Add support for minimalistic installations

[zonescape]

Is there an existing issue that is already proposing this?

• I have searched the existing issues

Application

Outline Manager

What are you trying to do? What is your use case?

I am trying to install Outline server and setup Outline client. This issue is not about specific application but about the whole Outline product. I don't know whether this is the right place to write such issue but anyway.

Is your feature request related to a problem? Please describe it.

Let's take a look to the Outline from the perspective of different types of users:

• ordinary VPN users can't do anything but download some app and push "Connect" button. Working with servers is impossible for them. Any tiny glitch will make them stuck. They can't setup Outline on their own.
• experienced users don't need Outline Server & Outline Manager. This is unnecessary complication.
• VPN service providers obviously have their own deployment & monitoring tools. They don't need Outline Server & Outline Manager. Also config servers (AFAIK they are intended for use by service providers) look like terrible idea because such server is a perfect target for blocking. Moreover this is a very questionable idea in terms of security.

So I conclude that Outline users are pretty marginal. They must be experienced enough to deal with servers but they also need to cope with Outline Server & Outline Manager. I think this unnecessary complication repels them from Outline.

Describe the solution you'd like.

Remove Outline Server & Outline Manager.

I propose to add support for minimalistic installations where users have only outline-ss-server & some client installed. What should be done in this case:

1. Docker image for outline-ss-server. Currently you need to build it yourself.

2. Static access keys must support all connection types. Not only shadowsocks.

3. Easy way to generate static access keys & QR codes based on server config or parameters supplied via command line. Ideally this must be a command in the Docker image for outline-ss-server or a subcommand of outline-ss-server. Something like:

outline-ss-server gen-key <some-options>
outline-ss-server gen-qr <some-options>

As a source of inspiration, wireguard image has show-peer command which displays QR codes. This image can also display QR codes on the first run of the container. In our case, access keys in the URI form are also needed to support devices without QR scanners.

Describe alternatives you've considered

Alternative approaches for access key sharing

Secret hosting:

• doesn't look secure. This is security by obscurity.
• unusual port for secret server is prone for blocking

This OpenVPN image has relatively good example of secret hosting. The main point is that you run secret server for a short time just to fetch the secret. This is good enough when you share secrets with your family and friends.

# Run OpenVPN image, store container ID
CID=$(docker run -d --privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/dockvpn)

# Run config server, fetch config using generated URL, then stop the server
docker run -t -i -p 8080:8080 --volumes-from $CID jpetazzo/dockvpn serveconfig
https://YOUR.SERVER.EXTERNAL.IP:8080/
^C

Copy pasting configs is better then secret hosting but:

• suffer from formatting issues. Most likely config will be first copied to the intermediate place like messenger and subsequently copied to the Outline client. This intermediate place can mess the formatting which is essential for YAML.
• users should be careful enough to copy full config not part of it. Unexperienced users may not pay attention to this detail. "I copied what you sent me but it didn't work."

I would prefer a URI or QR code because you just need to click the link to add a new server. Manual connection setup (as a fallback) would also be a great option.

Repository with an example implementation

https://github.com/zonescape/outline-ss-server

[daniellacosse]

Okay, if I understand correctly, you're asking for a few features, here:

1. Hosted image for outline-ss-server (we could probably do that with github)
2. Universal access keys? I'm not sure if this is possible. Currently the information encoded into the ss:// key is specific to shadowsocks. JSON is a subset of YAML - we could encourage people to send a single minified line of JSON to counteract the UX issues you mentioned.
3. A sort of "Manager CLI". That's been requested here: Outline Manager CLI  #2254

Let me know if I have that right. If I do, we should make an issue for the first point.

[zonescape]

1. Hosted image for outline-ss-server

Yes

2. Universal access keys? I'm not sure if this is possible. Currently the information encoded into the ss:// key is specific to shadowsocks. JSON is a subset of YAML - we could encourage people to send a single minified line of JSON to counteract the UX issues you mentioned.

Yes, I am talking about universal access keys. I know that ss:// links are specific to shadowsocks. There must be some other format. The main goal is that all access information must be stored inside the key itself (no need to download anything). AFAIK Outline clients accept ssconf:// links but I didn't find the format. May be these links meet the requirement. As to whether these access keys must be a URI or a minified line of JSON is not that important. URI is just easier for end users.

3. A sort of "Manager CLI". That's been requested here: Outline Manager CLI Outline Manager CLI  #2254

No. #2254 assumes Outline Server installed. I propose to add support for minimalistic installations where Outline Server is not installed. Ideally this must be a command in the Docker image for outline-ss-server or a subcommand of outline-ss-server. Something like gen-key command in this example:

$ gen-key --host 1.2.3.4:443 --pass qwerty --prefix 'HTTP/1.1 '
ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpxd2VydHk=@1.2.3.4:443/?outline=1&prefix=HTTP%2F1.1%20

[daniellacosse]

Yes, I am talking about universal access keys. I know that ss:// links are specific to shadowsocks. There must be some other format. The main goal is that all access information must be stored inside the key itself (no need to download anything). AFAIK Outline clients accept ssconf:// links but I didn't find the format. May be these links meet the requirement. As to whether these access keys must be a URI or a minified line of JSON is not that important. URI is just easier for end users.

ssconf:// currently just is a link that pulls information from outside the key, so that's not what you're asking for here. Right, so basically an inlined universal format. Got it.

