Windscribe VPN on openSUSE

With all the talk of VPN (Virtual Private Network) services to keep you safe and my general lack of interest in the subject, I was talking to Eric Adams, my co-host on the DLN Xtend podcast, about the subject. He was telling me that he was hesitant to recommend any service, so he gave me some options to try out. The one I chose, after doing a little reading, was Windscribe.

I am new to the VPN game, so I want to be careful: I am not recommending this as the perfect solution but rather demonstrating how I set it up and how I am using it on my openSUSE Tumbleweed system, much in the same way Eric informed me about it.

Installation

For starters, I navigated to the Windscribe website, https://windscribe.com/

It’s a nice looking site and I like that they have, front and center, a Download Windscribe button. I am always annoyed when you have to go digging around to download anything. I give a resounding “boo” when I am forced to play a scavenger hunt game to find the download link. Thank you, Windscribe, for not making this part difficult.

Another well presented download for Linux button. No hunting here either. Although, I did notice that there was a lack of definition of my favorite Linux distribution. They have left out openSUSE and that makes me just a bit frowny faced. No matter, I am not a complete “noob” to the Linux-ing and since Fedora and openSUSE packages are like close cousins (in my experience, but I am often wrong), setting this up for openSUSE was pretty darn straightforward.

These instructions are easily adapted to the fantastic Zypper package manager. This is my adaptation of their instructions for openSUSE and is well tested on Tumbleweed.

1. Get a Windscribe Account

Create a free account if you don’t have one already

2. Download and Install the repo as root

zypper ar https://repo.windscribe.com/fedora/ windscribe

This is telling zypper to add the repository (ar) https://repo.windscribe.com/fedora and naming it “windscribe”.

3. Update Zypper

zypper refresh

4. Install Windscribe-CLI

zypper install windscribe-cli

5. Switch to non-root user

exit

6. Login to Windscribe

windscribe login

Follow the steps with your newly created account

7. Connect to Windscribe

windscribe connect

And that is all there is to it. You will be connected and ready to be part of the cool-kid VPN club.
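Step 2 makes a third-party repository a source of root-installed packages, so it is worth checking how that repository is defined before installing from it. The script below is an added example, not part of the original instructions or of Windscribe's own tooling; the two .repo files it writes are constructed samples (the first modelled on the repo added in step 2, the second deliberately weakened).

```shell
#!/bin/sh
# Added example: check a zypper repository definition for settings that
# weaken package authenticity. The sample files below are constructed.

# First value of KEY in an ini-style .repo FILE (empty when the key is absent).
repo_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print one FINDING line per problem; return 1 if there was any.
audit_repo() {
    status=0
    baseurl=$(repo_value "$1" baseurl)
    gpgcheck=$(repo_value "$1" gpgcheck)
    case $baseurl in
        https://*) ;;
        *) echo "FINDING: baseurl is not HTTPS: ${baseurl:-<missing>}"; status=1 ;;
    esac
    case $gpgcheck in
        0|no|off|false) echo "FINDING: gpgcheck is switched off in the repo file"; status=1 ;;
        "") echo "NOTE: gpgcheck not set here; the default from zypp.conf applies" ;;
    esac
    return $status
}

# Constructed samples: one modelled on step 2, one weakened variant.
make_samples() {
    cat > "$1/windscribe.repo" <<'EOF'
[windscribe]
enabled=1
autorefresh=0
baseurl=https://repo.windscribe.com/fedora/
type=rpm-md
EOF
    cat > "$1/weak.repo" <<'EOF'
[weak]
enabled=1
baseurl=http://repo.example.invalid/fedora/
gpgcheck=0
EOF
}

demo=$(mktemp -d)
make_samples "$demo"
for f in "$demo"/*.repo; do
    echo "== ${f##*/}"
    audit_repo "$f" || echo "   -> review before installing from this repo"
done
rm -rf "$demo"
```

On the installed system the file to check is the one zypper created under /etc/zypp/repos.d/, and `zypper lr -d` shows the effective GPG Check setting per repository.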

Side Note

If you need further help with how to use the different functions of Windscribe, run:

windscribe --help

If you need further information on how to use these other features, please visit the windscribe.com site as I am just using the basic functionality of it here.

If the windscribe daemon service does not automatically start up, you may have to start it manually as root.

systemctl start windscribe

and if you want to have it enabled at startup

systemctl enable windscribe

Those may or may not be necessary for you, but just in case, there you go and you’re welcome!

First Run and Impressions

There currently isn’t a graphical tool for using windscribe in Linux, or at least openSUSE. Chances are, if you are using openSUSE and are hyper concerned about protecting your traffic, using the terminal is not exactly going to cause you to have heartburn. Installation to execution is truly as simple as I have outlined above.

You can take it one step further in the cool, fun, I-am-a-hacker-poser-type way if you run it in a terminal emulator called Yakuake. This is a drop-down terminal that is invoked, on my machine, with Meta+F12. It looks cool and it is very convenient to drop it down whenever I need it.

For the free account, you are limited to 10 GiB of data. To check the status of your account usage, in the terminal type

windscribe account

That will give you an output, something like this:

------- My Account -------
Username: CubicleNate
Data Usage: 80.02 MB / 10 GB
Plan: 10 GB Free

There is a paid option, which, in my opinion is very reasonable, if you buy a year at a time and I think, if you travel a lot, this may be of great interest to you to protect your data.

If you buy a one year subscription for $49, you are benefited by Unlimited Data, Access to all their locations, which they boast as over 60 countries and 110 cities, a Config Generator for OpenVPN, IKEv2 and SOCKS5 which, to my understanding, will allow me to use NetworkManager to access the service, and R.O.B.E.R.T. to block ads, trackers and malware. If that is all up your alley, and you like the free service, it all seems pretty well worth it to me.

What I Like

The installation was simple, using it is simple (so long as you are good with the command line) and the performance is very acceptable. Since I am using this when I am away from home, I don’t expect any break-neck speeds out of it; I just prefer that my traffic is at least somewhat protected. After listening to this episode of Destination Linux, I felt like it was a good idea to enact some sort of VPN when I’m out and about.

What I Don’t Like

There isn’t a graphical interface for the terminal-phobic folks. Not a problem for me or likely most Linux users, but there are some that just won’t use it. That’s just the way it goes.

I don’t like that I am not quite familiar with Windscribe. That is not a fault of the service, just the fact that I know so little about them. I will tell you that every email interaction with Windscribe has been amusing so that bodes well for what I think of them.

Final Thoughts

I know that my employer requires me to VPN in to do any real work, so even they recognize the value of a good VPN, so maybe I should too. How often do I plan to use it? Not all that often, really. Maybe a few times a month, specifically when I am using an internet access point that I do not trust. I will especially use it if the access point has “xfinity” in the SSID as I have little to no trust for them.

I appreciate how simple this is to use and should I get to the point where I am pushing my 10 GiB per month limit, I will go all in on an annual subscription. It’s not that expensive to put up one extra line of defense, especially one as convenient as this.

References

Windscribe.com Home
openSUSE Home
Destination Linux Episode 146 on VPNs
DLN Xtend Podcast
Eric Adams at Destination Linux Network

CPU Security Mitigation on openSUSE | Tuning it for Your Case

This is a little outside of my normal blatherings format, but after stumbling upon a video from Red Robbo’s YouTube channel, I wanted to investigate his claims that maybe, just maybe, the security mitigations that I have chosen are a bit excessive for my use case. Recently, openSUSE has added a feature to make this easily user adjustable. Since they made it easy, obviously, someone far smarter than I am has decided that some of the mitigations may be excessive and not worth the performance loss for all use cases. I have written about the mitigations some time ago and how it is fun to see all that is being implemented. Maybe it’s time to dial it back.

This is the video that made me pause and think about the choices I’ve made.

Red Robbo made the statement, “how many people are actually impacted by this, not potentially impacted but actually…”

Fair statement: what is my actual risk? Not imaginary, but actual risk. So that got me thinking. My setup has been to keep the mitigations on “Auto”. That seems fair to me. Let the system decide how many mitigations I need to have in place. Then this video came out and it got me thinking…

“How many mitigations do I really need to have to protect my system?”
“What are the threats against my main machine, a laptop, that does not run any services?”
“How much of a performance improvement would I have if I switched the mitigations off?”

According to SUSE, by leaving the mitigations to Auto, “All CPU side channel mitigations are enabled as they are detected based on the CPU type. The auto-detection handles both unaffected older CPUs and unaffected newly released CPUs and transparently disables mitigations. This option leaves SMT enabled.”

It was time to explore this further. Do some self-discovery, as it were.

In reading all the CVEs on the subject, they are worded as either, “Local attacker”, “In theory”, “…a possible approach”, “could be made to leak”.

I couldn’t help but think, golly, this is all… speculative… isn’t it? I now wonder what the actual threat is. I appreciate how the fixes were very much preemptive, before any attacks were made, but it almost seems like building my house so that it is meteor proof, just in case of a meteor strike.

What I’ve done

So I did as Red Robbo suggested, not on all my machines, just the machines that that, I shut them off. I am not on anyone’s target list. I don’t run any kind of service that has tons of people in this system and it doesn’t often face the scary internet directly as it is going through a firewall that filters most of the scary traffic away. Making the change was really quite easy and underscores the beauty of YaST. To get to the right module, I go into YaST and select the Boot Loader module under System.

Within the Boot Loader module, select the Kernel Parameters tab; under CPU Mitigations, I opened the drop-down and selected the Off option.

After selecting okay and rebooting the system I can’t say I noticed any major improvement to performance. I tested Auto vs Off and I couldn’t actually tell the difference in performance. There may be some improvement but either I am personally too slow or nothing I do on a regular basis is affected by the mitigations.
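After the reboot, the kernel itself reports what the change did: the `mitigations=` boot parameter on its command line (assumed here to be what the YaST drop-down writes) and one status file per issue under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not from SUSE, YaST or the video; it classifies those status lines, and its sample data is constructed, with states deliberately mixed to exercise each branch rather than copied from one machine.

```shell
#!/bin/sh
# Added example. With no arguments the functions read the live kernel
# interfaces; pass other paths to inspect saved copies.

# Print the last mitigations= value on a kernel command line ("auto" if unset).
mitigation_mode() {
    mode=$(tr ' ' '\n' < "${1:-/proc/cmdline}" | sed -n 's/^mitigations=//p' | tail -n 1)
    echo "${mode:-auto}"
}

# Print "name state" for every entry in the sysfs vulnerabilities directory.
vuln_summary() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(head -n 1 "$f")
        line=${line#KVM: }                 # some entries carry a "KVM: " prefix
        case $line in
            "Not affected"*)                     state=not-affected ;;
            Mitigation*"SMT vulnerable"*)        state=mitigated-but-smt-exposed ;;
            Mitigation*)                         state=mitigated ;;
            Vulnerable*|"Processor vulnerable"*) state=VULNERABLE ;;
            *)                                   state=unknown ;;
        esac
        echo "${f##*/} $state"
    done
}

# Number of entries the kernel reports as unmitigated.
count_vulnerable() { vuln_summary "$1" | grep -c ' VULNERABLE$' || true; }

# Constructed sample in the kernel's reporting style, so the script also
# runs on a machine that lacks these files.
make_sample() {
    mkdir -p "$1/vulns"
    echo "BOOT_IMAGE=/boot/vmlinuz root=/dev/sda2 quiet mitigations=off" > "$1/cmdline"
    echo "Vulnerable" > "$1/vulns/meltdown"
    echo "KVM: Vulnerable" > "$1/vulns/itlb_multihit"
    echo "Not affected" > "$1/vulns/tsx_async_abort"
    echo "Mitigation: Clear CPU buffers; SMT vulnerable" > "$1/vulns/mds"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "mode: $(mitigation_mode "$demo/cmdline")"
vuln_summary "$demo/vulns"
echo "unmitigated: $(count_vulnerable "$demo/vulns")"
rm -rf "$demo"
```

Running `mitigation_mode` and `vuln_summary` with no arguments before and after the YaST change shows which entries moved from mitigated to VULNERABLE on that particular CPU.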

Final Thoughts

For “desktop” machines, I am pretty confident that the other security features of Linux are quite adequate for keeping you safe on the Scary Internet. This desktop machine doesn’t provide any services to anyone outside of me as I am using it. I don’t have an Internet facing web service or database that is at risk of being compromised by bad actors.

For my personal server, that really doesn’t do a lot, I am keeping the mitigations to Auto. Although it does not face the internet, it is on all the time, I am not asking too much of it and it has a great chance at getting poked by something. Though, since I am not a target, the chances of that machine being compromised are also rather slim.

Your situation is dependent on your level of paranoia. Crank up your mitigations to 11 if you think it is best. As for this particular machine and the other little laptops and netbooks I use, I don’t see it as necessary.

References

SUSE.com Centralized CPU issue Mitigation document
Red Robbo’s Workshop YouTube Video: Improve Intel CPU performance on openSUSE
CubicleNate.com Spectre and Meltdown Vulnerability Status
TID 7022512 – Security Vulnerability: “Meltdown” and “Spectre” side channel attacks against CPUs with speculative execution.
TID 7022937 – Security Vulnerability: Spectre Variant 4 (Speculative Store Bypass) aka CVE-2018-3639.
TID 7023075 – Security Vulnerability: Spectre side channel attack “Bounds Check Bypass Store” aka CVE-2018-3693.
TID 7023076 – Security Vulnerability: Spectre side channel attack “Lazy FPU Save/Restore” aka CVE-2018-3665.
TID 7023077 – Security Vulnerability: “L1 Terminal Fault” (L1TF) aka CVE-2018-3615, CVE-2018-3620 & CVE-2018-3646.