Forem: Archer Allstars

Install Windscribe VPN Client in a Distrobox Container on Any Linux Distro!

Archer Allstars — Sun, 22 Mar 2026 06:33:26 +0000

Windscribe is a legitimate, privacy-focused VPN service with strong security features. It's regarded as one of the top VPN providers among enthusiasts in privacy-focused communities.

Moreover, you can see miles away from the download page that it takes Linux users seriously. From my personal experience with the client, this is, by far, the best Linux compatible VPN client in the market!

The client also works flawlessly inside a container, eliminating the need of layering the client on an immutable OS like Fedora Silverblue.

Here are reasons why you should consider Windscribe:

There are many connection protocols available, WireGuard, Stealth, WStunnel, OpenVPN, IKEv2 (on mobile). The differences between them depend on your use case
- WireGuard is the fastest.
- Stealth is a censorship circumvention (China, Russia, Iran), restrictive networks.
- WStunnel is a last-resort option for the toughest firewalls or corporate networks.
If that's not enough, there are more to circumvent censorship, decoy traffic, MAC spoofing, and GPS spoofing.
Port forwarding is supported 🤫
Split tunneling is supported.
CLI client for those on headless servers
Many DNS resolver profiles, blocking malware, ads, and trackers by default.
Static IP is available, along with static port for port forwarding. This is a killing feature for your remote home projects 🧰
Config files for OpenVPN, IKEv2 and WireGuard are available.
Arcade sound for the connection! 👾🕹️ This feature sealed the deal for me 😆
And many more, see all features!

Install Windscribe in a Container

👉️ Table of contents:

Install distrobox 🪩, podman 💊, and screen 📺️
Configure distrobox to use podman
Create a Container 📦️
Install Windscribe client in the Container
Enable the Client's Helper
Create a Launcher Script 🚀 and a Desktop File 🖥️ on the Host
Make the Container Update Itself Automatically, Zero Maintenance! 😍

🧧 And More:

Config Your Firewall 🔥 to Have Port Forwarding 🔌 Working Correctly
- For ufw System
- For firewalld System
Check the Reach-ability of Your Opened Port 🔍️
- GUI way
- CLI way

😱 Limitations

App-based Split Tunneling 🪓
- Solution ✅️
A Container-safe 👷 Startup Delay
- Solution ✅️

1. Install `distrobox` 🪩, `podman` 💊, and `screen` 📺️

The command will be differ based on your specific package manager. Refer to your distro's docs. For example, on Fedora Silverblue:

sudo rpm-ostree install distrobox podman screen

After the installation, reboot your system to activate the new layer. For other mutable distros, there's no need to reboot.

2. Configure `distrobox` to use `podman`

echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf

3. Create a Container 📦️

I use the official container image from Ubuntu, as I also use the image for ZeroTier and Cloudflare WARP. Otherwise, you could use openSUSE image instead:

registry.opensuse.org/opensuse/distrobox:latest

Because:

It's easier to maintain as it uses a rolling release model, no need to worry about the EOL date of the image/OS.
It offers some x86-64-v3 packages, free performance boost!, just by installing the patterns-glibc-hwcaps-x86_64_v3 package.

⚠️ Do NOT create a rootful init container, as it can cause ownership/permission conflicts on shared volumes between the host and other containers.

Creating a Container for Windscribe (Ubuntu Image)

distrobox create -i docker.io/library/ubuntu:latest -n vpn-dbx--root -H ~/distrobox/vpn-dbx--root --additional-packages "pipewire libxcb-shape0 libnl-genl-3-200" --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket --additional-flags "--device=/dev/net/tun --cap-add=NET_ADMIN --cap-add=SYS_ADMIN" -r

I add the pipewire package to have the audio working for the arcade sound in the client 👾🕹️
libxcb-shape0 and libnl-genl-3-200 are used by the client.
/run/dbus/system_bus_socket, /dev/net/tun, along with --cap-add=NET_ADMIN --cap-add=SYS_ADMIN are universally necessary for any app that wants to modify the state of your network.
-r is used to create a rootful container, for obvious reason.

4. Install Windscribe client in the Container

Please refer to Windscribe's official download page.

Update All Packages in the Container

sudo apt update

Install the Official Client You Downloaded

For example:

sudo apt install ./windscribe_2.20.7_amd64.deb

5. Enable the Client's Helper

The client requires its helper running to function. Normally, if you install/layer the client directly on the system, the installer script will create a systemd unit for the helper automatically. But no worry, it can be done easily.

Create a Service Running the Helper

sudo nano /etc/systemd/system/windscribe-helper.service

Inside the file:

[Unit]
Description=Start Windscribe VPN Helper
After=network-online.target
Wants=network-online.target
RequiresMountsFor=%t/containers
StartLimitIntervalSec=30
StartLimitBurst=5

[Service]
Type=exec
ExecStartPre=/bin/podman start vpn-dbx--root
ExecStart=/bin/podman exec vpn-dbx--root bash -c "/opt/windscribe/helper"
Restart=on-failure
RestartSec=5
RemainAfterExit=yes

Create a Timer Triggering the Helper Service

sudo nano /etc/systemd/system/windscribe-helper.timer

Inside the file:

[Unit]
Description=A trigger to start Windscribe's helper on startup

[Timer]
OnBootSec=25
RandomizedDelaySec=10

[Install]
WantedBy=timers.target

Reload and Enable the Timer

sudo systemctl daemon-reload && sudo systemctl enable --now windscribe-helper.timer

The helper is now running in the background 👟

6. Create a Launcher Script 🚀 and a Desktop File 🖥️ on the Host

It wouldn't be practical if you have to manually type a lengthy command in the terminal just to open a VPN client 😆

There are extra steps we will have to do to circumvent the security of our rootful container. But no worry, I will NOT do it in a way that compromises the security, as it's there for a reason.

I will simply use a wrapper script to launch the client. Then, put the script in a desktop file, so we can launch the app by clicking at a beautiful app icon like any other apps on your system.

The Wrapper Script

nano ~/.local/bin/windscribe-launcher.sh

Inside the file:

#!/bin/bash

# Define container name and flag file
CONTAINER_NAME="vpn-dbx--root"
READY_FLAG="/tmp/${CONTAINER_NAME}-ready.flag"

# Define the app's binary path and its StartupWMClass name
# The StartupWMClass has to be set up correctly. On GNOME, use Alt+F2 then lg to check the correct StartupWMClass of any app
APP_BINARY_PATH="/opt/windscribe/Windscribe"
APP_STARTUP_WM_CLASS_NAME="Windscribe"

: <<'SYSTEM_SERVICE_FILE_SECTION'
If you don't use/enable the system service file,
or you don't want to check whether it's running,
you can safely remove this whole section.
SYSTEM_SERVICE_FILE_SECTION

APP_HELPER_SERVICE_NAME="windscribe-helper.service"

# If invoked with "launch" argument, skip service start and proceed
if [ "$1" = "launch" ]; then
    shift
else
    # Check if the service is active (system service)
    if ! systemctl is-active -q ${APP_HELPER_SERVICE_NAME}; then
        echo "$APP_HELPER_SERVICE_NAME is not active. Attempting to start it..."
        if [ "$(id -u)" -eq 0 ]; then
            # Start directly
            if systemctl start ${APP_HELPER_SERVICE_NAME}; then
                echo "$APP_HELPER_SERVICE_NAME started successfully (as root)."
            else
                echo "Failed to start $APP_HELPER_SERVICE_NAME (as root)."
                exit 1
            fi
            # Drop back to original user and re-run
            exec runuser -u "${SUDO_USER:-$USER}" -- "$0" launch
        else
            # Use pkexec with retries
            MAX_RETRIES=3
            ATTEMPT=1
            while [ $ATTEMPT -le $MAX_RETRIES ]; do
                if pkexec systemctl start ${APP_HELPER_SERVICE_NAME}; then
                    echo "$APP_HELPER_SERVICE_NAME started successfully."
                    break
                else
                    echo "Failed to start $APP_HELPER_SERVICE_NAME (attempt $ATTEMPT/$MAX_RETRIES)."
                    ATTEMPT=$((ATTEMPT + 1))
                fi
            done
            if [ $ATTEMPT -gt $MAX_RETRIES ]; then
                echo "Exceeded maximum retries. Exiting."
                exit 1
            fi
        fi
        # Re-execute to separate pkexec calls
        exec "$0" launch
    fi
fi

### End of SYSTEM_SERVICE_FILE_SECTION

# Check if the systemd scope is active (indicating the app is running)
if systemctl --user is-active -q ${APP_STARTUP_WM_CLASS_NAME}.scope; then
    # Check if there's an existing app's window
    exists=$(gdbus call --session --dest org.gnome.Shell --object-path /org/gnome/Shell --method org.gnome.Shell.Eval "
    global.get_window_actors()
        .map(a => a.meta_window)
        .some(w => w.get_wm_class() === '$APP_STARTUP_WM_CLASS_NAME');" | grep -o 'true')

    if [ "$exists" = "true" ]; then
        # Activate the existing window
        gdbus call --session --dest org.gnome.Shell --object-path /org/gnome/Shell --method org.gnome.Shell.Eval "
        const window = global.get_window_actors()
            .map(a => a.meta_window)
            .find(w => w.get_wm_class() === '$APP_STARTUP_WM_CLASS_NAME');
        if (window) {
            window.activate(global.get_current_time());
        }"
    else
        # No window but scope active: Send resume command to persistent screen session (no prompt)
        screen -S ${APP_STARTUP_WM_CLASS_NAME}-dbx -p 0 -X stuff "${APP_BINARY_PATH}\r"
    fi
    exit 0
fi

# If scope not active, ensure persistent screen session for container entry
if ! screen -ls | grep -q "${APP_STARTUP_WM_CLASS_NAME}-dbx"; then
    # Clean up any old flag (optional, for safety)
    rm -f "$READY_FLAG"

    # Start detached screen session that enters the container and signals readiness (pkexec prompt for graphically auth)
    # The command runs ONLY after the container is ready: touch the flag, then keep the session open with bash
    screen -dmS ${APP_STARTUP_WM_CLASS_NAME}-dbx sh -c "DBX_SUDO_PROGRAM=pkexec distrobox-enter -r $CONTAINER_NAME -- bash -c 'touch $READY_FLAG && bash'"

    # Wait for the flag file to appear (poll with a timeout for safety)
    TIMEOUT=60 # Max seconds to wait
    ELAPSED=0
    while [ ! -f "$READY_FLAG" ]; do
        if [ "$ELAPSED" -ge "$TIMEOUT" ]; then
            echo "Timeout: Container did not become ready in $TIMEOUT seconds."
            # Optional: Kill the screen session if timed out
            screen -S ${APP_STARTUP_WM_CLASS_NAME}-dbx -X quit
            exit 1
        fi
        sleep 1
        ELAPSED=$((ELAPSED + 1))
    done

    # Container is ready! Clean up the flag and proceed
    rm -f "$READY_FLAG"
    echo "Container is ready. Running next command..."
fi

# Send the initial launch command to the screen session
screen -S ${APP_STARTUP_WM_CLASS_NAME}-dbx -p 0 -X stuff "systemd-run --scope --user --unit=${APP_STARTUP_WM_CLASS_NAME}.scope $APP_BINARY_PATH &\r"

exit 0

Explanation 🤓

If you need it, this script works with any app in a rootful container. Here are all the variables you can change at the top of the script:

CONTAINER_NAME, as the name suggests.
READY_FLAG is used to check the readiness of the container.
APP_BINARY_PATH is the binary path of the app you want to use. In this case, it's /opt/windscribe/Windscribe.
APP_STARTUP_WM_CLASS_NAME is the StartupWMClass of the app. It has to be set up correctly. On GNOME, use Alt+F2 then lg to check the correct StartupWMClass of any app.
APP_HELPER_SERVICE_NAME is the file name of the helper service we have created in the previous step. You don't have to wait for the helper to start, if you're in such a hurry, you can launch the app whenever you want, the script will help you launch the helper too if it's not already running!

