Skip to content

Commit

Permalink
feat: systemd-notify improve notification msg on disconnect and errors
Browse files Browse the repository at this point in the history
  • Loading branch information
tprasadtp committed Mar 17, 2024
1 parent 236f871 commit d700309
Show file tree
Hide file tree
Showing 3 changed files with 54 additions and 28 deletions.
24 changes: 15 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@

> [!WARNING]
>
> [gVisor](https://gvisor.dev) and cgroup v1 runtime is **NOT** supported!
> [gVisor](https://gvisor.dev) and cgroup v1 are **NOT** supported!
Images are published at [ghcr.io/tprasadtp/protonwire][ghcr].

Expand Down Expand Up @@ -65,7 +65,7 @@ Images are published at [ghcr.io/tprasadtp/protonwire][ghcr].
AllowedIPs = 0.0.0.0/0
Endpoint = 91.229.23.180:51820
```
- Only thing needed from the above config is `PrivateKey`.
- You will `PrivateKey` and optionally `Endpoint`(without port part) from the above config.
- See https://protonvpn.com/support/wireguard-configurations/ for more info.

## Environment Variables & Config
Expand All @@ -78,6 +78,12 @@ in following locations.
- `/run/secrets/protonwire-private-key`
- `/run/secrets/protonwire/private-key`
- `${CREDENTIALS_DIRECTORY}/private-key` (Only if `$CREDENTIALS_DIRECTORY` is set)
- `${CREDENTIALS_DIRECTORY}/protonwire-private-key` (Only if `$CREDENTIALS_DIRECTORY` is set)

> [!IMPORTANT]
>
> Private key file **MUST NOT** be world-readable.


| Name | Default/Required | Description
|---|---|---
Expand All @@ -86,7 +92,7 @@ in following locations.
| `IPCHECK_URL` | https://protonwire-api.vercel.app/v1/client/ip | (String) URL to check client IP.
| `IPCHECK_INTERVAL` | `60` | (Integer) Interval between internal health-checks in seconds. Set this to `0` to disable IP checks.
| `SKIP_DNS_CONFIG` | false | (Boolean) Set this to `1` or `true` to skip configuring DNS.
| `KILL_SWITCH` | false | (Boolean) Enable KillSwitch (Experimental and can cause issues)
| `KILL_SWITCH` | false | (Boolean) Enable KillSwitch (Experimental)

## PROTONVPN_SERVER

Expand Down Expand Up @@ -260,19 +266,20 @@ This section covers running containers via podman. But for deployments use
- Create a podman secret for private key
```console
sudo podman secret create protonwire-private-key <PRIVATE_KEY|PATH_TO_PRIVATE_KEY>
podman secret create protonwire-private-key <PRIVATE_KEY|PATH_TO_PRIVATE_KEY>
```
- Run _protonwire_ container.
```console
sudo podman run \
podman run \
-it \
--rm \
--init \
--replace \
--tz=local \
--tmpfs=/tmp \
--name=protonwire-demo \
--name=protonwire \
--secret="protonwire-private-key,mode=600" \
--env=PROTONVPN_SERVER="nl-free-127.protonvpn.net" \
--env=DEBUG=0 \
Expand All @@ -293,12 +300,12 @@ we are using caddy to proxy website which shows IP info. Replace these with your
container(s) like [pyload](https://github.com/pyload/pyload#docker-images), [firefox](https://docs.linuxserver.io/images/docker-firefox) etc.
```console
sudo podman run \
podman run \
-it \
--rm \
--tz=local \
--name=protonwire-demo-app \
--network=container:protonwire-demo \
--network=container:protonwire \
docker.io/library/caddy:latest \
caddy reverse-proxy --change-host-header --from :8000 --to https://ip.me:443
```
Expand Down Expand Up @@ -355,7 +362,6 @@ For example, we can run caddy to proxy `https://ip.me/` via VPN. Visiting http:/
-it \
--rm \
--net=container:protonwire \
--name=protonwire-demo \
caddy:latest \
caddy reverse-proxy \
--change-host-header \
Expand Down
2 changes: 1 addition & 1 deletion Vagrantfile
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ Vagrant.configure("2") do |config|

