Tools

Tools: Install Windscribe VPN Client in a Distrobox Container on Any Linux Distro!

2026-03-22 0 views admin
Tools: Install Windscribe VPN Client in a Distrobox Container on Any Linux Distro!

Install Windscribe in a Container

👉️ Table of contents:

1. Install Distrobox

2. Configure Distrobox to use Podman

3. Create a Container 📦️

Creating a Container for Windscribe (Ubuntu Image)

4. Install Windscribe client in the Container

Update All Packages in the Container

Install the Official Client You Downloaded

5. Enable the Client's Helper

Create a Service Running the Helper

Create a Timer Triggering the Helper Service

Reload and Enable the Timer

6. Create a Desktop File on the Host

7. Make the Container Update Itself Automatically, Zero Maintenance!

Create a Service File

Create a Timer File

Reload and Enable the Timer

Config Your Firewall to Have Port Forwarding Working Correctly

For ufw System

For firewalld System

1. Create a New Zone in firewalld

2. Finding the Interface's Name Using Network Manager

3. Adding the Interface to firewalld Permanently

4. Adding the Required Ports to firewalld's Zone Permanently

Check the Reach-ability of Your Opened Port

For Headless Folks Windscribe is a legitimate, privacy-focused VPN service with strong security features. It's regarded as one of the top VPN providers among enthusiasts in privacy-focused communities. Moreover, you can see miles away from the download page that it takes Linux users seriously. From my personal experience with the client, this is, by far, the best Linux compatible VPN client in the market! The client also works flawlessly inside a container, eliminating the need of layering the client on an immutable OS like Fedora Silverblue. Here are reasons why you should consider Windscribe: The command will be differ based on your specific package manager. Refer to your distro's docs. For example, on Fedora Silverblue: After the installation, reboot your system to activate the new layer. For other mutable distros, there's no need to reboot. I use the official container image from Ubuntu, as I also use the image for ZeroTier and Cloudflare WARP. Otherwise, you could use openSUSE image instead: Do NOT create a rootful init container, as it can cause ownership/permission conflicts on shared volumes between the host and other containers. Please refer to Windscribe's official download page. The client required its helper running to function. Normally, if you install/layer the client directly on the system, the installer script will create a systemd unit for the helper automatically. But no worry, it can be done easily. The helper is now running in the background 👟 So, you don't have to manually type a lengthy command in the terminal just to open a VPN client 😆 You can download the app icon easily from Play Store 🛍️ Replace the path on the above with your icon's absolute path. It depends on your host's firewall. For example, Ubuntu uses ufw, Fedora uses firewalld. Check your firewall status: If it's enabled, you will need to open the correct port that you've opened in your Windscribe account's port forwarding page: List all the available zones: We will create a new zone called vpn, if it's not presented yet, create a new one: Reload firewalld for it to take effect: Check all the available zones again: Now, vpn should be listed as one of the zones. ⚠️ It's possible to add the interface to the zone using the Network Manager, but it'll be conflicted with how Windscribe's client manages the network. Therefore, use firewalld to manage firewall's rules, as it's supposed to. Never use the Network Manager to mange your firewall rules! firewalld, however, cannot list the interface that's not being in any of its zones. It only knows and manages the interfaces that are bound to one of its zones. Therefore, we use Network Manager for this instead. Finding your active connection name first: It will return something like: Note down your connection name. Usually, it will be something that has tun it its name. If you have connected to the VPN network, you can use an app like Resources to know the name for sure. Reload the firewall (to apply the change): Also, check whether the interface is already in firewalld's zone (it should): List all the rules in vpn zone: If it doesn't show any port number after the ports: entry, this means firewalld is blocking all incoming ports in this zone (vpn). You can add your port like this: Reload the firewall (to apply the change): If you want to remove the port, since most of you would use an ephemeral port anyway: First, please don't use any of the online port checkers like portchecker.co, for example. It never works for me... The reliable way to test the reach-ability of your opened port is through torrent clients like Fragments, for example: You can use this command to check the reach-ability of your opened port in the terminal like this: Thanks for reading 🤓 Cover Photo by Thomas Richter on Unsplash A Container Photo by Sophie Cardinale on Unsplash A WiFi Device Photo by Amal S on **Unsplash A Hand Photo by Frankie Mish on Unsplash Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