Thanks to systemd-run and its scope unit, we can check easily whether the app's running, then use different commands to activate the app's window. I would say, not only this is native, but cleaner and more reliable than any other methods.

Then, I use gdbus to manipulate the state of the app's window. This is a native way on GNOME, so it works seamlessly on GNOME, but I don't know about the compatibility with other desktop environments.

But as I don't use other DEs, I wouldn't dare to publish the code that I didn't test or have any idea of. Therefore, if any of you have any idea on how to make it work with other DEs like KDE, COSMIC DE, or even tiling window managers like Hyprland, Niri, etc., please comment down below with a working script.

I also use screen to have a persistent session for distrobox-enter -r to our rootful container, so we don't have to enter our sudo password every single time we click on the app's icon 😂

The Desktop File

nano ~/.local/share/applications/windscribe.desktop

Inside the file:

[Desktop Entry]
Type=Application
Icon=/var/home/archerallstars/.local/share/icons/windscribe.png
Name=Windscribe
Comment=Start Windscribe VPN
Keywords=vpn;windscribe
Exec=/bin/bash /var/home/archerallstars/.local/bin/windscribe-launcher.sh
StartupWMClass=Windscribe
Terminal=false

⚠️ Replace /var/home/archerallstars with your host system's $HOME absolute path (the path without ~).

💡 You can download the app icon easily from the Play Store 🛍️ Then, replace the icon's path on the above with your icon's absolute path.

Now, you have the client 100% fully working!

You can check your public IP address and DNS resolver to see if they're matched with the ones showing in your Windscribe client, and also to see if there's any DNS leak by using https://dnscheck.tools/

For what it's worth, you might want to change your systemd-resolved's DNS over TLS setting to opportunistic, so it won't interfere with your VPN's DNS setup.

sudo nano /etc/systemd/resolved.conf

Then, in the file:

[Resolve]
DNSOverTLS=opportunistic

Lastly, restart systemd-resolved:

sudo systemctl restart systemd-resolved

7. Make the Container Update Itself Automatically, Zero Maintenance! 😍

Create a Service File

sudo nano /etc/systemd/system/vpn-dbx-upgrade.service

In the file:

[Unit]
Description=Upgrade vpn-dbx--root
After=network-online.target
Wants=network-online.target
RequiresMountsFor=%t/containers
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
Type=exec
ExecStartPre=/bin/podman start vpn-dbx--root
ExecStart=/bin/podman exec vpn-dbx--root bash -c "apt update -y && apt full-upgrade -y"
Restart=on-failure
RestartSec=60
RemainAfterExit=yes

Create a Timer File

sudo nano /etc/systemd/system/vpn-dbx-upgrade.timer

In the file:

[Unit]
Description=Upgrade vpn-dbx--root daily.

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=5min

[Install]
WantedBy=timers.target

Reload and Enable the Timer

sudo systemctl daemon-reload && sudo systemctl enable vpn-dbx-upgrade.timer

Config Your Firewall 🔥 to Have Port Forwarding 🔌 Working Correctly

It depends on your host's firewall. For example, Ubuntu uses ufw, Fedora uses firewalld.

For `ufw` System

Check your firewall status:

sudo ufw status verbose

If it's enabled, you will need to open the correct port that you've opened in your Windscribe account's port forwarding page:

sudo ufw allow <port>/tcp && sudo ufw allow <port>/udp

⚠️ Change to your desired port number.

For `firewalld` System

1. Create a New Zone in `firewalld`

List all the available zones:

firewall-cmd --get-zones

We will create a new zone called vpn, if it's not presented yet, create a new one:

sudo firewall-cmd --permanent --new-zone=vpn

Reload firewalld for it to take effect:

sudo firewall-cmd --reload

Check all the available zones again:

firewall-cmd --get-zones

Now, vpn should be listed as one of the zones.

2. Finding the Interface's Name Using Network Manager

⚠️ It's possible to add a new interface to firewalld's zones using the Network Manager, but it'll be conflicted with how Windscribe's client manages the network. Therefore, you should use firewalld to manage its firewall's rules. Never use the Network Manager to manage your firewall rules!

firewalld, however, only knows and manages the interfaces that are bound to one of its zones. It cannot see any newly created interfaces that have never been introduced to it. Therefore, we use the Network Manager to list all the active interfaces on our system instead.

Finding your active connection name first:

nmcli connection show --active

It will return something like:

NAME                UUID                           TYPE  DEVICE 
YourConnectionName  xxxxxxxxxxxxxxxxxxxxxxxxxxxxx  wifi  xxxxxx

Note down your connection name. Usually, it will be something that has tun it its name. If you have connected to the VPN network, you can use an app like Resources to know the name for sure.

3. Adding the Interface to `firewalld` Permanently

sudo firewall-cmd --zone=vpn --change-interface='YourConnectionName' --permanent

Reload the firewall (to apply the change):

sudo firewall-cmd --reload

Also, check whether the interface is already in firewalld's zone (it should):

firewall-cmd --zone=vpn --list-interfaces

4. Adding the Required Ports to `firewalld`'s Zone Permanently

List all the rules in vpn zone:

firewall-cmd --zone=vpn --list-all

💡 If it doesn't show any port number after the ports: entry, this means firewalld is blocking all incoming ports in this zone (vpn).

You can add your port like this:

sudo firewall-cmd --permanent --zone=vpn --add-port=<yourport>/tcp
sudo firewall-cmd --permanent --zone=vpn --add-port=<yourport>/udp

⚠️ Replace <yourport> with the port you want to allow in the firewall.

Reload the firewall (to apply the change):

sudo firewall-cmd --reload

If you want to remove the port, since most of you would use an ephemeral port anyway:

sudo firewall-cmd --zone=public --remove-port=<yourport>/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=<yourport>/udp --permanent

⚠️ Replace <yourport> with the port you want to allow in the firewall.

😅 firewalld is very complicate. If you can't connect with your local devices, you need to add mDNS and process forwarded traffic into this new vpn zone. It's the default public zone settings in Fedora that works for me with an app like LocalSend, for example.

sudo firewall-cmd --permanent --zone=vpn --add-service=mdns

sudo firewall-cmd --permanent --zone=vpn --add-forward

sudo firewall-cmd --reload

Check the Reach-ability of Your Opened Port 🔍️

First, please don't use any of the online port checkers like portchecker.co, for example. It never works for me...

The reliable way to test the reach-ability of your opened port is through torrent clients like Fragments, for example:

For Headless Folks

You can use this command to check the reach-ability of your opened port in the terminal like this:

p=<port_number>; curl -s https://portcheck.transmissionbt.com/$p | grep -q '^1' && echo -e "\033[1;32m✅ Port $p is OPEN\033[0m" || echo -e "\033[1;31m❌ Port $p is CLOSED\033[0m"

⚠️ Please change the <port_number> to the one you want to check.

This will return:

✅ Port XXXXX is OPEN

Or:

❌ Port XXXXX is CLOSED

😱 Limitations

App-based Split Tunneling 🪓

💡 It should be noted that while we need to work around the app-based split tunneling, IP-based split tunneling is fully working. You can check your current IP routing table with ip route show command. The client's GUI simply routes your desired IPs using the routing table.

The issue with the app-based split tunneling is expected, as we install the client in a container, so there's a layer of separation, even for a rootful container. Therefore, the client doesn't see any of your apps on the host or in other containers.

But no worry! This is a soft limitation, not a hard one or a blocker.

Solution ✅️

If you really need this functionality, you can install the client in a rootless container with distrobox-create command's --unshare-netns option.

Basically, all routing, interfaces, and VPN tunnels stay confined to the container's network, so the VPN connection stay inside the container and won't be routed on the host, as the container simply lacks the capability/permission to do so.

You can create a container for the apps that you want to connect through the VPN, while leaving your host's connection outside the VPN tunnel. This behavior is exactly the same with Windscribe client's split tunneling in the inclusive mode:

⚠️ Please enable your Windscribe's VPN connection before creating a container. Because pasta, the new podman (v5.3+) container's network interface, even though it's a lot faster than before, it will only capture your host's current DNS addresses into the container.

💡 You can also specify multiple DNS addresses using distrobox-create's --additional-flags "--dns 1.1.1.1 --dns 9.9.9.9", for example. If you use this flag, remember to also include at least one public DNS resolver, so you always have the connection.

✍️ Without the --dns flag, pasta will create a DNS forwarding entry, so whatever your host DNS is, it will be used in the container dynamically.

⚠️ The VPN client can only use the DNS as per pasta's snapshot inside the container in /etc/resolv.conf (changing this later on won't have any effects). Therefore, if the VPN's DNS address wasn't there from the start, it would regress back to your current DNS resolver on the host (through pasta's DNS forwarding entry), hence leaking. In that case, please re-create the container again when you have the VPN connection up on the host 😅

✍️ Otherwise, you can create an init container with its own systemd-resolved and all, but it won't integrate well with the host. Therefore, I don't recommend this route.

Now, finally, we can create a VPN only container:

distrobox-create -i registry.opensuse.org/opensuse/distrobox:latest -n vpn-apps-dbx -H ~/distrobox/vpn-apps-dbx --unshare-netns --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket --additional-packages "libnl3-200 libxkbcommon-x11-0 libxcb-icccm4 libxcb-keysyms1 NetworkManager" --additional-flags "-p 127.0.0.1::57383"

Now, I use the openSUSE image instead of Ubuntu image, as a rolling release container is much easier to maintain, or rather, to not having to maintain anything 😂
--unshare-netns so we use the container's network interface instead of the host's network interface (--network=host).
-p 127.0.0.1::57383 is basically tell podman that only your host can talk to the container directly. Otherwise, others on the internet can bypass your host's firewall and talk to your container directly, hence a significant security risk. This is something you'll have to be careful when using the container's network interface (pasta) instead of --network=host. You can use any port number with -p 127.0.0.1::<container-port>.

