
nordvpn: init at 5.2.0 #406725

Closed. different-error wants to merge 1 commit into NixOS:master from different-error:nordvpn.


Conversation

different-error (Contributor) commented May 13, 2025

Add the popular NordVPN to NixOS. Tested using the following configuration:

{
  config,
  lib,
  pkgs,
  ...
}:

{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.firewall.enable = false;  # required

  services.nordvpn.enable = true;  # required

  virtualisation.vmVariant = {
    virtualisation = {
      memorySize = 4096;
      cores = 3;
    };
  };

  users.groups.alice = {};
  users.users.alice = {
    isSystemUser = true;
    password = "alice";
    group = "alice";
    extraGroups = [
      "wheel"
      "nordvpn"  # strongly recommended
    ];
    shell = pkgs.bash;
    home = "/home/alice";
    createHome = true;
    packages = with pkgs; [
      tree
    ];
  };

  system.stateVersion = "24.11"; # Did you read the comment?
}

The configuration was tested by running:

nixos-rebuild build-vm --use-remote-sudo -I nixos-config=/path/to/above/configuration.nix -I nixpkgs=/path/to/this/pr/nixpkgs

There is another PR (#220616) for NordVPN, which is over two years old and has been stale for a year. Additionally, there are issues requesting NordVPN support for NixOS here and here.

I chose to extract the .deb package instead of building from source to avoid modifying or leaking the salt. Meshnet is not yet supported, but core NordVPN features work. I’ll create another PR once the Meshnet issues are resolved.

[screenshot: 2025-05-13-123306_hyprshot]

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Note: I use Claude btw.


github-actions bot added labels May 13, 2025: 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS); 8.has: module (update) (This PR changes an existing module in `nixos/`); 8.has: maintainer-list (update) (This PR changes `maintainers/maintainer-list.nix`); 8.has: documentation (This PR adds or changes documentation); 10.rebuild-darwin: 1; 10.rebuild-darwin: 1-10; 10.rebuild-linux: 1-10.
NixOSInfra added the label 12.first-time contribution (This PR is the author's first one; please be gentle!) May 13, 2025.
different-error marked this pull request as ready for review May 13, 2025 10:08.

drupol (Contributor) left a review comment:

Hello,

Thanks for your first PR.

I made some feedback, let me know if you need some help.

Review threads: three on nixos/modules/services/networking/nordvpn.nix and six on pkgs/by-name/no/nordvpn/package.nix (all but one marked outdated).
NyCodeGHG (Member) commented May 13, 2025

For such a security-relevant package as VPN software, we should build from source if possible.
I'm not sure why you want to avoid "leaking" the salt, since it can be easily extracted from the binary in the .deb you linked.

This would also allow us to patch out quirks such as relying on /usr

Review threads: two on pkgs/by-name/no/nordvpn/package.nix (outdated).
different-error (Contributor, author) replied:

For such a security-relevant package as VPN software, we should build from source if possible. I'm not sure why you want to avoid "leaking" the salt, since it can be easily extracted from the binary in the .deb you linked.

This would also allow us to patch out quirks such as relying on /usr

Your claims about salts are valid and correct! My earlier statement was based on an incorrect misunderstanding, and I've updated the comment accordingly.

Another way to address quirks is to make changes directly in the NordVPN repository, which was my implicit assumption for the next release.

I could update this to build from scratch, but I don’t see the added security benefit. All other Linux distributions download from repo.nordvpn.com (.deb or .rpm) via their install script. I’ve also noticed that ExpressVPN extracts their .deb. Fortunately, building from source is nearly complete thanks to community efforts. Regardless, I’m not convinced there’s a significant advantage. Lmk your thoughts, thanks!

drupol (Contributor) commented May 13, 2025

I could update this to build from scratch, but I don’t see the added security benefit. All other Linux distributions download from repo.nordvpn.com (.deb or .rpm) via their install script. I’ve also noticed that ExpressVPN extracts their .deb. Fortunately, building from source is nearly complete thanks to community efforts. Regardless, I’m not convinced there’s a significant advantage. Lmk your thoughts, thanks!

You are right that most distributions fetch the .deb or .rpm packages from repo.nordvpn.com using the official install script, and that ExpressVPN follows a similar approach in Nixpkgs by extracting the .deb archive.

However, the key issue here is trust and verifiability.

At the moment, there's no reliable way to verify that the binaries provided on repo.nordvpn.com are actually built from the publicly available sources. By using those prebuilt packages, we are implicitly trusting the vendor without any way to independently validate the build integrity.

One of the strengths of Nix is its focus on reproducibility. Building from source allows us (most of the time) to produce reproducible outputs. This enables a verifiable 1-to-1 mapping between the source code and the resulting binaries, which significantly improves the security of the software supply chain.

Fortunately, thanks to recent community efforts, we’re getting close to being able to build the client fully from source.

That’s why I believe it’s worth pushing in that direction.
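The check drupol is arguing for, rebuilding from source and tying a distributed binary back to that source, as an added example that is not part of this PR or of NordVPN's code. Nix performs it with `nix-build --check` (a second build of the same derivation, compared against the first); the script below shows the same comparison stand-alone, with constructed stand-in "builds" and source files, so build_deterministic, build_with_build_id, make_source and the vendor directory are assumptions for illustration only.

```shell
#!/usr/bin/env bash
# Added example, not code from the nixpkgs PR or from NordVPN. It illustrates
# the reproducibility check behind `nix-build --check`: build the same source
# twice and compare the outputs; only when two builds agree can a vendor binary
# be compared against a local rebuild. Builds and sources below are constructed.
set -eu

# Stable content hash of a directory tree: hash every file in sorted order, then
# hash that list, so file-system listing order cannot affect the result.
tree_hash() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) | sha256sum | cut -d' ' -f1
}

# verify_reproducible BUILD_FN SRC_DIR
# Runs BUILD_FN twice into fresh output directories and compares the trees.
# Returns 0 when both builds are bit-identical, 1 otherwise.
verify_reproducible() {
  local build="$1" src="$2" out1 out2 h1 h2
  out1=$(mktemp -d); out2=$(mktemp -d)
  "$build" "$src" "$out1"
  "$build" "$src" "$out2"
  h1=$(tree_hash "$out1"); h2=$(tree_hash "$out2")
  rm -rf "$out1" "$out2"
  if [ "$h1" = "$h2" ]; then
    echo "reproducible: $h1"
    return 0
  fi
  echo "NOT reproducible: $h1 != $h2"
  return 1
}

# vendor_matches_rebuild VENDOR_DIR BUILD_FN SRC_DIR
# Rebuilds from source and compares the result with a vendor-supplied output
# tree. Only meaningful once verify_reproducible has passed for BUILD_FN.
vendor_matches_rebuild() {
  local vendor="$1" build="$2" src="$3" out h_vendor h_local
  out=$(mktemp -d)
  "$build" "$src" "$out"
  h_vendor=$(tree_hash "$vendor"); h_local=$(tree_hash "$out")
  rm -rf "$out"
  [ "$h_vendor" = "$h_local" ]
}

# Constructed stand-ins for a compiler. The deterministic one depends only on
# the source contents; the other embeds per-build randomness (timestamps and
# build paths are the usual real-world causes of the same effect).
build_deterministic() {
  cat "$1"/*.c > "$2/daemon.bin"
}
build_with_build_id() {
  { cat "$1"/*.c; od -An -N4 -tx1 /dev/urandom; } > "$2/daemon.bin"
}

# Constructed source tree.
make_source() {
  mkdir -p "$1"
  printf 'int main(void) { return 0; }\n' > "$1/main.c"
  printf 'int helper(void) { return 1; }\n' > "$1/helper.c"
}

# Demo when run directly: one reproducible build, one that is not.
SRC=$(mktemp -d)
make_source "$SRC"
verify_reproducible build_deterministic "$SRC"
verify_reproducible build_with_build_id "$SRC" || true
rm -rf "$SRC"
```

The vendor_matches_rebuild step is what turns reproducibility into supply-chain evidence: once two local builds of the published source agree, a vendor artifact whose tree hash differs from the local rebuild cannot be the output of that source, and a matching hash means the prebuilt package adds no trust beyond the source itself.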

different-error (Contributor, author) replied:

I could update this to build from scratch, but I don’t see the added security benefit. All other Linux distributions download from repo.nordvpn.com (.deb or .rpm) via their install script. I’ve also noticed that ExpressVPN extracts their .deb. Fortunately, building from source is nearly complete thanks to community efforts. Regardless, I’m not convinced there’s a significant advantage. Lmk your thoughts, thanks!

You are right that most distributions fetch the .deb or .rpm packages from repo.nordvpn.com using the official install script, and that ExpressVPN follows a similar approach in Nixpkgs by extracting the .deb archive.

However, the key issue here is trust and verifiability.

At the moment, there's no reliable way to verify that the binaries provided on repo.nordvpn.com are actually built from the publicly available sources. By using those prebuilt packages, we are implicitly trusting the vendor without any way to independently validate the build integrity.

One of the strengths of Nix is its focus on reproducibility. Building from source allows us (most of the time) to produce reproducible outputs. This enables a verifiable 1-to-1 mapping between the source code and the resulting binaries, which significantly improves the security of the software supply chain.

Fortunately, thanks to recent community efforts, we’re getting close to being able to build the client fully from source.

That’s why I believe it’s worth pushing in that direction.

Gotcha. A malicious attacker might somehow tamper with their binaries. Building from source is the secure way to go. Ok, will do, thanks!

different-error (Contributor, author) commented:

Modified the package to build from source instead of extracting the .deb file.
Attribution: I adapted the working configuration found here.

Verified that core features function correctly.
[screenshot: 2025-05-13-232059_hyprshot]

Thank you all for your time!

drupol previously requested changes May 14, 2025.
Review threads: five on nixos/modules/services/networking/nordvpn.nix and two on pkgs/by-name/no/nordvpn/package.nix (all outdated).
@different-error different-error force-pushed the nordvpn branch 3 times, most recently from 6a79c37 to 30f70e6 Compare May 15, 2025 21:33
different-error (Contributor, author) commented May 15, 2025

I've reduced privileges by using a dedicated nordvpn user. DynamicUser=true behaved inconsistently when I specified the nordvpn group, including when I set it only in SupplementaryGroups=.

Additionally, the nordvpnd source was modified to find helper executables in the <<pkg>>/bin directory (and the PATH, of course). The PATH configured in the systemd unit file now includes only paths to the binaries that are needed.

One more thing, nordvpnd failed to recognize the norduserd process, even though both ran as the same user, which is incorrect behavior. As far as I know, this only affects notifications for VPN server connection/disconnection. I verified basic connect/disconnect operations using OpenVPN and NordLynx protocols.

Thanks again for the review!

[screenshot: 2025-05-16-002450_hyprshot]
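An added example, not code from this PR: a shell audit of a systemd [Service] section for the properties the comment above describes (a dedicated static user rather than DynamicUser mixed with a static group, and a PATH limited to the directories holding the daemon's helpers). The two unit texts, the /nix/store/example-* directories and the allow-list are constructed for illustration; on a real system the same fields would be read from `systemctl cat` of the daemon's unit.

```shell
#!/usr/bin/env bash
# Added example, not part of the nixpkgs PR: audit the [Service] section of a
# systemd unit for the least-privilege properties discussed in the thread.
# Unit texts and the /nix/store/example-* paths are constructed placeholders.
set -eu

# Constructed unit following the approach described above: a dedicated static
# user/group and a PATH limited to the directories holding the daemon's helpers.
HARDENED_UNIT='[Unit]
Description=example VPN daemon
[Service]
User=nordvpn
Group=nordvpn
Environment=PATH=/nix/store/example-nordvpn/bin:/nix/store/example-iproute2/bin
NoNewPrivileges=true
ExecStart=/nix/store/example-nordvpn/bin/nordvpnd'

# Constructed weak unit: DynamicUser mixed with a static Group (the combination
# reported as inconsistent above) and a PATH that reaches beyond the helpers.
WEAK_UNIT='[Service]
DynamicUser=true
Group=nordvpn
Environment=PATH=/usr/bin:/usr/local/bin:/nix/store/example-nordvpn/bin
ExecStart=/nix/store/example-nordvpn/bin/nordvpnd'

# Directories a restricted PATH may contain (assumed for the example).
ALLOWED_DIRS=/nix/store/example-nordvpn/bin:/nix/store/example-iproute2/bin

# service_value UNIT_TEXT KEY: print the first KEY= value inside [Service],
# or nothing if the key is absent.
service_value() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^\[/ { in_service = ($0 == "[Service]"); next }
    in_service && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# audit_unit UNIT_TEXT ALLOWED_DIRS: print one line per finding and return the
# number of findings, so a return code of 0 means the unit passes.
audit_unit() {
  local unit="$1" allowed="$2" findings=0 user dyn group path dir old_ifs
  user=$(service_value "$unit" User)
  dyn=$(service_value "$unit" DynamicUser)
  group=$(service_value "$unit" Group)
  path=$(service_value "$unit" Environment | sed -n 's/^PATH=//p')

  if [ -z "$user" ] && [ "$dyn" != "true" ]; then
    echo "finding: neither User= nor DynamicUser=, the daemon would run as root"
    findings=$((findings + 1))
  elif [ "$user" = "root" ]; then
    echo "finding: User=root, no privilege reduction"
    findings=$((findings + 1))
  fi
  if [ "$dyn" = "true" ] && [ -n "$group" ]; then
    echo "finding: DynamicUser=true combined with a static Group=$group"
    findings=$((findings + 1))
  fi
  if [ -z "$path" ]; then
    echo "finding: no explicit PATH=, the daemon inherits systemd's default search path"
    findings=$((findings + 1))
  fi
  # Every PATH entry must be one of the allowed directories.
  old_ifs=$IFS; IFS=:
  for dir in $path; do
    case ":$allowed:" in
      *":$dir:"*) ;;
      *) echo "finding: PATH entry $dir is outside the allow-list"
         findings=$((findings + 1)) ;;
    esac
  done
  IFS=$old_ifs
  return "$findings"
}

# Demo: the hardened unit passes, the weak unit reports its findings.
echo "hardened unit:"; audit_unit "$HARDENED_UNIT" "$ALLOWED_DIRS" && echo "  no findings"
echo "weak unit:";     audit_unit "$WEAK_UNIT" "$ALLOWED_DIRS" || echo "  $? finding(s)"
```

The PATH check is the one that matters most for a daemon that spawns helper executables: a search path that includes general-purpose directories lets any writable or later-installed binary of the same name be picked up, whereas an allow-list of store paths pins each helper to the exact package the unit was built against.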

Review threads: one on doc/release-notes/rl-2505.section.md, four on nixos/modules/services/networking/nordvpn.nix and two on pkgs/by-name/no/nordvpn/package.nix (all outdated).
nixos-discourse bot commented:

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/2601

adam248 (Contributor) commented Nov 26, 2025

hey, really looking forward to this being added in the near future... thanks to everyone who has been working on this

getreu (Contributor) commented Dec 8, 2025

What are the blockers/status of this project? Could a minimal viable version be shipped soon?

Review thread on pkgs/by-name/no/nordvpn/package.nix (outdated), on these lines:

# cgo build dependencies go here
# https://github.com/NixOS/nixpkgs/blob/master/doc/languages-frameworks/go.section.md#envcgo_enabled-var-go-cgo_enabled
# libxml2 2.14.[0-4] breaks daemon
libxml2_13

Contributor commented:

Funny, with libxml2 being an original blocker when this PR was started, it looks like upstream has since replaced it with xsltproc instead in release v4.2.1 (with the current release now also being v4.2.2).

different-error (Contributor, author) replied:

What are the blockers/status of this project? Could a minimal viable version be shipped soon?

yeah it seems to have found itself lodged in "ready for review" for quite some time now..

in the meantime I intend to update it with latest changes from NordVPN sometime next week. thank you everyone for your patience.

andersonjoseph commented:

Any insight about why meshnet is not supported? I've been using the package just fine until I got hit with an error while trying to use meshnet and I could not find anything useful on the logs.

ruffsl (Contributor) commented Dec 17, 2025

Any insight about why meshnet is not supported?

@andersonjoseph , meshnet requires dependencies such as libtelio, related discussion from Jun 13th to 18th above:

different-error (Contributor, author) commented:

Just a quick version bump to 4.3.1. Going to work on the Flutter GUI now. Hopefully it turns out not too difficult thanks to the prior effort of @ruffsl

different-error (Contributor, author) commented:

Ok, I think the previous build passed because of some cache weirdness. Strangely when I had tested the binary, it spat out that the binary had used version 4.3.1. Anyway, latest commits use the correct vendor and src hashes for 4.3.1. libxml2 successfully removed in the package.

different-error (Contributor, author) commented Dec 22, 2025

Attempting to build nordvpn's flutter gui. You can find what I have so far here. It does not build atm, complains with the following error:

[ +154 ms] CMake Error at /nix/store/w9jm660dykns6hzrdhxmqfywnc9ail8g-cmake-4.1.2/share/cmake-4.1/Modules/FindPackageHandleStandardArgs.cmake:227 (message):
[        ]   Could NOT find X11 (missing: X11_X11_INCLUDE_PATH X11_X11_LIB)
[        ] Call Stack (most recent call first):
[        ]   /nix/store/w9jm660dykns6hzrdhxmqfywnc9ail8g-cmake-4.1.2/share/cmake-4.1/Modules/FindPackageHandleStandardArgs.cmake:591 (_FPHSA_FAILURE_MESSAGE)
[        ]   /nix/store/w9jm660dykns6hzrdhxmqfywnc9ail8g-cmake-4.1.2/share/cmake-4.1/Modules/FindX11.cmake:671 (find_package_handle_standard_args)
[        ]   CMakeLists.txt:57 (find_package)

Seems like I need to add xorg somehow (nixos discourse). I intend to try again tomorrow.

different-error (Contributor, author) commented:

I've added flutter gui support to the package and removed the salt. Also to avoid rebuilding the cli twice, I've separated out the package into cli.nix and gui.nix. I had to patch their linux CMakeLists.txt to use pkgconfig to find the correct x11 path.

Tested and verified that both standalone package and module work as intended over openvpn and nordlynx.

[screenshot: 2025-12-23-233331_hyprshot]

I intend to work on incorporating meshnet next which I would start on Dec 26th. Hopefully not too difficult thanks to the prior efforts of @dimkNevidimk!

different-error (Contributor, author) commented:

meshnet progress update:

  • libtelio package builds
  • tests all pass in a pure nix-shell but seem to break when I run nix-build -A libtelio. Not sure why yet..

https://github.com/different-error/nixpkgs/tree/nordvpn-meshnet

https://github.com/different-error/nixpkgs/tree/nordvpn-meshnet/pkgs/by-name/li/libtelio

different-error (Contributor, author) commented:

update:

  • I've added libdrop and modified the nordvpn cli recipe to use the tags "telio" "drop".
  • they've patched libdrop-go so I believe we can use Go1.24+

Surprisingly, I don't see "meshnet" in the nordvpn settings.

https://github.com/different-error/nixpkgs/tree/nordvpn-meshnet
https://github.com/different-error/nixpkgs/tree/nordvpn-meshnet/pkgs/by-name/li/libdrop
https://github.com/different-error/nixpkgs/tree/nordvpn-meshnet/pkgs/by-name/no/nordvpn

I've caught the flu. I intend to get back to this when I feel healthy enough to do so.

dimkNevidimk commented:

@different-error,

Sorry for not replying earlier, but I think NordVPN team dropped meshnet support completely:
https://nordvpn.com/blog/meshnet-shutdown/

different-error (Contributor, author) replied:

@different-error,

Sorry for not replying earlier, but I think NordVPN team dropped meshnet support completely:
https://nordvpn.com/blog/meshnet-shutdown/

They changed their mind and decided to keep it.

https://nordvpn.com/blog/meshnet-stays

different-error (Contributor, author) commented:

I could use some help getting meshnet working. Please base your changes around my feature branch nordvpn-meshnet. Ty

andersonjoseph commented Jan 2, 2026

I could use some help getting meshnet working. Please base your changes around my feature branch nordvpn-meshnet. Ty

I will take a look when I get home from holiday travel (in a couple of hours) 👌


Update here

TL;DR: I got Meshnet working, but it tries to edit /etc/hosts, which causes permission errors.
I can force it to work by changing the file mode to 0644, but that's a dirty hack.

If anyone knows a clean way to grant write permissions to /etc/hosts, it would be great. Another solution is to send a patch with a --no-ns-hosts flag to the upstream repo so we can disable the write attempts and handle hostnames declaratively.

different-error (Contributor, author) commented:

Some nits. Tested successful connection using the GUI.

While progress with meshnet continues, seeing that including it would cause this PR to increase significantly in size, I think we should PR the current changes without meshnet support and include meshnet in the next PR.

I presently intend to break this PR into smaller, newer ones to facilitate review.

different-error (Contributor, author) commented:

Updated to version 4.5.0

romildo (Contributor) commented Jun 2, 2026

There are merge conflicts.

different-error (Contributor, author) commented:

Updated to 5.0.0

different-error (Contributor, author) commented:

NordVPN 5.1.0

different-error (Contributor, author) commented:

NordVPN 5.2.0

romildo (Contributor) commented Jul 2, 2026

This branch has conflicts that must be resolved.

different-error (Contributor, author) commented:

  • Package pr has merged. Ty @romildo!!
  • Meshnet requires some changes upstream and the nixpkgs changes would go inside a different pr. This would take me a few weeks. Thank you for your patience.
  • Verified that nordvpn module with version 5.2.0 works over nordlynx and openvpn protocols and over cli and gui.

different-error (Contributor, author) commented:

Closing this pr since it has two review requests with write access from reviewers no longer active with the pr. I can open another pr for the module shortly after.

different-error (Contributor, author) commented:

New module pr #538312 (same commit). Ty


Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 8.has: module (new) This PR adds a module in `nixos/` 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: tests This PR has tests 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

Status: ✅ Done
