some research on VPN solutions authored by boyska
......@@ -43,6 +43,8 @@ make other apps go through the same VPN as well (eg. Signal for calls).
Having an option to use a VPN instead of Tor for the whole system and keep Tor
Browser to use Tor only.
We probably need to have our own UI (or, lot of glue code) to configure the VPN.
# Technical solutions that we didn't envision
Some users have requested support for VPNs in Tails to improve Tor's anonymity,
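Review bot: "lot of glue code" should read "a lot of glue code", and the sentence "We probably need to have our own UI (or, a lot of glue code) to configure the VPN." asserts a decision that the "VPN Browser" open question in this same change still leaves undecided ("Shall we write our own UI to configure VPN (definitely painful), or use the GNOME one?"). Either soften it ("We may need our own UI ...") with a pointer to the "How would users configure their VPN?" open question, or move the sentence down there so the two places do not disagree. The preceding fragment "Having an option to use a VPN instead of Tor for the whole system and keep Tor Browser to use Tor only." also has no main verb; "Have an option ..." or "Having an option ... would let users ..." would fix it.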
......@@ -60,9 +62,70 @@ Table of user benefits depending on the technical solution:
|--------------------------------|-------------------------------|-----------------------|----------------------------|---------------------------------|
| Access services that block Tor | Yes, in VPN browser | Yes | Yes | Yes, except in Tor Browser |
| Access private VPN services | Yes, in VPN browser | Yes | Yes, in VPN browser | Yes, in VPN browser |
| Use WebRTC services | Yes, in VPN browser | ??? | Yes, in VPN browser | Yes, in VPN browser |
| Use WebRTC services | Yes, in VPN browser | Yes (but very slow!) | Yes, in VPN browser | Yes, in VPN browser |
| Have a videocall w/ browser | Yes, in VPN browser | No | Yes, in VPN browser | Yes, in VPN browser |
| Circumvent censorship | Another PT | Depends on VPN | Depends on VPN | Depends on VPN |
| Have strong anonymity | Yes, except in VPN browser | Yes, if anonymous VPN | Yes, except in VPN browser | No, except in Tor Browser |
| Have higher speed | Yes, in VPN browser | No | Yes, in VPN browser | Yes |
| Can pay for quality of service | Optional, in VPN browser | No | Optional, in VPN browser | Optional, except in Tor Browser |
| Hide location from VPN service | No | Yes | No | No |
# Open questions
## META: What does "Circumvent censorship" mean?
Do we mean "Circumvent Tor blockage"? Or "Visit a website that is censored in many countries" ?
## META: what is an anonymous VPN?
## Can we use WebRTC in "Tor before VPN"?
## How would users configure their VPN?
... and how would this interact with Tor Connection?
A short research says that reusing the GNOME Network Manager should be possible (at least in some cases),
*but* this opens the door to the user being able to fiddle with plenty of options, which could result in users
shooting in their feet.
### System VPN + Tor Browser
First question: why don't VPN work *now*? Is it "just" because they are blocked by firewall?
If this is the case, then it might be enough to change firewall rules so that VPN software can work. Ideally,
this would only happen in a NetworkManager hook which detects if the user actually configured a VPN.
To be sure that `tor` runs over the physical interface, and not over the VPN, we need to have some magic with
routing table. It should be feasible to have a dedicated routing table for a specific user (`iptables -I
mangle -m owner ... -j mark` + `ip rule add fwmark 3 table foobar`).
### VPN Browser
Shall we write our own UI to configure VPN (definitely painful), or use the GNOME one?
If we use the GNOME one, how can we avoid the new VPN being used as part of the `main` routing table? If we
don't, then how can we avoid tor being routed over the VPN?
### VPN before Tor
To make VPN work, we need to change lot of firewall rules. This could mean that the user has "VPN" as an
option in Tor Connection (so it becomes easy mode / hide mode / vpn mode). Selecting that option would:
- change firewall rules so that VPN can actually send packets wherever they need to
- _Q_: how can we enforce that *only* VPN software can do that? Is it enough to only allow specific users
(`root`, or some `vpn-specific` user maybe) to send packets? Can we have specific iptables rules that
allow only the vpn software to send packets?
- Counterintuitively, *forbid* `tor` to send any packets on the physical interface, but allow it to send
packets to VPN interfaces (`tun0` usually)
- spawn the GNOME VPN configuration utility
- _Q_: wouldn't that have too many knobs, leading to the user being more easily able to shoot themselves in the
feet?
I tested OpenVPN. While the GNOME interface clearly puts the focus on the most relevant details, there's
plenty of space for fiddling available.
- _Q_: can we validate the configuration (which also means we only support a subset of the VPN that GNOME would
support)?
kinda: we can get [an event](https://developer-old.gnome.org/NetworkManager/stable/gdbus-org.freedesktop.NetworkManager.Settings.html#gdbus-signal-org-freedesktop-NetworkManager-Settings.NewConnection) very early, but NetworkManager won't wait for us to handle it. So we need to quickly validate and, if everything works, do the appropriate firewall changes that will allow connections to be performed. If there is something we don't like, we can't provide information context. Sure, we can open a window, or a notification, but that will be a bit out of place.
- wait for `VPN` to be initialized, then start `tor` with the same configuration we use in easy mode.
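Review bot: the iptables fragment under "System VPN + Tor Browser" is not valid syntax and will mislead whoever implements it: `-I` takes a chain name, `mangle` is a table selected with `-t`, the owner match needs `--uid-owner`, and the target is `MARK --set-mark`, so `iptables -I mangle -m owner ... -j mark` should read something like `iptables -t mangle -A OUTPUT -m owner --uid-owner <tor-user> -j MARK --set-mark 3` (the owner match only exists in OUTPUT, which is fine for locally generated tor traffic). The companion `ip rule add fwmark 3 table foobar` additionally needs `foobar` to be a numeric id or an entry in `/etc/iproute2/rt_tables`, and that table needs its own default route via the physical interface (`ip route add default via <gw> dev <phys-if> table foobar`), otherwise the marked packets have no route at all; please also add a verification step such as `ip route get <dst> mark 3` so we can confirm tor's packets really bypass the VPN before relying on it as the anonymity boundary. Two smaller points: the "Use WebRTC services" row appears twice in the table with different values (`???` and `Yes (but very slow!)`), which looks like an old and new line that both survived, so keep only one, and the "## META: what is an anonymous VPN?" heading has no body even though the table's "Yes, if anonymous VPN" cell depends on that definition.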