Minor typo fixes & formatting improvements, authored by intrigeri
......@@ -111,14 +111,14 @@ don't, then how can we avoid tor being routed over the VPN?
In the branch `vpn-before-tor`, I gave a PoC implementation of the firewall. I tested Mullvad like this:
- nmcli connection import type wireguard file cc-loc-wg-001.conf
- nmcli connection up cc-loc-wg-001
- `nmcli connection import type wireguard file cc-loc-wg-001.conf`
- `nmcli connection up cc-loc-wg-001`
... and it works! I tested that:
- tor works.
- Unsafe Browser is routed through the VPN
- the clearnet user goes through the VPN
- if the VPN goes down (ie: nmcli connection down cc-loc-wg-001), tor and unsafe browser fail close. None of
- if the VPN goes down (ie: `nmcli connection down cc-loc-wg-001`), tor and unsafe browser fail closed. None of
their traffic goes to physical interfaces.
I think we could even only support Mullvad (or everything which has the same working, if there's more). In
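Review bot: the rewritten fail-closed item still abbreviates "ie:" rather than "i.e.,"; since this commit is a typo pass, fix it in the `+` line ("if the VPN goes down (i.e., `nmcli connection down cc-loc-wg-001`)"). The same list under "I tested that:" is also uneven: "tor works." ends with a period while the other three items do not, and "unsafe browser" in the fail-closed item is lowercase although the item two lines above writes "Unsafe Browser". Normalizing those three while touching these lines would match the commit's stated purpose.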
......@@ -130,21 +130,21 @@ fact:
from the UI, but I haven't tried.
To implement VPN-before-Tor, we need to distinguish if VPN is enabled or not. I propose we make it something
that cannot be changed during the session. We could even add it to the greeter. Whatever method we use, let's
that cannot be changed during the session. We could even add it to the Welcome Screen. Whatever method we use, let's
assume that during a single session, this information never changes.
If the VPN is off, everything works like Tails' does currently.
If the VPN is off, everything works like Tails does currently.
When the VPN is on, then the firewall rules need to be changed:
- only wireguard can use the network
- everything else that used to be able to use the network directly (clearnet and debian-tor) can now only use
- everything else that used to be able to use the network directly (`clearnet` and `debian-tor`) can now only use
the VPN interface
Subtleties:
- what if the user somehow imports/enables multiple VPNs? shall we try to forbid them to do so?
- how can the user import a VPN without being able to use the internet? should they keep it in a separate usb
- how can the user import a VPN without being able to use the internet? should they keep it in a separate USB
stick, then move it to Persistent Storage?
- How can we wait for the `VPN` to be ready, so that `tor` is started when it makes sense?
- How can we wait for the VPN to be ready, so that `tor` is started when it makes sense?
We could just ignore this, start tor anyway, and hope this is good enough.
#### Q: Will we need to write some UI that wraps NetworkManager and VPNs?
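Review bot: inline-code usage is inconsistent after this hunk. The `+` line wraps `clearnet` and `debian-tor` in backticks (they are user names, so that is right), but "only wireguard can use the network" in the item just above stays plain, and the `+` line for the readiness question drops the backticks from VPN while keeping them on `tor`. Reserve backticks for literal identifiers (users, commands, interface names) and apply that rule to `wireguard` too, so a reader can tell a user name from a concept. Minor: the "Subtleties:" items start lowercase except the last ("How can we wait"); pick one convention while these lines are being edited.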
......@@ -167,9 +167,9 @@ It might be that we assume that VPN mode ⇒ easy mode (over VPN).
If you were wondering: it won't fit in a (reasonably readable) QR code.
So passing it on a USB stick would work. Obviously, you could put it into Tails' persistence. Worst case:
- run Tails with persistent storage enabled and vpn disabled
- run Tails with persistent storage enabled and VPN disabled
- go to mullvad.net, download your file, put it in persistent storage
- reboot, enable both persistent storage and vpn
- reboot, enable both persistent storage and VPN
- you can now pick your file from some UI
#### Q: What about Unsafe Browser and captive portals?
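Review bot: capitalization is now uneven between hunks. The `+` lines here change "vpn" to "VPN" but leave "persistent storage" lowercase in "run Tails with persistent storage enabled" and "enable both persistent storage and VPN", while the previous hunk's `+` line writes "Persistent Storage", the feature's name. Use the capitalized form in these two items as well.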
......@@ -183,5 +183,3 @@ If we wanted to make captive portal work, we'd have 2 options:
the same fwmark set that wireguard is setting, so it ignores the `main` routing table.
2. the unsafe browser becomes the VPN browser after the VPN has been started
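Review bot: the two remaining context lines still read "wireguard" and "the unsafe browser", although the hunk above normalizes to "Unsafe Browser"; for a typo-and-formatting commit it would be consistent to extend the same capitalization here ("WireGuard", "Unsafe Browser"). Separately, the header `-183,5 +183,3` records two lines removed from the end of the file, but none of the removed lines are visible in this view; worth confirming they were only trailing blank lines.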