github tprasadtp/protonvpn-docker 7.0.0-beta1

pre-release, 14 months ago

🎉 New client written from scratch. Please try rc/beta tags and report bugs if any.
To see docs for OpenVPN based container, see https://github.com/tprasadtp/protonvpn-docker/tree/release/v5.

To try the docker image use ghcr.io/tprasadtp/protonwire:unstable

🎉 New Features 🎉

  • Drops OpenVPN support and uses WireGuard 🎉 (Closes #72)
  • Ability to provide private key via podman secrets, systemd credentials and env variable.
    This should also close #182.
  • Adds support for systemd-resolved integration.
  • Adds systemd status, watchdog and notify support. (Closes #111)
  • New option to disable healthchecks via cli flag and environment variable.

🔥 New Experimental Features 🔥

Warning

Experimental features are not covered by semver compatibility guarantees.

  • Add kill-switch support via ip routing rules. This does not make use
    of ufw/iptables/nftables. It uses ip rules to create a sinkhole routing table which blocks all
    internet-bound outgoing connections. More specifically, this blocks all subnets specified via
    PROTONVPN_ALLOWED_SUBNETS_IPV4 and PROTONVPN_ALLOWED_SUBNETS_IPV6. You don't need to tweak these two
    env variables unless required; sane defaults are used if not specified. (Closes #122)
  • For IPv6-only networks and networks with custom routing requirements, where the default excluded routes
    are not sufficient, one can override PROTONVPN_ALLOWED_SUBNETS_IPV4 and PROTONVPN_ALLOWED_SUBNETS_IPV6.
    Both use a comma-separated list of CIDRs.
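
An added example, not part of the release notes or of protonwire's own code: a pre-deployment audit of the two override variables described above. It assumes each entry is a range excluded from VPN routing, as the "default excluded routes" wording implies; the function name and the LOCAL_RANGES list are illustrative.

```python
import ipaddress

# Assumption: ranges treated as local/non-routable for this audit. This is a
# constructed list, not the defaults protonwire ships.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def audit_allowed_subnets(value, version):
    """Audit one comma-separated CIDR list (version is 4 or 6).

    Returns (networks, findings): the parsed networks of the right family and
    a list of problems an operator should review before deploying.
    """
    networks, findings = [], []
    if not value.strip():
        return networks, findings  # unset: the image's defaults apply
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            findings.append("empty entry (stray comma)")
            continue
        try:
            # strict=True rejects host bits, e.g. 192.168.1.1/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append(f"{entry}: invalid CIDR ({exc})")
            continue
        if net.version != version:
            findings.append(f"{entry}: IPv{net.version} entry in IPv{version} list")
            continue
        networks.append(net)
        local = [r for r in LOCAL_RANGES if r.version == version]
        if not any(net.subnet_of(r) for r in local):
            # Assumed meaning: listed ranges are excluded from VPN routing.
            findings.append(f"{entry}: not confined to a local range; "
                            "traffic to it would be excluded from the VPN")
    return networks, findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the release notes.
    for var, ver, val in (
        ("PROTONVPN_ALLOWED_SUBNETS_IPV4", 4, "10.0.0.0/8, 192.168.1.1/24, fd00::/8, 0.0.0.0/0,"),
        ("PROTONVPN_ALLOWED_SUBNETS_IPV6", 6, "fd00::/8,fe80::/10,2000::/3"),
    ):
        for finding in audit_allowed_subnets(val, ver)[1]:
            print(f"{var}: {finding}")
```

Running it against the values you intend to set, before starting the container, catches wrong-family entries and overly broad prefixes such as 0.0.0.0/0.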

⚠️ Breaking Changes ⚠️

  • Removes support for PROTONVPN_EXCLUDE_CIDRS as protonwire will exclude IPv4 addresses from Special-Purpose Address Registry and non-routable IPv6 addresses from being routed over VPN by default. (Closes #146, #141, #176)
  • Drops upstream protonvpn cli from docker images. This is not covered by semver.
  • Due to changes introduced by the ProtonVPN API, automatic server selection
    is no longer supported. You can add the --p2p, --streaming, --tor,
    --country flags to enable client-side validation of server features, but
    the client can no longer select the "best" server, as it is variable and non-deterministic, depending on
    factors like server load, client IP and client latency, and this cannot be supported.
    This closes #174, and also #161 as partially resolved.
  • Uses smaller alpine base image. (This also closes #109 as ping is now included via busybox.)

🐛 Bug Fixes 🐛

  • Document ability to disable healthchecks. (Closes #104)
  • Document healthcheck command (Closes #152).
  • Add ping command to docker images. This is more of a side effect due to busybox
    bundling ping command, nevertheless closes #109.
  • Document usage with podman. (Closes #111)
  • Use custom API for fetching server metadata. (Closes #126, #104)
  • Change docs to use port instead of expose. expose was used as port
    publishes the port and can potentially bypass firewall rules. (Closes #146, #105).

🚧 Known Issues 🚧

  • Port forwarding is unsupported.
    Reverts #179, as static port forwarding is not supported by ProtonVPN (for now) and alpine
    repositories do not contain natpmpc. Thus, #125 (and its duplicate #142), is still unresolved.
  • If you assigned routes manually via ip route, those routes may bypass killswitch!
