v4.6.0: The end

[coolapso]

Hi everyone,

It's time to say goodbye.

This is the final official release of PiVPN.

I inherited this project from @0-kaladin and @redfast00, who moved on with their lives. I maintained it as my own with the great help of @orazioedoardo, to whom I'm immensely grateful. He held the boat and kept it floating while I could not be present, and he too gave a lot of himself to this project!

But now it's time for me too to move on!

I've been giving less and less attention to PiVPN, and the desire to keep up with it is no longer what it once was. When PiVPN was created, it filled a big void and had a clear mission and purpose, which I feel has been fulfilled! We went from OpenVPN being something hard to set up and complicated to manage, to WireGuard being able to run on any toaster and easy to set up. There are so many tools out there that do the job much better than PiVPN does, and I genuinely believe PiVPN's mission in life was accomplished and is no longer relevant. Just as everything in nature has a start, there's also an end, and this is how PiVPN ends its journey.

PiVPN has been home for so many of you, starting with Linux, bash, open-source, and everyone was always very welcomed, just like it was for me 7 years ago. I cannot express how grateful I am to all the 84 Contributors for this amazing project.

It has been a wild ride, and I've learned so much from PiVPN and from every single one of you!

THANK YOU!!

PiVPN repositories will be archived and set to read-only, and will no longer be maintained. Unless @0-kaladin rises back again and decides otherwise.

The PiVPN Website and its documentation are hosted on GitHub, therefore it will remain accessible under the pivpn.io domain for as long as @0-kaladin keeps paying the bills, just the same way I will keep hosting the redirection for the installation for as long as possible. I will still make a few commits to update the documentation about the project's state, but that will be it.

I will maintain ownership of the repository, but I won't pass it down to anyone else. First, because I feel it's not up to me to decide who to pass the project down to, and second, because there is no one else to pass the project to.

"But I want and can maintain it, can I take it over?" Let me put it plain and simple: No! I don't know you, I don't trust you! Fork it and carry on!

About this release, here's what it brings:

New Features

• Add possibility to use Pi-hole in unattended install (feat(install) Add possibility to use Pi-hole in unattended install #1825)

Bugfixes and Refactors

• Updates to subnet generation and client creation
  • refactor(core): allow any subnet and netmask
  • fix(scripts): prevent adding more clients than the subnet allows
  • fix(scripts): correctly remove leading zeros from ipv6 quartets
  • refactor(core): new probabilistic subnet generation with fallback to other RFC1918 subnets

Full Changelog: v4.5.0...v4.6.0

Once again, Thank you all so much for everything! See you around!
4s3ti

---

This discussion was created from the release v4.6.0: The end.

[FloTheSysadmin]

Hi, thank you very much for the honesty. What are some of the alternatives you mentioned?

[orazioedoardo]

A great easy to use VPN is Tailscale for sure.

[coolapso]

+1 for tailscale,
Also any modern router can probably run wireguard on it,
Ubiquity routers have wireguard and their own proprietary solution, there's wireguard ui to help with managing wireguard,
there's also wireguard-manager,
There's plenty of solutions around to use wireguard with docker with a ui, which we never quite crackdown. a few minutes of googling there's plenty of alternatives and the void pivpn once filled is now a world full of solutions.

[coolapso]

Home assistant can also provide you with a wireguard installation. Wireguard and its inclusion in the Linux Kernel was indeed a game changer and made everything much better and easier!

[orazioedoardo]

Hi @4s3ti thank you very much for your involvement and thank you for the kind words. I have to admit I myself was also busy IRL and don’t have much time to invest in significant changes, however from time to time I check in issues and discussions helping users here and there. Sill, there are important features like nftables and ACLs that I’d like to have, either done by me or (better) someone stepping up and tagging me for review, which is easier to manage.

Regarding archiving the repo, I would say we don’t have to. According to GitHub traffic stats there are 1000+ git clones, (which are likely PiVPN installations since the install script does git clone) and 6,7k stars (growing) so I believe it’s still relatively popular. If you want to leave the organization you might add me as owner so that I can make changes as needed, perhaps adding a disclaimer on the site/script/readme informing that the project may be turned in maintenance only.

[orazioedoardo]

If you disable issues and pull requests, you may as well archive the repo. Middle ground would be keeping pull requests open, disable issues or lock issues (limited to collaborators) with one pinned issue directing users to discussions.

[coolapso]

Archiving per se is not bad, it just keeps it in read only mode, but disables all issues and Pull requests not making them available for searching. Also disables discussions which I'd like to still leave accessible for everyone.

I have added a workflow that automatically closes both issues and pull requests.
And added a note on the readme, this should do the trick.

