Updated: June 1, 2024

NordVPN Linux

NordVPN has its own firewall. When NordVPN is running, it blocks all ports and services except those that are absolutely necessary. You can access your computer from your local network, but you have to whitelist it for each user (see the instructions below), because the nordvpn settings are different for each user. Hence, if you are logged in to your computer as user_2 and there is no nordvpn whitelist for user_2, you cannot log in remotely as user_1, even though the nordvpn settings for user_1 are whitelisted. You CANNOT access your computer from the Internet! NordVPN does NOT support Port Forwarding!

Reference: NordVPN Port Forwarding and VPNs

Install Nordvpn

To install nordvpn from the terminal:

sudo apt install curl
sh <(curl -sSf https://downloads.nordcdn.com/apps/linux/install.sh)

To run nordvpn, you must be a member of the nordvpn group:

sudo gpasswd -a your_user_name nordvpn

After all users of nordvpn have been added to the nordvpn group, reboot your machine.

sudo reboot

Next, you need to log in to your nordvpn account:

nordvpn login --token your_token

Next, connect to one of nordvpn's servers:

nordvpn connect US

Now, everything that is output from your Ethernet or Wi-Fi interfaces goes through a secure tunnel to the connected nordvpn server.

This is probably more restrictive than you want. To access other computers, network drives, and printers on your local area network, you need to "whitelist" your local area network:

nordvpn whitelist add subnet 192.168.0.0/24

Nordvpn will save and remember your whitelist.

To check the status of your connection, enter:

nordvpn status

Sample output:
Status: Connected
Current server: us8688.nordvpn.com
Country: United States
City: New York
Server IP: 185.187.243.43
Current technology: OpenVPN
Current protocol: UDP
Transfer: 14.36 KiB received, 5.92 KiB sent
Uptime: 51 seconds

Now, when you want to connect to Nordvpn all you have to enter is:

nordvpn connect US

Similarly, to disconnect from the Nordvpn server, enter:

nordvpn disconnect

Nordvpn Settings

To view Nordvpn's settings:

nordvpn settings

Sample output:
Technology: OpenVPN
Protocol: UDP
Firewall: enabled
Kill Switch: enabled
CyberSec: disabled
Obfuscate: disabled
Notify: disabled
Auto-connect: enabled
IPv6: disabled
DNS: disabled
Whitelisted ports:
22 (UDP|TCP)
Whitelisted subnets:
192.168.0.0/16

The following command will auto-connect Nordvpn to a USA server:

nordvpn set autoconnect enabled US
 
The auto-connect to US command selects a random US server. When I manually connected using:
 
nordvpn connect US
 
I was always connected to a server in the Dallas, TX area.

Note, if autoconnect is already enabled to another country or city, you must first run:

nordvpn set autoconnect disabled

This sometimes happens after an upgrade. For example, after an upgrade, I was always connecting to the Ukraine.

kill switch:
 nordvpn set killswitch on  
 nordvpn set killswitch off  

If you do not whitelist the LAN, you will not be able to ssh into the Raspberry Pi.
white list:
 nordvpn whitelist add subnet 192.168.0.0/24  

If you add a 2nd subnet, it will replace the 1st subnet. Hence, only one subnet.

 nordvpn whitelist remove subnet 192.168.0.0/24  

nordvpn set technology OpenVPN
nordvpn set protocol tcp

Always check that Nordvpn is connected with nordvpn status, even if you have autoconnect enabled. Occasionally, nordvpn will require you to log back in to their server. If you are not logged in, autoconnect will not work, and there is no warning whatsoever that you are not using a VPN.
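One way to automate the check described above, as an added example that is not part of the original page or of NordVPN's own tooling: the script parses the text of nordvpn status and nordvpn settings and reports when the tunnel is down or the kill switch is off. The field names are taken from the sample output on this page; the spinner-prefixed sample and the "live" argument are constructed for this example.

```shell
#!/bin/sh
# Added example (not NordVPN's own tooling). Field names come from the sample
# "nordvpn status" / "nordvpn settings" output shown on this page.

# field NAME: read "Name: value" lines on stdin and print the value of NAME.
# Carriage returns and leading non-letters are dropped first, so a progress
# spinner printed in front of the first field does not hide it.
field() {
    tr -d '\r' | sed 's/^[^A-Za-z]*//' |
        awk -F': *' -v key="$1" '!seen && $1 == key { print $2; seen = 1 }'
}

# vpn_problems STATUS_TEXT SETTINGS_TEXT: print one line per problem found.
# Returns 0 only when the tunnel is up and the kill switch is enabled.
vpn_problems() {
    problems=0
    state=$(printf '%s\n' "$1" | field 'Status')
    if [ "$state" != "Connected" ]; then
        # Also reached when there is no Status line at all (e.g. logged out).
        echo "tunnel is not up (Status: ${state:-missing})"
        problems=1
    fi
    ks=$(printf '%s\n' "$2" | field 'Kill Switch')
    if [ "$ks" != "enabled" ]; then
        echo "kill switch is ${ks:-missing}"
        problems=1
    fi
    return "$problems"
}

# Constructed samples so the script can be tried offline.
SAMPLE_UP=$(printf '\r-\r  \rStatus: Connected\nCurrent server: us8688.nordvpn.com')
SAMPLE_DOWN='Status: Disconnected'
SAMPLE_SETTINGS='Firewall: enabled
Kill Switch: enabled'

if [ "${1:-}" = "live" ]; then
    # Real check: suitable for cron or a login script; exit status 1 on any problem.
    vpn_problems "$(nordvpn status 2>&1)" "$(nordvpn settings 2>&1)" || exit 1
else
    echo "sample, connected:";    vpn_problems "$SAMPLE_UP" "$SAMPLE_SETTINGS" || true
    echo "sample, disconnected:"; vpn_problems "$SAMPLE_DOWN" "$SAMPLE_SETTINGS" || true
fi
```

Run it with the argument live to query the installed client; without arguments it only exercises the constructed samples.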

DNS Leaks

To test for Domain Name Server (DNS) leaks go to:
 
https://dnsleaktest.com
 
Because I was using the default setting with Firefox, I had DNS leaks. I was informed via Nordvpn chat to go to Firefox Settings-General-NetworkSettings and uncheck the Enable DNS over HTTPS box. This fixed my DNS leak.
 
I also tried leaving Enable DNS over HTTPS checked and changing the "provider" to "custom" and entering Nordvpn DNS's IP addresses separated by a comma: 103.86.96.100, 103.96.99.100. This appeared to also work.

Another excellent site for checking for DNS leaks and WebRTC (Web Real Time Communications) leaks is:
 
https://IPLeak.net

To see your DNS servers:  cat /etc/resolv.conf
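The same file can be checked mechanically. The following is an added example, not from the original page: it lists every nameserver in resolv.conf text that is not in a list of resolvers you expect while the VPN is connected. The function name, the "live" argument and the sample file contents are constructed for this example; 103.86.96.100 is one of the addresses quoted above.

```shell
#!/bin/sh
# Added example, not from the original page. Pass the resolver addresses you
# expect to see while the VPN is connected; everything else is reported.

# unexpected_nameservers ALLOWED...: read resolv.conf text on stdin and print
# every "nameserver" address that is not in ALLOWED. Returns 1 if any address
# was printed or if the text names no nameserver at all, otherwise 0.
unexpected_nameservers() {
    allowed=" $* "
    awk '$1 == "nameserver" { print $2 }' | (
        rc=0 seen=0
        while read -r ns; do
            seen=1
            case "$allowed" in
                *" $ns "*) ;;                 # expected resolver
                *) echo "$ns"; rc=1 ;;        # resolver outside the list
            esac
        done
        [ "$seen" -eq 1 ] || rc=1
        exit "$rc"
    )
}

# Constructed resolv.conf contents: 192.168.0.1 stands in for a home router
# that was left in place next to the VPN provider's resolver.
SAMPLE_RESOLV='# constructed sample
search lan
nameserver 103.86.96.100
nameserver 192.168.0.1'

if [ "${1:-}" = "live" ]; then
    # Usage: sh thisfile live ADDRESS...   (checks the real /etc/resolv.conf)
    shift
    unexpected_nameservers "$@" < /etc/resolv.conf
else
    printf '%s\n' "$SAMPLE_RESOLV" | unexpected_nameservers 103.86.96.100 || true
fi
```

A loopback address such as 127.0.0.53 in the file means a local stub resolver is in use and the real upstream servers are configured elsewhere. A browser using DNS over HTTPS, as in the Firefox case above, does not consult this file at all, so the web-based leak tests remain necessary.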

Nordvpn chat support is excellent. However, you will need a way to send them a screenshot.
 
 sudo apt install gnome-screenshot 
 
Menu-Accessories-Screenshot

Nordvpn 38.18.1

Whitelist does not work with version 38.18.1

To install the previous version:

sudo apt install nordvpn=38.18.0

To hold back newer versions of this package when doing general updates:

sudo apt-mark hold nordvpn

To release the hold:

sudo apt-mark unhold nordvpn

To see all held back packages:

sudo apt-mark showhold

Telemetry Data Collection

Raspberry Pi Imager / Telemetry

The Raspberry Pi Imager is a tool for putting an OS image onto an SD card. It is available for Linux, Windows, and macOS. In version 1.5, they added telemetry, which collects which OS you are putting on the SD card. Starting with version 1.6, you can opt out of telemetry by opening the tool and hitting Ctrl+Shift+X, which brings up the hidden advanced options dialog box. Uncheck enable telemetry (the last checkbox). Afterwards there will be a hidden file, ~/.config/Raspberry Pi/Imager.conf. Check this file to make sure telemetry=false. One of the advanced options is to configure a wireless LAN. This option has my wireless LAN SSID in it, and I have not figured out how to remove my SSID. I am very leery of this program.

Raspberry Pi Recommended Software

I am suspicious of the Raspberry Pi Menu/Preferences/Recommended Software program. This program calls home and updates the list of Recommended Software. It is not going through a browser (and/VPN) so I suspect it is exposing your IP address.

Raspberry Pi Updater

The Raspberry Pi Updater runs every time the Pi is powered up and at least once every 24 hours. This program has to read the files on your computer and compare them to the latest versions. It is not running in a browser so it may be exposing your IP address. I do not know what protocol it is using. Ditto for sudo apt update and sudo apt upgrade. But at least apt update and apt upgrade do not run randomly. You can right click on the Task Bar and select "Add / Remove Panel Items" and remove the RPi Updater (between System Tray and Ejector). However, I do not know at this time if this stops the updater program or just prevents the update notice from appearing in the Task Bar. You have to be a member of the sudo group to add and remove items from the Task Bar.

Raspberry Pi Date and Clock

The Raspberry Pi does not have a real time clock. It gets its date and time from a server on the web.

Microsoft Visual Studio Code (Editor)

The Microsoft Visual Studio Code Editor "does" collect telemetry data. This is one of the programs listed in the Recommended Software under Menu/Preferences. There is a version of this program that does not collect telemetry data. However, the Raspberry Pi Foundation chose the Microsoft version with telemetry.

Real VNC Server

The Real VNC Server is installed by default. However, you can remove it: Under Menu/Options, there is "Updates" and a checkbox that allows the VNC server to automatically check for critical security patches and for product updates. There is also a link on this page to read their privacy policy. You can uncheck this box, hit Apply and OK.

Chromium Browser (Google)

Even if you have downloaded another browser and set it to be your default browser, if you double click on some files such as a jpg, it will open up in Google's chromium-browser. You can remove it:
 
sudo apt purge --autoremove chromium-browser
 
If you right click on a file and select open with, there is a checkbox at the bottom of the dialog window: "Set selected application as default action for this type of file".

Summary

There is probably no way to hide your IP address from the Internet. However, you can hide your browser activity from your Internet Service Provider, Google, Facebook, Microsoft, Amazon, etc., with a good VPN that does not leak your IP address (DNS and WebRTC leaks). You can also stop most programs from collecting telemetry data that might be used to fingerprint you.

History

Bash commands are stored in the file ~/.bash_history and in memory. To clear the history file:
 
history -c && history -w
 
To not save bash commands in the history file: set HISTFILESIZE=0 in ~/.bashrc.
To limit the bash commands in memory: set HISTSIZE=10 in ~/.bashrc

References:

NordVPN on Debian and Raspberry Pi
