Any luck with Perimeter81?

Hi all! My client uses Perimeter81 for VPN, and their idea of “Linux support” is “here’s a deb package for Ubuntu”.

Right now, I am using an Ubuntu VM to do the few things that are necessary for me to be on a VPN for.

Has anyone managed to get the Perimeter81 app running on NixOS?

1 Like

Here’s an example of someone repackaging a deb for nix: TablePlus *.deb package

I’d try doing the same and seeing if it blows up.

3 Likes

I use tailscale myself, and had good results. Seems there are a few nixers over at tailscale as well, which is always nice.

Nix/OS really really likes source code, patching binaries is not the way.

Can you get the source code, is it something that is closed source running on an opensource operating system, something I could never understand myself.

I’ve got the same problem with parsec…it’s super top secret compression for some reason, no source allowed…again, are these companies living in 1822?

I’m in the same boat, recently forced to use Perimeter81 to access some DBs, my workaround for now was spinning up a VM with Ubuntu, and having the connection open there, then creating an SSH tunnel to access the resources.

I’ll try TTLATER’s suggestion to repackage a .deb.

Here’s what I have tried so far (mostly inspired by how balena etcher derivation is defined in nixpkgs):

```nix
{ stdenv, dpkg }:

let version = "8.0.3.654";
in stdenv.mkDerivation {
  pname = "perimeter81";
  inherit version;
  # Vendor .deb, pinned by hash
  src = builtins.fetchurl {
    url =
      "https://static.perimeter81.com/agents/linux/Perimeter81_${version}.deb";
    sha256 = "0m1fyvvkdjvcs09aizvqpzr2xcybffqmpgdymwa4lwz7rizyxy81";
  };
  nativeBuildInputs = [ dpkg ];
  # Extract only the package's file tree; maintainer scripts are not run
  unpackPhase = ''
    dpkg-deb -x $src .
  '';
  installPhase = ''
    mkdir -p $out/{bin,opt/share}
    cp -r opt $out/
    cp -r usr/share $out/

    # Point the desktop entry at the store path instead of /opt
    substituteInPlace $out/share/applications/perimeter81.desktop \
      --replace "/opt/Perimeter81/perimeter81" $out/opt/Perimeter81/perimeter81
  '';
}
```

It unpacks the .deb just fine:

```
$ tree result
result
├── bin
├── opt
│   ├── Perimeter81
│   │   ├── artifacts
│   │   ├── binaries
│   │   │   ├── openvpn
│   │   │   │   └── linux
│   │   │   ├── osquery
│   │   │   │   └── linux
│   │   │   ├── strongswan
│   │   │   │   └── linux
│   │   │   └── wireguard
│   │   │       └── linux
│   │   ├── locales
│   │   ├── resources
│   │   ├── swiftshader
│   │   └── upstream
│   │       ├── 3.10.0-1160.el7.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       ├── 4.18.0-240.el8.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       ├── 4.18.0-305.el8.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       ├── 4.18.0-348.el8.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       └── wireguard-1.0.20200429
│   │           ├── compat
│   │           │   ├── checksum
│   │           │   ├── dst_cache
│   │           │   │   └── include
│   │           │   │       └── net
│   │           │   ├── fpu-x86
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   │           └── fpu
│   │           │   ├── intel-family-x86
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   ├── memneq
│   │           │   ├── neon-arm
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   ├── ptr_ring
│   │           │   │   └── include
│   │           │   │       └── linux
│   │           │   ├── simd
│   │           │   │   └── include
│   │           │   │       └── linux
│   │           │   ├── simd-asm
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   ├── siphash
│   │           │   │   └── include
│   │           │   │       └── linux
│   │           │   └── udp_tunnel
│   │           │       └── include
│   │           │           └── net
│   │           ├── crypto
│   │           │   ├── include
│   │           │   │   └── zinc
│   │           │   └── zinc
│   │           │       ├── blake2s
│   │           │       ├── chacha20
│   │           │       ├── curve25519
│   │           │       ├── poly1305
│   │           │       └── selftest
│   │           ├── selftest
│   │           └── uapi
│   └── share
└── share
    ├── applications
    ├── doc
    │   └── perimeter81
    └── icons
        └── hicolor
            ├── 128x128
            │   └── apps
            ├── 16x16
            │   └── apps
            ├── 256x256
            │   └── apps
            ├── 32x32
            │   └── apps
            ├── 48x48
            │   └── apps
            ├── 512x512
            │   └── apps
            └── 64x64
                └── apps

93 directories
```

Here’s the repo with a flake if you want to try: https://github.com/portothree/p81.nix

1 Like
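Since the unpacked tree bundles openvpn, osquery, strongswan and wireguard directories plus prebuilt kernel-module paths, it is worth recording exactly which native binaries the package ships before patching or running any of them. This is an added example, not code from the post or the p81.nix repo; it lists every ELF file with its SHA-256 so two package versions can be diffed, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: inventory of native code in an unpacked vendor package.
# Works on any directory, e.g. the output of `dpkg-deb -x` or a nix `result`.

# is_elf FILE: true when FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
  [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# classify PATH: rough role of an ELF file, judged by its name only.
classify() {
  case $1 in
    *.ko)        echo kmod ;;  # prebuilt kernel module
    *.so|*.so.*) echo lib  ;;  # shared library
    *)           echo exe  ;;  # anything else is treated as an executable
  esac
}

# elf_inventory DIR: one line per ELF file under DIR, formatted as
#   <sha256>  <kind>  <path relative to DIR>
# sorted by path so the output of two package versions can be diffed.
elf_inventory() (
  cd "$1" || exit 1
  # Paths containing newlines are not handled; LC_ALL=C keeps the order stable.
  find . -type f | LC_ALL=C sort | while IFS= read -r f; do
    is_elf "$f" || continue
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s  %s  %s\n' "$sum" "$(classify "$f")" "${f#./}"
  done
)

# Usage: sh elf-inventory.sh ./result > perimeter81-elfs.txt
if [ "$#" -ge 1 ]; then
  elf_inventory "$1"
fi
```

Every `exe` and `lib` line is a file that expects an FHS loader and library paths, and every `kmod` line is code built for a specific kernel.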

I’ll keep you posted if I figure out how to run it. Any help/suggestions would be nice :smile:

Could you share your SSH tunnel setup?
It’s not the end goal, but it would definitely improve my current setup.

I’ll give your nix expression a try. Thanks for kickstarting this.
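The VM-plus-SSH-tunnel workaround mentioned earlier in the thread, as an added example that is not the poster's private setup: it builds one ssh command with every forward bound to loopback on the host. The VM user and address, the internal host names and the ports are placeholders, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: command line for the "VPN in a VM, SSH tunnel from the host"
# workaround. All hosts, users and ports used with it are placeholders.

# valid_port N: true for an integer in 1..65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd USER@VM LPORT:HOST:PORT [...]
# Prints one ssh command that forwards each local port, through the VM, to a
# host that is only reachable over the VPN. HOST is a name or IPv4 address.
tunnel_cmd() (
  [ "$#" -ge 2 ] || { echo "usage: tunnel_cmd USER@VM LPORT:HOST:PORT..." >&2; exit 1; }
  vm=$1; shift
  # A destination starting with "-" would be parsed by ssh as an option.
  case $vm in ''|-*) echo "bad destination: $vm" >&2; exit 1 ;; esac
  args=
  for spec in "$@"; do
    case $spec in *:*:*) ;; *) echo "bad forward spec: $spec" >&2; exit 1 ;; esac
    lport=${spec%%:*}; rest=${spec#*:}
    host=${rest%:*};   rport=${rest##*:}
    case $host in ''|*[!A-Za-z0-9._-]*) echo "bad host in: $spec" >&2; exit 1 ;; esac
    if ! valid_port "$lport" || ! valid_port "$rport"; then
      echo "bad port in: $spec" >&2; exit 1
    fi
    # Explicit loopback bind: the listener stays local to this machine
    # regardless of the GatewayPorts setting in ssh_config.
    args="$args -L 127.0.0.1:$lport:$host:$rport"
  done
  # -N: forwarding only, no remote command.
  # ExitOnForwardFailure: exit instead of running with a missing forward.
  # ServerAlive*: end the session when the VM stops answering.
  echo "ssh -N$args -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 $vm"
)

# Usage: sh tunnel.sh dev@ubuntu-vm 15432:db.internal.example:5432
if [ "$#" -ge 2 ]; then
  tunnel_cmd "$@"
fi
```

With the printed command running, a database client on the host connects to `127.0.0.1` on the chosen local port while the VPN session itself stays inside the VM.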

Erm. Is that a bunch of binaries redistributed without their licenses? Pretty sure at least openvpn is GPLv2. Guess they have a commercial license? Still makes me double take…

Really looks like they’re just internally launching wireguard. Wonder if you can get the config out and just run wireguard yourself. Presumably it’s passed via the command line, maybe a ps can give you the args?

Also possibly worth talking to their support.

1 Like

I tried this and it didn’t take me very far. Maybe my bad luck.

This was my first failed attempt. I will give it another try, cause if it works, I’ll be way better off than with their GUI.

I’ll try to put something together as this is currently in a private repo.

Yes, it’s just a fancy wrapper for wireguard. The main argument to use p81 in my project was to integrate with the single sign-on tool (OneLogin) so managing access is done in a single place, but good shout, I’ll try to see if I can export the authentication keys and use them directly with wireguard as a workaround.