Effortless privacy for Omarchy Linux.
LazyVPN replaces manual network configuration with a fast, keyboard-driven interface. Browse thousands of servers, connect instantly, and stay protected with an ironclad killswitchβall without leaving your keyboard.
- Quick Start
- Screenshots
- Why LazyVPN?
- Installation
- Dynamic Server Browser
- Intelligent Server Naming
- Security Architecture
- Privacy & Logging
- Usage Guide
- Troubleshooting
- Roadmap
- License
Get connected in 30 seconds:
git clone https://github.com/blank-query/lazyVPN-for-Omarchy.git
cd lazyVPN-for-Omarchy
./install_lazyVPN.shπ That's it! Press SUPER+SHIFT+L to launch the menu.
- Select Dynamic Server List.
- Load one WireGuard config from your provider to authenticate.
- Instantly browse and connect to thousands of servers.
View More Screenshots
- β‘ Blazing Fast: Built with
fzfandjaqfor instant server filtering and navigation. - π No More Manual Configs: The new Dynamic Browser lets you access your provider's entire fleet with just one setup step.
- π‘οΈ Ironclad Security: Firewall-based killswitch and kernel-level IPv6 leak protection that persist across reboots.
- πΉ Keyboard Centric: Navigate, filter, and connect entirely with hotkeys.
- π§ Smart Automation: Auto-connects to the fastest server on boot and self-heals if the connection drops.
- π¨ Beautiful Integration: Seamlessly integrates with your Waybar and Omarchy desktop environment.
The installer automatically handles all software dependencies (fzf, jaq, bc, iptables, etc.).
You only need:
- Omarchy Linux (Strictly required for system integration)
- A VPN provider that supports WireGuard
- An internet connection
Supported Providers: β ProtonVPN (Verified & Recommended - has free tier) π§ͺ Mullvad (Lightly tested - should work) π§ͺ IVPN, PIA, NordVPN, Surfshark (Experimental - Help us test!)
git clone https://github.com/blank-query/lazyVPN-for-Omarchy.git
cd lazyVPN-for-Omarchy
./install_lazyVPN.shDuring installation, you can choose to enable passwordless sudo for seamless VPN operations (recommended).
Stop downloading hundreds of config files.
LazyVPN revolutionizes how you manage servers. Instead of cluttering your disk with static .conf files, you now have live access to your provider's network.
- One-Time Setup: Authenticate once with a single config file.
- Live Updates: Server data is sourced from the excellent gluetun project (MIT License), ensuring robust and up-to-date server lists.
- Powerful Filters:
1-5: Toggle P2P, Tor, Secure Core, Streaming, Free6: Random Connect (selects randomly from currently filtered list)7: Quickest (tests latency of currently filtered servers)9: Favorite (Star the best servers to save them to "My Servers")
Note: Feature filters work best with ProtonVPN. Mullvad does not publish per-server feature data, so their servers won't appear when filtering by P2P, Tor, etc. (Mullvad supports port forwarding globally via their API, not per-server.)
LazyVPN automatically parses cryptic filenames and metadata to present clean, readable server names with feature indicators.
| Raw Config Name | LazyVPN Display |
|---|---|
proton-us-ny-03 |
πΊπΈ United States - New York (US-NY#3) |
se-sto-p2p-05 |
πΈπͺ Sweden - Stockholm (SE-STO#5) π |
ch-us-01 |
π¨π Switzerland β πΊπΈ United States (CH-US#1) π |
Feature Indicators:
| Emoji | Feature |
|---|---|
| π | P2P / Port Forward |
| π | Secure Core (Multi-Hop) |
| π§ | Tor Routing |
| πΊ | Streaming Optimized |
| π€‘ | Free Tier |
| β | Favorite |
Your personal dashboard combining:
- β Favorites: Servers you starred in the Dynamic Browser.
- π Manual Configs: Custom WireGuard files you've imported manually.
LazyVPN is built on a "least privilege" security model, ensuring your system stays secure while offering the convenience of a TUI.
The core application runs as your normal user. Root access is strictly isolated to specific operations via the lazyvpn-file-helper script.
- Validated Operations: The helper script strictly validates all inputs (paths, filenames, content) to prevent path traversal or symlink attacks.
- No Blanket Access: The main application cannot modify arbitrary system files. It can only request the helper to write specific WireGuard configs to
/etc/systemd/network/.
Your sensitive data stays in your control.
- Private Keys: Stored in
~/.config/lazyvpn/providers/and~/.config/lazyvpn/wireguard/withchmod 600permissions (read/write only by you). - Runtime Only: Private keys are never stored permanently in global system directories. They are injected into ephemeral
systemd-networkdruntime configurations only when you actively connect, and are removed upon disconnection.
The installer configures /etc/sudoers.d/lazyvpn to allow passwordless execution only for a specific allowlist of commands required for VPN operation:
networkctl(to manage the interface)iptables(to manage the killswitch firewall rules)lazyvpn-file-helper(for secure file operations)
You are in control. LazyVPN never initiates network traffic without your explicit command.
- No Phone Home: It does not check for updates, send telemetry, or report usage statistics.
- On-Demand Only: Server lists are only refreshed when you explicitly run the fetch command or select "Refresh" in the menu.
- No Background Chatter: The auto-recover daemon only pings your VPN endpoint to check connectivity; it sends no other data.
LazyVPN doesn't just "delete" files; it ensures they are irrecoverable.
