Open qdm12 opened 4 years ago
```json
{
"expiresAt": "2021-10-01T01:42:09+00:00",
"pubKey": "uIePn82CDAhyZ40vCfDoGSqv8tJOiJSHhiJsdni9u3o=",
"id": "926a72f4-2e62-45fd-b96f-95f785b10dbf"
}
```
They also have https://api.surfshark.com/v1/account/users/public-keys/validate, which works in the same way as described above: same body, same response.
ProtonVPN has added wireguard support to their offering. I can't find any good doc on their site for manual configuration, unfortunately, but was curious if it can be added to the supported wireguard providers for gluetun?
@agrider Yes I saw that a few weeks ago but I can't find their Wireguard setup guide sadly. Maybe ping their support about it? If it's only possible via their apps, I'll put them in the same 'unknown eta' basket since it's rather cumbersome for me to support it and use their app, and there are more pressing issues for now.
@qdm12 Support got back to me. I didn't realize until now that it's not only "app only" but also not supported on the Linux app. So as of this moment, there's no option to add it to the container. They said both manual configuration and the Linux app were on their roadmap though, so I'll circle back around once the manual configuration option is available.
Thanks @cardimajs
Two more follow-up questions please:
- For the interface address: do you copy it from the logs of the app? How do you get it on windows? That way I can add documentation on how to get it.
- Is it the same interface address for all servers??
Now seeing the keypair registration expires, the gluetun unhealthy mechanism can probably take care of re-registering a new key when wireguard stops working (aka the lazy way).
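A renewal check built on the registration response quoted above, as an added example (not gluetun's code and not a Surfshark API client): it validates the returned pubKey, parses expiresAt, and reports whether the key must be re-registered before gluetun's unhealthy restart would notice. The 24-hour renewal margin and the 32-byte key check are this example's assumptions; the registration request body is not shown here.

```python
"""Check a Surfshark WireGuard key registration and decide whether to renew it.

Added example, not gluetun's or Surfshark's code.  It consumes only the
response shape quoted in the thread ({"expiresAt", "pubKey", "id"}).  The
24-hour renewal margin and the 32-byte public-key check are this example's
assumptions; the registration request itself is not shown here.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

RENEW_MARGIN = timedelta(hours=24)  # assumption: renew a day before expiry

# Constructed sample, same fields as the response quoted above.
SAMPLE_RESPONSE = json.dumps({
    "expiresAt": "2021-10-01T01:42:09+00:00",
    "pubKey": "uIePn82CDAhyZ40vCfDoGSqv8tJOiJSHhiJsdni9u3o=",
    "id": "926a72f4-2e62-45fd-b96f-95f785b10dbf",
})


def parse_expiry(value):
    """Parse an ISO-8601 timestamp; accept a trailing 'Z', reject naive times."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"expiresAt lacks a timezone: {value!r}")
    return parsed.astimezone(timezone.utc)


def is_wireguard_key(encoded):
    """A WireGuard key is 32 raw bytes, i.e. 44 base64 characters with '=' padding."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def registration_status(response_text, now, margin=RENEW_MARGIN):
    """Return what a renewal loop needs: id, UTC expiry, seconds left, renew flag."""
    data = json.loads(response_text)
    if not is_wireguard_key(data.get("pubKey", "")):
        raise ValueError("pubKey is not a 32-byte WireGuard public key")
    expires_at = parse_expiry(data["expiresAt"])
    remaining = expires_at - now.astimezone(timezone.utc)
    return {
        "id": data["id"],
        "expires_at": expires_at,
        "seconds_left": int(remaining.total_seconds()),
        "renew": remaining <= margin,
    }


if __name__ == "__main__":
    print(registration_status(SAMPLE_RESPONSE, datetime.now(timezone.utc)))
```

Run this from a cron job or a healthcheck wrapper: when `renew` is true, generate a fresh keypair and register it instead of waiting for the tunnel to stop working.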
Hi,
1) For the interface address, I just get it from the Windows network interface.
2) Yes, same interface address for all servers.
I have surfshark and wireguard working on my docker container: https://github.com/cardimajs/surfshark-wireguard
Interesting @cardimajs I'll link up your repo to add support for Surfshark, since it looks like you figured out how to integrate with their API. Also I'm currently travelling/starting a new job so I'm rather swamped unfortunately, so sorry in advance for the implementation delays!
Hey, love the program. I'm trying to setup the kernel level Wireguard and I'd love to know which Wireguard implementation the container is using in the logs. Is it possible to have in the startup logs something like "Started userspace Wireguard" or "Connected to kernel Wireguard"?
If you point me to how that decision is made I can also make the PR to actually add this.
Thanks again.
Ok so I went down a long rabbit hole to find the Wireguard library I was using did not automagically use the Kernelspace implementation if it was available.
HOWEVER, I implemented an 'opportunistic' kernel space usage in cfa3bb3b64c73b0525ed71d75c65125703cac069 (latest image) where the kernelspace implementation is used if it is available; otherwise it falls back on the (previously existing) userspace Go implementation. My apologies for the false claims, I was mistaken. At least it's fixed now :+1:
Gluetun will now also log out the implementation it's using (userspace or kernelspace).
For everyone not having Wireguard in their kernel, please let me know if it correctly detects that Wireguard is not there (it should) and falls back on the userspace implementation. Thanks!
Just wanted to come back and say that it worked well for me. I now have it working at the kernel level. Thanks!
Has anyone succeeded with 2FA-enabled login?
```text
$ curl -sS -i -w '###REMOTE_IP:%{remote_ip}\n###BENCHMARK:%{time_total}s\n' --data-raw '{"username":"my@email.address", "password":"mypassword"}' -H 'Content-Type: application/json' -X POST -A '' --url 'https://api.surfshark.com/v1/auth/login'
HTTP/2 429
date: Thu, 10 Feb 2022 09:28:42 GMT
content-type: text/plain; charset=UTF-8
content-length: 16
x-frame-options: SAMEORIGIN
referrer-policy: same-origin
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __cf_bm=snip.snip.snip.snip; path=/; expires=Thu, 10-Feb-22 09:58:42 GMT; domain=.surfshark.com; HttpOnly; Secure
server: cloudflare
cf-ray: snip.snip.snip.snip
error code: 1015###REMOTE_IP:104.18.121.34
###BENCHMARK:0.045280s
```
@d51r3verse, Error 1015: You are being rate limited from cloudflare.
@queeup, Thanks 😀 I tried to test the newly assigned IP address now. I confirmed that the token is received even if 2FA is activated.
I would like to point out that pureVPN does support wireguard (now). Would love to see support for it as well! (let me know if/how I can help)
WireGuard configuration files are now available for download from the ProtonVPN website.
Anyone been able to get ProtonVPN wireguard working using their configuration files and the custom provider? Or now that the config files are available is official support able to be added?
I've had it up and working since config files were released with a custom provider.
Any chance you can share your config sans keys? I keep getting stuck in a healthy/unhealthy boot loop where I successfully connect to the vpn server but then the container can't get out to the internet, detects it's unhealthy and restarts.
To use it as a custom provider, you need to extract the following from your ProtonVPN wireguard config:
- Endpoint as VPN_ENDPOINT_IP and VPN_ENDPOINT_PORT, respectively
- PublicKey as WIREGUARD_PUBLIC_KEY
- PrivateKey as WIREGUARD_PRIVATE_KEY
- Address as WIREGUARD_ADDRESSES
Hi all,
I have just changed my config to use wireguard instead of openVPN for ProtonVPN. In the docs it says:
It should be using the Kernel wireguard module if it is present and fallback to a Go user space Wireguard implementation otherwise, to maximize compatibility and performance.
I am running this on a Synology NAS and installed the runfalk kernel module (I was previously trying to use the linuxserver/wireguard container but couldn't make traffic flow). Do I need to provide the /lib/modules:/lib/modules:ro to enable gluetun to use the kernel module? Thanks!
Edit: Do I also need the following settings to use the kernel module, which are described in the linuxserver/wireguard docs?
```yaml
cap_add:
  - NET_ADMIN   # <- this is already provided for gluetun
  - SYS_MODULE
sysctls:
  - net.ipv4.conf.all.src_valid_mark=1
```
@CallMeTerdFerguson FYI I also had to provide DNS_ADDRESS=<Address from ProtonVPN WG Config> in order to get DNS resolution working from gluetun and other containers running behind it.
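The field mapping from the two posts above (Endpoint, PublicKey, PrivateKey, Address and the DNS line), as an added example in code rather than by hand. This is not gluetun's own code: it parses a wg-quick style config and emits the corresponding gluetun environment lines. The sample config and both keys are constructed placeholders. Refusing a hostname endpoint instead of resolving it is this example's choice, driven by the variable being named VPN_ENDPOINT_IP; VPN_SERVICE_PROVIDER and VPN_TYPE are the values the thread uses for the custom provider.

```python
"""Translate a WireGuard client config (the wg0.conf layout ProtonVPN hands out)
into the gluetun environment variables named in the thread.

Added example, not gluetun's code.  Mapping: Endpoint -> VPN_ENDPOINT_IP +
VPN_ENDPOINT_PORT, PublicKey -> WIREGUARD_PUBLIC_KEY, PrivateKey ->
WIREGUARD_PRIVATE_KEY, Address -> WIREGUARD_ADDRESSES, DNS -> DNS_ADDRESS.
Rejecting hostname endpoints is this example's assumption.
"""
import configparser
import ipaddress

# Constructed sample in the wg0.conf layout; both keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = cHJpdmF0ZS1rZXktcGxhY2Vob2xkZXItMzItYnl0ZXM=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = c2VydmVyLXB1YmxpYy1rZXktcGxhY2Vob2xkZXItMzI=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""


def parse_wg_conf(text):
    """wg-quick configs are INI-like; keep key case so 'PrivateKey' survives."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, sep, port = endpoint.strip().rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed Endpoint: {endpoint!r}")
    return host.strip("[]"), int(port)


def to_gluetun_env(conf_text):
    conf = parse_wg_conf(conf_text)
    iface, peer = conf["Interface"], conf["Peer"]

    host, port = split_endpoint(peer["Endpoint"])
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # assumption: the variable is named VPN_ENDPOINT_IP, so resolve first
        raise ValueError(f"VPN_ENDPOINT_IP takes an IP; resolve {host!r} first") from None

    # WIREGUARD_ADDRESSES is comma-separated; validate each entry as addr/prefix.
    addresses = [a.strip() for a in iface["Address"].split(",") if a.strip()]
    for addr in addresses:
        ipaddress.ip_interface(addr)

    env = {
        "VPN_SERVICE_PROVIDER": "custom",
        "VPN_TYPE": "wireguard",
        "VPN_ENDPOINT_IP": host,
        "VPN_ENDPOINT_PORT": str(port),
        "WIREGUARD_PUBLIC_KEY": peer["PublicKey"].strip(),
        "WIREGUARD_PRIVATE_KEY": iface["PrivateKey"].strip(),
        "WIREGUARD_ADDRESSES": ",".join(addresses),
    }
    if "DNS" in iface:
        # the thread reports DNS_ADDRESS is needed for resolution behind gluetun
        env["DNS_ADDRESS"] = iface["DNS"].split(",")[0].strip()
    return env


def render_compose_env(env):
    """docker-compose 'environment:' list items, sorted for stable diffs."""
    return [f"- {key}={value}" for key, value in sorted(env.items())]


if __name__ == "__main__":
    print("\n".join(render_compose_env(to_gluetun_env(SAMPLE_CONF))))
```

The rendered lines are the ones you would paste under `environment:` in docker-compose.yml; the private key ends up in that file, so keep its permissions tight.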
Indeed Protonvpn now supports Wireguard so you can use it with gluetun through the custom provider (not natively supported since private key + peer address changes for each server, so there is no point). I have updated the list above.
@AndrewRichardson2 you should not have to add any cap or sysctls AFAIK, gluetun should automatically pick it up if available. Also note the userspace implementation should be almost as fast as the kernelspace one, so don't worry too much if your kernel doesn't have it, since Gluetun comes with the userspace one built-in.
Surfshark natively supported since 5989f29035da1770d1d8ba290a0b3ed942b24ad8 (gentle reminder to not spam this issue to ask for status for other providers)
@JBtje in your Wireguard config files, are the interface private key and the interface address always the same for all servers? If they aren't you're better off using the custom provider. On the other hand if they are, would you know where I can find the list of all servers (hostname/ip + wireguard public key)? Thanks!
I'm also working on adding support to read Wireguard ini files, does anyone have a suggestion for a file name (please reply on #610)? Right now I've set it to wg.conf (I'll add support for multiple files later). Thanks 👍
You can set to wg.conf as a default but configurable via an environment variable?
I looked around in the application folder, only to find 183 URLs to WireGuard servers, no keys. Support was kind enough to provide me the correct link to set up WG yourself:
https://support.purevpn.com/setup-wireguard-on-linux
Do however note the message: Please make sure to copy the file and activate the connection within 2 minutes once the profile is downloaded, otherwise the configuration will expire and you will have to redownload a fresh configuration file. at the bottom of the page. My guess: the keys are unique for each server and each user and each session.
This might even mean that if the connection is lost for 2 minutes (e.g. long reboot of the system), that you no longer can connect. I would have to do some testing. However, currently I can't download the files because my account has not yet been migrated to the new dashboard/system. (hopefully the new dashboard uses an easy API that can be automated).
The PureVPN client is able to use WG as well, thus there must be an API. The software isn't open source unfortunately. I was able to capture the Ephemeral in the WG handshake (i assume this is the private key?) and for each connection, this value changes.
@qdm12 wg.conf sounds good, configurable via env even better
@ksurl @JBtje I replied regarding wg.conf at https://github.com/qdm12/gluetun/issues/610#issuecomment-1229259825
@JBtje bummer, ok just use the custom provider for wireguard then. I've updated the readme/this issue about this. I added PureVPN to the list of API-required providers in this issue.
For NordVPN / NordLynx maybe this piece of code will help.
```bash
#!/bin/bash
# Build a WireGuard config for a NordVPN server, reusing the private key and
# address of the NordLynx interface that is already up on this machine.
set -euo pipefail

my_interface=$(sudo wg show | grep interface | cut -d" " -f2)
my_privkey=$(sudo wg show "$my_interface" private-key)
my_ip=$(ip -f inet addr show "$my_interface" | awk '/inet/ {print $2}')

# Ask for one recommended wireguard_udp server. jq prints one field per line
# and mapfile reads them, so city/country names with spaces stay intact.
# -g turns off curl's URL globbing so the [] in the query need no escaping.
api_url='https://api.nordvpn.com/v1/servers/recommendations?filters[servers_technologies][identifier]=wireguard_udp&limit=1'
mapfile -t fields < <(curl -sg "$api_url" | jq -r '.[0] | .hostname, .station,
  .locations[0].country.city.name, .locations[0].country.name,
  (.technologies[] | .metadata[] | .value)')
host=${fields[0]}; ip=${fields[1]}; city=${fields[2]}; country=${fields[3]}; serv_pubkey=${fields[4]}

sid=${host%%.*}
fn="nvpn_${sid}.conf"
echo "Server: $host ($ip) in $city, $country has pubkey $serv_pubkey"
echo "writing config to $fn"

cat > "$fn" <<EOF
#config for nordvpn server $sid
[Interface]
Address = $my_ip
PrivateKey = $my_privkey

[Peer]
PublicKey = $serv_pubkey
AllowedIPs = 0.0.0.0/0
Endpoint = $host:51820
EOF
chmod 600 "$fn"   # the file contains your private key

echo
echo "Content of $fn:"
cat "$fn"
qrencode -t ansiutf8 < "$fn"
```
Perhaps useful for PIA Wireguard support: https://github.com/pia-foss/manual-connections https://spad.uk/wireguard-as-a-vpn-client-in-docker-using-pia/
Referring to the use of the runfalk Wireguard kernel modules and this reply:
@AndrewRichardson2 [...] note the userspace implementation should be almost as fast as the kernelspace one, so don't worry too much if your kernel doesn't have it, since Gluetun comes with the userspace one built-in.
I've been running gluetun on a Synology DS220+ (DSM 7.1) with PIA wireguard for a few months now. I adapted the pia-foss/manual-connections scripts to generate valid wireguard config files.
In general, it's been pretty good, but I found that my wireguard speeds through gluetun were choppy. I have a 400/50 cable connection that usually hits 440/55 when not on a VPN connection (multithreaded speedtests). But through gluetun I was only getting 100-200 down / 45-ish up, usually, but varying wildly.
Then a few days ago I installed the Blackvoid wireguard kernel modules, which are based on Andreas Runfalk's work. Gluetun detects and uses these modules, as shown in the log:
2023-04-08T14:56:45-04:00 INFO [wireguard] Using available kernelspace implementation
Now I'm getting rock-solid 400+ down (sometimes up to 420+) and 50+ up through gluetun. Quite a difference.
I am guessing that it would be difficult to include such modules in gluetun and that the real solution would be that Synology include kernelspace wireguard support. But I thought I'd share my results here.
(I am not promoting the use of these modules and all the usual disclaimers apply: ymmv, you may destroy your NAS, etc. etc.)
For NordVPN users, do you use the same private key and interface address for all Wireguard servers? I'm working on #1380 which would allow native support if this is the case.
If so, can someone please try qmcgaw/gluetun:pr-1598 setting VPN_TYPE=wireguard, VPN_PROVIDER=nordvpn, WIREGUARD_PRIVATE_KEY=xxx and WIREGUARD_ADDRESS=yyy to see how it goes?
EDIT: NOT pr-1398, use qmcgaw/gluetun:pr-1598
@vp-en @DuncanTheFox NordVPN is now natively supported in Gluetun, see https://github.com/qdm12/gluetun/wiki/NordVPN You only need to run nordlynx once to extract the Wireguard private key (which is valid for all their servers, per user).
ERROR VPN settings: provider settings: VPN provider name is not valid: "nordvpn" can only be one of airvpn, custom, ivpn, mullvad, surfshark or windscribe
I selected nordvpn and wireguard from the list in Unraid. Should be supported but get the error above.
I'm having the same issue. They are there in the servers.json file.
Can anyone tell Duncan or me what we might be doing wrong, or is this a defect?
I am considering switching to the WireGuard implementation....I am at a loss to see the gains tho, anyone care to elaborate why you would want to switch?
@Zachary - well, when I shifted to wireguard on NordVPN, my download speed more than doubled.
So there's that...
I solved my problem in five minutes with fresh eyes - it was a huge PEBKAC issue.
I inherited the container definition and it was set to an old version instead of :latest. image: qmcgaw/gluetun:pr-1268
I changed it to the following, but latest would work too. image: qmcgaw/gluetun:v3.35.0
Hope this finds you and helps Duncan!
Note you can now use /gluetun/wireguard/wg0.conf to set fields (with all VPN providers), see this wiki section
@macdis
I've been running gluetun on a Synology DS220+ (DSM 7.1) with PIA wireguard for a few months now. I adapted the pia-foss/manual-connections scripts to generate valid wireguard config files.
Would you be able to share how you were able to do this? I'm also wondering if you are able to issue commands to change regions on the fly with this configuration?
I just butchered the pia-foss/manual-connections scripts in order to do things exactly how I wanted them done, putting everything into one script. It basically depends on your setup and needs. Everything you need is in the scripts except for how you use the output in gluetun.
Regarding gluetun integration, I just use sed to update the environment variables for my gluetun service in my docker-compose.yml file. (Don't forget to recreate the container and restart dependent services, if required.) I change these:
- FIREWALL_VPN_INPUT_PORTS=xxxxx
- VPN_ENDPOINT_IP=xx.xx.xx.xx
- VPN_ENDPOINT_PORT=1337 # For PIA you don't need to change this at the moment as it's always the same port
- WIREGUARD_PRIVATE_KEY=xxxxx
- WIREGUARD_PUBLIC_KEY=xxxxx
- WIREGUARD_ADDRESSES=xx.xx.xx.xx/32
HOWEVER, now that wg0.conf files are supported by gluetun (see here and here), you can presumably use the pia-foss scripts to generate a wg0.conf file and just use that (set PIA_CONNECT=false and PIA_CONF_PATH=/your/path/wg0.conf in the pia-foss scripts). If you need port forwarding, though, you may need to fiddle with your docker-compose.yml environment variables anyway (FIREWALL_VPN_INPUT_PORTS). But I haven't got round to trying wg0.conf files yet.
As for region switching, look at the PREFERRED_REGION environment variable in the pia-foss scripts.
Can this be use to configure PrivadoVPN wireguard in Gluetun?
I wonder if this will have support for AdguardVPN
Will Wireguard support for FastestVPN be added? Either by native support or custom? Or does anyone have that working? I spent a few hours on this before I realized that the original post above shows that FastestVPN is not supported with Wireguard.
Are you sure that FastestVPN supports Wireguard? It has to be available on their end-points first.
Yes, it does. They recently added support. See image. They also provided me with a Wireguard config file.
VPN providers support

Natively

Using provider custom
Supported since 8645d978ba84b68a012356a0e5d40a770d487803 using VPN_SERVICE_PROVIDER=custom

Requires API
This is not done, and requires API communication to get the Wireguard keys etc.

Wireguard not supported

Extraction needed
This requires extracting the wireguard config from their proprietary app. Let's face it, this is a lot of work for little result, and I might never get to it. But here is the list still:
following supported devices using VyprVPN version 4.0 and higher and Wireguard is not available to configure with Manual setup

Extra todos
- openvpn or wireguard depending on VPN chosen instead of vpn