outline linux terminal client #1201

Open
ashwin31 opened this issue Feb 25, 2022 · 15 comments
Labels
feature request New feature, we are tracking it os/linux

Comments

@ashwin31

What would you like the app to enable you to do?
I want to use Outline from Docker or on a Linux server for CI/CD purposes. My git server can be accessed using VPN only.

Describe alternatives you've considered
Nothing at the moment. I need to explore

@ashwin31 ashwin31 added the feature request New feature, we are tracking it label Feb 25, 2022
@blshkv

blshkv commented Mar 22, 2022

The quick hint (after 5 minutes looking at the code):
https://github.com/Jigsaw-Code/outline-client/blob/master/src/electron/sslibev_badvpn_tunnel.ts

```
// Establishes a full-system VPN with the help of Outline's routing daemon and child processes
// ss-local and badvpn-tun2socks. ss-local listens on a local SOCKS server and forwards TCP and UDP
// traffic through Shadowsocks. badvpn-tun2socks processes traffic from a TAP device and relays to
// a SOCKS proxy. The routing service modifies the routing table so that the TAP device receives all
// device traffic.
//
// |TAP| <-> |badvpn-tun2socks| <-> |ss-local| <-> |Shadowsocks proxy|
```

```
ss-local -s x.x.x.x -p 65336 -k mypassword -m chacha20-ietf-poly1305 -l 1081 -u
```

and

```
badvpn-tun2socks.exe \
   --tundev "tap0901:outline-tap0:10.0.85.2:10.0.85.0:255.255.255.0" \
   --netif-ipaddr 10.0.85.1 --netif-netmask 255.255.255.0 \
   --socks-server-addr 127.0.0.1:1081 \
   --socks5-udp --udp-relay-addr 127.0.0.1:1081 \
   --transparent-dns
```

@ashwin31
Author

@blshkv can you tell how to do it from linux server

@blshkv

blshkv commented Mar 23, 2022

Ok, I figured it out. Here is how.

Get your key:

  1. `ss://<strBase64>@vpnServer:vpnPort/?outline=1`
  2. decode strBase64 into: cipher:accessKey, get vpnServer ip address
  3. start
     ```
     sudo OutlineProxyController --socket-filename=/var/run/outline_controller
     ```
  4. start
     ```
     ss-local -s vpnServerIP -p vpnPort -k accessKey -m cipher -l 1081 -u
     ```
  5. start
     ```
     badvpn-tun2socks --tundev outline-tun0 --netif-ipaddr 10.0.85.1 --netif-netmask 255.255.255.0 --socks-server-addr 127.0.0.1:1081 --transparent-dns --socks5-udp --udp-relay-addr 127.0.0.1:1081 --loglevel error
     ```
  6. Fix routing by running (press ctrl-C after)
     ```
     echo '{"action":"configureRouting","parameters":{"proxyIp":"vpnServerIP","isAutoConnect":false}}' | nc -U /var/run/outline_controller
     ```

To stop, run:

```
echo '{"action":"resetRouting","parameters":{}}' | nc -U /var/run/outline_controller
```

and kill all badvpn,ss-local and OutlineProxyController

P.S. OutlineController is not really required, you can fix routing table and /etc/resolv.conf manually
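
Step 2 of the procedure above (decoding `strBase64` into `cipher:accessKey`) as a shell function; this is an added example, not code from the thread or from the Outline project. The function names and the sample key are constructed, and the key layout is assumed to be the one shown in step 1.

```shell
#!/bin/sh
# Added example: split an Outline access key into the values ss-local needs.
# Assumed layout (step 1 above): ss://<base64(cipher:accessKey)>@host:port/?outline=1

# Prints four lines: host, port, cipher, accessKey. The body runs in a subshell,
# so "exit" only leaves the function and no variables leak into the caller.
parse_ss_key() (
  key=$1
  case $key in
    ss://*@*:*) ;;
    *) echo "not an ss:// access key" >&2; exit 1 ;;
  esac
  rest=${key#ss://}
  rest=${rest%%#*}      # drop an optional #tag
  rest=${rest%%\?*}     # drop the query (?outline=1)
  rest=${rest%/}        # drop the trailing slash
  userinfo=${rest%@*}
  hostport=${rest##*@}
  host=${hostport%:*}
  port=${hostport##*:}
  case $port in
    ''|*[!0-9]*) echo "bad port" >&2; exit 1 ;;
  esac
  # The user-info part is URL-safe base64, usually without '=' padding.
  b64=$(printf '%s' "$userinfo" | tr '_-' '/+')
  while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="$b64="; done
  decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || { echo "bad base64" >&2; exit 1; }
  case $decoded in
    *:*) ;;
    *) echo "decoded value is not cipher:accessKey" >&2; exit 1 ;;
  esac
  # Split on the first colon only: the access key itself may contain colons.
  printf '%s\n%s\n%s\n%s\n' "$host" "$port" "${decoded%%:*}" "${decoded#*:}"
)

# Constructed sample key (documentation address, made-up secret).
sample_key() {
  printf 'ss://%s@192.0.2.10:65336/?outline=1\n' \
    "$(printf '%s' 'chacha20-ietf-poly1305:constructed-secret' | base64 | tr -d '=\n' | tr '/+' '_-')"
}

if [ "${1:-}" = "--demo" ]; then
  parse_ss_key "$(sample_key)"
fi
```

Passing the decoded key with `ss-local -k` leaves it visible in the process list; ss-local can also read it from a JSON file given with `-c`.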

@Shahin-rmz

Hi, is this still legit?
I need outline terminal client for a computer located inside Iran.
I do not have access to its GUI.

@maddyhof maddyhof added this to End User Issues in [DEPRECATED] Outline (Classic) May 1, 2023
@fortuna
Collaborator

fortuna commented Jun 8, 2023

We have a prototype Linux command-line client at a branch of our SDK: https://github.com/Jigsaw-Code/outline-internal-sdk/tree/junyi-outline-cli/x/outline-cli

/cc @jyyi1

@blshkv

blshkv commented Jun 9, 2023

@jyyi1 unable to find https://github.com/Jigsaw-Code/outline-internal-sdk/blob/junyi-outline-cli/x/outline-cli/main.go#LL15C41-L15C41

"github.com/Jigsaw-Code/outline-internal-sdk/tun2socks/lwip"

could you help please?

@jyyi1
Contributor

jyyi1 commented Jun 12, 2023

Hi @blshkv , the CLI PR is not ready yet (so it's still in draft), but I'm actively working on that. The package (and all the APIs) have been totally redesigned, and the new package is "github.com/Jigsaw-Code/outline-internal-sdk/network/lwip2transport". Please feel free to try the API there.

But if you'd like to try a working CLI, you may use this PoC: https://github.com/jyyi1/outline-vpn-cli-poc. I'm migrating it to use the SDK.

@blshkv

blshkv commented Jun 14, 2023

```
./outline-vpn-cli-poc
OutlineVPN CLI (experimental-01271815)
panic: runtime error: index out of range [3] with length 2
```

any ideas?

@jyyi1
Contributor

jyyi1 commented Jun 15, 2023

This comment is now outdated, please refer to the comment below.

> ./outline-vpn-cli-poc
> OutlineVPN CLI (experimental-01271815)
> panic: runtime error: index out of range [3] with length 2
>
> any ideas?

```
sudo ./outline-vpn-cli-poc "<shadowsocks-server-ip-address>" <shadowsocks-server-port-number> "<shadowsocks-server-password>"
```

Use Ctrl+C to stop the server (if the server is not correctly stopped, you won't be able to launch it next time, because it will pollute your system routing table, so please try it with care)

@dmatora

dmatora commented Oct 27, 2023

@jyyi1 when I run outline-vpn-cli-poc, it kills local network and internet
what do I fill in the password field?
tried base64 cipher and accessKey

@jyyi1
Contributor

jyyi1 commented Oct 27, 2023

Hi @dmatora , the comment above is out-dated. Please refer to the latest outline-cli document: https://github.com/Jigsaw-Code/outline-sdk/tree/main/x/examples/outline-cli

@dmatora

dmatora commented Oct 29, 2023

@jyyi1
```
go build -o outline-cli -ldflags="-extldflags=-static" ./outline-cli

# github.com/Jigsaw-Code/outline-sdk/x/examples/outline-cli
/usr/bin/ld: /tmp/go-link-1001848889/000004.o: in function `_cgo_9c8efe9babca_C2func_getaddrinfo':
/tmp/go-build/cgo-gcc-prolog:58: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
```

```
go run github.com/Jigsaw-Code/outline-sdk/x/examples/outline-cli@latest -transport "ss://xxx@x.x.x.x:xxx/?outline=1"

OutlineVPN CLI (experimental)
[INFO] 2023/10/29 08:19:51 updated global IPv6 support: false
[INFO] 2023/10/29 08:19:51 remote server supports UDP, we will delegate all UDP packets to it
[INFO] 2023/10/29 08:19:51 OutlineDevice -> tun stopped: 0 <nil>
[INFO] 2023/10/29 08:19:51 tun -> OutlineDevice stopped: 48 network device already closed
[INFO] 2023/10/29 08:19:51 updated global IPv6 support: true
[ERROR] 2023/10/29 08:19:51 failed to configure system DNS: failed to backup DNS config file '/etc/resolv.conf.head' to '/etc/resolv.head.outlinecli.backup': rename /etc/resolv.conf.head /etc/resolv.head.outlinecli.backup: no such file or directory
```

`touch /etc/resolv.conf.head` gets it sort of working, but when outline client is running, only internet is working, local network (192.168.1.x) is dead, making it useless

@jyyi1
Contributor

jyyi1 commented Oct 30, 2023

Thanks @dmatora ,

The compilation warning and the local network routing are both expected. You can ignore the compilation warning.

The local network routing is also expected because we are adding "from all not to <outline-server-ip> via table <outline-tun-device-table>". This means that all traffic except traffic to the Outline server will be routed through the Outline's routing table (which is 233). As a result, the "192.168.1.x" subnet will be routed to the Outline server, and the server will not be able to access its own local network IP address. This behavior is the same for all of our products, including Outline Client and Intra.

To resolve this issue, we would need to implement split-tunneling. Split-tunneling would allow us to add more exception entries to the routing rules so that local network traffic would be routed to the default routing table instead of the Outline routing table. However, implementing split-tunneling would require a lot of work, and we have very limited bandwidth to implement that at this time.

As a workaround, you can use the command ip rule add to add exceptions with higher priority (we are using priority 23333, note that lower number means higher priority) to route all local network traffic to the default routing table (default) instead of the Outline routing table (233).

@dmatora

dmatora commented Oct 30, 2023

Local network is going down only when using outline cli. When using GUI client - this is not an issue. I've temporarily "solved" it by increasing VM storage/memory, installing XFCE and switching to GUI client. It is huge resource waste and an overkill but it works

@Kir-Antipov

Can we show a bit more love for outline-cli? I didn't even know it existed until I stumbled upon it entirely by accident in a completely unrelated issue (specifically, #1794). It isn't advertised in either this repository or the outline-sdk one, where it's actually located. At the very least, please consider including it in the README to enhance its discoverability, because it's highly unlikely that anyone will search for it in the examples directory of the SDK repo's "experimental" section. I certainly didn't.

Despite minor, easily fixable annoyances, outline-cli offers a superior user experience compared to the GUI client. It doesn't deserve to be buried the way it is now.

As for the annoyances, I could only discover two:

  1. The DNS resolver is hardcoded. This is also true for the GUI client, but given we compile outline-cli from the source anyways, I would say here the situation is somewhat better - we can alter the hardcoded string before the actual compilation. In my setup, I've implemented a simple 8-line patch enabling me to specify my preferred DNS through a custom &dns=<ip> URL parameter.
  2. LAN becomes inaccessible as requests to it are also redirected to the VPN server. The solution to this issue is pretty straightforward and has been described pretty well by @jyyi1 (one small addendum, for the most part, requests should use the main routing table, not the default one).

Even these present issues are manageable and, once again, easily fixable. And after dealing with those, we can tailor outline-cli and integrate it into our systems as we see fit. For instance, my setup, which includes like 2 shell scripts on top of the CLI itself, offers all the same features as the GUI (i.e., access key management and automatic reconnection to the server when your connection goes down) and even adds a few pleasant bonuses like global hotkeys (for example, I can toggle the VPN state via Super + v, and so on). For anyone interested, my setup can be found here: Kir-Antipov/outline-cli.
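
The `ip rule` workaround described by @jyyi1, with @Kir-Antipov's correction to use the `main` table, as an added example (not part of outline-cli or of either comment). The function name, the `APPLY` switch and the /8 limit are assumptions of this example; the priority 23333 and the table names come from the thread.

```shell
#!/bin/sh
# Added example (not from outline-cli): LAN exceptions for the catch-all rule.
# Values taken from the thread: Outline's rule has priority 23333 (table 233),
# a lower number wins, and the exceptions should look up the "main" table.
OUTLINE_RULE_PRIO=23333

# lan_rules add|del CIDR...  prints one "ip rule" command per IPv4 prefix.
# With APPLY=1 (as root) the commands are executed instead of printed.
lan_rules() (
  action=$1
  case $action in
    add|del) shift ;;
    *) echo "usage: lan_rules add|del CIDR..." >&2; exit 2 ;;
  esac
  prio=$OUTLINE_RULE_PRIO
  for cidr in "$@"; do
    addr=${cidr%/*}
    len=${cidr##*/}
    case $cidr in */*) ;; *) len= ;; esac        # a prefix length is required
    case $addr in ''|*[!0-9.]*) len= ;; esac      # address: digits and dots only
    case $len in ''|*[!0-9]*) echo "bad prefix: $cidr" >&2; exit 1 ;; esac
    # Assumed policy of this example: refuse anything wider than /8, so a typo
    # such as 0.0.0.0/0 cannot send most traffic around the tunnel.
    if [ "$len" -lt 8 ] || [ "$len" -gt 32 ]; then
      echo "refusing prefix length /$len: $cidr" >&2; exit 1
    fi
    prio=$((prio - 1))     # each exception sorts ahead of Outline's rule
    cmd="ip rule $action to $cidr lookup main priority $prio"
    if [ "${APPLY:-0}" = 1 ]; then
      $cmd || exit 1
    else
      printf '%s\n' "$cmd"
    fi
  done
)

if [ "${1:-}" = "--demo" ]; then
  lan_rules add 192.168.1.0/24     # constructed sample: the LAN from the thread
fi
```

Calling `lan_rules del` with the same prefixes in the same order removes the rules again, since each prefix gets the same priority as when it was added.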
