diff --git a/README.md b/README.md index 0793657..dcec148 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ > [!WARNING] > -> [gVisor](https://gvisor.dev) and cgroup v1 runtime is **NOT** supported! +> [gVisor](https://gvisor.dev) and cgroup v1 are **NOT** supported! Images are published at [ghcr.io/tprasadtp/protonwire][ghcr]. @@ -65,7 +65,7 @@ Images are published at [ghcr.io/tprasadtp/protonwire][ghcr]. AllowedIPs = 0.0.0.0/0 Endpoint = 91.229.23.180:51820 ``` -- Only thing needed from the above config is `PrivateKey`. +- You will `PrivateKey` and optionally `Endpoint`(without port part) from the above config. - See https://protonvpn.com/support/wireguard-configurations/ for more info. ## Environment Variables & Config @@ -78,6 +78,12 @@ in following locations. - `/run/secrets/protonwire-private-key` - `/run/secrets/protonwire/private-key` - `${CREDENTIALS_DIRECTORY}/private-key` (Only if `$CREDENTIALS_DIRECTORY` is set) + - `${CREDENTIALS_DIRECTORY}/protonwire-private-key` (Only if `$CREDENTIALS_DIRECTORY` is set) + +> [!IMPORTANT] +> +> Private key file **MUST NOT** be world-readable. + | Name | Default/Required | Description |---|---|--- @@ -86,7 +92,7 @@ in following locations. | `IPCHECK_URL` | https://protonwire-api.vercel.app/v1/client/ip | (String) URL to check client IP. | `IPCHECK_INTERVAL` | `60` | (Integer) Interval between internal health-checks in seconds. Set this to `0` to disable IP checks. | `SKIP_DNS_CONFIG` | false | (Boolean) Set this to `1` or `true` to skip configuring DNS. -| `KILL_SWITCH` | false | (Boolean) Enable KillSwitch (Experimental and can cause issues) +| `KILL_SWITCH` | false | (Boolean) Enable KillSwitch (Experimental) ## PROTONVPN_SERVER @@ -260,19 +266,20 @@ This section covers running containers via podman. But for deployments use - Create a podman secret for private key ```console - sudo podman secret create protonwire-private-key + podman secret create protonwire-private-key ``` - Run _protonwire_ container. ```console - sudo podman run \ + podman run \ -it \ + --rm \ --init \ --replace \ --tz=local \ --tmpfs=/tmp \ - --name=protonwire-demo \ + --name=protonwire \ --secret="protonwire-private-key,mode=600" \ --env=PROTONVPN_SERVER="nl-free-127.protonvpn.net" \ --env=DEBUG=0 \ @@ -293,12 +300,12 @@ we are using caddy to proxy website which shows IP info. Replace these with your container(s) like [pyload](https://github.com/pyload/pyload#docker-images), [firefox](https://docs.linuxserver.io/images/docker-firefox) etc. ```console - sudo podman run \ + podman run \ -it \ --rm \ --tz=local \ --name=protonwire-demo-app \ - --network=container:protonwire-demo \ + --network=container:protonwire \ docker.io/library/caddy:latest \ caddy reverse-proxy --change-host-header --from :8000 --to https://ip.me:443 ``` @@ -355,7 +362,6 @@ For example, we can run caddy to proxy `https://ip.me/` via VPN. Visiting http:/ -it \ --rm \ --net=container:protonwire \ - --name=protonwire-demo \ caddy:latest \ caddy reverse-proxy \ --change-host-header \ diff --git a/Vagrantfile b/Vagrantfile index bbf5590..e0bfa3b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -156,7 +156,7 @@ Vagrant.configure("2") do |config| $libvirt_provision = <<-SCRIPT echo "---------------------------------" - echo "Installing qemu daemon" + echo "Installing qemu-guest-agent" echo "---------------------------------" apt-get update apt-get install -y qemu-guest-agent diff --git a/protonwire b/protonwire index 10686d8..22b4a33 100755 --- a/protonwire +++ b/protonwire @@ -640,13 +640,13 @@ function protonvpn_looper_cmd() { log_warning "Not verifying connection, as healthchecks are disabled" fi else - log_error "Failed to connect to ${PROTONVPN_SERVER}" + log_error "Failed to connect to ${PROTONVPN_SERVER:-NA}" if [[ -z $(ip link show protonwire0 type wireguard 2>/dev/null) ]]; then log_debug "Wireguard interface for protonwire