qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Feature request: Support for Wireguard #134

Open qdm12 opened 4 years ago

qdm12 commented 4 years ago

VPN providers support

Natively

Using provider custom

Supported since 8645d978ba84b68a012356a0e5d40a770d487803 using VPN_SERVICE_PROVIDER=custom

Requires API

This is not done, and requires API communication to get the Wireguard keys etc.

Wireguard not supported

Extraction needed

This requires extracting the wireguard config from their proprietary app. Let's face it, this is a lot of work for little result, and I might never get to it. But here is the list still:

Extra todos

cardimajs commented 2 years ago
  1. I copy from windows...only works if use this address
  2. I generate my private key
  3. response of https://api.surfshark.com/v1/account/users/public-keys

     ```json
     {
       "expiresAt": "2021-10-01T01:42:09+00:00",
       "pubKey": "uIePn82CDAhyZ40vCfDoGSqv8tJOiJSHhiJsdni9u3o=",
       "id": "926a72f4-2e62-45fd-b96f-95f785b10dbf"
     }
     ```

     They also have https://api.surfshark.com/v1/account/users/public-keys/validate, which works in the same way as described above, same body, same response

qdm12 commented 2 years ago

Thanks @cardimajs

Two more follow-up questions please:

  1. For the interface address: do you copy it from the logs of the app? How do you get it on windows? That way I can add documentation on how to get it.
  2. Is it the same interface address for all servers??

Now seeing the keypair registration expires, the gluetun unhealthy mechanism can probably take care of re-registering a new key when wireguard stops working (aka the lazy way).

CallMeTerdFerguson commented 2 years ago

ProtonVPN has added wireguard support to their offering. I can't find any good doc on their site for manual configuration, unfortunately, but was curious if it can be added to the supported wireguard providers for gluetun?

qdm12 commented 2 years ago

@agrider Yes I saw that a few weeks ago but I can't find their Wireguard setup guide sadly. Maybe ping their support about it? If it's only possible via their apps, I'll put them in the same 'unknown eta' basket since it's rather cumbersome for me to support it and use their app, and there are more pressing issues for now.

CallMeTerdFerguson commented 2 years ago

@qdm12 Support got back to me. As of now I didn't realize, it's not only "app only" but not supported on the Linux app either. So as of this moment, there's no option to add it to the container. They said both manual configurations and Linux app were both on their roadmap though, so I'll circle back around once the manual configuration option is available.

cardimajs commented 2 years ago

> Thanks @cardimajs
>
> Two more follow-up questions please:
>
>   1. For the interface address: do you copy it from the logs of the app? How do you get it on windows? That way I can add documentation on how to get it.
>   2. Is it the same interface address for all servers??
>
> Now seeing the keypair registration expires, the gluetun unhealthy mechanism can probably take care of re-registering a new key when wireguard stops working (aka the lazy way).

Hi,

  1. For the interface address, I just get it from the Windows network interface.
  2. Yes, same interface address for all servers.

I have surfshark and wireguard working on my docker container: https://github.com/cardimajs/surfshark-wireguard

qdm12 commented 2 years ago

Interesting @cardimajs I'll link up your repo to add support for Surfshark, since it looks like you figured out how to integrate with their API. Also I'm currently travelling/starting a new job so I'm rather swamped unfortunately, so sorry in advance for the implementation delays!

chbachman commented 2 years ago

Hey, love the program. I'm trying to setup the kernel level Wireguard and I'd love to know which Wireguard implementation the container is using in the logs. Is it possible to have in the startup logs something like "Started userspace Wireguard" or "Connected to kernel Wireguard"?

If you point me to how that decision is made I can also make the PR to actually add this.

Thanks again.

qdm12 commented 2 years ago

Ok so I went down a long rabbit hole to find the Wireguard library I was using did not automagically use the Kernelspace implementation if it was available.

HOWEVER, I implemented an 'opportunistic' kernel space usage in cfa3bb3b64c73b0525ed71d75c65125703cac069 (latest image) where the kernelspace implementation is used if it is available; otherwise it falls back on the (previously existing) userspace Go implementation. My apologies for the false claims, I was mistaken. At least it's fixed now :+1:

Gluetun will now also log out the implementation it's using (userspace or kernelspace).

For everyone not having Wireguard in their kernel, please let me know if it correctly detects that wireguard is not there (it should) and falls back on the userspace implementation. Thanks!

chbachman commented 2 years ago

Just wanted to come back and say that it worked well for me. I now have it working at the kernel level. Thanks!

d51r3verse commented 2 years ago

Anyone succeeded 2FA enabled login?

```
$curl -sS -i -w '###REMOTE_IP:%{remote_ip}\n###BENCHMARK:%{time_total}s\n' --data-raw '{"username":"my@email.address", "password":"mypassword"}' -H 'Content-Type: application/json' -X POST -A '' --url 'https://api.surfshark.com/v1/auth/login'
HTTP/2 429
date: Thu, 10 Feb 2022 09:28:42 GMT
content-type: text/plain; charset=UTF-8
content-length: 16
x-frame-options: SAMEORIGIN
referrer-policy: same-origin
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
set-cookie: __cf_bm=snip.snip.snip.snip; path=/; expires=Thu, 10-Feb-22 09:58:42 GMT; domain=.surfshark.com; HttpOnly; Secure
server: cloudflare
cf-ray: snip.snip.snip.snip

error code: 1015###REMOTE_IP:104.18.121.34
###BENCHMARK:0.045280s
```

queeup commented 2 years ago

@d51r3verse, Error 1015: You are being rate limited by Cloudflare.

d51r3verse commented 2 years ago

@queeup, Thanks 😀 I tried to test with a newly assigned IP address now. I confirmed that the token is received even if 2FA is activated.

JBtje commented 2 years ago

I would like to point out that pureVPN does support wireguard (now). Would love to see support for it as well! (let me know if/how I can help)

leo15dev commented 2 years ago

WireGuard configuration files are now available for download from the ProtonVPN website.

https://twitter.com/ProtonVPN/status/1513487220636028935

CallMeTerdFerguson commented 1 year ago

Anyone been able to get ProtonVPN wireguard working using their configuration files and the custom provider? Or now that the config files are available is official support able to be added?

npawelek commented 1 year ago

> Anyone been able to get ProtonVPN wireguard working using their configuration files and the custom provider? Or now that the config files are available is official support able to be added?

I've had it up and working since config files were released with a custom provider.

CallMeTerdFerguson commented 1 year ago

> > Anyone been able to get ProtonVPN wireguard working using their configuration files and the custom provider? Or now that the config files are available is official support able to be added?
>
> I've had it up and working since config files were released with a custom provider.

Any chance you can share your config sans keys? I keep getting stuck in a healthy/unhealthy boot loop where I successfully connect to the vpn server but then the container can't get out to the internet, detects it's unhealthy and restarts.

npawelek commented 1 year ago

To use as a custom provider, you need to extract the following from your wireguard config in protonvpn:
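As an added example (not npawelek's or gluetun's code), here is a Go program that reads a provider-issued WireGuard profile and turns it into the custom-provider variables used elsewhere in this thread (WIREGUARD_PRIVATE_KEY, WIREGUARD_ADDRESSES, WIREGUARD_PUBLIC_KEY, VPN_ENDPOINT_IP, VPN_ENDPOINT_PORT, DNS_ADDRESS), checking on the way that both keys decode to 32 bytes and that the endpoint is an IP rather than a hostname. The profile it parses is a constructed sample with placeholder keys and documentation-range addresses, not a real ProtonVPN file; the same reader covers the wg.conf / wg0.conf file format discussed later in the thread.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// sampleConf is a constructed profile in the shape providers hand out: the keys
// are placeholders (not real keys) and the addresses are documentation ranges.
const sampleConf = `[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.2.0.2/32
DNS = 10.2.0.1
[Peer]
PublicKey = KAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
`

// GluetunEnv holds the values gluetun's custom provider takes from the environment.
type GluetunEnv struct {
	PrivateKey, Addresses, DNSAddress, PeerPublicKey, EndpointIP, EndpointPort string
}

// parseConf reads the wg(8) INI format: [Section] headers, Key = Value lines
// and '#' comments. Section and key names are lower-cased for lookup.
func parseConf(text string) (map[string]map[string]string, error) {
	sections, cur := map[string]map[string]string{}, ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = strings.ToLower(line[1 : len(line)-1])
			sections[cur] = map[string]string{}
			continue
		}
		// Cut at the first '=' only: base64 keys end in '=' padding.
		k, v, ok := strings.Cut(line, "=")
		if !ok || cur == "" {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		sections[cur][strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	return sections, sc.Err()
}

// checkKey rejects anything that is not a base64 Curve25519 key (32 bytes).
func checkKey(name, b64 string) error {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) != 32 {
		return fmt.Errorf("%s: not a 32-byte base64 key (%v)", name, err)
	}
	return nil
}

// ToGluetunEnv validates the profile and maps it onto gluetun's variables.
func ToGluetunEnv(conf string) (GluetunEnv, error) {
	s, err := parseConf(conf)
	if err != nil {
		return GluetunEnv{}, err
	}
	iface, peer := s["interface"], s["peer"] // nil maps read as empty strings
	for _, k := range [][2]string{{"PrivateKey", iface["privatekey"]}, {"PublicKey", peer["publickey"]}} {
		if err := checkKey(k[0], k[1]); err != nil {
			return GluetunEnv{}, err
		}
	}
	// VPN_ENDPOINT_IP takes an address, so a hostname endpoint has to be resolved first.
	host, port, err := net.SplitHostPort(peer["endpoint"])
	if err != nil {
		return GluetunEnv{}, fmt.Errorf("Endpoint: %v", err)
	}
	if net.ParseIP(host) == nil {
		return GluetunEnv{}, fmt.Errorf("Endpoint %q is a hostname, resolve it to an IP first", host)
	}
	return GluetunEnv{PrivateKey: iface["privatekey"], Addresses: strings.ReplaceAll(iface["address"], " ", ""),
		DNSAddress: iface["dns"], PeerPublicKey: peer["publickey"], EndpointIP: host, EndpointPort: port}, nil
}

// ComposeLines renders the docker-compose environment entries.
func (e GluetunEnv) ComposeLines() []string {
	lines := []string{"- VPN_SERVICE_PROVIDER=custom", "- VPN_TYPE=wireguard",
		"- WIREGUARD_PRIVATE_KEY=" + e.PrivateKey, "- WIREGUARD_ADDRESSES=" + e.Addresses,
		"- WIREGUARD_PUBLIC_KEY=" + e.PeerPublicKey, "- VPN_ENDPOINT_IP=" + e.EndpointIP,
		"- VPN_ENDPOINT_PORT=" + e.EndpointPort}
	if e.DNSAddress != "" {
		lines = append(lines, "- DNS_ADDRESS="+e.DNSAddress)
	}
	return lines
}

func main() {
	env, err := ToGluetunEnv(sampleConf)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(env.ComposeLines(), "\n"))
}
```

The hostname check is the one that bites in practice: a profile whose Endpoint is a DNS name looks fine to wg-quick but cannot be pasted into VPN_ENDPOINT_IP, and with the firewall up inside the container there is no resolution path to fall back on.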

AndrewRichardson2 commented 1 year ago

Hi all,

I have just changed my config to use wireguard instead of openVPN for ProtonVPN. In the docs it says:

It should be using the Kernel wireguard module if it is present and fallback to a Go user space Wireguard implementation otherwise, to maximize compatibility and performance.

I am running this on a Synology NAS and installed the runfalk kernel module (I was previously trying to use the linuxserver/wireguard container but couldn't make traffic flow). Do I need to provide the /lib/modules:/lib/modules:ro to enable gluetun to use the kernel module? Thanks!

Edit: Do I also need the following settings to use the kernel module, which are described in the linuxserver/wireguard docs?

```yaml
cap_add:
  - NET_ADMIN   # <- this is already provided for gluetun
  - SYS_MODULE
sysctls:
  - net.ipv4.conf.all.src_valid_mark=1
```

@CallMeTerdFerguson FYI I also had to provide DNS_ADDRESS=<Address from ProtonVPN WG Config> in order to get DNS resolution working from gluetun and other containers running behind it.

qdm12 commented 1 year ago

Indeed Protonvpn now supports Wireguard so you can use it with gluetun through the custom provider (not natively supported since private key + peer address changes for each server, so there is no point). I have updated the list above.

@AndrewRichardson2 you should not have to add any cap or sysctls AFAIK, gluetun should automatically pick it up if available. Also note the userspace implementation should be almost as fast as the kernelspace one, so don't worry too much if your kernel doesn't have it, since Gluetun comes with the userspace one built-in.

qdm12 commented 1 year ago

Surfshark natively supported since 5989f29035da1770d1d8ba290a0b3ed942b24ad8 (gentle reminder to not spam this issue to ask for status for other providers)

qdm12 commented 1 year ago

@JBtje in your Wireguard config files, is the interface private key and the interface address always the same for all servers? If it isn't you're better off using the custom provider. On the other hand if they are, would you know where I can find the list of all servers (hostname/ip + wireguard public key)? Thanks!

qdm12 commented 1 year ago

I'm also working on adding support to read Wireguard ini files, does anyone have a suggestion for a file name (please reply on #610)? Right now I've set it to wg.conf (I'll add support for multiple files later). Thanks 👍

ksurl commented 1 year ago

You can set to wg.conf as a default but configurable via an environment variable?

JBtje commented 1 year ago

> @JBtje in your Wireguard config files, is the interface private key and the interface address always the same for all servers? If it isn't you're better off using the custom provider. On the other hand if they are, would you know where I can find the list of all servers (hostname/ip + wireguard public key)? Thanks!

I looked around in the application folder, only to find 183 URLs to WireGuard servers, no keys. Support was kind enough to provide me the correct link to set up WG yourself:

https://support.purevpn.com/setup-wireguard-on-linux

Do however note the message: Please make sure to copy the file and activate the connection within 2 minutes once the profile is downloaded, otherwise the configuration will expire and you will have to redownload a fresh configuration file. at the bottom of the page. My guess: the keys are unique for each server and each user and each session.

This might even mean that if the connection is lost for 2 minutes (e.g. long reboot of the system), that you no longer can connect. I would have to do some testing. However, currently I can't download the files because my account has not yet been migrated to the new dashboard/system. (hopefully the new dashboard uses an easy API that can be automated).

The PureVPN client is able to use WG as well, thus there must be an API. The software isn't open source unfortunately. I was able to capture the Ephemeral in the WG handshake (I assume this is the private key?) and for each connection, this value changes.

@qdm12 wg.conf sounds good, configurable via env even better

qdm12 commented 1 year ago

@ksurl @JBtje I replied regarding wg.conf at https://github.com/qdm12/gluetun/issues/610#issuecomment-1229259825

@JBtje bummer, ok just use the custom provider for wireguard then. I've updated the readme/this issue about this. I added PureVPN to the list of API-required providers in this issue.

DuncanTheFox commented 1 year ago

For NordVPN / NordLynx maybe this piece of code will help.

```bash
#!/bin/bash
# Read the private key and address of the interface the NordVPN client set up.
my_interface=$(sudo wg show | grep interface | cut -d" " -f2)
my_privkey=$(sudo wg show $my_interface private-key)
my_ip=$(ip -f inet addr show $my_interface | awk '/inet/ {print $2}')

# Ask the NordVPN API for one recommended WireGuard server and its public key.
read host ip city country serv_pubkey < <( echo $(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1" | jq -r '.[]|.hostname, .station, (.locations|.[]|.country|.city.name), (.locations|.[]|.country|.name), (.technologies|.[].metadata|.[].value)'))

sid=$(echo $host | cut -d. -f1)
fn="nvpn_"$sid".conf"
echo "Server: $host ($ip) has pubkey $serv_pubkey"

echo writing config to $fn
echo "#config for nordvpn server $sid" > $fn
echo "[Interface]" >> $fn
echo "Address = $my_ip" >> $fn
echo "PrivateKey = $my_privkey" >> $fn
echo "" >> $fn
echo "[Peer]" >> $fn
echo "PublicKey = $serv_pubkey" >> $fn
echo "AllowedIPs = 0.0.0.0/0" >> $fn
echo "Endpoint = $host:51820" >> $fn

echo ""
echo "Content of $fn:"
cat $fn

qrencode -t ansiutf8 < $fn

# uncomment this line to automatically copy the .conf to the wg directory, then you can use it directly with "wg-quick up nvpn_xy1234"
# sudo mv $fn /etc/wireguard && sudo chmod 600 /etc/wireguard/$fn
```

SimplicityGuy commented 1 year ago

Perhaps useful for PIA Wireguard support: https://github.com/pia-foss/manual-connections https://spad.uk/wireguard-as-a-vpn-client-in-docker-using-pia/

macdis commented 1 year ago

Referring to the use of the runfalk Wireguard kernel modules and this reply:

@AndrewRichardson2 [...] note the userspace implementation should be almost as fast as the kernelspace one, so don't worry too much if your kernel doesn't have it, since Gluetun comes with the userspace one built-in.

I've been running gluetun on a Synology DS220+ (DSM 7.1) with PIA wireguard for a few months now. I adapted the pia-foss/manual-connections scripts to generate valid wireguard config files.

In general, it's been pretty good, but I found that my wireguard speeds through gluetun were choppy. I have a 400/50 cable connection that usually hits 440/55 when not on a VPN connection (multithreaded speedtests). But through gluetun I was only getting 100-200 down / 45-ish up, usually, but varying wildly.

Then a few days ago I installed the Blackvoid wireguard kernel modules, which are based on Andreas Runfalk's work. Gluetun detects and uses these modules, as shown in the log:

2023-04-08T14:56:45-04:00 INFO [wireguard] Using available kernelspace implementation

Now I'm getting rock-solid 400+ down (sometimes up to 420+) and 50+ up through gluetun. Quite a difference.

I am guessing that it would be difficult to include such modules in gluetun and that the real solution would be that Synology include kernelspace wireguard support. But I thought I'd share my results here.

(I am not promoting the use of these modules and all the usual disclaimers apply: ymmv, you may destroy your NAS, etc. etc.)

qdm12 commented 1 year ago

For NordVPN users, do you use the same private key and interface address for all Wireguard servers? I'm working on #1380 which would allow native support if this is the case.

If so, can someone please try qmcgaw/gluetun:pr-1598 setting VPN_TYPE=wireguard, VPN_PROVIDER=nordvpn, WIREGUARD_PRIVATE_KEY=xxx and WIREGUARD_ADDRESS=yyy to see how it goes?

EDIT: NOT pr-1398, use qmcgaw/gluetun:pr-1598

qdm12 commented 1 year ago

@vp-en @DuncanTheFox NordVPN is now natively supported in Gluetun, see https://github.com/qdm12/gluetun/wiki/NordVPN You only need to run nordlynx once to extract the Wireguard private key (which is valid for all their servers, per user).

DuncanTheFox commented 1 year ago

> @vp-en @DuncanTheFox NordVPN is now natively supported in Gluetun, see https://github.com/qdm12/gluetun/wiki/NordVPN You only need to run nordlynx once to extract the Wireguard private key (which is valid for all their servers, per user).

ERROR VPN settings: provider settings: VPN provider name is not valid: "nordvpn" can only be one of airvpn, custom, ivpn, mullvad, surfshark or windscribe

I selected nordvpn and wireguard from the list in Unraid. Should be supported but get the error above.

mikelb63 commented 1 year ago

> > @vp-en @DuncanTheFox NordVPN is now natively supported in Gluetun, see https://github.com/qdm12/gluetun/wiki/NordVPN You only need to run nordlynx once to extract the Wireguard private key (which is valid for all their servers, per user).
>
> ERROR VPN settings: provider settings: VPN provider name is not valid: "nordvpn" can only be one of airvpn, custom, ivpn, mullvad, surfshark or windscribe
>
> I selected nordvpn and wireguard from the list in Unraid. Should be supported but get the error above.

I'm having the same issue. They are there in the servers.json file.

Can anyone tell Duncan or me what we might be doing wrong, or is this a defect?

ZaxLofful commented 1 year ago

I am considering switching to the WireGuard implementation....I am at a loss to see the gains tho, anyone care to elaborate why you would want to switch?

lavaguy1 commented 1 year ago

@Zachary - well, when I shifted to wireguard on NordVPN, my download speed more than doubled.

So there's that...

On Fri, Jun 30, 2023 at 8:25 AM Zachary Laughlin @.***> wrote:

> I am considering switching to the WireGuard implementation....I am at a loss to see the gains tho, anyone care to elaborate why you would want to switch?


mikelb63 commented 12 months ago

> > @vp-en @DuncanTheFox NordVPN is now natively supported in Gluetun, see https://github.com/qdm12/gluetun/wiki/NordVPN You only need to run nordlynx once to extract the Wireguard private key (which is valid for all their servers, per user).
>
> ERROR VPN settings: provider settings: VPN provider name is not valid: "nordvpn" can only be one of airvpn, custom, ivpn, mullvad, surfshark or windscribe
>
> I selected nordvpn and wireguard from the list in Unraid. Should be supported but get the error above.

I solved my problem in five minutes with fresh eyes - it was a huge PEBKAC issue.

I inherited the container definition and it was set to an old version instead of `:latest`: `image: qmcgaw/gluetun:pr-1268`

I changed it to the following, but latest would work too: `image: qmcgaw/gluetun:v3.35.0`

Hope this finds you and helps Duncan!

qdm12 commented 11 months ago

Note you can now use /gluetun/wireguard/wg0.conf to set fields (with all VPN providers), see this wiki section

parthmodi commented 11 months ago

@macdis

I've been running gluetun on a Synology DS220+ (DSM 7.1) with PIA wireguard for a few months now. I adapted the pia-foss/manual-connections scripts to generate valid wireguard config files.

Would you be able to share how you were able to do this? I'm also wondering if you are able to issue commands to change regions on the fly with this configuration?

macdis commented 11 months ago

> @macdis
>
> > I've been running gluetun on a Synology DS220+ (DSM 7.1) with PIA wireguard for a few months now. I adapted the pia-foss/manual-connections scripts to generate valid wireguard config files.
>
> Would you be able to share how you were able to do this? I'm also wondering if you are able to issue commands to change regions on the fly with this configuration?

I just butchered the pia-foss/manual-connections scripts in order to do things exactly how I wanted them done, putting everything into one script. It basically depends on your setup and needs. Everything you need is in the scripts except for how you use the output in gluetun.

Regarding gluetun integration, I just use sed to update the environment variables for my gluetun service in my docker-compose.yml file. (Don't forget to recreate the container and restart dependent services, if required.) I change these:

- FIREWALL_VPN_INPUT_PORTS=xxxxx
- VPN_ENDPOINT_IP=xx.xx.xx.xx
- VPN_ENDPOINT_PORT=1337 # For PIA you don't need to change this at the moment as it's always the same port
- WIREGUARD_PRIVATE_KEY=xxxxx
- WIREGUARD_PUBLIC_KEY=xxxxx
- WIREGUARD_ADDRESSES=xx.xx.xx.xx/32

HOWEVER, now that wg0.conf files are supported by gluetun (see here and here), you can presumably use the pia-foss scripts to generate a wg0.conf file and just use that (set PIA_CONNECT=false and PIA_CONF_PATH=/your/path/wg0.conf in the pia-foss scripts). If you need port forwarding, though, you may need to fiddle with your docker-compose.yml environment variables anyway (FIREWALL_VPN_INPUT_PORTS). But I haven't got round to trying wg0.conf files yet.

As for region switching, look at the PREFERRED_REGION environment variable in the pia-foss scripts.

goluftwaffe commented 10 months ago

Can this be use to configure PrivadoVPN wireguard in Gluetun?

https://github.com/hongkongkiwi/privado-wireguard-vpn

alx-xlx commented 5 months ago

I wonder if this will have support for AdguardVPN

Jadonr commented 1 month ago

Will Wireguard support for FastestVPN be added? Either by native support or custom? Or does anyone have that working? I spent a few hours on this before I realized that the original post above shows that FastestVPN is not supported with Wireguard.

ZaxLofful commented 1 month ago

> Will Wireguard support for FastestVPN be added? Either by native support or custom? Or does anyone have that working? I spent a few hours on this before I realized that the original post above shows that FastestVPN is not supported with Wireguard.

Are you sure that FastestVPN supports Wireguard? It has to be available on their end-points first.

Jadonr commented 1 month ago

> > Will Wireguard support for FastestVPN be added? Either by native support or custom? Or does anyone have that working? I spent a few hours on this before I realized that the original post above shows that FastestVPN is not supported with Wireguard.
>
> Are you sure that FastestVPN supports Wireguard? It has to be available on their end-points first.

Yes, it does. They recently added support. See image. They also provided me with a Wireguard config file.

[image attachment]