How to use OpenVPN with NordVPN's NordLynx/WireGuard without NordVPN App?

[EnthusiastXYZ]

NordVPN states that it only allows the use of its WireGuard/WinTun protocol (branded NordLynx) via its own NordVPN App. On Windows, NordVPN App uses a very outdated OpenVPN version and in many ways, it is just bloatware... I would much rather use the latest OpenVPN Alpha (Technology Preview) that supports WireGuard/WinTun protocol. Here's the link to it - https://openvpn.net/download/openvpn-2-5_git-wintun-technology-preview/ .

When following instructions outlined in the link I provided above, I can't connect to any NordVPN servers, even the servers that do work with NordLynx Protocol when connecting via NordVPN App. I also wonder if I should care because with standalone OpenVPN Windows App (UDP Protocol) my latency is actually better than latency I get with my ISP, my top speed is within 95% of the speed I get without any VPN, and that speed is achieved within seconds. OpenVPN Client CPU utilization stays below 2%. I know WireGuard/WinTun/NordLynx is much lighter compared to OpenVPN, but in my case, I wonder if there would be any major difference. My only issue with NordVPN is that every once in a while, I get disconnected during online play...

 

[SamirD]

VPNs are only taking your info and spitting it out somewhere else, so it's a akin to peeing at a public restroom vs at home--if someone is tracking your peeing, they will still find you no matter what.

That being said, the vpn service companies want people to lock into their services and keep people from compromising their service so expect a proprietary implementation of even something industry standard.

 

[EnthusiastXYZ]

It is indeed confusing. I don't understand whether VPN encrypts your data on your devices before sending it to their servers or whether it encrypts your data after it already leaves your device. I run basic TCP dumps from my WiFi devices connected to VPN and those dumps show a ton of info. If bad actors not connected to my WiFi can also capture my WiFi packets that shows all that info, then what exactly is encrypted/hidden? I don't use non-encrypted proxies, only encrypted protocols like IKEv2, OpenVPN, etc...

 

[blackmomba]

Isn't the client supposed to encrypt the traffic before it leaves your machine, isn't that one of the main purposes of the client ?

Both NordVpn apps, for Linux and for Windows are pretty bad. On Linux, the connection drops once every 3-4 hours easily and when the Killswitch kicks in, it won't reconnect to anything including Nord until after a reboot

Funny that this was posted because I just started using this last night to replace the Nord app and so far so good https://github.com/jotyGill/openpyn-nordvpn

 

[SamirD]

The whole idea behind a VPN is that it is a Virtual Private Network. These are typically used to join corporate locations to form a WAN (Wide Area Network). Each bit of traffic is encrypted inside a regular ethernet packet which is then decrypted at the destination. The reason for all this is to simple avoid dedicated links between sites (which wouldn't need encryption) and instead use the Internet to route the packets cheaply. The problem with the Internet is that it is also susceptible to all sorts of misuse now that nation-states are involved in a race to basically weaponize it.

And while corporate data is valuable, most consumer data is not worth wasting time on. However, VPN has somehow become synonymous with 'safety' and hence the marketing is that somehow encrypting your traffic and pumping out somewhere else in the world is somehow 'safer' even though no one would really care about such data.

The consumer vpn clients are hack jobs imo and don't compare with the IPsec VPN tunnels that you typically find in the enterprise; still, they are supposed to function similarly--encrypting data into an ethernet packet which is then routed to the providers 'endpoint' where the packet is decrypted and allowed to access the Internet. This is why VPN services can route around isp routing problems as well as isp geoblocking as they are literally connecting you to the Internet from the providers Internet access and not yours--your Internet access is simply a pipe to theirs. This is also why vpns can be slow, buggy, and drop as they are dependent on the weakest link in the route from you to your providers endpoint.

 

[Nicklebon]

100% agree with SamirD. Consumer VPN has a few specific use cases most of which involve geolocation/blocking. Otherwise they are designed to separate you from your money.

 

[EnthusiastXYZ]

Uh... Have you ever experienced a man-in-the-middle attack? I have and it was a brutal one that resulted in a hospitalization... From a non-personal, objective point of view, using a VPN is another way to reduce attack surface. You can never be 100% secure, but you can the surface of attack and the number of security vectors.

 

[SamirD]

Uh... Have you ever experienced a man-in-the-middle attack? I have and it was a brutal one that resulted in a hospitalization... From a non-personal, objective point of view, using a VPN is another way to reduce attack surface. You can never be 100% secure, but you can the surface of attack and the number of security vectors.

A man in the middle attack can be done even with a vpn--just that the man would be attacking at the provider's endpoint ie your Internet inpoint.

The only way to be truly secure is to own the whole kit and kaboodle. If I wanted to get around geoblocking and whatnot, I would find someone in the country I wanted and pay them to have a separate connection there with my own vpn router there that runs an ipsec tunnel back to me. But there's no need to do that when you can just use any of the cloud providers and run an ipsec tunnel to them and use that infrastructure to exit somewhere else in the world.

 

[EnthusiastXYZ]

If your VPN connects you to a different server with different exit node each time you connect, finding that exact endpoint would be extremely difficult, especially if you use Tor on top of VPN. AFAIK, IPSec is considered old and insecure. I wouldn't allow IPSec Passthrough on any router/modem.

 

[Nicklebon]

Uh... Have you ever experienced a man-in-the-middle attack? I have and it was a brutal one that resulted in a hospitalization... From a non-personal, objective point of view, using a VPN is another way to reduce attack surface. You can never be 100% secure, but you can the surface of attack and the number of security vectors.

That's comedy gold! Once you accept a malicious certificate, first step in mitm, all the VPN in the world won't protect you. Seriously, aside from a very specific use cases, none of which have to do with privacy or security, consumer VPN is worthless. VPN is only useful for security or privacy when the entire public path is encapsulated. PT Barnum would love this.

 

[BlueLineSwinger]

If your VPN connects you to a different server with different exit node each time you connect, finding that exact endpoint would be extremely difficult, especially if you use Tor on top of VPN.

Except for the company actually offering the VPN. And few if any of those are subject to any kind of regulatory oversight like ISPs typically are.

AFAIK, IPSec is considered old and insecure. I wouldn't allow IPSec Passthrough on any router/modem.

IPSec is established and proven, there's nothing insecure about it. Its drawbacks are mostly that it can be difficult to set up and otherwise somewhat finicky, has a steeper learning curve, and doesn't get along well with NAT. But once up, its solid. Other VPN protocols, such as OpenVPN or Wireguard, might make sense in certain circumstances (e.g., transient and/or roaming clients), but if I'm going to tie together remote networks in a stable connection with full support for any network protocols that might pass over it, I'm using IPSec.

 

[EnthusiastXYZ]

NordVPN's NordLynx/WireGuard and OpenVPN TCP dumps I performed on my mobile devices displayed some of the app names I used in plain text... Why didn't it encrypt those? Another VPN I tried used IKEv2 and TCP dump only showed IP addresses in plain text...

On a slightly separate note, does anyone know how to create a KillSwitch for OpenVPN? The instructions here are not working - .