For a while now we have had IKEv2 working fine with different VPN providers, and the new kid on the block is WireGuard, which NordVPN calls NordLynx. They are using a double NAT to obfuscate your IP address. So far so good.
Thanks to this post and the posts following it, I also got it working on ROS v7, which supports WireGuard.
http://forum.mikrotik.com/t/v7-1beta6-development-is-released/149195/278
After a few hiccups I now have the promised speed and can select which traffic enters the WireGuard tunnel. I still have to first use the NordLynx client on a Linux system to jump-start the connection, and I can then take that connection over with my router by ending the jump-start connection. If this is possible in another way, then please let me know.
You need to set up two keys: the private key and the peer key (the public key in the WireGuard peer tab). The public key in the peer (peer-public key) is different for every country, so you have to keep those apart.
When you jump-start the connection you can see it with the command wg show on the Linux system.
I still do not get the routing rule:
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.0.0.0/24 src-address=10.0.0.0/24 table=main
I am using SRC-NAT to get traffic to the 10.5.0.2 address of the connection and that works for me now, but I assume there is a better way, because there is also a router mark via-wg, but neither my router nor the internal network uses that network range.
If you are working on your Linux system through SSH, then you will lock yourself out when the VPN connection is active. To avoid this you can whitelist SSH and your internal network:
Whitelisted ports: 22 (UDP|TCP)
Whitelisted subnets: 192.168.88.0/24
nordvpn whitelist add port 22
nordvpn whitelist add subnet 192.168.88.0/24
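
The key hand-over described above, as an added example that is not part of the original post and is not MikroTik or NordVPN code: a shell function that reads `wg showconf` output from the jump-started Linux connection and prints the matching RouterOS v7 commands. Assumptions: the Linux interface is named nordlynx, the RouterOS interface name wg-nord and the /32 prefix are chosen here, there is a single peer, and the sample keys and endpoint are constructed.

```shell
#!/bin/sh
# Added example: turn `wg showconf` output (stdin) into RouterOS v7 commands.
# The output contains the WireGuard private key: treat it as a secret.
wg_to_ros() {
    # $1 = RouterOS interface name (assumed default: wg-nord)
    awk -v ifname="${1:-wg-nord}" '
    /^\[Interface\]/ { section = "if";   next }
    /^\[Peer\]/      { section = "peer"; next }
    {
        # Split on the first " = " only; base64 keys themselves end in "=".
        pos = index($0, " = ")
        if (pos == 0) next
        conf[section "." substr($0, 1, pos - 1)] = substr($0, pos + 3)
    }
    END {
        priv = conf["if.PrivateKey"]; pub = conf["peer.PublicKey"]
        ep = conf["peer.Endpoint"]
        allowed = conf["peer.AllowedIPs"]; gsub(/ /, "", allowed)
        if (priv == "" || pub == "" || ep == "" || allowed == "") exit 1
        port = ep; sub(/^.*:/, "", port)          # text after the last colon
        host = substr(ep, 1, length(ep) - length(port) - 1)
        gsub(/\[/, "", host); gsub(/\]/, "", host) # strip IPv6 brackets
        ka = conf["peer.PersistentKeepalive"]
        printf "/interface wireguard add name=%s private-key=\"%s\"\n", ifname, priv
        printf "/interface wireguard peers add interface=%s public-key=\"%s\"", ifname, pub
        printf " endpoint-address=%s endpoint-port=%s allowed-address=%s", host, port, allowed
        if (ka != "" && ka != "off") printf " persistent-keepalive=%ss", ka
        printf "\n"
        # 10.5.0.2 is the tunnel address from the post; the /32 is an assumption.
        printf "/ip address add address=10.5.0.2/32 interface=%s\n", ifname
    }' || { echo "wg_to_ros: required field missing in input" >&2; return 1; }
}

# Constructed sample of `wg showconf nordlynx` output; keys and endpoint are not real.
sample_conf() {
    cat <<'EOF'
[Interface]
ListenPort = 51820
PrivateKey = CONSTRUCTEDprivateKEYnotREAL0000000000000000=

[Peer]
PublicKey = CONSTRUCTEDpeerPUBLICkeyNOTreal0000000000000=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25
EOF
}

sample_conf | wg_to_ros wg-nord
```

Against the live jump-start connection the input would come from `sudo wg showconf nordlynx`, since plain `wg show` prints the private key as (hidden). The peer public key and endpoint change per server, so regenerate the peer line when switching country.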