Skip to content

nordvpn: init at 4.0.0 #406725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: staging
Choose a base branch
from
Open

nordvpn: init at 4.0.0 #406725

wants to merge 3 commits into from

Conversation

different-error
Copy link

@different-error different-error commented May 13, 2025
edited
Loading

Add the popular NordVPN to NixOS. Tested using the following configuration:

{
  config,
  lib,
  pkgs,
  ...
}:

{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.firewall.enable = false;  # required

  services.nordvpn.enable = true;  # required

  virtualisation.vmVariant = {
    virtualisation = {
      memorySize = 4096;
      cores = 3;
    };
  };

  users.groups.alice = {};
  users.users.alice = {
    isSystemUser = true;
    password = "alice";
    group = "alice";
    extraGroups = [
      "wheel"
      "nordvpn"  # strongly recommended
    ];
    shell = pkgs.bash;
    home = "/home/alice";
    createHome = true;
    packages = with pkgs; [
      tree
    ];
  };

  system.stateVersion = "24.11"; # Did you read the comment?
}

The configuration was tested by running:

nixos-rebuild build-vm --use-remote-sudo -I nixos-config=/path/to/above/configuration.nix -I nixpkgs=/path/to/this/pr/nixpkgs

There is another PR (#220616) for NordVPN, which is over two years old and has been stale for a year. Additionally, there are issues requesting NordVPN support for NixOS here and here.

I chose to extract the .deb package instead of building from source to avoid modifying or leaking the salt. Meshnet is not yet supported, but core NordVPN features work. I’ll create another PR once the Meshnet issues are resolved.

2025-05-13-123306_hyprshot

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: maintainer-list (update) This PR changes `maintainers/maintainer-list.nix` 8.has: documentation This PR adds or changes documentation 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels May 13, 2025
@NixOSInfra NixOSInfra added the 12.first-time contribution This PR is the author's first one; please be gentle! label May 13, 2025
@different-error different-error marked this pull request as ready for review May 13, 2025 10:08
drupol
drupol requested changes May 13, 2025
View reviewed changes
Copy link
Contributor

@drupol drupol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello,

Thanks for your first PR.

I made some feedback, let me know if you need some help.

@NyCodeGHG
Copy link
Member

NyCodeGHG commented May 13, 2025
edited
Loading

For such a security relevant package such as a vpn software, we should build from source if possible.
I'm not sure why you want to avoid "leaking" the salt, since it can be easily extracted from the binary in the .deb you linked.

This would also allow us to patch out quirks such as relying on /usr

NyCodeGHG
NyCodeGHG suggested changes May 13, 2025
View reviewed changes
@different-error
Copy link
Author

For such a security relevant package such as a vpn software, we should build from source if possible. I'm not sure why you want to avoid "leaking" the salt, since it can be easily extracted from the binary in the .deb you linked.

This would also allow us to patch out quirks such as relying on /usr

Your claims about salts are valid and correct! My earlier statement was based on an incorrect misunderstanding, and I've updated the comment accordingly.

Another way to address quirks is to make changes directly in the NordVPN repository, which was my implicit assumption for the next release.

I could update this to build from scratch, but I don’t see the added security benefit. All other Linux distributions download from repo.nordvpn.com (.deb or .rpm) via their install script. I’ve also noticed that ExpressVPN extracts their .deb. Fortunately, building from source is nearly complete thanks to community efforts. Regardless, I’m not convinced there’s a significant advantage. Lmk your thoughts, thanks!

@drupol
Copy link
Contributor

drupol commented May 13, 2025

I could update this to build from scratch, but I don’t see the added security benefit. All other Linux distributions download from repo.nordvpn.com (.deb or .rpm) via their install script. I’ve also noticed that ExpressVPN extracts their .deb. Fortunately, building from source is nearly complete thanks to community efforts. Regardless, I’m not convinced there’s a significant advantage. Lmk your thoughts, thanks!

You are right that most distributions fetch the .deb or .rpm packages from repo.nordvpn.com using the official install script, and that ExpressVPN follows a similar approach in Nixpkgs by extracting the .deb archive.

However, the key issue here is trust and verifiability.

At the moment, there's no reliable way to verify that the binaries provided on repo.nordvpn.com are actually built from the publicly available sources. By using those prebuilt packages, we are implicitly trusting the vendor without any way to independently validate the build integrity.

