How can we help you?

How to connect to NordVPN with IKEv2/IPSec on Linux?

This guide utilizes the Strongswan packages to manage the IKEv2/IPSec connection on Linux.

Don’t want to manage the VPN setup manually? Download the NordVPN app for Linux, where all you need to do is install the app, log in, and pick the server you want.

This guide covers the basic debian based guide, however, it should work the same on other distributions. 

1. First, make sure you have all the dependencies on your device. You can do that by running the following command:

sudo apt-get update && apt-get upgrade

2. Get the following packages:

sudo apt-get install strongswan libcharon-extra-plugins libcharon-standard-plugins

Note: For arch based distros and others, you might not have libcharon packages, as they are in the strongswan package. You can just run: pacman -S strongswan and it should be enough.

3. Now, we need to edit ipsec.secrets file with your NordVPN username and password.

sudo nano /etc/ipsec.secrets​



4. Change Username with your NordVPN username and your password with your password. Your password has to be warped inside double commas, and NOTICE the spaces after username, after “:” and after EAP.

5. Once again, use preferred text editor to enter /etc/ipsec.conf file. Do not forget root privileges since file is write-protected from anyone except root.

sudo nano /etc/ipsec.conf



6. The following config should be like this:

conn NordVPN
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        eap_identity="USERNAME"
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config
        right=SERVER
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightid=%SERVER
        rightca=/etc/ipsec.d/cacerts/NordVPN.pem
        type=tunnel
        auto=add


Change SERVER to the hostname of the server you are going to use, and USERNAME to your NordVPN username.

7. We recommend using the "recommended server" utlity to get the best possible server for the IKEv2 setup. You can find the utility here: https://nordvpn.com/servers/tools/



For this guide, we used the US#1019 server.

right=us1019.nordvpn.com


8. Enter /etc/strongswan.d/charon/constraints.conf file.

sudo nano /etc/strongswan.d/charon/constraints.conf

Inside the file change load = yes to load = no.

9. Now we will need to download our NordVPN RSA certificate.

sudo wget https://downloads.nordvpn.com/certificates/root.der -O /etc/ipsec.d/cacerts/NordVPN.der

sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem

10. Now let’s restart ipsec in order to reload all configuration files.

sudo ipsec restart

If you’ve made any typos in /etc/ipsec.conf file you’ll be notified when service will be trying to start.

11. After it’s done, you can connect by launching this command:

sudo ipsec up NordVPN​

This command should show the output “connection NordVPN has been established successfully”.

Note: if you are receiving No config named 'NordVPN' error after running the ipsec up NordVPN command, please refer to this article.

12. To disconnect, simply type:

sudo ipsec down NordVPN

13. If you have any issues with the setup, you can get the logs at this location: 

sudo cat /var/log/syslog

And send it to our support!

Related Articles

© Copyright 2019 all rights reservedSelf-service byNanorep