Age | Commit message (Collapse) | Author |
|
|
|
for now, we'll be hardcoding tcp as a more reliable alternative, no
matter what the provider announces.
explicitely specifying ipv4 should fix the case in which vpn fails to
start because ipv6 is disabled.
-Resolves: #9181, #9129
|
|
honor the anonymous certificate for the providers that offer it.
this still needs a change in bonafide, in which if provider supports
anonymous access we still have to download eip-service.json
for testing, I assume this has been already manually downloaded.
|
|
|
|
|
|
|
|
|
|
|
|
In ubuntu 17.10 some changes with systemd-resolved broke our firewall,
blocking all DNS queries. The masquerade rules in the firewall, that
are used to rewrite the source IP address of the DNS queries, were
wrongly modifying the queries to systemd-resolved.
Let's apply masquerade only to the packets addressed to the nameserver.
- Resolves: #9137
|
|
Removing '--persist-ip' param on openvpn it will try to connect to a
different gateway if the first one fails. This means, that in case of
network disconnection for some minutes bitmask will keep rotating
between the different gateways and one the network comes back it will
not connect anymore to the first one, but to the one that was trying at
this moment.
- Resolves: #9188
|
|
I should remember this change when we merge elijah's fix again.
Hopefully that happens soon enough.
|
|
It has been reported that, after this fix, dns leaks happen under some
circumstances not yet clear. Preparing for a release, we have decided to
revert this change until the problem can be properly triaged.
This means a broken vpn aartful support for the time being, but a
non-leaking master.
https://0xacab.org/leap/bitmask-dev/issues/9137
- Related: #9137
|
|
|
|
|
|
Chech the hash of the installed bitmask root and sign as not installed
if doesn't match the one we have in the bundle. Also for running
bitmask-root, if there is more than one (in /usr/local/sbin and
/usr/sbin) run the one with higher version number.
- Resolves: #9020
|
|
|
|
|
|
|
|
-Resolves: #9119
|
|
- Resolves: #9094
|
|
|
|
|
|
Apparently, this would allow us to run in Elementary OS.
-Resolves: #9076
|
|
|
|
|
|
- Resolves: #9099
|
|
|
|
we make a distinction between the system-wide bitmask-root, which should
be placed there by the maintainers of whatever packages your
distribution uses, and the bitmask-root that is placed by the bundles
(using polkit).
since the bundles copying over the helper from user-writeable folders
is a potential attack vector, we prefer to use the package's version if
present.
also, if we cannot find either, we abort the launching of the VPN. we've
discussed that this might move to the service initialization instead,
but I think the cases in which this is needed should be rare.
I fix also a corner-case in which we were using getcwd() at import time.
if you execute code and then remove the installation path, this will
raise a traceback in bitmaskctl. I think it's nicer to catch the error
properly when starting.
|
|
|
|
|
|
|
|
|
|
|
|
- Resolves: #9084
|
|
Check it before starting the vpn.
- Resolves: #8895
|
|
We were not renewing the vpn cert. Now the UI will trigger a cert
renewal by telling it that is the vpn is not ready if the cert is
expired.
- Resolves: #9059
|
|
- Related: #9012
|
|
|
|
|
|
|
|
Better psutil than ps+grep.
|
|
Don't persist-tun on the vpn, so it can restart properly. Also let's
match better the options that are sent and taken into account from
bitmask-root.
- Resolves: #9048
|
|
the UI is expecting it there, not inside the result data.
we probably could delete it from the later.
|
|
there was an exception catched, AttributeError, that showed up as a
transient "failed" state.
- Resolves: #9044
|
|
|
|
the debian package was failing because of a bad polkit policy file name.
|
|
- Related: #9010
|
|
|
|
|
|
|