Merge pull request #50 from tmknight/develop

Prepare for 3.16.0-2.4.0

.github/workflows/github-package.yml

@@ -1,14 +1,14 @@
-# for NordVPN
+## for NordVPN
 name: GitHub Package
 
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
+## This workflow uses actions that are not certified by GitHub.
+## They are provided by a third-party and are governed by
+## separate terms of service, privacy policy, and support
+## documentation.
 
 on:
   workflow_dispatch:
-  # schedule:
+  ## schedule:
     # - cron: '00 23 * * *'
   release:
     types: [published]
@@ -22,15 +22,15 @@ on:
   #   branches: [ "main", "develop" ]
 
 env:
-  # Use docker.io for Docker Hub if empty
+  ## Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # name of image
+  ## name of image
   IMAGE: nordvpn
-  # github.repository as <account>/<repo>
+  ## github.repository as <account>/<repo>
   IMAGE_NAME: tmknight/nordvpn
-  # cosign version
+  ## cosign version
   COSIGN_VER: 'v1.13.1'
-  # Build args
+  ## Build args
   BUILD_ARGS: |
     "UBUNTU_VER=${{ vars.UBUNTU_VER }}"
     "NORDVPN_VERSION=${{ vars.NORDVPN_VERSION }}"
@@ -42,36 +42,36 @@ jobs:
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
+      ## This is used to complete the identity challenge
+      ## with sigstore/fulcio when running outside of PRs.
       id-token: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
+      ## Install the cosign tool except on PR
+      ## https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@v3
         with:
           ## cosign-release: 'v1.11.0'
-          # cosign-release: 'v1.13.1'
+          ## cosign-release: 'v1.13.1'
           cosign-release: ${{ env.COSIGN_VER }}
 
-      # Setup QEMU for multi-arch
+      ## Setup QEMU for multi-arch
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
         with:
           platforms: amd64,arm64
 
-      # Workaround: https://github.com/docker/build-push-action/issues/461
+      ## Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v2
 
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
+      ## Login against a Docker registry except on PR
+      ## https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
         uses: docker/login-action@v2
@@ -80,16 +80,16 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
+      ## Extract metadata (tags, labels) for Docker
+      ## https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
+      ## Build and push Docker image with Buildx (don't push on PR)
+      ## https://github.com/docker/build-push-action
       - name: Build and push Docker image
         id: build-and-push
         uses: docker/build-push-action@v4
@@ -105,11 +105,11 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
-      # Sign the resulting Docker image digest except on PRs.
-      # This will only write to the public Rekor transparency log when the Docker
-      # repository is public to avoid leaking data.  If you would like to publish
-      # transparency data even for private images, pass --force to cosign below.
-      # https://github.com/sigstore/cosign
+      ## Sign the resulting Docker image digest except on PRs.
+      ## This will only write to the public Rekor transparency log when the Docker
+      ## repository is public to avoid leaking data.  If you would like to publish
+      ## transparency data even for private images, pass --force to cosign below.
+      ## https://github.com/sigstore/cosign
       - name: Write signing key to disk
         shell: bash
         env:
@@ -121,6 +121,6 @@ jobs:
         env:
           COSIGN_EXPERIMENTAL: "false"
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-        # This step uses the identity token to provision an ephemeral certificate
-        # against the sigstore community Fulcio instance.
+        ## This step uses the identity token to provision an ephemeral certificate
+        ## against the sigstore community Fulcio instance.
         run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --key cosign.key {}@${{ steps.build-and-push.outputs.digest }}

README.md

@@ -13,7 +13,7 @@ Leveraging the latest native NordVPN client, iptables and the Nord API to create
 
 Build based on:
 
-- NordVPN `3.15.5`
+- NordVPN `3.16.0`
 - Ubuntu `22.04`
 
 Examples of use:
@@ -42,7 +42,8 @@ Environment
 
 - [TOKEN](#env-token)
 
-  - Or `USER` & `PASS`/`PASSFILE` if you, for some reason, decide to use these instead
+  - **ONLY TOKENS ARE VIABLE IN A CONTAINER**
+  - The use of USERNAME and PASSWORD has been deprecated wherein only TOKEN or login via browser are accepted with the Linux client
 
 - [NET_LOCAL](#env-netlocal)
 
