it’s baffling me as well lol, actually considering installing another linux distro in a virtual machine to see if i get the same results, if i execute wg in a terminal not as root but just as my normal user it just brings up a new command line like you’ve quoted above
Good news guys eventually got my private key after installing Debian on a virtual machine then installing wireguard under root and installing nordvpn 3.3.0 under root, it now shows it as an interface in wireguard, so glad I got this working lol thanks for all the assistance guys
1 Like
This is exciting, out of curiosity what are the performance differences you are seeing with wireguard vs ovpn on nordvpn? I tried re-creating your steps but failed miserably. So I am going to start again from scratch. Any chance you could put together the step by steps one would need to do to get this implemented correctly?
I run surfshark vpn, they only have wireguard app for apple, windows and android, is it possible to find some config files in those app to create wireguard files on router?
thanks
ok,first off please excuse my punctuation i didnt feel like proof reading and corrections 
also i am VERY novice at linux… i just kinda figured this out by playing around but it works for what i need it for which is a vpn connection with a killswitch that is always on in the os not an app. i DO NOT know the security implications for connecting this way or if it is safe, only that it WORKS!
so, for anyone who is curious i am using kali which is debian based linux and i have figured out how to manually connect to nordvpn reliably at startup so the vpn is permanently connected and all traffic goes through it and if it drops all trafic is halted NOTHING LEAKS as far as i can tell… again as i said, i am very novice at linux so maybe it does or this is ridiculous and defeats its own purpose or who knows i only added this as i know its similar to what may be helpful for other applications and again as i said, IT WORKS for manual wg-quick connections.
so first thing, ill do all this in the terminal
i configure systemd/networkd (“nano /etc/systemd/networking/wg0.network”) for wg0 because thats what im using because i wanted dhcp disabled completly but you may need to edit the /etc/network/interfaces if thats how yours is set up and add something in the correct syntax equivilant of this to it instead
[Match]
Name=wg0
[Network]
Address=10.5.0.2/32
DNS=103.86.96.100
DNS=103.86.99.100
DHCP=false
i had problems with it not assigning the ip correctlty to wg0 on its own with the way wg showconf presents the file contents and so for me i decided i liked this way best
OR/BUT
im pretty sure you can just manually add only the desired ip of 10.5.0.2/32 to the [Interfaces] section of the wg0.conf file and get the same result… anyway…
then i add the sources for nordvpn
“nano /etc/apt/sources.list.d/nordvpn.list”
deb Index of /deb/nordvpn/debian/ stable main
and save with ctl x
and “apt update”
then apt “install nordvpn”
and then “nordvpn login” and enter my credentials and it says connected or something similar
then “nordvpn set technology nordlynx” to set it from openvpn to wireguard
i then “nordvpn c --group p2p us los_angeles” this connects me to a p2p friendly server in los angeles
once it says connected i “ifconfig” and ensure that the nordlynx connection is there and it is both sending and RECEIVING data. i then “ping” once again making sure that things are indeed working correctly.
if everythings good to this point i then:
“wg showconf nordlynx”
and it prints out the info of what would be the wireguard configuration file in correct file format
here is what the command gives me (the keys and endpoint redacted):
[Interface]
ListenPort = 43329
PrivateKey = ***********************************************
[Peer]
PublicKey = *************************************************
AllowedIPs = 0.0.0.0/0
Endpoint = ...:51820
PersistentKeepalive = 25
i then disconnect from nordlynx “nordlynx d”
highlight and copy the info given and
create a file “nano /etc/wireguard/wg0.conf” with which i paste the given info from the wg showconf nordlynx command,
and also this to the [Interface] section from wg-quick manual (man wg-quick) for the killswitch:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i
fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i
fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
so it looks like:
[Interface]
ListenPort = 43329
PrivateKey = ***********************************************
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = ******************************************
AllowedIPs = 0.0.0.0/0
Endpoint = ...:51820
PersistentKeepalive = 25
and then save with ctl x.
i then edit the resolv.conf and delete whats in it and replace it with the 2 nordvpn dns servers instead
“nano /etc/resolv.conf” so it looks like this:
nameserver 103.86.96.100
nameserver 103.86.99.100
and then save with ctl x
and “chattr +I /etc/resolv.conf” to prevent any further changes
at this point everything should be good to go and i just need to enable the process at boot and start it
“systemctl enable wg-quick@wg0”
“systemctl start wg-quick@wg0”
then i check everything with “ifconfig” and make sure there is a listing for wg0 now, (just like the nordlynx was before when i had the nordvpn app connected) and that it is both sending AND receiving data
i also “ping” to verify its up and running
at this point i should now be able to go to my browser and to any ip or dns leak testing site and get back the los angeles based vpn ip with no sign of my own whatsoever.
i then remove the nordvpn program
“apt remove nordvpn”
and comment out the nordvpn sources.list additions
“nano /etc/apt/sources.list.d/nordvpn.list”
#deb Index of /deb/nordvpn/debian/ stable main
save ctl x
and then
“apt update”
this should now be persistent across reboots also and will permanently be there until it is stopped with:
“systemctl stop wg-quick@wg0”
any ifconfig after stopping will now only show my eth0 and lo NOT the wg0 at which time my personal ip address will then be showing in any ip or dns test site untill it is rebooted or the service restarted with
“systemctl restart wg-quick@wg0”
anyway i wrote this hoping that the way the wg showconf command will give the wireguard config file contents and the way ive implemented things here might be useful for someone elses needs as well so i hope this helps someone because i sure find it useful…
i realize that by relaying this info here it inevitably tips off the vpn this is possible which only encourages them to change it so it isnt possible to do this but my hope is that maybe we all just keep this quiet and it doesnt get back around to them
again i am novice at BEST with all this so for all i know this is a horrible idea
1 Like
Hi everyone,
sorry I am late to the party…
Anyways, thanks to all the great information on this post, I was able to create a script that generates the Wireguard configuration file for a NordVPN connection.
