Any luck with Perimeter81?

Hi all! My client uses Perimeter81 for VPN, and their idea of “Linux support” is “here’s a deb package for Ubuntu”.

Right now, I am using an Ubuntu VM to do the few things that are necessary for me to be on a VPN for.

Has anyone managed to get the Perimeter81 app running on NixOS?

1 Like

Here’s an example of someone repackaging a deb for nix: TablePlus *.deb package

I’d try doing the same and seeing if it blows up.

3 Likes

I use Tailscale myself, and have had good results. Seems there are a few Nixers over at Tailscale as well, which is always nice.

Nix/OS really really likes source code, patching binaries is not the way.

Can you get the source code? Is it something that is closed source running on an open-source operating system? Something I could never understand myself.

I’ve got the same problem with parsec…it’s super top secret compression for some reason, no source allowed…again, are these companies living in 1822?

I’m in the same boat, recently forced to use Perimeter81 to access some DBs. My workaround for now was spinning up a VM with Ubuntu, having the connection open there, and then creating an SSH tunnel to access the resources.

I’ll try TTLATER’s suggestion to repackage a .deb.

Here’s what I have tried so far (mostly inspired by how balena etcher derivation is defined in nixpkgs):

{ stdenv, dpkg }:

let version = "8.0.3.654";
in stdenv.mkDerivation {
  pname = "perimeter81";
  inherit version;
  src = builtins.fetchurl {
    url =
      "https://static.perimeter81.com/agents/linux/Perimeter81_${version}.deb";
    sha256 = "0m1fyvvkdjvcs09aizvqpzr2xcybffqmpgdymwa4lwz7rizyxy81";
  };
  nativeBuildInputs = [ dpkg ];
  unpackPhase = ''
    dpkg-deb -x $src .
  '';
  installPhase = ''
    mkdir -p $out/{bin,opt/share}
    cp -r opt $out/
    cp -r usr/share $out/

    substituteInPlace $out/share/applications/perimeter81.desktop \
      --replace "/opt/Perimeter81/perimeter81" $out/opt/Perimeter81/perimeter81
  '';
}

It unpacks the .deb just fine

$ tree result

result
├── bin
├── opt
│   ├── Perimeter81
│   │   ├── artifacts
│   │   ├── binaries
│   │   │   ├── openvpn
│   │   │   │   └── linux
│   │   │   ├── osquery
│   │   │   │   └── linux
│   │   │   ├── strongswan
│   │   │   │   └── linux
│   │   │   └── wireguard
│   │   │       └── linux
│   │   ├── locales
│   │   ├── resources
│   │   ├── swiftshader
│   │   └── upstream
│   │       ├── 3.10.0-1160.el7.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       ├── 4.18.0-240.el8.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       ├── 4.18.0-305.el8.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       ├── 4.18.0-348.el8.x86_64
│   │       │   └── extra
│   │       │       └── wireguard
│   │       └── wireguard-1.0.20200429
│   │           ├── compat
│   │           │   ├── checksum
│   │           │   ├── dst_cache
│   │           │   │   └── include
│   │           │   │       └── net
│   │           │   ├── fpu-x86
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   │           └── fpu
│   │           │   ├── intel-family-x86
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   ├── memneq
│   │           │   ├── neon-arm
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   ├── ptr_ring
│   │           │   │   └── include
│   │           │   │       └── linux
│   │           │   ├── simd
│   │           │   │   └── include
│   │           │   │       └── linux
│   │           │   ├── simd-asm
│   │           │   │   └── include
│   │           │   │       └── asm
│   │           │   ├── siphash
│   │           │   │   └── include
│   │           │   │       └── linux
│   │           │   └── udp_tunnel
│   │           │       └── include
│   │           │           └── net
│   │           ├── crypto
│   │           │   ├── include
│   │           │   │   └── zinc
│   │           │   └── zinc
│   │           │       ├── blake2s
│   │           │       ├── chacha20
│   │           │       ├── curve25519
│   │           │       ├── poly1305
│   │           │       └── selftest
│   │           ├── selftest
│   │           └── uapi
│   └── share
└── share
    ├── applications
    ├── doc
    │   └── perimeter81
    └── icons
        └── hicolor
            ├── 128x128
            │   └── apps
            ├── 16x16
            │   └── apps
            ├── 256x256
            │   └── apps
            ├── 32x32
            │   └── apps
            ├── 48x48
            │   └── apps
            ├── 512x512
            │   └── apps
            └── 64x64
                └── apps

93 directories

Here’s the repo with a flake if you want to try: GitHub - portothree/p81.nix: Attempt to repackage perimeter81 .deb to NixOS

1 Like

I’ll keep you posted if I figure out how to run it. Any help/suggestions would be nice :smile:

Could you share your SSH tunnel setup?
It’s not the end goal, but it would definitely improve my current setup.

I’ll give your nix expression a try. Thanks for kickstarting this.

Erm. Is that a bunch of binaries redistributed without their licenses? Pretty sure at least OpenVPN is GPLv2. Guess they have a commercial license? Still makes me double take…

Really looks like they’re just internally launching wireguard. Wonder if you can get the config out and just run wireguard yourself. Presumably it’s passed via the command line, maybe a ps can give you the args?

Also possibly worth talking to their support.

1 Like

I tried this and it didn’t take me very far. Maybe my bad luck.

This was my first failed attempt. I will give it another try, cause if it works, I’ll be way better off than with their GUI.

I’ll try to put something together as this is currently in a private repo.

Yes, it’s just a fancy wrapper for WireGuard. The main argument to use p81 in my project was to integrate with the single sign-on tool (OneLogin) so managing access is done in a single place, but good shout, I’ll try to see if I can export the authentication keys and use them directly with WireGuard as a workaround.

I started with @portothree’s work as inspiration and ended up at something that generally works including a NixOS module – it’s not perfect and definitely still has some rough edges in places (especially around the FHS), but it’s enough to be able to use p81 for work on NixOS reliably.

3 Likes

Nice work!
I never finished the work because the company moved away from using p81, but glad the initial flake helped a bit.

1 Like

Do you have any details on using your flake? I am trying to use it now, and running into some issues.

I added the flake to my inputs, and am using the overlay and I was able to install your perimeter81 derivation with that. But, when I try to run it I get these errors:

bwrap: Can't find source path /var/lib/perimeter81: No such file or directory

I tried creating that directory, assuming it is just a location it wants to store configuration of some sort, and then I got:

bwrap: Can't find source path /etc/Perimeter81: No such file or directory

So, I created that as well and now I get:

bwrap: Can't create file at /etc/resolv.conf: No such file or directory

That file does exist, and I don’t understand bwrap or the FHS bits enough to understand how to proceed any further.

Also, it looks like there is an exposed option to enable the service, and I tried to turn that on with

services.perimeter81.enable = true;

but it tells me that option doesn’t exist. From what I can see it should… But I’m still fairly new to flakes and haven’t ever tried to expose options like this from one.

It’s probably a little rough around the edges – you can see where I use it here but I also probably created some directories out of band (/etc/Perimeter81 and /var/lib/perimeter81 like you did). I probably should have added some bits to the module to create those if they didn’t exist.

Recommend using the module as it will run the daemon as root – permissions might be your issue with resolv.conf.

Ah! I didn’t realize you could use a module through a flake like that! (I’m still learning)

I’ll give that a try and experiment some more. Thank you!

Hey!
I was able to use the flake and also a new flake someone forked, but I was unable to actually log in.

It opens normally, but when I click “log in” or “sign up” it doesn’t do anything; it should open a browser… Any info/help?

I see this error when it is opened from the command line:

➜ perimeter81       
/usr/lib/libc.so.6: version `GLIBC_2.38' not found (required by /nix/store/21kx0hp82mrjx3cva189p417kcqnbwxq-gvfs-1.54.2/lib/gio/modules/libgvfsdbus.so)
Failed to load module: /nix/store/21kx0hp82mrjx3cva189p417kcqnbwxq-gvfs-1.54.2/lib/gio/modules/libgvfsdbus.so

I am on NixOS.

I was able to fix it myself.

Forked and updated the flake to use nixos-24.05, not sure if that was the right thing, but seems to have worked. I am still quite new to NixOS.

Thanks

1 Like
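Added example, not code from any poster or from the flakes discussed in this thread: one way to consume a Perimeter81 flake so that `services.perimeter81.enable` exists (the module is imported, not just the overlay), the two directories bwrap reported as missing are created declaratively, and the package is built against the same nixpkgs release as the rest of the system. The input URL, the `nixosModules.default` attribute name, the host name `myhost`, and the flake having an input called `nixpkgs` are assumptions.

```nix
# flake.nix -- added example; names marked "assumed" are not from the thread.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

    # Placeholder URL: point this at the Perimeter81 flake you actually use.
    p81.url = "github:OWNER/REPO";
    # Assumed: the flake declares an input named "nixpkgs". Following the
    # system's nixpkgs keeps the wrapped client and the host libraries it
    # loads on the same release (the thread's GLIBC_2.38 error went away
    # after moving the flake to nixos-24.05).
    p81.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, p81, ... }: {
    # "myhost" is a hypothetical host name.
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix

        # Assumed attribute name; check with: nix flake show github:OWNER/REPO
        # Without this import the option below "does not exist".
        p81.nixosModules.default

        ({ ... }: {
          # Option name as quoted in the thread; the module runs the
          # daemon as root.
          services.perimeter81.enable = true;

          # Create the bind-mount sources bwrap complained about, owned by
          # root, instead of creating them by hand out of band.
          systemd.tmpfiles.rules = [
            "d /var/lib/perimeter81 0755 root root -"
            "d /etc/Perimeter81 0755 root root -"
          ];
        })
      ];
    };
  };
}
```

The 0755 mode matches what a plain `mkdir` as root produces, which is what the posters above did by hand.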