No internet access or routing since January 1st.
Describe the bug
No DNS resolution since January 1st 2025 as there seems to be a routing or connection issue to the internet since this version.
To Reproduce using docker-compose
```yaml
version: "3.8"
services:
  nordlynx:
    container_name: nordlynx
    image: ghcr.io/bubuntux/nordlynx:latest
    cap_add:
      - NET_ADMIN
    environment:
      - PRIVATE_KEY=[[REDACTED]]
      - TZ=America/Montreal
      - QUERY=filters\[servers_groups\]\[identifier\]=legacy_p2p
      - NET_LOCAL=10.0.0.0/24
      - END_POINT=ca1623.nordvpn.com:51820
    ports:
      - 6790:6789 #nzbGet
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
    networks:
      - local-bridge
  nzbget:
    image: ghcr.io/linuxserver/nzbget
    container_name: nzbget
    environment:
      - PUID=1001
      - PGID=1001
      - UMASK=022
      - TZ=America/Montreal
    volumes:
      - /home/docker/volumes/nzbGet:/config
      - /mnt/nas/downloads:/downloads
    restart: unless-stopped
    network_mode: service:nordlynx
    depends_on:
      - nordlynx
networks:
  local-bridge:
    external: true
    name: local-bridge
```
Expected behavior
Was working until Watchtower updated it with image 953d0801081e on the second second of 2025 (00h00.02). Now:
- Nordlynx container returns "unhealthy" on the container.
- NZBGet returns the following tens of times a minute, had to stop it: Could not resolve hostname news.newsdemon.com: Error -3 - Try again
- Unable to ping 8.8.8.8 from either the nzbGet container or the nordlynx container (console session).
- Unable to resolve news.newsdemon.com from either the nzbGet container or the nordlynx container (console session).
Logs
```
[2025-01-01T16:16:09-05:00] Connecting...
[#]
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.5.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n
[#]
[2025-01-01T16:16:09-05:00] Connected! \(ᵔᵕᵔ)/
[2025-01-01T21:25:27+00:00] Connection summary:
interface: wg0
  public key: +ksi9ChzIUNAkiG/hHym54oT5jA7M5zbkzFaftHNeQg=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: qIhtTW9K4iXWFo5Q4dOPdXg8/xubXr9yEGoN55D8xnA=
  endpoint: 45.88.190.100:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 15.90 KiB sent
  persistent keepalive: every 25 seconds
[#]
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d wg0 -f
s6-rc: fatal: unable to take locks: Resource busy
[#] iptables-restore -n
[#]
```
Additional context
- Executed the procedure to generate a new api token from nordVPN and updated the stack, no change.
- Destroyed the nordlynx and nzbget containers and recreated the stack.
Same issue as well.
Watchtower updated it to image 953d0801081e this night, no changes.
Also having this issue, however it was resulting in leaked traffic, which I thought wasn't supposed to be possible. Despite the VPN not being up and the container being unhealthy as a result, the containers I had set for their networking to go through the VPN container still leaked traffic.
Not sure this is due to this package. Specified "ghcr.io/bubuntux/nordlynx:2024-12-03" for the image and the problem is still there. Sadly, not much information from the log as it says "Connected! (ᵔᵕᵔ)/" but the container state is "unhealthy". Maybe there has been a breaking change from NordVPN that must be implemented in the nordlynx package. I will post details here if I find something.
That's certainly odd, because switching to the 2024-12-03 image resolves the issue for me. Under the hood nordlynx is literally just standard wireguard with mostly just some fancy marketing on top. There's plenty of ways out there to grab your private key and just toss it in any old wireguard client and have it work.
You are correct. One of the things I tried to correct the problem was still there. I restored the original configuration and it works with the 2024-12-03 version of the container. I will wait for a notification that the problem is solved to try it, I am available as a tester.
Same problem. Unfortunately my setup pulls latest every time I reboot my K8s nodes, so this broke everything for me. Quick link to available tags: https://github.com/bubuntux/nordlynx/pkgs/container/nordlynx
On recommendation from @sbeaudoin I switched to 2024-12-03 and it does not appear to log in.
```yaml
containers:
  - name: vpn
    image: ghcr.io/bubuntux/nordlynx:2024-12-03
    securityContext:
      capabilities:
        add:
          - NET_ADMIN
    envFrom:
      - secretRef:
          name: vpn-secrets
    env:
      - name: CONNECT
        value: "United_States"
      - name: TECHNOLOGY
        value: "NordLynx"
      - name: NETWORK
        value: "10.0.0.0/8"
    ports:
      - containerPort: 1080
      - containerPort: 9091
      - containerPort: 24549
```
The image tag that did work with this setup is 2023-06-01. It logs into NordVPN. Bizarrely, internet connectivity is gone. No changes to anything else.
I am starting to suspect this is actually an upstream problem at NordVPN or WireGuard if old images stopped working.
Another way is to turn off ipv6 and that fixes it
Looks like it's also broken for me. It worked before Christmas but now does not seem to. Looks like we will need to wait on a fix from the dev.
Oddly, when I try to run the get_private_key command (as I thought a new token might be the issue), it states:
Waiting for daemon to start up... It's not you, it's us. We're having trouble reaching our servers. If the issue persists, please contact our customer support. Invalid token. ¯_(ツ)_/¯
yet the token is newly created. Maybe something has changed with the NordVPN API or something.
Troubleshooting on 2023-01-01:
I see earlier in logs the endpoint I connected to in NordVPN, 64.44.80.123:51820
```
# wg show
interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 51820
  fwmark: xxxx

peer: fjj2388fj32f94
  endpoint: 0.0.0.0:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 6.79 KiB sent
  persistent keepalive: every 25 seconds
# wg set wg0 peer fjj2388fj32f94 endpoint 64.44.80.123:51820
```
Then I get connectivity. So something is not setting the wireguard peer correctly. This behavior is different despite using identical configuration as I was running it years ago. No idea why.
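A health check for the failure described above, as an added example that is not part of the original comment or of the nordlynx project: it reads `wg show wg0 dump` output and fails when a peer's endpoint is unset or no handshake has completed, the two states seen in this thread where the tunnel sent data but received 0 B. The sample dump lines, placeholder keys, byte counts and the 180-second staleness threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify a WireGuard tunnel from `wg show <iface> dump` text on stdin.
# Peer line fields (tab-separated): public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), transfer-rx, transfer-tx, keepalive.
# $1 = current epoch time (default: now), $2 = max handshake age in seconds (assumed 180).
# Typical use inside the VPN container: wg show wg0 dump | check_wg_dump
check_wg_dump() {
  awk -F'\t' -v now="${1:-$(date +%s)}" -v max_age="${2:-180}" '
    NR == 1 { next }                      # first line describes the interface itself
    {
      peers++
      key = $1; endpoint = $3; handshake = $5 + 0; rx = $6 + 0; tx = $7 + 0
      if (endpoint == "(none)" || endpoint ~ /^0\.0\.0\.0:/) {
        print "FAIL endpoint-unset " key; bad++
      } else if (handshake == 0) {
        print "FAIL no-handshake " key " rx=" rx " tx=" tx; bad++
      } else if (now - handshake > max_age) {
        print "FAIL stale-handshake " key; bad++
      } else {
        print "OK " key
      }
    }
    END {
      if (peers == 0) { print "FAIL no-peers"; exit 1 }
      exit (bad > 0 ? 1 : 0)              # non-zero exit marks the tunnel unhealthy
    }'
}

# Constructed samples (placeholder keys, not real ones).
# Peer endpoint never set, matching the 0.0.0.0:51820 endpoint quoted above.
sample_endpoint_unset() {
  printf 'PRIV\tPUB\t51820\t0xca6c\n'
  printf 'PEERKEY\t(none)\t0.0.0.0:51820\t0.0.0.0/0\t0\t0\t6953\t25\n'
}
# Endpoint set but no handshake: data sent, nothing received.
sample_no_handshake() {
  printf 'PRIV\tPUB\t51820\t0xca6c\n'
  printf 'PEERKEY\t(none)\t45.88.190.100:51820\t0.0.0.0/0\t0\t0\t16282\t25\n'
}
# Healthy tunnel: handshake 30 seconds before the reference time 1735766169.
sample_healthy() {
  printf 'PRIV\tPUB\t51820\t0xca6c\n'
  printf 'PEERKEY\t(none)\t45.88.190.100:51820\t0.0.0.0/0\t1735766139\t9000\t16282\t25\n'
}
```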
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
It is stale because there is nothing done to correct it.
As explained in this comment, I updated this image some time ago with a new fork of the upstream linuxserver/wireguard repo.
Here is my fork, in case it can help anyone else: arkandias/docker-nordlynx. It's been working very well for me (and others) since then.
P.S. Not trying to hijack this repo. Most of the credit goes to @bubuntux for his work, but since there are several issues without any updates I thought it might be helpful to link mine.