Linux, nordvpn and sleep/resume

I’d really like nordvpn to survive sleep/resume events but of course, if the remote end doesn’t hear from my laptop then it’s going to drop the connection. Fair enough, I’m happy to do a disconnect before sleep and a re-connect on resume as long as I can automate it – I have the usual thing in /usr/lib/systemd/system-sleep/sleep-stuff (below).

But it doesn’t quite work. On resume, ‘nordvpn connect’ is run and the routing table looks good if observed immediately (i.e. from within the sleep/resume script):

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.1.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp3s0
10.8.1.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
103.137.12.219  192.168.0.1     255.255.255.255 UGH       0 0          0 wlp3s0
128.0.0.0       10.8.1.1        128.0.0.0       UG        0 0          0 tun0
172.16.2.0      0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
172.16.71.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0

Unfortunately, by the time I log in, the routing table has been zapped back to non-vpn mode by ‘something’, I don’t know what, maybe NetworkManager:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp3s0
172.16.2.0      0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
172.16.71.0     0.0.0.0         255.255.255.0   U         0 0          0 vmnet1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0

nordvpn status reports that it’s working:

$ nordvpn status
Status: Connected
Current server: au492.nordvpn.com
Country: Australia
City: Brisbane
Your new IP: 144.48.39.91
Current technology: OpenVPN
Current protocol: UDP
Transfer: 7.89 MiB received, 6.00 MiB sent
Uptime: 24 minutes 52 seconds

… but of course I have to do an additional disconnect/connect which is cheesy.

Any ideas?

Here’s the script (put into /usr/lib/systemd/system-sleep/sleep-stuff and chmod +x):

#!/bin/sh
# systemd calls this with $1 = "pre" before suspend and "post" after resume.
# Uses POSIX '=' and '>/dev/null 2>&1' so it also works when /bin/sh is not bash.
if [ "${1}" = "pre" ]; then
    # before suspend
    pgrep nordvpnd >/dev/null 2>&1 && nordvpn status | grep -q 'Status: Connected' && {
        # This will run as root, so root needs to have been initialised by
        # nordvpn login at some time in the past.
        /bin/nordvpn disconnect
    }
elif [ "${1}" = "post" ]; then
    # after resume
    pgrep nordvpnd >/dev/null 2>&1 && {
        # This will run as root, so root needs to have been initialised by
        # nordvpn login at some time in the past.
        (
            sleep 5 # I've tried sleep from 0 to 5
            /bin/nordvpn connect
            netstat -rn # routing table looks OK now but it gets zapped by something else later!!
        ) &
    }
fi

This is on Fedora-31.
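
The mismatch described in the post (nordvpn status says Connected while the 0.0.0.0/1 and 128.0.0.0/1 routes via tun0 are gone, so traffic leaves over the plain wlp3s0 default route) can be detected by cross-checking the two outputs. The script below is an added example, not the poster's code; the function names are made up here and the sample inputs are trimmed copies of the output shown above.

```shell
#!/bin/sh
# Added example: flag "Connected" status with the VPN routes missing.

# Succeeds only if both halves of the split default route (Destination
# 0.0.0.0 and 128.0.0.0, each with Genmask 128.0.0.0) use a tun interface.
#   $1 = output of `netstat -rn`
vpn_routes_present() {
    printf '%s\n' "$1" | awk '
        $3 == "128.0.0.0" && $NF ~ /^tun[0-9]+$/ {
            if ($1 == "0.0.0.0")   low = 1
            if ($1 == "128.0.0.0") high = 1
        }
        END { exit !(low && high) }'
}

# Prints one of: ok, leak, disconnected.
#   $1 = output of `nordvpn status`, $2 = output of `netstat -rn`
classify_vpn_state() {
    if ! printf '%s\n' "$1" | grep -q 'Status: Connected'; then
        echo disconnected
    elif vpn_routes_present "$2"; then
        echo ok
    else
        echo leak   # client says Connected, but traffic uses the LAN route
    fi
}

# Sample inputs: trimmed copies of the output shown in the post.
STATUS_CONNECTED='Status: Connected
Current technology: OpenVPN'

ROUTES_IMMEDIATE='Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.1.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp3s0
128.0.0.0       10.8.1.1        128.0.0.0       UG        0 0          0 tun0'

ROUTES_AFTER_LOGIN='Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp3s0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0'

echo "right after connect: $(classify_vpn_state "$STATUS_CONNECTED" "$ROUTES_IMMEDIATE")"
echo "after login:         $(classify_vpn_state "$STATUS_CONNECTED" "$ROUTES_AFTER_LOGIN")"
# Live use: classify_vpn_state "$(nordvpn status)" "$(netstat -rn)"
```

Run from a timer or a NetworkManager dispatcher hook, a "leak" result is the cue to redo the disconnect/connect instead of trusting the status line.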