions.

Supported /etc/resolv.conf by NordVPN

This way, you cannot access internet without VPN, but you will have no leaks while using VPN.

nameserver 103.86.99.99
nameserver 103.86.96.96

Dynamic setting

Pseudocode

  1. If no openvpn active, use Google nameservers, e.g. 8.8.4.4.
  2. If openvpn active, use NordVPN nameservers, such that the key method can be:

    • you might change resolv.conf if calling a script to activate the VPN (RuiFRibeiro)
    • with iptables rules intercepting DNS when going the VPN route (RuiFRibeiro)
    • checking for the presence of a VPN connection/interface in a script piggybacking the dhcp client – ugly hack (RuiFRibeiro)

NordVPN answer acceptable by me

I received a few answers from them but accept only the following ones.
I asked them for a schedule for when this bottleneck will be solved.

Currently Cybersec feature does not work with Linux machines as there
will be internet connection only when connected to the VPN.

If you wish to have no leaks on your Linux machine while connected to
the VPN and internet while not connected, use these DNS addresses.
These are our DNS servers: 162.242.211.137 and 78.46.223.24

We are sorry to inform you, that CyberSec for Linux is not in the priority list at the moment. ETA is unknown.

Future wishes for NordVPN

  1. Some binary blob to fix the issue, but I want documentation of what it does
  2. Use OpenVPN directly instead of IPsec or PPTP

OS: Debian 9
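
An added example (not part of the original question, and not NordVPN's or OpenVPN's own code) of the first and third methods in the pseudocode above: an OpenVPN up/down hook that rewrites resolv.conf, plus an interface-presence check for callers outside OpenVPN. The script path, the function names and the `tun0` default are assumptions; the nameserver addresses are the ones quoted in the question.

```shell
#!/bin/sh
# Added example: swap resolver lists when an OpenVPN tunnel goes up or down.
# Assumed wiring in the client profile (the script path is hypothetical):
#   script-security 2
#   up   /etc/openvpn/vpn-dns.sh
#   down /etc/openvpn/vpn-dns.sh
# OpenVPN exports script_type (up/down) to the hook's environment.

VPN_DNS="103.86.99.99 103.86.96.96"   # NordVPN resolvers quoted in the question
PLAIN_DNS="8.8.4.4"                   # resolver the question uses outside the VPN

# Succeeds when the tunnel interface exists; $2 overrides the sysfs root (tests).
vpn_active() {
    [ -e "${2:-/sys/class/net}/${1:-tun0}" ]
}

# Print the resolv.conf body for state "up" or "down"; anything else is an error.
render_resolv_conf() {
    case "$1" in
        up)   servers=$VPN_DNS ;;
        down) servers=$PLAIN_DNS ;;
        *)    return 2 ;;
    esac
    for ns in $servers; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Write to a temp file and rename it over the target, so the resolver never
# sees a half-written file or a mix of VPN and non-VPN nameservers.
apply_resolv_conf() {
    target=${2:-/etc/resolv.conf}
    tmp="$target.tmp.$$"
    render_resolv_conf "$1" > "$tmp" || { rm -f "$tmp"; return 2; }
    chmod 644 "$tmp" && mv -f "$tmp" "$target"
}

# For callers outside OpenVPN (e.g. a DHCP client hook): pick by interface.
sync_resolv_conf() {
    if vpn_active "$1" "$3"; then
        apply_resolv_conf up "$2"
    else
        apply_resolv_conf down "$2"
    fi
}

# Rewrite /etc/resolv.conf only when OpenVPN invoked this as an up/down hook.
case "${script_type:-}" in
    up|down) apply_resolv_conf "$script_type" ;;
esac
```

If the OpenVPN profile drops privileges with `user`/`group`, the down hook runs unprivileged and can no longer write /etc/resolv.conf. A DHCP client, NetworkManager or resolvconf that also manages the file can overwrite it after the hook has run.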

Best Answer

No support exists for the feature in NordVPN for Linux at the moment. I hope this answer will be deprecated soon.
