I'm trying to understand how a VPN I'm using works. In this case it's nordvpn, but the question should be vendor-neutral, focusing on the underlying Linux mechanisms and tools to check what's up without relying on any vendor tools.
First I had to install an app and run it with sudo. It did stuff and now I have a VPN connection. I don't know if it installed a kernel module or it's just userspace.
There is a new network interface created:
$ ip a
6: nordlynx: <POINTOPOINT,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.5.0.2/32 scope global nordlynx
valid_lft forever preferred_lft forever
However, the routing tables haven't changed:
$ ip route show
default via 10.1.10.1 dev wlp3s0 proto dhcp metric 20600
10.1.10.0/24 dev wlp3s0 proto kernel scope link src 10.1.10.210 metric 600
169.254.0.0/16 dev wlp3s0 scope link metric 1000
And it did some stuff with the firewall:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere connmark match 0xe1f1 /* nordvpn */
ACCEPT all -- anywhere anywhere connmark match 0xe1f1 /* nordvpn */
ACCEPT all -- anywhere anywhere connmark match 0xe1f1 /* nordvpn */
DROP all -- anywhere anywhere /* nordvpn */
DROP all -- anywhere anywhere /* nordvpn */
DROP all -- anywhere anywhere /* nordvpn */
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CONNMARK all -- anywhere anywhere mark match 0xe1f1 /* nordvpn */ CONNMARK save
ACCEPT all -- anywhere anywhere connmark match 0xe1f1 /* nordvpn */
CONNMARK all -- anywhere anywhere mark match 0xe1f1 /* nordvpn */ CONNMARK save
ACCEPT all -- anywhere anywhere connmark match 0xe1f1 /* nordvpn */
CONNMARK all -- anywhere anywhere mark match 0xe1f1 /* nordvpn */ CONNMARK save
ACCEPT all -- anywhere anywhere connmark match 0xe1f1 /* nordvpn */
DROP all -- anywhere anywhere /* nordvpn */
DROP all -- anywhere anywhere /* nordvpn */
DROP all -- anywhere anywhere /* nordvpn */
So my questions are:
- if the firewall is being used for routing, won't that make a mess where routing tables and firewall tables start stepping on each other's toes?
- if iptables is just misleading, what other mechanism could be working in the background to achieve the VPN connectivity, and how can I check them (with CLI commands)?
10.1.10.1?
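As an added example (not part of the original question and not NordVPN's own code), here is a POSIX shell script that checks the mechanisms a VPN client usually relies on beyond the filter table: policy-routing rules keyed on a firewall mark (`ip rule`), the routing table those rules select, the interface's driver type (`ip -d link`), and the kernel module behind it. The sample outputs embedded in it are constructed so the parsing functions can be tried offline; the mark 0xe1f1 is taken from the question, while the table number 205 and the `wireguard` link line are assumptions. Pass `--live` to run the real commands on a host.

```shell
#!/bin/sh
# Added example: inspect the Linux plumbing of a VPN client without vendor tools.
# The SAMPLE_* strings are constructed stand-ins for live command output.

# Constructed `ip rule show` output: one fwmark-keyed policy rule was added
# (mark 0xe1f1 is from the question; table 205 is an assumed number).
SAMPLE_RULES='0:      from all lookup local
32764:  from all fwmark 0xe1f1 lookup 205
32765:  from all lookup main
32766:  from all lookup default'

# Constructed `ip route show table 205` output (assumed table number).
SAMPLE_TABLE='default dev nordlynx scope link'

# Constructed `ip -d link show nordlynx` output; `-d` adds the driver line.
SAMPLE_LINK='6: nordlynx: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0 minmtu 0 maxmtu 2147483552
    wireguard addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535'

# Read `ip rule show` text on stdin; print "<mark> <table>" for every rule
# that selects a routing table by firewall mark.
fwmark_rules() {
  awk '/fwmark/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "fwmark") m = $(i + 1)
      if ($i == "lookup") t = $(i + 1)
    }
    print m, t
  }'
}

# Read `ip route show [table N]` text on stdin; print the device of the
# default route, if any.
table_default_dev() {
  awk '$1 == "default" {
    for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
  }'
}

# Read `ip -d link show <dev>` text on stdin; print the driver type the
# detailed view names (wireguard, tun, tap), or "unknown".
link_type() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i == "wireguard" || $i == "tun" || $i == "tap") { print $i; found = 1; exit }
  } END { if (!found) print "unknown" }'
}

# Run the real commands on this host (requires iproute2, root for iptables/nft).
inspect_live() {
  dev=${1:-nordlynx}
  echo "# policy rules selecting a table by fwmark (mark table):"
  ip rule show | fwmark_rules
  ip rule show | fwmark_rules | while read -r mark table; do
    echo "# table $table, selected by mark $mark:"
    ip route show table "$table"
  done
  echo "# driver type of $dev:"
  ip -d link show "$dev" | link_type
  echo "# kernel modules (a built-in driver will not show here):"
  lsmod | awk '$1 == "wireguard" || $1 == "tun"'
  echo "# mark/connmark rules live in the mangle table, which plain 'iptables -L' does not show:"
  iptables -t mangle -S 2>/dev/null
  echo "# same check for nftables, if the client uses it instead:"
  nft list ruleset 2>/dev/null
}

case "${1:-}" in
  --live) inspect_live "${2:-nordlynx}" ;;
  *)
    printf '%s\n' "$SAMPLE_RULES" | fwmark_rules
    printf '%s\n' "$SAMPLE_TABLE" | table_default_dev
    printf '%s\n' "$SAMPLE_LINK" | link_type
    ;;
esac
```

The point the script makes: `ip route show` only prints the main table, and `iptables -L` only prints the filter table, so a client that marks packets (in mangle, or via SO_MARK on its own sockets) and adds an `ip rule ... fwmark ... lookup N` entry can steer everything through the tunnel without touching either view you looked at. For a WireGuard-type link, `wg show <dev> fwmark` (or `ip -d link`) also reveals whether the tunnel's own encapsulated UDP packets carry a mark, which is how such setups let the outer packets keep using 10.1.10.1 while everything else is routed into the tunnel.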