🤩 With a rootless container, you would be able to upgrade all your containers at once by using the distrobox-upgrade --all command. Make it run daily in the background using a --user systemd service, like I wrote here, for example. Moreover, You can use Pods to manage your rootless containers beautifully:

The rest of the setup is the same as with a rootful container, except now, you don't have to circumvent the security of a rootful container. Meaning, everything works OOTB without the wrapper script.

⚠️ Remember that /opt/windscribe/helper have to be run with sudo, so when you export it with distrobox-export don't forget to add --sudo flag. And now that this is a rootless container, remember to use a systemd's --user service, not the root one (without the --user flag), to launch it on the container's start up.

After you set everything up and running, provided you set up your firewall correctly, you can check your opened port forwarding by using Transmission in the container:

A Container-safe 👷 Startup Delay

This is unfortunately, a hard limitation. There's nothing we can do about it. I put some delay in all my containers' initial process. I use 25 seconds delay for the client's helper here.

Otherwise, the system's booting process could crash entirely due to early-boot dependency race with the container runtime, storage, networking, or cgroup/setup layers.

See more here.

Solution ✅️

We can simply install all of the apps that we want to have the VPN connection at all time inside a rootless container, as shown on the above.

With this solution, there will be no leak, as you have orderly control when launching the apps inside the container using systemd's After= and Requires= directives.

Therefore, it doesn't matter if you can't have the VPN connection right away on startup.

Thanks for reading 🤓

Cover Photo by Thomas Richter on Unsplash

A Container Photo by Sophie Cardinale on Unsplash

A WiFi Device Photo by Amal S on Unsplash

A Hand Photo by Frankie Mish on Unsplash

A Workplace Photo by ryu _ on Unsplash

I've updated this walkthrough to work with the latest version of Podman, Distrobox, and "any" of your favorite Linux OS! Cloudflare WARP is the easiest way to enable IPv6 and security on your network today.

Archer Allstars — Tue, 10 Mar 2026 21:03:57 +0000

Archer Allstars

Apr 15 '24

Install Cloudflare WARP on any Linux Distro, Thanks to Distrobox!

#tutorial #linux #productivity #network

Comments 3

7 min read

Install Mailspring, the Best Free Email App on Linux, in a Distrobox Container!

Archer Allstars — Mon, 29 Dec 2025 03:48:23 +0000

From my experience, it's actually the best free, open source, and underrated email app on Linux, see its GitHub repo.

The GUI is sharp and modern.
It has an excellent built-in email language translator.
It follows the system's light/dark theme (using a plug-in system).
Many email providers are supported OOTB with single sign-on system.
Can be run in the background with the obvious --background flag.
Pro subscription is available for more features, see here!

But if you only use one email, an email client probably doesn't matter much 😂

Why Not Geary?

This is the go-to email client for many. With the adw-gtk3 theme and the Legacy (GTK3) Theme Scheme Auto Switcher GNOME extension, it blends very well with GNOME and other Adwaita apps. It also integrates with GNOME Online Accounts.

Unfortunately, its Flatpak version is plagued with a non-debuggable crashing issue (Geary issue #1679) to the point that it's unusable for me now.

And as I am on Fedora Silverblue, I am not willing to layer something like an email client... And I can't find a way to make it follow the system's light/dark theme in a container.

Therefore, I uninstalled it and never looked back.

Why not Evolution?

I don't want to use an email client with the 90s graphical interface.

Why not Thunderbird?

I want my email client to be an email client, not also a calendar client, etc.

👉️ Table of contents

Install Distrobox and Podman
Configure Distrobox to Use Podman
Create a Container 📦️
Enable x86-64-v3 Packages
Install Required Packages
[optional] Symlink fonts and fontconfig Directories on the Host
Install Mailspring
Export Mailspring to the Host
Make Mailspring Follow the System’s Light/Dark Theme
Start Mailspring in the Background on Startup
Update the Container Automatically, Zero Maintenance!

1. Install Distrobox and Podman

The command will differ based on your specific package manager. Refer to your distro's docs. For example, on Arch based distros:

sudo pacman -S distrobox podman

On Fedora Silverblue, Podman is installed by default. The rest is layering Distrobox:

sudo rpm-ostree install distrobox

You need to reboot to use the layered package.

2. Configure Distrobox to Use Podman

echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf

3. Create a Container 📦️

I use openSUSE container image because:

It has x86-x64-v3 packages.
It uses a rolling release model, so I don't have to worry about the EOL date of the image/OS, hence eliminated the necessarily of upgrading my container. Basically, it's the setup that you can forget about it once it's done 😁

distrobox-create -i registry.opensuse.org/opensuse/distrobox:latest -n email-dbx -H ~/distrobox/email-dbx --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

Don't forget to add --nvidia if you have NVIDIA GPU. See more here.

4. Enable x86-64-v3 Packages

Enter the container and update all the packages first:

sudo zypper dup

Enable x86-64-v3 packages:

sudo zypper install patterns-glibc-hwcaps-x86_64_v3

5. Install Required Packages

sudo zypper install zenity mozilla-nspr mozilla-nss libcanberra-gtk3-module libwebkitgtk-6_0-4 libgbm1 libtidy58 libcurl4

6. [optional] Symlink fonts and fontconfig Directories on the Host

This is usually necessary for multilingual individuals if they want to change the font for a specific language.

Make the Required Directories Inside the Container

mkdir -p ~/.local/share

mkdir -p ~/.config/fontconfig

Symlink With the Host

ln -s /var/home/archerallstars/.local/share/fonts ~/.local/share/

ln -s /var/home/archerallstars/.config/fontconfig/conf.d ~/.config/fontconfig/

Replace /var/home/archerallstars with your home directory!

7. Install Mailspring

Simply go to the official download page and download the .rpm package.

You can install any .rpm packages locally (inside the container) with:

sudo zypper install ./<package-name>.rpm

For example:

sudo zypper install ./mailspring-1.19.0-0.1.x86_64.rpm

When you're being asked about the package's signature, just ignore it (hit i).

8. Export Mailspring to the Host

distrobox-export -a mailspring

You should see the app's icon on your app drawer on the host now.

Exit the container with exit.

9. Make Mailspring Follow the System’s Light/Dark Theme

Many thanks to Andrew Minion and his Mailspring Automatic Light-Dark Mode plug-in.

Simply download or clone the repo directory, then copy the entire directory to ~/distrobox/email-dbx/.config/Mailspring/packages

Then, in the Mailspring app, from the menu bar:

Developer > Install a Plugin...

Choose the plug-in directory in ~/distrobox/email-dbx/.config/Mailspring/packages.

The plug-in works instantly without having to restart the app. You can try switching your system theme between light and dark.

After this, you can hide the ancient menu bar, as shown in the screenshot below:

Toggle the menu bar with Alt.

10. Start Mailspring in the Background on Startup

We'll use the systemd for this.

The service file:

nano ~/.config/systemd/user/mailspring.service

[Unit]
Description=Mailspring
RequiresMountsFor=/run/user/1000/containers

[Service]
Type=exec
ExecStart=/usr/bin/distrobox-enter  -n email-dbx  --   mailspring --background

The timer file:

nano ~/.config/systemd/user/mailspring.timer

[Unit]
Description=Start Mailspring service with some delay.

[Timer]
OnStartupSec=40
RandomizedDelaySec=10
Persistent=true

[Install]
WantedBy=timers.target

Reload and enable the timer:

systemctl --user daemon-reload && systemctl --user enable mailspring.timer

11. Update the Container Automatically, Zero Maintenance!

This will automatically update all rootless Distrobox containers on your system!

Create a User `systemd` Service on the Host

nano ~/.config/systemd/user/dbx-upgrade.service

Inside the service file:

[Unit]
Description=Upgrade all Distrobox containers
RequiresMountsFor=/run/user/1000/containers
StartLimitBurst=3
StartLimitIntervalSec=600

[Service]
Type=exec
ExecStart=sh -c "distrobox-upgrade --all"
Restart=on-failure
RestartSec=60

Create a Timer

nano ~/.config/systemd/user/dbx-upgrade.timer

Inside the timer file:

[Unit]
Description=Start Distrobox containers upgrade service with some delay.

[Timer]
OnStartupSec=45
RandomizedDelaySec=15
Persistent=true

[Install]
WantedBy=timers.target

Reload and enable the timer:

systemctl --user daemon-reload && systemctl --user enable dbx-upgrade.timer

Cover Photo by Utsav Srestha on Unsplash

My Opinionated Fedora Silverblue Setup

Archer Allstars — Sat, 27 Dec 2025 23:06:08 +0000

This is intended to be my personal note of what I will do after installing Fedora Silverblue.

But why does it have to be Fedora Silverblue?

Because it's so simple to use, i.e., it's so simple to debug, since the core is immutable and the update process is atomic. Moreover, as almost everything is being layered on the base system, you can start anew easily without affecting the base system in anyway, doesn't leave any residues, etc. even the config files...

Basically, it's a system that you or your mom/grandma can't break.

Enable Transparent Disk Compression
Using a Secure DNS Resolver
Enable BBR, a Better Network Congestion Control Algorithm
Enable ptrace_scope = 1
Changing the Default ZRAM Configuration
Enable RPM Fusion for Nonfree Codecs
Removing All the Apps From Fedora’s Flatpak and Disable the Repo Entirely From the App Store
Removing All the Unused Apps From the Default Image (Base System)
Enable the System’s Auto-Update
[Bonus] GNOME Extensions That I Use

1. Enable Transparent Disk Compression

Sadly, this technology that's available natively with Btrfs file system that the system uses is not enabled by default.

As someone who wants to save his disk space whenever it's possible, so I enable it.

First, find out your current kernel boot parameters (to avoid duplicates):

rpm-ostree kargs

It should return many parameters, including rootflags=subvol=root to which is our target for enabling the compression.

You can simply append your custom parameters after the ones from the default configuration that's can't be replaced or deleted for obvious reason like this:

sudo rpm-ostree kargs --append="rootflags=subvol=root,compress=zstd:1"

Then, reboot the system for it to take effect.

I use the compression level 1 instead of the default (3), that's because it uses the least CPU time while providing a reasonable compression ratio, see more on here.

You can also add other kernel boot parameters with the same command, for example, snd-intel-dspcfg.dsp_driver=1 to use the HD Audio driver instead of the default AVS driver on some old Intel hardware, at least until this issue is sorted out.

Compress Existing Data

The above command will only compress new data. To compress existing data:

sudo btrfs filesystem defragment -r -v -f -czstd /var

2. Using a Secure DNS Resolver

I wrote about this in detail here.

