Update 2021-03-11: Please note, to connect to our servers using the method explained in this article, you will now need to use the NordVPN service credentials, instead of the regular e-mail/password. You may find further explanation below in the article.
The setup:
1. Make sure you have all the required dependencies on your device. To do this, run the following command:
sudo apt-get update && sudo apt-get upgrade
2. Next, get the following packages:
sudo apt-get install strongswan libcharon-extra-plugins libcharon-standard-plugins
Note: For Arch-based distributions and others, you might not have libcharon packages, as they are in the strongswan package. Simply run: pacman -S strongswan and that should be enough.
3. Open ipsec.secrets
(Please note: copy-pasting the command may lead to issues. It is best to type it out by hand.)
sudo nano /etc/ipsec.secrets
4. Now, replace the Username and password fields with your NordVPN service username and service password, found as described below.
You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard. Copy the credentials using the Copy buttons on the right.
Your password must be wrapped inside double-quotes. Also, notice the spaces after Username, “:” and EAP.
To save the changes, press CTRL+O, and then exit the nano editor by pressing CTRL+X.
5. Once again, use your preferred text editor to open the /etc/ipsec.conf file. Do not forget root privileges, since the file is write-protected from anyone except root.
sudo nano /etc/ipsec.conf
6. Copy-paste this into the config:
conn NordVPN
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    eap_identity="USERNAME"
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=SERVER_IP
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%SERVER_HOSTNAME
    rightca=/etc/ipsec.d/cacerts/NordVPN.pem
    type=tunnel
    auto=add
Change USERNAME to your NordVPN service username from above, SERVER_IP to the IP from the list of servers below, for example 172.105.20.56, and SERVER_HOSTNAME to the hostname of the server from the list below:
8. Open the /etc/strongswan.d/charon/constraints.conf file.
sudo nano /etc/strongswan.d/charon/constraints.conf
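Inside the file, change load = yes to load = no. This stops strongSwan from loading its constraints plugin, which performs additional X.509 certificate constraint checks, so keep the change limited to this file.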
9. Download the NordVPN RSA certificate.
sudo wget https://downloads.nordcdn.com/certificates/root.pem -O /etc/ipsec.d/cacerts/NordVPN.pem
10. Now let’s restart ipsec in order to reload all configuration files.
sudo ipsec restart
If you’ve made any typos in the /etc/ipsec.conf file, you’ll be notified when the service starts.
11. After it’s done, you can connect by launching this command:
sudo ipsec up NordVPN
This command should show the output “Connection NordVPN has been established successfully”.
12. To disconnect, simply type:
sudo ipsec down NordVPN
Changing the server:
1. Edit the file /etc/ipsec.conf:
sudo nano /etc/ipsec.conf
2. Change the right and rightid fields to the values that correspond to a different server and save the file. For example:
right=45.79.113.73
rightid=us5733.nordvpn.com
3. Run the commands:
sudo ipsec restart
sudo ipsec up NordVPN
Common errors and their solutions:
No config named 'NordVPN':
If you receive the No config named 'NordVPN' error after running the ipsec up NordVPN command, please refer to this article.
Error "generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]":
1. Run the command:
sudo rm /etc/ipsec.sec*
2. Create a new ipsec.secrets file using the command:
sudo nano /etc/ipsec.secrets
3. Enter the credentials as described in step 4 of the main guide, and save the file.
4. Run the commands:
sudo ipsec restart
sudo ipsec up NordVPN
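A pre-flight check for the AUTH_FAILED case above and for step 4 of the main guide, added here as an example and not part of NordVPN's own instructions: it confirms that the eap_identity in ipsec.conf has a matching, correctly spaced and quoted EAP line in ipsec.secrets, and that the secrets file is closed to group and other users. The function names are hypothetical, and the secrets layout USERNAME : EAP "PASSWORD" is an assumption based on strongSwan's ipsec.secrets syntax and the spacing rules described in step 4.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the EAP credentials.
# Assumed secrets layout (strongSwan ipsec.secrets syntax): USERNAME : EAP "PASSWORD"

# Print the eap_identity value from an ipsec.conf-style file, without quotes.
eap_identity() {
    sed -n 's/^[[:space:]]*eap_identity[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Return 0 when SECRETS has a well-formed EAP line for the identity in CONF
# and no group/other permission bits; otherwise explain on stderr and return 1.
check_eap_setup() {
    conf=$1 secrets=$2 rc=0
    id=$(eap_identity "$conf")
    if [ -z "$id" ] || [ "$id" = "USERNAME" ]; then
        echo "eap_identity is unset or still the USERNAME placeholder" >&2
        return 1
    fi
    # Field 1 must equal the identity exactly, followed by ':' and 'EAP' as
    # separate fields (the spaces matter), then a double-quoted password.
    if ! ID="$id" awk '
        ($1 "") == (ENVIRON["ID"] "") && $2 == ":" && $3 == "EAP" &&
            $0 ~ /EAP[ \t]+"[^"]+"[ \t]*$/ { ok = 1 }
        END { exit !ok }' "$secrets"; then
        echo "no line of the form: $id : EAP \"PASSWORD\" in $secrets" >&2
        rc=1
    fi
    # The file holds a cleartext password: characters 5-10 of the ls mode
    # string are the group and other bits and must all be '-'.
    case $(ls -ld -- "$secrets" | cut -c5-10) in
        ------) ;;
        *) echo "$secrets is accessible to group/others; run: chmod 600 $secrets" >&2
           rc=1 ;;
    esac
    return $rc
}

# Usage (as root): check_eap_setup /etc/ipsec.conf /etc/ipsec.secrets
```

Source the file and run the check with root privileges before sudo ipsec restart; a non-zero return with a message on stderr points at the line or permission to fix.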