is not present." return 1 fi if __has_notify_socket; then - __systemd_notify "STATUS=Failed to connect to - ${PROTONVPN_SERVER}" + __systemd_notify "STATUS=Failed to connect to - ${PROTONVPN_SERVER:-NA}" fi __protonvpn_disconnect return 1 @@ -696,7 +696,12 @@ function protonvpn_looper_cmd() { fi if [[ $__PROTONWIRE_HC_ERRORS -ge ${max_verify_attemps} ]]; then - log_error "Connection verification ($((__PROTONWIRE_HC_ERRORS))/${IPCHECK_THRESHOLD:-5}) failed" + log_error "Connection verification (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) failed" + if __has_notify_socket; then + __systemd_notify "Connection verification failed (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) " + else + log_debug "No systemd notify socket found, skiping reconnect notification" + fi break fi @@ -704,9 +709,16 @@ function protonvpn_looper_cmd() { wait $! if ! __protonvpn_verify_connection; then - log_error "Failed to verify connection ($((__PROTONWIRE_HC_ERRORS + 1))/${IPCHECK_THRESHOLD:-5})" + local xt=$((__PROTONWIRE_HC_ERRORS + 1)) + log_error "Failed to verify connection (${xt}/${max_verify_attemps})" ((++__PROTONWIRE_HC_ERRORS)) log_warning "Attempting to re-connect to ${PROTONVPN_SERVER}" + if __has_notify_socket; then + __systemd_notify "Attempting to re-connect to ${PROTONVPN_SERVER} (${xt}/${max_verify_attemps})" + else + log_debug "No systemd notify socket found, skiping reconnect notification" + fi + if __protonvpn_connect; then sleep 2 & # avoid transient errors wait $! @@ -1732,32 +1744,30 @@ function __protonvpn_connect() { else log_debug "WIREGUARD_PRIVATE_KEY is not set" declare -a lookup_paths=( - "/etc/protonwire/private-key" "/etc/protonwire/protonwire-private-key" "/etc/protonwire/protonvpn-private-key" "/etc/protonwire/wireguard-private-key" + "/etc/protonwire/private-key" - "/run/secrets/private-key" "/run/secrets/protonwire-private-key" "/run/secrets/protonvpn-private-key" "/run/secrets/wireguard-private-key" + "/run/secrets/private-key" - "/run/secrets/protonwire/private-key" "/run/secrets/protonwire/protonwire-private-key" "/run/secrets/protonwire/protonvpn-private-key" - "/run/secrets/protonwire/protonvpn-private-key" - - "/run/credentials/private-key" - "/run/credentials/protonwire-private-key" - "/run/credentials/protonvpn-private-key" - "/run/credentials/protonvpn-private-key" - - "/run/credentials/protonwire/private-key" - "/run/credentials/protonwire/protonwire-private-key" - "/run/credentials/protonwire/protonvpn-private-key" - "/run/credentials/protonwire/protonvpn-private-key" + "/run/secrets/protonwire/wireguard-private-key" + "/run/secrets/protonwire/private-key" ) + # If CREDENTIALS_DIRECTORY is defined, use it (for systemd-creds) + if [[ -n $CREDENTIALS_DIRECTORY ]]; then + lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonwire-private-key") + lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonvpn-private-key") + lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/wireguard-private-key") + lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/private-key") + fi + for lookup_path in "${lookup_paths[@]}"; do if [[ -f ${lookup_path} ]]; then if __is_usable_keyfile "${lookup_path}"; then @@ -2140,6 +2150,7 @@ function __protonvpn_disconnect() { if __has_notify_socket; then log_debug "Notify to systemd that vpn is disconnecting" + __systemd_notify "Disconnecting from ${PROTONVPN_SERVER:-NA}" __systemd_notify "STOPPING=1" else log_debug "No systemd notify socket found, skiping stopping notification" @@ -2197,8 +2208,17 @@ function __protonvpn_disconnect() { fi if [[ $errs -eq 0 ]]; then + if __has_notify_socket; then + log_debug "Notify to systemd that vpn has disconnected" + __systemd_notify "Disconnected" + fi return 0 fi + + if __has_notify_socket; then + log_debug "Notify to systemd that vpn disconnection errored" + __systemd_notify "Failed to disconnect" + fi return 1 }