$ -weight: 600;">sudo rpm-ostree -weight: 500;">install distrobox -weight: 600;">sudo rpm-ostree -weight: 500;">install distrobox -weight: 600;">sudo rpm-ostree -weight: 500;">install distrobox echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf echo 'container_manager="podman"' > ~/.config/distrobox/distrobox.conf registry.opensuse.org/opensuse/distrobox:latest registry.opensuse.org/opensuse/distrobox:latest registry.opensuse.org/opensuse/distrobox:latest distrobox create -i -weight: 500;">docker.io/library/ubuntu:latest -n vpn-dbx--root -H ~/distrobox/vpn-dbx--root --additional-packages "pipewire libxcb-shape0 libnl-genl-3-200" --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket --additional-flags "--device=/dev/net/tun --cap-add=NET_ADMIN --cap-add=SYS_ADMIN" -r distrobox create -i -weight: 500;">docker.io/library/ubuntu:latest -n vpn-dbx--root -H ~/distrobox/vpn-dbx--root --additional-packages "pipewire libxcb-shape0 libnl-genl-3-200" --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket --additional-flags "--device=/dev/net/tun --cap-add=NET_ADMIN --cap-add=SYS_ADMIN" -r distrobox create -i -weight: 500;">docker.io/library/ubuntu:latest -n vpn-dbx--root -H ~/distrobox/vpn-dbx--root --additional-packages "pipewire libxcb-shape0 libnl-genl-3-200" --volume /run/dbus/system_bus_socket:/run/dbus/system_bus_socket --additional-flags "--device=/dev/net/tun --cap-add=NET_ADMIN --cap-add=SYS_ADMIN" -r -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">update -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install ./windscribe_2.20.7_amd64.deb -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install ./windscribe_2.20.7_amd64.deb -weight: 600;">sudo -weight: 500;">apt -weight: 500;">install ./windscribe_2.20.7_amd64.deb -weight: 600;">sudo nano /etc/systemd/system/windscribe-helper.-weight: 500;">service -weight: 600;">sudo nano /etc/systemd/system/windscribe-helper.-weight: 500;">service -weight: 600;">sudo nano /etc/systemd/system/windscribe-helper.-weight: 500;">service [Unit] Description=Start Windscribe VPN Helper After=network-online.target Wants=network-online.target RequiresMountsFor=%t/containers StartLimitIntervalSec=30 StartLimitBurst=5 [Service] Type=exec ExecStartPre=/bin/podman -weight: 500;">start vpn-dbx--root ExecStart=/bin/podman exec vpn-dbx--root bash -c "/opt/windscribe/helper" Restart=on-failure RestartSec=5 RemainAfterExit=yes [Unit] Description=Start Windscribe VPN Helper After=network-online.target Wants=network-online.target RequiresMountsFor=%t/containers StartLimitIntervalSec=30 StartLimitBurst=5 [Service] Type=exec ExecStartPre=/bin/podman -weight: 500;">start vpn-dbx--root ExecStart=/bin/podman exec vpn-dbx--root bash -c "/opt/windscribe/helper" Restart=on-failure RestartSec=5 RemainAfterExit=yes [Unit] Description=Start Windscribe VPN Helper After=network-online.target Wants=network-online.target RequiresMountsFor=%t/containers StartLimitIntervalSec=30 StartLimitBurst=5 [Service] Type=exec ExecStartPre=/bin/podman -weight: 500;">start vpn-dbx--root ExecStart=/bin/podman exec vpn-dbx--root bash -c "/opt/windscribe/helper" Restart=on-failure RestartSec=5 RemainAfterExit=yes -weight: 600;">sudo nano /etc/systemd/system/windscribe-helper.timer -weight: 600;">sudo nano /etc/systemd/system/windscribe-helper.timer -weight: 600;">sudo nano /etc/systemd/system/windscribe-helper.timer [Unit] Description=A trigger to -weight: 500;">start Windscribe's helper on startup [Timer] OnBootSec=25 RandomizedDelaySec=10 [Install] WantedBy=timers.target [Unit] Description=A trigger to -weight: 500;">start Windscribe's helper on startup [Timer] OnBootSec=25 RandomizedDelaySec=10 [Install] WantedBy=timers.target [Unit] Description=A