Configure `/etc/systemd/resolved.conf`

sudo nano /etc/systemd/resolved.conf

Then, in the file:

[Resolve]
DNSOverTLS=opportunistic

I use DNSOverTLS=opportunistic because it's the only way currently to have both non-leaking DNS when using a VPN (with its own DNS) and to be able to configure your preferred secure DNS in the settings' GUI.

If you use DNSOverTLS=no (the default value), you have non-leaking DNS when using a VPN (with its own DNS), but you won't be able to configure any secure DNS in the GUI at all.

If you use DNSOverTLS=yes, you won't be able to use VPN with its DNS setup, hence forcing to be leaked. Also, you won't be able to configure any secure DNS in the GUI at all. This is the worst setup!

At least, this is the situation currently in Fedora Silverblue.

Just make sure to configure your preferred secure DNS in the GUI as per connection. But if you don't use VPN, you can just use DNSOverTLS=yes and have your secure DNS set up in /etc/systemd/resolved.conf globally. See more here.

Lastly, restart systemd-resolved:

sudo systemctl restart systemd-resolved

Configure Your Preferred DNS Resolver in the GUI

For example, using Cloudflare (with malware filtering) as your DNS resolver:

IPv4

1.1.1.2, 1.0.0.2

IPv6

2606:4700:4700::1112, 2606:4700:4700::1002

3. Enable BBR, a Better Network Congestion Control Algorithm

I wrote about this in detail here.

Enable the Module

Check whether the module is already enabled:

lsmod | grep bbr

If it doesn't return anything, you must enable tcp_bbr module first:

echo "tcp_bbr" | sudo tee /etc/modules-load.d/bbr.conf

Then, reboot.

Change the Congestion Control Algorithm to BBR

Edit the /etc/sysctl.conf file:

sudo nano /etc/sysctl.conf

Add these lines:

net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

Reboot the system again. Then, check the current congestion control algorithm with:

sysctl net.ipv4.tcp_congestion_control

4. Enable `ptrace_scope = 1`

This is necessary to get a complete sandboxing in Chromium-base browsers. It's enabled by default in Ubuntu, Arch, and openSUSE (from my request 😄).

I wrote about this in detail here.

Check Your Current `ptrace_scope` Value

cat /proc/sys/kernel/yama/ptrace_scope

Enable `ptrace_scope = 1`

If it's not enable yet (returns 0 from the above command), copying the default config file and edit it:

sudo cp /usr/lib/sysctl.d/10-default-yama-scope.conf /etc/sysctl.d/

sudo nano /etc/sysctl.d/10-default-yama-scope.conf

Changing the last line from kernel.yama.ptrace_scope = 0 to kernel.yama.ptrace_scope = 1.

Then, reboot.

5. Changing the Default ZRAM Configuration

It's a good thing that Fedora enabled ZRAM by default, but I find it's too conservative, especially for a system that doesn't have a lot of RAM.

So, I make it 1.5x the amount of my physical RAM. And I also set the swap-priority = 100, as ZRAM doesn't use [slowish]disk as a swap medium; therefore, I want to swap (compress the data on RAM) ASAP, so it won't use a ton of CPU time all at once when the system already has very little resource left to do anything, if at all.

Creating a New Configuration File

Fedora uses zram-generator to manage its ZRAM configuration. First, we'll create a directory for a new rule that will override the default configuration:

sudo mkdir -p /etc/systemd/zram-generator.conf.d

Then, create a config file:

sudo nano /etc/systemd/zram-generator.conf.d/zram-generator.conf

Inside the file:

[zram0]
zram-size = ram * 1.5
compression-algorithm = zstd
swap-priority = 100

Adding Some Secret Sauce

Thanks to the optimization effort to improve system responsiveness under memory pressure, particularly for desktops with compressed swap in RAM by Pop!_OS, I use this secret sauce with all my Linux systems too!

Editing `/etc/sysctl.conf` File

sudo nano /etc/sysctl.conf

Adding these lines:

vm.page-cluster=0
vm.swappiness=180
vm.watermark_boost_factor=0
vm.watermark_scale_factor=125

Then, reboot the system.

6. Enable RPM Fusion for Nonfree Codecs

You might have heard from some strange people telling you to use Flatpak apps.

The problem is not media consumption, which can be done through Flatpak or a Distrobox container, like I wrote here in detail, but it's the ability to browse your media files in the first place. This is your file manager's responsibility, not your media player's.

And that one piece of software is not available in Flatpak format; see GNOME Files issue #318.

Therefore, in order to have most of your media files showing their thumbnails in your file manager, like they are on our phones universally, you need to add RPM Fusion into your system. There's no other way.

To install RPM Fusion on your system, please refer to the official RPM Fusion doc specifically for OSTree system here!

7. Removing All the Apps From Fedora’s Flatpak and Disable the Repo Entirely From the App Store

This can be done through GNOME Software GUI, as shown in the screenshot above. You can reinstall these apps from Flathub if necessary.

In my honest opinion, Fedora's Flatpak is useless and has no real value for end-users. It's a painful, wasteful step that Fedora users have to do after the installation. For example, see this recent drama.

It should be noted that, contrary to Flathub, Fedora's Flatpak has the same limitation regarding proprietary codecs as Fedora's native RPM packages. Therefore, remove it from your system, it has zero benefit.

8. Removing All the Unused Apps From the Default Image (Base System)

What if you want to remove some apps from the base immutable image? For example, I don't use Firefox and don't want to support its nutjobs in any way. Here's how to remove it:

sudo rpm-ostree override remove firefox firefox-langpacks

Then, reboot the system.

Now, you can simply check your image status with:

rpm-ostree status

This one command can help you identify most issues or feature parity with other systems that use the same image. This is why it's so easy to debug.

You can also layer any packages you want if they need to be installed on the system level. You will most likely want to install distrobox for example:

sudo rpm-ostree install distrobox

Only install packages using this method when it's necessary.

9. Enable the System’s Auto-Update

Please note that enabling the automatic software updates option in GNOME Software will NOT automatically update your system.

And unfortunately, there's no mention of the automatic update anywhere on the official docs.

Here's how to make your system automatically downloads and stages updates without you ever having to do anything:

Set `AutomaticUpdatePolicy` in `/etc/rpm-ostreed.conf`

Change the policy to stage:

sudo nano /etc/rpm-ostreed.conf

AutomaticUpdatePolicy=stage

Reload `rpm-ostree`

sudo rpm-ostree reload

Enable `rpm-ostreed-automatic.timer`

sudo systemctl enable rpm-ostreed-automatic.timer --now

You can check the automatic update status with:

rpm-ostree status

If enabled correctly, it should return something like this:

AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 3h 4min ago

10. [Bonus] GNOME Extensions That I Use

These extensions that I use are not intended to change the designed GNOME experience. I like GNOME UX and UI philosophy. But I think they are necessary in my workflow.

AppIndicator and KStatusNotifierItem Support

This one adds system tray support in GNOME. It's developed by Ubuntu, so you can expect a good support and maintenance. GitHub repo

GJS OSK

One weakness of GNOME is its onscreen keyboard, even though it's designed with touch screen usage in mind 😂 It isn't even usable in all apps, e.g., non-GTK apps.

This one adds a much better onscreen keyboard to the system and can be used in all apps. GitHub repo

Legacy (GTK3) Theme Scheme Auto Switcher

It changes the GTK3 (legacy) theme variant to light/dark when the scheme is changed from Settings.

When paring with adw-gtk3 theme, all the GTK3 apps blend nicely with Adwaita apps, and they also follow your system's light/dark theme. GitHub repo

Light Style

This one adds light theme to the top bar and its panels. It's developed and maintained by GNOME, so long time support can be expected. GitLab repo

Lock Keys

This one shows numlock and capslock status on the panel. So, it's harder for you to mistype your password accidentally. GitHub repo

Unblank Lock Screen

In order to prevent my laptop from crashing when the display is blanked (it happens randomly even on Windows!), this extension allows me to use lock screen again, as it unblanks my display when my lock screen kicks in! GitHub repo

Weather O'Clock

This one is nice to have. It displays the current weather info next to the top bar's clock. GitHub repo

Cover Photo by Alexandru Acea on Unsplash

Install Steam in a Distrobox Container With x86-64-v3 Power Boost!

Archer Allstars — Sun, 21 Dec 2025 07:05:12 +0000

Like always, I prefer to install any app in a manageable way, i.e., layer on the base system without altering the base in any way or leaving a lot of residue upon uninstallation.

Moreover, you can choose to use any images you want regardless of your base system. For example, you can use the official CachyOS image that provides x86-64-v3 optimized packages, hence improving gaming performance.

1. Installing Distrobox and Podman

The command will differ based on your specific package manager. Refer to your distro's docs. For example, on Arch based distros:

sudo pacman -S distrobox podman

2. Configure Distrobox to use Podman

echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf

3. Create a container

distrobox-create -i docker.io/cachyos/cachyos-v3:latest -n games-dbx -H ~/distrobox/games-dbx --additional-flags "--dns=none" --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

I use the --dns=none flag because I want to go as light as possible by not using an init container (a container with its own systemd). Without this flag, Steam will try to find systemd-resolved, of which doesn't exist obviously, and won't be able to launch successfully.

Without systemd inside the container, Steam will always show UTC time instead of your local time in Big Picture Mode, see Steam issue #10057.

Note: For NVIDIA users, in order to use the GPU inside the container, you need to add --nvidia flag to the distrobox-create command. See more here.

4. Enable x86-64-v3 packages

Once the container is created, enter the container and enable x86-64-v3 packages:

sudo pacman -Syu

sudo pacman -Qqn | sudo pacman -S -

5. Generating the container's locales

First, install nano to be able to edit /etc/locale.gen:

sudo pacman -S nano

Then, editing /etc/locale.gen:

sudo nano /etc/locale.gen

Uncomment (removing #) from en_US.UTF-8 UTF-8 line. Also, if your local language is differ, uncomment your local language too. For example:

en_US.UTF-8 UTF-8
th_TH.UTF-8 UTF-8

Lastly, generating locales:

sudo locale-gen

6. Install Steam!

sudo pacman -S steam

If you're asked during the installation,...

About the font, I use Noto font.

About which Vulkan to use, use your vendor's Vulkan. It should be obvious enough, for example, vulkan-intel (or lib32-vulkan-intel).

Please use everything from CachyOS repository if being asked.

7. Export Steam inside the container to the host

Run this inside the container:

distrobox-export -a steam

With this, you will be able to launch Steam on the host, i.e., with Steam icon on the host.

If Steam fails to start occasionally, you might want to edit the execution command in the desktop file a bit:

Find Steam's desktop file in ~/.local/share/applications/ on the host, then edit the first Exec= line:

Exec=bash -c 'echo "Y" | distrobox-stop games-dbx && distrobox-enter games-dbx -- /usr/bin/steam' %U

This will stop the container first before entering it and launch Steam.

