[HowTo] Permanent NordVPN tunnel on OSMC



I will describe the method I used to permanently have a connection with NordVPN on my Vero4K, but this should work on any OSMC box.
This method determines the best reachable NordVPN server in or near your country and then connects with it during startup of your machine. When the tunnel is closed for any reason, it will be automatically re-connected, again by first determining the best reachable NordVPN server available. NordVPN’s DNS servers are used by default and DNS queries are sent through the VPN Tunnel to prevent DNS leaking.
All this functionality is actually provided by openpyn and this how-to will describe how to install it on OSMC.

In my opinion, this is the most family-friendly solution, as the VPN is managed completely automatically and transparently, without the need for users to manually start tinkering in an openvpn manager inside Kodi. The only disadvantage that I see is that you also don’t have a status of the connection inside Kodi…

Installation

  • Open an SSH connection to your OSMC box.
  • Install dependencies: sudo apt install openvpn unzip wget python3-setuptools python3-pip
  • Install python wheel, required for the openpyn install: sudo python3 -m pip install wheel --upgrade
  • Install openpyn: sudo python3 -m pip install openpyn --upgrade
  • Execute the openpyn initialization (this will request your NordVPN credentials and store them, download the ovpn config files and install a systemd service): sudo openpyn --init
  • For fast ping tests of the NordVPN servers you will need a version of ping that supports -n and -i: sudo apt install iputils-ping
  • Enable the system service to start on boot: sudo systemctl enable openpyn
  • Start the VPN: sudo systemctl start openpyn

Support for downloading torrents
If you will be downloading torrents on your OSMC box, you need to connect to a NordVPN server that actually allows that; otherwise you will be kicked from the server and lose your connection all the time.
Edit /etc/systemd/system/openpyn.service and change the line

ExecStart=/usr/local/bin/openpyn --silent

into

ExecStart=/usr/local/bin/openpyn --p2p --silent

Disable NordVPN DNS
Openpyn will also automatically start using the NordVPN DNS servers, through the tunnel, to prevent DNS leaking. This is a good thing, and you should skip this step if you don’t have an internal DNS server in your network. However, if you do have an internal DNS server in your network, you will no longer be able to resolve host names of your internal network.
In that case, make sure your internal DNS server forwards external requests to the NordVPN DNS servers, preferably also through a NordVPN tunnel set up on your DNS server itself, and change /etc/systemd/system/openpyn.service to include the --skip-dns-patch option to prevent openpyn from managing your DNS resolving:

change

ExecStart=/usr/local/bin/openpyn --silent

into

ExecStart=/usr/local/bin/openpyn be --skip-dns-patch --silent

(Of course, if you already added the --p2p option, you should also leave that option there. The be in this line is a country code; use your own.)

KILLSWITCH
Openpyn also has experimental support for a kill switch, meaning that it won’t allow any outgoing traffic when the tunnel goes down. This can be enabled by adding the -f option to the ExecStart line. I don’t use this option myself, so I cannot give any more details about it. See https://github.com/jotyGill/openpyn-nordvpn for more information about the kill switch and how to allow a few ports to be accessed from outside (Kodi web interface, etc.).

Add extra static routes
At this point, all internet traffic should go through the tunnel and any traffic to your internal network (NAS, etc.) should still stay internal. That is, if you only have one subnet: the one your OSMC box is sitting in.
If, however, you have multiple subnets (for example a different subnet for wired and for wireless), you will need to add an extra static route so that traffic for the other subnet is not sent down through the tunnel to be lost forever…
I did this by adding an ExecStartPost and ExecStopPost entry in the /etc/systemd/system/openpyn.service file:

ExecStart=/usr/local/bin/openpyn be --silent
ExecStartPost=/sbin/ip route add 192.168.1.0/24 via 192.168.0.1 dev eth0
ExecStop=/usr/local/bin/openpyn --kill
ExecStopPost=/sbin/ip route del 192.168.1.0/24 via 192.168.0.1 dev eth0

Of course:

  • change 192.168.1.0/24 into the required subnet,
  • change 192.168.0.1 into your default gateway, and
  • change eth0 into the interface your network is connected to.

Check VPN status and logging
You can check the status of the VPN using systemctl status openpyn, and the openvpn logging can be found by running journalctl -u openpyn.

Updating VPN config-files
Once in a while you will probably need to update the NordVPN ovpn config files. This can be done with openpyn --update.
This could be added to a crontab; however, crontab is also not installed by default on OSMC. You are free to experiment with that.
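
For the "Add extra static routes" section above, an added example (not part of the original post and not openpyn code): it applies longest-prefix matching to a constructed routing table to show why a second subnet is routed into the tunnel until the extra route exists. The tun0 name, the two /1 routes (as OpenVPN's redirect-gateway def1 would install them) and every address other than the post's 192.168.x.x values are assumptions.

```python
import ipaddress

# Constructed `ip route show` output, not captured from a real box. Assumes the
# tunnel is tun0 and that OpenVPN added the two /1 routes of redirect-gateway def1.
ROUTES_BEFORE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.50
203.0.113.10 via 192.168.0.1 dev eth0
"""

# The same table after the ExecStartPost line from the how-to has run.
ROUTES_AFTER = ROUTES_BEFORE + "192.168.1.0/24 via 192.168.0.1 dev eth0\n"


def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(prefix, strict=False)
        routes.append((network, fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, destination):
    """Pick the device the kernel would use: the longest matching prefix wins."""
    address = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if address in net]
    if not matches:
        return None
    return max(matches)[1]


def leaks_into_tunnel(route_text, destination, tunnel="tun0"):
    """True if traffic for `destination` would be sent down the tunnel."""
    return egress_device(parse_routes(route_text), destination) == tunnel


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for host in ("192.168.0.20", "192.168.1.20", "198.51.100.7"):
            print(label, host, egress_device(parse_routes(table), host))
```

On a live box, ip route get 192.168.1.20 answers the same question directly from the kernel's routing table.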