Minor typo fixes & formatting improvements
authored Jun 06, 2024 by intrigeri
VPN-support.md @ 25afa959
@@ -111,14 +111,14 @@ don't, then how can we avoid tor being routed over the VPN?
In the branch
`vpn-before-tor`
, I gave a PoC implementation of the firewall. I tested Mullvad like this:
In the branch
`vpn-before-tor`
, I gave a PoC implementation of the firewall. I tested Mullvad like this:
-
nmcli connection import type wireguard file cc-loc-wg-001.conf
-
`
nmcli connection import type wireguard file cc-loc-wg-001.conf
`
-
nmcli connection up cc-loc-wg-001
-
`
nmcli connection up cc-loc-wg-001
`
... and it works! I tested that:
... and it works! I tested that:
-
tor works.
-
tor works.
-
Unsafe Browser is routed through the VPN
-
Unsafe Browser is routed through the VPN
-
the clearnet user goes through the VPN
-
the clearnet user goes through the VPN
-
if the VPN goes down (ie: nmcli connection down cc-loc-wg-001), tor and unsafe browser fail close. None of
-
if the VPN goes down (ie:
`
nmcli connection down cc-loc-wg-001
`
), tor and unsafe browser fail close
d
. None of
their traffic goes to physical interfaces.
their traffic goes to physical interfaces.
I think we could even only support Mullvad (or everything which has the same working, if there's more). In
I think we could even only support Mullvad (or everything which has the same working, if there's more). In
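Review bot: in the fail-closed bullet, `ie:` is left as is while the rest of the paragraph gets typo fixes; since `nmcli connection down cc-loc-wg-001` is given as an example of the VPN going down, `e.g.` reads better than `ie:`. The two commands `nmcli connection import type wireguard file cc-loc-wg-001.conf` and `nmcli connection up cc-loc-wg-001` are consecutive shell commands, so one fenced shell block would render more readably than two bullets of inline code, and it is worth saying that `cc-loc-wg-001` stands for whatever name Mullvad gave the downloaded WireGuard config. The change from `fail close` to `fail closed` is correct.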
@@ -130,21 +130,21 @@ fact:
from the UI, but I haven't tried.
from the UI, but I haven't tried.
To implement VPN-before-Tor, we need to distinguish if VPN is enabled or not. I propose we make it something
To implement VPN-before-Tor, we need to distinguish if VPN is enabled or not. I propose we make it something
that cannot be changed during the session. We could even add it to the
greeter
. Whatever method we use, let's
that cannot be changed during the session. We could even add it to the
Welcome Screen
. Whatever method we use, let's
assume that during a single session, this information never changes.
assume that during a single session, this information never changes.
If the VPN is off, everything works like Tails
'
does currently.
If the VPN is off, everything works like Tails does currently.
When the VPN is on, then the firewall rules need to be changed:
When the VPN is on, then the firewall rules need to be changed:
-
only wireguard can use the network
-
only wireguard can use the network
-
everything else that used to be able to use the network directly (clearnet and debian-tor) can now only use
-
everything else that used to be able to use the network directly (
`
clearnet
`
and
`
debian-tor
`
) can now only use
the VPN interface
the VPN interface
Subtleties:
Subtleties:
-
what if the user somehow imports/enables multiple VPNs? shall we try to forbid them to do so?
-
what if the user somehow imports/enables multiple VPNs? shall we try to forbid them to do so?
-
how can the user import a VPN without being able to use the internet? should they keep it in a separate
usb
-
how can the user import a VPN without being able to use the internet? should they keep it in a separate
USB
stick, then move it to Persistent Storage?
stick, then move it to Persistent Storage?
-
How can we wait for the
`
VPN
`
to be ready, so that
`tor`
is started when it makes sense?
-
How can we wait for the VPN to be ready, so that
`tor`
is started when it makes sense?
We could just ignore this, start tor anyway, and hope this is good enough.
We could just ignore this, start tor anyway, and hope this is good enough.
#### Q: Will we need to write some UI that wraps NetworkManager and VPNs?
#### Q: Will we need to write some UI that wraps NetworkManager and VPNs?
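Review bot: capitalisation is now inconsistent within this hunk: `USB`, `VPN` and `Welcome Screen` were fixed, but `only wireguard can use the network` still writes the project name in lowercase (it is WireGuard), and `We could just ignore this, start tor anyway` uses bare `tor` while the bullet just above it formats the daemon as `` `tor` ``. Suggest `WireGuard` and `` `tor` `` there for the same consistency the commit is aiming at. Replacing `greeter` with `Welcome Screen` is the right user-facing term.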
@@ -167,9 +167,9 @@ It might be that we assume that VPN mode ⇒ easy mode (over VPN).
If you were wondering: it won't fit in a (reasonably readable) QR code.
If you were wondering: it won't fit in a (reasonably readable) QR code.
So passing it on a USB stick would work. Obviously, you could put it into Tails' persistence. Worst case:
So passing it on a USB stick would work. Obviously, you could put it into Tails' persistence. Worst case:
-
run Tails with persistent storage enabled and
vpn
disabled
-
run Tails with persistent storage enabled and
VPN
disabled
-
go to mullvad.net, download your file, put it in persistent storage
-
go to mullvad.net, download your file, put it in persistent storage
-
reboot, enable both persistent storage and
vpn
-
reboot, enable both persistent storage and
VPN
-
you can now pick your file from some UI
-
you can now pick your file from some UI
#### Q: What about Unsafe Browser and captive portals?
#### Q: What about Unsafe Browser and captive portals?
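Review bot: `vpn` was capitalised to `VPN` in both bullets, but `run Tails with persistent storage enabled` and `put it in persistent storage` still use lowercase, whereas the previous hunk's `move it to Persistent Storage?` uses the product name; suggest `Persistent Storage` in all three places, and `Tails' persistence` on the line above could become `Tails' Persistent Storage` for the same reason.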
@@ -183,5 +183,3 @@ If we wanted to make captive portal work, we'd have 2 options:
the same fwmark set that wireguard is setting, so it ignores the
`main`
routing table.
the same fwmark set that wireguard is setting, so it ignores the
`main`
routing table.
2.
the unsafe browser becomes the VPN browser after the VPN has been started
2.
the unsafe browser becomes the VPN browser after the VPN has been started
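Review bot: the header `@@ -183,5 +183,3 @@` says two lines were removed, but the rendered view shows no removed content, so a reviewer cannot tell what was dropped (trailing blank lines would be the obvious candidate); a word in the commit message would help. Same consistency point as in the earlier hunks: `the same fwmark set that wireguard is setting` should read `WireGuard`, and `the unsafe browser becomes the VPN browser` writes `unsafe browser` in lowercase while the first hunk writes `Unsafe Browser`.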