No. #2254 assumes Outline Server installed. I propose to add support for minimalistic installations where Outline Server is not installed. Ideally this must be a command in the Docker image for outline-ss-server or a subcommand of outline-ss-server. Something like gen-key command in this example:

You're asking for something that can be done with, like, docker container run?

[zonescape]

You're asking for something that can be done with, like, docker container run?

Yes. Let outline-ss-server is the image name for outline-ss-server command. Then access keys can be generated using this command:

$ docker run --rm outline-ss-server gen-key --host 1.2.3.4:443 --pass qwerty --prefix 'HTTP/1.1 '
ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpxd2VydHk=@1.2.3.4:443/?outline=1&prefix=HTTP%2F1.1%20

Key generator can either be a separate command or a subcommand of outline-ss-server.

[zonescape]

I made a repository with an example implementation of the proposal
https://github.com/zonescape/outline-ss-server

[daniellacosse]

I made a repository with an example implementation of the proposal https://github.com/zonescape/outline-ss-server

Wait this is so cool!! I'm showing the team

[fortuna]

@zonescape There are a number of assumptions in the original message that are not true. The Outline Manager has been instrumental in making Outline popular. But yes, larger providers use outline-ss-server.

You asked for an image, but one already exists for outline-server, which is more convenient. It sets up Prometheus metrics and the API you can use to generate keys.

Building the outline-ss-server is no issue. you simply call go build and you get a static binary. Easy!

There's a more flexible deployment that combines with a Caddy Server, making it easy to co-exist with a web server and support websockets: https://developers.google.com/outline/docs/guides/service-providers/caddy

You can find the advanced config format at https://developers.google.com/outline/docs/guides/service-providers/config

Regarding config formatting, you can use either JSON or the inline format, as YAML can parse JSON.

[zonescape]

@fortuna

The Outline Manager has been instrumental in making Outline popular.

I disagree. This may be true if we consider Outline as a privacy tool. But in places with real censorship all easy ways to set up Outline will not work because popular hosters like Digital Ocean are blocked. Therefore you need to deal with servers yourself. I think the only thing that gives Outline some popularity as a censorship circumvention tool (not privacy tool) is the fact that Outline clients are somehow available in the App Store & Play Market. And this advantage will disappear if they are removed.

You asked for an image, but one already exists for outline-server, which is more convenient.

I know about this image. This image is huge and contains a lot of unnecessary stuff. I am talking about minimalistic installations.

Building the outline-ss-server is no issue. you simply call go build and you get a static binary. Easy!

This is not easy. To deploy Outline this way you need:

• download source code
• install Go compiler
• build. This is not just go build. You may need cross-compilation and don't forget about outline-ss-server version (or updates can be painful).
• write systemd unit
• deploy
• somehow generate access key

PS
I feel that I may be misinterpreting Outline as a censorship circumvention tool and this is actually a privacy tool for inexperienced users who don't trust VPN providers like Proton. In this case Outline Server & Outline Manager make sense.

[jyyi1]

I apologize for any interruption, but I would like to clarify something.

But in places with real censorship all easy ways to set up Outline will not work because popular hosters like Digital Ocean are blocked.

Outline Manager is designed for regular users and can be set up on any servers, not just DigitalOcean.

However, if you're an advanced user and prefer not to use Outline Manager, you have the option to build and configure your own server.

[fortuna]

This is not easy. To deploy Outline this way you need:

• download source code
• install Go compiler
• build. This is not just go build. You may need cross-compilation and don't forget about outline-ss-server version (or updates can be painful).

The Go compiler installation is a one time thing. And it will pull new versions of it as needed.
Our server is pure Go (no cgo), so you can easily build for any platform.
By using @latest you will always have the latest.

We also have binary releases:
https://github.com/Jigsaw-Code/outline-ss-server/releases

We don't have Docker images for outline-ss-server though. It's one more thing to maintain.

[zonescape]

@jyyi1

Outline Manager is designed for regular users
(from screenshot) Log into your server

Regular users can't do this.

if you're an advanced user and prefer not to use Outline Manager, you have the option to build and configure your own server

Any open source project gives you that option. The question is how easy it is to install and then use the server. I propose to add support for this use case.

[zonescape]

@fortuna

We don't have Docker images for outline-ss-server though. It's one more thing to maintain.

This proposal is not about Docker image only. Universal static access keys and key generator are also important. As to the Docker image, I don't understand why this and many other projects consider Docker as a second class citizen. I treat Docker as the main modern method of packaging and distributing server software. I would rather don't offer to download executables than Docker images. Moreover outline-ss-server has Windows and MacOS releases. Servers with these OS are pretty rare. It is strange to have support for these OS and nothing for Docker.