princesskenny

Hummingbird unofficial Docker image

Posted ... (edited)

This OpenVPN client Docker image (below) seems great to me and I use it for AirVPN to attach other containers to. What I would love is an AirVPN fork of it with OpenVPN3. I was looking through the forks and Nord has an official fork of it.
I realize that maybe AirVPN's ovpn3 fork would be better suited for a Debian base than Alpine, and maybe I'm oversimplifying this. I would love a working Docker image like this, but with AirVPN's suite.
I've searched the forum here and it seems that nobody had the AirVPN Suite working in a container yet. If so, I'd love some help.
As an example: https://github.com/dperson/openvpn-client
Nord fork (uses Ubuntu base instead of Alpine): https://github.com/bubuntux/nordvpn

Edited ... by OpenSourcerer
Giving the thread some more visibility


The AirVPN Suite installer relies on systemd and I guess that would be redundant inside a container? I started with an Ubuntu image and got, "This system is not running either systemd or SysV-style init." Tried to install a systemd package just to see if it would work, and it did not.
Wouldn't a lot of people use this? Am I missing an alternative? Docker makes it so much easier for me to control which services are on VPN and which are not. It also has completely stopped me from borking my linux hosts while installing software, tinkering and learning. I just want better performance than I'm getting from the image I'm using (linked in OP).

Posted ... (edited)
6 hours ago, flat4 said:

So you want a docker container so other docker containers can use it and send data via the tunnel?

Exactly! With built-in network lock and AirVPN's ovpn3.
You would name it "airvpn", then with containers you want to attach, you would use "--net=container:airvpn" in the start command.
I prefer for it to be JUST OpenVPN and not include Deluge or anything. You can attach any container to it.
The example I linked in GitHub has 10M+ pulls from Docker Hub, it's pretty popular.
My use case is, I put Plex and Emby directly on my host network because I only share with family. P2P, Sonarr, etc are all attached to the VPN container. This setup makes it easy to separate the networks. If someone smarter than me sets up the VPN container securely, there's no chance of me doing something to cause a leak or an unreliable network lock.

Of note maybe, the 'dperson' container uses this in the Docker start command:
--cap-add=NET_ADMIN --device /dev/net/tun
Edited ... by princesskenny


Actually no, that looks like OpenVPN 2.4.11-r0 and I doubt that would be an upgrade in performance from 2.5.3-r0.
The issue I have with 2.5.3-r0 and AirVPN is that streaming IPTV through it drops too many packets to be reliable and forces me to use TCP. I was hoping we would get better UDP performance from AirVPN's own OVPN3 build.

Having a dockerized version of it would actually promote AirVPN when people search for an OpenVPN3 Docker Image. That's actually how I found AirVPN, it was referenced in the readme of an OVPN docker container. My point being, the amount of work to make this happen will have a good ROI for AirVPN, in my opinion.


For systemd inside a container, this guide here was among the newest a quick search dug out, so it's got a high probability of making systemd work. This does not imply that Bluetit will be in perfect harmony with the cage you want to put it into. :)
What you seem to be missing are mounts to cgroups, /tmp and /run.
 

On 8/10/2021 at 7:23 PM, princesskenny said:

Wouldn't a lot of people use this?


I doubt it. Docker was primarily made for hosting server applications, and is still widely used as such in connection with techs like Kubernetes. Which doesn't mean the applications on a PC aren't there, but it's rare for someone to use Docker like this. The bigger source of people "messing up their systems" is package managers and the dependency hell they can cause, to which the solution is using AppImage, Flatpak or Snap.
Also be advised that OpenVPN is both a server and client implementation in the same binary, so it's perfectly possible that the majority of those 10 million pulls were made with the intention to host an OpenVPN server in a container.
 
5 hours ago, princesskenny said:

Having a dockerized version of it would actually promote AirVPN when people search for an OpenVPN3 Docker Image. That's actually how I found AirVPN, it was referenced in the readme of an OVPN docker container. My point being, the amount of work to make this happen will have a good ROI for AirVPN, in my opinion.


The promotion will be effective if the Docker image is official. Unofficial community projects always raise doubts about the quality of the project, like "is it updated regularly?" or "will it work out of the box?".
I think what's more likely is someone finding that image, seeing it's tailored to AirVPN, then starting to ask people how to tailor it to their VPN service, because "I'd prefer to stay with whatsthenameVPN because I've been a user for n years and I don't really want to switch to AirVPN even though their Docker container works". :)

Building an image is also not black magic. If you're using Docker like you do, you're probably best qualified to dive into docker-build yourself, publish it and reap some internet points. :D It's also a quality contribution to the community.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

46 minutes ago, OpenSourcerer said:

For systemd inside a container, this guide here was among the newest a quick search dug out, so it's got a high probability of making systemd work. This does not imply that Bluetit will be in perfect harmony with the cage you want to put it into. :)
What you seem to be missing are mounts to cgroups, /tmp and /run.

I don't think we'd need Bluetit or any of that, the images referenced in this thread just use firewall rules to prevent leaks, I think. Maybe I'm not understanding some specific needs that OVPN3 has.
48 minutes ago, OpenSourcerer said:

Docker was primarily made for hosting server applications, and is still widely used as such in connection with techs like Kubernetes. Which doesn't mean the applications on a PC aren't there, but it's rare for someone to use Docker like this.

There's a MASSIVE community of us using Docker this way and it makes so much sense. Check it out:
https://fleet.linuxserver.io/
1 hour ago, OpenSourcerer said:

OpenVPN is both a server and client implementation in the same binary, so it's perfectly possible that the majority of those 10 million pulls were made with the intention to host an OpenVPN server in a container.

Both the image I originally linked, and the other one cheapsheep posted are specifically configured to be clients and nobody is using these as servers. I think you should have a look, we aren't talking about the same thing yet. I also use containers that are dual purpose, but this isn't the same thing.
1 hour ago, OpenSourcerer said:

The promotion will be effective if the Docker image is official. Unofficial community projects always raise doubts about the quality of the project, like "is it updated regularly?" or "will it work out of the box?".
I think what's more likely is someone finding that image, seeing it's tailored to AirVPN, then starting to ask people how to tailor it to their VPN service, because "I'd prefer to stay with whatsthenameVPN because I've been a user for n years and I don't really want to switch to AirVPN even though their Docker container works". 

The main Docker container that is specifically set up to proxy for NordVPN has 10M+ downloads, and there's a fork with over 1 million. AirVPN is missing out on this group, in my opinion.
1 hour ago, OpenSourcerer said:

Building an image is also not black magic. If you're using Docker like you do, you're probably best qualified to dive into docker-build yourself, publish it and reap some internet points. :D It's also a quality contribution to the community.

I have tried and failed which is why I made this thread, as has the other user in this thread. The NordVPN image is OpenVPN 2.5, so I expect to have the same issues with that. HOWEVER, their image also supports WireGuard which I think is worth a shot. I don't expect AirVPN to develop something just because I asked, so I think it's best for me to give WireGuard a go since I'm hitting a dead-end on my own.

Honestly, just taking the time to post about this is a contribution. This is a missed opportunity.

15 hours ago, princesskenny said:

I don't think we'd need Bluetit or any of that, the images referenced in this thread just use firewall rules to prevent leaks, I think. Maybe I'm not understanding some specific needs that OVPN3 has.


I don't quite understand what you're writing here. I thought you asked for help with building an AirVPN-Suite image? Which the community will certainly help you do. Bluetit is a central part of that suite.
 
15 hours ago, princesskenny said:

There's a MASSIVE community of us using Docker this way and it makes so much sense.


Your link does not support your claim. It seems to pull stats from Docker Hub, where organizations are also pulling images from. And pulls don't tell client and server usage apart. Some apps are just as ambiguous as OpenVPN, like Calibre which is not only an eBook reader but can also be configured as a networked eBook repo.
But it all doesn't really matter, the discussion will continue without any changes because at the end of the day we're all users just like you, and all we can do is help a brother in need with his effort of creating a new way of connecting to AirVPN. The more methods there are available, the merrier. :)

So if you don't mind, post your progress on the Dockerfile, outline what you tried and where you seem to be stuck.
 
23 hours ago, princesskenny said:

Actually no, that looks like OpenVPN 2.4.11-r0 and I doubt that would be an upgrade in performance from 2.5.3-r0.


Oh, and also: You'll never know for sure if you don't try it out first… ;) Both branches support AES-256-GCM.

1 hour ago, OpenSourcerer said:

And pulls don't tell client and server usage apart.

The images we are discussing in this thread are all client only. This is hijacking the thread though. To demonstrate that I understand what you are saying, here are two popular examples of containers that can be used as server or client:
https://github.com/kylemanna/docker-openvpn
https://hub.docker.com/r/linuxserver/openvpn-as
What we are asking for is a container specifically to use as a client with preconfigured firewall rules to prevent leaks. Even though the OpenVPN package would be capable of running as a server, the firewall rules would prevent it. Absolutely 0 people are using this as a server, hopefully we can put this to rest. ALL of the pulls are to be used as a client.
ALL of these are clients paying NordVPN -> https://hub.docker.com/search?q=nordvpn
ALL of these are clients with various VPN services including AirVPN -> https://hub.docker.com/r/dperson/openvpn-client It even says "client" in the name.
1 hour ago, OpenSourcerer said:

I thought you asked for help with building an AirVPN-Suite image

 
On 8/9/2021 at 10:58 PM, princesskenny said:

This OpenVPN client Docker image (below) seems great to me and I use it for AirVPN to attach other containers to. What I would love is an AirVPN fork of it with OpenVPN3.

I should have never mentioned the Suite, sorry for the confusion.

The thing is, the solution I'm asking for already exists. So, while I've enjoyed being an AirVPN customer so far, it doesn't make sense for me to sink more time into this when I'm not on the payroll. Also consider that it would take me hours, but whoever develops AirVPN's OVPN3 fork could probably do it with ease, obviously get paid to do it.  The existence of that Dockerfile on GitHub would produce new clients, as it has for NordVPN (ask me how I know).
 
1 hour ago, OpenSourcerer said:

So if you don't mind, post your progress on the Dockerfile, outline what you tried and where you seem to be stuck.

The Dockerfile bm9vbmUK posted above is a good starting point. Should we start with Debian? Alpine? Ubuntu? These are things that the developer of the AirVPN OVPN3 fork would probably know already.
On 8/10/2021 at 10:08 PM, bm9vbmUK said:

couldn't get network lock to work and ended up with some leaks.

I think this script is a good starting point. However this needs to be modified to work with OVPN3: https://github.com/dperson/openvpn-client/blob/master/openvpn.sh


… okay. Let's do it this way, then.
If you need help, continue with what I asked before: List the steps you did, post the Dockerfile if there is one and outline where you're stuck, because you wrote you tried and failed. The community can help you out of that pit, it usually does.
If you want to request an official Docker container that gets you connected to AirVPN in some way instead, please create a ticket and shower them with your arguments about customer growth and ROI. It's where you'll most likely find someone who will ask for some numbers.

If you simply want to throw links into the thread and comment them with "this needs to be rewritten" and "that needs to be changed", do that, it's not a crime. Heck, someone might even do it if he/she feels adventurous. :D But if you write "I don't want to rewrite it myself because I don't get paid", well… no one does here. It creates a feeling that you expect them to do the work for you, because Docker is oh so easy, you see?



Thanks for the help. I didn't realize that this is community only, I assumed some staff would be here too. My mistake. I'm opening a ticket, as it's not realistic for me to develop this. Docker and scripting may be "oh so easy" for some, and that would probably be a good trait for this!

Honestly, I thought you were staff at first because your post was so dismissive, and has a gatekeeper vibe, and you have so many posts. I see that you are super helpful to some, and I'm sorry if I came off as being entitled with my pitch. I did make it down to your signature. You wet toweled this from the start, had me on the defense, and now you are painting me as demanding. I just wanted this to be discussed.


I was talking to an Internet friend that chose them because of the simplicity and support of that setup, and I'm very tempted myself. Not as a way to leave from here, P2P has been just fine and VPNs are pretty reasonably priced so I could live with some overlap.

On 8/11/2021 at 11:29 AM, princesskenny said:

Having a dockerized version of it would actually promote AirVPN when people search for an OpenVPN3 Docker Image. That's actually how I found AirVPN, it was referenced in the readme of an OVPN docker container.

What link are you referring to exactly...on how you have found AirVPN?
Anything close to it would be this:
https://github.com/schmas/docker-openvpn-client/blob/master/README.md
Do you see AirVPN listed there?

10 hours ago, princesskenny said:

I didn't realize that this is community only, I assumed some staff would be here too.


They are, but nothing compels them to answer to each and every topic. Contrary to the support portal where not answering's got its own meaning. :)
They do read along, though.
 
10 hours ago, princesskenny said:

Honestly, I thought you were staff at first because your post was so dismissive, and has a gatekeeper vibe, and you have so many posts.


Well… not the first time. Also no idea how to make it even more clear to everyone that I'm my own person still, not a representative of Air. Should I change the name? @no-air-team-opensorcerer, @notairsorcerer, @myownopinion…
 
10 hours ago, princesskenny said:

I see that you are super helpful to some, and I'm sorry if I came off as being entitled with my pitch.

Apologies from my side, too. My intention was not to discredit the idea of a Docker image.


You are one of the few who actually follow through and share something like that with the community. Thank you for following through! :)

Can you please check the sources? They seem to be wrapped after 80 characters.

1 hour ago, whiteowl3 said:

hummingbird -p tcp --persist-tun --network-lock off /config.ovpn &> airvpn_log &

1 hour ago, whiteowl3 said:

echo "nameserver $(grep -oP "(?<=\[DNS\]\s\[)[\d\.]*" airvpn_log)" > /etc/resol>

1 hour ago, whiteowl3 said:

echo "nameserver $(grep -oP "(?<=\[DNS6\]\s\[)[a-zA-Z\d\:]*" airvpn_log)" >> /e>


Just upload the files directly or use cat to copy-paste them from the terminal. :)


Anybody who doesn't understand how to build a docker image for themselves would do well to wind up at this personal docker repo that I stole everything from.
Tons of bare-bones usable examples that people can use to teach themselves before moving on to s6. https://github.com/rahmnathan/docker
The Hummingbird example is inside the deluge folder. I will note for anybody trying to recreate this process that simply downloading the hummingbird 1.1.2 bins currently available doesn't seem to work on Debian images. For the time being you must download the full AirVPN suite and pull out the hummingbird 1.1.0 binary as in my example. Also, you MUST disable the network lock as per the example, as it seems to be sysd/v implementation of some kind. If anybody figures out the no UDP problem I would love to hear it. This client is a serious performance increase over dperson's image on a Raspberry Pi.
https://gitlab.com/AirVPN/AirVPN-Suite/-/tree/master/binary


Well… I dug into the hummingbird and NetFilter code a bit and it looks like the dependencies on systemd/sysinit for the network lock are fairly limited. I am looking into putting a remedy to those with a couple of “if docker then … else …” and see where it leads. I think the network lock is a pretty important piece of the picture and it should work well even in a docker environment.

I’ll report back here once I have anything tangible.

The out coming Dockerfile will probably be a little more involved, but still pretty straightforward building hummingbird in one image and copying the produced binary from there into the target image with the right entrypoint.sh


Very nice! Thanks for the contributions, y'all! That's interesting that TCP performance is still better than dperson's container on RPi.
I also got stuck on dependencies and never made it as far as even getting it connected.

The network lock is obviously important. With WireGuard being available on AirVPN now I started looking at the options for that. I have been messing with 'GlueTun' as CheapSheep suggested in this thread, but it's pretty huge compared to the dperson container. I'm afraid the size and complexity of it could make it a little less secure. Anyway that has WG support too but I haven't tested it yet.

Hummingbird in Docker with a trustworthy firewall and killswitch is still desirable to me. Looking forward to testing something. 🙂


I mean, some simple iptables in the container should be able to take the place of a network lock, in the short term.
The appropriate dockerific solution is to implement S6 and handle network locking with a start-up script. Even if we do get network lock working by modifying the hummingbird source code, the source of truth for the rules is still not exposed to the docker user. That's less than ideal.
I'm not sure if dperson ever got around to implementing s6 on his image, but the nord fork uses it, for reference. Their implementation uses cont.init.d to create iptables rules. Anything else is categorically the wrong way to do it, imho.
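
The start-up-script approach described in the post above, as an added example that is not part of any post in this thread or of the images it mentions: a function that reads the endpoints from the same profile passed to `hummingbird --network-lock off` and prints a default-drop `iptables-restore` ruleset. The function name, the `tun+` device pattern, the IPv4-literal requirement for `remote` and the sample profile are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build a default-drop IPv4 ruleset for a VPN client container
# whose client-side lock is off (hummingbird --network-lock off), allowing
# only loopback, the tunnel, and the endpoints listed in the profile.
# Assumptions: tunnel device matches tun+, remotes are literal IPv4 addresses.

# killswitch_rules PROFILE [PROTO]
#   PROFILE  OpenVPN profile, e.g. /config.ovpn
#   PROTO    optional override, mirroring "hummingbird -p tcp"
# Prints iptables-restore input; prints nothing and returns 1 when the
# profile yields no usable remote, so the caller can fail closed.
killswitch_rules() {
    tr -d '\r' < "$1" | awk -v force="${2:-}" '
        { sub(/[#;].*$/, "") }                      # strip comments
        $1 == "proto"  && def == ""   { def = $2 }
        $1 == "port"   && dport == "" { dport = $2 }
        $1 == "remote" { host[++n] = $2; port[n] = $3; proto[n] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                # A hostname would need DNS before the tunnel exists: skip it.
                if (host[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                p = (force != "") ? force : proto[i]
                if (p == "") p = (def != "") ? def : "udp"
                if (p ~ /^tcp/) p = "tcp"           # tcp-client, tcp4, ...
                else if (p ~ /^udp/) p = "udp"      # udp4, udp6
                else continue
                pt = (port[i] != "") ? port[i] : ((dport != "") ? dport : 1194)
                if (pt !~ /^[0-9]+$/) continue
                allow = allow sprintf("-A OUTPUT -d %s/32 -p %s --dport %s -j ACCEPT\n", host[i], p, pt)
            }
            if (allow == "") exit 1
            print "*filter"
            print ":INPUT DROP [0:0]"
            print ":FORWARD DROP [0:0]"
            print ":OUTPUT DROP [0:0]"
            print "-A INPUT -i lo -j ACCEPT"
            print "-A OUTPUT -o lo -j ACCEPT"
            # Anything may use the tunnel; replies to the encrypted session
            # come back on the physical interface via connection tracking.
            print "-A INPUT -i tun+ -j ACCEPT"
            print "-A OUTPUT -o tun+ -j ACCEPT"
            print "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            printf "%s", allow
            print "COMMIT"
        }'
}

# In an entrypoint or init script, before the client starts (fail closed,
# because a pipe straight into iptables-restore would hide a parse failure):
#   rules=$(killswitch_rules /config.ovpn tcp) || exit 1
#   printf '%s\n' "$rules" | iptables-restore

# Demo on a constructed profile (192.0.2.10 is a documentation address).
demo_profile=$(mktemp)
printf 'client\r\ndev tun\r\nremote 192.0.2.10 443\r\nremote vpn.example.net 443\r\nproto udp\r\n' > "$demo_profile"
killswitch_rules "$demo_profile" tcp
```

Containers started with `--net=container:airvpn` share this network namespace, so the ruleset covers them as well. Loading it needs the `NET_ADMIN` capability already shown in the thread, and IPv6 needs a matching `ip6tables` ruleset or has to be disabled.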
