diff --git a/Dockerfile b/Dockerfile
index 1b96380..789c328 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,4 +34,4 @@ RUN ln -s /usr/bin/protonwire /usr/bin/protonvpn
ENTRYPOINT [ "/usr/bin/protonwire" ]
-CMD [ "connect", "--container" ]
+CMD [ "connect", "--service" ]
diff --git a/README.md b/README.md
index 639f9b1..c310b19 100644
--- a/README.md
+++ b/README.md
@@ -131,52 +131,6 @@ flag is **ALSO** specified.
-
-ProtonVPN WireGuard Client
-
-Usage: protonwire [OPTIONS...]
-or: protonwire [OPTIONS...] c|connect [SERVER]
-or: protonwire [OPTIONS...] d|disconnect
-or: protonwire [OPTIONS...] check
-or: protonwire [OPTIONS...] disable-killswitch
-or: protonwire [OPTIONS...] server-info [SERVER]
-
-Options:
- -k, --private-key FILE|KEY Wireguard private key or
- file containing private key
- --container Run as container
- --metadata-url URL Server metadata endpoint URL
- --check-interval INT IP check interval in seconds (default 60)
- --check-url URL IP check endpoint URL
- --skip-dns-config Skip configuring DNS.
- (Useful for Kubernetes and Consul)
- --kill-switch Enable killswitch (Experimental)
- --p2p Verify if specified server supports P2P
- --streaming Verify if specified server supports streaming
- --tor Verify if specified server supports Tor
- --secure-core Verify if specified server supports secure core
- -q, --quiet Show only errors
- -v, --verbose Show debug logs
- -h, --help Display this help and exit
- --version Display version and exit
-
-Examples:
- protonwire connect nl-1 Connect to server nl-1
- protonwire d --kill-switch Disconnect from current server and disable kill-switch
- protonwire verify [SERVER] Check if connected to a server
-
-Files:
- /etc/protonwire/private-key WireGuard private key
-
-Environment:
- WIREGUARD_PRIVATE_KEY WireGuard private key or file
- PROTONVPN_SERVER ProtonVPN server
- IPCHECK_INTERVAL Custom IP check interval in seconds (default 60)
- IPCHECK_URL IP check endpoint URL (must be https://)
- SKIP_DNS_CONFIG Set to '1' to skip configuring DNS
- KILL_SWITCH Set to '1' to enable killswitch (Experimental)
- DEBUG Set to '1' to enable debug logs
-
## Health-checks
@@ -184,7 +138,7 @@ Environment:
- Script supports `healthcheck` sub-command. By default, when running as a service,
script will keep checking every `IPCHECK_INTERVAL` _(default=60)_ seconds using the
`IPCHECK_URL` api endpoint. To disable healthchecks entirely set `IPCHECK_INTERVAL` to `0`
-- Use `protonwire healthcheck --silent --container` as the `HEALTHCHECK` command.
+- Use `protonwire healthcheck --silent --service` as the `HEALTHCHECK` command.
Same can be used as liveness probe and readiness probe for Kubernetes.
## Docker Compose
@@ -289,10 +243,10 @@ This section covers running containers via podman. But for deployments use
--sysctl=net.ipv6.conf.all.disable_ipv6=1 \
--publish=8000:8000 \
--health-start-period=20s \
- --health-cmd="protonwire check --container --silent" \
+ --health-cmd="protonwire check --service --silent" \
--health-interval=120s \
--health-on-failure=stop \
- ghcr.io/tprasadtp/protonwire:7
+ ghcr.io/tprasadtp/protonwire:latest
```
- Create app(s) sharing network namespace with `protonwire` container. As an example,
@@ -374,6 +328,22 @@ For example, we can run caddy to proxy `https://ip.me/` via VPN. Visiting http:/
See [Troubleshooting][] and [FAQ][]
+## SLSA Provenance
+
+
+
+[![slsa-badge-level3][slsa-badge-level3]][slsa-level3]
+
+
+
+All _artifacts_ provided by this repository meet [SLSA L3][slsa-level3].
+See [docs](./docs/slsa.md) for more info.
+
+## Cosign Images
+
+All artifacts provided by this repository are signed using [cosign].
+See [docs](./docs/cosign.md) for more info.
+
## Building
Building requires [`task`](https://taskfile.dev/installation/),
@@ -400,4 +370,7 @@ Building requires [`task`](https://taskfile.dev/installation/),
[Troubleshooting]: ./docs/help.md
[FAQ]: ./docs/faq.md
[slsa-verify-docs]: ./docs/slsa.md
+[slsa-badge-level3]: ./docs/images/slsa-level3-logo.svg
+[slsa-level3]: https://slsa.dev/spec/v1.0/levels#build-l3
+
[slsa-badge]: https://img.shields.io/badge/SLSA-level%203-39AC60?labelColor=3a3a3a&logoColor=959da5&logo=data:image/png;base64,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
diff --git a/docs/faq.md b/docs/faq.md
index 501abb3..94a3f47 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -195,8 +195,6 @@ your pod are using the VPN. Do note that `.cluster` domains like `. || exit 1
- ```
-
+- Setup your port forwarding using `natpmpc` and write mapped port to a shared volume
+- In a loop verify the connection and keep refreshing port forwarding at regular intervals.
- To disconnect, run
```bash
diff --git a/docs/slsa.md b/docs/slsa.md
index 4c944af..33ccded 100644
--- a/docs/slsa.md
+++ b/docs/slsa.md
@@ -30,11 +30,6 @@ All _artifacts_ provided by this repository meet [SLSA L3][slsa-level3].
ghcr.io/tprasadtp/protonwire@
```
-## SLSA provenance for metadata
-
-Generating slsa provenance for metadata is tricky without leaking all the server names.
-As slsa L3 workflows need to save intermediate artifacts which contain server names.
-
[cosign]: https://docs.sigstore.dev/system_config/installation/
[slsa-verifier]: https://github.com/slsa-framework/slsa-verifier
[slsa-badge-level3]: ./images/slsa-level3-logo.svg
diff --git a/protonwire b/protonwire
index 7f65c9b..6781ad8 100755
--- a/protonwire
+++ b/protonwire
@@ -2410,7 +2410,10 @@ or: protonwire [OPTIONS...] server-info [SERVER]
Options:
-k, --private-key FILE|KEY Wireguard private key or
file containing private key
- --container Run as container
+ --service Run as service
+ --service-status-file Use status file created by --service
+ for healthchecks. Only valid when both process
+ are running within the same container.
--metadata-url URL Server metadata endpoint URL
--check-interval INT IP check interval in seconds (default 60)
--check-url URL IP check endpoint URL
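Review bot: The new help entry for `--service-status-file` reads `Only valid when both process` / `are running within the same container.`, which is ungrammatical and never says which two processes are meant. Wording such as `for healthchecks. Only valid when the service and` / `healthcheck run within the same container.` would state the constraint directly. The `--container` alias is still accepted by the parser but no longer appears in the option list, so a line marking it `(deprecated, use --service)` would help anyone reading the help with an older configuration. The help text begins and ends outside this hunk.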
@@ -2449,10 +2452,10 @@ function main() {
declare -i log_lvl_v_lock=0
declare -i log_lvl_q_lock=0
declare -i cmd_lock=0
- declare -i looper_lock=0
local color_mode="auto"
local cmd_mode="HELP"
- local container_flag="false"
+ local looper_flag="false"
+ local healthcheck_service_status_file="false"
if __is_bool_true "${DEBUG}"; then
LOG_LVL="0"
@@ -2463,7 +2466,7 @@ function main() {
-h | --help | help)
cmd_mode="HELP"
;;
- --version|version)
+ --version | version)
cmd_mode="VERSION"
;;
--verbose | --debug | -v)
@@ -2525,9 +2528,13 @@ function main() {
shift
__PROTONWIRE_FEATURE_COUNTRY="$1"
;;
- --container)
- ((++looper_lock))
- container_flag="true"
+ # --container flag is deprecated, but is left here for
+ # CLI compatibility reasons.
+ --container | --service)
+ looper_flag="true"
+ ;;
+ --service-status-file)
+ healthcheck_service_status_file="true"
;;
connect | c)
((++cmd_lock))
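Review bot: `--container` is marked deprecated only in a source comment on the `--container | --service)` arm, so a user who still passes it gets no signal to migrate. Splitting the arm so that `--container)` first emits a one-line deprecation warning through the script's existing logging helper, then sets `looper_flag="true"`, would make the deprecation visible at runtime. The removed `((++looper_lock))` counter has no replacement here; if it fed a flag-usage check elsewhere in `main` (not visible in this diff), that validation is now gone. The `case` statement starts and ends outside this hunk.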
@@ -2541,7 +2548,7 @@ function main() {
cmd_mode="HEALTHCHECK"
((++cmd_lock))
;;
- lookup | server-info | server-lookup)
+ lookup | server-info | server-lookup | lookup-server)
cmd_mode="SERVER_LOOKUP"
((++cmd_lock))
;;
@@ -2605,11 +2612,16 @@ function main() {
fi
fi
- if [[ $cmd_mode == "HEALTHCHECK" ]] && [[ $container_flag == "true" ]]; then
- cmd_mode="HEALTHCHECK_CONTAINER"
+ if [[ $cmd_mode == "HEALTHCHECK" ]]; then
+ if [[ $looper_flag == "true" ]]; then
+ cmd_mode="HEALTHCHECK_SERVICE_STATUS_FILE"
+ fi
+ if [[ $healthcheck_service_status_file == "true" ]]; then
+ cmd_mode="HEALTHCHECK_SERVICE_STATUS_FILE"
+ fi
fi
- if [[ $cmd_mode == "CONNECT" ]] && [[ $container_flag == "true" ]]; then
+ if [[ $cmd_mode == "CONNECT" ]] && [[ $looper_flag == "true" ]]; then
cmd_mode="LOOPER"
fi
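Review bot: The two inner `if` blocks under `$cmd_mode == "HEALTHCHECK"` assign the same value, so they can be a single test: `if [[ $looper_flag == "true" || $healthcheck_service_status_file == "true" ]]; then`. `healthcheck_service_status_file` is only read in this branch, so `--service-status-file` combined with `connect` or any other command is silently ignored. Rejecting that combination alongside the other argument checks would surface misconfigured health probes early. Because the health result now depends on a file written by the service process, it is worth confirming that `protonvpn_healthcheck_status_file` (not shown in this diff) treats a missing or stale file as unhealthy, so a dead service cannot keep a container reporting healthy. `main` continues outside this hunk.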
@@ -2659,7 +2671,7 @@ function main() {
protonvpn_verify_cmd
exit $?
;;
- HEALTHCHECK_CONTAINER)
+ HEALTHCHECK_SERVICE_STATUS_FILE)
protonvpn_healthcheck_status_file
exit $?
;;