Getting NordVPN WireGuard details

GetNordVPNWireGuardDetails.md

About

Instructions to obtain WireGuard details of your NordVPN account. These can be used to setup a WireGuard tunnel on your router to NordVPN.

Source: https://forum.gl-inet.com/t/configure-wireguard-client-to-connect-to-nordvpn-servers/10422/27

Prerequisites

If you have any linux machine, use that or install a vm if you don't have one.

Get their official linux app installed. Make sure you have wireguard installed too. And set the used technology to Nordlynx by running nordvpn set technology nordlynx

Fetching details

Connect to nordvpn with command: nordvpn connect (don't forget to login with nordvpn login --legacy).

Fetch (your) IP address

After successful connection run

ifconfig nordlynx

Fetch your private key

Run

sudo wg show nordlynx private-key

Output of this command should be something like this:

CKMAE9LARlt2eZHgGnNaSUYiKllKJN7f3hed/bWm5E8=

The key above is just a random key for demo purposes.

Fetch your public key

Run

sudo wg show nordlynx public-key

Output of this command should be something like this:

TO158iXbNXt2eZHgGnNaSUYiKZHgGN7f3hed/bWm5E8=

The key above is just a random key for demo purposes.

Fetch server details

Make sure you have curl and jq installed on your host/router. These are needed to be able to fetch the config of NordVPN Server. If not installed, go ahead and install

opkg install curl jq

After installation enter the command below to fetch the recommended server config:

curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'

Output:

uk1818.nordvpn.com #your endpoint host
178.239.166.185 #its ip address
London #city
United Kingdom #country
K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE= #Server public key
10 #Server load at the time.

Or just visit the following url https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1 from your browser and look for the details manually.

Hey all, I hacked together a little CLI inspired by the guide here, that extracts the WG privatekey from macOS keychain, then calls the NordVPN API to fetch server information, and outputs ready to use .conf files

https://github.com/dvcrn/generate-nordvpn-wgconf

It can either generate for a specific country (--country DE) or all countries (--all-countries). You can also specify to generate multiple configs for a specific country (--country DE --amount 3 --outdir out/)

I wanted something that allows me to quickly regenerate configs with whatever NordVPN recommends as server, and make managing those files a bit easier.

It's only tested on macOS, but in theory, if you know your private key already (following the guide here), you should be able to use it under linux as well, by directly specifying --pk foobar.

(Specifying --nordvpn-accountid will make it go into keychain mode, so it'll try to extract the credentials from macOS keychain)

Hey @dvcrn,

I've developed a NordVPN WireGuard Configuration Generator and Proxy Servers Fetcher tool inspired by your work. Unlike similar tools, mine offers a streamlined setup process, automatic server sorting for optimal performance, and categorized server organization by country and city for easy navigation. The tool also includes proxy server fetching from NordVPN's API and a multi-language support feature with versions available in Python, Go, and a web-based interface.

Check it out here: NordVPN WireGuard Configuration Generator

Your tool was a great starting point, and I've added enhancements such as improved server selection algorithms and flexible configuration options. I'd appreciate your feedback on my project.

Thanks for the inspiration!

Best regards.

Thank you for this great work.
I use it on my Banana Pi M3 with Armbian OS.
@GY8VSdYYzvL8-K6T it will work with Raspberry Pi, too.
@macnug it won't work with FritzBox. My solution is too use two Fritzbox-Devices and in between of these my Banana Pi, like this:
WWW---FritzBox1--(LAN)--BananaPi with VPN --(LAN)--FritzBox2---Cilents.
For me it would be very useful to use this Script with other VPN-Providers.
Is there a possibility to write this script for other VPN-Providers?

Thank you for this great work. I use it on my Banana Pi M3 with Armbian OS. @GY8VSdYYzvL8-K6T it will work with Raspberry Pi, too. Is there a possibility to write this script for other VPNs?

Absolutely, Surfshark and Mullvad VPN are great options that support WireGuard technology. From my research, they indeed offer WireGuard servers, and you can manually set it up. Although I don't have direct access to these VPNs currently, if you can provide more detailed data about them, we could potentially explore some innovative solutions together!

Absolutely, Surfshark and Mullvad VPN are great options that support WireGuard technology. From my research, they indeed offer WireGuard servers, and you can manually set it up. Although I don't have direct access to these VPNs currently, if you can provide more detailed data about them, we could potentially explore some innovative solutions together!

Let's test it with Mullvad VPN or Hide.me

Absolutely, Surfshark and Mullvad VPN are great options that support WireGuard technology. From my research, they indeed offer WireGuard servers, and you can manually set it up. Although I don't have direct access to these VPNs currently, if you can provide more detailed data about them, we could potentially explore some innovative solutions together!

