azinchen/nordvpn

By azinchen

Updated 11 days ago

NordVPN Docker Client

Image
28

1M+

azinchen/nordvpn repository overview

logo

NordVPN OpenVPN Docker Container

GitHub release GitHub release date GitHub build
GitHub stars GitHub forks Open issues GitHub last commit
Docker pulls Docker stars Docker image size
Multi-arch

OpenVPN client docker container that routes other containers' traffic through NordVPN servers automatically.

Prefer WireGuard? This has a sibling project, azinchen/nordvpn-wg — the same auto-routing NordVPN container over WireGuard (NordLynx). Both share the same configuration model and feature set.

✨ Key Features

  • 🚀 Easy Setup — Route any container's traffic through VPN with --net=container:vpn
  • 🌍 Smart Server Selection — Auto-select servers by country, city, group, or specific hostname (details)
  • ⚖️ Load Balancing — Intelligent sorting by server load when multiple locations specified
  • 🔄 Auto-Reconnection — Periodic server switching and health monitoring (details)
  • 🕵️ XOR Obfuscation — Built-in XOR patches disguise OpenVPN traffic to bypass DPI (details)
  • 🛡️ Kill Switch — Default-deny firewall blocks all traffic when VPN is down (details)
  • 🏠 Local/LAN Access — Allow specific CIDRs with NETWORK=... (details)
  • 📵 IPv6 Firewall — Built-in chains default to DROP (details)
  • 🧱 iptables Compatibility — Auto-selects nft or legacy backend (details)
  • 🚪 VPN Gateway Mode — Route downstream networks out through the tunnel with FORWARD_FROM=... (details)

📖 Full documentation on the Wiki — configuration guides, examples, troubleshooting, FAQ, and architecture.


Quick Start

docker run -d --cap-add=NET_ADMIN --device /dev/net/tun --name vpn \
           -e USER=service_username -e PASS=service_password \
           azinchen/nordvpn

Route other containers through VPN:

docker run --net=container:vpn -d your/application

Also available from GitHub Container Registry: ghcr.io/azinchen/nordvpn

Requirements
  • Docker with --cap-add=NET_ADMIN and --device /dev/net/tun
  • NordVPN Service Credentials (not regular account credentials)
Getting Service Credentials
  1. Log into your Nord Account Dashboard
  2. Click on NordVPNAdvanced SettingsSet up NordVPN manually
  3. Go to the Service credentials tab
  4. Copy the Username and Password shown there

Note: These are different from your regular NordVPN login credentials.

Docker Compose Example

services:
  vpn:
    image: azinchen/nordvpn:latest
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - USER=service_username
      - PASS=service_password
      - COUNTRY=United States;CA
      - RANDOM_TOP=10
      - RECREATE_VPN_CRON=0 */6 * * *
      - NETWORK=192.168.1.0/24
    ports:
      - "8080:8080"
    restart: unless-stopped

  app:
    image: nginx:alpine
    network_mode: "service:vpn"
    depends_on:
      - vpn
    restart: unless-stopped

More examples: Docker Compose · Docker Run

Environment Variables

VariableDetails
USERRequired — NordVPN service credentials username.
PASSRequired — NordVPN service credentials password.
PUIDUser ID for the nordvpn process. Default: 912
PGIDGroup ID for the nordvpn process. Default: 912
COUNTRYFilter by countries: names, codes, IDs, or server hostnames (list). Semicolon‑separated.
CITYFilter by cities: names, IDs, or server hostnames (list). Semicolon‑separated.
GROUPFilter by server group (list).
TECHNOLOGYOpenVPN protocol (list). Default: openvpn_udp
RANDOM_TOPRandomize top N servers. Default: 0
PORTForce a specific port for the VPN connection. Must be supported by the server. Default: auto
RECREATE_VPN_CRONServer switching schedule (cron). Default: disabled
CHECK_CONNECTION_CRONHealth monitoring schedule (cron). Default: disabled
CHECK_CONNECTION_URLURLs to test connectivity; semicolon‑separated. Default: https://www.google.com
CHECK_CONNECTION_ATTEMPTSConnection test retry count. Default: 5
CHECK_CONNECTION_ATTEMPT_INTERVALSeconds between retries. Default: 10
NETWORKLAN/inter‑container CIDRs to allow; semicolon‑separated. Default: none
FORWARD_FROMDownstream CIDRs allowed to route OUT through the tunnel (gateway mode). Traffic must arrive already SNATed into these nets. Semicolon‑ or comma‑separated. Default: none
NORDVPNAPI_IPAPI bootstrap IPs (semicolon‑separated). Default: 104.16.208.203;104.19.159.190
XOR_KEYXOR scramble obfuscation key for openvpn_xor_* technologies. Default: NordVPN's built-in key
OPENVPN_OPTSAdditional OpenVPN parameters.
NETWORK_DIAGNOSTIC_ENABLEDEnable network diagnostics on connect. Default: false
HEALTHCHECK_ENABLEDEnable the Docker HEALTHCHECK probe (checks tun0 + connectivity via CHECK_CONNECTION_URL). When false, the container always reports healthy. Default: false

Issues

If you have any problems with or questions about this image, please contact me through a GitHub issue or email.

Check the Troubleshooting and FAQ wiki pages first.

Tag summary

Content type

Image

Digest

sha256:eab3411e1

Size

14.9 MB

Last updated

11 days ago

docker pull azinchen/nordvpn