DietPi-VPN | Rework from DietPi-NordVPN with ProtonVPN and custom provider support #4180

Merged
merged 98 commits into from
Mar 28, 2021


ravenclaw900
Collaborator

@ravenclaw900 ravenclaw900 commented Mar 7, 2021

Status: Ready

  • Add way to connect to ProtonVPN
  • Add way to just use generic OpenVPN file
  • Test with ProtonVPN
  • Test with NordVPN
  • Add killswitch

Reference: #3948

Commit list/description:

  • DietPi-VPN | Start transition from dietpi-nordvpn to dietpi-vpn
  • DietPi-Software | Add way to download and parse ProtonVPN server list
  • DietPi-VPN | Add way to select ProtonVPN Servers
  • DietPi-VPN | Add way to generate .ovpn file
  • DietPi-Software | Switch from NordVPN to VPN
  • DietPi.bash | Add missing DietPi-VPN alias
  • Patches | Remove DietPi-NordVPN

+ DietPi-VPN | Start transition from dietpi-nordvpn to dietpi-vpn
+ DietPi-Software | Add way to download and parse ProtonVPN server list
@ravenclaw900 ravenclaw900 added this to the v7.1 milestone Mar 7, 2021
@ravenclaw900 ravenclaw900 self-assigned this Mar 7, 2021
+ DietPi-VPN | Completely replace all NORDVPN variables with more generic VPN variables
+ DietPi-VPN | Add ProtonVPN template
+ DietPi-VPN | Add way to select ProtonVPN Servers
+ DietPi-VPN | CodeFactor fixes
@ravenclaw900 ravenclaw900 linked an issue Mar 8, 2021 that may be closed by this pull request
+ DietPi-VPN | Add way to generate .ovpn file
@ravenclaw900 ravenclaw900 marked this pull request as ready for review March 8, 2021 00:35
+ DietPi-Software | Fix regex
+ DietPi-VPN | CodeFactor Fixes
+ DietPi-Software | Syntax fix
+ DietPi-Software | Switch from NordVPN to VPN
+ DietPi-VPN | Fix regex syntax
+ DietPi-VPN | Fix _INSTALLED variables
+ DietPi-VPN | Switch from (()) to [[]]
+ Patches | Remove DietPi-NordVPN
+ DietPi-VPN | Remove [[]]
+ DietPi-VPN | Exclude first (blank) line when getting server names
+ DietPi-VPN | Fix skipping first line
+ DietPi-VPN | Add missing )
+ DietPi-VPN | Fix rm failing silently
+ DietPi-VPN | Just keep rm as it is
@ravenclaw900
Collaborator Author

ravenclaw900 commented Mar 8, 2021

I'm a little lost on why the G_WHIP_MENU to select a server isn't working. The array seems to be fine, and it worked when I didn't remove the first line.
EDIT: The array doesn't actually work outside of the loop for some reason. Inside everything's fine.

@MichaIng
Owner

MichaIng commented Mar 8, 2021

Awesome! I didn't know about and love envsubst for automatic variable call substitutions in files.

I'll test what is wrong with the array, at least I cannot see an obvious issue currently. Pipes and redirects work a bit differently, probably you can try:

while read -r server
do
	G_WHIP_MENU_ARRAY+=("$(echo "$server" | awk -F\" '/"Name":/{print $4;exit}')" '')
done < <(tail -n +2 "$PROTONVPN_SERVERS")

to bring the list into the loop. Also the list could be trimmed in the first place, so that it's much easier and faster to create the menu from that list:

curl -sSfL https://api.protonvpn.ch/vpn/logicals | sed 's/"Domain":"/\n/g' | mawk -F\" 'NR % 2 == 0 {print $1}'
  • Add newline before each domain.
  • Print only until first ", which contains the domain.
  • Print only even lines, since there are two identical domain fields for each server and to exclude the first line.

A few other ideas:

  • Since we have an "update" feature which downloads the server list/configs, actually the dietpi-software install option is obsolete IMO. We should simply remove it. But we need to add a provider selection menu entry. When dietpi-vpn is called the first time, one needs to select the VPN provider, which downloads/updates the list/configs for the chosen provider. The steps for the "Update" entry need to become an own function then.
  • The ProtonVPN OVPN file creation should btw be done as part of the Save_Settings function, so that selections (aside of provider selection of course) stay purely temporary and do nothing until "Apply" is selected.
  • To not have OVPN file overlaps, sub directories for each provider would be an idea, which then also serves as indicator whether the server list does already exist or not for the chosen provider.
  • As currently all ProtonVPN configs are removed, before a new one is created, what about keeping it simple and creating a single protonvpn.ovpn file that is simply overwritten? No need to keep the domain/server name and port part of the config file name, IMO. In case of NordVPN, it's simply the file names their archive ships, so for simplicity that is kept. Although in case of NordVPN, the chosen server's OVPN could be copied to a static nordvpn.ovpn as well. ... Not thinking about it, why not use a single client.ovpn file for all providers, so the service file does not even need to be changed and we can make it a static service file here: https://github.com/MichaIng/DietPi/tree/master/rootfs/etc/systemd/system ... So /etc/openvpn/nordvpn/ and /etc/openvpn/protonvpn/ for provider-specific stuff and /etc/openvpn/client.ovpn is the config that is always used.

+ DietPi-VPN | Make standalone
+ DietPi-VPN | Simplify ProtonVPN list
+ DietPi-Software | Remove DietPi-(Nord)VPN
+ DietPi-VPN | Move VPN config generation to Save_Settings
+ DietPi-VPN | Use generic client.ovpn file for all VPN providers
+ DietPi-Bash | Align DietPi-VPN alias with changed path
+ DietPi-Services | Remove trailing white space
@MichaIng
Owner

MichaIng commented Mar 28, 2021

Well, now it doesn't even look like the script is being run. It doesn't turn off IPv6, and it can't create a file in my home directory.

  • There was a syntax error when applying the killswitch rules. But it should not affect disabling IPv6, let me see. Probably it's easier to call the scripts via ExecStartPre and ExecStopPost commands from the systemd service. It's not strictly tied to the actual OpenVPN connection itself (which can be started manually) but to the service only, but further simplifies the client configurations and allows even custom up/down commands (instead of only route-up and route-pre-down) 🤔.
  • It's expected that the service cannot write to any home directory due to ProtectHome=true in the systemd unit. It's a system service, not a user service, so must not be set up to read/write anything to/from a login user's home directory, at least that's the idea behind those (default) service hardenings.

Disabling and re-enabling IPv6 works here as expected:

Mar 28 16:51:41 VM-Buster openvpn[2369]: /var/lib/dietpi/dietpi-vpn/static_up.sh tun0 1500 1585 10.8.2.3 255.255.255.0 init
Mar 28 16:51:41 VM-Buster openvpn[2369]: net.ipv6.conf.all.disable_ipv6 = 1
Mar 28 16:51:41 VM-Buster openvpn[2369]: net.ipv6.conf.default.disable_ipv6 = 1
Mar 28 16:51:42 VM-Buster openvpn[2369]: /sbin/ip route add 185.220.70.235/32 via 192.168.1.1
Mar 28 16:51:42 VM-Buster openvpn[2369]: /sbin/ip route add 0.0.0.0/1 via 10.8.2.1
Mar 28 16:51:42 VM-Buster openvpn[2369]: /sbin/ip route add 128.0.0.0/1 via 10.8.2.1
Mar 28 16:51:42 VM-Buster openvpn[2369]: Initialization Sequence Completed
Mar 28 16:52:27 VM-Buster openvpn[2369]: event_wait : Interrupted system call (code=4)
Mar 28 16:52:27 VM-Buster openvpn[2369]: SIGTERM received, sending exit notification to peer
Mar 28 16:52:27 VM-Buster systemd[1]: Stopping VPN Client (DietPi)...
Mar 28 16:52:28 VM-Buster openvpn[2369]: /sbin/ip route del 185.220.70.235/32
Mar 28 16:52:28 VM-Buster openvpn[2369]: /sbin/ip route del 0.0.0.0/1
Mar 28 16:52:28 VM-Buster openvpn[2369]: /sbin/ip route del 128.0.0.0/1
Mar 28 16:52:28 VM-Buster openvpn[2369]: Closing TUN/TAP interface
Mar 28 16:52:28 VM-Buster openvpn[2369]: /sbin/ip addr del dev tun0 10.8.2.3/24
Mar 28 16:52:28 VM-Buster openvpn[2369]: /var/lib/dietpi/dietpi-vpn/static_down.sh tun0 1500 1585 10.8.2.3 255.255.255.0 init
Mar 28 16:52:28 VM-Buster openvpn[2369]: net.ipv6.conf.all.disable_ipv6 = 0
Mar 28 16:52:28 VM-Buster openvpn[2369]: net.ipv6.conf.default.disable_ipv6 = 0
Mar 28 16:52:28 VM-Buster openvpn[2369]: SIGTERM[soft,exit-with-notification] received, process exiting
Mar 28 16:52:28 VM-Buster systemd[1]: dietpi-vpn.service: Succeeded.
Mar 28 16:52:28 VM-Buster systemd[1]: Stopped VPN Client (DietPi).
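The ordering visible in the log above (IPv6 disabled before the tunnel reports up, re-enabled only after the TUN device is closed) can be checked mechanically. This is an added example, not DietPi code; the sample lines are constructed from the excerpt above, and the function name `check_ipv6_guard` and its verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example, not DietPi code. Sample logs are constructed, modelled on the
# journal excerpt above (timestamp and host prefix trimmed).
SAMPLE_OK='openvpn[2369]: net.ipv6.conf.all.disable_ipv6 = 1
openvpn[2369]: net.ipv6.conf.default.disable_ipv6 = 1
openvpn[2369]: Initialization Sequence Completed
openvpn[2369]: Closing TUN/TAP interface
openvpn[2369]: net.ipv6.conf.all.disable_ipv6 = 0
openvpn[2369]: net.ipv6.conf.default.disable_ipv6 = 0'

# Constructed failure: the tunnel reports up before IPv6 was disabled.
SAMPLE_LATE='openvpn[2369]: Initialization Sequence Completed
openvpn[2369]: net.ipv6.conf.all.disable_ipv6 = 1
openvpn[2369]: net.ipv6.conf.default.disable_ipv6 = 1'

# Constructed failure: IPv6 is re-enabled while the tunnel is still up.
SAMPLE_EARLY='openvpn[2369]: net.ipv6.conf.all.disable_ipv6 = 1
openvpn[2369]: net.ipv6.conf.default.disable_ipv6 = 1
openvpn[2369]: Initialization Sequence Completed
openvpn[2369]: net.ipv6.conf.all.disable_ipv6 = 0
openvpn[2369]: Closing TUN/TAP interface'

# check_ipv6_guard: read journal lines on stdin and print one verdict:
#   ok                    IPv6 was disabled for the whole tunnel lifetime
#   ipv6-on-at-connect    tunnel came up while IPv6 was still enabled
#   ipv6-reenabled-early  IPv6 re-enabled before the TUN device was closed
#   no-session            no completed connection found in the input
check_ipv6_guard() {
	awk '
		/conf\.all\.disable_ipv6 = 1/     { all = 1 }
		/conf\.default\.disable_ipv6 = 1/ { def = 1 }
		/Initialization Sequence Completed/ {
			seen = 1; up = 1
			if (!(all && def) && bad == "") bad = "ipv6-on-at-connect"
		}
		/Closing TUN\/TAP interface/ { up = 0 }
		/conf\.(all|default)\.disable_ipv6 = 0/ {
			if (up && bad == "") bad = "ipv6-reenabled-early"
			all = 0; def = 0
		}
		END {
			if (!seen) print "no-session"
			else if (bad != "") print bad
			else print "ok"
		}
	'
}

printf '%s\n' "$SAMPLE_OK" | check_ipv6_guard
```

Against a live unit the same function can be fed from `journalctl -u dietpi-vpn -o cat`.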

+ DietPi-VPN | When stopping the service, disable killswitch first (as this is more important) and re-enable IPv6 afterwards
MichaIng
MichaIng previously approved these changes Mar 28, 2021
@MichaIng MichaIng requested a review from Joulinar March 28, 2021 15:05
+ CHANGELOG | DietPi-NordVPN: The script received a major rework to allow being setup as ProtonVPN client and even with a custom OVPN config
+ DietPi-Banner | Rename VPN status menu entry
MichaIng
MichaIng previously approved these changes Mar 28, 2021
+ DietPi-VPN | Bump timeout up a little bit more, as connecting to free servers can take a while
@MichaIng
Owner

@ravenclaw900
Does it work for you now with switching IPv6?

@ravenclaw900
Collaborator Author

Screen Shot 2021-03-28 at 2 16 48 PM

Looks like it.

@MichaIng
Owner

Perfect, let's merge.

@MichaIng MichaIng changed the title DietPi-Software | ProtonVPN DietPi-VPN | Rework from DietPi-NordVPN with ProtonVPN and custom provider support Mar 28, 2021
@MichaIng MichaIng merged commit ddb04d1 into dev Mar 28, 2021
@MichaIng MichaIng deleted the protonvpn branch March 28, 2021 19:33
@zizou1912

Status: Ready

  • Add way to connect to ProtonVPN
  • Add way to just use generic OpenVPN file
  • Test with ProtonVPN
  • Test with NordVPN
  • Add killswitch

Reference: #3948

Commit list/description:

  • DietPi-VPN | Start transition from dietpi-nordvpn to dietpi-vpn
  • DietPi-Software | Add way to download and parse ProtonVPN server list
  • DietPi-VPN | Add way to select ProtonVPN Servers
  • DietPi-VPN | Add way to generate .ovpn file
  • DietPi-Software | Switch from NordVPN to VPN
  • DietPi.bash | Add missing DietPi-VPN alias
  • Patches | Remove DietPi-NordVPN

Could you please add support for "Private Internet Access" Wireguard VPN? They have an open-source script for it. Here https://www.privateinternetaccess.com/helpdesk/kb/articles/manual-connection-and-port-forwarding-scripts

@ravenclaw900
Collaborator Author

ravenclaw900 commented Apr 6, 2021

Hello,
Note that you can use any .ovpn file with DietPi-VPN, and installing WireGuard from DietPi-Software will let you use it as a client. DietPi-VPN doesn't support custom VPN starting scripts.

@zizou1912

zizou1912 commented Apr 6, 2021 via email

@ravenclaw900
Collaborator Author

As of yet, DietPi-VPN doesn't actually support WireGuard, just OpenVPN.

@MichaIng
Owner

MichaIng commented Apr 6, 2021

Indeed, WireGuard for public VPN providers is difficult, as WireGuard itself requires static IPs for each client, stored in the server config, which is a privacy issue. For this reason, public providers do not use WireGuard natively, but wrap it into their own custom scripts or tools, often but not always open-source, to have a wrapping NAT or regular IP rotation.

Implementing/copying and maintaining/updating the needs for those WireGuard wrappers for each VPN provider into DietPi-VPN is IMO not reasonable. If someone finds time to figure it out for a particular provider, and it does not explode the size of the script, I'm fine with it, but from myself it would draw too much time away from more important things.

Light at the horizon is that the WireGuard developers are working on an internal dynamic IP implementation already. Not sure what state it is in, but with that it should be possible for providers to ship a native WireGuard client config file, which can then be reasonably natively integrated into DietPi-VPN 😃.

@zizou1912

zizou1912 commented Apr 6, 2021 via email

@Joulinar
Collaborator

Joulinar commented May 10, 2021

@ravenclaw900
@MichaIng
Can one of you have a look at the forum https://dietpi.com/phpbb/viewtopic.php?t=8997

There is a user having issues using IPv6 while NordVPN is enabled. If I understood correctly, it has been disabled by design #4180 (comment)

@MichaIng
Owner

If I understood correctly, it has been disabled by design

Exactly. Otherwise IPv6 requests would bypass the VPN. NordVPN and ProtonVPN both do not support IPv6.

Successfully merging this pull request may close these issues.

DietPi-Software | ProtonVPN
4 participants