Let's test it with Mullvad VPN or Hide.me
I decided to give Mullvad a test run and stumbled upon an API to fetch all their servers. It took me a little while to whip up some usable code, but things got tricky when I tried to snag the addresses. Turns out they're dynamic, which I realized after messing around with their config generator on https://mullvad.net/en/account/wireguard-config. Each time I generated a config for a new device, it spat out a unique address for the [Interface] part.

I hit a bit of a snag trying to crack the code on those dynamic addresses. But hey, I reckon using their tool should do the trick. On the other hand, I drew a blank when it came to Hide.me. Couldn't find a thing about setting up WireGuard configs.If u find anything we shall meet again in the comments :>

The only way to use hide.me with Wireguard is to use the hide.client.linux. There are no WireGuard configs.
I found this https://github.com/Seyloria/hide.me-server-switch and this https://github.com/passepartoutvpn/api-source-hideme?tab=readme-ov-file

alternative way without downloading their software (needs curl and jq):

1. go to https://my.nordaccount.com/dashboard/nordvpn/manual-configuration/ and create an access token
2. get your private key

curl -s -u token:<ACCESS_TOKEN> https://api.nordvpn.com/v1/users/services/credentials | jq -r .nordlynx_private_key

3. get server info

curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1"|jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value), .load'

4. create config:

[Interface]
PrivateKey = <PRIVATE_KEY> # from step 2
Address = 10.5.0.2/32 # this IP is always the same
DNS = 9.9.9.9 # your favorite DNS server

[Peer]
PublicKey = <PUBLIC_KEY> # from step 3
AllowedIPs = 0.0.0.0/0, ::/0 # route everything
Endpoint = <ENDPOINT>:51820 # endpoint or IP from step 3, the port is always the same

This didn't work for me. Here it is adjusted that worked:

Fetching the Server Information:

SERVER_INFO=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1")
HOSTNAME=$(echo $SERVER_INFO | jq -r '.[0].hostname')
PUBLIC_KEY=$(echo $SERVER_INFO | jq -r '.[0].technologies[] | select(.identifier == "wireguard_udp").metadata[] | select(.name == "public_key").value')
ENDPOINT=$(echo $SERVER_INFO | jq -r '.[0].station')

echo "Hostname: $HOSTNAME"
echo "Public Key: $PUBLIC_KEY"
echo "Endpoint: $ENDPOINT"

Fetching the Private Key:

ACCESS_TOKEN="<ACCESS_TOKEN>"
PRIVATE_KEY=$(curl -s -u token:$ACCESS_TOKEN https://api.nordvpn.com/v1/users/services/credentials | jq -r .nordlynx_private_key)
echo "Private Key: $PRIVATE_KEY"
echo "Endpoint: $ENDPOINT"

Had a massive faff doing this, didn't work through WSL at all for me, but ended up getting the key after fiddling with an Ubuntu VM on VMWare Player. This shouldn't be this difficult, thanks for the guidance.

curl -s -u token:<ACCESS_TOKEN> https://api.nordvpn.com/v1/users/services/credentials

Worked fine for me thanks @dumbasPL

Interesting way to retrieve the credentials, thanks for sharing! Maybe we can add that to https://github.com/dvcrn/generate-nordvpn-wgconf/ as another way to fetch the necessary creds besides just osxkeychain or manual specifying

For anyone wondering how to set this up on a FRITZ!Box router here's how I did it

1. Follow the steps
2. Create a config (.conf) file and write as follows:

[Interface]
PrivateKey = {YOUR PRIVATE KEY} # sudo wg show nordlynx private-key (step 2)
Address = 10.5.0.2/32 # don't change this as it's always the same
DNS = {A DNS SERVER} # I used 8.8.8.8
 
[Peer]
PublicKey = {ENDPOINT PUBLIC KEY} # step 4
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = {ENDPOINT HOST}:51820 # ex. uk1818.nordvpn.com (step 4)

3. Log in the router's interface
4. Go to Internet > Permit Access > VPN (Wireguard)
5. Click Add Connection and then click "Connect networks or establish special connections", then "Next"
6. "Has this WireGuard connection already been set up at the remote connection?" click "Yes" and then "Next"
7. Enter a name for the connection
8. Upload the .conf file you created
9. Enable the option "Send all network traffic via the VPN connection"
10. Click "Finish"

This worked perfectly for me on my FRITZ!Box 7590

Hey @dvcrn,

I've developed a NordVPN WireGuard Configuration Generator and Proxy Servers Fetcher tool inspired by your work. Unlike similar tools, mine offers a streamlined setup process, automatic server sorting for optimal performance, and categorized server organization by country and city for easy navigation. The tool also includes proxy server fetching from NordVPN's API and a multi-language support feature with versions available in Python, Go, and a web-based interface.

Check it out here: NordVPN WireGuard Configuration Generator

Your tool was a great starting point, and I've added enhancements such as improved server selection algorithms and flexible configuration options. I'd appreciate your feedback on my project.

Thanks for the inspiration!

Best regards.