8. Auto-update the container, zero maintenance time!

Create a `systemd` service file:

nano ~/.config/systemd/user/dbx-upgrade.service

Inside the service file:

[Unit]
Description=Upgrade all Distrobox containers
RequiresMountsFor=/run/user/1000/containers
StartLimitBurst=3
StartLimitIntervalSec=600

[Service]
Type=exec
ExecStart=sh -c "distrobox-upgrade --all"
Restart=on-failure
RestartSec=60

Create a `systemd` timer file:

nano ~/.config/systemd/user/dbx-upgrade.timer

Inside the timer file:

[Unit]
Description=Start Distrobox containers upgrade service with some delay.

[Timer]
OnStartupSec=30
RandomizedDelaySec=15
Persistent=true

[Install]
WantedBy=timers.target

Reload and enable the timer:

systemctl --user daemon-reload && systemctl --user enable dbx-upgrade.timer

BONUS: Increase `vm.max_map_count`

According to Arch Wiki, it's recommended to increase the vm.max_map_count.

This one has to be done on the host and the container will follow automatically. The procedure should be the same across all distros.

Create a sysctl rule:

sudo nano /etc/sysctl.d/99-gamecompatibility.conf

Add vm.max_map_count = 2147483642 in the file.

Then, apply the change immediately with:

sudo sysctl --system

With this, you should be able to run Steam inside a container. Enjoy!

Cover Photo by Igor Saikin on Unsplash

Enable BBR, a Better Network Congestion Control Algorithm From Google on Linux

Archer Allstars — Wed, 05 Nov 2025 03:07:39 +0000

TCP BBR (Bottleneck Bandwidth and Round-trip propagation time) is a congestion control algorithm developed by Google to improve internet performance by focusing on actual network conditions rather than relying solely on packet loss as a signal to reduce transmission speed.

It can significantly improve throughput compared to traditional algorithms like CUBIC, with improvements ranging from 2 to 25 times.

BBR is also used on Google Search and YouTube servers, resulting in a 4% average global increase in YouTube network throughput and over 14% improvement in some countries. Meaning, it has been used (not only tested/experimented) on a global scale!

Therefore, it would be wised to enable BBR in your system, especially if you're on a wireless network with a lot of packet loss.

Note that you need Linux kernel version 4.9+ for BBR v1, or 5.18+ for BBR v2.

1. Enable the Module

Check whether the module is already enabled:

lsmod | grep bbr

If the module is loaded, it should return something like this:

tcp_bbr                20480  26

You can skip to the next step.

If it doesn't return anything, you must enable tcp_bbr module first:

echo "tcp_bbr" | sudo tee /etc/modules-load.d/bbr.conf

Reboot. Then, check if bbr is listed as one of the congestion control algorithms:

cat /proc/sys/net/ipv4/tcp_available_congestion_control

This should return something like:

reno cubic bbr

2. Change the Congestion Control Algorithm to BBR

You can use nano or your preferred text editor to edit the /etc/sysctl.conf file:

sudo nano /etc/sysctl.conf

Then, add these lines:

net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

Reboot the system. Then, check the current congestion control algorithm:

sysctl net.ipv4.tcp_congestion_control

This should return:

net.ipv4.tcp_congestion_control = bbr

Note that even though it has ipv4 in the name, it applies to IPv6 as well.

Explanation

You can notice that I also enabled the fair queueing packet scheduler (qdisc) as well with net.core.default_qdisc = fq.

Why?

It's a match made in heaven for BBR. For example:

Without the fair queueing (traditional qdiscs like pfifo_fast):

BBR wants to send at 950 Mbps
↓
Kernel qdisc can't pace → bursts 1 Gbps for 100ms → queue builds → 200ms latency

With the fair queueing:

BBR wants to send at 950 Mbps
↓
FQ paces exactly 950 Mbps → no bursts → queue stays <1ms

Thanks for reading 🙏 God bless ✝️

Cover Photo by Shiwa ID on Unsplash

How to Manage WireGuard VPN Connection in GNOME Without the wireguard-tools

Archer Allstars — Sat, 18 Oct 2025 00:30:33 +0000

If you want to use/connect to VPN without installing the VPN client on your system, the common way to do it is through the WireGuard configuration file.

This's more preferable on an immutable OS, e.g. Fedora Silverblue, unless the VPN provider you're using has their client officially available on Flathub.

Why not `wireguard-tools`?

Because using the WireGuard configuration file in GUI (GNOME's network settings) is easier and faster.

1. Set Up `systemd-resolved`

systemd-resolved is enabled by default in Fedora Silverblue. So, you only have to set up its configure file right.

`DNSOverTLS=opportunistic` is Your Best Friend

Because it's the only way currently to have both non-leaking DNS when using a VPN (with its own DNS) and to be able to configure your preferred secure DNS in the settings' GUI.

If you use DNSOverTLS=no (the default value), you have non-leaking DNS when using a VPN (with its own DNS), but you won't be able to configure any secure DNS in the GUI at all.

If you use DNSOverTLS=yes, you won't be able to use VPN with its DNS setup, hence forcing to be leaked. Also, you won't be able to configure any secure DNS in the GUI at all. I would say, this is the worst setup!

But if you don't use VPN, you can just use DNSOverTLS=yes and have your secure DNS set up directly in /etc/systemd/resolved.conf. See more here.

In any case, I recommend DNSOverTLS=opportunistic because of its flexibility.

sudo nano /etc/systemd/resolved.conf

Then, in the file:

[Resolve]
DNSOverTLS=opportunistic

Lastly, restart systemd-resolved:

sudo systemctl restart systemd-resolved

2. Having your default DNS setup

It's extremely important to NOT using your ISP's DNS. Why? Because it's not likely going to be encrypted. Not only that, it's prone to censorship.

Please use a secure DNS from reputable providers like Cloudflare or Quad9, for example. Quad9 if you don't have Cloudflare WARP proxy setup like I wrote here. Otherwise, it's better to use Cloudflare, so you won't have a leak with WARP proxy.

Cloudflare DNS

I recommend using the Families (malware filtering) endpoint 1.1.1.2 or 1.0.0.2 instead of the usual 1.1.1.1. See more here.

Quad9

As the name suggested, 9.9.9.9. Quad9 filtered out malware by default. From many tests I've seen for years, it's leading in this regard, slightly better than Cloudflare's 1.1.1.2. See more on their website.

Make either of them your default DNS as per connection easily in GNOME settings

For example, in your Wi-Fi settings, put in the DNS's IPv4 and IPv6 accordingly:

3. Import your WireGuard configuration file

You can import WireGuard configuration files directly in GNOME's network settings, and use them at will through the quick settings panel. It's that easy, no need to go through many hoops with different VPN clients.

The process is straightforward enough that no screenshot is needed 😆

However, there are some caveats. Check your WireGuard configuration file, make sure under the [Interface] section, the DNS line should exist or not commented out. Otherwise, your VPN connection will regress back to the default DNS address in the previous step, hence leaking.

The best place to check your public IP and DNS addresses you're using is https://dnscheck.tools/

Thanks for reading 🙏 God bless ✝️

Cover Photo by Gavin Allanwood on Unsplash

Here's How to Change GNOME Fractal's Font Size

Archer Allstars — Fri, 17 Oct 2025 01:04:52 +0000

Fractal is a Matrix chat client, like Element, Cinny, and FluffyChat.

There are many good things with chatting in Matrix:

It's secure because of E2EE.
You can also use any clients you want, provided that the one you choose implemented the security features of the Matrix protocol correctly.
You can even self-host it, meaning you control your data.

You can't go wrong with any of them on the above. It depends on your needs and your preference.

If you want calling, Element and FluffyChat (experimental feature) are there for you.
I like Fractal and Cinny UIs. And both of them are easy on RAM, especially Cinny. But I go with Fractal because its cross signing process is seamless. I use Element X on mobile, so I can't verify Cinny without the recovery key. Otherwise, I would go with Cinny.

There's one major issue with Fractal, though. I can't change its tiny font size. Sadly, its devs mistakenly understand that texts in chat messages should be treated the same with texts in the OS/DE user interface with all the visual aids in place.

To tell you the truth, I already have 1.5x scaling on my setup. I can't go further than this with a FHD screen. Enable the "Large Text" mode would also break many apps' UI at 1.5x scaling. You can go with 1.25x scaling with the Large Text mode, of which will end up with the same font size as 1.5x scaling. So, I absolutely need a bigger text to keep my eyes healthy 👀

Without further ado, here is how:

1. Create a config file

Assuming you install it from Flathub which is the official channel to get the app.

First, create a directory:

mkdir -p ~/.var/app/org.gnome.Fractal/config/gtk-4.0

Then, use nano or any text editor to create a config file (CSS) there:

nano ~/.var/app/org.gnome.Fractal/config/gtk-4.0/gtk.css

2. Change the font size in the config file we previously created

Paste this content:

* {
    font-size: 16pt;
}

Change your preferred font-size as needed.

This method should work with any GTK4 apps.

Thanks for reading 🙏

Cover Photo by Parker Coffman on Unsplash

The Complete Guide to Containerize Any Chromium Browsers Using Distrobox on Any Linux Distros

Archer Allstars — Sat, 11 Oct 2025 05:57:13 +0000

UPDATE: As of Chrome/Chromium 143 or Brave 1.85, hardware video decode is enabled by default on Wayland, see Chromium issue #40225939.

However, hardware video encode is still not enabled by default, so you still need --enable-features=AcceleratedVideoEncoder.

Ever wonder how to install your web browser in a container with everything working, e.g. hardware accelerations, usable PWAs shortcuts, keyring encryption, light/dark theme scheme that follows the host, auto-update, etc.? Basically, there's zero downside plus these many benefits:

This won't pull a ton of dependencies directly on your base system. It's always very hard to keep track of those residues, you know it! Your base system (host) would also be more stable, less prone to upgrade conflicts in the process.
A clear separation of config files. You can always start anew easily. You can delete the container along with everything inside it without affecting your system in any way.
Better performance if you're running on a distro that doesn't deliver x86-64-v3 microarchitecture optimization packages (99% of all distros out there).
This setup works on all distros, without exceptions!
Probably many more, depending on your use cases.

Installing Distrobox and Podman
Configure Distrobox to use Podman
Create a container
Enable x86-64-v3 packages
Install required packages
Install GPU driver
Prepare directories for PWAs
Symlink with the user directories on the host
Install your browser
Export the browser to the host
Create a script to run the browser with hardware video acceleration flags
Modify the browser desktop file that we previously exported on the host
Fixing the PWAs issue in the container
Auto-update the container to which will also update the browser and everything inside with zero maintenance
Check the browser's keyring entry
Enhancing the sandbox in a distro that doesn't enable the ptrace_scope=1 by default

1. Installing Distrobox and Podman

The command will differ based on your specific package manager. Refer to your distro's docs. For example, on Arch based distros:

sudo pacman -S distrobox podman

2. Configure Distrobox to use Podman

echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf

3. Create a container

I use the official container image from CachyOS because it has x86-64-v3 repositories configured out of the box. Moreover, it doesn't have any issues with proprietary codecs, as all the codecs, free and proprietary ones, are available on the main Arch repositories.