One of the strengths of Nix is its focus on reproducibility. Building from source allows us (most of the time) to produce reproducible outputs. This enables a verifiable 1-to-1 mapping between the source code and the resulting binaries, which significantly improves the security of the software supply chain.

Fortunately, thanks to recent community efforts, we’re getting close to being able to build the client fully from source.

That’s why I believe it’s worth pushing in that direction.

@different-error
Copy link
Author

I could update this to build from scratch, but I don’t see the added security benefit. All other Linux distributions download from repo.nordvpn.com (.deb or .rpm) via their install script. I’ve also noticed that ExpressVPN extracts their .deb. Fortunately, building from source is nearly complete thanks to community efforts. Regardless, I’m not convinced there’s a significant advantage. Lmk your thoughts, thanks!

You are right that most distributions fetch the .deb or .rpm packages from repo.nordvpn.com using the official install script, and that ExpressVPN follows a similar approach in Nixpkgs by extracting the .deb archive.

However, the key issue here is trust and verifiability.

At the moment, there's no reliable way to verify that the binaries provided on repo.nordvpn.com are actually built from the publicly available sources. By using those prebuilt packages, we are implicitly trusting the vendor without any way to independently validate the build integrity.

One of the strengths of Nix is its focus on reproducibility. Building from source allows us (most of the time) to produce reproducible outputs. This enables a verifiable 1-to-1 mapping between the source code and the resulting binaries, which significantly improves the security of the software supply chain.

Fortunately, thanks to recent community efforts, we’re getting close to being able to build the client fully from source.

That’s why I believe it’s worth pushing in that direction.

Gotcha. A malicious attacker might somehow tamper with their binaries. Building from source is the secure way to go. Ok, will do, thanks!

@different-error
Copy link
Author

Modified the package to build from source instead of extracting the .deb file.
Attribution: I adapted the working configuration found here.

Verified that core features function correctly.
2025-05-13-232059_hyprshot

Thank you all for your time!

drupol
drupol requested changes May 14, 2025
View reviewed changes
NyCodeGHG
NyCodeGHG reviewed May 15, 2025
View reviewed changes
@different-error different-error force-pushed the nordvpn branch 3 times, most recently from 6a79c37 to 30f70e6 Compare May 15, 2025 21:33
@different-error
Copy link
Author

different-error commented May 15, 2025
edited
Loading

I've reduced privileges by using a dedicated nordvpn user. DynamicUser=true behaved inconsistently when I specified the nordvpn group, including when I set it only in SupplementaryGroups=.

Additionally, the nordvpnd source was modified to find helper executables in the <<pkg>>/bin directory (and the PATH, of course). The PATH configured in the systemd unit file now includes only paths to the binaries that are needed.

One more thing, nordvpnd failed to recognize the norduserd process, even though both ran as the same user, which is incorrect behavior. As far as I know, this only affects notifications for VPN server connection/disconnection. I verified basic connect/disconnect operations using OpenVPN and NordLynx protocols.

Thanks again for the review!

2025-05-16-002450_hyprshot

NyCodeGHG
NyCodeGHG reviewed May 16, 2025
View reviewed changes
NyCodeGHG
NyCodeGHG reviewed May 16, 2025
View reviewed changes
@alyssais
Copy link
Member

Requesting security team review due to the pinned libxml2 with known vulnerabilities fixed in the default version.

@leona-ya leona-ya removed their request for review June 30, 2025 11:12
@different-error
Copy link
Author

  • add CVE-2025-6021 to meta.knownVulnerabilities
  • successful connection to vpn
  • rebase onto latest master

To test, one may add the following to configuration.nix

nixpkgs.config.permittedInsecurePackages = [
  "libxml2-2.14.3"
];

Requesting security team review due to the pinned libxml2 with known vulnerabilities fixed in the default version.

fwiw - "pinned libxml2" change looks similar to these: one, two, three.

LeSuisse
LeSuisse requested changes Jul 3, 2025
View reviewed changes
LeSuisse
LeSuisse reviewed Jul 3, 2025
View reviewed changes
@nixpkgs-ci nixpkgs-ci bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 7, 2025
@different-error different-error mentioned this pull request Jul 12, 2025
Open
@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 12, 2025
@different-error
Copy link
Author

  • set version to 4.0.0
  • tested using openvpn and nordlynx technologies
  • removed CVE-2025-6021 since afaik it does not apply to libxml2 v2.13.8 (and no other CVEs apply to the same version)
  • stored openvpn patches locally to avoid depending on third party url which may change in the future
  • I opened an issue upstream to clarify questions regarding configuration encryption

Thanks for the reviews everyone!

