tprasadtp/protonvpn-docker 7.0.0

on GitHub

🎉 New Features 🎉

• Drops OpenVPN support and use WireGuard 🎉 (Closes #72)
• Ability to provide private key via podman secrets, systemd credentials and env variable.
  This should (also close #182).
• Adds support for systemd-resolved integration.
• Adds systemd status, watchdog and notify support. (Closes #111)
• New option to disable healthchecks via cli flag and environment variable.

🔥 New Experimental Features 🔥

Warning

Experimental features are not covered by semver compatibility guarantees.

• Add kill-switch support via ip routing rules. This does not make use
  of ufw/iptable/nftables. This uses routing policy to create a sinkhole routing table which blocks all
  internet bound outgoing connections. More specifically, this blocks all subnets specified via
  PROTONVPN_ALLOWED_SUBNETS_IPV4 and PROTONVPN_ALLOWED_SUBNETS_IPV6 You don't need to tweak these two
  env variables unless required, sane defaults are used if not specified. (Closes #122)
• For IPv6 only networks and networks with custom routing requirements, where default excluded routes
  are not suffiecient, one can overrride PROTONVPN_ALLOWED_SUBNETS_IPV4 and PROTONVPN_ALLOWED_SUBNETS_IPV6.
  Both use use comma separated list of CIDRS.

⚠️ Breaking Changes ⚠️

• Removes support for PROTONVPN_EXCLUDE_CIDRS as protonwire will exclude IPV4 addresses from Special-Purpose Address Registry and non-routable IPv6 addresses from being routed over VPN by default. (Closes #146, #141, #176)
• PROTONVPN_SERVER no longer supports automatic server selection shortcuts. P2P, SECURE_CORE, RANDOM etc. Use a server which is best suitable for you. You can perform client side validations whether a server supports a required features like secure core
  via set of flags documented in README. Set PROTONVPN_SERVER to server name like NL#1 or DNS name nl-free-127.protonvpn.net
• Drops upstream protonvpn cli from docker images.
• Due to changes introduced by ProtonVPN API automatic server selection
  is no longer supported. You can add --p2p, --streaming, --tor
--country flag to enable client side validation of server features, but
  client can no longer select the "best" server as its variable and non-deterministic, depending on
  like server load, client IP and client latency and this cannot be supported.
  This closes #174, and also #161 as partially resolved.
• Uses smaller alpine base image. (This also Closes #109 as ping is now included via busybox)

🐛 Bug Fixes 🐛

• Document ability to disable healthchecks. (Closes #104)
• Document healthcheck command (Closes #152).
• Add ping command to docker images. This is more of a side effect due to busybox bundling ping command,
  nevertheless closes #109.
• Document usage with podman. (Closes #111)
• Use custom API for fetching server metadata. (Should close #126,)
• Change docs to use port instead of expose. (Closes #146, #105).

🚧 Known Issues 🚧

• Port forwarding is unsupported.
  Reverts #179, as static port forwarding is not supported by ProtonVPN and alpine
  repositories do not contain natpmpc. Thus, #125 (and its duplicate #142), is still unresolved.
  (@Ludofloria, if there are alternatives for natpmpc on alipine feel free to submit a PR!)
• If you assigned routes manually via ip route, those routes may bypass killswitch!