🎉 New Features 🎉
- Drops OpenVPN support and uses WireGuard 🎉 (Closes #72)
- Ability to provide private key via podman secrets, systemd credentials and env variable. This should also close #182.
- Adds support for systemd-resolved integration.
- Adds systemd status, watchdog and notify support. (Closes #111)
- New option to disable healthchecks via cli flag and environment variable.
🔥 New Experimental Features 🔥
Warning
Experimental features are not covered by semver compatibility guarantees.
- Add kill-switch support via ip routing rules. This does not make use of ufw/iptables/nftables. This uses routing policy to create a sinkhole routing table which blocks all internet bound outgoing connections. More specifically, this blocks all subnets specified via PROTONVPN_ALLOWED_SUBNETS_IPV4 and PROTONVPN_ALLOWED_SUBNETS_IPV6. You don't need to tweak these two env variables unless required, sane defaults are used if not specified. (Closes #122)
- For IPv6 only networks and networks with custom routing requirements, where default excluded routes are not sufficient, one can override PROTONVPN_ALLOWED_SUBNETS_IPV4 and PROTONVPN_ALLOWED_SUBNETS_IPV6. Both use a comma separated list of CIDRs.
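A pre-deployment check for override values of these two variables, as an added example (not protonwire's own code). It assumes the comma separated CIDR format described above and that an override should stay within non-public ranges, as the defaults do; the function name, the reference set of ranges and the sample values are constructed for illustration.

```python
import ipaddress

# Assumption: a small subset of the IANA special-purpose registries, used here
# as the "non-public" reference set. This is NOT protonwire's default list.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

def audit_allowed_subnets(value, version):
    """Audit one comma separated CIDR list (version is 4 or 6).

    Returns (networks, findings): the parsed networks of the right family and
    a list of human-readable problems found in the value.
    """
    networks, findings = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            findings.append("empty entry (stray comma)")
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 192.168.1.5/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"{entry}: invalid CIDR ({exc})")
            continue
        if net.version != version:
            findings.append(f"{entry}: IPv{net.version} entry in IPv{version} list")
            continue
        # An entry wider than every reference range (0.0.0.0/0, 10.0.0.0/7)
        # reaches public address space and is reported.
        if not any(r.version == version and net.subnet_of(r) for r in NON_PUBLIC):
            findings.append(f"{entry}: covers public address space")
        networks.append(net)
    return networks, findings

# Constructed sample values, not taken from the project documentation.
SAMPLE_V4 = "10.0.0.0/8, 192.168.1.5/24,8.8.8.0/24,fd00::/8,"
SAMPLE_V6 = "fc00::/7,fe80::/10"

if __name__ == "__main__":
    for name, value, ver in (("PROTONVPN_ALLOWED_SUBNETS_IPV4", SAMPLE_V4, 4),
                             ("PROTONVPN_ALLOWED_SUBNETS_IPV6", SAMPLE_V6, 6)):
        nets, problems = audit_allowed_subnets(value, ver)
        print(name, [str(n) for n in nets])
        for p in problems:
            print("  finding:", p)
```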
⚠️ Breaking Changes ⚠️
- Removes support for PROTONVPN_EXCLUDE_CIDRS as protonwire will exclude IPv4 addresses from the Special-Purpose Address Registry and non-routable IPv6 addresses from being routed over VPN by default. (Closes #146, #141, #176)
- PROTONVPN_SERVER no longer supports automatic server selection shortcuts P2P, SECURE_CORE, RANDOM etc. Use a server which is best suited for you. You can perform client side validation of whether a server supports a required feature like secure core via a set of flags documented in README. Set PROTONVPN_SERVER to a server name like NL#1 or a DNS name like nl-free-127.protonvpn.net
- Drops upstream protonvpn cli from docker images.
- Due to changes introduced by the ProtonVPN API, automatic server selection is no longer supported. You can add the --p2p, --streaming, --tor, --country flags to enable client side validation of server features, but the client can no longer select the "best" server, as it is variable and non-deterministic, depending on factors like server load, client IP and client latency, and this cannot be supported. This closes #174, and also #161 as partially resolved.
- Uses smaller alpine base image. (This also closes #109 as ping is now included via busybox)
🐛 Bug Fixes 🐛
- Document ability to disable healthchecks. (Closes #104)
- Document healthcheck command (Closes #152).
- Add ping command to docker images. This is more of a side effect due to busybox bundling the ping command, nevertheless closes #109.
- Document usage with podman. (Closes #111)
- Use custom API for fetching server metadata. (Should close #126)
- Change docs to use port instead of expose. (Closes #146, #105)
🚧 Known Issues 🚧
- Port forwarding is unsupported. Reverts #179, as static port forwarding is not supported by ProtonVPN and alpine repositories do not contain natpmpc. Thus, #125 (and its duplicate #142) is still unresolved. (@Ludofloria, if there are alternatives for natpmpc on alpine feel free to submit a PR!)
- If you assigned routes manually via ip route, those routes may bypass killswitch!