mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

Support flatpak #524

Open baimafeima opened 5 years ago

baimafeima commented 5 years ago

The best solution is obviously to have mullvadvpn-app included in the repositories of an operating system. But as this will take lots of time and people use different operating systems, could you make an additional flatpak release for easier cross-platform installation? This would also allow it to be hosted on Flathub and attract more potential users. When making a Flatpak release, keep in mind that the security will depend on how well it is packaged by the vendor.

thomhoess commented 4 years ago

Please! I'm on Solus and it's a hassle to get up and running, if not Flatpak maybe Appimage (#1123) or Snap (#847) - one of them would be sufficient, it would be great to have it in a format in which it can run everywhere - my personal taste would say to make a flatpak. Thank you!

encryptophile commented 3 years ago

+1 for this. I've been a Mullvad user for years, and strongly support the project. Offering a universal installation package (Flatpak, Appimage, etc) would be extremely helpful.

joffaMac commented 3 years ago

Please, make a flatpak of your great product. Please. Thank you.

Ramblurr commented 3 years ago

The Silverblue team at Fedora offered to help do this: https://twitter.com/teamsilverblue/status/1273212527137165313

Did anyone at Mullvad ever follow up? The Silverblue team would be a great resource to tap to create a flatpak.

joffaMac commented 3 years ago

Thanks for following up but alas no, Mullvad seem to have absolutely no interest in making a flatpak. Back on 1Nov2020 I sent an email asking and got this reply:

> We currently don't offer any flatpack. We do only offer a rpm and .deb package currently.
> I will forward the information to our developers but I don't think we currently will add any flatpack.

I've done a couple of reply tweets to some of the Mullvad news updates since that email, trying to suggest they make a flatpak, but never had a comment/reply back.

As I'm just a user and not a developer, I've decided Mullvad clearly have no interest in flatpak, so I use the CLI on my 2 Fedora Silverblue machines (as per this url - https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/) and their app on my Android phone.

1player commented 2 years ago

Any update? This has been open for 3 years, and Flatpaks are here to stay. Can the community help in any way?

joffaMac commented 2 years ago

> Any update? This has been open for 3 years, and Flatpaks are here to stay. Can the community help in any way?

No update from me as I read somewhere recently that Mullvad don't have the resources/time to look at a flatpak version - if the community can help, then please go for it.

poperigby commented 2 years ago

Still no update?

ghost commented 2 years ago

> Any update? This has been open for 3 years, and Flatpaks are here to stay. Can the community help in any way?

> No update from me as I read somewhere recently that Mullvad don't have the resources/time to look at a flatpak version - if the community can help, then please go for it.

> Still no update?

Any update why not drop Snap one and do Flatpak instead? Snap is used exclusively on Ubuntu, so dropping it for flatpak (any distribution is better).

faern commented 2 years ago

We don't have any Snap support to drop. Any Snap package you find is a third party package. We only distribute the Linux app via the RPM and DEB files we upload to our website and Github. ANY other distribution method is an unofficial third party distribution of our app on Linux.

Kabouik commented 2 years ago

This is not a great long term solution, but you might be interested in this: #3412

https://user-images.githubusercontent.com/7107523/157864056-0fe96f81-499e-46e6-9c4e-d7eae0bbaddd.mp4

ghost commented 2 years ago

I wish for an official flatpak support as well. I've been using Mullvad for months, but I recently moved to Linux and decided to use Arch distro, and while the GUI client is available through AUR, it's not maintained by Mullvad, is it?

The installation instructions for Linux on the Mullvad website mention this AUR package: https://aur.archlinux.org/packages/mullvad-vpn-bin The Arch wiki mentions this one instead: https://aur.archlinux.org/packages/mullvad-vpn

Both are maintained by the same maintainer.

Might be unrelated, but the package requires importing GPG key from Mullvad itself during installation, which enhances security. I have checked the PKGBUILDS, and while they don't have malicious code in them, does Mullvad trust this maintainer, and can I trust them too? Having an unofficial maintainer of a sensitive application gives me slight concern. Of course, I can always use wireguard, but I just want to be sure.

faern commented 2 years ago

> Arch distro, and while the GUI client is available through AUR, it's not maintained by Mullvad, is it?

Correct. The AUR packages are not maintained by us!

Regarding mullvad-vpn-bin vs mullvad-vpn. The former just unpacks a prebuilt package. The latter builds the app from source. If packaged correctly both should yield the same app.

> I have checked the PKGBUILDS, and while they don't have malicious code in them, does Mullvad trust this maintainer, and can I trust them too?

We don't endorse the usage of this third party package. We have also not seen any malicious code in that package. But since we are not in control of the package we can't give any guarantees as to how it will behave in the future. You are correct to be concerned. If you want to be careful, check out the PKGBUILDS before each upgrade, or use vanilla WireGuard IMO.
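Added example (not code from this thread, from Mullvad or from the AUR maintainer): one way to do the "check the PKGBUILD before each upgrade" step is to compare only the fields that decide what is fetched, how it is verified and what runs at packaging time. The PKGBUILD fragments, host names, checksums and key fingerprint are constructed placeholders, and the extraction is a heuristic, not a bash parser.

```python
import re
import shlex

# PKGBUILD variables that decide what is fetched and how it is verified.
FIELDS = r"pkgver|source|sha256sums|sha512sums|b2sums|validpgpkeys|install"
ASSIGN = re.compile(rf"^((?:{FIELDS})(?:_\w+)?)=(?:\((.*?)\)|([^\n]*))", re.M | re.S)
FUNC = re.compile(r"^(prepare|build|package)\(\)\s*\{\n(.*?)^\}", re.M | re.S)

def extract(pkgbuild):
    """Heuristic extraction; a PKGBUILD is bash, so this is not a full parser."""
    items = {}
    for name, array, scalar in ASSIGN.findall(pkgbuild):
        items[name] = shlex.split(array or scalar)
    for name, body in FUNC.findall(pkgbuild):
        items[name + "()"] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return items

def real(sums):  # 'SKIP' disables the integrity check for that source
    return [s for s in sums if s != "SKIP"]

def review(old, new):
    """List (severity, field, removed, added) for every trust-relevant change."""
    a, b = extract(old), extract(new)
    bumped = a.get("pkgver") != b.get("pkgver")
    findings = []
    for key in sorted(set(a) | set(b)):
        before, after = a.get(key, []), b.get(key, [])
        removed = [x for x in before if x not in after]
        added = [x for x in after if x not in before]
        if removed or added:
            # New checksums are routine only with a version bump and no lost checksum.
            routine = key == "pkgver" or (
                "sums" in key and bumped and len(real(after)) >= len(real(before)))
            findings.append(("routine" if routine else "REVIEW", key, removed, added))
    return findings

# Constructed PKGBUILD fragments (placeholder host, checksum and key).
OLD = '''pkgver=1.0
source=("https://example.invalid/app_${pkgver}.deb"
        "https://example.invalid/app_${pkgver}.deb.asc")
sha256sums=('1111' 'SKIP')
validpgpkeys=('PLACEHOLDER_FINGERPRINT')
package() {
  bsdtar -xf data.tar.xz -C "$pkgdir"
}
'''
NEW = '''pkgver=1.1
source=("https://downloads.example.invalid/app_${pkgver}.deb")
sha256sums=('SKIP')
package() {
  bsdtar -xf data.tar.xz -C "$pkgdir"
}
'''
print(*review(OLD, NEW), sep="\n")
```

Anything marked `REVIEW` (a changed source host, a dropped signature file or key, a checksum replaced by `SKIP`, an edited function body) is what to read by hand before upgrading.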

dginovker commented 2 years ago

I've posted a Request on Flathub's Discourse, if everyone can go show support over there we might get the attention of someone in the community with the talent to do this :tada:! https://discourse.flathub.org/t/vpn-mullvad-vpn/2594

who-biz commented 1 year ago

@thomhoess

> Please! I'm on Solus and it's a hassle to get up and running, if not Flatpak maybe Appimage (#1123) or Snap (#847) - one of them would be sufficient, it would be great to have it in a format in which it can run everywhere - my personal taste would say to make a flatpak. Thank you!

I have made an AppImage-compiling source available here: https://github.com/who-biz/mullvadvpn-app-appimage. I am running it on Solus. See README for additional information, and use these steps as support if you get confused: https://discuss.getsol.us/d/7853-mullvad-client-20215.

Converting the build config in gui/tasks/distribution.js should not be difficult if you'd like to modify it further to generate a Flatpak instead.

1player commented 1 year ago

That AppImage is cool, but sadly still requires modifying the system files, which defeats the purpose IMHO.

There doesn't seem to be a way of neatly packaging Mullvad because it's a monolithic package that both ships a GUI and all the system files, while the correct approach would be to, at least on Linux, have it split between the system daemon part that needs root privileges and is required to be installed with your regular package manager, and the standalone GUI part that can be distributed as Flatpak, AppImage, etc.

One example of this in the Flatpak world is Piper, a GUI to control your mouse configuration. It depends on the ratbagd daemon, which has to be installed with apt/dnf/what have you, while the Flatpak only provides the unprivileged GUI.

@faern Are there any plans on splitting the application accordingly, instead of putting everything into a single package? In other words, splitting the daemon which needs root access, and the UI in two separate packages that can be distributed separately (with the latter being shipped as Flatpak, Snap, AppImage, etc.)

who-biz commented 1 year ago

For users of distributions with custom package management systems (non-rpm-based), above solves the "I can't run mullvad except through NetworkManager and OpenVPN"... That repo is not meant to be ready-to-distribute, but rather a get-this-working.

Killswitch, Wireguard, other things that do not exist or work poorly, in NetworkManager, are at least functional if compiled this way.

kinghat commented 1 year ago

ivpn has a snap package but forgoes split tunneling as a tradeoff: https://www.ivpn.net/apps-linux/#snap

Kabouik commented 1 year ago

For unsupported distributions using systemd, there is also https://github.com/mullvad/mullvadvpn-app/issues/3412. It is not a great solution, and it uses opinionated folders, but it works great for me on Solus with very little to do to install or update. I'm very glad to see an AppImage too, surely this will be used by a wider audience.

However, I have moved recently to Guix, which is more like NixOS than regular distributions, and there neither the installer script nor the AppImage would work. A Flatpak would work, though, so I'd be happy if Mullvad could release one one day. In the mean time, I use this: https://gitlab.com/emacsomancer/volemad

faern commented 1 year ago

> @faern Are there any plans on splitting the application accordingly, instead of putting everything into a single package? In other words, splitting the daemon which needs root access, and the UI in two separate packages that can be distributed separately (with the latter being shipped as Flatpak, Snap, AppImage, etc.)

We have been discussing it a little bit. But no concrete plans. We have discussed it only in terms of allowing users who prefer the CLI and/or want to use it on a headless server etc to install just the daemon + cli with a smaller package.

How is for example the solus problem solved by splitting the packages? As you write, you need to install the system service anyway, and that has to be done via the system package manager.

We have not researched flatpak a whole lot. But it seems like the wrong type of package for this type of software. Flatpak is designed to isolate and sandbox your application. To protect your system from the application. Our software is kind of the other way around. We need to take control over the system to protect the user and other software. We need full access to the firewall, setting DNS, editing the routing table etc.

1player commented 1 year ago

> Flatpak is designed to isolate and sandbox your application.

Yes and no. Flatpak is designed to simplify distribution. But your confusion is valid, as a VPN is a very particular application that requires privileged access to the host, so it doesn't map perfectly to this model.

The problem is that the regular distribution methods, such as deb/rpm/etc. have their own massive drawbacks as well, and the reason many distributions are moving to Flatpak is to reduce the maintenance and security burden of packaging and distributing everything via deb, but, if possible, to let the upstream developer package once and distribute to all Linux users, whatever their distro. Since it runs on a Linux namespace (i.e. container), it solves the "works on my machine" issue, as the only hard dependency is the kernel.

So I understand your reluctance to see how Flatpak solves the Mullvad problem. It doesn't, but solves many other problems with simpler GUI applications, and if this program were split into Flatpak GUI and deb/rpm privileged core, it would fit neatly in this "new world order", if you will :)

Also, the problem with the current monolithic rpm/deb is that immutable distributions (such as Silverblue, or even the Steam Deck OS), have a read only /, except /etc, /home and /var, and Mullvad's packages write stuff outside of these read-write mounts, which of course breaks. These distribution models are quite niche but they're the direction the Linux userspace is going, such as Fedora or indeed what Valve has chosen to use for the Deck. I use Silverblue on my workstation, and sadly mullvad is the only application I cannot install because it doesn't play nice with this read-only root model, so I had to create a script to connect manually via wireguard-tools.

Hope this answers some of your questions.

faern commented 1 year ago

How/where do you suggest we install the mullvad-daemon part of our application on a system with read-only root?

1player commented 1 year ago

It can be installed anywhere in the read-only root (the system package manager has a way to access the read-only root as read-write when installing a package), but it should not write anything unless it's in /etc, /home or /var.

Sorry, I forget the specifics since it's been a few months since I've tried the rpm on my machine, but IIRC mullvad creates a log file under its /opt/Mullvad VPN root and that causes problems on that kind of systems (https://github.com/mullvad/mullvadvpn-app/issues/1570). But that's a separate issue.

faern commented 1 year ago

Hmm. We keep our daemon logs in /var/log/mullvad-vpn. Maybe something with electron-builder causes unexpected files to be spread out? After install we really should not write to anything except /etc/mullvad-vpn, /var/log/mullvad-vpn and /var/cache/mullvad-vpn. Please file anything other than that as separate issue if you have information about it.

the-spyke commented 1 year ago

If Flatpak doesn't support something required for a VPN client, then it's a good reason to open a discussion on Flatpak/XDG if a new portal or protocol is required.

CaptainMuskrat commented 11 months ago

There is a strong need for a Flatpak and/or Appimage release. It's strange that the Mullvad browser has a flatpak yet the actual VPN it's supposed to complement does not.

faern commented 11 months ago

I'm going to cite my own post from earlier in this thread:

> We have not researched flatpak a whole lot. But it seems like the wrong type of package for this type of software. Flatpak is designed to isolate and sandbox your application. To protect your system from the application. Our software is kind of the other way around. We need to take control over the system to protect the user and other software. We need full access to the firewall, setting DNS, editing the routing table etc.

The way our app is designed is that it takes control over the system (in certain areas). You as a user rely on us to guarantee security and anonymity. We feel like doing this from within a sandbox is backwards. I'm not saying Flatpak can't do this, we have not researched it yet. So it's both a question of it feeling wrong, and a question of not having had the time to investigate this yet.

the-spyke commented 11 months ago

@faern Even if it seems backward, Flatpak is the way to distribute apps today. And Flathub is the way to discover software.

BTW, Ubuntu will soon have Desktop Core edition where drivers and the kernel are distributed as snaps. So, a VPN client is not a problem. Your iOS app is already sandboxed.

sonnyp commented 11 months ago

Hello, I'm involved with GNOME, Flatpak and Flathub.

We are interested in supporting Flatpak clients such as the Mullvad VPN app. I'd be happy to talk about the philosophy of Flatpak and the constraints/requirements.

You can contact me at {my-github-username}@gnome.org

robke96 commented 5 months ago

+1 for Flatpak support!

spipau commented 3 weeks ago

Please make this happen, I'm annoyed by manually downloading .deb files to update my VPN and I don't want to add a new repository to apt

sunjam commented 3 weeks ago

Considering deb support has existed only for months, maybe calm it way down on feeling annoyed. Instead, be grateful.

spipau commented 3 weeks ago

@sunjam I am super calm, just want to keep my software updated in the most modern and easiest way. I am a paying customer and I just share my frustration with the company so they can improve their service. If this would be an open source software free to use, then I'd be happy to compile it myself and be endlessly thankful without any frustration. Just as I am thankful for the great work of Mullvad but I see some room for improvement on the Linux side as .debs to be downloaded or custom repos are simply not the Linux way. Every time my Mullvad VPN statusbar icon has a yellow dot I have to manually download a deb file, then search online for the terminal command as I always forget it because Mullvad VPN is the only software I use which is handling their updates in such a way. Therefore, hope to see flatpak support very soon :slightly_smiling_face:

Kabouik commented 2 weeks ago

While the hassle of manually downloading .deb files at every update is real, I think the real issue is .deb files are not distro-agnostic. There are many Linux users left behind when the company just provides .deb files for Linux support and calls it a day.

Ideally, a distro-agnostic package, such as Flatpak, Guix, or even Appimage (though Appimages won't work on all distributions either) would be very welcome, as well as builds for x86_64 and aarch64 architectures.

On 2024-08-16 08:41 Paul Spiesberger @.***> wrote:

> @sunjam I am super calm, just want to keep my software updated in the most modern and easiest way. I am a paying customer and I just share my frustration with the company so they can improve their service. If this would be an open source software free to use, then I'd be happy to compile it myself and be endlessly thankful without any frustration. Just as I am thankful for the great work of Mullvad but I see some room for improvement on the Linux side as .debs to be downloaded or custom repos are simply not the Linux way. Every time my Mullvad VPN statusbar icon has a yellow dot I have to manually download a deb file, then search online for the terminal command as I always forget it because Mullvad VPN is the only software I use which is handling their updates in such a way. Therefore, hope to see flatpak support very soon :slightly_smiling_face:


sunjam commented 2 weeks ago

> Every time my Mullvad VPN statusbar icon has a yellow dot I have to manually download a deb file, then search online for the terminal command

Try adding the repository to your sources list. That will make it part of the regular system update process on Debian, Ubuntu, Fedora. This will assuage the need for any searching or additional commands.