Windscribe is a legitimate, privacy-focused VPN service with strong security features. It's regarded as one of the top VPN providers among enthusiasts in privacy-focused communities.
Moreover, you can see from miles away on the download page that it takes Linux users seriously. From my personal experience with the client, this is, by far, the best Linux-compatible VPN client on the market!
The client also works flawlessly inside a container, eliminating the need to layer the client on an immutable OS like Fedora Silverblue.
Here are reasons why you should consider Windscribe:
- There are many connection protocols available: WireGuard, Stealth, WStunnel, OpenVPN, and IKEv2 (on mobile). Which one to pick depends on your use case:
  - WireGuard is the fastest.
  - Stealth is for censorship circumvention (China, Russia, Iran) and restrictive networks.
  - WStunnel is a last-resort option for the toughest firewalls or corporate networks.
- If that's not enough, there are more features to circumvent censorship: decoy traffic, MAC spoofing, and GPS spoofing.
- Port forwarding is supported 🤫
- Split tunneling is supported.
- CLI client for those on headless servers.
- Many DNS resolver profiles, blocking malware, ads, and trackers by default.
- Static IP is available, along with a static port for port forwarding. This is a killer feature for your remote home projects 🧰
- Config files for OpenVPN, IKEv2 and WireGuard are available.
- Arcade sound for the connection! 👾🕹️ This feature sealed the deal for me
- And many more, see all features!
Install Windscribe in a Container
Table of contents:
- Install Distrobox
- Configure Distrobox to use Podman
- Create a Container 📦️
- Install Windscribe client in the Container
- Enable the Client's Helper
- Create a Desktop File on the Host
- Make the Container Update Itself Automatically, Zero Maintenance!
1. Install Distrobox
The command will differ based on your specific package manager. Refer to your distro's docs. For example, on Fedora Silverblue:
sudo rpm-ostree install distrobox
After the installation, reboot your system to activate the new layer. For other mutable distros, there's no need to reboot.
2. Configure Distrobox to use Podman
mkdir -p ~/.config/distrobox && echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf
3. Create a Container 📦️
I use the official container image from Ubuntu, as I also use the image for ZeroTier and Cloudflare WARP. Otherwise, you could use the openSUSE image instead:
registry.opensuse.org/opensuse/distrobox:latest
Because:
- It's easier to maintain as it uses a rolling release model, so there's no need to worry about the EOL date of the image/OS.
- It offers some x86-64-v3 packages, a free performance boost, just by installing the patterns-glibc-hwcaps-x86_64_v3 package.
Do NOT create a rootful init container, as it can cause ownership/permission conflicts on shared volumes between the host and other containers.
Creating a Container for Windscribe (Ubuntu Image)
distrobox create -i docker.io/library/ubuntu:latest -n vpn-dbx--root -H ~/distrobox/vpn-dbx--root --additional-packages "pipewire libxcb-shape0 libnl-genl-3-200" --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket --additional-flags "--device=/dev/net/tun --cap-add=NET_ADMIN --cap-add=SYS_ADMIN" -r
- I add the pipewire package to have the audio working for the arcade sound in the client 👾🕹️
- libxcb-shape0 and libnl-genl-3-200 are used by the client.
- /run/dbus/system_bus_socket, /dev/net/tun, along with --cap-add=NET_ADMIN --cap-add=SYS_ADMIN are universally necessary for any app that wants to modify the state of your network.
- -r is used to create a rootful container, for obvious reasons.
4. Install Windscribe client in the Container
Please refer to Windscribe's official download page.
Update All Packages in the Container
sudo apt update
Install the Official Client You Downloaded
For example:
sudo apt install ./windscribe_2.20.7_amd64.deb
5. Enable the Client's Helper
The client requires its helper to be running in order to function. Normally, if you install/layer the client directly on the system, the installer script will create a systemd unit for the helper automatically. But don't worry, it can be done easily.
Create a Service Running the Helper
sudo nano /etc/systemd/system/windscribe-helper.service
Inside the file:
[Unit]
Description=Start Windscribe VPN Helper
After=network-online.target
Wants=network-online.target
RequiresMountsFor=%t/containers
StartLimitIntervalSec=30
StartLimitBurst=5
[Service]
Type=exec
ExecStartPre=/bin/podman start vpn-dbx--root
ExecStart=/bin/podman exec vpn-dbx--root bash -c "/opt/windscribe/helper"
Restart=on-failure
RestartSec=5
RemainAfterExit=yes
Create a Timer Triggering the Helper Service
sudo nano /etc/systemd/system/windscribe-helper.timer
Inside the file:
[Unit]
Description=A trigger to start Windscribe's helper on startup
[Timer]
OnBootSec=25
RandomizedDelaySec=10
[Install]
WantedBy=timers.target
Reload and Enable the Timer
sudo systemctl daemon-reload && sudo systemctl enable --now windscribe-helper.timer
The helper is now running in the background.
6. Create a Desktop File on the Host
So, you don't have to manually type a lengthy command in the terminal just to open a VPN client.
nano ~/.local/share/applications/windscribe.desktop
Inside the file:
[Desktop Entry]
Type=Application
Icon=/var/home/archerallstars/.local/share/icons/windscribe.png
Name=Windscribe
Comment=Start Windscribe VPN
Keywords=vpn;windscribe
Exec=distrobox-enter -r vpn-dbx--root -- /opt/windscribe/Windscribe
StartupWMClass=Windscribe
Terminal=true
You can download the app icon easily from Play Store.
Replace the path above with your icon's absolute path.
Now, you have the client 100% fully working!
You can check your VPN's IP and DNS resolver to see if there's any leak using https://dnscheck.tools/
7. Make the Container Update Itself Automatically, Zero Maintenance!
Create a Service File
sudo nano /etc/systemd/system/vpn-dbx-upgrade.service
In the file:
[Unit]
Description=Upgrade vpn-dbx--root
After=network-online.target
Wants=network-online.target
RequiresMountsFor=%t/containers
StartLimitIntervalSec=600
StartLimitBurst=5
[Service]
Type=exec
ExecStartPre=/bin/podman start vpn-dbx--root
ExecStart=/bin/podman exec vpn-dbx--root bash -c "apt update -y && apt full-upgrade -y"
Restart=on-failure
RestartSec=60
RemainAfterExit=yes
Create a Timer File
sudo nano /etc/systemd/system/vpn-dbx-upgrade.timer
In the file:
[Unit]
Description=Upgrade vpn-dbx--root daily.
[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=5min
[Install]
WantedBy=timers.target
Reload and Enable the Timer
sudo systemctl daemon-reload && sudo systemctl enable vpn-dbx-upgrade.timer
Config Your Firewall to Have Port Forwarding Working Correctly
It depends on your host's firewall. For example, Ubuntu uses ufw, Fedora uses firewalld.
For ufw System
Check your firewall status:
sudo ufw status verbose
If it's enabled, you will need to open the correct port that you've opened in your Windscribe account's port forwarding page:
sudo ufw allow <port>/tcp && sudo ufw allow <port>/udp
For firewalld System
1. Create a New Zone in firewalld
List all the available zones:
firewall-cmd --get-zones
We will use a zone called vpn. If it's not present yet, create it:
sudo firewall-cmd --permanent --new-zone=vpn
Reload firewalld for it to take effect:
sudo firewall-cmd --reload
Check all the available zones again:
firewall-cmd --get-zones
Now, vpn should be listed as one of the zones.
2. Finding the Interface's Name Using Network Manager
⚠️ It's possible to add the interface to the zone using the Network Manager, but it will conflict with how Windscribe's client manages the network. Therefore, use firewalld to manage the firewall's rules, as it's supposed to. Never use the Network Manager to manage your firewall rules!
firewalld, however, cannot list an interface that is not in any of its zones. It only knows and manages the interfaces that are bound to one of its zones. Therefore, we use Network Manager for this instead.
Find your active connection name first:
nmcli connection show --active
It will return something like:
NAME UUID TYPE DEVICE
YourConnectionName xxxxxxxxxxxxxxxxxxxxxxxxxxxxx wifi xxxxxx
Note down your connection name. Usually, it will be something that has tun in its name. If you have connected to the VPN network, you can use an app like Resources to know the name for sure.
3. Adding the Interface to firewalld Permanently
sudo firewall-cmd --zone=vpn --change-interface='YourConnectionName' --permanent
Reload the firewall (to apply the change):
sudo firewall-cmd --reload
Also, check whether the interface is already in firewalld's zone (it should be):
firewall-cmd --zone=vpn --list-interfaces
4. Adding the Required Ports to firewalld's Zone Permanently
List all the rules in vpn zone:
firewall-cmd --zone=vpn --list-all
If it doesn't show any port number after the ports: entry, this means firewalld is blocking all incoming ports in this zone (vpn).
You can add your port like this:
sudo firewall-cmd --permanent --zone=vpn --add-port=<yourport>/tcp
sudo firewall-cmd --permanent --zone=vpn --add-port=<yourport>/udp
Reload the firewall (to apply the change):
sudo firewall-cmd --reload
If you want to remove the port, since most of you would use an ephemeral port anyway:
sudo firewall-cmd --zone=vpn --remove-port=<yourport>/tcp --permanent
sudo firewall-cmd --zone=vpn --remove-port=<yourport>/udp --permanent
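A quick audit of the zone after steps 1 to 4, added here as an example (it is not part of the original post): it parses the text printed by firewall-cmd --zone=vpn --list-all and reports whether the interface is bound to the zone and the port is open for both TCP and UDP. The function names, the tun0 interface and port 40000 are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: audit a firewalld zone from `firewall-cmd --zone=<zone> --list-all` text.
# Function names, interface name and port number are hypothetical.

# Print the value of one field ("interfaces", "ports", ...) from --list-all output.
# Anchored at line start, so "ports" does not match "forward-ports" or "source-ports".
zone_field() {  # $1 = list-all output, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Succeed if $2 appears as a whole word in the space-separated list $1.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Print OK, NO_INTERFACE, MISSING_TCP or MISSING_UDP (port ranges are not expanded).
audit_zone() {  # $1 = list-all output, $2 = interface, $3 = port
    az_ifaces=$(zone_field "$1" interfaces)
    az_ports=$(zone_field "$1" ports)
    has_word "$az_ifaces" "$2" || { echo "NO_INTERFACE"; return 1; }
    has_word "$az_ports" "$3/tcp" || { echo "MISSING_TCP"; return 1; }
    has_word "$az_ports" "$3/udp" || { echo "MISSING_UDP"; return 1; }
    echo "OK"
}

# Constructed sample of `firewall-cmd --zone=vpn --list-all` output.
SAMPLE_ZONE='vpn (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services:
  ports: 40000/tcp 40000/udp
  protocols:
  forward: yes
  masquerade: no'

# Live use on the host (requires firewalld):
#   audit_zone "$(firewall-cmd --zone=vpn --list-all)" tun0 40000
audit_zone "$SAMPLE_ZONE" tun0 40000
```

NO_INTERFACE means the name given to --change-interface does not match what the zone actually holds, so the opened ports are not applied to the VPN interface.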
Check the Reachability of Your Opened Port
First, please don't use any of the online port checkers like portchecker.co, for example. It never works for me...
The reliable way to test the reachability of your opened port is through torrent clients like Fragments, for example:
For Headless Folks
You can use this command to check the reachability of your opened port in the terminal:
p=<port_number>; curl -s https://portcheck.transmissionbt.com/$p | grep -q '^1' && echo -e "\033[1;32m✅ Port $p is OPEN\033[0m" || echo -e "\033[1;31m❌ Port $p is CLOSED\033[0m"
This will return:
✅ Port XXXXX is OPEN
Or:
❌ Port XXXXX is CLOSED
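The one-liner above also prints CLOSED when curl itself fails (no route, DNS failure, service down), because grep then sees empty input. The following added example (not from the original post) separates OPEN, CLOSED and UNKNOWN and validates the port before it is placed in the URL; the function names are hypothetical, and treating a body that starts with 0 as "closed" is an assumption about the service's reply.

```shell
#!/bin/sh
# Added example: port check that does not confuse "curl failed" with "port closed".
# Function names are hypothetical.

# Accept only an integer in 1..65535 (rejects empty, non-digits, over-long input).
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Map (curl exit status, response body) to a verdict.
# "1..." means reachable, as the one-liner relies on; "0..." as closed is an assumption.
classify_portcheck() {  # $1 = curl exit status, $2 = response body
    [ "$1" -eq 0 ] || { echo "UNKNOWN"; return 2; }
    case "$2" in
        1*) echo "OPEN"; return 0 ;;
        0*) echo "CLOSED"; return 1 ;;
        *)  echo "UNKNOWN"; return 2 ;;
    esac
}

# Query the checker for one port and print INVALID, OPEN, CLOSED or UNKNOWN.
check_port() {  # $1 = port
    valid_port "$1" || { echo "INVALID"; return 3; }
    cp_body=$(curl -s --fail --max-time 15 \
        "https://portcheck.transmissionbt.com/$1") && cp_rc=0 || cp_rc=$?
    classify_portcheck "$cp_rc" "$cp_body"
}

# Run as: sh portcheck.sh <port>
if [ $# -gt 0 ]; then
    check_port "$1"
fi
```

An UNKNOWN result says the check itself could not be completed, so retry it before changing any firewall rules.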
Thanks for reading
Cover Photo by Thomas Richter on Unsplash
A Container Photo by Sophie Cardinale on Unsplash
A WiFi Device Photo by Amal S on Unsplash
A Hand Photo by Frankie Mish on Unsplash





