Old 03-11-2019, 07:41 AM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
VPN connection sharing with a Raspberry Pi Zero


I prepared this write-up at the request of a member on the ProtonVPN reddit forum. After all that effort the post was removed. Too long or what I have no idea. I thought I might share it here for what it is worth...

In response to a comment in another thread I am posting a description of how I am using a Raspberry Pi Zero as a gateway/firewall/router and vpn sharing box to connect my LAN to the Internet via ProtonVPN. This is the latest iteration of my less is more progression. I started with a small Intel based PC, then migrated to a Pi 3B and now to the Zero. I will be brief about how to setup the Pi in general as that is well documented elsewhere. However, if I can answer a question, please ask. Please feel free to make use of my script, systemctl job etc. Comments are appreciated as I may have made some typos in this monograph :-)

The Pi Zero has some limitations. No network connectivity built in, a single USB port with minimal power capability and Raspbian as the only practicable OS. The Intel PC used CentOS 7 and the Pi 3B Ubuntu Mate. Those made the setup a breeze. As to Raspbian, more on that as we go...

The hardware setup is as follows:

Pi Zero
a USB hub
two USB to 10/100 Ethernet dongles
a 16 GB MicroSD card with the official Raspbian image
a Pi power supply
some Ethernet cables
keyboard, mouse, monitor (only for initial setup)

The installation process:

Connect a monitor to the Pi and plug in a keyboard, mouse and the two Ethernet dongles to the hub. Caution: do not plug in an Ethernet dongle after the Pi is booted. I have found that doing so will cause a voltage dip on the USB port and cause the Pi to reboot. Label one of the dongles wan (for wide area network i.e. Internet). Connect an Ethernet cable from the wan dongle to your Internet source (modem/router etc.) Do NOT connect anything to the second dongle for now.

Boot the Pi for the first time. It will expand the file system to fill the SD card, create a swap file, connect to the Internet, update packages as necessary etc. You will be automatically logged in as user "pi" when this completes.

The next step is to install the ProtonVPN Linux client. This is documented on the Proton web site. Just a couple of notes...

Execute "sudo su -" (no quotes) in the terminal before starting the installation. This SHOULD cause the ProtonVPN configuration files to land in /root/.protonvpn-cli/. Check this after the installation: ls -a /root/.protonvpn-cli should show a bunch of stuff. If this lands in /home/pi/.protonvpn-cli you will need to move the directory and contents to /root/ in order for the script to execute the connection as root.

While logged on as root (sudo su -) try accessing the ProtonVPN client pvpn -c, pvpn -d, pvpn --cc US etc. Provided this works we can now proceed to setting up the second Ethernet dongle. It will be shared to the other computers on the LAN.

The Raspbian OS uses the LXDE desktop which is light weight but lacks the tools I am familiar with in my preferred OS, CentOS. I therefore installed network-manager-gnome, firewalld and firewall-cmd. I uninstalled ufw just to be safe. The firewall configuration can be done with either tool - your preference.

The utility nm-connection-editor makes quick work of setting up the two network connections. There should be a menu item under Configuration as I recall. Launch the utility and look for the active ethernet connection. There SHOULD only be one as the second dongle is not connected on the Ethernet side.

Select the connection and double click or press the gear like edit button. A 7 tab dialog will appear. You should be on the second tab (Ethernet). Change Connection name: to "wan". Make note of the Device: identification as it may come in handy later.

Select the IPv4 Settings tab. The Method: should be "Automatic (DHCP)" On the IPv6 Settings tab I generally set the Method: to "Ignore" as I am not using IPv6 (yet). When everything looks good press Save. Close the utility.

Next connect the second (LAN side) dongle to another PC or a switch or hub so it is electrically "alive". Call up the utility again and select the new connection and edit it. Check the Device identifier to make sure you have the correct one. Change the Connection name: to "lan". Again you may set IPv6 to Ignore. The real magic occurs on the IPv4 Settings tab. Change the Method to "Shared with other computers". Save and close the utility.

Reboot the Pi. When it comes back up we need to see what sort of network mess we have. CentOS and Ubuntu are reasonably well behaved. Raspbian... Modern Linux distros try to make networking easy by automagically connecting to the network/Internet. That is fine unless it is desired to do something specific. Open a terminal and check things out. Here is an example from my Pi
Code:
ken@taylor27:~ $ nmcli conn
NAME  UUID                                  TYPE            DEVICE 
lan   e9b71f92-a15d-4453-a1ff-439522c2fdf8  802-3-ethernet  eth1   
tun0  0bbf891e-92fc-424a-addc-ec403d28a72c  tun             tun0   
wan   349104ac-00aa-486d-81bd-adf627646cdf  802-3-ethernet  eth0   

ken@taylor27:~ $ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.66.5/24 brd 192.168.66.255 scope global dynamic eth0
       valid_lft 233644sec preferred_lft 233644sec
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.42.0.1/24 brd 10.42.0.255 scope global eth1
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.3.3/24 brd 10.8.3.255 scope global tun0
       valid_lft forever preferred_lft forever
Things to note:

tun0 is my VPN tunnel. It will appear after the ProtonVPN is connected. Ignore for now.

The wan connection is on device eth0 and has an IP address of 192.168.66.5 (from my DSL modem/router).

The lan connection is on device eth1 and has an address of 10.42.0.1. This is the default for a shared connection. Devices which connect to the shared connection will receive a DHCP address in the 10.42.0.xxx range from DHCP on the Pi.

If you have a second PC connected to the Ethernet side of the lan dongle disconnect and reconnect it. It should pickup an IP address. If you have a hub connected to the Ethernet side of the dongle plug a PC into it and see that it picks up an IP address. If all has gone to plan you will have the Pi functioning as a gateway between the Internet and your (small one device) LAN. Open a web browser on the LAN PC and access a site such as ipaddress.com. You should see an Internet address corresponding to the one provided by your ISP.

The next step is I guess optional. Configure the firewall using the tool of your choice thus:

Make the "drop" zone the default zone.

Pick a second zone, I use "internal" and limit it to ssh only. Enable vnc if you wish to access the Pi in gui mode (not necessary).

put the wan connection in the drop zone

put the lan connection in the internal zone

Be sure to enable the firewall (sudo systemctl enable firewalld in my case)

Now onto my soapbox for a minute... You will probably notice that Raspbian has created other connections such as "Wired connection 1", "Wired connection 2". You can delete them with the utility used earlier but they tend to reappear on a reboot. I have no idea where they come from so I have used a big hammer approach in my script to deal with them. For now just delete them and make sure wan and lan are running.

It is time to fire up the ProtonVPN. sudo su - and then pvpn -c. When this connects execute nmcli conn and ip -4 addr as shown earlier. You should now see your tunnel tun0. Check the Internet IP address on the LAN test PC using ipaddress.com or similar. It should correspond to the ProtonVPN assigned address.

If things have progressed successfully to this point you could turn off the gui on the Pi (sudo systemctl set-default multi-user.target) and access it remotely with ssh. (Make sure you have ssh running. There is an option on the Pi configuration tool.) Simply connect to the Pi, start the vpn and disconnect the ssh session. This works with CentOS and Ubuntu but with the whack-a-mole connection naming it may be problematic on Raspbian. So for my next trick...

I created this script /usr/local/sbin/protonvpn.sh
Code:
superseded - see post #3 in this thread
A few notes about the script...

The idea of the script is to launch a connection to ProtonVPN and then monitor it every few seconds. If the VPN drops the script will restart it.

If I am running on Raspbian I use the whack-a-mole technique to shut down all network connections and only bring up wan and lan. I know that these are in the correct firewall zones.

I like some formatting in my logs so I tend to put in blank lines :-)
echo >> /var/log/protonvpn.log
echo >> /var/log/protonvpn.log

I have tried several methods to make sure the VPN connection is running. The presence of the tun0 network connection is a good indication. On rare occasions I have found the tunnel connected but with no DNS response. To check this I do a ping (I will not say to whom :-) every so often. And I ping twice as sometimes the first single ping does not come back. This has been 100% effective in detecting a dropped VPN connection over the past couple of months and has reconnected quite reliably and silently (until yesterday.)

pvpn --cc US is supposed to connect to the fastest server in country code US. In my case that is normally a server in the state of VA. Last evening several of the VA servers went down for maintenance. The ProtonVPN client "sees" that the servers (or at least their IP addresses) are present and responding with a low latency and decides that one of them is the "fastest" even though it is not available for connection. I added a work around to allow me to force connection to a specified server. See the comments in the script.

If you want to try the script, copy the text into a script file in the location I specified (so the systemctl job below can invoke it) and make it executable. Remember to put the ping target of your choice in the script where indicated. You can change the check frequencies if you like. Try running it with root (sudo su -) and make sure it works. Note that the script contains an endless loop and will tie up your terminal while running. I guess you could add & at the end or run it in a screen session but I decided to run it as a service.

The last trick is to create a systemctl .service file "/etc/systemd/system/protonvpn.service" which looks like
Code:
[Unit]
Description=Connect to ProtonVPN
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/sbin/protonvpn.sh 

[Install]
WantedBy=multi-user.target
I cannot say that the After and Wants are the best choices but it works. The job can be enabled by "sudo systemctl enable protonvpn.service" and will run at boot time.

Here is a link to a picture of my Pi Zero installation https://mega.nz/#!gw9gVYKQ!AFIV21kLT...yhmYN_pQkz_CzI Hope you don't mind my using mega. My box.net image sharing account does not seem to be working at the moment.

Again, please feel free to use any of this material which might be helpful. I would be glad to hear comments and suggestions.

Thanks,

Ken

Last edited by taylorkh; 03-20-2019 at 07:13 AM.
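
The firewall steps from this post written out as commands, as an added example that is not the poster's own configuration. It assumes the NetworkManager connection names wan and lan used above and a firewalld internal zone; the function names, the DRY_RUN switch and the sample service list are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: firewalld zone layout for the
# VPN-sharing gateway (wan -> drop zone, lan -> internal zone, ssh only).
# DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Services currently allowed in a zone. In dry-run mode a constructed sample
# list is returned so the script can be exercised without firewalld.
zone_services() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "${SAMPLE_SERVICES:-ssh mdns samba-client dhcpv6-client}"
    else
        firewall-cmd --permanent --zone="$1" --list-services
    fi
}

apply_vpn_gateway_zones() {
    wan_con=${1:-wan}
    lan_con=${2:-lan}
    lan_zone=${3:-internal}

    # Interfaces with no explicit zone (tun0 included) fall into the default
    # zone, so making "drop" the default means unsolicited inbound traffic on
    # the tunnel is dropped as well.
    run firewall-cmd --set-default-zone=drop

    # Limit the LAN-side zone to ssh: remove whatever else it allows.
    for svc in $(zone_services "$lan_zone"); do
        [ "$svc" = "ssh" ] || run firewall-cmd --permanent --zone="$lan_zone" --remove-service="$svc"
    done
    run firewall-cmd --permanent --zone="$lan_zone" --add-service=ssh

    # Bind the zones to the NetworkManager connections so they survive reboots
    # and interface renaming.
    run nmcli connection modify "$wan_con" connection.zone drop
    run nmcli connection modify "$lan_con" connection.zone "$lan_zone"

    run firewall-cmd --reload
    # Re-activate both connections so the new zone assignment is applied.
    run nmcli connection up "$wan_con"
    run nmcli connection up "$lan_con"
}

# Only act when explicitly asked to; run as root.
if [ "${1:-}" = "--apply" ]; then
    apply_vpn_gateway_zones
fi
```

Review the DRY_RUN=1 output first, then confirm the result with firewall-cmd --get-active-zones once the VPN is up.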
 
Old 03-15-2019, 08:13 AM   #2
taylorkh
Update...

I came across an unhandled exception in my process. When ProtonVPN's Linux client connects, one of the things it does is to make a backup of /etc/resolv.conf. When the client disconnects it restores /etc/resolv.conf. This SHOULD restore DNS resolution on the computer. As a further step the client checks the Internet address of the computer. Sometimes for some reason DNS does not respond and it displays the message
Quote:
[#] Current IP: Error.
I have noticed this when manually using the client and recently noticed the message in the log from my script. If DNS is not resolving then the client will not be able to connect as it needs to pull a list of ProtonVPN servers. I determined that by cycling the Internet side connection (lan) I could get DNS working again. I have modified my script to address this condition.
Code:
superseded - see post #3 in this thread

Last edited by taylorkh; 03-20-2019 at 07:12 AM.
 
Old 03-20-2019, 07:10 AM   #3
taylorkh
Update - final I hope...

I noticed that the Pi Zero seemed to be rather slow in connecting to the VPN. Once it was connected it was able to handle my tremendous (pathetic) DSL bandwidth. I modified the script to write some more timestamps into the log file. I determined that the first connection after a reboot was taking 5 - 6 MINUTES. If I booted the thing with my service disabled and manually attempted to connect or even get the status from the ProtonVPN utility I found minutes of delay. Once I had done SOMETHING with the ProtonVPN client I could perform other tasks (disconnect, reconnect, get status etc.) at a reasonable speed. After some hours spent testing and investigating I junked the Pi Zero and Raspbian and moved my VPN process back to a Pi 3B with Ubuntu. It now runs great, detects and reconnects dropped connections promptly etc.

Here is my latest script iteration. I found an error in the prior one. I had failed to escape a couple of characters in a grep regex, "[" and "]" to be precise. I have done considerable testing on this version of the script and it seems to be working as desired. Please feel free to make use of it as suits your needs.

Ken
Code:
#!/bin/bash
#
# This script will launch the Proton VPN and relaunch if it drops
# version 0.8 03/17/19
# This version adds a check for the Raspbian OS which creates 
# spurious network connections at boot
# Also add a second ping as a single ping has been producing false
# failures (I think)
#
# Time to address an unhandled exception.  Sometimes the connect/reconnect 
# action fails because the Proton script cannot resolve wherever it gets the
# list of servers from.  This results in a message "[#] Current IP: Error."
# I think that cycling the wan connection will cause DNS to start working
# again.  
#
# Added a few more time stamps to the log
#
# Added the "[#] Current IP: Error." check after disconnect. Found this situation on the
# Pi Zero which has gone flaky and is back in test mode.
#
echo >> /var/log/protonvpn.log
echo ======================================== >> /var/log/protonvpn.log
echo launching vpn  `date` " (ver 0.8)" >> /var/log/protonvpn.log

grep raspbian /etc/os-release >/dev/null

if [ $? -eq 0 ]
then

  echo `date` " Running Raspbian - setting correct connections" >> /var/log/protonvpn.log
  con_list=`nmcli -t --fields UUID con`

  for con2zap in $con_list 
  do
    nmcli con down $con2zap
  done
 
  nmcli conn up wan
  nmcli conn up lan

fi

loopcount=0
vpnon=n

while [ 0 -lt 1 ]
  do

  if [ "$vpnon" = "n" ]
  then
    echo `date` " Disconnecting VPN" >> /var/log/protonvpn.log	
    pvpn -d  | tee -a /var/log/protonvpn.log
#
# A new check to make sure the DISCONNECT attempt did not fail due to "[#] Current IP: Error." 
# If so, cycle the wan connection and let it try again
# This was added below for CONNECT attempt errors but it can occur when disconnecting.
#
    tail /var/log/protonvpn.log | grep "\[#\] Current IP: Error." > /dev/null
    if [ $? -eq 0 ]
    then
      echo `date` " Current IP error - cycling wan"  >> /var/log/protonvpn.log
      nmcli conn down wan
      nmcli conn up wan
    fi
# 
# Choose fastest server fails if the fastest server (by latency) is down for maintenance.
# Allow a designated server to be forced
#  
    if [ -f /etc/protonvpn/server ]
    then 
      vpnserver=`cat /etc/protonvpn/server`
      echo `date` " Forcing server " $vpnserver >> /var/log/protonvpn.log
      pvpn -c "$vpnserver" udp  | tee -a /var/log/protonvpn.log
    else
      echo `date` " Connecting fastest VPN server" >> /var/log/protonvpn.log	
      pvpn --cc US  | tee -a /var/log/protonvpn.log
    fi
#
# A new check to make sure the connection attempt did not fail due to "[!] Error: There is an internet connection issue." 
# If so, cycle the wan connection and let it try again
#  
    # The client prefixes this message with "[!]", as quoted in the comment above
    tail /var/log/protonvpn.log | grep "\[!\] Error: There is an internet connection issue." > /dev/null
    if [ $? -eq 0 ]
    then
      echo `date` " Internet connection error - cycling wan"  >> /var/log/protonvpn.log
      nmcli conn down wan
      nmcli conn up wan
    fi
    loopcount=0
  fi

  # Every 5 seconds confirm that the tun0 connection still exists
  if [ $loopcount -le 11 ]
  then
    nmcli c show tun0 > /dev/null 2>/dev/null
    if [ $? -eq 0 ]
    then
      vpnon=y
      loopcount=$(($loopcount+1))
      sleep 5
    else
      vpnon=n
      echo `date` " vpn down, restarting" >> /var/log/protonvpn.log
    fi
  fi

  # After 11 successful tunnel checks, confirm DNS and traffic with a ping
  if [ $loopcount -eq 11 ]
  then
    ping -c1 www.google.com > /dev/null
    if [ $? -eq 0 ]
    then
      vpnon=y
      loopcount=0
    else
      # second chance ping
      sleep 2
      ping -c1 www.google.com > /dev/null
      if [ $? -eq 0 ]
      then
        vpnon=y
        loopcount=0
      else
        vpnon=n
        echo `date` " bad ping, restarting" >> /var/log/protonvpn.log
      fi
    fi
  fi
done
 
Old 07-15-2019, 09:06 AM   #4
juppzupp
LQ Newbie
 
Registered: Jul 2019
Posts: 5

Rep: Reputation: Disabled
Question

Hi Ken,
great little tutorial and I got it to work ok, the script also works fine. Only one question, I did put in the systemd service, but when it runs at boot, it goes into a loop because it says the profile is not initialised, see below. Well, it is. When I run the script directly in the shell, it works fine and connects ok. Any ideas why?

Thanks

Code:
Mon 15 Jul 2019 11:57:00 PM AEST  Connecting fastest VPN server
[!] Profile is not initialized.
Initialize your profile using: 
    pvpn --init
Mon 15 Jul 2019 11:57:00 PM AEST  vpn down, restarting
Mon 15 Jul 2019 11:57:00 PM AEST  Disconnecting VPN
Disconnecting...
[#] Disconnected.
[#] Current IP: xxx.xxx.xxx.xxx
Mon 15 Jul 2019 11:57:02 PM AEST  Connecting fastest VPN server
[!] Profile is not initialized.
Initialize your profile using: 
    pvpn --init
Mon 15 Jul 2019 11:57:03 PM AEST  vpn down, restarting
Mon 15 Jul 2019 11:57:03 PM AEST  Disconnecting VPN
 
Old 07-15-2019, 09:44 AM   #5
taylorkh
Hello juppzupp,

Not sure what is causing the issue. I have tweaked the pieces and parts of this since the original post. Let me update the component files. Try updating your Pi and see if that works. If not, let me know. I just got through fighting with a Proton VPN issue a few minutes ago. The "fastest" server was down for maintenance but still showed on-line. Thus the client kept trying to connect to it. I had this issue some time ago and contacted Proton support. Nothing they could do. It cleared itself up this time.

I added code to allow me to specify the server I wanted to connect to by creating a file: /etc/protonvpn/server which contains the server name. I forget the format of the server name and I do not have a sample file handy. I will figure that out and add a note to the post later.

EDIT: Looks like the format US-TX#2 in the file will do the trick.

I did give up on the Pi Zero due to issues with the way it kept renaming the network interfaces. I am running on a 3B+ with Ubuntu Mate 18.04.

You do need to do a sudo su - and then initialize the Proton VPN client so that the configuration files live in /root/.proton-cli in order that they are accessed by the service - which runs as root.

Ken

The service file
Code:
root@t25-magic:~# cat /etc/systemd/system/protonvpn.service 
[Unit]
Description=Connect to ProtonVPN
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/sbin/protonvpn.sh 

[Install]
WantedBy=multi-user.target
The script
Code:
root@t25-magic:~# cat /usr/local/sbin/protonvpn.sh 
#!/bin/bash
#
# This script will launch the Proton VPN and relaunch if it drops
# version 0.9 04/11/19
# This version adds a check for the Raspbian OS which creates 
# spurious network connections at boot
# Also add a second ping as a single ping has been producing false
# failures (I think)
#
# Time to address an unhandled exception.  Sometimes the connect/reconnect 
# action fails because the Proton script cannot resolve wherever it gets the
# list of servers from.  This results in a message "[#] Current IP: Error."
# I think that cycling the wan connection will cause DNS to start working
# again.  
#
# Added a few more time stamps to the log
#
# Added the "[#] Current IP: Error." check after disconnect. Found this situation on the
# Pi Zero which has gone flaky and is back in test mode.
#
# Added pvpn --status to log after connection
#
echo >> /var/log/protonvpn.log
echo ======================================== >> /var/log/protonvpn.log
echo launching vpn  `date` " (ver 0.9)" >> /var/log/protonvpn.log

grep raspbian /etc/os-release >/dev/null

if [ $? -eq 0 ]
then

  echo `date` " Running Raspbian - setting correct connections" >> /var/log/protonvpn.log
  con_list=`nmcli -t --fields UUID con`

  for con2zap in $con_list 
  do
    nmcli con down $con2zap
  done
 
  nmcli conn up wan
  nmcli conn up lan

fi

loopcount=0
vpnon=n

while [ 0 -lt 1 ]
  do

  if [ "$vpnon" = "n" ]
  then
    echo `date` " Disconnecting VPN" >> /var/log/protonvpn.log	
    pvpn -d  | tee -a /var/log/protonvpn.log
#
# A new check to make sure the DISCONNECT attempt did not fail due to "[#] Current IP: Error." 
# If so, cycle the wan connection and let it try again
# This was added below for CONNECT attempt errors but it can occur when disconnecting.
#
    tail /var/log/protonvpn.log | grep "\[#\] Current IP: Error." > /dev/null
    if [ $? -eq 0 ]
    then
      echo `date` " Current IP error - cycling wan"  >> /var/log/protonvpn.log
      nmcli conn down wan
      nmcli conn up wan
    fi
# 
# Choose fastest server fails if the fastest server (by latency) is down for maintenance.
# Allow a designated server to be forced - Note: must manually create the file
#  
    if [ -f /etc/protonvpn/server ]
    then
      vpnserver=`cat /etc/protonvpn/server`
      echo `date` " Forcing server " $vpnserver >> /var/log/protonvpn.log
      pvpn -c "$vpnserver" udp  | tee -a /var/log/protonvpn.log
      pvpn --status | tee -a /var/log/protonvpn.log
    else
      echo `date` " Connecting fastest VPN server" >> /var/log/protonvpn.log
      pvpn --cc US  | tee -a /var/log/protonvpn.log
      pvpn --status | tee -a /var/log/protonvpn.log
    fi
#
# A new check to make sure the connection attempt did not fail due to "[!] Error: There is an internet connection issue." 
# If so, cycle the wan connection and let it try again
#  
    # The client prefixes this message with "[!]", as quoted in the comment above
    tail /var/log/protonvpn.log | grep "\[!\] Error: There is an internet connection issue." > /dev/null
    if [ $? -eq 0 ]
    then
      echo `date` " Internet connection error - cycling wan"  >> /var/log/protonvpn.log
      nmcli conn down wan
      nmcli conn up wan
    fi
    loopcount=0
  fi

  # Every 5 seconds confirm that the tun0 connection still exists
  if [ $loopcount -le 11 ]
  then
    nmcli c show tun0 > /dev/null 2>/dev/null
    if [ $? -eq 0 ]
    then
      vpnon=y
      loopcount=$(($loopcount+1))
      sleep 5
    else
      vpnon=n
      echo `date` " vpn down, restarting" >> /var/log/protonvpn.log
    fi
  fi

  # After 11 successful tunnel checks, confirm DNS and traffic with a ping
  if [ $loopcount -eq 11 ]
  then
    ping -c1 www.google.com > /dev/null
    if [ $? -eq 0 ]
    then
      vpnon=y
      loopcount=0
    else
      # second chance ping
      sleep 2
      ping -c1 www.google.com > /dev/null
      if [ $? -eq 0 ]
      then
        vpnon=y
        loopcount=0
      else
        vpnon=n
        echo `date` " bad ping, restarting" >> /var/log/protonvpn.log
      fi
    fi
  fi
done

Last edited by taylorkh; 07-15-2019 at 04:10 PM.
 
Old 07-15-2019, 08:50 PM   #6
juppzupp
Thanks Ken,
I did update the script, but it still doesn't work using the systemd service... hmmm. See the tail -f of the log file below. Your script runs fine as root user straight from the shell, no errors in regards to the proton script needing an init... This only happens when it goes through systemd.

I'm using a R-Pi3B+ running the latest raspbian, so not a Pi Zero.

I'm not too familiar with systemd, but it feels like the way the service file is written may not work on raspbian? Don't know...

What I might end up doing is writing a cronjob that runs every minute to check if your script is running... don't know what else to do honestly...

Thanks again
Cheers
Frank

Code:
sudo -i
root@raspberrypi:~# tail -f /var/log/protonvpn.log 
[!] Profile is not initialized.
Initialize your profile using: 
    pvpn --init
[OpenVPN Status]: Not Running
[ProtonVPN Status]: Not Running
[Internet Status]: Online
[Public IP Address]: xxx
Tue 16 Jul 2019 11:44:04 AM AEST  vpn down, restarting
Tue 16 Jul 2019 11:44:04 AM AEST  Disconnecting VPN
Disconnecting...
[#] Disconnected.
[#] Current IP: xxx
Tue 16 Jul 2019 11:44:07 AM AEST  Connecting fastest VPN server
[!] Profile is not initialized.
Initialize your profile using: 
    pvpn --init
[OpenVPN Status]: Not Running
[ProtonVPN Status]: Not Running
[Internet Status]: Online
[Public IP Address]: xxx
Tue 16 Jul 2019 11:44:09 AM AEST  vpn down, restarting
Tue 16 Jul 2019 11:44:09 AM AEST  Disconnecting VPN
Disconnecting...
[#] Disconnected.
[#] Current IP: xxx
Tue 16 Jul 2019 11:44:20 AM AEST  Connecting fastest VPN server
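
A check for the restart loop shown in posts #4 and #6, as an added example that is not part of the thread. It reads the log format written by protonvpn.sh above; the function names and the embedded sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: detect the connect/fail/restart loop
# in /var/log/protonvpn.log as written by protonvpn.sh.

# Summarise connect attempts. An attempt starts at a "Connecting fastest VPN
# server" or "Forcing server" line and counts as failed if the client prints
# a "[!] ..." line before the next attempt starts.
vpn_log_summary() {
    awk '
    function finish() {
        attempts++
        if (err != "") {
            failed++; streak++; last_err = err
            if (streak > longest) longest = streak
        } else {
            streak = 0
        }
    }
    / (Connecting fastest VPN server|Forcing server )/ {
        if (in_try && seen > 0) finish()
        in_try = 1; err = ""; seen = 0
        next
    }
    in_try              { seen++ }
    in_try && /^\[!\] / { err = substr($0, 5) }
    END {
        # A trailing attempt with no output yet is still in progress: skip it.
        if (in_try && seen > 0) finish()
        printf "attempts=%d failed=%d max_streak=%d last_error=%s\n",
               attempts, failed, longest, last_err
    }' "$1"
}

# Exit status 0 when at least $2 (default 3) connect attempts failed in a row.
vpn_restart_loop() {
    streak=$(vpn_log_summary "$1" | sed 's/.*max_streak=\([0-9]*\).*/\1/')
    [ "$streak" -ge "${2:-3}" ]
}

# Constructed sample modelled on the log excerpts in posts #4 and #6.
write_sample_log() {
    cat > "$1" <<'EOF'
Tue 16 Jul 2019 11:44:04 AM AEST  Disconnecting VPN
Disconnecting...
[#] Disconnected.
[#] Current IP: xxx
Tue 16 Jul 2019 11:44:07 AM AEST  Connecting fastest VPN server
[!] Profile is not initialized.
Initialize your profile using: 
    pvpn --init
Tue 16 Jul 2019 11:44:09 AM AEST  vpn down, restarting
Tue 16 Jul 2019 11:44:09 AM AEST  Disconnecting VPN
[#] Disconnected.
Tue 16 Jul 2019 11:44:20 AM AEST  Connecting fastest VPN server
[!] Profile is not initialized.
Tue 16 Jul 2019 11:44:22 AM AEST  vpn down, restarting
Tue 16 Jul 2019 11:44:22 AM AEST  Disconnecting VPN
Tue 16 Jul 2019 11:44:33 AM AEST  Connecting fastest VPN server
[!] Profile is not initialized.
Tue 16 Jul 2019 11:44:35 AM AEST  vpn down, restarting
Tue 16 Jul 2019 11:44:46 AM AEST  Connecting fastest VPN server
EOF
}

# Stand-alone use: pass the log file as the first argument.
if [ -f "${1:-}" ]; then
    vpn_log_summary "$1"
    if vpn_restart_loop "$1" 3; then
        echo "restart loop detected: VPN is not coming up"
    fi
fi
```

While such a loop runs there is no tun0, so it is worth alerting on rather than leaving the script to retry silently.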
 
Old 07-16-2019, 12:46 AM   #7
juppzupp
Hi Ken,

I fixed it, the problem is that whatever user you install the proton script as, it always seems to end up in /home/pi, even when you install it as root. Thus, the .protonvp directory with all the credentials end up in the /home/pi/.protonvpn directory.
Problem is, when you run systemctl as root, the protonvpn-cli script will try to read the home directory (which is /root when systemd executes), so it won't find the credentials file. Bingo

What needs to happen is this, run it as user pi and use sudo in the ExecStart directive. Works for me. And also, I added the restart directives to make it restart 5 seconds after the process is gone...

Cheers
Frank

Code:
[Unit]
Description=Connect to ProtonVPN
After=network.target

[Service]
Type=simple
User=pi
ExecStart=sudo /usr/local/sbin/protonvpn.sh 
Restart=always
RestartSec=5


[Install]
WantedBy=multi-user.target

Last edited by juppzupp; 07-16-2019 at 12:47 AM.
 
Old 07-16-2019, 07:24 AM   #8
taylorkh
Good morning Frank.

Glad you got it working. Thanks for the update.

I started playing with Linux with Red Hat 5.2 ca. 1999. I really did not know what I was doing but I kept at it. I used the Red Hat side of the family up through Fedora Core 4 or 5. I then came across Ubuntu 6.10. I switched to Ubuntu and really started USING Linux day to day. Due to hardware issues (and the Unity desktop) I could not use 10.04 LTS so I went back to the Hat side with CentOS 6. Now I use CentOS 7 for most major hardware and Ubuntu on the Pi's and an old 32 bit laptop.

With all that blather said... Red Hat (and HPUX and AIX which I used at work) have a REAL root account setup by default. Ubuntu (and I think all Debian based distros) use sudo by default. You can of course enable the root account on Ubuntu. Not having a root account enabled does have some security benefits. However, as you observed with this issue, there are down sides.

I have not enabled the root account on my VPN Pi. The Proton VPN profile is present under /root.
Code:
ken@t25-magic:~$ su
Password: 
su: Authentication failure
ken@t25-magic:~$ sudo su -
[sudo] password for ken: 
root@t25-magic:~# pwd
/root
root@t25-magic:~# ls -a
.   .bash_history  .cache    .protonvpn-cli    snap      .wget-hsts
..  .bashrc        .profile  protonvpn-cli.sh  .viminfo
root@t25-magic:~# cd .protonvpn-cli/
root@t25-magic:~/.protonvpn-cli# ls
connection_logs  protonvpn_openvpn_config.conf  protonvpn_tier
openvpn_cache    protonvpn_openvpn_credentials
I believe I created this by doing a sudo su - and then initializing the ProtonVPN client. It is also possible to copy the profile from another user account to /root.

From your reference to user pi I guess you are using Raspbian. If you run sudo visudo and look (do not change anything) towards the bottom of the file you will see a line which grants pi sudo permissions to run ALL commands without a password (NOPASSWD). Thus pi works sort of like a traditional root account except that privileged commands must be preceded by sudo.

Back to the service and script... I have handled the restart from within the script - which I had running before I added the service. I do need to move the restart functionality to the service some day

Ken
 
Old 07-16-2019, 09:52 AM   #9
juppzupp

Thanks Ken, yes, I am using Raspbian. I wrote another reply this morning (I'm in Australia!) which somehow disappeared and there I said I'm using Raspbian.
I've been using Debian based systems from the start, only touched on CentOS briefly as I've been running an older SMEserver machine which I do not touch a lot.
My day to day working machine is based on Debian testing and it's been running REALLY well.
Thanks for the insights on sudo and root. Yes, somehow the Proton profile wasn't in my root account... go figure...I thought about copying it from the pi user to root but then decided to change the service file... anyhow, it works all well now.

Having the restart in the service means you can kill the script process and it restarts by itself, tested it tonight and it also works fine.

Have tried to install nginx and wanted to set up a website on the Pi, but cannot get to the address. I think it's because of the ethernet port magic that's going on due to the connection sharing... well, project for another day

Thanks again and enjoy your day
Cheers
Frank
 
Old 07-16-2019, 03:06 PM   #10
taylorkh
Hello again Frank,

My day (I would say work day but I am retired :-) should be about over. It is 4PM. I have spent the entire day trying to re-install CentOS on my Dell Precision 3620 workstation. I decided to install it on an encrypted drive. I spent last week working on my process and "practicing" the re-install and migration onto an older PC. My goal was to do the process in less than 2 hours. It is a complicated configuration. Two monitors, several virtual machines, some stuff running under wine etc.

My first attempt last week went reasonably well until I tried to tie in my other two drives which I had already encrypted. Not sure what went wrong but I ended up restoring my Clonezilla backup. I decided to spring for a larger boot drive. I purchased a 480 GB M.2 format PCIe drive from mydigitaldiscount.com to replace the 240 GB drive from the same vendor which I have been using for 2 1/2 years. The speed and durability ratings on the thing are as good or better than the Samsung 970 Pro for less $$$.

Installing the "drive" with a 00 x 2mm screw... dropped the screw onto the motherboard once, then dropped it on the carpet while trying to tape it to the tiny screwdriver. Finally got it installed. Long story short I finally got most all the necessary packages installed and my home directory restored etc. I added my two existing encrypted drives to /etc/crypttab and /etc/fstab. Rebooted and it took forever. No encrypted file systems shown(?) The physical drives were not even showing in the disk utility. They were not present in BIOS! Lifted the coin battery to reset the BIOS. Still no drives. I decided to put the original boot drive back in. Still no drives.

I finally determined that I had pulled the drive power cable out of the motherboard when I was hunting for the micro-screw this morning. As the M.2 drives plug directly into the motherboard I was able to install and run the OS. I am now powered on; all drives - up and running. I have some more testing to do and I have to configure my ancient Brother multi-function scanner, printer, fax and copier. It will not run on a USB3 controller even if it has USB2 ports. I worked on this forum with a fellow in New Zealand back when I first purchased the computer. Finally we figured out that it was a hardware issue. I plugged in a $5 USB2 card from ebay and was good to go.

Time for dinner now.

Cheers,

Ken
 
Old 07-16-2019, 09:12 PM   #11
juppzupp
LQ Newbie
 
Registered: Jul 2019
Posts: 5

Rep: Reputation: Disabled
Yeah, haha, I can empathise with your journey.... boys with toys, hey?
Never a dull moment with computers

Thanks again for your help, much appreciated
Cheers
Frank
 
Old 07-17-2019, 06:52 AM   #12
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174Reputation: 174
But it gets better. I had been building a laundry list script to install all of the necessary packages in one shot. As I found something missing on my test runs I added the package to the list. When I ran it for real... I ended up with a conflict between vlc player and my kmod-nvidia driver. That caused a big piece of the script to fail which I did not notice until I started testing things. I KNOW I installed LibreOffice. I uninstalled vlc, installed the nVidia package and then installed vlc again. No issues.

I hooked everything up, put the cover back on the computer and found that I have nothing but static noise from the on-board sound. I put back the original boot drive - same thing. I guess the sound card decided to die at the same time.

Ken
 
  