It's also possible to use x86-64-v3 packages with openSUSE image (the Distrobox variant) if you install patterns-glibc-hwcaps-x86_64_v3 then sudo zypper dup. The only reason to use openSUSE image rather than CachyOS image is when the browser you want to use doesn't have an official build for Arch based distros, e.g. Google Chrome, Microsoft Edge.

The problem with openSUSE image is also depended on your GPU. If you're using Intel or NVIDIA GPU, it doesn't matter, as Intel relies on intel-media-driver, and NVIDIA relies on libva-nvidia-driver for VA-API.

Unfortunately, if you're with AMD, and for some reason, hurt yourself by not using Brave 😂, you will have to add PackMan repo in openSUSE image. The problem happens when you upgrade the container, it will be conflicted with the main repo from time to time, except now it will happen in your container instead of it happening directly on your system. It's in a way better, but not ideal.

Here's a summary of how to choose which container image to use:

Intel and NVIDIA users: Choose based on whether your browser has the official build for the container image, e.g. Brave users use CachyOS image, Google Chrome and Microsoft Edge users use openSUSE image.
AMD users: Use CachyOS image + Brave, and call it a day. Otherwise, use openSUSE image + PackMan repo (more on that later).

Now, it's time to actually create a container 😁

CachyOS Image

distrobox-create -i docker.io/cachyos/cachyos-v3:latest -n browser-v3-dbx -H ~/distrobox/browser-v3-dbx --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

openSUSE Image

distrobox-create -i registry.opensuse.org/opensuse/distrobox:latest -n browser-v3-dbx -H ~/distrobox/browser-v3-dbx --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

Then, enter the container with distrobox enter browser-v3-dbx and follow the next step.

Note: For NVIDIA users, in order to use the GPU inside the container, you need to add --nvidia flags to the distrobox-create command. See more here.

4. Enable x86-64-v3 packages

Depends on the container image you choose...

CachyOS Image

Update all the packages:

sudo pacman -Syu

Reinstall all the packages from CachyOS repos (this will replace x86-64 AKA x86-64-v1 packages with x86-64-v3 ones):

sudo pacman -Qqn | sudo pacman -S -

openSUSE Image

Update all the packages:

sudo zypper dup

Enable x86-64-v3 packages:

sudo zypper install patterns-glibc-hwcaps-x86_64_v3

5. Install required packages

CachyOS Image

sudo pacman -S dbus xdg-utils glib2 pipewire adwaita-icon-theme adwaita-cursors adwaita-fonts watchexec

openSUSE Image

sudo zypper install dbus-1 dbus-1-x11 xdg-utils glib2 pipewire adwaita-icon-theme adwaita-fonts watchexec

6. Install GPU driver

pacman command for CachyOS Image, zypper for openSUSE Image.

Intel

sudo pacman -S intel-media-driver libva-utils

sudo zypper install intel-media-driver libva-utils

AMD

sudo pacman -S Mesa libva libva-utils

For openSUSE image, adding PackMan repo first:

sudo zypper ar -f https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/ packman

Refresh the repos:

sudo zypper refresh && sudo zypper dup

Install the driver:

sudo zypper install --from packman Mesa-libva libva2 libva-utils

NVIDIA

sudo pacman -S libva-nvidia-driver libva-utils

sudo zypper install libva-nvidia-driver libva-utils

7. Prepare directories for PWAs

mkdir -p ~/.local/share/applications
mkdir -p ~/Desktop
mkdir -p ~/.local/share/icons

8. Symlink with the user directories on the host

ln -s /var/home/archerallstars/.local/share/icons/hicolor ~/.local/share/icons/

ln -s /var/home/archerallstars/.local/share/fonts ~/.local/share/

Note: Replace /var/home/archerallstars with your home directory's absolute path on your system (the path you can copy from your file manager, the path without ~).

(optional) Symlink with fontconfig directory on the host

This is usually necessary for multilingual individuals if they want to change the font for a specific language.

mkdir -p ~/.config/fontconfig

ln -s /var/home/archerallstars/.config/fontconfig/conf.d ~/.config/fontconfig/

For example, if I want to change the font just for Thai language while keeping the rest intact:

nano ~/.config/fontconfig/conf.d/99-my-preferred-font-for-th.conf

I can add this to the file:

<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
  <match target="pattern">
    <test name="lang" compare="contains">
      <string>th</string>
    </test>
    <test qual="any" name="family">
      <string>sans-serif</string>
    </test>
    <edit name="family" mode="prepend" binding="strong">
      <string>Waree</string>
    </edit>
  </match>
</fontconfig>

Normally, people with the need would already configure this on their host. So, just by linking ~/.config/fontconfig/conf.d/ on the host will make the container follows the same rule without having to do anything. Just make sure you also link the fonts directory on the host as shown on the above, so the container can use the font specified in this rule.

9. Install your browser

Please refer to your browser installation instruction. It's the same regardless of the containerization. For example, Brave in CachyOS container:

sudo pacman -S yay
yay -Sy brave-bin

10. Export the browser to the host

For example, for Brave:

distrobox-export -a brave

Note: The actual name of the browser could be different. For example, if you're using CachyOS image, Brave uses brave for its binary, while it's brave-browser when installing from their official openSUSE repo 😂

Try catching this with ls /usr/bin | grep brave.

After the export, you can exit from the container and forget it with exit.

11. Create a script to run the browser with hardware video acceleration flags

Unfortunately, this is still necessary in 2025. So, create a file called brave-vaapi or something, put it in ~/.local/bin on your host. Here are the scripts depending on your GPU vendor:

Intel

#!/bin/bash
exec /usr/bin/distrobox-enter  -n browser-v3-dbx  --   /usr/bin/brave --enable-features=AcceleratedVideoEncoder "$@"

AMD

#!/bin/bash
exec /usr/bin/distrobox-enter  -n browser-v3-dbx  --   /usr/bin/brave --enable-features=AcceleratedVideoEncoder,VaapiIgnoreDriverChecks "$@"

NVIDIA

#!/bin/bash
exec /usr/bin/distrobox-enter  -n browser-v3-dbx  --   /usr/bin/brave --enable-features=AcceleratedVideoEncoder,VaapiIgnoreDriverChecks,VaapiOnNvidiaGPUs "$@"

Save the file, then right-click > properties and make it executable/run as program.

Note: The reason I use the script to add these flags because these flags could change at any time. Instead of changing them in all the desktop files, changing them here would take a much lesser effort 😅

12. Modify the browser desktop file that we previously exported on the host

It's in ~/.local/share/applications/. The desktop file could be browser-v3-dbx-brave-browser.desktop.

Open it with your text editor, then search for exec, replace its value to your script from the previous step, like this:

Exec=/var/home/archerallstars/.local/bin/brave-vaapi  %U

Search for all lines that starts with Exec=, replace them with your script, but keep its flags intact (if there's any), like:

Exec=/var/home/archerallstars/.local/bin/brave-vaapi --incognito

Note: Remember to use the absolute path!

13. Fixing the PWAs issue in the container

There's one serious issue that would prevent us from the seamless integration, though. That's the broken PWAs icons, as the icons created in the container would obviously refer to their executable path in the container, of which doesn't exist on the host side.

Moreover, it also has the same issue with every Chromium browser on Flathub when running in native Wayland mode.

However, you can fix both of these issues easily with a simple bash script, called it brave-pwa-fix and save it in ~/.local/bin on your host.

#!/bin/bash

yourBrowser="brave"
browserDesktopFilename="browser-v3-dbx-brave-browser.desktop"
binPath="/var/home/archerallstars/.local/bin/brave-with-video-accelerated"
hostAppsPath="/var/home/archerallstars/.local/share/applications"
containerAppsPath="/var/home/archerallstars/distrobox/browser-v3-dbx/Desktop"

process_file() {
    local file="$1"
    if [[ ! -f "$file" ]]; then
        return
    fi
    local temp_file
    temp_file=$(mktemp)
    local changed=0
    local icon_value=""

    # First pass to get icon_value
    while IFS= read -r line; do
        if [[ $line =~ ^Icon= ]]; then
            icon_value="${line#Icon=}"
        fi
    done <"$file"

    # Second pass to process
    while IFS= read -r line; do
        if [[ $line =~ ^Name= ]]; then
            if [[ $line == *" ("* ]]; then
                line="${line%% (*}"
                changed=1
            fi
        elif [[ $line =~ ^Exec= ]]; then
            local exec_value="${line#Exec=}"
            if [[ "$exec_value" == *" --"* ]]; then
                local suffix="${exec_value#* --}"
                line="Exec=$binPath --$suffix"
            else
                line="Exec=$binPath"
            fi
            changed=1
        elif [[ $line =~ ^StartupWMClass= ]] && [[ -n "$icon_value" ]]; then
            current_value="${line#StartupWMClass=}"
            if [[ "$current_value" != "$icon_value" ]]; then
                line="StartupWMClass=$icon_value"
                changed=1
            fi
        fi
        echo "$line" >>"$temp_file"
    done <"$file"

    if [[ $changed -eq 1 ]]; then
        cp "$temp_file" "$hostAppsPath/$(basename "$file")"
    fi
    rm "$temp_file"
}

# Process missing files from container
find "$containerAppsPath" -name "*$yourBrowser*.desktop" 2>/dev/null | while read -r file; do
    basename=$(basename "$file")
    host_file="$hostAppsPath/$basename"
    if [[ ! -f "$host_file" ]]; then
        process_file "$file"
    fi
done

# Synchronize: remove orphaned files from hostAppsPath
find $hostAppsPath -name "*$yourBrowser*.desktop" 2>/dev/null | while read -r host_file; do
    basename=$(basename "$host_file")
    if [[ "$basename" == "$browserDesktopFilename" ]]; then
        continue
    fi
    container_file="$containerAppsPath/$basename"
    if [[ ! -f "$container_file" ]]; then
        rm -f "$host_file"
    fi
done

Save the file, then right-click > properties and make it executable/run as program.

Explaination

You only need to change these variables values at the top of the script to match the one on your system:

yourBrowser andbrowserDesktopFilename should be obvious enough 😂
binPath is the path of the script you use to launch the browser with hardware accelerated flags above.
hostAppsPath is the path of the user desktop files on the host.
containerAppsPath is one of the paths of the user desktop files in the container where PWAs desktop files reside.

Using `watchexec` to sync PWAs from inside the container to the host and vice versa

The script already handled everything. So, we just need a watcher that we already installed in step #5, watchexec. We'll run this small yet powerful tool using a systemd service, in which we'll also autostart it after user login (with some delay - container safe).