[orazioedoardo]

Why closing pull request though? If someone wants to contribute, it’s fine.

[coolapso]

is there a point to open a pull request if its not going to be accepted reviewed and leave it open forever? I am not going just throw the hot potato in your lap, but if you are happy to continue and look at the pull requests please feel free to change the behavior of the github action :)

[orazioedoardo]

if you are happy to continue and look at the pull requests

Yes, that’s what I said.

[redfast00]

Ah, the memories :) good luck with whatever you undertake next @4s3ti!

[coolapso]

howdy! nice to see you around, and hope your doing well! Thank you a lot! :)

[OhaDerErste]

Thank you for helping me get into the magical worlds of vpns! Gonna finally make the switch to Opnsense's built in wireguard

[JonnyMe]

Thank you for your work and good luck @4s3ti !

[SsNiPeR1]

Thank you very much for all @4s3ti! You've really inspired us to make our own VPN solution, based on WireGuard. We couldn't have been more grateful to you! ❤️

[yuukiAme]

I started using PiVPN less than a week ago and already in love with PiVPN. So sad to see this project goes away.

Thank you for your work @4s3ti

[orazioedoardo]

Nowadays I run my own Ansible scripts to install and manage WireGuard, but me too started with VPNs via PiVPN: worked great and made OpenVPN much less intimidating. PiVPN was also the first project I contributed too. I didn’t even know how to open a pull request back then 😆 #470

[dffvb]

I will always remember how I fiddled around for so long and nothwing worked, and I came accros pivpn and it worked within seconds, adn there were imaginary tears of joy on my cheek - thank you for the project

[shelleycat485]

Thanks for the opportunity to contribute to this project. It worked for 2 years during lockdown giving acess to our Church office from home. All the best to the originators.

[okms]

Thank you for all your hard work! I've used pivpn for at least 3-4 years now and it has served me very well. I'm sad to see it go, but I appreciate the honesty! Thank you for the ride and good luck in your future endeavors!

[MicroPanda123]

🫡

[tellermine]

Thanks for the project! PiVPN is what allowed a noob like me to set up their own VPN server all those years ago. Guided installation scripts rule and you made the world a better place!

[MichaIng]

Thank you very much for all the time and efforts you put into PiVPN all these years. It is a very popular software option in our little distro, more popular than our plain OpenVPN and WireGuard server implementations: https://dietpi.com/survey/#software

• Scaling up the 893 reported active installations to the actual number of DietPi systems (up from those who share system info via our survey), it is about 6300 instances, i.e. installed on ~4.5% of all DietPi systems, ~40% more than plain WireGuard and 3 to 4 times more than plain OpenVPN. We are a very small distro, hence not representative, but I think one can get from these numbers that PiVPN has become the de facto VPN server solution for many, at least on Raspberry Pi. I see it often named as first suggestion on RPi/SBC related forums, when someone asks about VPN server solutions. Hence I do not believe that "PiVPN's mission in life was accomplished", if meant that it is not needed anymore.

Wouldn't be @orazioedoardo an obvious choice to add as owner for the organisation, if he is open for that? Also keeping issues and PRs open and possible, to allow users helping each others, and in case there are people who want to contribute e.g. smaller fixes for upcoming distro changes and such? It is possible to unsubscribe from any email or web notifications from a repo 😉. I did in the past and would surely offer smaller fixes, when our users bring issues to us. It makes sense to leave some info/note that there is no very active project maintainer, and hence review/merge of commits can take long/are not assured. But as long as there is still a major long-term code contributor around, at least by times, archiving the repo or even closing issues and PRs would be a sad blocker, IMO.

[coolapso]

Thank you for your words, Its really interesting to see those numbers, but look at tailscale right above,
It is only natural that people opt for tools that make the job easier rather than vanilla installations.

When I talk about PiVPN mission to have been accomplished I mean that, when it was created there was no easy way to have a VPN at home and it filled that void, now there are TONS of ways of doing that and even easier.

PiVPN has accumulated quite a bit of tech debt over the years and no one really has the time or will to spend with it. Adding a UI, Be able to run it on docker, kubernetes, add the ability to use ACLs. I believe pivpn really contributed to democratizing VPNs and privacy, but now there are so many others that can continue pivpn job, that I believe we should just let pivpn retired.

I can certainly promote @orazioedoardo as organization owner if he wishes so, however he is the first one to admit to not have as much time for this as well.

In Any case, I am not archiving the Main project, when I mentioned archiving it, I assumed it was only setting it to read only mode I am but keeping the issues / pr searchable and discussions active, but it I was wrong and it locks it down too much.

