From a400e0761792d084f68a87d86ad88e03129d2b1a Mon Sep 17 00:00:00 2001 From: Prasad Tengse <10941447+tprasadtp@users.noreply.github.com> Date: Sat, 16 Mar 2024 23:21:58 +0100 Subject: [PATCH] feat: remove deb/rpm and only support running as container (#299) --- .goreleaser.yml | 125 +----- .vscode/settings.json | 12 +- Dockerfile | 3 +- README.md | 248 +---------- debian/protonwire.postinstall | 13 - debian/protonwire.postremove | 10 - debian/protonwire.preremove | 22 - .../examples/protonwire-example-app.container | 16 + docs/examples/protonwire.container | 22 +- docs/examples/protonwire.pod | 26 ++ docs/examples/systemd-run.sh | 52 --- docs/faq.md | 10 - docs/help.md | 74 +--- protonwire | 412 ++---------------- rpm/protonwire.postinstall | 9 - rpm/protonwire.postremove | 8 - rpm/protonwire.preremove | 19 - systemd/polkit/protonwire.pkla | 49 --- systemd/polkit/protonwire.rules | 26 -- systemd/sysctl.d/protonwire.conf | 5 - systemd/system/protonwire.service | 101 ----- systemd/sysusers.d/protonwire.conf | 8 - systemd/tmpfiles.d/protonwire.conf | 7 - 23 files changed, 124 insertions(+), 1153 deletions(-) delete mode 100644 debian/protonwire.postinstall delete mode 100644 debian/protonwire.postremove delete mode 100644 debian/protonwire.preremove create mode 100644 docs/examples/protonwire-example-app.container create mode 100644 docs/examples/protonwire.pod delete mode 100755 docs/examples/systemd-run.sh delete mode 100644 rpm/protonwire.postinstall delete mode 100644 rpm/protonwire.postremove delete mode 100644 rpm/protonwire.preremove delete mode 100644 systemd/polkit/protonwire.pkla delete mode 100644 systemd/polkit/protonwire.rules delete mode 100644 systemd/sysctl.d/protonwire.conf delete mode 100644 systemd/system/protonwire.service delete mode 100644 systemd/sysusers.d/protonwire.conf delete mode 100644 systemd/tmpfiles.d/protonwire.conf diff --git a/.goreleaser.yml b/.goreleaser.yml index 32a12d6..1b74fbf 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -1,3 +1,4 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema.json project_name: protonwire snapshot: 
@@ -20,109 +21,6 @@ builds: archives: - format: binary -nfpms: - - id: linux-packages - file_name_template: "{{ .PackageName }}" - homepage: https://github.com/tprasadtp/protonwire - maintainer: Prasad Tengse - description: ProtonVPN Wireguard Client for Linux - license: GPLv3 - formats: - - deb - - rpm - - overrides: - deb: - dependencies: - - wireguard-tools - - iproute2 - - procps - - curl - - jq - - bash - - coreutils - - openresolv|resolvconf|systemd - - recommends: - - systemd - - policykit-1 - - scripts: - postinstall: debian/protonwire.postinstall - postremove: debian/protonwire.postremove - preremove: debian/protonwire.preremove - - rpm: - dependencies: - - wireguard-tools - - iproute - - curl - - jq - - procps-ng - - bash - - coreutils - - openresolv|systemd-resolved - recommends: - - polkit - - polkit-pkla-compat - - scripts: - postinstall: rpm/protonwire.postinstall - postremove: rpm/protonwire.postremove - preremove: rpm/protonwire.preremove - - section: default - priority: extra - contents: - - src: systemd/sysctl.d/protonwire.conf - dst: /usr/lib/sysctl.d/protonwire.conf - file_info: - mode: 0644 - owner: root - group: root - - - src: systemd/sysusers.d/protonwire.conf - dst: /usr/lib/sysusers.d/protonwire.conf - file_info: - mode: 0644 - owner: root - group: root - - - src: systemd/tmpfiles.d/protonwire.conf - dst: /usr/lib/tmpfiles.d/protonwire.conf - file_info: - mode: 0644 - owner: root - group: root - - - src: systemd/system/protonwire.service - dst: /usr/lib/systemd/system/protonwire.service - file_info: - mode: 0644 - owner: root - group: root - - - src: systemd/polkit/protonwire.pkla - dst: /var/lib/polkit-1/localauthority/10-vendor.d/protonwire.pkla - file_info: - mode: 0644 - owner: root - group: root - - - src: systemd/polkit/protonwire.rules - dst: /usr/share/polkit-1/rules.d/protonwire.rules - file_info: - mode: 0644 - owner: root - group: root - - - src: dist/protonwire.1 - dst: /usr/share/man/man1/protonwire.1 - file_info: - mode: 0644 
- owner: root - group: root - changelog: sort: asc groups: @@ -145,14 +43,6 @@ changelog: - '^.*release(s)?[(\\w)]*:+.*$' - '^.*bot(s)?[(\\w)]*:+.*$' -checksum: - name_template: checksums.txt - algorithm: sha256 - ids: - - linux-packages - extra_files: - - glob: dist/protonwire - # Build docker images dockers: - image_templates: @@ -289,12 +179,15 @@ docker_manifests: release: mode: replace - ids: - - linux-packages prerelease: auto - extra_files: - - glob: dist/protonwire - - glob: dist/protonwire.1 + + # Set this to true if you want to disable just the artifact upload to the SCM. + # If this is true, GoReleaser will still create the release with the + # changelog, but won't upload anything to it. + # + # Since: v1.11 + # Templates: allowed (since v1.15) + skip_upload: true docker_signs: - cmd: cosign diff --git a/.vscode/settings.json b/.vscode/settings.json index 99a3656..2d15d6f 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,7 +1,9 @@ { - "files.associations": { - "*.pkla": "ini", - "*.rules": "javascript" - }, - "search.useIgnoreFiles": false, + "files.associations": { + "*.pkla": "ini", + "*.rules": "javascript", + "*.container": "systemd-unit-file", + "*.pod": "systemd-unit-file" + }, + "search.useIgnoreFiles": false, } diff --git a/Dockerfile b/Dockerfile index 384c57d..ef2f912 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,8 @@ #syntax=docker/dockerfile:1.2 -FROM debian:bookworm-20240211-slim as base +FROM debian:bookworm-20240311-slim as base FROM base -# Install Packages # hadolint ignore=DL3008,DL3009 RUN --mount=type=tmpfs,target=/var/lib/apt/lists \ --mount=type=cache,sharing=private,target=/var/cache/apt \ diff --git a/README.md b/README.md index 536e410..0793657 100644 --- a/README.md +++ b/README.md 
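Review bot: The comment block added above `skip_upload: true` is lifted from the GoReleaser option reference ("Since: v1.11", "Templates: allowed (since v1.15)") and explains the option, not why this project sets it. With `checksum:` and its `extra_files` also removed in the `@@ -145` hunk, a release now carries only the changelog, so the comment should instead say where verification lives, e.g. `# Releases carry only the changelog; the deliverables are the container images signed under docker_signs below.` Anyone who previously fetched the `protonwire` script and `checksums.txt` from the release page loses that path, which deserves a line in the release notes.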
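Review bot: `FROM debian:bookworm-20240311-slim as base` pins the base image by date tag only; tags are mutable, so a re-push of that tag changes the base with no diff in this file and the image build is not reproducible. Pin by digest as well, `FROM debian:bookworm-20240311-slim@sha256:<DIGEST-PLACEHOLDER> as base`, keeping the tag for readability, and let the update bot bump tag and digest together. The package-installing `RUN` continues outside the hunk.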
@@ -19,8 +19,7 @@ - LAN, private and Tailscale networks remain accessible and are not routed over VPN. **No special configuration required**. -- Supports split horizon DNS **automatically**, if `systemd-resolved` is in use. -- Supports running as systemd unit (natively and as podman container) +- Supports systemd integration when running via podman - Supports roaming clients ## Container Images @@ -119,7 +118,6 @@ flag is **ALSO** specified. - Kill-switch is **NOT** reliable when upgrading the protonwire package. This is because binary itself may change during upgrade and it might include breaking changes. This only applies to native packages as containers are immutable and re-created during upgrades. -- Using kill-switch with systemd unit **AND** using `protonwire` to manually disable kill-switch will lead to kill-switch being re-created during service restarts. ## Usage @@ -140,9 +138,6 @@ Options: -k, --private-key FILE|KEY Wireguard private key or file containing private key --container Run as container - (Cannot be used with --systemd) - --systemd Run as systemd service - (Cannot be used with --container) --metadata-url URL Server metadata endpoint URL --check-interval INT IP check interval in seconds (default 60) --check-url URL IP check endpoint URL 
@@ -368,247 +363,6 @@ For example, we can run caddy to proxy `https://ip.me/` via VPN. Visiting http:/ --to https://ip.me:443 ``` -## Dependencies - -Following dependencies are **in addition** to WireGuard support in Kernel. -See https://www.wireguard.com/install/ for more info. This is only required -if running as systemd unit outside of containers. - -- If running on Ubuntu, Linux Mint, Elementary OS and other **Ubuntu** based derivatives etc. - - - If using `systemd-resolved` (default), - ```console - sudo apt-get install curl jq procps iproute2 libcap2-bin policykit-1 util-linux wireguard-tools - ``` - - Otherwise, - ```console - sudo apt-get install curl jq procps iproute2 libcap2-bin policykit-1 util-linux wireguard-tools openresolv - ``` - -- If running on Debian, Raspberry Pi OS, and other Debian derivatives, - - - If using `systemd-resolved` (**NOT** default), - ```console - sudo apt-get install curl jq procps iproute2 libcap2-bin policykit-1 util-linux wireguard-tools - ``` - - Otherwise, - ```console - sudo apt-get install curl jq procps iproute2 libcap2-bin policykit-1 wireguard-tools openresolv - ``` - -- If running on CentOS-Stream, Fedora 34+, Amazon Linux 2022, RHEL 9, Rocky Linux 9, Alma Linux 9 - - - If using `systemd-resolved` (default), - ```console - sudo dnf install curl jq procps-ng libcap iproute polkit util-linux wireguard-tools - ``` - - Otherwise, - ```console - sudo dnf install curl jq procps-ng libcap iproute polkit util-linux wireguard-tools openresolv - ``` - -- If running on CentOS 8, RHEL 8, Rocky Linux 8, Alma Linux 8 - - - If using `systemd-resolved` (NOT default), - ```console - sudo dnf install curl jq procps-ng libcap iproute polkit util-linux wireguard-tools - ``` - - - Otherwise, - ```console - sudo dnf install curl jq procps-ng libcap iproute polkit util-linux wireguard-tools openresolv - ``` - -## Installation - -- Install DEB or RPM packages from releases. 
-- Alternatively, clone this repository and run `sudo make install` - -## Usage - -- To connect to a server, - ```bash - sudo protonwire -k connect - ``` -- To disconnect from server - ```bash - sudo protonwire disconnect - ``` -- To check/verify connection - ```bash - sudo protonwire check - ``` - -> [!TIP] -> -> Add `--debug` flag to see debug logs. - -## Systemd Integrations - -Provides rich systemd integration. Connected server kill-switch state is displayed -with `systemctl status protonwire`. For running containers as systemd unit see -[podman-systemd-integration][podman-systemd] - -
- -![systemd-demo](./docs/images/systemd.png) - -
- - -### Requirements - -- **MUST** have `CAP_NET_ADMIN` capability -- **MUST** set `NotifyAccess` to `all` -- **MUST NOT** use `DynamicUser`. See [systemd/systemd#22737](https://github.com/systemd/systemd/issues/22737) -- Unit **MUST NOT** use `RemoveIPC=yes` -- You **MUST** use `systemd-resolved` for DNS -- polkit rules **MUST** allow unit's user to invoke to following D-Bus actions - - `org.freedesktop.resolve1.set-dns-servers` - - `org.freedesktop.resolve1.set-domains` - - `org.freedesktop.resolve1.set-default-route` - - `org.freedesktop.resolve1.revert` - - `org.freedesktop.resolve1.set-dnssec` - - -### Usage - -- By default, unit will load environment variables from files ending with `.env` -extension from `/etc/protonwire/`. This is done by systemd not the unit's user. -See `EnvironmentFile` in [systemd.exec(5)][] for more info. - -- If [`systemd-creds`][systemd-creds] is available (requires systemd version 250 or above), -use [drop-in][] units to supply credentials. see [this](https://systemd.io/CREDENTIALS/) for more info. - - Create drop-in unit directory (if required) - - ```bash - sudo mkdir -p /etc/systemd/system/protonwire.service.d - ``` - - - Create encrypted credentials - - ```bash - sudo sh -c 'systemd-ask-password -n | (printf "[Service]\n" && systemd-creds encrypt --name=protonwire-private-key -p - -) > /etc/systemd/system/protonwire.service.d/10-protonwire-private-key.conf' - ``` - - - Reload systemd - - ```bash - sudo systemctl daemon-reload - ``` - -- If `systemd-creds` is not available, save key to in `/etc/protonwire/wireguard-private-key` -or one of the search paths. - - - Create `/etc/protonwire` if it does not exist - ```bash - sudo mkdir -p /etc/protonwire - ``` - - Create private key file, alternatively copy existing key file to this location. 
- ```bash - systemd-ask-password | sudo tee -a /etc/protonwire/private-key - ``` - - Allow `systemd-network` group to access, - ```bash - sudo chown root:systemd-network /etc/protonwire/private-key - ``` - - Ensure ony `root` can write to file, members of group `systemd-network` can - read the file and others have no access to file. - ```bash - sudo chmod 640 /etc/protonwire/private-key - ``` - - > Script will refuse to use key file, if its is readable by others. - > If running as non-root user(default), ensure unit's user has access to the key file. - > Using `SupplementaryGroup=systemd-network` and giving `systemd-network` group read - > access to the key file. - -- For non-sensitive settings, use environment files(`.env`) in `/etc/protonwire/`. - They are loaded automatically be the default unit. - ```bash - # /etc/protonwire/settings.env - PROTONVPN_SERVER="node-nl-96.protonvpn.net" - ``` - -- Reload systemd - ```bash - sudo systemctl daemon-reload - ``` -- Enable protonwire service via - ```bash - sudo systemctl enable protonwire - ``` -- Start protonwire service via - ```bash - sudo systemctl start protonwire - ``` -- Stop VPN service via - - ```bash - sudo systemctl stop protonwire - ``` - -- Check status of VPN service via - ```bash - systemctl status protonwire - ``` - -- To check logs, use `journalctl -u protonwire`. - -- Disable VPN service via - ```bash - sudo systemctl disable --now protonwire - sudo protonwire disable-ks - ``` - -### Watchdog - -- Systemd watchdog feature is supported and enabled if `NOTIFY_SOCKET` and `WATCHDOG_USEC` are set. -- `IPCHECK_INTERVAL` or `--check-interval`, with non-zero value cannot be used with watchdog as it creates conflicts. -- `WatchdogSec` cannot be less than 20 seconds. -- Default watchdog signal(`SIGABRT`) cannot be used with containers if with `--init` flag. -**MUST** set `WatchdogSignal=SIGTERM` as both `tini` (docker) and `catatonit`(podman) do not -forward this signal to their children. 
- -## Split Horizon DNS with systemd-resolved - -> [!IMPORTANT] -> -> Requires systemd version 244 or later. - -- Split horizon DNS is only supported with `systemd-resolved` **AND** when **NOT** running in a container. -- It depends on `systemd-resolved` to be up and running and `/etc/resolv.conf` to be in stub resolver mode. -`nss-resolve` is buggy as most statically compiled programs (especially Go) may break DNS resolution for -link specific domains. -- It also requires specifying routing domains and/or search domains for **local/other-vpn** networks, -via DHCP options or via `resolvectl`. -- By default script will set default routing domain on VPN interface. -- Run the command below for status of routing domains. - ```bash - resolvectl status --no-pager - ``` -- Disable `systemd-resolved` integration by setting environment variable `SKIP_DNS_CONFIG` to `1` -or via `--skip-dns-config` CLI flag. - -### Dependent units - -Depend on `protonwire` unit by adding **ALL** the properties below to `[Unit]` section in -dependent units. See [systemd.unit(5)][] for more info. - -- [`BindsTo=protonwire.service`][BindsTo] -- [`After=protonwire.service`][After] - -This setup ensures that service depending on VPN will be **ONLY** started when `protonwire` -is activated. (Dependent units still have to be enabled) If for some reason protonwire service -becomes unhealthy and exits, dependent unit will be stopped. - -If system package already provides a systemd unit file for the service, use [drop-in][] units -to configure dependencies. - -> [!IMPORTANT] -> -> Don't forget to run `sudo systemctl daemon-reload` upon updating/installing unit files. - ## Troubleshooting & FAQ See [Troubleshooting][] and [FAQ][] diff --git a/debian/protonwire.postinstall b/debian/protonwire.postinstall deleted file mode 100644 index 2bd2558..0000000 --- a/debian/protonwire.postinstall +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/usr/bin/bash -# SPDX-License-Identifier: GPL-3.0 -# SPDX-FileCopyrightText: 2023 Prasad Tengse - -set -e - -case "$1" in - configure) - systemd-sysusers protonwire.conf - /usr/lib/systemd/systemd-sysctl protonwire.conf - systemd-tmpfiles --create protonwire.conf - ;; -esac diff --git a/debian/protonwire.postremove b/debian/protonwire.postremove deleted file mode 100644 index 2d9f1f7..0000000 --- a/debian/protonwire.postremove +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/bash -# SPDX-License-Identifier: GPL-3.0 -# SPDX-FileCopyrightText: 2023 Prasad Tengse - - -if [ "$1" = "purge" ]; then - deluser --quiet --system protonwire 2>/dev/null || userdel --force protonwire 2>/dev/null || true - delgroup --quiet --system protonwire 2>/dev/null || groupdel protonwire 2>/dev/null || true - systemd-tmpfiles --remove protonwire.conf 2>/dev/null || true -fi diff --git a/debian/protonwire.preremove b/debian/protonwire.preremove deleted file mode 100644 index a835a1b..0000000 --- a/debian/protonwire.preremove +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/bash -# SPDX-License-Identifier: GPL-3.0 -# SPDX-FileCopyrightText: 2023 Prasad Tengse - -set -e -case "$1" in -remove) - echo "Disabling kill switch (if any)" - protonwire disable-killswitch || true - echo "Stopping unit protonwire" - systemctl stop -q protonwire || true - - for i in $(seq 100); do - echo "Waiting until unit $unit is stopped [attempt $i]" - if ! systemctl is-active -q protonwire; then - echo "protonwire is stopped." - break - fi - sleep 0.5 - done - ;; -esac diff --git a/docs/examples/protonwire-example-app.container b/docs/examples/protonwire-example-app.container new file mode 100644 index 0000000..b1f0df3 --- /dev/null +++ b/docs/examples/protonwire-example-app.container 
@@ -0,0 +1,16 @@ +[Unit] +Description=Example application using protonwire VPN container +Documentation=https://github.com/tprasadtp/protonvpn-docker + +After=protonwire.service +BindsTo=protonwire.service + +[Container] +Pod=protonwire.pod +Image=docker.io/library/caddy:latest +Timezone=local +RunInit=true +Exec=caddy reverse-proxy --change-host-header --from :8000 --to https://ip.me:443 + +[Install] +WantedBy=default.target diff --git a/docs/examples/protonwire.container b/docs/examples/protonwire.container index 511598a..62a8f70 100644 --- a/docs/examples/protonwire.container +++ b/docs/examples/protonwire.container @@ -1,17 +1,27 @@ [Unit] -Description=Example application using protonwire VPN container +Description=ProtonVPN Container Documentation=https://github.com/tprasadtp/protonvpn-docker +After=protonwire-pod.service [Container] +# Enable protonwire itself to handle systemd readiness protocol. Notify=true # Runtime configuration Image=ghcr.io/tprasadtp/protonwire:7 -AddCapability=NET_ADMIN +Timezone=local RunInit=true + +# Server Configuration. +EnvironmentFile=-/etc/protonwire + +# Private Key +Secret=protonwire-private-key,mode=600 + +# Image specific extra permissions. +AddCapability=NET_ADMIN Sysctl=net.ipv4.conf.all.rp_filter=2 Sysctl=net.ipv6.conf.all.disable_ipv6=1 -Timezone=local # Mounts Tmpfs=/tmp @@ -23,10 +33,8 @@ HealthRetries=3 HealthStartPeriod=30s HealthTimeout=20s -# Ports -# This example only publishes a single port. port 8000 both on host and container. -# Add as many ports as your applications require. -PublishPort=8000 +# Group all VPN apps into single pod. +Pod=protonwire.pod [Install] WantedBy=default.target diff --git a/docs/examples/protonwire.pod b/docs/examples/protonwire.pod new file mode 100644 index 0000000..89b18ae --- /dev/null +++ b/docs/examples/protonwire.pod 
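Review bot: `Image=docker.io/library/caddy:latest` uses a floating tag, so the example pulls whatever caddy publishes next and a user who copies the unit ends up with an unpinned service; pin a major version, `Image=docker.io/library/caddy:2`, or a digest. The unit has `BindsTo=protonwire.service` and `After=protonwire.service` but nothing on `protonwire-pod.service`; I could not confirm from the hunk whether `Pod=protonwire.pod` adds that ordering implicitly, so verify against podman-systemd.unit(5) or add `After=protonwire-pod.service` explicitly. A comment on `Exec=` noting that the app is reachable only through the port the pod publishes (`PublishPort=8000` lives in protonwire.pod, not here) would save the reader a search.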
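Review bot: `EnvironmentFile=-/etc/protonwire` in `[Container]` points at a directory — the removed README and systemd-run.sh used `/etc/protonwire/*.env` — and carries systemd's `-` optional-file prefix, but in a Quadlet `[Container]` section this key is handed to `podman run --env-file`, and I could not confirm from the hunk that either the prefix or a directory is accepted there; verify against podman-systemd.unit(5) and name a file, e.g. `EnvironmentFile=/etc/protonwire/<settings-file>.env`. A one-line comment on `Secret=protonwire-private-key,mode=600` saying how the secret is created (`podman secret create protonwire-private-key <key-file>`) would help, as this example is now the primary way to run the image. The second hunk of this file (`@@ -23,10`) only swaps `PublishPort` for `Pod=` and needs nothing.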
@@ -0,0 +1,26 @@
+[Unit]
+Description=Pod for apps using via ProtonVPN
+Documentation=https://github.com/tprasadtp/protonvpn-docker
+
+[Pod]
+# Name
+#
+# Define a pod name so that we can re-use the pod name later
+# without depending on auto generated pod names.
+PodName=protonwire
+
+# Network
+#
+# Name of the network. Alternatively use netwok Quadlet.
+# See https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
+Network=protonwire
+
+# PublishPort
+#
+# This example only publishes a single port. port 8000 both on host and container.
+# Add as many ports as your applications require.
+# See https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#pod-units-pod
+PublishPort=8000
+
+[Install]
+WantedBy=default.target
diff --git a/docs/examples/systemd-run.sh b/docs/examples/systemd-run.sh
deleted file mode 100755
index 76327dc..0000000
--- a/docs/examples/systemd-run.sh
+++ /dev/null
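Review bot: `Network=protonwire` references a podman network by name that nothing in this commit creates, so the pod unit fails to start until the user runs `podman network create protonwire` or adds a `protonwire.network` Quadlet; the comment above it hints at this ("Alternatively use netwok Quadlet", with "network" misspelled) but never says the network must pre-exist. Suggested replacement for that comment: `# The network must exist before the pod starts: either run podman network create protonwire once, or add a protonwire.network Quadlet and reference it as Network=protonwire.network.` `Description=Pod for apps using via ProtonVPN` also reads oddly; `Description=Pod for apps routed via ProtonVPN` says what is meant.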
@@ -1,52 +0,0 @@ -#!/bin/bash -sudo systemd-run \ - --pty \ - --same-dir \ - --wait \ - --collect \ - --unit=protonwire-run.service \ - --service-type=notify \ - --property="Description=ProtonVPN Wireguard Client" \ - --property="Documentation=man:protonwire(1)" \ - --property="Documentation=https://github.com/tprasadtp/protonvpn-docker" \ - --property="SupplementaryGroups=systemd-network" \ - --property="NotifyAccess=all" \ - --property="User=protonwire" \ - --property="Group=protonwire" \ - --property="SupplementaryGroups=systemd-network" \ - --property="Environment=HOME=/var/lib/protonwire" \ - --property="Environment=LANG=C.UTF-8" \ - --property="EnvironmentFile=-/etc/defaults/protonwire" \ - --property="EnvironmentFile=-/etc/protonwire/*.env" \ - --property="AmbientCapabilities=CAP_NET_ADMIN" \ - --property="CapabilityBoundingSet=CAP_NET_ADMIN" \ - --property="SystemCallFilter=@system-service" \ - --property="SystemCallArchitectures=native" \ - --property="ProtectProc=invisible" \ - --property="ProtectHostname=true" \ - --property="PrivateTmp=yes" \ - --property="ProtectControlGroups=true" \ - --property="ProtectKernelModules=true" \ - --property="ProtectKernelTunables=true" \ - --property="ProtectKernelLogs=true" \ - --property="KeyringMode=private" \ - --property="RestrictNamespaces=true" \ - --property="LockPersonality=true" \ - --property="MemoryDenyWriteExecute=true" \ - --property="RestrictSUIDSGID=true" \ - --property="PrivateTmp=yes" \ - --property="ProtectSystem=full" \ - --property="StateDirectory=protonwire" \ - --property="CacheDirectory=protonwire" \ - --property="RuntimeDirectory=protonwire" \ - --property="RuntimeDirectoryPreserve=restart" \ - --property="IPAccounting=true" \ - --property="CPUAccounting=true" \ - --property="BlockIOAccounting=true" \ - --property="MemoryAccounting=true" \ - --property="TasksAccounting=true" \ - --property="WatchdogSec=20" \ - --property="TimeoutAbortSec=30" \ - --property="TimeoutStopSec=30" \ - 
--property="TimeoutStartSec=180" \ - "$@" diff --git a/docs/faq.md b/docs/faq.md index 432955c..997b123 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -15,11 +15,6 @@ it might result in a single VPN server to be selected as "best" and might cause - If response is something like ` dev protonwire0 table 51821 src 10.2.0.2 uid 0`, then the IP address will be routed via VPN. -## How to check if systemd-resolved is in use - -- If using Ubuntu/Fedora with defaults most likely using systemd-resolved is in use for local DNS. -- Run `resolvectl status --no-pager`. If it has `resolv.conf mode: stub`. `systemd-resolved` is in use. - ## Whats with route table 51821 - This route table is kept separate to avoid cluttering main route table and avoid conflicts. @@ -115,11 +110,6 @@ Script **WILL** flush this routing table automatically if found to be non empty. WireGuard is not a chatty protocol. However for _most_ if not all use cases, end user devices are using some form of NAT via docker, Kubernetes, home router or some other means. So _Keep alive_ is enabled and set to 20 seconds which should be enough for almost all NAT firewalls. -## Split horizon DNS - -- This is only possible with `systemd-resolved`. After connecting to VPN (via `protonwire connect `). Verify split dns configuration using `resolvectl query ` and check the interface being used to resolve it. -- Ensure that DHCP server/router or VPN gateway advertises search domains. They will be automatically picked up if using NetworkManager(most desktops) or `systemd-networkd` (most servers) or `ifupdown` hooks. - ## Use with corporate/other VPN - If other VPN routes only private subnets you don't need to do anything! It just works! diff --git a/docs/help.md b/docs/help.md index f18e71f..277b596 100644 --- a/docs/help.md +++ b/docs/help.md 
@@ -131,87 +131,15 @@ to calculate `PROTONVPN_ALLOWED_SUBNETS_IPV6`. User namespaces can cause file permission issues. If you have problem accessing mounted secret files or sharing network stack, disable user namespaces for the container. -## Systemd watchdog keeps killing the service - -- Check if its `IP mismatch` error -- Try switching servers -- If you keep encountering this issue, you can disable IP checks with by setting `IPCHECK_INTERVAL` to `0` or `--check-interval 0`. - ## Cannot update DNS, /etc/resolv.conf is not writable Try to run as `root` and ensure /etc/resolv.conf is writable. -## Transport endpoint is not connected errors when using systemd - -Turn off `DynamicUser` and `RemoveIPC` from you unit configuration and reload systemd. - -## Systemd unit failed with some error - -- Disable systemd unit `protonwire.service` for debugging. -- Run transient unit via `systemd-run` - ``` - sudo systemd-run \ - --pty \ - --same-dir \ - --wait \ - --collect \ - --unit=protonwire-run.service \ - --service-type=notify \ - --property="Description=ProtonVPN Wireguard Client" \ - --property="Documentation=man:protonwire(1)" \ - --property="Documentation=https://github.com/tprasadtp/protonvpn-docker" \ - --property="SupplementaryGroups=systemd-network" \ - --property="NotifyAccess=all" \ - --property="User=protonwire" \ - --property="Group=protonwire" \ - --property="SupplementaryGroups=systemd-network" \ - --property="Environment=HOME=/var/lib/protonwire" \ - --property="Environment=LANG=C.UTF-8" \ - --property="EnvironmentFile=-/etc/defaults/protonwire" \ - --property="EnvironmentFile=-/etc/protonwire/*.env" \ - --property="AmbientCapabilities=CAP_NET_ADMIN" \ - --property="CapabilityBoundingSet=CAP_NET_ADMIN" \ - --property="SystemCallFilter=@system-service" \ - --property="SystemCallArchitectures=native" \ - --property="ProtectProc=invisible" \ - --property="ProtectHostname=true" \ - --property="PrivateTmp=yes" \ - --property="ProtectControlGroups=true" \ - 
--property="ProtectKernelModules=true" \ - --property="ProtectKernelTunables=true" \ - --property="ProtectKernelLogs=true" \ - --property="KeyringMode=private" \ - --property="RestrictNamespaces=true" \ - --property="LockPersonality=true" \ - --property="MemoryDenyWriteExecute=true" \ - --property="RestrictSUIDSGID=true" \ - --property="PrivateTmp=yes" \ - --property="ProtectSystem=full" \ - --property="StateDirectory=protonwire" \ - --property="CacheDirectory=protonwire" \ - --property="RuntimeDirectory=protonwire" \ - --property="RuntimeDirectoryPreserve=restart" \ - --property="IPAccounting=true" \ - --property="CPUAccounting=true" \ - --property="BlockIOAccounting=true" \ - --property="MemoryAccounting=true" \ - --property="TasksAccounting=true" \ - --property="WatchdogSec=20" \ - --property="TimeoutAbortSec=30" \ - --property="TimeoutStopSec=30" \ - --property="TimeoutStartSec=180" \ - protonwire connect --debug - ``` - ## Manually Disconnecting from VPN Please use `protonwire disconnect --kill-switch` as it handles things properly. If not possible, try the following. -- Restore the DNS if using systemd-resolved via, - ``` - resolvectl revert protonwire0 - ``` -- If **NOT** using systemd-resolved (like in containers) restore the DNS using following commands. +- Restore the DNS using following commands. ```bash cat /etc/resolv.conf.protonwire > /etc/resolv.conf && rm /etc/resolv.conf.protonwire ``` diff --git a/protonwire b/protonwire index 5768cbc..10686d8 100755 --- a/protonwire +++ b/protonwire @@ -366,9 +366,6 @@ function __is_bool_true() { } function __is_skip_dns_config() { - if [[ ${__PROTONWIRE_DNS_UPDATER,,} == "none" ]]; then - return 0 - fi if __is_bool_true "${SKIP_DNS_CONFIG}"; then return 0; else return 1; fi } 
@@ -386,45 +383,21 @@ function __has_notify_socket() { function __systemd_notify() { local status="${1}" if [[ -z ${1} ]]; then - log_error "Message is not defined or empty!" + log_error "Notify message is not defined or empty!" return 1 fi - if has_command systemd-notify; then - if timeout 3s \ - systemd-notify "${status}" 2>&1 | log_tail "systemd-notify"; then - return 0 - else - log_debug "systemd-notify failed to send status ${status}" - fi - elif has_command nc; then - if printf "%s" "${status}" | - timeout 3s nc -w 0 -uU "$NOTIFY_SOCKET" 2>&1 | log_tail "nc-notify"; then - return 0 - else - log_debug "nc failed to send status ${status}" - fi + if printf "%s" "${status}" | + timeout 3s nc -w 0 -uU "$NOTIFY_SOCKET" 2>&1 | log_tail "nc-notify"; then + return 0 else - log_error "Neither systemd-notify nor nc is available!" + log_debug "nc failed to send status ${status}" fi return 1 } function __sd_notify_checks() { local errs=0 - if [[ ${WATCHDOG_USEC} =~ ^[1-9][0-9]+$ ]]; then - local ping_interval - ping_interval="$((WATCHDOG_USEC / 2000000))" - if [[ $ping_interval -lt 10 ]]; then - log_error "Watchdog ping interval is too low($ping_interval) should be at least 10 secs" - ((++errs)) - else - log_debug "Watchdog ping interval is $ping_interval secs" - fi - else - log_debug "WATCHDOG_USEC is not set or invalid" - fi - if [[ -n $NOTIFY_SOCKET ]]; then if [[ -S $NOTIFY_SOCKET ]]; then log_debug "NOTIFY_SOCKET is set to $NOTIFY_SOCKET" 
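Review bot: `__systemd_notify` now has `nc` as its only transport: the `has_command systemd-notify` / `has_command nc` branches and the `log_error "Neither systemd-notify nor nc is available!"` message are gone, so when `nc` is missing the pipeline fails with a shell "command not found" and the function reports it only at `log_debug`, while a Quadlet with `Notify=true` keeps waiting for READY=1 until its start timeout. Add `nc` to the `commands` array in `__check_tools` if it is not already listed (the array head is outside this diff), and raise the failure line to `log_error "nc failed to send status ${status}"` since readiness has no fallback any more. The `-w 0 -uU` flags are also not portable across netcat implementations (netcat-traditional, for one, has no `-U`), so the Dockerfile should install the implementation this relies on by name. `__sd_notify_checks` continues past the end of the hunk.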
@@ -443,85 +416,14 @@ function __sd_notify_checks() { return 1 } -function __detect_dns_updater() { - if [[ -n $__PROTONWIRE_DNS_UPDATER ]]; then - return 0 - fi - - if ! __is_skip_dns_config; then - if has_command systemctl; then - if systemctl is-active --quiet systemd-resolved; then - if [[ -L /etc/resolv.conf ]]; then - log_debug "Using systemd-resolved for DNS" - __PROTONWIRE_DNS_UPDATER="systemd-resolved" - else - log_debug "Using /etc/resolv.conf for DNS (not a symlink to stub)" - __PROTONWIRE_DNS_UPDATER="resolvconf" - fi - else - log_debug "Using /etc/resolv.conf for DNS (systemd-resolved is not running)" - __PROTONWIRE_DNS_UPDATER="resolvconf" - fi - else - log_debug "Using /etc/resolv.conf for DNS (systemd is not available)" - __PROTONWIRE_DNS_UPDATER="resolvconf" - fi - else - log_debug "Skipping DNS configuration" - __PROTONWIRE_DNS_UPDATER="none" - fi -} - function __check_caps() { if capsh --has-p=CAP_NET_ADMIN >/dev/null 2>&1; then log_debug "Can use CAP_NET_ADMIN capability" return 0 else log_error "CAP_NET_ADMIN capability is not available!" - log_error "If running as systemd unit ensure 'AmbientCapabilities' is set to 'CAP_NET_ADMIN'" log_error "If running as podman/docker use --cap-add=CAP_NET_ADMIN flag." - log_error "Otherwise, run as root and/or add CAP_NET_ADMIN capability" - fi - return 1 -} - -function __check_systemd() { - local errs=0 - if [[ $__PROTONWIRE_LOOPER == "systemd" ]]; then - if ! __sd_notify_checks; then - ((++errs)) - fi - declare -ar systemd_populated_vars=( - "RUNTIME_DIRECTORY" - "CACHE_DIRECTORY" - ) - - for var in "${systemd_populated_vars[@]}"; do - if [[ -z ${!var} ]]; then - log_debug "$var is not defined!" - else - log_variable "$var" - fi - done - elif [[ $__PROTONWIRE_LOOPER == "container" ]]; then - if ! 
__sd_notify_checks; then - ((++errs)) - fi - - # Containers cannot change sysctls so check it now - if [[ $(sysctl -n net.ipv4.conf.all.rp_filter) != "2" ]]; then - ((++errs)) - log_error "Invalid sysctl, net.ipv4.conf.all.rp_filter!=2" - log_error "If using docker/podman add --sysctl net.ipv4.conf.all.rp_filter=2 flag to your run command" - log_error "If using docker-compose add 'net.ipv4.conf.all.rp_filter: 2' under 'sysctls' section for protonvpn service." - log_error "If using Kubernetes see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ to set sysctl values." - fi - else - log_debug "--systemd/--container both are not specified" - fi - - if [[ $errs -eq 0 ]]; then - return 0 + log_error "If running in Kubernetes, See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container" fi return 1 } @@ -540,26 +442,6 @@ function __check_tools() { "sysctl" # procps "flock" # flock | linux-utils ) - __detect_dns_updater - - case ${__PROTONWIRE_DNS_UPDATER,,} in - systemd-resolved) - commands+=( - "resolvectl" # systemd - ) - ;; - resolvconf) - if [[ ! -w /etc/resolv.conf ]]; then - log_error "Cannot update DNS, /etc/resolv.conf is not writable" - ((++errs)) - fi - ;; - none) ;; - *) - log_error "Unknown __PROTONWIRE_DNS_UPDATER - ${__PROTONWIRE_DNS_UPDATER:-NA}" - ((++errs)) - ;; - esac declare -a missing_commands for command in "${commands[@]}"; do 
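Review bot: `__check_tools` drops the pre-flight check that `/etc/resolv.conf` is writable; the resolvconf hook kept at the end of this patch still rewrites that file, so unless the check survives somewhere outside this diff the failure now surfaces only after the tunnel is up, and docs/help.md still documents the "Cannot update DNS, /etc/resolv.conf is not writable" message as something users will see. Keep a guarded form of the check here, skipped when `__is_skip_dns_config` succeeds, so the error is raised before any interface is created. `__check_tools` starts before this hunk.
```shell
    # … unchanged: commands array …

    # Fail early: the resolvconf hook rewrites /etc/resolv.conf after connect,
    # so an unwritable file should stop the run before any interface is created.
    if ! __is_skip_dns_config && [[ ! -w /etc/resolv.conf ]]; then
        log_error "Cannot update DNS, /etc/resolv.conf is not writable"
        ((++errs))
    fi

    declare -a missing_commands
```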
@@ -588,8 +470,12 @@ function __run_checks() { __detect_paths - if ! __check_systemd; then + if [[ $(sysctl -n net.ipv4.conf.all.rp_filter) != "2" ]]; then ((++errs)) + log_error "Invalid sysctl, net.ipv4.conf.all.rp_filter!=2" + log_error "If using docker/podman add --sysctl net.ipv4.conf.all.rp_filter=2 flag to your run command" + log_error "If using docker-compose add 'net.ipv4.conf.all.rp_filter: 2' under 'sysctls' section for protonvpn service." + log_error "If using Kubernetes see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ to set sysctl values." fi # check if any interfaces have reserved ip addresses 
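Review bot: The rp_filter check moves from the container-only branch of the deleted `__check_systemd` into `__run_checks` unconditionally, so `connect` without `--container` (still reachable from `main`, where only `container_flag` switches to `LOOPER`) now fails on any host that leaves `net.ipv4.conf.all.rp_filter` at its usual value. If that is intended, say so above the test: `# rp_filter must be 2 (loose); containers cannot change sysctls, so fail early`. The error line also never shows the value that was read, so a missing key (empty output from `sysctl -n`) and a wrong value produce the same message; capture it first, `local rp_filter; rp_filter="$(sysctl -n net.ipv4.conf.all.rp_filter 2>/dev/null)"` and log `"Invalid sysctl, net.ipv4.conf.all.rp_filter=${rp_filter:-unset} (expected 2)"`. `__run_checks` starts before and ends after this hunk.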
@@ -624,70 +510,12 @@ function __run_checks() { ((++errs)) fi - # If IPCHECK_INTERVAL is defined, and it's not 0, then ensure that WATCHDOG_USEC is not defined - if [[ -n $IPCHECK_INTERVAL ]] && - [[ $IPCHECK_INTERVAL != "0" ]] && - [[ ${WATCHDOG_USEC} =~ ^[1-9][0-9]+$ ]]; then - log_error "IPCHECK_INTERVAL(${IPCHECK_INTERVAL}) cannot be used with systemd watchdog WATCHDOG_USEC(${WATCHDOG_USEC})" - ((++errs)) - fi - if [[ $errs -eq 0 ]]; then return 0 fi return 1 } -function __resolvctl_up_hook() { - local errs=0 - - # Configure search/routing domains and the default-route before configuring the DNS server. - if resolvectl domain protonwire0 "~." 2>&1 | log_tail "resolvectl-domain"; then - log_success "Set routing domain to ~. (via resolvectl)" - else - log_error "Failed to set routing domain to ~. (via resolvectl)" - ((++errs)) - fi - - if resolvectl default-route protonwire0 "true" 2>&1 | log_tail "resolvectl-default-route"; then - log_success "Set default route" - else - log_error "Failed to set default DNS route (via resolvectl)" - ((++errs)) - fi - - if resolvectl dns protonwire0 "10.2.0.1" 2>&1 | log_tail "resolvectl-dns"; then - log_success "Set DNS server to 10.2.0.1 (via resolvectl)" - else - log_error "Failed to set DNS server to 10.2.0.1 (via resolvectl)" - ((++errs)) - fi - - if [[ $errs -eq 0 ]]; then - return 0 - else - __resolvctl_down_hook # ignore errors - fi - return 1 -} - -function __resolvctl_down_hook() { - local errs=0 - declare wg_iface - wg_iface="$(ip --json link | jq -r '.[] | select(.ifname=="protonwire0") | .ifname' 2>/dev/null)" - if [[ -n $wg_iface ]]; then - if resolvectl revert protonwire0 2>&1 | log_tail "resolvectl-revert"; then - log_success "Reverted systemd-resolved configuration for protonwire0" - return 0 - else - log_error "Failed to revert systemd-resolved configuration for protonwire0" - return 1 - fi - else - log_notice "Wireguard interface 'protonwire0' has already been deleted" - fi -} - # resolvconf hook. 
openresolv cannot be used because it uses mv sematics # and it is unsuitable for container management systems which bind mount /etc/resolv.conf. function __resolvconf_up_hook() { @@ -765,40 +593,9 @@ function __resolvconf_down_hook() { } function __detect_paths() { - local runtime_dir - - log_variable "RUNTIME_DIRECTORY" - log_variable "XDG_RUNTIME_DIR" - - if [[ -z $RUNTIME_DIRECTORY ]]; then - if [[ -n $XDG_RUNTIME_DIR ]]; then - if [[ -d "$XDG_RUNTIME_DIR" ]] && [[ -w "${XDG_RUNTIME_DIR}" ]]; then - runtime_dir="$XDG_RUNTIME_DIR" - if [[ -z ${cache_dir} ]]; then - cache_dir="${XDG_RUNTIME_DIR}" - fi - else - log_warning "XDG_RUNTIME_DIR(${XDG_RUNTIME_DIR}) is not a directory or not writable!" - fi - fi - else - if [[ -d $RUNTIME_DIRECTORY ]] && [[ -w $RUNTIME_DIRECTORY ]]; then - runtime_dir="${RUNTIME_DIRECTORY}" - if [[ -z ${cache_dir} ]]; then - cache_dir="${RUNTIME_DIRECTORY}" - fi - else - log_warning "RUNTIME_DIRECTORY($RUNTIME_DIRECTORY) is not a directory or not writable!" - fi - fi - - if [[ -z ${runtime_dir} ]]; then - runtime_dir="/tmp" # fallback to tmp - fi - - declare -g __PROTONWIRE_SRV_INFO_FILE="${runtime_dir%/}/protonwire.server.json" - declare -g __PROTONWIRE_HCR="${runtime_dir%/}/protonwire.hc.response" - declare -g __PROTONWIRE_HCS="${runtime_dir%/}/protonwire.hc.status" + declare -g __PROTONWIRE_SRV_INFO_FILE="/tmp/protonwire.server.json" + declare -g __PROTONWIRE_HCR="/tmp/protonwire.hc.response" + declare -g __PROTONWIRE_HCS="/tmp/protonwire.hc.status" log_variable "__PROTONWIRE_SRV_INFO_FILE" log_variable "__PROTONWIRE_HCR" log_variable "__PROTONWIRE_HCS" 
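Review bot: `__detect_paths` now pins the server-info and healthcheck files to fixed names under `/tmp`, a directory shared with every other process that can see it, where a predictable path can be pre-created or symlinked by another user; the removed code preferred `RUNTIME_DIRECTORY`/`XDG_RUNTIME_DIR` and used `/tmp` only as a fallback. Inside a container with a private `/tmp` this is harmless, but `connect` without `--container` still runs on a host. Keeping the `XDG_RUNTIME_DIR` preference costs three lines; whichever directory is chosen must resolve identically in the looper and in the healthcheck process (both call `__detect_paths`), so it must not depend on per-process environment differences, and that constraint deserves a comment either way. `__detect_paths` continues past this hunk.
```shell
function __detect_paths() {
  # /tmp is shared with other processes; prefer a writable per-user runtime
  # directory when one is set. NOTE: the healthcheck process must resolve the
  # same directory as the looper, so this must not vary between invocations.
  local runtime_dir="/tmp"
  if [[ -n $XDG_RUNTIME_DIR ]] && [[ -d $XDG_RUNTIME_DIR ]] && [[ -w $XDG_RUNTIME_DIR ]]; then
    runtime_dir="$XDG_RUNTIME_DIR"
  fi
  declare -g __PROTONWIRE_SRV_INFO_FILE="${runtime_dir%/}/protonwire.server.json"
  declare -g __PROTONWIRE_HCR="${runtime_dir%/}/protonwire.hc.response"
  declare -g __PROTONWIRE_HCS="${runtime_dir%/}/protonwire.hc.status"
  # … unchanged: log_variable calls …
```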
@@ -806,19 +603,6 @@ function __detect_paths() { # looper command function protonvpn_looper_cmd() { - case "$__PROTONWIRE_LOOPER" in - systemd) - log_debug "Running as systemd unit, IDENTITY=$(id 2>&1)" - ;; - container) - log_debug "Running as container USER=$(id -un 2>&1)" - ;; - *) - log_error "Invalid LOOPER - $__PROTONWIRE_LOOPER" - return 1 - ;; - esac - if ! __run_checks; then log_error "Please fix the errors above and try again!" return 1 @@ -868,31 +652,16 @@ function protonvpn_looper_cmd() { return 1 fi - local sleep_int=60 - local watchdog_pings="false" + local sleep_int=120 - # detect ping interval - if [[ -n $IPCHECK_INTERVAL ]]; then - if [[ $IPCHECK_INTERVAL == "0" ]] && - [[ ${WATCHDOG_USEC} =~ ^[1-9][0-9]+$ ]]; then - sleep_int="$((WATCHDOG_USEC / 2000000))" - log_debug "Watchdog enabled, ping interval $sleep_int seconds" - watchdog_pings="true" - elif [[ $IPCHECK_INTERVAL != "0" ]]; then - sleep_int="$IPCHECK_INTERVAL" - fi + # configure ping interval + if [[ -n $IPCHECK_INTERVAL ]] && [[ $IPCHECK_INTERVAL != "0" ]]; then + sleep_int="$IPCHECK_INTERVAL" else - if [[ ${WATCHDOG_USEC} =~ ^[1-9][0-9]+$ ]]; then - sleep_int="$((WATCHDOG_USEC / 2000000))" - log_debug "Watchdog enabled, ping interval $sleep_int seconds" - watchdog_pings="true" - else - log_debug "Using default check interval 120s" - sleep_int="120" - fi + log_debug "Using default check interval ${sleep_int}s" fi - # Initial ready and watchdog notification. + # Initial ready notification. if __has_notify_socket; then log_notice "Notifying systemd that we are ready" if ! __systemd_notify "READY=1"; then 
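Review bot: The default check interval becomes 120 s here (`local sleep_int=120`) and in `protonvpn_healthcheck_status_file`, but the help text in the `@@ -2694` hunk still reads `--check-interval INT IP check interval in seconds (default 60)`; change it to `(default 120)` so users are not told the wrong default. The same literal now lives in two functions, so a single readonly default defined near the top of the script and read by both would keep them from drifting again. `protonvpn_looper_cmd` starts before and ends after this hunk.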
@@ -900,17 +669,8 @@ function protonvpn_looper_cmd() { __protonvpn_disconnect return 1 fi - - if [[ $watchdog_pings == "true" ]]; then - log_debug "Sending WATCHDOG ping" - if ! __systemd_notify "WATCHDOG=1"; then - log_error "Failed to notify systemd!" - __protonvpn_disconnect - return 1 - fi - fi else - log_debug "No systemd notify socket found, skiping READY/WATCHDOG notification" + log_debug "No systemd notify socket found, skiping READY=1 notification" fi if [[ $IPCHECK_INTERVAL == "0" ]]; then @@ -922,15 +682,6 @@ function protonvpn_looper_cmd() { log_debug "Disconnect handler is active, exiting loop" break fi - - if [[ $watchdog_pings == "true" ]]; then - if __has_notify_socket; then - if ! __systemd_notify "WATCHDOG=1"; then - log_error "Failed to notify systemd watchdog!" - fi - fi - fi - sleep "${sleep_int:-120}" & wait $! done @@ -967,17 +718,6 @@ function protonvpn_looper_cmd() { else log_error "Failed to re-connect to ${PROTONVPN_SERVER}" fi - else - if [[ $watchdog_pings == "true" ]]; then - if __has_notify_socket; then - log_debug "Sending WATCHDOG ping" - if ! __systemd_notify "WATCHDOG=1"; then - log_error "Failed to notify systemd watchdog!" - fi - else - log_warning "NOTIFY_SOCKET is missing!" - fi - fi fi done fi 
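Review bot: The rewritten debug message in the `@@ -900` hunk keeps the misspelling `skiping`; since the line is being changed anyway, `log_debug "No systemd notify socket found, skipping READY=1 notification"` is the moment to fix it (the sibling message in `__protonvpn_disconnect`, visible as context in the `@@ -2437` hunk, has the same typo). `protonvpn_looper_cmd` starts before and ends after these hunks.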
@@ -1148,21 +888,13 @@ function protonvpn_healthcheck_status_file() { return 0 fi __detect_paths - if [[ -n $IPCHECK_INTERVAL ]] && - [[ ${WATCHDOG_USEC} =~ ^[1-9][0-9]+$ ]]; then - log_error "IPCHECK_INTERVAL(${IPCHECK_INTERVAL}) cannot be used with systemd watchdog WATCHDOG_USEC(${WATCHDOG_USEC})" - return 1 - fi log_debug "Checking via file timestamp (${__PROTONWIRE_HCS})" - if [[ -z $IPCHECK_INTERVAL ]] && - [[ ${WATCHDOG_USEC} =~ ^[1-9][0-9]+$ ]]; then - local check_interval="$((WATCHDOG_USEC / 2000000))" - elif [[ -n $IPCHECK_INTERVAL ]]; then + if [[ -n $IPCHECK_INTERVAL ]]; then local check_interval="$IPCHECK_INTERVAL" else - log_debug "No healthcheck interval defined, using default(60)" - local check_interval="60" + log_debug "No healthcheck interval defined, using default(120)" + local check_interval="120" fi if [[ -f ${__PROTONWIRE_HCS} ]]; then @@ -1574,7 +1306,7 @@ function __build_route_table() { if ! __is_bool_true "${KILL_SWITCH}"; then log_warning "Existing killswitch routes found! but killswitch is not enabled! (IPv$proto)" else - log_notice "Validating Killswitch routes (IPv$proto)" + log_debug "Validating Killswitch routes (IPv$proto)" fi local ksr_mismatch=0 
@@ -2004,23 +1736,27 @@ function __protonvpn_connect() { "/etc/protonwire/protonwire-private-key" "/etc/protonwire/protonvpn-private-key" "/etc/protonwire/wireguard-private-key" + "/run/secrets/private-key" "/run/secrets/protonwire-private-key" "/run/secrets/protonvpn-private-key" "/run/secrets/wireguard-private-key" + "/run/secrets/protonwire/private-key" "/run/secrets/protonwire/protonwire-private-key" "/run/secrets/protonwire/protonvpn-private-key" "/run/secrets/protonwire/protonvpn-private-key" - ) - # CREDENTIALS_DIRECTORY is defined if using systemd-creds - if [[ -n $CREDENTIALS_DIRECTORY ]]; then - lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/private-key") - lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonwire-private-key") - lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonvpn-private-key") - lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/wireguard-private-key") - fi + "/run/credentials/private-key" + "/run/credentials/protonwire-private-key" + "/run/credentials/protonvpn-private-key" + "/run/credentials/protonvpn-private-key" + + "/run/credentials/protonwire/private-key" + "/run/credentials/protonwire/protonwire-private-key" + "/run/credentials/protonwire/protonvpn-private-key" + "/run/credentials/protonwire/protonvpn-private-key" + ) for lookup_path in "${lookup_paths[@]}"; do if [[ -f ${lookup_path} ]]; then 
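Review bot: The new `/run/credentials/` lookup lists `protonvpn-private-key` twice and omits `wireguard-private-key`, in both the top-level group and the `protonwire/` group, whereas the `/run/secrets/` groups above end with `wireguard-private-key`; the last entry of each new group should be `"/run/credentials/wireguard-private-key"` and `"/run/credentials/protonwire/wireguard-private-key"`. The pre-existing duplicate `/run/secrets/protonwire/protonvpn-private-key` in the context lines looks like the same copy-paste slip and could be fixed in passing. Note also that the fixed `/run/credentials/…` paths replace `$CREDENTIALS_DIRECTORY`, which as far as I know is a per-unit subdirectory of `/run/credentials`, so a one-line comment naming the runtime expected to populate these paths would save the next reader from guessing. `__protonvpn_connect` starts before and ends after this hunk.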
@@ -2272,22 +2008,10 @@ function __protonvpn_connect() { if __is_skip_dns_config; then log_info "Skipping DNS configuration" else - if [[ $__PROTONWIRE_DNS_UPDATER == "systemd-resolved" ]]; then - if __resolvctl_up_hook; then - log_success "Successfully configured DNS (systemd-resolved)" - else - log_error "Failed to configure DNS (systemd-resolved)" - return 1 - fi - elif [[ $__PROTONWIRE_DNS_UPDATER == "resolvconf" ]]; then - if __resolvconf_up_hook; then - log_success "Successfully configured DNS (resolvconf)" - else - log_error "Failed to configure DNS (resolvconf)" - return 1 - fi + if __resolvconf_up_hook; then + log_success "Successfully configured DNS (protonwire)" else - log_error "Unknown DNS updater: $__PROTONWIRE_DNS_UPDATER" + log_error "Failed to configure DNS (protonwire)" return 1 fi fi @@ -2303,22 +2027,6 @@ function protonvpn_connect_cmd() { return 1 fi - if has_command systemctl; then - if systemctl is-enabled --quiet protonwire; then - if systemctl is-active --quiet protonwire; then - log_error "systemd unit protonwire.service is running" - log_error "Use systemctl to manage this unit or disable, this unit to manually connect" - return 1 - elif systemctl is-failed --quiet protonwire; then - log_error "systemd unit protonwire.service is enabled, but is in failed state" - log_error "You should wither fix the unit and manage it via systemctl or disable it to manually connect" - return 1 - fi - fi - else - log_debug "command systemctl not found, not checking if there are conflicts with systemd units" - fi - if __protonvpn_connect; then return 0 fi 
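Review bot: The success/failure messages in the `@@ -2272` hunk now say `DNS (protonwire)`, which names the program rather than the mechanism, while the disconnect path still logs `Successfully restored DNS(resolvconf)`; keeping `log_success "Successfully configured DNS (resolvconf)"` and `log_error "Failed to configure DNS (resolvconf)"` keeps connect and disconnect logs consistent and tells the operator which file was touched. `__protonvpn_connect` starts before and ends after this hunk.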
@@ -2437,26 +2145,15 @@ function __protonvpn_disconnect() { log_debug "No systemd notify socket found, skiping stopping notification" fi local errs=0 - # Order in which DNS is reconfigured ensures that we dont have broken dns during disconnect. - if [[ $__PROTONWIRE_DNS_UPDATER == "systemd-resolved" ]]; then - if __resolvctl_down_hook; then - log_success "Successfully restored DNS(systemd-resolved)" - else - log_error "Failed to restore DNS" - ((++errs)) - fi - elif [[ $__PROTONWIRE_DNS_UPDATER == "resolvconf" ]]; then + + if __is_skip_dns_config; then + log_info "Skipping DNS configuration" if __resolvconf_down_hook; then log_success "Successfully restored DNS(resolvconf)" else log_error "Failed to restore DNS" ((++errs)) fi - elif [[ $__PROTONWIRE_DNS_UPDATER == "none" ]]; then - : - else - log_error "Unknown DNS updater: $__PROTONWIRE_DNS_UPDATER" - ((++errs)) fi if ! __protonvpn_delete_wg_routes; then @@ -2694,9 +2391,6 @@ Options: -k, --private-key FILE|KEY Wireguard private key or file containing private key --container Run as container - (Cannot be used with --systemd) - --systemd Run as systemd service - (Cannot be used with --container) --metadata-url URL Server metadata endpoint URL --check-interval INT IP check interval in seconds (default 60) --check-url URL IP check endpoint URL @@ -2738,6 +2432,7 @@ function main() { declare -i looper_lock=0 local color_mode="auto" local cmd_mode="HELP" + local container_flag="false" if __is_bool_true "${DEBUG}"; then LOG_LVL="0" @@ -2812,11 +2507,7 @@ function main() { ;; --container) ((++looper_lock)) - __PROTONWIRE_LOOPER="container" - ;; - --systemd) - ((++looper_lock)) - __PROTONWIRE_LOOPER="systemd" + container_flag="true" ;; connect | c) ((++cmd_lock)) 
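Review bot: `__protonvpn_disconnect` now calls `__resolvconf_down_hook` only when `__is_skip_dns_config` is true — the inverse of `__protonvpn_connect`, which calls `__resolvconf_up_hook` only when it is false. In the default path (DNS configured) resolv.conf is never restored on disconnect and the system is left with whatever the up hook wrote; with DNS skipped, the hook reverts a file protonwire never touched while the log says it is skipping. An `else` is missing after the new log line: `log_info "Skipping DNS configuration"` / `else` / `if __resolvconf_down_hook; then`, with the existing inner `fi` then closed by the outer `fi`. `__protonvpn_disconnect` starts before and ends after this hunk.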
@@ -2871,11 +2562,6 @@ function main() { ((++args_errors)) fi - if [[ ${looper_lock} -gt 1 ]]; then - log_error "Cannot use --container and --systemd at the same time." - ((++args_errors)) - fi - if [[ $cmd_lock -gt 1 ]]; then log_error "More than one exclusive command specified!" ((++args_errors)) @@ -2899,14 +2585,12 @@ function main() { fi fi - if [[ $cmd_mode == "HEALTHCHECK" ]] && [[ $__PROTONWIRE_LOOPER == "container" ]]; then + if [[ $cmd_mode == "HEALTHCHECK" ]] && [[ $container_flag == "true" ]]; then cmd_mode="HEALTHCHECK_CONTAINER" fi - if [[ $cmd_mode == "CONNECT" ]]; then - if [[ $__PROTONWIRE_LOOPER == "container" ]] || [[ $__PROTONWIRE_LOOPER == "systemd" ]]; then - cmd_mode="LOOPER" - fi + if [[ $cmd_mode == "CONNECT" ]] && [[ $container_flag == "true" ]]; then + cmd_mode="LOOPER" fi if [[ -n ${IPCHECK_INTERVAL} ]]; then diff --git a/rpm/protonwire.postinstall b/rpm/protonwire.postinstall deleted file mode 100644 index 941c70c..0000000 --- a/rpm/protonwire.postinstall +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/bash -# SPDX-License-Identifier: GPL-3.0 -# SPDX-FileCopyrightText: 2023 Prasad Tengse - -set -e - -systemd-sysusers protonwire.conf -/usr/lib/systemd/systemd-sysctl protonwire.conf -systemd-tmpfiles --create protonwire.conf diff --git a/rpm/protonwire.postremove b/rpm/protonwire.postremove deleted file mode 100644 index 9de0b7e..0000000 --- a/rpm/protonwire.postremove +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/bash -# SPDX-License-Identifier: GPL-3.0 -# SPDX-FileCopyrightText: 2023 Prasad Tengse - -set -e -deluser --quiet --system protonwire 2>/dev/null || userdel --force protonwire 2>/dev/null || true -delgroup --quiet --system protonwire 2>/dev/null || groupdel protonwire 2>/dev/null || true -systemd-tmpfiles --remove protonwire.conf 2>/dev/null || true diff --git a/rpm/protonwire.preremove b/rpm/protonwire.preremove deleted file mode 100644 index 508cfdb..0000000 --- a/rpm/protonwire.preremove +++ /dev/null 
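Review bot: After the `@@ -2871` hunk removes the only read of `looper_lock`, the variable is write-only: `declare -i looper_lock=0` (context in the `@@ -2738` hunk) and `((++looper_lock))` in the `--container` case (`@@ -2812` hunk) remain. Drop both, leaving `container_flag="true"` as the sole effect of `--container`, so a reader does not look for a second looper flag that no longer exists. `main` starts before and ends after these hunks.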
@@ -1,19 +0,0 @@ -#!/usr/bin/bash -# SPDX-License-Identifier: GPL-3.0 -# SPDX-FileCopyrightText: 2023 Prasad Tengse - -set -e - -echo "Disabling kill switch (if any)" -protonwire disable-killswitch || true -echo "Stopping unit potonwire" -systemctl stop -q protonwire || true - -for i in $(seq 100); do - echo "Waiting until unit $unit is stopped [attempt $i]" - if ! systemctl is-active -q protonwire; then - echo "protonwire is stopped." - break - fi - sleep 0.5 -done diff --git a/systemd/polkit/protonwire.pkla b/systemd/polkit/protonwire.pkla deleted file mode 100644 index 402e2df..0000000 --- a/systemd/polkit/protonwire.pkla +++ /dev/null @@ -1,49 +0,0 @@ -# SPDX-License-Identifier: GPL-3.0 -# SPDX-FileCopyrightText: 2023 Prasad Tengse - -# Do not modify this file manually -# This file is part of protonwire package. - -# Referece: https://github.com/systemd/systemd/blob/main/src/resolve/org.freedesktop.resolve1.policy - -[Allow protonwire to set-dns-servers] -Identity=unix-user:protonwire -Action=org.freedesktop.resolve1.set-dns-servers -ResultAny=yes -ResultInactive=yes -ResultActive=yes - -[Allow protonwire to change set-domains] -Identity=unix-user:protonwire -Action=org.freedesktop.resolve1.set-domains -ResultAny=yes -ResultInactive=yes -ResultActive=yes - -[Allow protonwire to set-default-route] -Identity=unix-user:protonwire -Action=org.freedesktop.resolve1.set-default-route -ResultAny=yes -ResultInactive=yes -ResultActive=yes - -[Allow protonwire to set set-dnssec] -Identity=unix-user:protonwire -Action=org.freedesktop.resolve1.set-dnssec -ResultAny=yes -ResultInactive=yes -ResultActive=yes - -[Allow protonwire to set-dns-over-tls] -Identity=unix-user:protonwire -Action=org.freedesktop.resolve1.set-dns-over-tls -ResultAny=yes -ResultInactive=yes -ResultActive=yes - -[Allow protonwire to revert links] -Identity=unix-user:protonwire -Action=org.freedesktop.resolve1.revert -ResultAny=yes -ResultInactive=yes -ResultActive=yes \ No newline at end of file 
diff --git a/systemd/polkit/protonwire.rules b/systemd/polkit/protonwire.rules
deleted file mode 100644
index 8d31ac6..0000000
--- a/systemd/polkit/protonwire.rules
+++ /dev/null
@@ -1,26 +0,0 @@
-// SPDX-License-Identifier: GPL-3.0
-// SPDX-FileCopyrightText: 2023 Prasad Tengse
-
-// Do not modify this file manually
-// This file is part of protonwire package.
-
-// Authorize 'protonwire' user to use
-// the systemd-resolved DBus interface
-polkit.addRule(function (action, subject) {
-
- if (action.id == 'org.freedesktop.resolve1.set-dns-servers' ||
- action.id == 'org.freedesktop.resolve1.set-domains' ||
- action.id == 'org.freedesktop.resolve1.set-default-route' ||
- action.id == 'org.freedesktop.resolve1.revert' ||
- action.id == 'org.freedesktop.resolve1.set-dns-over-tls' ||
- action.id == 'org.freedesktop.resolve1.set-dnssec') {
-
- // Allow protonwire user to use
- // systemd-resolved DBus interface
- if (subject.user == 'protonwire') {
- return polkit.Result.YES;
- }
- }
- // Let other rules decide
- return polkit.Result.NOT_HANDLED;
-});
diff --git a/systemd/sysctl.d/protonwire.conf b/systemd/sysctl.d/protonwire.conf
deleted file mode 100644
index 812fd97..0000000
--- a/systemd/sysctl.d/protonwire.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# SPDX-License-Identifier: GPL-3.0
-# SPDX-FileCopyrightText: 2023 Prasad Tengse
-
-# This file is part of protonwire package.
-net.ipv4.conf.all.rp_filter = 2
diff --git a/systemd/system/protonwire.service b/systemd/system/protonwire.service
deleted file mode 100644
index 94c3059..0000000
--- a/systemd/system/protonwire.service
+++ /dev/null
@@ -1,101 +0,0 @@
-# SPDX-License-Identifier: GPL-3.0
-# SPDX-FileCopyrightText: 2023 Prasad Tengse
-#
-# This file is part of protonwire package.
-
-[Unit]
-Description=ProtonVPN Wireguard Client
-Documentation=man:protonwire(1)
-Documentation=https://github.com/tprasadtp/protonvpn-docker
-
-# Wait for Network dependency (networking)
-Wants=network-online.target
-After=network-online.target
-After=systemd-resolved.service
-
-[Service]
-# Service Type
-# ----------------------------------------
-Type=notify
-NotifyAccess=all
-
-# Service Identity
-# ----------------------------------------
-User=protonwire
-Group=protonwire
-SupplementaryGroups=systemd-network
-
-# Service Settings and Environment
-# ----------------------------------------
-Environment=HOME=/var/lib/protonwire
-Environment=LANG=C.UTF-8
-EnvironmentFile=-/etc/defaults/protonwire
-EnvironmentFile=-/etc/protonwire/*.env
-
-## OOM Settings
-# ----------------------------------------
-ManagedOOMPreference=avoid
-OOMPolicy=stop
-
-# Sandboxing (Capabilities & System calls)
-# ----------------------------------------
-AmbientCapabilities=CAP_NET_ADMIN
-CapabilityBoundingSet=CAP_NET_ADMIN
-SystemCallFilter=@system-service
-SystemCallArchitectures=native
-
-## Sandboxing (Kernel, sysfs and procfs)
-# ----------------------------------------
-ProtectProc=invisible
-ProtectHostname=true
-ProtectControlGroups=true
-
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectKernelLogs=true
-KeyringMode=private
-
-ProtectClock=true
-RestrictRealtime=true
-
-RestrictNamespaces=true
-LockPersonality=true
-
-MemoryDenyWriteExecute=true
-RestrictSUIDSGID=true
-
-# Sandboxing (Filesystem)
-# ----------------------------------------
-ProtectSystem=full
-PrivateTmp=yes
-
-StateDirectory=protonwire
-CacheDirectory=protonwire
-RuntimeDirectory=protonwire
-RuntimeDirectoryPreserve=restart
-
-# Other Settings
-# ----------------------------------------
-IPAccounting=true
-CPUAccounting=true
-BlockIOAccounting=true
-MemoryAccounting=true
-TasksAccounting=true
-
-# Service commands
-# ----------------------------------------
-ExecStart=protonwire connect --systemd --logfmt journald
-
-# Service lifecycle
-# ----------------------------------------
-Restart=on-failure
-
-# Service timeouts & Watchdog
-# ----------------------------------------
-WatchdogSec=120
-TimeoutAbortSec=30
-TimeoutStopSec=30
-TimeoutStartSec=180
-
-[Install]
-WantedBy=multi-user.target
diff --git a/systemd/sysusers.d/protonwire.conf b/systemd/sysusers.d/protonwire.conf
deleted file mode 100644
index 3af0743..0000000
--- a/systemd/sysusers.d/protonwire.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: GPL-3.0
-# SPDX-FileCopyrightText: 2023 Prasad Tengse
-#
-# This file is part of protonwire package.
-#
-#Type Name ID GECOS Home directory Shell
-u protonwire - "Protonwire-User"
-m protonwire systemd-network
diff --git a/systemd/tmpfiles.d/protonwire.conf b/systemd/tmpfiles.d/protonwire.conf
deleted file mode 100644
index 244dc6c..0000000
--- a/systemd/tmpfiles.d/protonwire.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# SPDX-License-Identifier: GPL-3.0
-# SPDX-FileCopyrightText: 2023 Prasad Tengse
-#
-# This file is part of protonwire package.
-#
-#Type Path Mode User Group Age Argument
-D /var/cache/protonwire 755 protonwire protonwire 10d -