I will go quickly with nano. By now, you should be familiar with what we're doing now 😁

nano ~/.config/systemd/user/pwa-watcher.service

Inside the service file:

[Unit]
Description=Start PWA watcher in the background for the containerized browser
RequiresMountsFor=/run/user/1000/containers
StartLimitBurst=3
StartLimitIntervalSec=600

[Service]
Type=exec
ExecStart=/usr/bin/distrobox-enter  -n browser-v3-dbx  --   bash -c 'watchexec -n --watch ~/Desktop distrobox-host-exec /var/home/archerallstars/.local/bin/brave-pwa-fix'
Restart=on-failure
RestartSec=60

Note: Replace my host's absolute path with your host's absolute path.

nano ~/.config/systemd/user/pwa-watcher.timer

Inside the timer file:

[Unit]
Description=Start PWA watcher service with some delay.

[Timer]
OnStartupSec=23
RandomizedDelaySec=12
Persistent=true

[Install]
WantedBy=timers.target

Reload and enable the timer, also start the service if you will:

systemctl --user daemon-reload
systemctl --user enable pwa-watcher.timer
systemctl --user start pwa-watcher

14. Auto-update the container to which will also update the browser and everything inside with zero maintenance

We will use a systemd service and its timer agian. Not only that it will update the container that we created, if you have more fun with more containers, all of them will also be updated in the background.

There's a caveat, though. A misconfigured container will stop the update process of all containers after it, so make sure you're doing it right.

nano ~/.config/systemd/user/dbx-upgrade.service

Inside the service file:

[Unit]
Description=Upgrade all Distrobox containers
RequiresMountsFor=/run/user/1000/containers
StartLimitBurst=3
StartLimitIntervalSec=600

[Service]
Type=exec
ExecStart=sh -c "distrobox-upgrade --all && distrobox enter browser-v3-dbx -- yay -Syu --noconfirm"
Restart=on-failure
RestartSec=60

Note: Since the official build of Brave for Arch based distros is delivered on AUR, we need to chain yay -Syu --noconfirm manually (distrobox-upgrade --all doesn't take care of AUR) to keep Brave up-to-date (only if you installed Brave in CachyOS container). You can chain as many containers as you want to update AUR packages if necessary.

nano ~/.config/systemd/user/dbx-upgrade.timer

Inside the timer file:

[Unit]
Description=Start Distrobox containers upgrade service with some delay.

[Timer]
OnStartupSec=30
RandomizedDelaySec=15
Persistent=true

[Install]
WantedBy=timers.target

Reload and enable the timer:

systemctl --user daemon-reload && systemctl --user enable dbx-upgrade.timer

15. Check the browser's keyring entry

After you turning on the sync feature in your browser, it's super important to check whether your setup has created the keyring's entries correctly to ensure you use the uncompromised encryption to store your data.

You can check this easily with GNOME Passwords and Keys. It looks dated than Key Rack, but the latter doesn't always find all the entries.

If you did everything right, you will see an entry like this:

Note, if you're using Brave, you won't be able to use the sync feature without the access to the system's keyring. While the rest won't tell you anything 😂

Anyway, you can also launch the browser in the terminal (inside the container) with debug mode enable. For example:

brave --enable-logging=stderr --v=1

This will pump out the debug log like crazy 😂 You can search (ctrl + shift + F) in the terminal for libsecret. If you're using the system keyring properly, you'll see something like this:

Selected backend for OSCrypt: GNOME_LIBSECRET
OSCrypt using Libsecret as backend.

Is it just easier to go with the Flatpak version if you're using Brave?

Yes, it's. But it has a questionable security implication, thus not recommended by Brave. When it comes to web browser, I want maximum security. Less is not more here, it's unacceptable!

You can check this with the ://sandbox page, for example, in Brave: brave://sandbox.

When running inside the container

Simply the same with running the browser natively on your system. Meaning your browser sandbox is not compromised when it's running inside the container.

When running in Flatpak

As you can see, the Layer 1 Sandbox is now SUID, and this is without Ptrace Protection with Yama LSM (Non-broker) enabled, of which is available as an alternative mode when namespaces aren't available, see more here and here

16. Enhancing the sandbox in a distro that doesn't enable the `ptrace_scope=1` by default

For any users that doesn't debug anything on their PC, enable this security feature shouldn't break anything. It's enabled by default in Ubuntu, Arch, and openSUSE (by my request 😄).

Currently, I'm on Fedora Silverblue 42, of which doesn't enable ptrace_scope=1 by default. There's a proposal to enable this by default in Fedora 44, though.

You can check your current ptrace_scope value with:

cat /proc/sys/kernel/yama/ptrace_scope

However, in the meantime, you can enable this easily by copying the default config file and edit it:

sudo cp /usr/lib/sysctl.d/10-default-yama-scope.conf /etc/sysctl.d/

sudo nano /etc/sysctl.d/10-default-yama-scope.conf

The last line should be kernel.yama.ptrace_scope = 1 instead of kernel.yama.ptrace_scope = 0.

Then, reboot. cat /proc/sys/kernel/yama/ptrace_scope again, now, it should return 1. And when you open brave://sandbox/ again, there should be no red entries left (meaning a secure sandbox):

I hope I don't miss anything. Thanks for reading 🙏

Cover Image by Aron Yigin on Unsplash

Chrome Flags' Latest 2024 Update, Web Browser Video Hardware Acceleration on Linux

Archer Allstars — Fri, 15 Nov 2024 02:50:14 +0000

UPDATE: As of Chrome/Chromium 143 or Brave 1.85, hardware video decode is enabled by default on Wayland, see Chromium issue #40225939.

However, hardware video encode is still not enabled by default, so you still need --enable-features=AcceleratedVideoEncoder.

There's an important change made to the flags to enable video hardware acceleration on Linux, starting from Chrome/Chromium 131, or Brave 1.73.89 which is based on Chromium 131. Other Chromium based browsers are all affected too.

It's on Chromium issue #40225939. Here are the updated flags for each GPU vendor:

Intel GPUs

--enable-features=AcceleratedVideoDecodeLinuxZeroCopyGL,AcceleratedVideoDecodeLinuxGL,AcceleratedVideoEncoder

The Vaapi part is replaced with Accelerated. Other than that, --use-gl=angle --use-angle=gl is no longer needed.

AMD GPUs

--enable-features=AcceleratedVideoDecodeLinuxZeroCopyGL,AcceleratedVideoDecodeLinuxGL,VaapiIgnoreDriverChecks

NVIDIA GPUs

--enable-features=AcceleratedVideoDecodeLinuxZeroCopyGL,AcceleratedVideoDecodeLinuxGL,VaapiIgnoreDriverChecks,VaapiOnNvidiaGPUs

I am not sure whether adding AcceleratedVideoEncoder would enable video hardware encoding on AMD and NVIDIA GPUs like it does on my Intel GPU.

Here's how to check

Go to chrome://gpu or brave://gpu if you're using Brave.
Scroll down nearing the end of the page, see in the Video Acceleration Information section, if you have video decoding and encoding, it should show the info similar to this:

Are we close to have video hardware acceleration enabled by default on Linux (in Chromium browsers)?

The answer would be yes and no. While AcceleratedVideoDecoder will be enabled in Chrome/Chromium 132 by default, it's not decided yet for AcceleratedVideoDecodeLinuxZeroCopyGL. And AcceleratedVideoEncoder is not getting much attention. Meaning that, we will still have to launch the browser with flags for the unforeseeable future.

What is the problem with the flags?

They change overtime, as they are considered experiment features.
It's inconvenient to make use of PWAs. If we need all the accelerations to work, we will have to launch the first instance of the browser with these flags. In other word, we can't just go straight to the PWA window. And it is not a good idea either to populate all these flags in all the PWAs' desktop files, as flags are changed/removed all the time. I don't think this is an ideal setup for my grandma's PC.

Well, this is it for today! Thanks for reading. Bye 💨

Cover Photo by Muhammad-Taha Ibrahim on Unsplash

Running adb in a rootless Podman Distrobox container

Archer Allstars — Thu, 23 May 2024 19:20:19 +0000

Updated: As of Distrobox 1.8.1.2, adb works out of the box in a rootless container.

adb stands for Android Debug Bridge. It's a part of SDK Platform Tools, which is bundled with Android Studio.

For Linux users, they might want to use adb with scrcpy (https://github.com/Genymobile/scrcpy), which is a very powerful tool for controlling Android devices from PC. Installing scrcpy from the distro's repo would bring in adb by default, so it's not necessary to download adb directly from Google.

Why would anyone use `adb` in a container?

Like most apps that anyone would want to run in a container:

It doesn't pile up your system with a ton of packages/dependencies.
You always get the latest official release of apps, regardless of your Linux distro.
You can easily delete all the app data and its configurations.
It works with immutable OSes very well.
Minimizing the apps' system access through a rootless environment.
Maybe more. 😎

Note, Distrobox gives you a convenient over raw Podman/Docker setup, and it also integrates very well in the system. But if you want the absolute security, please consider setting up a rootless Podman container without using Distrobox. However, I will go with Distrobox, as I think a rootless Distrobox container already gives you a sane amount of security-convenient ratio.

👉️ Table of contents:

Know Your Device
udev Rules Setup on the Host
Preparing the Container
Testing adb
Automatically Update the Container

1. Know Your Device

You can identify your device easily with:

lsusb

It will list all USB related devices. Look for a line that's corresponding to your Android device. For example:

Bus 001 Device 009: ID 1234:5678 Google Inc. Nexus/Pixel Device (charging + debug)

The important part is your device ID, which is 1234:5678 in this example. We'll use this ID in the next step.

2. `udev` Rules Setup on the Host

In /etc/udev/rules.d/51-android.rules I put:

SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTRS{idProduct}=="5678", MODE="0666", GROUP="yourusername"

If yours doesn't have 51-android.rules in /etc/udev/rules.d/, please create a new one.
Replace ATTR{idVendor}=="1234" and ATTRS{idProduct}=="5678" with your real device ID.
Replace yourusername with your real username.

3. Preparing the Container

3.1. Install Distrobox and Podman on the Host

For example, on openSUSE Tumbleweed:

sudo zypper install distrobox podman

3.2. Configure Distrobox to use Podman

echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf

3.3. Create a New Distrobox Container for `adb`

distrobox create -i docker.io/library/archlinux:latest -n adb-dbx -H ~/distrobox/adb-dbx --volume /dev/bus/usb/:/dev/bus/usb --volume /etc/udev/rules.d/:/etc/udev/rules.d --additional-packages "adwaita-cursors"

I use Arch container image because:

It's a rolling image, so every necessary package or dependency would always be updated.
It really depends on your needs. If you plan to use this container with scrcpy, the best container for adb would be Arch, since you will get all the codecs from the main repo. If you plan to use this container as a dev box, Tumbleweed image would be better because Chrome is not available officially on Arch. But if you only want to run adb, the container image wouldn't matter much.

