
Meshnet

Discord


This (Docker) container provides the official NordVPN client configured for Meshnet VPN usage. Easily deploy fully configurable Meshnet nodes that automatically join your Meshnet network. This project is not a supported/official container image by NordVPN and is in no way endorsed by the company NordVPN.

Note: I've created this container for my personal needs, which is to run Meshnet nodes at different locations to be used as outgoing gateways. If you have another use for this container, feel free to let me know or help add functionality if what you are trying to do doesn't work as expected.

General Meshnet information

Meshnet is a free self-hosted VPN network connecting multiple nodes together. Its functionality, provided with the NordVPN application, is available on most platforms, including Android/Google TV. This could potentially make for an excellent Netflix password sharing workaround and viewing your own country's content when abroad, but obviously I would never recommend to do anything against the rules now would I. Read more about Meshnet over here: https://meshnet.nordvpn.com/

Installation and configuration

Deploying this container is quite easy, as it does not require specific inbound ports to function as a gateway node: the initial traffic is outgoing. Other uses may require different configurations.

Preparations

A (free) NordVPN account is required to enable Meshnet and use the services. This container requires an Access token to log the NordVPN client in. Follow these steps to generate a new Access token:

  • Login to https://my.nordaccount.com/
  • Scroll down to "NordVPN Meshnet Free"
  • Click "View details"
  • Scroll down to "Manual setup"
  • Press the "Setup NordVPN manually" button
  • Enter the verification code from e-mail
  • Scroll down to "Access token"
  • Press the "Generate new token" button
  • Set the desired time to live

iptables requirement

The NordVPN client makes use of iptables to route and block traffic. The underlying host OS is required to have the iptables libraries installed before this container can enable Meshnet. In addition to the base iptables functionality, it also requires several iptables kernel modules.

Environment variables

A .env file is supplied with the docker-compose.yml file for configuration purposes; this file already contains extensive comments. A configMap is supplied for Kubernetes deployments.

General config

  • NORDVPN_TOKEN - Supply your Access token to be able to log in. If you want to use a file or secret instead, leave this ENV blank or comment it out.
  • NORDVPN_TOKENFILE - Load the Access token from a file mounted in the container. Make sure nothing else but the token is inside. Leave this blank, or comment it out, if you are using NORDVPN_TOKEN.
  • NORDVPN_MESHNET_DEBUG - Enable debug mode; any non-empty value will ENABLE it. Use this if you need more verbose error logging for troubleshooting.
  • NORDVPN_HEALTHCHECK_INTERVAL - Set the interval at which connectivity to the configured URL is verified, defaults to 300 (seconds).
  • NORDVPN_HEALTHCHECK_URL - An address used to verify that connectivity is available. Choose something depending on what connectivity you want to verify, defaults to www.google.com. Keep in mind that if the healthcheck fails, the container will be killed.

Meshnet Permissions

In this version of NordVPN, permissions must be configured directly on the client. NordVPN currently ALLOWS all peers connected to Meshnet by default for Fileshare and Remote access services and DENIES Routing and Local network services. Configuring peer permissions through the NordVPN account website is still in development and not currently available.

This container will run DENY configuration first, followed by ALLOW. ALLOW will overwrite the DENY! Entering a peer in both DENY and ALLOW will first DENY the peer and then overwrite it with an ALLOW.

Peers must be entered with their FQDN/Name assigned by Meshnet, comma separated, example: peer-atlas.nord,peer-fuji.nord

  • NORDVPN_DENY_PEER_ROUTING - Block peers from using this node as a router.
  • NORDVPN_DENY_PEER_LOCAL - Block peers from accessing the local network of this node.
  • NORDVPN_DENY_PEER_FILESHARE - Block peers from sharing files with this node.
  • NORDVPN_DENY_PEER_REMOTE - Block peers from remote access to this node.
  • NORDVPN_ALLOW_PEER_ROUTING - Allow peers to use this node as a router.
  • NORDVPN_ALLOW_PEER_LOCAL - Allow peers to access the local network of this node (ROUTING permission required!).
  • NORDVPN_ALLOW_PEER_FILESHARE - Allow peers to share files with this node.
  • NORDVPN_ALLOW_PEER_REMOTE - Allow peers to use remote access on this node.
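The DENY-then-ALLOW ordering described above, written out as an added example script. This is not the project's own entrypoint; it assumes the NordVPN Linux CLI subcommands of the form `nordvpn meshnet peer <routing|local|fileshare|incoming> <allow|deny> <peer>` (with `incoming` being the remote-access service) and, by default, only prints the commands it would run (NORDVPN_BIN defaults to "echo nordvpn"). It also flags the caveat from the list: a peer allowed LOCAL without ROUTING will not get local network access.

```shell
#!/bin/sh
# Added example (not the meshnet project's own entrypoint): apply Meshnet peer
# permissions in the order the README describes, every DENY list first and then
# every ALLOW list, so an ALLOW entry overrides a DENY entry for the same peer.
# Assumption: the NordVPN Linux CLI exposes
#   nordvpn meshnet peer <routing|local|fileshare|incoming> <allow|deny> <peer>
# where "incoming" is the remote-access service. NORDVPN_BIN defaults to
# "echo nordvpn", so by default the script only prints what it would run.
set -eu

NORDVPN_BIN="${NORDVPN_BIN:-echo nordvpn}"

# Turn "peer-atlas.nord, peer-fuji.nord" into one trimmed peer name per line.
split_peers() {
  printf '%s' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' || true
}

# apply_permission <service> <allow|deny> <comma-separated peers>
apply_permission() {
  service="$1"; action="$2"; peers="$3"
  for peer in $(split_peers "$peers"); do
    $NORDVPN_BIN meshnet peer "$service" "$action" "$peer"
  done
}

# A peer allowed LOCAL but not ROUTING cannot reach the local network
# (the README notes ROUTING permission is required), so warn about it.
warn_local_without_routing() {
  for peer in $(split_peers "${NORDVPN_ALLOW_PEER_LOCAL:-}"); do
    if ! split_peers "${NORDVPN_ALLOW_PEER_ROUTING:-}" | grep -qxF -- "$peer"; then
      printf 'warning: %s allowed LOCAL without ROUTING; local access will not work\n' "$peer" >&2
    fi
  done
}

apply_all() {
  # Pass 1: DENY everything listed.
  apply_permission routing   deny  "${NORDVPN_DENY_PEER_ROUTING:-}"
  apply_permission local     deny  "${NORDVPN_DENY_PEER_LOCAL:-}"
  apply_permission fileshare deny  "${NORDVPN_DENY_PEER_FILESHARE:-}"
  apply_permission incoming  deny  "${NORDVPN_DENY_PEER_REMOTE:-}"
  # Pass 2: ALLOW, which overrides any DENY from pass 1 for the same peer.
  apply_permission routing   allow "${NORDVPN_ALLOW_PEER_ROUTING:-}"
  apply_permission local     allow "${NORDVPN_ALLOW_PEER_LOCAL:-}"
  apply_permission fileshare allow "${NORDVPN_ALLOW_PEER_FILESHARE:-}"
  apply_permission incoming  allow "${NORDVPN_ALLOW_PEER_REMOTE:-}"
  warn_local_without_routing
}

# Usage: NORDVPN_DENY_PEER_ROUTING=... NORDVPN_ALLOW_PEER_ROUTING=... sh apply-peers.sh --run
# Set NORDVPN_BIN=nordvpn to execute the commands instead of printing them.
if [ "${1:-}" = "--run" ]; then
  apply_all
fi
```

Because the ALLOW pass runs last, listing the same peer in both a DENY and an ALLOW variable ends with the peer allowed, exactly as the README states; the dry-run output makes that ordering visible before anything is changed on the client.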

Deployment - docker-compose

An example docker-compose.yml has been supplied to easily deploy the Meshnet node. There is one specific piece of configuration, which is the hostname. Without configuring a hostname, every restart of the container will show as a new node within the Meshnet. Having a hostname configured will make sure the node is remembered/recognized.

NordVPN and Meshnet functionality require permissions to create a tunnel interface within the container. The container will require both capabilities NET_ADMIN and NET_RAW.

Make sure you have the .env file next to the docker-compose.yml and run docker-compose up -d to start the container. The node/peer should show up in your Meshnet within a few seconds.

Deployment - Kubernetes

Kubernetes examples are supplied to easily deploy the Meshnet node on a Kubernetes cluster. There are two files, meshnet-deployment.yaml and meshnet-env.yaml. In the meshnet-deployment.yaml, please make sure the hostname is not empty. Without configuring a hostname, every restart of the container will show as a new node within the Meshnet. Having a hostname configured will make sure the node is remembered/recognized.

NordVPN and Meshnet functionality require permissions to create a tunnel interface within the container. The container will require both capabilities NET_ADMIN and NET_RAW.

Make sure you have the meshnet-env.yaml file configured and run kubectl apply -f <meshnet_folder> -n <namespace> to start the container. The node/peer should show up in your Meshnet within a few seconds.

ARM64

Next to the default AMD64 platform this container is also built for ARM64. This allows for easy deployment on Ampere-based K8s nodes or VMs in, for example, the Free-Tier Oracle Cloud Infrastructure. At this moment, specific OKE images seem to be missing some iptables modules; running sudo modprobe iptable_filter on your worker nodes will fix this.
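Both the iptables requirement section and the OKE note above come down to the same pre-flight check: are the iptables kernel modules the client needs actually loaded on the host? The following is an added example script, not part of the meshnet project, that reads a file in /proc/modules layout and reports which required modules are absent. The list of required modules is an input; the README only names iptable_filter, so that is the only module used as a default here. The sample modules file is constructed.

```shell
#!/bin/sh
# Added example, not part of the meshnet project: check whether the iptables kernel
# modules the NordVPN client needs are loaded on the host before starting the container.
# Assumptions: module names are read from a file in /proc/modules format (first field is
# the module name), and the list of required modules is supplied by the caller. The README
# only names iptable_filter (the module the OKE note loads with modprobe).
set -eu

# missing_modules <modules-file> <module>...
# Prints each required module not present in the file; returns 1 if any is missing.
missing_modules() {
  modfile="$1"; shift
  rc=0
  for m in "$@"; do
    if ! awk -v name="$m" '$1 == name { found = 1 } END { exit found ? 0 : 1 }' "$modfile"; then
      printf '%s\n' "$m"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample in /proc/modules layout (name, size, refcount, users, state, address),
# so the check can be exercised without a Linux host. Prints the temp file path.
write_sample_modules() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
x_tables 53248 2 ip_tables,iptable_filter, Live 0x0000000000000000
ip_tables 32768 1 iptable_filter, Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
EOF
  printf '%s\n' "$f"
}

# check_host <module>...: run against the real /proc/modules and print a modprobe hint.
# Caveat: features compiled into the kernel do not appear in /proc/modules; on such kernels
# consult /lib/modules/$(uname -r)/modules.builtin before treating a name as missing.
check_host() {
  if [ ! -r /proc/modules ]; then
    echo "no /proc/modules; not a Linux host?" >&2
    return 2
  fi
  if missing=$(missing_modules /proc/modules "$@"); then
    echo "all required iptables modules are loaded"
  else
    for m in $missing; do
      echo "missing: $m  (try: sudo modprobe $m)"
    done
    return 1
  fi
}

# Usage: sh check-iptables.sh --check iptable_filter
if [ "${1:-}" = "--check" ]; then
  shift
  check_host "$@"
fi
```

Run it on the worker node (or the Synology/Unraid host) before deploying; a non-zero exit with a "missing:" line tells you which modprobe to run, and the builtin-modules caveat in the comment explains the one case where the check can report a false negative.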

Synology

A few users have had some problems with certain Synology devices as these do not come with the correct iptables modules, a manual will be added to the documentation when I have time to do this. For now, please join the Discord as the solution is posted to the support channel there.

Credits

This image was initially based on the excellent work of https://github.com/bubuntux/nordvpn and their NordVPN client implementation in Docker.


meshnet's Issues

.env through docker compose installation?

Any way to update .env through docker compose installation? Running portioner on HAOS and it won't let me zip the .env and build. Or any solution or path to bind to the .env? I can't look at the file structure as the container reboots instantly over and over.

needed to edit docker-compose to function

Hi, not sure if this could be a widespread issue or just an anomaly in my case. (using unraid btw)
When I initially set up this docker container I couldn't get any of my devices to connect.
It was only after I added network_mode: "host" to docker-compose.yml that I was able to get it working properly.

Now it works great, thanks for making this!

Can't load web pages while routing traffic

Hi Matt,

First off, thanks so much for your work on this docker image! I run an unraid server in my house and this is by far the simplest, most straightforward way to route my traffic through that machine.

I was able to get the container up and running, and the machine shows up in my NordVPN app as a node I can route my traffic through. However, while routing traffic through it, web pages don't seem to load, eventually timing out. It's almost like my internet connection is down, except I'm able to execute a ping www.google.com in the terminal and I get a response back, with times all hovering around 14ms.

I have a family member who lives on the other side of the US that helped me test this, and she's getting the same results while routing traffic through the machine running this docker container.

The logs don't contain any information that would help diagnose this, just successful startup messages and acknowledging the nodes I've fed into the "ALLOW_" series of environment variables.

Can you help me figure out what the problem might be? Thank you! The image is running on Unraid v6.12.10.

Verify Meshnet services using this container

Container platforms mostly use overlay networks to enable the network abstraction layer. Since Meshnet is a service relying and depending on networking, and is not originally intended to be run in a container, it's possible not all Meshnet services function as expected.

Routing through this container using the Meshnet network is working fine, this is my original use-case, to use a Meshnet node/peer as an exit node like any traditional VPN.

Local network access works as expected. All local IP ranges (RFC 1918) seem to be available. Blocking this access will initiate firewall rules to block all non-internet routable IP ranges. The fact that NordVPN runs in a container does not change anything about this functionality.

To be tested:

  • Does the filesharing function work? Is this even something that should be enabled/used within a container?
  • Does the Remote Access service work? According to the docs this allows Pings and other direct connected service access.

Error connecting Meshnet on Oracle Cloud ARM64 OKE Kubernetes nodes

Currently getting the following error running on Kubernetes arm64.
Can't really find the problem yet, NordVPN client logs on correctly but fails when trying to enable Meshnet.
Whoops! Connection failed. Please try again. If the problem persists, contact our customer support.

Set up DEV branch

Start working outside of master branch for development stuff to avoid breaking latest images.

Switch to smaller base image

Current image is quite large, not quite certain how much space the NordVPN client uses, but I'm sure the final image can be quite a bit smaller than the current ubuntu image.

Maybe switch to Alpine with s6 if possible?

"Network is unreachable" bug with Jellyfin integration

I have set up a meshnet and pointed my jellyfin container to use it, see config below. The problem I have is that when I go to my browser to load my-nord-vpn-dns.nord on port 8096, nothing loads. The meshnet logs show that it is up and running fine, however the Jellyfin logs are giving back this SocketException. Any idea if I am missing something?

[14:00:22] [ERR] [30] Emby.Dlna.Main.DlnaEntryPoint: Error sending socket message from ************* to ************* 
System.Net.Sockets.SocketException (101): Network is unreachable
meshnet:
    image: ghcr.io/mattstechinfo/meshnet:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - PUID=1000
      - PGID=1000
      - NORDVPN_TOKEN=*************
      - NORDVPN_ALLOW_PEER_ROUTING=*************
      - NORDVPN_ALLOW_PEER_LOCAL=*************
    hostname: meshnet   # Make sure hostname is set! Without it, every restart will add a new peer to your Meshnet.
    ports:
      - 8096:8096
      - 7359:7359/udp

jellyfin:
    image: lscr.io/linuxserver/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - ~/docker-services/jellyfin/config:/config
    restart: 'unless-stopped'
    network_mode: service:meshnet

Meshnet Permissions refactor

Current permission settings are quite ugly in code, also functionality is far from optimal.

Ideas:

  • Make peer permissions more dynamic, less static. Iterate through nordvpn meshnet peer list
  • Create an ENV var + code to BLOCK all services and peers on startup instead of configuring every single service.

Caveats:
Might be doing a lot of work for nothing as permission management will be available from the NordVPN account Meshnet WebUI. At the time of writing it's mentioned as an upcoming feature.

The VPN connection has failed

Hello there,

My problem is that the container says "The VPN connection has failed". My Docker host is Alpine Linux.

Here is my docker compose:

version: "3"
services:
  meshnet:
    image: ghcr.io/mattstechinfo/meshnet:v3.17.0
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - NET_RAW
    hostname: alpine-virtual
    environment:
      - NORDVPN_TOKEN=$NORDVPN_TOKEN
      - NORDVPN_HEALTHCHECK_URL=$NORDVPN_HEALTHCHECK_URL
      - NORDVPN_HEALTHCHECK_INTERVAL=$NORDVPN_HEALTHCHECK_INTERVAL
      - NORDVPN_ALLOW_PEER_ROUTING=$NORDVPN_ALLOW_PEER_ROUTING
      - NORDVPN_ALLOW_PEER_LOCAL=$NORDVPN_ALLOW_PEER_LOCAL
      - NORDVPN_ALLOW_PEER_FILESHARE=$NORDVPN_ALLOW_PEER_FILESHARE
      - NORDVPN_ALLOW_PEER_REMOTE=$NORDVPN_ALLOW_PEER_REMOTE

The container log:

[screenshot attached in the original issue; not reproduced here]
