Choosing the Right VPN for Porteus Kiosk
Porteus Kiosk is a highly specialised, read-only Linux distribution designed solely for running a locked-down browser in fullscreen mode. There’s no traditional desktop environment, no Apt or DNF on the machine itself, and installation of extra software must happen by injecting modules (.xzm) at build time or via the online Kiosk Wizard. Typical users of Porteus Kiosk are system administrators deploying public terminals or secure browsing stations—they value stability, minimal attack surface and predictable boot behaviour above all.
Given these constraints, the ideal VPN solution for Porteus Kiosk will:
- Be fully command-line driven (no GUI dependencies).
- Support either OpenVPN or WireGuard, since these protocols can be packaged into a single module.
- Require minimal external libraries beyond what Porteus already provides (openssl, iptables, kernel-space modules).
- Offer reliable kill-switch or leak-protection scripts that you can wire into the kiosk’s startup.
Below are four providers that meet these criteria. We’ll dive into why they work well on Porteus Kiosk, compare their core features, then cover step-by-step instructions to install and configure the top two on your next kiosk build.
VPN Comparison Table
| Provider | Protocols | CLI Tool | Kill Switch | Leak Protection | Custom Scripting | Website |
|---|---|---|---|---|---|---|
| Mullvad | WireGuard, OpenVPN | Yes (mullvad-cli) | Built-in | DNS, IPv6 | Full JSON config export | Mullvad VPN |
| ProtonVPN | WireGuard, OpenVPN | Yes (protonvpn-cli-ng) | Built-in | DNS | Easy key-file import | ProtonVPN |
| NordVPN | WireGuard (NordLynx), OpenVPN | Yes (nordvpn) | Built-in | DNS, IPv6 | Simple CLI & systemd hooks | NordVPN |
| Private Internet Access | WireGuard, OpenVPN | Yes (piactl) | Built-in | DNS, IPv6 | Shell-script friendly | PIA |
Why Mullvad and ProtonVPN Shine on Porteus Kiosk
Of the four, Mullvad and ProtonVPN tick the most boxes for kiosk deployments:
- Small footprint: Mullvad’s WireGuard configs are single‐file and require only the kernel module plus tools. ProtonVPN-CLI is a pure-Python client that relies only on OpenSSL.
- Scripting friendly: Both support easy export of VPN configuration to a folder you can bundle inside your custom kiosk module.
- Leak protection: They publish example kill-switch scripts you can adapt to the kiosk’s --postlogin hook in the Wizard or embed into a startup hook.
- Offline packaging: You can convert their Linux packages into Porteus .xzm modules with convert2xzm on your build host.
Preparing Your Custom Modules
Before diving into installation steps, remember that Porteus Kiosk uses .xzm modules. You’ll need a build host (any standard Porteus or Slackware machine) with convert2xzm installed. For each VPN client:
- Download the .deb or .tar.gz for the CLI tool.
- Convert it to .xzm: convert2xzm yourpackage.deb vpnclient.xzm.
- Include that module under “Additional Modules” in the Kiosk Wizard or manually place it in the porteus-kiosk/modules/ folder before ISO creation.
1. Installing Mullvad (WireGuard)
Step A: Build the Mullvad module
```sh
# On your build host
wget https://mullvad.net/media/client_deb/mullvad-latest.deb
convert2xzm mullvad-latest.deb mullvad.xzm
# Also package the WireGuard tools if not already present
apt-get download wireguard-tools
# The downloaded file name carries the package version, so match it with a glob
convert2xzm wireguard-tools_*_amd64.deb wireguard-tools.xzm
```
Step B: Generate a WireGuard config
```sh
# Locally on your build host
mullvad account status   # to ensure CLI works
mullvad generate wireguard --output wg0.conf
```
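Copy wg0.conf into a folder named etc/wireguard/ inside a mini-module. The file contains the tunnel’s private key, so treat the resulting module and any ISO built from it as secrets:
```sh
# Create a custom module for configs
mkdir -p configs/etc/wireguard
mv wg0.conf configs/etc/wireguard/
convert2xzm configs mullvad-wg-config.xzm
```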
Step C: Configure Porteus Kiosk to start the VPN
In the Kiosk Wizard under “Custom Command Line Parameters,” add:
```
--postlogin /usr/bin/wg-quick up wg0 iptables -W
```
This ensures WireGuard comes up before the browser launch and enforces leak protection via firewall rules.
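The firewall rules that Step C relies on are not spelled out above. One way to derive fail-closed rules from the bundled wg0.conf, as an added example that is not part of the original article or of Mullvad's or Porteus Kiosk's own tooling: the function names and the sample config are constructed, and it assumes iptables and ip6tables exist on the kiosk and that Endpoint is an IPv4 literal.

```sh
#!/bin/sh
# Added example: print fail-closed firewall rules derived from a wg-quick
# config. Nothing is applied here; review the output, then run it as root.

# Print "addr port" for the first Endpoint line, or nothing when the
# endpoint is not an IPv4 literal (loose shape check, not octet validation).
wg_endpoint() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1 |
        sed -n 's/^\([0-9.]\{7,15\}\):\([0-9]\{1,5\}\)[[:space:]]*$/\1 \2/p'
}

# killswitch_rules CONF [IFACE]: drop all outbound traffic except loopback,
# the tunnel interface and the encrypted UDP flow to the VPN server.
killswitch_rules() {
    ks_if=${2:-wg0}
    # A hostname endpoint would need a DNS lookup outside the tunnel,
    # so anything but addr:port is refused.
    set -- $(wg_endpoint "$1")
    [ $# -eq 2 ] || { echo "Endpoint must be IPv4:port" >&2; return 1; }
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $ks_if -j ACCEPT
iptables -A OUTPUT -p udp -d $1 --dport $2 -j ACCEPT
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -o $ks_if -j ACCEPT
EOF
}

# Constructed sample config: documentation-range address, placeholder keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 198.51.100.7:51820
EOF
killswitch_rules "$sample"
rm -f "$sample"
```

Applying the printed rules before the tunnel is brought up means the browser has no route to the network if wg0 fails to start. If the kiosk renews a DHCP lease through the filter, add a rule for that traffic.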
2. Installing ProtonVPN (OpenVPN / WireGuard)
Step A: Build the ProtonVPN-CLI module
```sh
# On build host
wget https://repo.protonvpn.com/debian/pool/main/p/protonvpn-cli/protonvpn-cli_3.4.0-1_all.deb
convert2xzm protonvpn-cli_3.4.0-1_all.deb protonvpn-cli.xzm
```
Step B: Pre-fetch VPN profiles
```sh
# Authenticate and fetch a profile
protonvpn-cli login YOUR_USERNAME
protonvpn-cli configure --proton-openvpn --output /tmp/pvpn-ovpn/
# Bundle OVPN files
convert2xzm /tmp/pvpn-ovpn protonvpn-ovpn-config.xzm
```
Step C: Wire it into Kiosk startup
```sh
# Kiosk Wizard → Custom Command Line Parameters
--postlogin /usr/local/bin/protonvpn-cli connect --sc on --p2p off
until ping -c1 1.1.1.1
do
  sleep 1
done
```
Here we connect via ProtonVPN’s OpenVPN backend, check for network reachability, then allow the browser to launch.
Quick Tips for Leak-Free Operation
- Always test your module combo in a local VM before deploying to hardware.
- Use the kiosk’s built-in “Cryptik” option to force the root filesystem read-only.
- Combine iptables rules into a single firewall.xzm module if you need extra port filtering.
- For advanced setups, you can script automatic key rotation on each reboot by embedding a small shell script in /opt/kiosk_autostart.sh.
Conclusion
By choosing Mullvad or ProtonVPN and packaging their CLI tools, protocol modules and config bundles into .xzm modules, you maintain the locked-down, read-only integrity of Porteus Kiosk while giving your users secure, private browsing. With just a few steps in the Kiosk Wizard and some lightweight bash hooks, you’ll have a robust VPN tunnel protecting every kiosk session.