$libvirt_provision = <<-SCRIPT
echo "---------------------------------"
echo "Installing qemu daemon"
echo "Installing qemu-guest-agent"
echo "---------------------------------"
apt-get update
apt-get install -y qemu-guest-agent
Expand Down
56 changes: 38 additions & 18 deletions protonwire
Original file line number Diff line number Diff line change
Expand Up @@ -640,13 +640,13 @@ function protonvpn_looper_cmd() {
log_warning "Not verifying connection, as healthchecks are disabled"
fi
else
log_error "Failed to connect to ${PROTONVPN_SERVER}"
log_error "Failed to connect to ${PROTONVPN_SERVER:-NA}"
if [[ -z $(ip link show protonwire0 type wireguard 2>/dev/null) ]]; then
log_debug "Wireguard interface for protonwire is not present."
return 1
fi
if __has_notify_socket; then
__systemd_notify "STATUS=Failed to connect to - ${PROTONVPN_SERVER}"
__systemd_notify "STATUS=Failed to connect to - ${PROTONVPN_SERVER:-NA}"
fi
__protonvpn_disconnect
return 1
Expand Down Expand Up @@ -696,17 +696,29 @@ function protonvpn_looper_cmd() {
fi

if [[ $__PROTONWIRE_HC_ERRORS -ge ${max_verify_attemps} ]]; then
log_error "Connection verification ($((__PROTONWIRE_HC_ERRORS))/${IPCHECK_THRESHOLD:-5}) failed"
log_error "Connection verification (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) failed"
if __has_notify_socket; then
__systemd_notify "Connection verification failed (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) "
else
log_debug "No systemd notify socket found, skiping reconnect notification"
fi
break
fi

sleep "${sleep_int:-120}" &
wait $!

if ! __protonvpn_verify_connection; then
log_error "Failed to verify connection ($((__PROTONWIRE_HC_ERRORS + 1))/${IPCHECK_THRESHOLD:-5})"
local xt=$((__PROTONWIRE_HC_ERRORS + 1))
log_error "Failed to verify connection (${xt}/${max_verify_attemps})"
((++__PROTONWIRE_HC_ERRORS))
log_warning "Attempting to re-connect to ${PROTONVPN_SERVER}"
if __has_notify_socket; then
__systemd_notify "Attempting to re-connect to ${PROTONVPN_SERVER} (${xt}/${max_verify_attemps})"
else
log_debug "No systemd notify socket found, skiping reconnect notification"
fi

if __protonvpn_connect; then
sleep 2 & # avoid transient errors
wait $!
Expand Down Expand Up @@ -1732,32 +1744,30 @@ function __protonvpn_connect() {
else
log_debug "WIREGUARD_PRIVATE_KEY is not set"
declare -a lookup_paths=(
"/etc/protonwire/private-key"
"/etc/protonwire/protonwire-private-key"
"/etc/protonwire/protonvpn-private-key"
"/etc/protonwire/wireguard-private-key"
"/etc/protonwire/private-key"

"/run/secrets/private-key"
"/run/secrets/protonwire-private-key"
"/run/secrets/protonvpn-private-key"
"/run/secrets/wireguard-private-key"
"/run/secrets/private-key"

"/run/secrets/protonwire/private-key"
"/run/secrets/protonwire/protonwire-private-key"
"/run/secrets/protonwire/protonvpn-private-key"
"/run/secrets/protonwire/protonvpn-private-key"

"/run/credentials/private-key"
"/run/credentials/protonwire-private-key"
"/run/credentials/protonvpn-private-key"
"/run/credentials/protonvpn-private-key"

"/run/credentials/protonwire/private-key"
"/run/credentials/protonwire/protonwire-private-key"
"/run/credentials/protonwire/protonvpn-private-key"
"/run/credentials/protonwire/protonvpn-private-key"
"/run/secrets/protonwire/wireguard-private-key"
"/run/secrets/protonwire/private-key"
)

# If CREDENTIALS_DIRECTORY is defined, use it (for systemd-creds)
if [[ -n $CREDENTIALS_DIRECTORY ]]; then
lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonwire-private-key")
lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonvpn-private-key")
lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/wireguard-private-key")
lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/private-key")
fi

for lookup_path in "${lookup_paths[@]}"; do
if [[ -f ${lookup_path} ]]; then
if __is_usable_keyfile "${lookup_path}"; then
Expand Down Expand Up @@ -2140,6 +2150,7 @@ function __protonvpn_disconnect() {

if __has_notify_socket; then
log_debug "Notify to systemd that vpn is disconnecting"
__systemd_notify "Disconnecting from ${PROTONVPN_SERVER:-NA}"
__systemd_notify "STOPPING=1"
else
log_debug "No systemd notify socket found, skiping stopping notification"
Expand Down Expand Up @@ -2197,8 +2208,17 @@ function __protonvpn_disconnect() {
fi

if [[ $errs -eq 0 ]]; then
if __has_notify_socket; then
log_debug "Notify to systemd that vpn has disconnected"
__systemd_notify "Disconnected"
fi
return 0
fi

if __has_notify_socket; then
log_debug "Notify to systemd that vpn disconnection errored"
__systemd_notify "Failed to disconnect"
fi
return 1
}

Expand Down

0 comments on commit d700309

Please sign in to comment.