Such file can be imported to the Wireguard client on all platforms which makes using NordVPN so much faster and easier.
And… of course the content of the generated file can be cut/paste into the GL.iNet Wireguard management section and voila’, all done.
The repository is here:
There is full documentation.
Let me know if that works for you.
Stefano
4 Likes
Thanks for creating the NordVpnToWireguard script. I did a test to generate a Wireguard config file and it works! 
I made a small change to a copy of script to log in and log out with my username/password.
I made a small change to another copy of the script to generate a Wireguard config file for NordVPN Double_VPN (a.k.a. multi hop), which works also! !
I do not work for and I am not directly associated with GL.iNet
1 Like
@wcs2228 Glad it helped!! I setup my whole family and all the media devices to use the Wireguard client to connect to NordVPN and also from the GL.iNet router. It’s so much faster and easy to use than the official app.
Stefano
1 Like
Guys,
I just realized that I named the repository with a dash at the start. Of course, it was cosmetic but it was ugly, so I corrected it.
The correct link is:
Sorry for the confusion.
Stefano
5 Likes
@sfiorini Hey mate. You are an absolute legend! Thanks so much for this.
I noticed there’s no PersistentKeepalive component to the generated conf. Do we need to do anything with that or is it good to go?
1 Like
You are right. I need to add that. It’s very important to keep a persistent connection. It’s should have a value of 25.
Thank you,
Stefano
@Avsynthe I did add “PersistentKeepalive = 25” as I use it on all my permanent VPN connections. Thank you for pointing that out. You can pull the latest code on github.
Stefano
Hello all,
Many many thanks for all the efforts and time in this thread. I’ve hacked around with DD-WRT,
Asuswrt-merlin, Ubuntu and now my 2nd Gl.inet router (Beryl)
Many thanks Stefano for putting it all together in your bash script.
To date, this has been the best result for me, running NordVPN wireguard on a router.
I hope my question is simple. I generate the config files from Ubuntu and Nordvpn linux client.
I have noticed when running the resulting wireguard client on Beryl, that an additional server
is appearing on an extended test, dnsleaktest.com page. A server I don’t see with any of the native
Nordlynx apps (Windows/Linux).
Specifically…
185.152.67.116 unn-185-152-67-116.datapacket.com. Datacamp Limited
I’m wondering if I need to add DNS servers to my linux Nordvpn settings, before running NordVpnToWireguard.sh ? Which doesn’t seem logical as I believe nord defaults to its
own DNS servers, if none specified ?
We had noticed some odd behaviour with Beryl and the above procedures, great download
speeds ! 4x faster than openvpn for us, however some initial landing screens on services,
very slow to load all the graphics. Also the odd ‘warning’ that I was using a VPN.
This led me to the dns leak test.
I’m happy to share any config files, or Beryl MT-1300 screengrab settings if it also helps others.
I notice some DNS references from the past, in this thread, but they don’t seen relevant
to my setup.
I’m extremely grateful to have got this far, and hope the possible ‘dns-leak’ helps others.
I pondered if NordVPN owns Datacamp LTD, however beryl, and this WG setup,
is the only combo that generates Datacamp LTD, in a dns leak test for me.
I think 185.152.67.116 is the NordVPN server (i.e., endpoint) that you have chosen to connect to. You can look up the the IP address of the endpoint that is in your Wireguard config file (network-tools.com).
NordVPN servers are hosted in 3rd-party data centers, including Datacamp Limited. The same applies to other VPN providers.
I do not work for and I do not have formal association with GL.iNet
Hi wes228,
Many thanks for your reply, and you are 100% correct. My initial searches on Datacamp had me nervous as it was being flagged by spam/malware monitors. But I have had confirmation, as you
said, that Nord does use these guys.
I’m still unsure as to why the native Nordvpn clients (linux/windows) never lists datacamp in dns leak
tests using WG, (Perhaps its that double encryption deal Nordlynx does ?) and that we are using
native WG in this instance.
Sorry if I misled anyone. I think this whole setup is fantastic and
sincerely appreciate what’s been done here. If there is a setting, or something I’m doing incorrectly
that introduces the extra 3 Datacamp servers I see. I will post ‘why’ here. But I’m leaning towards
‘It is what it is’…
1 Like
I am a bit confused here… Why is Wireguard for NORDVPN so hard to get configured easily… (For those without easy access to Ubuntu)
For OpenVPN I just go to the Nord site and download the config and I am up. But I take a big hit in speed. Whats it going to take to get the same ease for Wireguard?
NordVPN has their own proprietary WireGuard implementation called “NordLynx”, so they do not provide config files to users. You can “reverse generate” your own config files on Linux that is backwards-compatible with standard WireGuard, but this is not supported by NordVPN.
I do not work for and I do not have formal association with GL.iNet
Not rally concerned if they support it… Just care if it works… Do I really have to set up a linux environment just to create the config file?
Cant I just create one in an editor and fill in the missing pieces? then past it into the router? I am looking for the easy button…
I guess at the last resort, I could set up a linux VM on my old laptop… But what a pain in the ARSE… 
Hey 
first of all many thanks to help with the Config files. I am using the small GLI net 300 for my Smart TV and when we eventually travel again. But I have the problem that when I used OpenVPN config file from nordvpn.com it works faster and better then Wire guard. It connects snd works fine in my phone but live streaming is not working on my tv at all. Is it because this small router is not capable? But I was thinking speeds up to 300 Mbits are supported and if i use LAN directly to my PC I have 300Mbits. Is there anything I can do?