VPN Sentinel

UUID: VPN-Sentinel@claudiux
Last edited: 6 days ago (2024-12-15, 07:59)
Last commit: [5822f6b8] v2.3.0: Proper shutdown of flatpak internet applications when VPN is closed (#6687)

VPN Sentinel is a powerful applet that monitors the VPN (or Wireguard) link, displays its status, can automatically connect to the last used VPN, reconnect the VPN link in case of unexpected disconnection, and start or stop certain Internet applications depending on the VPN status.

README

VPN-Sentinel

Summary

This VPN-Sentinel@claudiux applet aims to replace the VPN Look-Out applet, of which I am also the author.

This is a simple applet that I wrote because I often saw too late that my VPN (Virtual Private Network) was shut down.

This applet shows the state of the VPN (connected or disconnected) using colored icons. It can be used on a horizontal or vertical panel.

It can also:

  • show VPN server country flag,

  • try to restart the VPN link when it shuts down unexpectedly,

  • close the VPN-related apps (like Transmission, qBittorrent, Deluge..., including Flatpak ones) when your VPN shuts down, and restart them when your VPN link becomes active again,

  • quickly close a VPN-related app if it is started when the VPN is idle,

  • bypass the VPN for domains specified by the user.

VPN types supported

  • OpenVPN (IPv4 and IPv6)
  • PPTP/L2TP
  • IPsec
  • WireGuard©

Please look at your VPN provider documentation to configure your connection with NetworkManager.

This applet uses nmcli (NetworkManager client) to start and stop connections. So if your connection doesn't work with NetworkManager, it won't work with this applet.

Features

The VPN Look-Out Applet normally shows an icon that changes color depending on the state of the VPN connection. You can modify these colors. By default these are:

  • Green: the VPN is connected.
  • Red: the VPN is disconnected.
  • Grey: waiting for VPN status (only when the applet starts, for a few seconds, or if it is misconfigured).

When you hover over or click on the icon, the following are displayed:

  • the status of the VPN,
  • the name of the connection,
  • the network interface used,
  • the time the VPN was connected.

    For example:

    VPN: Copenhagen (IPv6)
    Device: enp2s0
    Since: 11:09:02

The most important settings are accessible from the menu (click on the applet icon); they are shown in bold in the list below. To access all of them, use the Configure... option in the Right Click Menu.

WireGuard© (optional)

To use Wireguard© with VPN-Sentinel, you must have:

  • NetworkManager and nmcli (version >= 1.16) - Check it with the command: nmcli --version
  • a VPN provider that offers Wireguard connections
  • a private key, a public key (optionally a pre-shared key) and various other data given by this provider (IP address, server URL and port...)
  • at least one .conf file that looks like:
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = YOUR_IP_ADDRESS
DNS = 8.8.8.8

[Peer]
PublicKey = YOUR_PUBLIC_KEY
Endpoint = SERVER_URL:PORT
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

Create in your home directory a directory named WIREGUARD and its subdirectory wireguard-configs:

mkdir -p ~/WIREGUARD/wireguard-configs

Install Wireguard

On Linux Mint: apt install wireguard wireguard-tools openresolv

Or on other distros.

Create your private and public keys

Use the following commands:

cd ~/WIREGUARD

# Create the key files without any group/other access
umask 077

wg genkey | tee privatekey | wg pubkey > publickey

chmod 600 privatekey publickey

To display your keys:

cat publickey

cat privatekey

Enter your public key (and only this one!) in your account on your Wireguard service provider's website.

Your private key is...private! Only you should own it; your provider does not need it.

Complete your config files

Your provider gave you at least one configuration file with the extension .conf.

Put all these .conf files into ~/WIREGUARD/wireguard-configs. No file name should contain spaces. The file name (before .conf) must not contain more than 15 characters.

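In the directory ~/WIREGUARD/, create a shell script modify-conf.sh like this:

#!/bin/sh
# This script contains your private key: keep it readable by you only.
PUBLICKEY="here your public key"
PRIVATEKEY="here your private key"
# Value of the Address line in the [Interface] section
IPADDRESS="here the IP address assigned to you by your provider"
# The temporary copies created below get no group/other access.
umask 077
for f in wireguard-configs/*.conf; do
    [ -e "$f" ] || continue
    printf '\n\n\tProcessing %s\n' "$f"
    chmod 600 "$f"
    # '|' is the sed delimiter because base64 keys may contain '/'.
    sed "s|YOUR_PRIVATE_KEY|${PRIVATEKEY}|" "$f" > "$f.temp"
    sed "s|YOUR_IP_ADDRESS|${IPADDRESS}|" "$f.temp" > "$f.temp2"
    sed "/PresharedKey.*/d" "$f.temp2" > "$f"
    rm -f "$f.temp" "$f.temp2"
done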

Make this script executable: chmod +x modify-conf.sh

N.B.

  • If your provider gave you a preshared key, add a line PRESHAREDKEY="..." before the for loop and replace the last line beginning with sed by this one: sed "s|YOUR_PRESHARED_KEY|${PRESHAREDKEY}|" "$f.temp2" > "$f"
  • Adapt the content of this script to that of your configuration files, replacing YOUR_PRIVATE_KEY etc with the words you find there.
  • If you only have a few configuration files, don't complicate your life with a script, but rather use the good old copy/paste.
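
A check you can run on the completed files before importing them (an added example, not part of the applet or its README). It tests the rules stated above: no space in the file name, at most 15 characters before .conf, mode 600, and no YOUR_... placeholder left behind. The function names check_conf and check_all are hypothetical, GNU stat (as on Linux Mint) is assumed, and the key-format test relies on WireGuard keys being 32 bytes encoded as 44 base64 characters.

```shell
#!/bin/sh
# check_conf FILE: print one line per problem, return 1 if any was found.
check_conf() {
    f=$1
    rc=0
    base=$(basename "$f" .conf)
    case $base in
        *" "*) echo "$f: file name contains a space"; rc=1 ;;
    esac
    if [ "${#base}" -gt 15 ]; then
        echo "$f: name before .conf is longer than 15 characters"; rc=1
    fi
    # The file holds the private key: only its owner may read or write it.
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$mode" != 600 ]; then
        echo "$f: mode is $mode, expected 600"; rc=1
    fi
    # Every placeholder of the provider template must have been replaced.
    if grep -Eq 'YOUR_[A-Z_]+' "$f"; then
        echo "$f: unreplaced YOUR_... placeholder"; rc=1
    fi
    # A WireGuard key is 43 base64 characters followed by '='.
    key=$(sed -n 's/^PrivateKey[[:space:]]*=[[:space:]]*//p' "$f")
    if ! printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "$f: PrivateKey is not a 44-character base64 value"; rc=1
    fi
    return $rc
}

# check_all [DIR]: run check_conf on every .conf file of DIR.
check_all() {
    dir=${1:-$HOME/WIREGUARD/wireguard-configs}
    status=0
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        check_conf "$f" || status=1
    done
    return $status
}
```

After sourcing this file, check_all without an argument checks ~/WIREGUARD/wireguard-configs and returns a non-zero status if any file needs attention.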

Using these .conf files

Create in the ~/WIREGUARD/ directory this executable script named installall containing:

#!/bin/bash
# Each entry is "<file>.conf|<connection name>"; entries are separated by spaces.
configs="AuSydney.conf|Au-Sydney(W) BrRiodeJaneiro.conf|Br-RiodeJan(W) CaEast.conf|Ca-East(W)"

wgpath="$HOME/WIREGUARD/wireguard-configs"

for c in $configs
do
    # Split the entry on '|' into $1 (file) and $2 (name), then restore IFS.
    oldIFS=$IFS
    IFS='|'
    set -- $c
    IFS=$oldIFS
    echo "Importing ${wgpath}/$1 ... "
    sudo nmcli connection import type wireguard file "${wgpath}/$1"
    echo "Renaming ${1%%.conf} as $2 ..."
    nmcli connection modify "${1%%.conf}" connection.id "$2"
    # Do not bring this connection up automatically.
    nmcli connection modify "$2" connection.autoconnect no
    nmcli connection modify "$2" connection.interface-name "$2"
    nmcli connection down "$2"
done

The configs and wgpath lines must be adapted to your own configuration.

configs is a string where each space separates 2 connections. Each connection is defined by a .conf file and a name separated by the pipe character (|). Do not use spaces in names!

Once it is ready, execute this script.

Translations

Status of translations

13 Comments

gbakeman - 3 days ago
Hi @claudiux, thanks for maintaining this and the previous VPN Look Out applet. IMHO this is essential functionality when using a VPN. With your last app, I thought it had the functionality to block network traffic if the VPN ever goes down (but the applet remains active.) Is this functionality possible in your current applet?

claudiux - 3 days ago
Hi @gbakeman, I've never blocked all network traffic with these applets. I can do it (if the user is a sudoer), but it seems dangerous.

gbakeman - 3 days ago
Oh, sorry, I'm not sure why I thought it did that! I've been looking for a VPN firewall, or whatever applications call it these days so that a dropped VPN connection doesn't suddenly start sending traffic over my main connection.

claudiux - 3 days ago
With VPN-Sentinel, you can stop your network applications when the VPN becomes inactive. See “Internet Apps Manager” in this applet's menu.

claudiux - 6 days ago
VPN-Sentinel v2.3.0: Proper shutdown of flatpak internet applications (like qBittorrent) when VPN is closed.

Midnight-Starseed
I've started having a problem where the flag shown is wrong. I only use one vpn server and it's a GB one. The flag was verified in the app as correct and everything was fine for ages. For the last two or three days since around 14th Dec the flag for Grenada has been shown. I looked through every file on my system called vpn-sentinel and the grenada flag is next to the GB flag in the csv file. I could not find where the program chooses the flag to put on screen. I fixed it on one system by completely removing the app, deleting all files and reinstalling. Which fixed it. But two other systems are showing the same grenada flag in place of the GB flag. Uninstalling and reinstalling has not fixed it.

claudiux - 1 year ago
This applet uses several services to geolocate the VPN server. Perhaps one of them has made an error? Please use the menu option to check the flag. Once the correct flag is displayed, confirm it.

XSAkos - 1 year ago
Can you add support for "Fortinet SSLVPN"?

claudiux - 1 year ago
Did you install network-manager-fortisslvpn?

claudiux - 1 year ago
v2.1.1 is here. It fixes a dependency for Archlinux.

claudiux - 1 year ago
VPN-Sentinel v2.1.0 is here. It is ready for Cinnamon 5.8 and some bugs are fixed. Enjoy it!

claudiux - 1 year ago
v2.0.0 of VPN-Sentinel is here! It avoids some problems during installation. Enjoy it!