NordVPN Gateway is a tool that turns your server into a gateway, placing a NordVPN connection behind different channels such as standalone Shadowsocks, Outline and/or Cloudflare Zero Trust. It is useful when you cannot access NordVPN directly or do not have a stable connection, but still want its protection, including hiding your IP address and other features.
There are three channels that can be used individually or jointly to access the gateway from your devices:
| Channel | Difficulty | Access control | Public access to a server | Requirements |
|---|---|---|---|---|
| Shadowsocks (traffic masking available) | Low | Shared key | Required by a domain or IP | Install Outline Client App |
| Shadowsocks-over-WebSockets | Normal | Shared key | Required by a domain only | Install Outline Client App |
| Shadowsocks with Outline VPN | Normal | Personal keys | Required by a domain or IP | Install Outline Client App and Outline Manager |
| Cloudflare Zero Trust | High | Advanced | Not required | Get a free account for Cloudflare Zero Trust and install Cloudflare One |
If your server has an ARM processor, you should not choose Outline VPN as a channel during installation because vanilla Outline VPN does not support ARM processors. Other channels work perfectly with ARM processors.
1. Make some preparations:
   - Buy a subscription for NordVPN.
   - Fulfill the requirements for one or several channels specified in the right column of the table above.
   - Create a new server based on Ubuntu using DigitalOcean or another similar service.

2. Connect to the server via SSH and log in as root if needed:

   ```bash
   sudo --login
   ```

3. If you have no way to reboot the server other than over SSH, it is strongly recommended to enable a periodic reboot, because NordVPN may hang and block access to the server via SSH until reboot (this has happened a couple of times on ARM processors). For example, the command below schedules a reboot every Sunday at 12:00 AM:

   ```bash
   (crontab -l 2>/dev/null; echo "@weekly /usr/sbin/reboot --force --force >/dev/null 2>&1") | crontab -
   ```

4. Upgrade the server:

   ```bash
   apt update && apt upgrade -y
   ```

5. Configure the server and follow further instructions:

   ```bash
   bash -c "$(curl -sSL https://github.com/give-me/vpn/raw/master/install.sh)"
   ```
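
The install command above runs, as root, whatever the URL returns at that moment. The following is an added example, not part of the project's instructions: it downloads the installer to a file and runs it only if its SHA-256 matches a value you recorded after reading the script. The function names and the pin value are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the project): download, compare with a pinned
# SHA-256, and only then execute. Nothing runs until fetch_and_run is called.

INSTALLER_URL="https://github.com/give-me/vpn/raw/master/install.sh"
PINNED_SHA256="<sha256-you-recorded-after-review>"   # placeholder, not a real hash

# verify_pinned FILE EXPECTED_SHA256
# returns 0 on match, 1 on mismatch, 2 if the file is missing or empty
verify_pinned() {
    vp_file=$1
    vp_expected=$2
    if [ ! -s "$vp_file" ]; then
        echo "missing or empty file: $vp_file" >&2
        return 2
    fi
    vp_actual=$(sha256sum "$vp_file" | awk '{print $1}')
    if [ "$vp_actual" != "$vp_expected" ]; then
        echo "hash mismatch: got $vp_actual, expected $vp_expected" >&2
        return 1
    fi
    return 0
}

# fetch_and_run EXPECTED_SHA256
fetch_and_run() {
    fr_expected=$1
    fr_tmp=$(mktemp) || return 2
    # --fail turns HTTP errors into a non-zero exit instead of saving an
    # error page; --proto '=https' refuses a redirect to plain HTTP.
    if ! curl --fail -sSL --proto '=https' -o "$fr_tmp" "$INSTALLER_URL"; then
        rm -f "$fr_tmp"
        return 2
    fi
    fr_rc=0
    verify_pinned "$fr_tmp" "$fr_expected" && bash "$fr_tmp" || fr_rc=$?
    rm -f "$fr_tmp"
    return "$fr_rc"
}

# Usage, after reviewing the script and recording its hash:
#   fetch_and_run "$PINNED_SHA256"
```

A mismatch means the script on the `master` branch has changed since you reviewed it; read the new version before updating the pin.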
After you follow the instructions above, the channels you configured start automatically. After each reboot of the server, cron automatically runs the script `/opt/vpn-gateway/bin/gateway.sh`, which configures the server, connects the VPN and checks its health periodically. If the connection is lost, the script tries to reconnect the VPN and reboots the server if the attempts fail.
The file structure created by this tool during installation or use is as follows:

```
/
├── opt/
│   └── vpn-gateway/
│       ├── settings/ (a place to store channels' settings)
│       ├── data/ (a place to store channels' data)
│       ├── bin/
│       │   ├── gateway.sh (a task to start the gateway)
│       │   ├── reinstall.sh (a task to reinstall this tool)
│       │   └── uninstall.sh (a task to uninstall this tool)
│       └── guide.txt (instructions generated by this tool)
└── var/
    └── log/
        └── vpn-gateway.log (this tool logs events here)
```
A detailed scheme of traffic routing between your device and the Internet for each of the channels is shown below:

```mermaid
flowchart LR
    Y --Shadowsocks--> SS --Shadowsocks--> VC
    Y --Shadowsocks-over-WebSockets--> WS --Shadowsocks-over-WebSockets--> VC
    Y --Shadowsocks with Outline VPN--> SO --Shadowsocks with Outline VPN--> VC
    Y --Cloudflare--> CN --Cloudflare--> VN --Cloudflare--> VC --Cloudflare--> CC --Cloudflare--> VC
    VC --All the channels--> VN ---> I
    Y[Your device]
    VN[NordVPN network]
    CN[Cloudflare network]
    I[Internet]
    subgraph Your server
        SS[Shadowsocks container]
        WS[Caddy container]
        SO[Outline container]
        CC[Cloudflared container]
        VC[NordVPN client]
    end
```
It is important to note that whereas all the channels except Cloudflare Zero Trust require the server to be publicly accessible to establish connections from your devices to the gateway, the Cloudflare Zero Trust channel can work with any server, even a virtual server running locally and inaccessible from the outside.
While your computer is connected to the VPN provided by this tool, it is impossible to connect to the server (e.g. via SSH or with Outline Manager) because of strict firewall rules. Disconnect from the VPN before making such connections.
Instructions generated by this tool can be retrieved at any time by running `cat /opt/vpn-gateway/guide.txt`. Important events and useful recommendations for cases of lost authorization and other problems are available in the log, which you can follow by running `tail -f /var/log/vpn-gateway.log`. Open ports used by this tool can be found by running `ss --processes --listening --tcp`.
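
To review exposure after installation, the `ss` output can be narrowed to listeners bound to non-loopback addresses, which are the ones reachable from outside subject to the firewall rules. This is an added example, not part of the tool; the function names and the sample output (addresses, ports, process names) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the project). Reads the output of
# `ss --processes --listening --tcp` on stdin and prints
# "address port process" for every socket not bound to loopback.
public_listeners() {
    awk '
    $1 == "LISTEN" {
        port = $4
        sub(/.*:/, "", port)                     # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        gsub(/^\[|\]$/, "", addr)                # [::] -> ::
        sub(/%.*/, "", addr)                     # 127.0.0.53%lo -> 127.0.0.53
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        proc = "-"                               # no Process column without root
        if (NF >= 6) { proc = $6; for (i = 7; i <= NF; i++) proc = proc " " $i }
        print addr, port, proc
    }'
}

# Constructed sample in the column layout ss prints; not captured from a
# real gateway. Ports appear as service names because the command above
# does not pass --numeric.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:domain  0.0.0.0:*          users:(("systemd-resolve",pid=512,fd=14))
LISTEN  0       128     0.0.0.0:ssh           0.0.0.0:*          users:(("sshd",pid=801,fd=3))
LISTEN  0       4096    *:8388                *:*                users:(("docker-proxy",pid=1500,fd=4))
LISTEN  0       4096    127.0.0.1:8080        0.0.0.0:*          users:(("caddy",pid=1700,fd=7))
LISTEN  0       4096    [::]:https            [::]:*             users:(("docker-proxy",pid=1620,fd=4))
EOF
}

# On the server:  ss --processes --listening --tcp | public_listeners
# Offline demo:   sample_ss_output | public_listeners
```

Each line it prints should correspond to a channel you chose during installation or to SSH; anything else is worth investigating.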
To reconfigure the gateway without updating this tool, run `/opt/vpn-gateway/bin/reinstall.sh` as root. To reconfigure the gateway and update this tool to the latest version, repeat the 2nd and 5th steps of the installation guide. Shadowsocks and Cloudflared are upgraded during either kind of reconfiguration.
To uninstall this tool, run `/opt/vpn-gateway/bin/uninstall.sh` as root. In this case, logging out from NordVPN is done with the command `nordvpn logout` instead of `nordvpn logout --persist-token`, so your token will expire regardless of which token you specified (expirable in 30 days or non-expirable).
Additionally, if Cloudflare Zero Trust was configured as a channel, you can delete unnecessary API Tokens created at the request of this tool and available here, because Cloudflare sets a limit on the number of API Tokens.