trigger to -weight: 500;">start Windscribe's helper on startup [Timer] OnBootSec=25 RandomizedDelaySec=10 [Install] WantedBy=timers.target -weight: 600;">sudo -weight: 500;">systemctl daemon-reload && -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable --now windscribe-helper.timer -weight: 600;">sudo -weight: 500;">systemctl daemon-reload && -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable --now windscribe-helper.timer -weight: 600;">sudo -weight: 500;">systemctl daemon-reload && -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable --now windscribe-helper.timer nano ~/.local/share/applications/windscribe.desktop nano ~/.local/share/applications/windscribe.desktop nano ~/.local/share/applications/windscribe.desktop [Desktop Entry] Type=Application Icon=/var/home/archerallstars/.local/share/icons/windscribe.png Name=Windscribe Comment=Start Windscribe VPN Keywords=vpn;windscribe Exec=distrobox-enter -r vpn-dbx--root -- /opt/windscribe/Windscribe StartupWMClass=Windscribe Terminal=true [Desktop Entry] Type=Application Icon=/var/home/archerallstars/.local/share/icons/windscribe.png Name=Windscribe Comment=Start Windscribe VPN Keywords=vpn;windscribe Exec=distrobox-enter -r vpn-dbx--root -- /opt/windscribe/Windscribe StartupWMClass=Windscribe Terminal=true [Desktop Entry] Type=Application Icon=/var/home/archerallstars/.local/share/icons/windscribe.png Name=Windscribe Comment=Start Windscribe VPN Keywords=vpn;windscribe Exec=distrobox-enter -r vpn-dbx--root -- /opt/windscribe/Windscribe StartupWMClass=Windscribe Terminal=true -weight: 600;">sudo nano /etc/systemd/system/vpn-dbx--weight: 500;">upgrade.-weight: 500;">service -weight: 600;">sudo nano /etc/systemd/system/vpn-dbx--weight: 500;">upgrade.-weight: 500;">service -weight: 600;">sudo nano /etc/systemd/system/vpn-dbx--weight: 500;">upgrade.-weight: 500;">service [Unit] Description=Upgrade vpn-dbx--root After=network-online.target Wants=network-online.target RequiresMountsFor=%t/containers StartLimitIntervalSec=600 StartLimitBurst=5 [Service] Type=exec ExecStartPre=/bin/podman -weight: 500;">start vpn-dbx--root ExecStart=/bin/podman exec vpn-dbx--root bash -c "-weight: 500;">apt -weight: 500;">update -y && -weight: 500;">apt full--weight: 500;">upgrade -y" Restart=on-failure RestartSec=60 RemainAfterExit=yes [Unit] Description=Upgrade vpn-dbx--root After=network-online.target Wants=network-online.target RequiresMountsFor=%t/containers StartLimitIntervalSec=600 StartLimitBurst=5 [Service] Type=exec ExecStartPre=/bin/podman -weight: 500;">start vpn-dbx--root ExecStart=/bin/podman exec vpn-dbx--root bash -c "-weight: 500;">apt -weight: 500;">update -y && -weight: 500;">apt full--weight: 500;">upgrade -y" Restart=on-failure RestartSec=60 RemainAfterExit=yes [Unit] Description=Upgrade vpn-dbx--root After=network-online.target Wants=network-online.target RequiresMountsFor=%t/containers StartLimitIntervalSec=600 StartLimitBurst=5 [Service] Type=exec ExecStartPre=/bin/podman -weight: 500;">start vpn-dbx--root ExecStart=/bin/podman exec vpn-dbx--root bash -c "-weight: 500;">apt -weight: 500;">update -y && -weight: 500;">apt full--weight: 500;">upgrade -y" Restart=on-failure RestartSec=60 RemainAfterExit=yes -weight: 600;">sudo nano /etc/systemd/system/vpn-dbx--weight: 500;">upgrade.timer -weight: 600;">sudo nano /etc/systemd/system/vpn-dbx--weight: 500;">upgrade.timer -weight: 600;">sudo nano /etc/systemd/system/vpn-dbx--weight: 500;">upgrade.timer [Unit] Description=Upgrade vpn-dbx--root daily. [Timer] OnCalendar=daily Persistent=true RandomizeDelaySec=5min [Install] WantedBy=timers.target [Unit] Description=Upgrade vpn-dbx--root daily. [Timer] OnCalendar=daily Persistent=true RandomizeDelaySec=5min [Install] WantedBy=timers.target [Unit] Description=Upgrade vpn-dbx--root daily. [Timer] OnCalendar=daily Persistent=true RandomizeDelaySec=5min [Install] WantedBy=timers.target -weight: 600;">sudo -weight: 500;">systemctl daemon-reload && -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable vpn-dbx--weight: 500;">upgrade.timer -weight: 600;">sudo -weight: 500;">systemctl daemon-reload && -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable vpn-dbx--weight: 500;">upgrade.timer -weight: 600;">sudo -weight: 500;">systemctl daemon-reload && -weight: 600;">sudo -weight: 500;">systemctl -weight: 500;">enable vpn-dbx--weight: 500;">upgrade.timer -weight: 600;">sudo ufw -weight: 500;">status verbose -weight: 600;">sudo ufw -weight: 500;">status verbose -weight: 600;">sudo ufw -weight: 500;">status verbose -weight: 600;">sudo ufw allow <port>/tcp && -weight: 600;">sudo ufw allow <port>/udp -weight: 600;">sudo ufw allow <port>/tcp && -weight: 600;">sudo ufw allow <port>/udp -weight: 600;">sudo ufw allow <port>/tcp && -weight: 600;">sudo ufw allow <port>/udp firewall-cmd --get-zones firewall-cmd --get-zones firewall-cmd --get-zones -weight: 600;">sudo firewall-cmd --permanent --new-zone=vpn -weight: 600;">sudo firewall-cmd --permanent --new-zone=vpn -weight: 600;">sudo firewall-cmd --permanent --new-zone=vpn -weight: 600;">sudo firewall-cmd --reload -weight: 600;">sudo firewall-cmd --reload -weight: 600;">sudo firewall-cmd --reload firewall-cmd --get-zones firewall-cmd --get-zones firewall-cmd --get-zones nmcli connection show --active nmcli connection show --active nmcli connection show --active NAME UUID TYPE DEVICE YourConnectionName xxxxxxxxxxxxxxxxxxxxxxxxxxxxx wifi xxxxxx NAME UUID TYPE DEVICE YourConnectionName xxxxxxxxxxxxxxxxxxxxxxxxxxxxx wifi xxxxxx NAME UUID TYPE DEVICE YourConnectionName xxxxxxxxxxxxxxxxxxxxxxxxxxxxx wifi xxxxxx -weight: 600;">sudo firewall-cmd --zone=vpn --change-interface='YourConnectionName' --permanent -weight: 600;">sudo firewall-cmd --zone=vpn --change-interface='YourConnectionName' --permanent -weight: 600;">sudo firewall-cmd --zone=vpn --change-interface='YourConnectionName' --permanent -weight: 600;">sudo firewall-cmd --reload -weight: 600;">sudo firewall-cmd --reload -weight: 600;">sudo firewall-cmd --reload firewall-cmd --zone=vpn --list-interfaces firewall-cmd --zone=vpn --list-interfaces firewall-cmd --zone=vpn --list-interfaces firewall-cmd --zone=vpn --list-all firewall-cmd --zone=vpn --list-all firewall-cmd --zone=vpn --list-all -weight: 600;">sudo firewall-cmd —permanent —zone=vpn —add-port=<yourport>/tcp -weight: 600;">sudo firewall-cmd —permanent —zone=vpn —add-port=<yourport>/udp -weight: 600;">sudo firewall-cmd —permanent —zone=vpn —add-port=<yourport>/tcp -weight: 600;">sudo firewall-cmd —permanent —zone=vpn —add-port=<yourport>/udp -weight: 600;">sudo firewall-cmd —permanent —zone=vpn —add-port=<yourport>/tcp -weight: 600;">sudo firewall-cmd —permanent —zone=vpn —add-port=<yourport>/udp -weight: 600;">sudo firewall-cmd --reload -weight: 600;">sudo firewall-cmd --reload -weight: 600;">sudo firewall-cmd --reload -weight: 600;">sudo firewall-cmd --zone=public ---weight: 500;">remove-port=<yourport>/tcp --permanent -weight: 600;">sudo firewall-cmd --zone=public ---weight: 500;">remove-port=<yourport>/udp --permanent -weight: 600;">sudo firewall-cmd --zone=public ---weight: 500;">remove-port=<yourport>/tcp --permanent -weight: 600;">sudo firewall-cmd --zone=public ---weight: 500;">remove-port=<yourport>/udp --permanent -weight: 600;">sudo firewall-cmd --zone=public ---weight: 500;">remove-port=<yourport>/tcp --permanent -weight: 600;">sudo firewall-cmd --zone=public ---weight: 500;">remove-port=<yourport>/udp --permanent