@@ -82,17 +83,14 @@ Generally, the default settings will provide a great experience, however, severa
 | **NET_LOCAL**<span id="env-netlocal"></span> |                          | Add a route to local IPv4 network once the VPN is up; the Docker network is automatically added; must be CIDR IPv4 format (e.g. `192.168.1.0/24`)                                                                                         |
 | **NET6_LOCAL**                  |                          | Add a route to local IPv4 network once the VPN is up; the Docker network is automatically added; must be CIDR IPv6 format (e.g. `fe00:d34d:b33f::/64`)                                                                                    |
 | **OBFUSCATE**                   | FALSE                    | Only valid when using TECHNOLOGY OpenVPN; learn more at [NordVPN](https://nordvpn.com/features/obfuscated-servers/) (TRUE/FALSE)                                                                                                          |
-| **PASS**                        |                          | Password for NordVPN account; surround in single quotes to prevent issues with special characters such as `$` (not required when using `TOKEN` or `PASSFILE`)                                                                             |
-| **PASSFILE**                    |                          | For use with `USER` and [docker secrets](https://docs.docker.com/compose/compose-file/compose-file-v3/#secrets), this should be set to `/run/secrets/<secret_name>`; this file should contain just the account password on the first line |
 | **PORT_RANGE**                  |                          | Port range to whitelist for both UDP and TCP; (e.g. `PORT_RANGE=9091 9095`)                                                                                                                                                               |
 | **PORTS**                       |                          | Semicolon delimited list of ports to whitelist for both UDP and TCP; (e.g `PORTS=9091;9095`)                                                                                                                                              |
 | **POST_CONNECT**                |                          | Command to execute after successful connection                                                                                                                                                                                            |
 | **PRE_CONNECT**                 |                          | Command to execute before attempt to connect                                                                                                                                                                                              |
 | **PROTOCOL**                    | UDP                      | Only valid when using TECHNOLOGY OpenVPN (TCP/UDP)                                                                                                                                                                                        |
 | **REFRESH_CONNECTION_INTERVAL** | 120                      | Time in minutes to trigger VPN reconnection to help ensure best connection available (0 = disable)                                                                                                                                                      |
 | **TECHNOLOGY**<span id="env-technology"></span> | NordLynx                 | Specify the VPN Technology to use (NordLynx/OpenVPN)                                                                           |
-| **TOKEN**<span id="env-token"></span> |                          | **RECOMMENDED**; use in place of `USER` and `PASS` for NordVPN account; generated from your NordVPN account web portal                                                                                                                    |
-| **USER**                        |                          | User for NordVPN account (not required when using `TOKEN`)                                                                                                                                                                                |
+| **TOKEN**<span id="env-token"></span> |                          | Generated from your [NordVPN account web portal](https://my.nordaccount.com/dashboard/nordvpn/)                                                                                                                    |
 
 ## Additional Information
 

scripts/nord_config

@@ -13,44 +13,6 @@ fi
 nordvpn set technology "${TECHNOLOGY:-NordLynx}" | grep -Eiv -f /opt/inv-grep
 [[ -n ${PROTOCOL} && ${PROTOCOL} =~ (udp|tcp) ]] && nordvpn set protocol "${PROTOCOL}" | grep -Eiv -f /opt/inv-grep
 
-## NordVPN firewall enabled by default unless BYPASS_LIST set
-## Be warned that FIREWALL = true conflicts with BYPASS_LIST,
-## thus if BYPASS_LIST declared, FIREWALL automatically set to false
-if [[ -z ${FIREWALL} && -z ${BYPASS_LIST} ]]
-then
-  FIREWALL=true
-elif [[ -n ${BYPASS_LIST} ]]
-then
-  if [[ -n ${FIREWALL} ]]
-  then
-    ## If BYPASS_LIST, disable nord firewall, regardless if declared
-    echo -e "WARNING\tUse of BYPASS_LIST overrides FIREWALL; FIREWALL value will not be honored."
-    echo -e "INFO\tUsing iptables in place of NordVPN firewall."
-  fi
-  FIREWALL=false
-else
-## Ensure FIREWALL true/false
-  if [[ ! ${FIREWALL:-true} =~ (true|false) ]]
-  then
-    echo -e "WARNING\tNon-boolean FIREWALL value (${FIREWALL}); defaulting to 'true'."
-    FIREWALL=true
-  fi
-fi
-nordvpn set firewall "${FIREWALL:-true}" | grep -Eiv -f /opt/inv-grep
-
-## FIREWALL must be enabled to enable KILLSWITCH
-## Enabled by default
-if [[ "${FIREWALL}" == "true" ]]
-then
-## Ensure KILLSWITCH true/false
-  if [[ ! ${KILLSWITCH:-true} =~ (true|false) ]]
-  then
-    echo -e "WARNING\tNon-boolean KILLSWITCH value (${KILLSWITCH}); defaulting to 'true'."
-    KILLSWITCH=true
-  fi
-  nordvpn set killswitch "${KILLSWITCH:-true}" | grep -Eiv -f /opt/inv-grep
-fi
-
 [[ -n ${PORTS} ]] && for port in ${PORTS//[;,]/ }
 do
   nordvpn whitelist add port "${port}" | grep -Eiv -f /opt/inv-grep