Issues and pull requests are automatically closed by a github acction, and even without being owner @orazioedoardo has the permissions to disable that action and keep the boat floating if he wishes to do so.

I'd be glad to give you and @TinCanTech maintainer status as well if you wish.

[MichaIng]

but look at tailscale right above,
It is only natural that people opt for tools that make the job easier rather than vanilla installations.

Ah right, though with Tailscale, same as ZeroTier and similar, one relies on external services/infrastructure, hence it is IMO not comparable with a classic server<>client VPN and can only cover some of its use cases.

now there are TONS of ways of doing that and even easier.

Not sure whether I agree, in regards to how I see Tailscale and ZeroTier to be not the same. There are ways to install OpenVPN and WireGuard easily, our distribution provides CLI and whiptail UI based installs with basic setup (at least a single client cert/config to start with). But for a CLI to manage multiple clients, revoke/add/edit client certs/configs, for OpenVPN as well as WireGuard, there is no as prominent alternative, AFAIK. There is https://github.com/wg-easy/wg-easy, but it comes with the overhead of the Docker engine and a web interface (which is of course nice as well, but also not suitable for everyone's use case). For me personally, a good slim CLI for monitoring and managing server software via SSH, is the non plus ultra 😃.

I guess the main message I wanted to transfer is something like "let the users decide whether PiVPN has still a value over other solutions or not" instead of deciding for them that it should be retired. I am glad that you consider it. Sooner or later it requires more participation/contributions, at best by someone(s) to build up some trust, to remain relevant, that's true. Probably this topic triggered some users to become contributors to keep PiVPN alive. Fingers crossed 🙂.

[coolapso]

Ah right, though with Tailscale, same as ZeroTier and similar, one relies on external services/infrastructure, hence it is IMO not comparable with a classic server<>client VPN and can only cover some of its use cases.

tailscale subnet router or tailscale exit nodes make the job of traditional VPN also you can even set the Exit node to go through another VPN provider, they mention mullvad, but I suspect that any wg based comercial VPN will do, which has been also a functionality that has been highly requested on PiVPN over time, which was never implemented.

but anyhow, if someone that already has the trust wants to keep it going, by all means keep it going. I am also always reachable if for any reason anyone needs something to be done that requires "ownership" privileges. I am not going anywhere nor disappear (unless .. Bus factor), still going to be around just not maintaining PiVPN anymore.

The behavior of the "Pull request auto close" can also be tweaked to not close any specific tags and so on and that can be done by anyone with access to the repository.

[MichaIng]

tailscale subnet router or tailscale exit nodes make the job of traditional VPN

But that is not all all easy to setup anymore, and you still rely on the Tailscale infrastructure/account. As far as I can see (from the Tailscale docs), forcing VPN client traffic from an own server/node through a public provider with an existing OpenVPN or WireGuard server setup, is much easier than doing this via Tailscale 🙂. Tailscale is great, for sure, but it is an overlay/infrastructure on top of WireGuard, which naturally means more external dependencies, more complexity, more points of failures and naturally less flexibility (or the same flexibility requires more efforts to archive through the overlay). It's main purpose, where it has its main benefits, is the server-less connection of multiple nodes. But if you do have a server (static node which is publicly reachable), then IMO it looses most of its benefits, at least when you know how to setup a classic VPN, or have a good project like PiVPN which does the major work for you.

[coolapso]

to be clear I am not advocating for tailscale or saying that everyone should use it :D just stating alternatives. Of course like everything it has its trade-offs :)

I haven't used pivpn myself for years and currently my vpn home is baked into the router. Its hard keep maintaining a project you don't use yourself anymore :)

[TinCanTech]

I will maintain ownership of the repository, but I won't pass it down to anyone else. First, because I feel it's not up to me to decide who to pass the project down to, and second, because there is no one else to pass the project to.

@4s3ti Please, give your community time to advocate a successor.

My vote is for @orazioedoardo

That is only a vote not an obligation or demand.

"But I want and can maintain it, can I take it over?" Let me put it plain and simple: No! I don't know you, I don't trust you! Fork it and carry on!

This is a very harsh decision.

With trust, a new branch could be established (eg. pivpn/pivpn-community), in which work could continue, with only minimal commitment.

pivpn has achieved so much that early fore-closure seems to be counter-intuitive and a little reckless.

my2c

[coolapso]

Howdy.
I briefly touched some of those points in this one.

"But I want and can maintain it, can I take it over?" Let me put it plain and simple: No! I don't know you, I don't trust you! Fork it and carry on!