p=<port_number>; -weight: 500;">curl -s https://portcheck.transmissionbt.com/$p | grep -q '^1' && echo -e "\033[1;32m✅ Port $p is OPEN\033[0m" || echo -e "\033[1;31m❌ Port $p is CLOSED\033[0m" p=<port_number>; -weight: 500;">curl -s https://portcheck.transmissionbt.com/$p | grep -q '^1' && echo -e "\033[1;32m✅ Port $p is OPEN\033[0m" || echo -e "\033[1;31m❌ Port $p is CLOSED\033[0m" p=<port_number>; -weight: 500;">curl -s https://portcheck.transmissionbt.com/$p | grep -q '^1' && echo -e "\033[1;32m✅ Port $p is OPEN\033[0m" || echo -e "\033[1;31m❌ Port $p is CLOSED\033[0m" ✅ Port XXXXX is OPEN ✅ Port XXXXX is OPEN ✅ Port XXXXX is OPEN ❌ Port XXXXX is CLOSED ❌ Port XXXXX is CLOSED ❌ Port XXXXX is CLOSED - There are many connection protocols available, WireGuard, Stealth, WStunnel, OpenVPN, IKEv2 (on mobile). The differences between them depend on your use case WireGuard is the fastest. Stealth is a censorship circumvention (China, Russia, Iran), restrictive networks. WStunnel is a last-resort option for the toughest firewalls or corporate networks. - WireGuard is the fastest. - Stealth is a censorship circumvention (China, Russia, Iran), restrictive networks. - WStunnel is a last-resort option for the toughest firewalls or corporate networks. - If that's not enough, there are more to circumvent censorship, decoy traffic, MAC spoofing, and GPS spoofing. - Port forwarding is supported 🤫 - Split tunneling is supported. - CLI client for those on headless servers - Many DNS resolver profiles, blocking malware, ads, and trackers by default. - Static IP is available, along with static port for port forwarding. This is a killing feature for your remote home projects 🧰 - Config files for OpenVPN, IKEv2 and WireGuard are available. - Arcade sound for the connection! 👾🕹️ This feature sealed the deal for me 😆 - And many more, see all features! - WireGuard is the fastest. - Stealth is a censorship circumvention (China, Russia, Iran), restrictive networks. - WStunnel is a last-resort option for the toughest firewalls or corporate networks. - Install Distrobox - Configure Distrobox to use Podman - Create a Container 📦️ - Install Windscribe client in the Container - Enable the Client's Helper - Create a Desktop File on the Host - Make the Container Update Itself Automatically, Zero Maintenance! - It's easier to maintain as it uses a rolling release model, no need to worry about the EOL date of the image/OS. - It offers some x86-64-v3 packages, free performance boost!, just by installing the patterns-glibc-hwcaps-x86_64_v3 package. - I add the pipewire package to have the audio working for the arcade sound in the client 👾🕹️ - libxcb-shape0 and libnl-genl-3-200 are used by the client. - /run/dbus/system_bus_socket, /dev/net/tun, along with --cap-add=NET_ADMIN --cap-add=SYS_ADMIN are universally necessary for any app that wants to modify the state of your network. - -r is used to create a rootful container, for obvious reason.

🏷️ Tags

toolsutilitiessecurity toolsinstallwindscribeclientdistroboxcontainerlinuxdistro

More from Tools

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

Tools: Gas-Aware Trading: Execute Only When Gas Is Cheap (2026)

2026-03-30 0
Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

Tools: Grafana k6 Has a Free API That Load Tests Your APIs With JavaScript - Full Analysis

2026-03-30 0
Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

Tools: Caddy Has a Free API That Gives You Automatic HTTPS With Zero Configuration (2026)

2026-03-30 0
Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

Tools: Fly.io Has a Free API That Deploys Docker Apps Globally With Edge Hosting (2026)

2026-03-30 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views