- Shred-by-Default: Uses
shred -u(3-pass overwrite) for all credentials, configs, and logs. - Smart Journal Scrubbing: Instead of nuking your entire system log, it identifies specific binary journal files containing VPN traces (IPs, server names, interface IDs) and shreds only those files.
- Surgical History Cleaning: For shell history (
.bash_history, etc.), it creates a sanitized copy, securely shreds the original tainted file, and restores the clean version to preserve your non-VPN history. - Interactive Recovery: If a wipe fails (e.g., due to root ownership), the tool provides diagnostic logs and prompts for
sudo shredescalation, ensuring no "false success" reports.
LazyVPN is designed with a "zero-knowledge" philosophy for your local machine. We prioritize data sovereignty and explicit user consent.
- No Logs by Default: LazyVPN does not log your activity, connection times, or errors unless you explicitly enable Debug Mode.
- Opt-In Debugging: If you need to troubleshoot an issue, you can enable temporary logging in Settings > Advanced > Debug Logging.
- Granular Categories: Enable logging for specific subsystems (Connection, Auto-recover, Firewall, Provider Parsing, or Autostart) to keep data collection minimal.
- Safe Mode (Default): Debug logs automatically redact sensitive metadata, including WireGuard private keys and public IP addresses.
- Verified Secure Deletion: Unlike standard tools that simply "delete" files, LazyVPN uses
shred -u(overwrite and remove) for all logs and configuration files. - Explicit Feedback: Every file operation provides explicit feedback. If a secure wipe fails (e.g., due to permissions), the tool prompts you to escalate to
sudo shredor force-remove, ensuring you are never under a false sense of security. - Clean Uninstallation: The uninstaller securely shreds all local logs, credentials, and cache. It also performs a surgical scrub of VPN-related entries from your system journal and shell history (see Security Architecture for details).
Open Menu: SUPER+SHIFT+L
Navigate: Arrow keys and Enter. Esc to go back.
LazyVPN works silently in the background to keep you safe.
- Firewall Killswitch: Blocks all traffic if the VPN drops. Can be configured to allow local network (printer/NAS) access.
- Auto-Recover: Background daemon monitors connection health and reconnects automatically.
- Auto-Failover: If a server goes down, automatically switches to the next best server.
- IPv6 Leak Protection: Blocks IPv6 traffic at the kernel level to prevent leaks.
Verify your privacy directly from the Settings menu:
- Latency Test: Ping check to current server.
- Speedtest: 10MB download test.
- IP & DNS Leak: Opens
ipleak.netin your browser.
LazyVPN isn't just an app; it's part of your Omarchy desktop.
- Waybar Status: A custom module appears automatically when connected, showing your provider, location flag, and IP. Click to open the menu.
- Omarchy Menu: Fully integrated into the main system menu (
SUPER+ALT+SPACE) with the native Omarchy visual style. - Keybinding Helper: Automatically registers
SUPER+SHIFT+Lin the Omarchy keybinding cheat sheet (SUPER+K). - Desktop Notifications: Native notifications for connection status and auto-recovery events.
LazyVPN exclusively supports WireGuard. We do not support OpenVPN, and here is why:
- Performance: WireGuard runs in the Linux kernel, offering significantly higher throughput and lower CPU usage than OpenVPN.
- Instant Connection: WireGuard is stateless. Roaming between networks (WiFi/Ethernet) and connecting to servers is near-instantaneous.
- Native Integration: By using WireGuard, we can leverage
systemd-networkddirectly, avoiding heavy external daemons and ensuring rock-solid stability. - Simplicity: WireGuard's modern codebase (~4k lines vs OpenVPN's 100k+) aligns with our philosophy of security and minimalism.
Network Stack: Uses systemd-networkd for WireGuard interface management (not wg-quick)
Firewall: Custom iptables chains (LAZYVPN_OUT for IPv4/IPv6)
DNS: Integrates with systemd-resolved for DNS privacy
Privilege Model: Minimal sudo scope via /etc/sudoers.d/lazyvpn
Configuration Files:
- Settings:
~/.config/lazyvpn/config - Manual server configs:
~/.config/lazyvpn/wireguard/*.conf(chmod 600) - Provider credentials:
~/.config/lazyvpn/providers/*.conf(chmod 600)
To remove LazyVPN and all associated files:
lazyvpn-uninstall (or via Settings menu)
Secure Deletion: You will be prompted to securely shred credential files, config files, and sanitize shell history. The uninstaller uses interactive secure deletion to ensure all files are irrecoverably destroyed.
Killswitch blocks all traffic
- Check "KS on Disconnect" setting. If set to "Never", internet remains blocked until you reconnect.
- Emergency Disable: Run
lazyvpn-disable-killswitchfrom terminal.
Provider setup shows "Invalid or sanitized private key"
- ProtonVPN: Re-downloading an existing config gives a sanitized key (
****). You must generate a new config from the Proton dashboard.
- Encrypted configuration storage for server/provider confs containing private keys.
- Expanded support/testing for additional VPN providers.
- Develop a custom, integrated TUI for a more seamless and responsive user experience.
Suggestions welcome! Open an issue on GitHub.
The previous version of LazyVPN (without dynamic server browser) is preserved in the old-stable branch.
MIT License - Copyright (c) 2025 blank-query
WireGuard is a registered trademark of Jason A. Donenfeld.