About this, I have been around for long enough to know that ta few john does that never did anything for the project will gladly com out and say they want to keep maintaining it. that's just how it works and people will do anything they can for visibility or to snatch a popular opensource project.

With trust, a new branch could be established (eg. pivpn/pivpn-community), in which work could continue, with only minimal commitment.

pivpn has achieved so much that early fore-closure seems to be counter-intuitive and a little reckless.

It has been like that for some years now, both me and @orazioedoardo been just keeping the bare minimum, and not really much been done other than letting the community do its own magic. even unmaintained pivpn can still be relevant for years, however i do really feel that its main objective has been accomplished and now there are others than can carry on.

if you wish so I can add you to the organization and you can keep driving the project as you wish.

[AlexandreMarkus]

@4s3ti Thank you for the excellent work. I loved using PIVPN. Is there any reason to stop using PIVPN ? Is it safe to continue using it even if it is not maintained anymore?

[gerowin]

I'm not one of the devs, but since PiVPN itself was really just a set of scripts that automated the process of using your system packages, you should be totally fine. The Wireguard/OpenVPN software actually came from your distribution's package manager, so if your VPN server is already set up and functional, I would imagine you'd be totally fine to continue using it for the remaining lifespan of your distribution.

[AlexandreMarkus]

Thank you, I had the same understanding, but just wanted to be sure 😁

[gerowin]

Thank you for your years of dedication and hard work. PiVPN has been instrumental over the years in not only working on my home server when I'm not home, not just for securing my network traffic when traveling, but in keeping my kids' devices locked behind my self-hosted parental controls even when they're at school or elsewhere.

I'm just glad that now that my VPN is set up, all I really need to worry about doing is keeping the system packages updated. The end of this project does not mean that our current VPN servers are automatically vulnerable.

Honestly, I'll probably just clone the repo as it exists now so that I can use the scripts on future installs. Again, thank you for your hard work and dedication, and I wish you the best of luck in your future endeavors, :-)

[coolapso]

Current version will always be always be available no need to fork for that sake :)

[jejupods]

Thank you so much for all of the work all of you have put in over the years. PiVPN was an invaluable tool in my arsenal for many years. All the best to you. <3

[kokomo123]

Thanks so much, i was happy to contribute to this project, even a little. This script served me well and will continue on as one of the best VPN scripts out there in a pinch ❤️ Everyone did a great job 💯 👍🏻

[pchristod]

I've been using this for years, I'm immensely grateful for your and anyone's work who contributed. Thank you!

[eeandersen]

So sorry to see piVPN go.... Thanks to all who have had a hand in keeping it going.

Before you go, can you answer a question? At what point should we walk away from using piVPN? Presumably it works OK today, but when / how will we know that it is no longer prudent to rely on it?

[MichaIng]

See above discussion, that it might not stop being further developed/maintained only because the orga owner stops doing so.

Also, IMO, you can perfectly use it as long as it successfully installs and the pivpn commands or OpenVPN/WireGuard services do not throw errors. It works on Debian Trixie (at time of writing), and I do not see significant changes to be applied there (on the OpenVPN/WireGuard packages provided) which would break it. Hence you can further use it on Debian Trixie (release planned for summer 2025 with as always about 3 years regular life time), and on Debian Bookworm anyway.

Note that PiVPN itself has limited influence on the safety of the actual VPN server, as those are provided by Debian (or whichever distro you use) and updated independently via apt upgrade, even offered/suggested to be automated on a daily bases by the PiVPN installer. Within a Debian release, those packages however receive only security and bug fix patches, no actual (upstream version) updates, hence no new features or similar. This also means that the VPN server settings, like TLS version, cipher suites etc, chosen by PiVPN, remain best practice for the Debian release you use. For WireGuard those are not even defined (not sure if it is even possible), but all managed WireGuard-internally. For Unbound and OpenVPN, PiVPN chooses pretty sane hardened settings, and while there are always harder ones, and more will arise in the future, the ones currently chosen by PiVPN do not become weak from one moment to the other. I.e. even if the Unbound/OpenVPN versions shipped with Debian Trixie or future Debian versions support newer/safer cryptography algorithms, this wouldn't render PiVPN unsafe. However, in case it did not receive any commit in 3 years, I would start to watch out for alternatives, popular forks or such 😉.

Ah, of course if AI or quantum computing makes a leap and SHA256 and/or TLS1.2 are officially rendered weak/broken, then PiVPN would need to move a other algorithms in its default configs. But media/news would be full of it, and Debian packages would be patched quickly to not support those anymore (hence the VPN servers would start to fail, or just override the weak settings).