I volume /dev/bus/usb/ and /etc/udev/rules.d/ in the container because they're needed for adb to work.

4. Testing `adb`

adb devices

This should return your device properly. If it's not, please check whether you have adb process already running in the background. In that case, please end the process first.

5. Automatically Update the Container

We can use systemd's service and timer to update/upgrade all Distrobox's containers like this:

dbx-upgrade.service

[Unit]
Description=Upgrade all rootless Distrobox containers.
RequiresMountsFor=/run/user/1000/containers

[Service]
Type=exec
ExecStart=-bash -c "distrobox-upgrade --all"
Restart=on-failure
RestartSec=60
TimeoutStopSec=5min
RemainAfterExit=yes

Save this file as ~/.config/systemd/user/dbx-upgrade.service.

dbx-upgrade.timer

[Unit]
Description=Run distrobox-upgrade --all daily.

[Timer]
OnCalendar=daily
RandomizedDelaySec=5min
Persistent=true

[Install]
WantedBy=timers.target

Save this file as ~/.config/systemd/user/dbx-upgrade.timer.

Enable the Timer

systemctl --user daemon-reload && systemctl --user enable dbx-upgrade.timer

Cover Photo by Edho Fitrah on Unsplash

Install the official build of mpv media player on any Linux distribution

Archer Allstars — Sat, 18 May 2024 01:08:47 +0000

Ever wonder why we should use the software directly from the developer’s official distribution channel when it's possible? Maybe, we should learn from an example in the recent Snap store incidents:

A fake Exodus wallet app had entered the store and scammed 9 BTC (worth around $490K at the time) from an investor. And another incident happened again shortly after the first incident. It's a mess nonetheless.
As we can see, the sandboxing security of Snap didn’t help. This is why we should only use the official apps when it’s possible, as this could’ve happened to any store, Flathub, Play Store, App Store, etc. In fact, it already happened on App Store [1], [2] and Microsoft Store [3] recently.

The level of trust

App Developer

Sure, if we can’t trust developers, we shouldn’t use their apps at all. But if we decide to use their apps, it means we must only download the apps from them, unless we prefer to get ourselves scammed. Therefore, this should be our 101 security practice.

This is not only for our security concerns, but using the official build will also make the debugging a lot less painful for the upstream developers.

System

We can’t possibly use everything directly from the original developers, e.g. apps, packages, drivers, or even the Linux kernel, etc. It’s undeniably that choosing Linux distro wisely is a very important part of our threat model. Therefore, your distro’s main/default repos, excluding the community maintained repos like AUR or home projects on OBS for example, are probably safe enough to use. At the very least, they shouldn’t introduce more risk, since you already trusted the kernel from them.

Third-party / unverified / community maintained

Unless we have no other choice, this channel should be avoided at all cost.

The good thing about mpv over other video players is that it plays HDR videos nicely on my SDR monitors and projectors. Without further ado, let’s see how to install mpv, my favorite video player, using the official build (Arch package) on any Linux distro.

Distrobox

Yes, we can install mpv for Arch (official package) on any Linux distro using a rootless Distrobox container. We’ll install mpv in Arch container using the official Arch Docker image.

I will use command lines in this walkthrough. You can use BoxBuddy if you prefer the GUI for the container’s creation process. But that’s about it. The app is pretty much bare bone currently. In the end, you’ll have to use the command lines to set up everything inside the container. Therefore, have your terminal ready!

Note, I use openSUSE Tumbleweed. Therefore, I will use zypper command in this walkthrough. Please change the command according to your distro's package manager.

👉️ Table of contents:

Preparing the Container
Install mpv
Enable Video Hardware Acceleration
Exporting the App
Automatically Update the App

1. Preparing the Container

1.1. Install Distrobox and Podman on the Host

sudo zypper install distrobox podman

1.2. Configure Distrobox to use Podman

echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf

You can see more of the config options on the official repo.

1.3. Create a New Distrobox Container for `mpv`

distrobox create -i docker.io/library/archlinux:latest -n mpv-dbx -H ~/distrobox/mpv-dbx --additional-packages "adwaita-cursors"

distrobox create is used to create a Distrobox container. See the docs for all the usages.

1.4. Prepare the Packages Inside the Container

Update All the Packages

sudo pacman -Syu

When it asks which DBus you want to use, I recommend dbus-broker over dbus-daemon, as it’s the new default DBus on Arch now.

Install GPU Video Acceleration Driver for Your GPU

For example, VA-API drivers for Intel GPUs

sudo pacman -S intel-media-driver libva-utils

2. Install `mpv`

sudo pacman -S mpv

It will ask which jack you want to use, between jack and pipewire-jack. You can choose pipewire-jack.

3. Enable Video Hardware Acceleration

Creating a config file at ~/.config/mpv/mpv.conf (in the container), as shown below:

# enable video hardware acceleration
hwdec=auto

# optional options
vo=gpu-next
tone-mapping=reinhard
ao=pipewire
sub-border-style=opaque-box
sub-outline-color=0.0/0.0/0.0/0.75
sub-auto=fuzzy

I put vo=gpu-next option to use the new GPU backend, which is supposed to be a lot faster than the current default.
I put tone-mapping=reinhard to enable tone mapping from HDR to SDR on my SDR projector. There are many tone mappings available, but I like this one the most.
I put ao=pipewire option to use PipeWire audio driver.
I put sub-border-style=opaque-box and sub-outline-color=0.0/0.0/0.0/0.75 options to make some subtitles easier to see.
I put sub-auto=fuzzy option to make mpv scan for separated subtitle files, even if they don't have exactly the same filenames as the video file. You can try to enable this option if mpv can't find your subtitles.

You can see all the available config options from the official mpv manual.

4. Exporting the App

distrobox-export -a mpv

By exporting the app, it can be set as your default video player. You can also open any video with the app. No one would notice that it's installed in the container. This is the system integration power of Distrobox!

5. Automatically Update the App

We can use systemd's service and timer to update/upgrade all Distrobox's containers like this:

`dbx-upgrade.service`

[Unit]
Description=Upgrade all rootless Distrobox containers.
RequiresMountsFor=/run/user/1000/containers

[Service]
Type=exec
ExecStart=-bash -c "distrobox-upgrade --all"
Restart=on-failure
RestartSec=60
TimeoutStopSec=5min
RemainAfterExit=yes

Save this file as ~/.config/systemd/user/dbx-upgrade.service.

`dbx-upgrade.timer`

[Unit]
Description=Run distrobox-upgrade --all daily.

[Timer]
OnCalendar=daily
RandomizedDelaySec=5min
Persistent=true

[Install]
WantedBy=timers.target

Save this file as ~/.config/systemd/user/dbx-upgrade.timer.

Enable the Timer

systemctl --user daemon-reload && systemctl --user enable dbx-upgrade.timer

Cover Photo by Denisse Leon on Unsplash

Forem: Archer Allstars

Install Windscribe VPN Client in a Distrobox Container on Any Linux Distro!

Install Windscribe in a Container

👉️ Table of contents:

🧧 And More:

😱 Limitations

1. Install distrobox 🪩, podman 💊, and screen 📺️

2. Configure distrobox to use podman

3. Create a Container 📦️

Creating a Container for Windscribe (Ubuntu Image)

4. Install Windscribe client in the Container

Update All Packages in the Container

Install the Official Client You Downloaded

5. Enable the Client's Helper

Create a Service Running the Helper

Create a Timer Triggering the Helper Service

Reload and Enable the Timer

6. Create a Launcher Script 🚀 and a Desktop File 🖥️ on the Host

The Wrapper Script

Explanation 🤓

The Desktop File

7. Make the Container Update Itself Automatically, Zero Maintenance! 😍

Create a Service File

Create a Timer File

Reload and Enable the Timer

Config Your Firewall 🔥 to Have Port Forwarding 🔌 Working Correctly

For ufw System

For firewalld System

1. Create a New Zone in firewalld

2. Finding the Interface's Name Using Network Manager

3. Adding the Interface to firewalld Permanently

4. Adding the Required Ports to firewalld's Zone Permanently

Check the Reach-ability of Your Opened Port 🔍️

For Headless Folks

😱 Limitations

App-based Split Tunneling 🪓

Solution ✅️

A Container-safe 👷 Startup Delay

Solution ✅️

I've updated this walkthrough to work with the latest version of Podman, Distrobox, and "any" of your favorite Linux OS! Cloudflare WARP is the easiest way to enable IPv6 and security on your network today.

Install Cloudflare WARP on any Linux Distro, Thanks to Distrobox!

Install Mailspring, the Best Free Email App on Linux, in a Distrobox Container!

Why Not Geary?

Why not Evolution?

Why not Thunderbird?

👉️ Table of contents

1. Install Distrobox and Podman

2. Configure Distrobox to Use Podman

3. Create a Container 📦️

4. Enable x86-64-v3 Packages

5. Install Required Packages

6. [optional] Symlink fonts and fontconfig Directories on the Host

Make the Required Directories Inside the Container

Symlink With the Host

7. Install Mailspring

8. Export Mailspring to the Host

9. Make Mailspring Follow the System’s Light/Dark Theme

10. Start Mailspring in the Background on Startup

11. Update the Container Automatically, Zero Maintenance!

Create a User systemd Service on the Host

Create a Timer

My Opinionated Fedora Silverblue Setup

Table of Contents

1. Enable Transparent Disk Compression

Compress Existing Data

2. Using a Secure DNS Resolver

Configure /etc/systemd/resolved.conf

Configure Your Preferred DNS Resolver in the GUI

IPv4

IPv6

3. Enable BBR, a Better Network Congestion Control Algorithm

Enable the Module

Change the Congestion Control Algorithm to BBR

4. Enable ptrace_scope = 1

Check Your Current ptrace_scope Value

Enable ptrace_scope = 1

5. Changing the Default ZRAM Configuration

Creating a New Configuration File

Adding Some Secret Sauce

Editing /etc/sysctl.conf File

1. Install `distrobox` 🪩, `podman` 💊, and `screen` 📺️

2. Configure `distrobox` to use `podman`

For `ufw` System

For `firewalld` System

1. Create a New Zone in `firewalld`

3. Adding the Interface to `firewalld` Permanently

4. Adding the Required Ports to `firewalld`'s Zone Permanently

Create a User `systemd` Service on the Host

Configure `/etc/systemd/resolved.conf`

4. Enable `ptrace_scope = 1`

Check Your Current `ptrace_scope` Value

Enable `ptrace_scope = 1`

Editing `/etc/sysctl.conf` File

Set `AutomaticUpdatePolicy` in `/etc/rpm-ostreed.conf`

Reload `rpm-ostree`

Enable `rpm-ostreed-automatic.timer`

Create a `systemd` service file:

Create a `systemd` timer file:

BONUS: Increase `vm.max_map_count`

Why not `wireguard-tools`?

1. Set Up `systemd-resolved`

`DNSOverTLS=opportunistic` is Your Best Friend