summaryrefslogtreecommitdiff
path: root/src/leap/bitmask/vpn
AgeCommit message (Collapse)Author
2018-01-26[bug] don't check for updates on polkit just for its existenceRuben Pollan
We don't update the polkit file normally, for now let's check if it's installed. It should be more clever, detecting wich file is needed, depending on wich bitmask-root will be executed. But for now it's just a dummy check.
2018-01-25[tests] workaround for functional tests in dockerKali Kaneko
polkit doesn't work inside docker.
2018-01-25[bug] do not fail if the provider does not allow anonymous vpnKali Kaneko
Since bonafide was not catching the error 401, an attempt to bootstrap a provider that does not support anonvpn with the new setup was resulting in a json that was containing only an error message. this was producing an error when trying to access the configuration for that provider's EIP section. we now avoid writing a json config file if an error 401 is found, and also catch the exception for a ValueError when the EIP section is not found in the provider's configuration.
2018-01-25[bug] several fixes after reviewKali Kaneko
2018-01-25[feat] report missing polkit properly from main UIKali Kaneko
also refactor and move polkit_agent so that it does not depend on having bitmask on the path.
2018-01-25[bug] check if attribute existsKali Kaneko
2018-01-25[feat] autostart application when user logs inKali Kaneko
2018-01-25[feat] implement autostart for vpnKali Kaneko
2018-01-25[feat] implement vpn status watchdogKali Kaneko
2018-01-25[feat] hardcode tcp4 in vpn connectionsKali Kaneko
for now, we'll be hardcoding tcp as a more reliable alternative, no matter what the provider announces. explicitely specifying ipv4 should fix the case in which vpn fails to start because ipv6 is disabled. -Resolves: #9181, #9129
2018-01-25[feat] support anonymous vpnKali Kaneko
honor the anonymous certificate for the providers that offer it. this still needs a change in bonafide, in which if provider supports anonymous access we still have to download eip-service.json for testing, I assume this has been already manually downloaded.
2018-01-25[feat] get cert automatically on vpn startKali Kaneko
2018-01-16[bug] fix the systemctl runRuben Pollan
2018-01-12[feat] bump bitmask-root versionRuben Pollan
2018-01-12Add Qubes DNS support, fixesChristopher Laprise
2018-01-12Add anti-leak rules for qubes-firewallChristopher Laprise
2018-01-09[bug] fix issues with dns resolution with systemd-resolvedRuben Pollan
In ubuntu 17.10 some changes with systemd-resolved broke our firewall, blocking all DNS queries. The masquerade rules in the firewall, that are used to rewrite the source IP address of the DNS queries, were wrongly modifying the queries to systemd-resolved. Let's apply masquerade only to the packets addressed to the nameserver. - Resolves: #9137
2018-01-08[feat] try other gateways if the main one failsRuben Pollan
Removing '--persist-ip' param on openvpn it will try to connect to a different gateway if the first one fails. This means, that in case of network disconnection for some minutes bitmask will keep rotating between the different gateways and one the network comes back it will not connect anymore to the first one, but to the one that was trying at this moment. - Resolves: #9188
2017-12-21[doc] add note about expected paths to bitmask-root itselfKali Kaneko
I should remember this change when we merge elijah's fix again. Hopefully that happens soon enough.
2017-12-21[bug] temporarily revert dnsmasq firewall fixKali Kaneko
It has been reported that, after this fix, dns leaks happen under some circumstances not yet clear. Preparing for a release, we have decided to revert this change until the problem can be properly triaged. This means a broken vpn aartful support for the time being, but a non-leaking master. https://0xacab.org/leap/bitmask-dev/issues/9137 - Related: #9137
2017-12-20[bug] add lock in command dispatcherKali Kaneko
2017-12-08[docs] add comment about python interpreterKali Kaneko
2017-12-07[feat] update bitmask-root if neededRuben Pollan
Chech the hash of the installed bitmask root and sign as not installed if doesn't match the one we have in the bundle. Also for running bitmask-root, if there is more than one (in /usr/local/sbin and /usr/sbin) run the one with higher version number. - Resolves: #9020
2017-12-05[bug] change bitmask-root to work with dnsmasqelijah
2017-11-30[refactor] use /var/run for osx helper socketKali Kaneko
2017-11-02[style] fix formattingKali Kaneko
2017-11-02[feature] support deepin polkit agentKali Kaneko
-Resolves: #9119
2017-11-01[docs] document systray in changelogKali Kaneko
- Resolves: #9094
2017-11-01[refactor] refactor status objectKali Kaneko
2017-11-01[feature] display vpn status on systrayKali Kaneko
2017-10-25[feat] support pantheon polkit agentKali Kaneko
Apparently, this would allow us to run in Elementary OS. -Resolves: #9076
2017-10-11[style] pep8Kali Kaneko
2017-10-11[bug] import linux specific constants inside if blockkali
2017-10-09[bug] properly check for local openvpn pathKali Kaneko
- Resolves: #9099
2017-10-06[style] pep80.10.1Kali Kaneko
2017-10-06[bug] use sytem-wide bitmask-root, if foundKali Kaneko
we make a distinction between the system-wide bitmask-root, which should be placed there by the maintainers of whatever packages your distribution uses, and the bitmask-root that is placed by the bundles (using polkit). since the bundles copying over the helper from user-writeable folders is a potential attack vector, we prefer to use the package's version if present. also, if we cannot find either, we abort the launching of the VPN. we've discussed that this might move to the service initialization instead, but I think the cases in which this is needed should be rare. I fix also a corner-case in which we were using getcwd() at import time. if you execute code and then remove the installation path, this will raise a traceback in bitmaskctl. I think it's nicer to catch the error properly when starting.
2017-10-03[feat] Update polkit optionsRuben Pollan
2017-09-29[style] pep8Kali Kaneko
2017-09-29[bug] look also from bitmask-root in the debian pathKali Kaneko
2017-09-29[bug] fixes needed to launch vpn on mac after refactorkali
2017-09-29[bug] check for pkexec only in linuxkali
2017-09-29[bug] create /usr/local/sbin folder if it does not existKali Kaneko
- Resolves: #9084
2017-09-20[feat] detect if pkexec is present in the systemRuben Pollan
Check it before starting the vpn. - Resolves: #8895
2017-09-20[bug] flag vpn_ready == false if cert expiredRuben Pollan
We were not renewing the vpn cert. Now the UI will trigger a cert renewal by telling it that is the vpn is not ready if the cert is expired. - Resolves: #9059
2017-09-15[feat] wait up to 20 seconds for polkit to be launchedRuben Pollan
- Related: #9012
2017-09-15[refactor] remove unused 'is_missing_policy_permissions'Ruben Pollan
2017-09-15[feat] add --nodaemon param to polkit_agentRuben Pollan
2017-09-15[docs] having the polkits to try in a list sets already a prio to themRuben Pollan
2017-09-15[feat] use psutil to discover polkit processRuben Pollan
Better psutil than ps+grep.
2017-09-15[bug] get the VPN restart working againRuben Pollan
Don't persist-tun on the vpn, so it can restart properly. Also let's match better the options that are sent and taken into account from bitmask-root. - Resolves: #9048