Accessing LAN with NordVPN active

Question

This used to work, but for some reason no longer does. NordVPN support had no idea. Have spent all day researching and getting nowhere.

Problem summary: I can't ping other Ubuntu boxes on my network (same subnet), except when NordVPN is disconnected (and, in that case, everything pings just fine).

Status:

Two Ubuntu boxes, headless machines, both 22.04.4 LTS, and kept up to date.

Client = 192.168.1.210. Runs NordVPN. Server = 192.168.1.195. Is my main file server.

root@client:/home/adam# nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: enabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: enabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
Allowlisted ports:
           22 (UDP|TCP)
         8080 (UDP|TCP)
Allowlisted subnets:
        192.168.1.0/24

Checking out the firewall settings (showing both input and output chains - the "forward" chain is completely empty):

root@client:/home/adam# iptables -L | grep 192
ACCEPT     all  --  192.168.1.0/24       anywhere             /* nordvpn */
ACCEPT     all  --  192.168.1.0/24       anywhere             /* nordvpn */
ACCEPT     all  --  anywhere             192.168.1.0/24       /* nordvpn */
ACCEPT     all  --  anywhere             192.168.1.0/24       /* nordvpn */

Checking out the VPN status:

root@client:/home/adam# nordvpn status
Status: Connected
Server: United States #9458
Hostname: us9458.nordvpn.com
IP: 91.132.137.107
Country: United States
City: New York
Current technology: NORDLYNX
Current protocol: UDP
Transfer: 35.86 KiB received, 28.96 KiB sent
Uptime: 10 minutes 33 seconds

Checking external net access:

root@client:/home/adam# ping cnn.com
PING cnn.com (151.101.131.5) 56(84) bytes of data.
64 bytes from 151.101.131.5 (151.101.131.5): icmp_seq=1 ttl=60 time=37.0 ms

Pinging 192.168.1.195, however, and it just times out:

root@client:/home/adam# ping 192.168.1.195
PING 192.168.1.195 (192.168.1.195) 56(84) bytes of data.
^C
--- 192.168.1.195 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4081ms

Now, go nordvpn disconnect and then try pinging the server, and all is well - it pings just fine. So the LAN connectivity issue is ONLY when NordVPN is active.

Question: from the client box when NordVPN is active, why can't I ping other machines on the same LAN, even when I've whitelisted the subnet, and the firewall rules appear to reflect that. And, how can I get this working, so I can get my NFS and/or Samba shares going.

Answer 1

Sometimes, NordVPN customer support really isn't good, and it takes them a while to realize that their developers introduced a bug in the new version of their software.

When NordVPN stops working for you for no apparent reason, rather than struggle with customer support, consider downgrading to the prior version instead. My procedure was:

Uninstall NordVPN (whatever current version that doesn't work)

apt purge nordvpn

Then look for prior versions

apt list -a nordvpn

Which might result in a list like the below (note that it may look slightly different for you, as I ran this command after I already downgraded):

root@client:/home/adam# apt list -a nordvpn
Listing... Done
nordvpn/stable 3.18.1 amd64 [upgradable from: 3.18.0]
nordvpn/stable,now 3.18.0 amd64 [installed,upgradable to: 3.18.1]
nordvpn/stable 3.17.4 amd64
nordvpn/stable 3.17.3 amd64
nordvpn/stable 3.17.2 amd64
...
(etc)
...

So, for me, it was version 3.18.1 that didn't work, so 3.18.0 was the next-earlier version.

Then install the next-earlier version as follows:

apt install nordvpn=3.18.0

And to stop the package from being upgraded automatically, later, hold the package back until NordVPN issues yet another version that hopefully does work.

apt-mark hold nordvpn

Then, you should be good to go. Check back in a couple of months to see if NordVPN issued a new version using the commands above, and if so, try upgrading. You can always downgrade again if they still didn't fix whatever the issue was.