scripts/nord_firewall

@@ -0,0 +1,41 @@
+#!/bin/bash
+shopt -s nocasematch
+
+## NordVPN firewall enabled by default unless BYPASS_LIST set
+## Be warned that FIREWALL = true conflicts with BYPASS_LIST,
+## thus if BYPASS_LIST declared, FIREWALL automatically set to false
+if [[ -z ${FIREWALL} && -z ${BYPASS_LIST} ]]
+then
+  FIREWALL=true
+elif [[ -n ${BYPASS_LIST} ]]
+then
+  if [[ -n ${FIREWALL} ]]
+  then
+    ## If BYPASS_LIST, disable nord firewall, regardless if declared
+    echo -e "WARNING\tUse of BYPASS_LIST overrides FIREWALL; FIREWALL value will not be honored."
+    echo -e "INFO\tUsing iptables in place of NordVPN firewall."
+  fi
+  FIREWALL=false
+else
+## Ensure FIREWALL true/false
+  if [[ ! ${FIREWALL:-true} =~ (true|false) ]]
+  then
+    echo -e "WARNING\tNon-boolean FIREWALL value (${FIREWALL}); defaulting to 'true'."
+    FIREWALL=true
+  fi
+fi
+nordvpn set firewall "${FIREWALL:-true}" | grep -Eiv -f /opt/inv-grep
+
+## FIREWALL must be enabled to enable KILLSWITCH
+## Enabled by default
+if [[ "${FIREWALL}" == "true" ]]
+then
+## Ensure KILLSWITCH true/false
+  if [[ ! ${KILLSWITCH:-true} =~ (true|false) ]]
+  then
+    echo -e "WARNING\tNon-boolean KILLSWITCH value (${KILLSWITCH}); defaulting to 'true'."
+    KILLSWITCH=true
+  fi
+  nordvpn set killswitch "${KILLSWITCH:-true}" | grep -Eiv -f /opt/inv-grep
+fi
+exit 0

scripts/nord_login

@@ -16,23 +16,17 @@ then
   done
 fi
 
-[[ -z "${PASS}" ]] && [[ -f "${PASSFILE}" ]] && PASS="$(head -n 1 "${PASSFILE}")"
-nordvpn logout > /dev/null
-
+## only token is viable in a container
+nordvpn logout --persist-token > /dev/null 2>&1
 if [[ -n ${TOKEN} ]]
 then
   nordvpn login --token "${TOKEN}" > /dev/null || {
     echo -e "$(date "+%F %T%z")\tWARNING\tInvalid token."
     exit 1
   }
 else
-  nordvpn login --legacy --username "${USER}" --password "${PASS}" > /dev/null || {
-    echo -e "$(date "+%F %T%z")\tWARNING\tInvalid Username or password."
-    exit 1
-  }
+    echo -e "$(date "+%F %T%z")\tWARNING\tA token must be provided; only tokens are supported."
 fi
 ## Clear sensitive variables
-unset TOKEN
-unset PASS
 echo "Login successful; connection now in progress..."
 exit 0

scripts/nord_start

@@ -28,27 +28,14 @@ echo -e "$(date "+%F %T%z")\tINFO\tConfiguring and connecting NordVPN..."
 echo "########################"
 ## Client information
 nordvpn version | grep -Eiv "new feature"
-
-## Disable the nordvpn firewall prior to connection if CONNECTION_FILTERS
-tmpFIREWALL=false
-if [[ -n ${CONNECTION_FILTERS} && ${FIREWALL:-true} == true ]]
-then
-    tmpFIREWALL=true
-    [[ -n ${KILLSWITCH} ]] && tmpKILLSWITCH=${KILLSWITCH}
-    export FIREWALL=false
-    export KILLSWITCH=false
-fi
+## Nord firewall always off at this step to allow for filters
+nordvpn set firewall false > /dev/null
+nordvpn set killswitch false > /dev/null
+## Apply user settings
 nord_config || exit $?
 nord_login || exit $?
 nord_connect "${CONNECT}" || exit $?
-## Reset nord firewall if CONNECTION_FILTERS
-if [[ "${tmpFIREWALL}" == true ]]
-then
-    export FIREWALL=true
-    export KILLSWITCH=${tmpKILLSWITCH:-true}
-    nordvpn set firewall ${FIREWALL} | grep -Eiv -f /opt/inv-grep
-    [[ ${KILLSWITCH} != false ]] && nordvpn set killswitch ${KILLSWITCH} | grep -Eiv -f /opt/inv-grep
-fi
+nord_firewall || exit $?
 echo "########################"
 
 ## Allow NET_LOCAL traffic
@@ -69,4 +56,6 @@ then
     nord_watch &
 fi
 wait $!
-exit $?
+CODE=$?
+nordvpn logout --persist-token > /dev/null 2>&1
+exit $CODE