@drupol
Copy link
Contributor

drupol commented Jul 12, 2025

set version to 4.0.0

Don't forget to update the commit message accordingly.

ruffsl
ruffsl reviewed Jul 13, 2025
View reviewed changes
@nixpkgs-ci nixpkgs-ci bot added the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 13, 2025
@LordGrimmauld LordGrimmauld mentioned this pull request Jul 13, 2025
Merged
13 tasks
@getreu
Copy link
Contributor

getreu commented Jul 29, 2025

When can we expect this PR in unstable?

@LordGrimmauld
Copy link
Contributor

LordGrimmauld commented Jul 29, 2025
edited
Loading

whenever staging-next is merged to master and the channel advances
Edit: This PR first needs to be ready. It was waiting on the libxml2_13, which has now reached master: #425387

This means @different-error can now use that libxml version:

I intend to use the libxml2_13 package once that completes

@drupol
Copy link
Contributor

drupol commented Jul 29, 2025
edited
Loading

When can we expect this PR in unstable?

Dumb answer: when it will be done and merged?

No, but more seriously, it's difficult to evaluate such questions. At the moment, I think the author is waiting for #406725 (comment), and then it will be re-evaluated.

There's also a minor conflict that need work, so, once all of this will be fixed, I guess the review process will continue.

@different-error
Copy link
Author

whenever staging-next is merged to master and the channel advances Edit: This PR first needs to be ready. It was waiting on the libxml2_13, which has now reached master: #425387

This means @different-error can now use that libxml version:

I intend to use the libxml2_13 package once that completes

Unfortunately #425387 did not contain the libxml2_13 changes found in #421740. The master branch currently does not contain libxml2_13 package. Maybe @drupol @leona-ya can shed insights on expected timeline?

@LordGrimmauld
Copy link
Contributor

Oh wait damn, indeed you are right, missed that staging cycle by two days, i missed that.
You can target staging instead, where that PR is merged already. While your PR doesn't cause mass rebuilds, it depends on a PR that is currently only in staging, so targetting staging is fine.

@LeSuisse LeSuisse changed the title nordvpn: init at 3.20.2 nordvpn: init at 4.0.0 Jul 29, 2025
@different-error different-error changed the base branch from master to staging July 30, 2025 11:22
@nixpkgs-ci nixpkgs-ci bot closed this Jul 30, 2025
@nixpkgs-ci nixpkgs-ci bot reopened this Jul 30, 2025
@different-error
Copy link
Author

I face some difficulty atm. I cannot build staging locally. Running the tests suite or building the VM either fails or consumes too much memory. You can find these changes in my fork here. Since I cannot build staging, I cannot push my changes to this PR. I intend to try every so often, but worst case I can change base back to master once libxml2_13 merges.

@ruffsl
Copy link

ruffsl commented Aug 16, 2025

I intend to try every so often, but worst case I can change base back to master once libxml2_13 merges.

Looks like libxml2_13 has made its way into staging-next. The PR to watch for when it finally merges into main:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LeSuisse LeSuisse LeSuisse requested changes

@alyssais alyssais alyssais left review comments

@leona-ya leona-ya leona-ya left review comments

@LordGrimmauld LordGrimmauld LordGrimmauld left review comments

@NyCodeGHG NyCodeGHG Awaiting requested review from NyCodeGHG

@hsjobeki hsjobeki Awaiting requested review from hsjobeki

@GetPsyched GetPsyched Awaiting requested review from GetPsyched

@fricklerhandwerk fricklerhandwerk Awaiting requested review from fricklerhandwerk

@drupol drupol Awaiting requested review from drupol

+2 more reviewers

@ruffsl ruffsl ruffsl approved these changes

@Blatzar Blatzar Blatzar left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
2.status: merge conflict This PR has merge conflicts with the target branch 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 8.has: maintainer-list (update) This PR changes `maintainers/maintainer-list.nix` 8.has: module (new) This PR adds a module in `nixos/` 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: tests This PR has tests 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person. 12.first-time contribution This PR is the author's first one; please be gentle!
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.