I want to double VPN (multi-hopping) with NordVPN in Docker

Hello, I want to do double VPN with NordVPN, like Phone > VPS > NordVPN.

I have already made the connection:

VPS > Phone
VPS > NAS in my home

So currently I can connect to the NAS through the VPS. But I want to connect to the internet with NordVPN instead of the VPS's global IP address.

Now my VPN network is created by docker-compose:

version: "3.8"
services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    restart: unless-stopped
    # ports: open the ports required by AdGuard Home (omitted here)
    networks:
      proxy:
      wg-net:
        ipv4_address: 10.2.0.100

    environment:
      - PUID=xxxx
      - PGID=xxxx
    labels:
      # adguard dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.adguard.rule=Host(`xxx.xxxx.xxx`)"
      - "traefik.http.routers.adguard.entrypoints=websecure"
      - "traefik.http.routers.adguard.tls=true"
      - "traefik.http.routers.adguard.tls.certresolver=myresolver"
      - "traefik.http.services.adguard.loadbalancer.server.port=80"
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"
    volumes:
      - ./workdir:/opt/adguardhome/work
      - ./confdir:/opt/adguardhome/conf

  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    restart: unless-stopped
    volumes:
      - .:/etc/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      # Required:
      # Change this to your host's public address
      - WG_HOST=xxx.xxxx.xxx
      # Optional:
      - PASSWORD=xxxxxxxxxx
      - WG_PORT=${EXTERNAL_WG_PORT}
      - WG_DEFAULT_DNS=10.2.0.100
    labels:
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"
    ports:
      - "${EXTERNAL_WG_PORT}:51820/udp"
      - "51821:51821/tcp"
    dns:
      - 10.2.0.100 # Points to AGH
    networks:
      wg-net:
        ipv4_address: 10.2.0.3
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

networks:
  wg-net:
    ipam:
      config:
        - subnet: 10.2.0.0/24
  proxy:
    external: true

Then I add the NordVPN container:

version: "3.8"
services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    restart: unless-stopped
    # ports: as I wrote above
    networks:
      proxy:
      wg-net:
        ipv4_address: 10.2.0.100

    environment:
      - PUID=xxxx
      - PGID=xxxx
    labels:
      # adguard dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.adguard.rule=Host(`xxxx.xxxx.xxx`)"
      - "traefik.http.routers.adguard.entrypoints=websecure"
      - "traefik.http.routers.adguard.tls=true"
      - "traefik.http.routers.adguard.tls.certresolver=myresolver"
      - "traefik.http.services.adguard.loadbalancer.server.port=80"
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"
    volumes:
      - ./workdir:/opt/adguardhome/work
      - ./confdir:/opt/adguardhome/conf

  nordvpn:
    image: ghcr.io/bubuntux/nordvpn
    container_name: nordvpn
    cap_add:
      - NET_ADMIN               # Required
      - SYS_MODULE
    ports:
      - ${EXTERNAL_WG_PORT}:51820/udp
      - 51821:51821/tcp
    environment:                # Review https://github.com/bubuntux/nordvpn#environment-variables
      - USER=${NORDUSR}          # Required
      - PASS=${NORDPW}            # Required
      - CONNECT=${COUNTRY}
      - TECHNOLOGY=NordLynx
      - NETWORK=10.2.0.0/24  # So it can be accessed within the local network
      - PORTS=${EXTERNAL_WG_PORT};${EXTERNAL_SOCKS5_PORT};51820;51821
      - FIREWALL=Disable
      - KILLSWITCH=Disable
      - CYBER_SEC=Disable
      - DNS=${NV_DNS}
    sysctls:
      - net.ipv4.conf.eth0.rp_filter=2
    devices:
      - /dev/net/tun
    restart: unless-stopped
    networks:
      wg-net:
        ipv4_address: 10.2.0.2

  wg-easy:
    image: weejewel/wg-easy
    container_name: wg-easy
    restart: unless-stopped
    volumes:
      - .:/etc/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      # Required:
      # Change this to your host's public address
      - WG_HOST=xxx.xxxx.xxxx
      # Optional:
      - PASSWORD=xxxxxxxxxx
      - WG_PORT=${EXTERNAL_WG_PORT}
      - WG_DEFAULT_DNS=10.2.0.100
      - WG_POST_UP=ip rule add from 10.2.0.2 table 128; ip route add table 128 to 10.2.0.0/24 dev eth0; ip route add table 128 default via 10.2.0.1; iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT;
      - WG_POST_DOWN=ip rule del from 10.2.0.2 table 128; ip route del table 128 to 10.2.0.0/24 dev eth0; ip route del table 128 default via 10.2.0.1
    labels:
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    network_mode: service:nordvpn
    depends_on:
      - nordvpn

networks:
  wg-net:
    ipam:
      config:
        - subnet: 10.2.0.0/24
  proxy:
    external: true

But mostly it does not work. (I don't know why, but it worked two times; after docker compose down && docker compose up -d, the connection dies.) I tried to ping from the NAS to the VPS or the Phone, but neither works. Maybe I need to change some parameters in WG_POST_UP or WG_POST_DOWN, but I am not sure. What should I do?

Edit: I found I can connect to the internet through NordVPN when I changed "- NETWORK=10.2.0.0/24 # So it can be accessed within the local network" to "- NETWORK=<the global IP address of my home> # So it can be accessed within the local network". I don't know why it works, even when I connect from the cellular network, and I am worried about what happens when the global IP of my house changes.
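One thing a reviewer would check in the compose file above is whether WG_POST_DOWN actually mirrors WG_POST_UP: rules that are added on every up but never removed accumulate across repeated down/up cycles. The script below is an added example, not part of the post or of the wg-easy project; it takes the two hook strings exactly as written above, reports every add that has no matching delete, and generates a mirrored POST_DOWN. It only understands the `ip rule`/`ip route` and `iptables -A/-I/-D` forms that appear in the post.

```python
"""Check that WG_POST_DOWN undoes everything WG_POST_UP did.

Added example for the compose file above; it is not part of the original post
or of the wg-easy project. It parses the two hook strings and reports every
'add' that has no matching 'del', since rules that are never removed pile up
across `docker compose down && docker compose up -d`.
"""
import shlex

# The two hooks exactly as they appear in the wg-easy service above.
POST_UP = (
    "ip rule add from 10.2.0.2 table 128; "
    "ip route add table 128 to 10.2.0.0/24 dev eth0; "
    "ip route add table 128 default via 10.2.0.1; "
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE; "
    "iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; "
    "iptables -A FORWARD -i wg0 -j ACCEPT; "
    "iptables -A FORWARD -o wg0 -j ACCEPT;"
)
POST_DOWN = (
    "ip rule del from 10.2.0.2 table 128; "
    "ip route del table 128 to 10.2.0.0/24 dev eth0; "
    "ip route del table 128 default via 10.2.0.1"
)

IPTABLES_ADD = {"-A", "-I"}


def split_commands(hook):
    """Split a ';'-separated hook string into individual commands."""
    return [c.strip() for c in hook.split(";") if c.strip()]


def classify(cmd):
    """Return (operation, key): operation is 'add', 'del' or None, and key is
    the command with the add/delete verb replaced, so an add and its matching
    delete produce the same key."""
    argv = shlex.split(cmd)
    if argv[:1] == ["ip"] and len(argv) > 2 and argv[2] in ("add", "del"):
        return argv[2], " ".join(argv[:2] + argv[3:])
    if argv[:1] == ["iptables"]:
        for i, tok in enumerate(argv):
            if tok in IPTABLES_ADD or tok == "-D":
                op = "add" if tok in IPTABLES_ADD else "del"
                return op, " ".join(argv[:i] + ["<CHAIN-OP>"] + argv[i + 1:])
    return None, cmd


def to_delete(cmd):
    """Rewrite an 'add' command into the command that removes the same rule."""
    argv = shlex.split(cmd)
    if argv[:1] == ["ip"]:
        argv[2] = "del"
    else:
        argv = ["-D" if tok in IPTABLES_ADD else tok for tok in argv]
    return " ".join(argv)


def unmatched_adds(post_up, post_down):
    """Commands in post_up that post_down never undoes."""
    removed = {key for op, key in map(classify, split_commands(post_down)) if op == "del"}
    return [cmd for cmd in split_commands(post_up)
            if classify(cmd)[0] == "add" and classify(cmd)[1] not in removed]


def suggested_post_down(post_up):
    """A POST_DOWN that mirrors post_up, deleting in reverse order."""
    return "; ".join(to_delete(c) for c in reversed(split_commands(post_up))
                     if classify(c)[0] == "add")


if __name__ == "__main__":
    for cmd in unmatched_adds(POST_UP, POST_DOWN):
        print("not undone by POST_DOWN:", cmd)
    print("suggested WG_POST_DOWN:", suggested_post_down(POST_UP))
```

Run against the hooks as posted, it flags all four iptables rules as never removed. Both `ip rule add` and `iptables -A` append a second copy when run again, so a POST_DOWN that deletes every rule POST_UP added, in reverse order, is what keeps repeated up/down cycles from leaving duplicates behind.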

“What should I do?”

Start by finding the last interface the packet is captured on. The source/destination IPs and ports of said packets are also important.

Finding the last interface tells you where it gets dropped/rejected rather than NATed onwards; the IPs/ports tell you whether the packets are NATed properly. This all narrows down the point of failure so that the rules can be adjusted accordingly.
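As an added example of the procedure the reply describes (not part of the thread), the script below reads `tcpdump -n -i any` output, which in tcpdump 4.99 and later carries an interface and direction column per line, follows one flow across interfaces, and reports the last interface it was seen on and whether its source address was rewritten on the way out. The captures are constructed; wg0 and eth0 are the interface names from the compose file, while the `nordlynx` interface name and the 10.5.0.2 tunnel address are assumptions.

```python
"""Find the last interface a flow was seen on and whether it was NATed.

Added example for the debugging approach in the reply above; it is not part of
the thread. Input is text in the format `tcpdump -n -i any` prints with
tcpdump 4.99 and later (interface and direction columns). The captures below
are constructed; wg0 and eth0 are the interface names from the compose file,
'nordlynx' and the 10.5.0.2 tunnel address are assumptions.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed: a DNS query from the phone (10.8.0.2 on wg0) that is forwarded
# and masqueraded onto the NordLynx tunnel, plus its reply.
GOOD_TRACE = """\
12:00:01.000100 wg0   In  IP 10.8.0.2.40000 > 1.1.1.1.53: UDP, length 40
12:00:01.000200 nordlynx Out IP 10.5.0.2.40000 > 1.1.1.1.53: UDP, length 40
12:00:01.030000 nordlynx In  IP 1.1.1.1.53 > 10.5.0.2.40000: UDP, length 120
12:00:01.030100 wg0   Out IP 1.1.1.1.53 > 10.8.0.2.40000: UDP, length 120
"""

# Constructed: the same query arrives on wg0 and is never seen leaving.
DROPPED_TRACE = """\
12:00:02.000100 wg0   In  IP 10.8.0.2.40001 > 1.1.1.1.53: UDP, length 40
"""


@dataclass
class Packet:
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one tcpdump line; returns None for lines that are not IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m["iface"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]))


def outbound_hops(capture, dst, dport):
    """Every capture of the flow towards dst:dport, in the order tcpdump saw it."""
    pkts = (parse_line(ln) for ln in capture.splitlines())
    return [p for p in pkts if p and p.dst == dst and p.dport == dport]


def diagnose(capture, dst, dport):
    """Summarise where the flow was last seen and whether its source was rewritten."""
    hops = outbound_hops(capture, dst, dport)
    if not hops:
        return {"last_iface": None, "natted": False, "verdict": "never captured",
                "path": []}
    first, last = hops[0], hops[-1]
    natted = last.src != first.src
    if last.direction == "Out" and natted:
        verdict = f"forwarded: {first.src} rewritten to {last.src} on {last.iface}"
    elif last.direction == "Out":
        verdict = f"forwarded on {last.iface} without NAT (source still {last.src})"
    else:
        verdict = f"dropped or rejected after arriving on {last.iface}"
    return {"last_iface": last.iface, "natted": natted, "verdict": verdict,
            "path": [(p.iface, p.direction, p.src) for p in hops]}


if __name__ == "__main__":
    for name, cap in (("good", GOOD_TRACE), ("dropped", DROPPED_TRACE)):
        print(name, diagnose(cap, "1.1.1.1", 53)["verdict"])
```

The capture has to be taken inside the network namespace that the nordvpn and wg-easy containers share (wg-easy runs with `network_mode: service:nordvpn`), so that wg0, eth0 and the tunnel interface all appear in one trace. A flow whose last hop is an `In` on wg0 points at the FORWARD or routing rules; one that leaves with its original 10.8.0.0/24 source points at the MASQUERADE rule not matching the outgoing interface.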