desktop-app
Implement IVPN service for other Linux INIT systems (non-systemd)
Feature request
Description
As I hope the engineers at IVPN are aware of, the systemd init system that has been widely adopted by most Linux distros has caused huge concerns among the privacy community. There are already many distros that are centered specifically around not using systemd, which is considered a bloated, inefficient system, that loads pre-compiled blobs that are not open-source. There are many many resources online that expose the flaws of this init system that was pushed onto everyone without any choice in the matter. https://thehackernews.com/2019/01/linux-systemd-exploit.html https://suckless.org/sucks/systemd/ http://judecnelson.blogspot.com/2014/09/systemd-biggest-fallacies.html https://chiefio.wordpress.com/2016/05/18/systemd-it-keeps-getting-worse/ http://without-systemd.org/wiki/index.php/Arguments_against_systemd https://www.theregister.co.uk/2019/01/31/systemd_exploit/
Some of the biggest distros that are designed to not use it are the Debian-based Devuan (my friend uses with OpenRC), and the Arch-based Artix (I use, with OpenRC init) https://artixlinux.org/index.php https://devuan.org/
So my request is that for the sake of privacy, which I'm happy that IVPN has shown so far that they are truly concerned for, that other init systems be considered for the IVPN Linux app.
Some notable ones are OpenRC and s6. I could also help you guys test both of these init systems, especially OpenRC, since I use it every day.
Currently I'm running IVPN on my OpenRC Artix distro with a Python implementation of systemd, to get around this restriction, but honestly this defeats my goal of complete privacy, since I'm using a system that has shady code to run my VPN service.
Please let me know what your thoughts are. As I said, I would love to help test this, since it benefits me directly.
Describe the solution you'd like
Solution is described above
Describe alternatives you've considered
workaround currently described above
Hi @GentlemansKiller Thank you for your interest in our project. We will discuss such a possibility with our dev team.
Anyway, it is not easy to support all of the Linux distros that are available. Please note that you can compile IVPN binaries yourself and use any init system you want (or not use any at all). Here you can find some steps/requirements of how to install IVPN binaries: https://github.com/ivpn/desktop-app-cli/issues/3#issuecomment-634574309
@stenya Hey Stenya, thanks so much for the reply. Just a suggestion, maybe you could put these steps on some of the official documentation/readme for others. Either way, I will try this out :)
Yes, will do it now :)
https://github.com/ivpn/desktop-app-cli/blob/master/README.md#manual-installation-on-linux
@stenya super cool :D And if you decide to integrate OpenRC or some other init system automatically, let me know, and I can help test
Coming back to this after several months, I finally implemented it lol. Below is my personal script that I use to update my binaries. I structured it so that it will do so without ever exposing the internet connection to the outside without a VPN connection. It is also intended to work for initial installation and for update.
Whoever comes across this, please note some things:
- Make sure you go through the script and understand what's going on before you run it. Make any necessary changes you may need
- Make sure that your service and CLI binaries are the correct path.
- Keep in mind I am using Artix Linux
- Please let me know if it doesn't work for you! Maybe I can adapt it
- A few times I had a problem where the NetworkManager didn't stop correctly, and since the rest of the script continued on, technically the connection could be exposed for a split second. But it still updates the binaries like it should. It seems to work best if you close all internet-connection apps first.
- Seemingly not officially documented, OpenRC has some cool functions that you can define, like start_post which will run right after the service starts. I've added this to my own script to take advantage of the firewall to turn it on during system init :) More info here as well: https://www.funtoo.org/Openrc
EDIT July 5 2021:
- Recently I reinstalled my Artix so now I actually got the experience needed to test a true initial installation, which should really work now. I also went through the AUR script that stenya made, like a smart boy :) So some updates are related to that.
- Installs all necessary dependencies unless they already are installed
- Made tweaks to the paths because IVPN has merged the CLI and desktop app repo into 1 repo
- Install CLI and Daemon service Binaries correctly now with the root option and correct permissions
- Network service name is a variable now. My recent installation of Artix uses connmand (Connection Manager) instead of NetworkManager.
- The script is good for BOTH initial install and update now, mainly because it first checks if the ivpn service exists yet.
EDIT Oct 14 2021:
- Added 'wget' to the list of packages needed to be installed. Not sure why I didn't have that before...
EDIT Nov 9 2021
- New multi-hop for Wireguard update requires installations of some wireguard and obfs4proxy files
EDIT Jan 26 2022
- New split tunneling file dependency, splittun.sh, now gets installed
EDIT March 24 2022
- From now on I'm just going to pull the version that the ivpn package in the Arch User Repository pulls in its build script. I always have some issue when I pull from the master branch.
- Added make to the list of packages; recently I had an issue where I needed it on a fresh install, for some reason :/
EDIT May 5 2022
- version number is now a variable
- updated to version 3.8.7 and added DNS crypt files installation
EDIT Sept 19 2022
- version update to 3.9.32
EDIT Nov 24 2022
- version update 3.9.45
EDIT Sept 25 2023
- version update to 3.12.0.1
- added CMake and Ninja dependencies
- added KEM and V2Ray installations
- placed the IVPN_BUILD_SKIP_GLIBC_VER_CHECK=true and IVPN_BUILD_CAN_SKIP_DOWNLOAD_SERVERS=true env variables properly now, since they weren't getting recognized being at the top of the script.
- I had to re-login when I built this script, you may have to also.
#!/bin/bash
# PRE-REQUISITES:
# - Internet Connectivity
# - Edit the environment variables to be sure they are all correct. For example make sure you're using the proper service for network (maybe you have NetworkManager or connmand)
#Notes:
# - If a binary is not behaving correctly you can run it with --logging.
# - When testing the service binary, you need to run with sudo
# - AUR script reference: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ivpn
# - When installing manually or debugging this script, a failure could be due to a recent upstream update. This happened with the WG and obfs4proxy updates and also the split tunnel update. Check the AUR script to see if there are any updates
WORKING_DIR=~/.cache/ivpn-build
PROGRAM_FILES_LOCATION=/opt/ivpn/etc # additional files needed by the service daemon
PROGRAM_FILES_LOCATION_MISC=/opt/ivpn # wireguard, obfs4proxy, kem, V2Ray
SVC_BIN_LOCATION=/opt/ivpn/ivpn-service # location of the service/daemon binary
CLI_BIN_LOCATION=/usr/local/bin/ivpn # location of the CLI program
NET_SVC=connmand
VERSION=3.12.0.1
# cache the password with a random sudo command
sudo ls
# echo each command
set -x
# install dependencies
sudo pacman -Sy --needed wget git go gcc glibc lsof openvpn wireguard-tools wireless_tools curl make cmake ninja
# check to see if there is internet connection first. fail script if no connection. You can use any website
wget -q --tries=10 --timeout=20 --spider http://startpage.com
if [[ $? -eq 0 ]]; then
    echo "Internet Connection Online. Proceeding..."
else
    echo "Offline. Will not continue script"
    exit 1
fi
# remove working dir
# (quoted, and ':?' aborts instead of running rm -rf on an empty variable)
rm -rf "${WORKING_DIR:?}"
# make temp dirs
mkdir -p "${WORKING_DIR}"
# reclone git repos
git clone --depth 1 --branch v${VERSION} https://github.com/ivpn/desktop-app.git ${WORKING_DIR}/desktop-app
# compile cli and daemon
# env vars starting with v3.10.14 - https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=ivpn&id=cb3c4c102a97d2146e0372e98afc46a0e58f66da
IVPN_BUILD_SKIP_GLIBC_VER_CHECK=true IVPN_BUILD_CAN_SKIP_DOWNLOAD_SERVERS=true sh ${WORKING_DIR}/desktop-app/cli/References/Linux/compile-cli.sh
IVPN_BUILD_SKIP_GLIBC_VER_CHECK=true IVPN_BUILD_CAN_SKIP_DOWNLOAD_SERVERS=true sh ${WORKING_DIR}/desktop-app/daemon/References/Linux/scripts/build-all.sh
# bring down network.
while ! sudo rc-service ${NET_SVC} stop
do
    echo "Trying to stop ${NET_SVC} again in 2 seconds..."
    sleep 2s
done
# stop ivpn service if existing (update) or skip if not existing (fresh install)
if sudo rc-update add ivpn-service | grep 'already installed'; then
    echo 'service exists, stopping the service and proceeding with upgrade...'
    while ! sudo rc-service ivpn-service stop
    do
        echo "Trying to stop the ivpn-service again in 2 seconds..."
        sleep 2s
    done
else
    echo 'service does not exist, proceeding with fresh install...'
fi
# install service (daemon)
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/scripts/_out_bin/ivpn-service "${SVC_BIN_LOCATION}"
# install necessary files for daemon
sudo install -Dm700 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/client.down "${PROGRAM_FILES_LOCATION}/client.down"
sudo install -Dm700 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/client.up "${PROGRAM_FILES_LOCATION}/client.up"
sudo install -Dm700 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/firewall.sh "${PROGRAM_FILES_LOCATION}/firewall.sh"
sudo install -Dm700 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/splittun.sh "${PROGRAM_FILES_LOCATION}/splittun.sh"
sudo install -Dm600 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/servers.json "${PROGRAM_FILES_LOCATION}/servers.json"
sudo install -Dm400 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/ca.crt "${PROGRAM_FILES_LOCATION}/ca.crt"
sudo install -Dm400 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/ta.key "${PROGRAM_FILES_LOCATION}/ta.key"
#install wireguard and obfs4proxy files
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/_deps/wireguard-tools_inst/wg-quick "${PROGRAM_FILES_LOCATION_MISC}/wireguard-tools/wg-quick"
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/_deps/wireguard-tools_inst/wg "${PROGRAM_FILES_LOCATION_MISC}/wireguard-tools/wg"
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/_deps/obfs4proxy_inst/obfs4proxy "${PROGRAM_FILES_LOCATION_MISC}/obfsproxy/obfs4proxy"
# install DNS Crypt related files
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/_deps/dnscryptproxy_inst/dnscrypt-proxy "${PROGRAM_FILES_LOCATION_MISC}/dnscrypt-proxy/dnscrypt-proxy"
sudo install -Dm400 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/etc/dnscrypt-proxy-template.toml "${PROGRAM_FILES_LOCATION}/dnscrypt-proxy-template.toml"
# KEM and V2Ray
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/_deps/kem-helper/kem-helper-bin/kem-helper "${PROGRAM_FILES_LOCATION_MISC}/kem/kem-helper"
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/daemon/References/Linux/_deps/v2ray_inst/v2ray "${PROGRAM_FILES_LOCATION_MISC}/v2ray/v2ray"
# install the CLI
sudo install -Dm755 -g root -o root ${WORKING_DIR}/desktop-app/cli/References/Linux/_out_bin/ivpn "${CLI_BIN_LOCATION}"
# create init script for OpenRC
cat > ${WORKING_DIR}/ivpn-service.init << EOF
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
command=${SVC_BIN_LOCATION}
command_args=
command_background=true
description="Daemon for IVPN"
pidfile=/var/run/ivpn.pid
start_post() {
    echo "Turning on firewall post service start..."
    while ! ivpn firewall -on
    do
        echo "trying firewall again in 2 seconds..."
        sleep 2s
    done
}
EOF
# install script
sudo install -Dm755 ${WORKING_DIR}/ivpn-service.init /etc/init.d/ivpn-service
# add service script to inits (so ivpn service will startup when the computer starts)
sudo rc-update add ivpn-service default
# start service
sudo rc-service ivpn-service start
# turn on firewall with CLI (technically should already be turned on with the init script "start_post()" function )
ivpn firewall -on
# turn on network again. Whatever service manages your network
sudo rc-service ${NET_SVC} start
# stop echo-ing each command
set +x
echo "login to your account now and/or connect to your favorite server"
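A post-install check for the modes the script above passes to install, as an added example that is not part of the original post or the IVPN project: the listed files are used by a service that runs as root, so a looser mode or a non-root owner on any of them is worth catching after each update. The manifest and audit_install names, the root-prefix argument and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original script). Assumes GNU/busybox `stat -c`.

# Expected "<mode> <path>" pairs, copied from the install lines in the script
# above (default paths; adjust if you changed the location variables).
manifest() {
cat <<'EOF'
755 /opt/ivpn/ivpn-service
700 /opt/ivpn/etc/client.up
700 /opt/ivpn/etc/client.down
700 /opt/ivpn/etc/firewall.sh
700 /opt/ivpn/etc/splittun.sh
600 /opt/ivpn/etc/servers.json
400 /opt/ivpn/etc/ca.crt
400 /opt/ivpn/etc/ta.key
755 /usr/local/bin/ivpn
EOF
}

# audit_install ROOT [OWNER_UID]
# ROOT is a path prefix ("" for the live system), OWNER_UID defaults to 0 (root).
# Prints one line per deviation and returns non-zero if any was found.
audit_install() {
    root="$1"; owner="${2:-0}"; bad=0
    while read -r mode path; do
        f="$root$path"
        if [ ! -e "$f" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        actual=$(stat -c '%a %u' "$f")      # octal mode and numeric owner
        if [ "$actual" != "$mode $owner" ]; then
            echo "MISMATCH $path want=$mode $owner got=$actual"; bad=1
        fi
    done <<EOF
$(manifest)
EOF
    return $bad
}

# Run against a prefix only when one is given, e.g.:  sudo sh audit.sh ""
[ $# -eq 0 ] || audit_install "$1"
```

Run it with sudo on the live system, since the 700 and 400 entries sit in a directory tree only root can fully inspect.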
info: the script above requires paths modifications (since we moved projects to monorepo)
I've recently been working on my Artix all day yesterday and today, new installation of the OS mostly. I will post a fresh-install script and a newer update script later today, with updated notes as well
updated
Many thanks, @GentlemansKiller !
Hello, I quickly wrote a script for OpenRC (Gentoo, Artix)
/etc/init.d/ivpn
#!/usr/bin/openrc-run
supervisor="supervise-daemon"
description="The IVPN daemon"
command="/usr/bin/ivpn-service"
command_args=""
depend() {
    need localmount
    use dns
    provide vpn
}
then just use
/etc/init.d/ivpn start
Saw the update today that requires manual installation wg and obfs4 files. Updated the script according and tested
Congrats on Multi-hop for wireguard! IVPN continues to show me why they are The Best.
Hey, an Artix user here.
I'm using the s6 init system, and would be happy to help as well. My current solution is to just let Sway start ivpn-service. Alternatively start it in your ~/.profile or ~/.zprofile.
Thank you @theanonymousexyz
updated for split tunneling
SysVinit: https://forum.mxlinux.org/viewtopic.php?t=70011
"OK, they do within their install scripts a suboptimal check whether the OS was booted with systemd by using this shell code:
$ [ -d "/lib/systemd/system/" -o -d "/usr/lib/systemd/system" ] && silent which systemctl
This fails in MX Linux to detect systemd is not running.
The ultimate test would be to check whether the directory /run/systemd/system/ exists. Which is done by systemd-internal function sd_booted. See https://www.freedesktop.org/software/systemd/man/sd_booted.html
To fix the ivpn installer properly, they should replace the line above, within their respective package installer scripts, with this:
$ [ -d /run/systemd/system ]
Now, to manually and temporarily fix the installation for ivpn when booted with SysVinit could be achieved by this, for example:
Create temporary helper which-script before installing, with the intention that the check which systemctl fails by doing this:
Note: This is only temporary!
- Rename /usr/bin/which to /usr/bin/which.real
- Create temporary which-helper script
$ cat <<'EOF' | sudo tee /usr/bin/which && sudo chmod +x /usr/bin/which
#!/bin/sh
[ x"$1" != x"systemctl" ] && exec /usr/bin/which.real "$@"
EOF
- Install the ivpn package and afterwards run this to make service start at boot:
$ sudo update-rc.d ivpn-service remove
sudo update-rc.d ivpn-service defaults
- Start manually ivpn service and check it is running
$ sudo service ivpn-service start
sudo service ivpn-service status
- Revert/remove the temporary which-helper script:
$ sudo mv /usr/bin/which.real /usr/bin/which
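The difference between the two checks quoted above, as an added example that is not taken from the IVPN installer or the forum post: one function tests whether systemd is installed, the other tests whether it is the running init, and a constructed directory tree imitates a host that ships systemd units but booted with another init. The function names, the root-prefix argument and the /run/openrc/softlevel marker used for OpenRC are assumptions of this example.

```shell
#!/bin/sh
# Added example. Every path is resolved under an optional root prefix so the
# logic can be exercised against a constructed tree instead of the live host.

# Directory half of the installer check quoted above: true when systemd unit
# directories exist, i.e. systemd is *installed*, whether or not it is PID 1.
# (The `which systemctl` half is left out; it is also true on such hosts.)
systemd_installed() {
    root="${1:-}"
    [ -d "$root/lib/systemd/system" ] || [ -d "$root/usr/lib/systemd/system" ]
}

# The test the quoted post recommends, the one sd_booted performs: this
# directory exists only while systemd is the running init.
systemd_booted() {
    root="${1:-}"
    [ -d "$root/run/systemd/system" ]
}

# Name the running init so an installer can pick the matching service file.
detect_init() {
    root="${1:-}"
    if systemd_booted "$root"; then
        echo systemd
    elif [ -e "$root/run/openrc/softlevel" ]; then   # assumption: OpenRC runtime marker
        echo openrc
    else
        echo other          # SysVinit, s6, runit, ... not distinguished here
    fi
}

# Constructed sample: unit directory present, but nothing under /run/systemd.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/systemd/system" "$d/run"
    echo "$d"
}

# Report the init system of the host this runs on.
detect_init
```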
hey @jordan-ivpn or @stenya maybe one of you can help me with this when you get some time :)
So right now I'm running 3.8.7 and I've decided to finally stop being lazy and upgrade, to 3.9.32
The script I ran to update is the same as at the top of this issue, except with 3.9.32 as the version variable instead of the old one.
After that, I'm actually able to connect to the internet like normal through DNS/browser and pinging an IP, even though when I issue an ivpn connect command, it gives this output:
Connecting...
Disconnecting...
Error: failed to connect: connection error: failed to set manual DNS: DNS error: exit status 1
But yet I'm still able to connect to the internet normally as usual.
Additionally, if I run the ivpn command to get the status, I get this output:
VPN : DISCONNECTED
Split Tunnel : Disabled
Firewall : Enabled
Allow LAN : true
Allow IVPN servers : true
It's very strange. Even though it technically works fine, I'd like to fix this if possible. For now I'll keep running 3.8.7
Btw, one additional unrelated thing: I saw in the AUR script, that the permission for the ivpn-service binary was changed from Dm755 to Dm644. When I changed that in my own script, I was getting permissions errors for the service binary, so I had to change back to Dm755 🤷🏻
@GentlemansKiller According to your report, I see that the VPN connection failed because IVPN was not able to configure DNS for the connection. Can you please try to enable the old-style DNS management functionality in app settings or using the CLI? Please refer to these for details: https://github.com/ivpn/desktop-app/issues/191#issuecomment-1202098540 https://github.com/ivpn/desktop-app/issues/191#issuecomment-1215119056
okay i posted a comment a few minutes ago but I actually figured it out now. However simple the fix was, basically all i did was turn the firewall off, connect, then turn it back on. Works fine now. Not sure why that was a problem since I'm allowing IVPN servers through the firewall, but yeah, lol
@GentlemansKiller
Hey bro I'm kind of a newb, I just switched to Artix Linux with OpenRC and I ran your script and had an issue. I'd really appreciate any help you can give. I'll attach a screenshot of what it was -- rc-service connmand does not exist
@tonyevans75 at the top of the script i put this note:
# - Edit the environment variables to be sure they are all correct. For example make sure you're using the proper service for network (maybe you have NetworkManager or connmand)
So you likely have NetworkManager instead
@GentlemansKiller thanks man that worked. I was able to login and connect to a vpn server. There's 1 last thing I'm trying to do, is it possible to install the gui version too? I tried doing: yay -S ivpn-ui but it's not working. Before running the script I was able to install ivpn-ui just fine, but the problem then was that the daemon wasn't working. Now the daemon and everything is working but I can't get the gui version.
@tonyevans75 I don't actually run it with the GUI.. just the command line. I recommend to just install it from the AUR, it will do it all for you https://aur.archlinux.org/packages/ivpn-ui
@GentlemansKiller that's what I did originally but I got an error saying the daemon wasn't working and that I needed to turn on the ivpn service, but there was no such service to enable. I pulled up a list of all available services and nothing relating to ivpn was on there. Your script made ivpn work, but now I don't know how to use the gui with it.
@tonyevans75 probably because the GUI is looking for a systemd service rather than a running binary, that's my only guess. by the way, in OpenRC, these are the commands to list the services
#list all running services
rc-status
#list all services
rc-status --servicelist
#check if IVPN daemon is running
rc-status | grep ivpn
@GentlemansKiller Yea I used all 3 of those to try to find anything relating to ivpn that I could enable, but I found nothing. So is the IVPN GUI just impossible then on my system? I don't want to move away from Artix or OpenRC for this.
@stenya You may or may not be able to answer, don't know if you work on the UI, but when the UI checks for the daemon, does it try to look for a binary that's running? or does it query the systemd services?
@tonyevans75 I know it's a pain, it was for me too, but I recommend to just go with it. It's not difficult to use once you get used to it. You can also create aliases in your bashrc (google how to do it). That way you can just type something like vpn or whatever your alias is and hit enter, and it will correspond to some single-hop or multi-hop command you've predefined.
Generally running Linux means you need to use cmd line from time to time anyway, so it will be good practice. Otherwise I don't really have much else, sorry bro :/
@GentlemansKiller it's all good man, your script got ivpn to work when nothing else did. I was looking for a solution for hours. So thanks a lot for making it bro.
@tonyevans75 not a problem man <3 I'm really happy it helped you. Just now updated the script to 3.9.45 as well, so you can test that also if you like. It works for me