The cipher defined in https://github.com/pivpn/pivpn/blob/master/files/etc/openvpn/server_config.txt#L25C1-L25C7 (CBC) is btw indeed not very secure anymore, but this setting is anyway ignored in OpenVPN server versions from 2.6, hence from Debian Bookworm (and Bullseye backports) on.

[orazioedoardo]

The cipher defined in https://github.com/pivpn/pivpn/blob/master/files/etc/openvpn/server_config.txt#L25C1-L25C7 (CBC) is btw indeed not very secure anymore

I believe OpenVPN 2.4 automatically upgrades to GCM

[MichaIng]

Mostly, at least. From the man page:

Before 2.4.0, this option was used to select the cipher to be configured on the data channel, however, later versions usually ignored this directive in favour of a negotiated cipher. Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for --secret pre-shared-key mode (note: this mode is deprecated and strictly not recommended).

... ah right, older man page states:

The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM. See --data-ciphers and --ncp-disable for more details on NCP.

To avoid confusion, this should be probably just removed from the config.

[eeandersen]

Thanks, that is reassuring. I use piVPN on 4 networks I keep.  All on Pi’s, too, I might add. I appreciate your well thought reply, thanks. Sent from my iPhoneOn Apr 8, 2024, at 1:27 PM, MichaIng ***@***.***> wrote: See above discussion, that it might not stop being further developed/maintained only because the orga owner stops doing so. Also, IMO, you can perfectly use it as long as it successfully installs and the pivpn commands or OpenVPN/WireGuard services do not throw errors. It works on Debian Trixie (at time of writing), and I do not see significant changes to be applied there (on the OpenVPN/WireGuard packages provided) which would break it. Hence you can further use it on Debian Trixie (release planned for summer 2025 with as always about 3 years regular life time), and on Debian Bookworm anyway. Note that PiVPN itself has limited influence on the safety of the actual VPN server, as those are provided by Debian (or whichever distro you use) and updated independently via apt upgrade, even offered/suggested to be automated on a daily bases by the PiVPN installer. Within a Debian release, those packages however receive only security and bug fix patches, no actual (upstream version) updates, hence no new features or similar. This also means that the VPN server settings, like TLS version, cipher suites etc, chosen by PiVPN, remain best practice for the Debian release you use. For WireGuard those are not even defined (not sure if it is even possible), but all managed WireGuard-internally. For Unbound and OpenVPN, PiVPN chooses pretty sane hardened settings, and while there are always harder ones, and more will arise in the future, the ones currently chosen by PiVPN do not become weak from one moment to the other. I.e. even if the Unbound/OpenVPN versions shipped with Debian Trixie or future Debian versions support newer/safer cryptography algorithms, this wouldn't render PiVPN unsafe. However, in case it did not receive any commit in 3 years, I would start to watch out for alternatives, popular forks or such 😉. Ah, of course if AI or quantum computing makes a leap and SHA256 and/or TLS1.2 are officially rendered weak/broken. But media/news would be full of it, and Debian packages would be patched quickly to not support those anymore. The cipher defined in https://github.com/pivpn/pivpn/blob/master/files/etc/openvpn/server_config.txt#L25C1-L25C7 (CBC) is btw indeed not very secure anymore, but this setting is anyway ignored in OpenVPN server versions from 2.6, hence from Debian Bookworm (and Bullseye backports) on. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>

[jlrpalomar]

Thank for all the work done, you make OpenVPN closer and easier for much more users! Hope everything goes well. My thanks also to all the contributors of the project

[TeaRex-coder]

Thank you so much for your efforts! A few years ago when I was just getting into Linux and Homelabbing, PiVPN's installation scripts are what helped me setup OpenVPN in a simple way!

[franciscoj]

Thanks a lot for maintaining PiVPN all this time!

[orazioedoardo]

@4s3ti Could you disable branch protection? I'm about to post an update but can't this way.

[coolapso]

Will do so ...

[coolapso]

Promoted you to organization owner

[coolapso]

@orazioedoardo from here on, I will probably miss anything going on here, but that doesn't mean I'm gone. if you need me please drop me an email or reach me in any of the places available here

[Appoxo]

This project was one of my first entries into linux and raspberry pi. Thabk you and everyone project contributor for the work you put into.
I wish you great success onward.

[JacobMS2020]

Thank you for your time and effort!! PiVPN has been a huge help to me in many ways 🙏

[devZer0]

@4s3ti , thanks for maintaining pivpn for so long. i can understand your move.

but one question:

There are so many tools out there that do the job much better than PiVPN does

which are the tools out there which can provide easy commandline based openvpn/wireguard setup & administration like pivpn ?