problems with nordvpn CLI in debian LXC

chenks

May 19, 2024
i have a strange problem using nordvpn installed within an LXC.

i have a debian 12 LXC with nordvpn linux client installed (command line only).
the problem is that whilst nordvpn connects and works as expected, it only works for around 15-30 minutes then at that point i get zero DNS resolution from within the LXC. the vpn is still connected, and i can still ping any WAN IP address, but any attempt to resolve DNS fails. i disconnect the VPN, reconnect and it's rinse and repeat.
i've tried using nordlynx, openvpn (on both TCP and UDP), tried changing the DNS servers from within the nordvpn client (default to nord's DNS and tried cloudflare 1.1.1.) with no success.
nord support are also scratching their heads at this also.

i've tried this in 3 separate debian LXCs and all do the same.

as nordvpn works fine on my other devices on the same LAN (windows laptop, mobile devices etc), i can only assume it's something wrong at the proxmox end.

any ideas?

current LXC is debian 12 (unprivileged), fully up to date. LXC has reserved DHCP IP, and LAN DNS is the local router (with the router using cloudflare as DNS).

below shows the current status of the vpn connection.
root@debtest:~# nordvpn status
Status: Connected
Server: United Kingdom #2189
Hostname: uk2189.nordvpn.com
IP: 194.35.233.88
Country: United Kingdom
City: London
Current technology: OPENVPN
Current protocol: TCP
Post-quantum VPN: Disabled
Transfer: 82.05 KiB received, 91.63 KiB sent
Uptime: 3 hours 49 minutes 32 seconds

root@debtest:~# nordvpn settings
Technology: OPENVPN
Protocol: TCP
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: disabled
Kill Switch: enabled
Threat Protection Lite: disabled
Obfuscate: enabled
Notify: enabled
Tray: enabled
Auto-connect: enabled
IPv6: disabled
Meshnet: disabled
DNS: 103.86.96.100, 103.86.99.100
LAN Discovery: disabled
Virtual Location: enabled
Allowlisted subnets:
192.168.50.1/24

root@debtest:~# curl https://api.ipify.org
curl: (6) Could not resolve host: api.ipify.org

root@debtest:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=21.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=23.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=21.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=57 time=26.8 ms

root@debtest:~# ping google.com
ping: google.com: Temporary failure in name resolution

LXC conf
arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: debtest
memory: 1024
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:9B:75:D4,ip=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-113-disk-0,size=8G
swap: 512
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
 
I think I have a similar problem. I am running 2 adguard home LXCs on different proxmox nodes for resolving DNS requests. DNS requests from clients outside proxmox work perfectly; the names are resolved. DNS requests from clients on proxmox LXCs do not always get resolved, and I get a Temporary failure in name resolution. It seems to flip now and then. I checked the connectivity from the lxc clients to the adguard DNS with ping, and they were positive: the connectivity was not the problem.
These problems started some weeks ago. Before that it worked perfectly. 2 major things changed in my setup: the bind9 upgrade was installed on proxmox and I upgraded my access points to openwrt 24.10. I don't think the latter is the problem.
I tend to think it is bind9 and ipv6 related, but I am not sure.

I also found the following link describing the same problem: https://serverfault.com/questions/1172551/dns-suddenly-not-working-in-my-proxmox-containers

Did you find a solution?
 
not sure if your problem is the same as mine.

however what i have found is that when the VPN is first connected /etc/resolv.conf correctly shows the DNS from the VPN
root@debtest:~# cat /etc/resolv.conf
nameserver 103.86.96.100
nameserver 103.86.99.100

after a period of time, checking /etc/resolv.conf again shows that the DNS has reverted back to the local DNS
root@debtest:~# cat /etc/resolv.conf
domain chenks.lan
search chenks.lan
nameserver 192.168.50.1

hence why any DNS resolution fails because the VPN is correctly blocking access to it.

now, my LXCs were configured for DHCP (albeit reserved DHCP at router level so they always get the same LAN IP).
when i changed the LXCs over to static IP configured from within the LXC network settings the problem went away.

so i can only assume that, for some reason, the DNS server on the LXC was being overwritten via the DHCP assignment.
why? I'm not sure as surely the vpn client should work correctly regardless of whether the LXC (or whatever it is) is using DHCP or not.

what i can say, though, is that since changing the LXCs to static IP i've not had any further drops in the VPN connection.
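
The resolv.conf reversion described in the post above can be caught with a small check; this is an added example, not part of the original thread. It compares the nameservers in a resolv.conf file with the `DNS:` line of saved `nordvpn settings` output; the function names, file names and temp directory are assumptions, and the sample files reproduce the values quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag /etc/resolv.conf drifting away
# from the DNS servers shown by `nordvpn settings`.

# Nameserver addresses in a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort -u
}

# Servers from the "DNS: a, b" line of saved `nordvpn settings` output.
# Prints nothing when the line reads "DNS: disabled".
vpn_dns_servers() {
    sed -n 's/^DNS: *//p' "$1" | tr ',' '\n' | tr -d ' ' |
        grep -v -e '^disabled$' -e '^$' | sort -u
}

# 0 = every resolver is a VPN resolver; 1 = drift; 2 = nothing to compare.
check_dns_drift() {
    expected=$(vpn_dns_servers "$2")
    actual=$(resolv_nameservers "$1")
    [ -n "$expected" ] && [ -n "$actual" ] || return 2
    for ns in $actual; do
        if ! printf '%s\n' "$expected" | grep -qxF -- "$ns"; then
            echo "drift: $ns is not a VPN resolver" >&2
            return 1
        fi
    done
    return 0
}

# Sample files reproducing the two resolv.conf states quoted in the thread.
# File names and the temp dir are assumptions of this example.
SAMPLES=$(mktemp -d)
printf 'DNS: 103.86.96.100, 103.86.99.100\n' > "$SAMPLES/settings"
printf 'nameserver 103.86.96.100\nnameserver 103.86.99.100\n' > "$SAMPLES/resolv.ok"
printf 'domain chenks.lan\nsearch chenks.lan\nnameserver 192.168.50.1\n' > "$SAMPLES/resolv.reverted"

for f in resolv.ok resolv.reverted; do
    if check_dns_drift "$SAMPLES/$f" "$SAMPLES/settings"; then
        echo "$f: resolvers match VPN DNS"
    else
        echo "$f: resolvers differ from VPN DNS"
    fi
done
```

On a container, pass `/etc/resolv.conf` and a file holding the output of `nordvpn settings`; running it periodically shows when the file was rewritten.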
 
I am also not sure if this is related. In my case enabling the IPv6 DHCP functionality for the LXC caused the /etc/resolv.conf of the LXC container to be overwritten with the wrong settings. Reverting this to IPv6 static without an IPv6 address solved the problem.
 
i already have IPv6 disabled so that's not the case for me.
i am not serving IPv6 from my router, and my ISP also doesn't.

it is already set to "static" with no info entered.
 
Please help with my LXC (Ubuntu 24.04.2 LTS).
After connecting to NordVPN, the internet connection is disconnected.

Code:
root@Ubuntu:~# nordvpn c de
Connecting to Germany #1225 (de1225.nordvpn.com)
You are connected to Germany #1225 (de1225.nordvpn.com)!

root@Ubuntu:~# ping google.com
ping: google.com: Temporary failure in name resolution

root@Ubuntu:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=18.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=17.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=17.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=119 time=17.5 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=119 time=17.4 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 17.407/17.797/18.868/0.541 ms

my network settings
Code:
root@Ubuntu:~# cat /etc/resolv.conf
# --- BEGIN PVE ---
search fritz.box
nameserver 192.168.178.36
nameserver 192.168.178.1
# --- END PVE ---

root@Ubuntu:~# ip route
default via 192.168.178.1 dev eth0 proto static
10.0.0.0/10 dev nordlynx proto kernel scope link src 10.5.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.71

nordvpn settings
Code:
root@Ubuntu:~# nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: enabled
Tray: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
Virtual Location: enabled
Post-quantum VPN: disabled
Allowlisted subnets:
        192.168.178.0/24
        127.0.0.1/8
        172.17.0.0/16