This is GIVING thank you for your work. Incredible

Hey @dvcrn,
I've developed a NordVPN WireGuard Configuration Generator and Proxy Servers Fetcher tool inspired by your work. Unlike similar tools, mine offers a streamlined setup process, automatic server sorting for optimal performance, and categorized server organization by country and city for easy navigation. The tool also includes proxy server fetching from NordVPN's API and a multi-language support feature with versions available in Python, Go, and a web-based interface.
Check it out here: NordVPN WireGuard Configuration Generator
Your tool was a great starting point, and I've added enhancements such as improved server selection algorithms and flexible configuration options. I'd appreciate your feedback on my project.
Thanks for the inspiration!
Best regards.

This is GIVING thank you for your work. Incredible

Glad i could be of help :>

I currently can't check on the webinterface, but could someone with a subscription could check, if this leads to the key?:

https://my.nordaccount.com/dashboard/nordvpn/manual-configuration/authorize/
You'll need a key, that you will receive per mail to access those settings tho

Commandline seems to be the easiest option tho:

 jakami@kubuntu-1337  ~  sudo nordvpn connect                                             
Connecting to Germany #1058 (de1058.nordvpn.com)
You are connected to Germany #1058 (de1058.nordvpn.com)!
 jakami@kubuntu-1337  ~  sudo wg show nordlynx private-key
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Another way of getting the NordVPN server details you want (steps after installation of curl and jq):

1. Use the NordVPN site ([https://nordvpn.com/servers/tools/]) to get the hostname of a server you desire. Feel free to use the server preferences on the right and/or advanced options

2. Copy the hostname of the desired server (this will be in the format of e.g. "us8261.nordvpn.com")

3. In the terminal type in the following, replace the ##HOSTNAME## with the above hostname:
   curl --silent "https://api.nordvpn.com/v1/servers?limit=16384" | jq --raw-output '.[] | select(.hostname == "##HOSTNAME##") | "\nServer: \(.name)\nHostname: \(.hostname)\nIP Address: \(.station)\nLocation: \(.locations.[].country.name) - \(.locations.[].country.city.name)\nType: \(.technologies.[].name)\nPubKey: \(.technologies.[].metadata.[].value)\nLoad: \(.load)\nStatus: \(.status)\n"'

4. Wait for a moment and the terminal will print out the required details for your desired host, e.g.:
   Server: United States #8261
Hostname: us8261.nordvpn.com
IP Address: 212.102.47.74
Location: United States - Seattle
Type: Wireguard
Public Key: 1GaNB9RbeGNzekcuRDcxTXvqtXWFe2K9GtUd+EjNuyI=
Load: 21
Status: online

I just want to say thank you to all those that posted. Running a simple python program made this incredibly easy, you guys are amazing.

For anyone using UDM Pro devices, you can setup a manual entry in the gui. Based on the notes in https://gist.github.com/bluewalk/7b3db071c488c82c604baf76a42eaad3?permalink_comment_id=4967841#gistcomment-4967841, the output of #2 goes in Private Key field, step #3 goes in Server Address (note the port#). Note the fixed value of Tunnel IP/Netmask. Add your preferred Primary/Secondary DNS Servers.

You can choose to route all, or just some of your devices through the VPN:

u could checkout my second web version for this project tryed to make it as easy as possible to get your configs u could find it at
https://nord-configs.onrender.com/

Another way of getting the NordVPN server details you want (steps after installation of curl and jq):

1. Use the NordVPN site ([https://nordvpn.com/servers/tools/]) to get the hostname of a server you desire. Feel free to use the server preferences on the right and/or advanced options
2. Copy the hostname of the desired server (this will be in the format of e.g. "us8261.nordvpn.com")
3. In the terminal type in the following, replace the ##HOSTNAME## with the above hostname:
   curl --silent "https://api.nordvpn.com/v1/servers?limit=16384" | jq --raw-output '.[] | select(.hostname == "##HOSTNAME##") | "\nServer: \(.name)\nHostname: \(.hostname)\nIP Address: \(.station)\nLocation: \(.locations.[].country.name) - \(.locations.[].country.city.name)\nType: \(.technologies.[].name)\nPubKey: \(.technologies.[].metadata.[].value)\nLoad: \(.load)\nStatus: \(.status)\n"'
4. Wait for a moment and the terminal will print out the required details for your desired host, e.g.:
   Server: United States #8261
Hostname: us8261.nordvpn.com
IP Address: 212.102.47.74
Location: United States - Seattle
Type: Wireguard
Public Key: 1GaNB9RbeGNzekcuRDcxTXvqtXWFe2K9GtUd+EjNuyI=
Load: 21
Status: online

Hello, what could be wrong if I got "jq: 1 compile error" ?

For my people under windows that don't have curl and jq, I have converted it to powershell:
https://gist.github.com/2-click/d3267354648bd6175db78ef171472e1d