From 40ced0c4b817a6fa4c94dafc4c4481fb5ac4ad97 Mon Sep 17 00:00:00 2001 From: "kali kaneko (leap communications)" Date: Wed, 8 Jun 2022 17:12:32 +0200 Subject: [feat] dry-run --- docs/debug.rst | 8 ++++++++ pkg/pickle/helpers/bitmask-root | 6 +++++- pkg/vpn/launcher_linux.go | 7 ++++++- pkg/vpn/openvpn.go | 13 ++++++++++++- 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/docs/debug.rst b/docs/debug.rst index 49a2c03..21eca1e 100644 --- a/docs/debug.rst +++ b/docs/debug.rst @@ -111,5 +111,13 @@ environment variable that contains the hostname of the gateway: LEAP_GW=hostname.riseup.net ./riseup.vpn +Dry run +------- + +To avoid setting up the routes, you can pass the LEAP_DRYRUN variable: + +.. code:: bash + LEAP_DRYRUN=1 ./riseup.vpn +We should probably restrict this to non-release versions only. diff --git a/pkg/pickle/helpers/bitmask-root b/pkg/pickle/helpers/bitmask-root index e704bd9..a0ae746 100644 --- a/pkg/pickle/helpers/bitmask-root +++ b/pkg/pickle/helpers/bitmask-root @@ -89,7 +89,7 @@ def is_ipv6_disabled(): def tostr(s): return s.decode('utf-8') -VERSION = "17" +VERSION = "18" SCRIPT = "bitmask-root" NAMESERVER_TCP = "10.41.0.1" NAMESERVER_UDP = "10.42.0.1" @@ -151,6 +151,7 @@ if is_ipv6_disabled(): "--pull-filter", "ignore", "ifconfig-ipv6", "--pull-filter", "ignore", "route-ipv6"]) + ALLOWED_FLAGS = { "--remote": ["IP", "NUMBER", "PROTO"], "--tls-cipher": ["CIPHER"], @@ -168,6 +169,7 @@ ALLOWED_FLAGS = { "--management-client": [], "--tun-ipv6": [], "--log": ["LOGFILE"], + "--pull-filter": ["ignore", "route"], } PARAM_FORMATS = { @@ -183,6 +185,8 @@ PARAM_FORMATS = { "NETGW": lambda s: s == "net_gateway", "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s), "LOGFILE": lambda s: s == "/tmp/leap-vpn.log", + "ignore": lambda s: s == "ignore", + "route": lambda s: s == "route", } # Determine Qubes OS version, if any diff --git a/pkg/vpn/launcher_linux.go b/pkg/vpn/launcher_linux.go index 57bbe78..1fbcd6f 100644 --- a/pkg/vpn/launcher_linux.go 
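Review bot: The new `"--pull-filter": ["ignore", "route"]` entry in ALLOWED_FLAGS, together with the `ignore`/`route` entries added to PARAM_FORMATS in the following hunk, widens the privileged helper's allowlist in every build, although the docs hunk of this same commit says dry-run should probably be restricted to non-release versions. bitmask-root is what the launcher runs through pkexec, so a flag accepted here is accepted for any caller of the helper, and a tunnel that ignores pushed routes becomes a supported release configuration. Consider gating both additions on a debug or non-release condition, or at least marking the entry with a comment such as `# dry-run only: drops server-pushed routes; not meant for release builds`. The new PARAM_FORMATS keys are also lowercase literals, while the existing keys visible in the hunk (`NETGW`, `UID`, `LOGFILE`) are upper-case type names; one upper-case type with an exact-match check would follow that convention.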
+++ b/pkg/vpn/launcher_linux.go @@ -167,11 +167,16 @@ func (l *launcher) openvpnStop() error { } func (l *launcher) firewallStart(gateways []bonafide.Gateway) error { + if os.Getenv("LEAP_DRYRUN") == "1" { + log.Println("dry-run: skip firewall start") + return nil + } log.Println("firewall start") arg := []string{"firewall", "start"} for _, gw := range gateways { arg = append(arg, gw.IPAddress) } + return runBitmaskRoot(arg...) } @@ -214,8 +219,8 @@ func runBitmaskRoot(arg ...string) error { return err } arg = append([]string{bitmaskRoot}, arg...) - cmd := exec.Command("pkexec", arg...) + out, err := cmd.Output() if err != nil && arg[2] != "isup" { log.Println("Error while running bitmask-root:") diff --git a/pkg/vpn/openvpn.go b/pkg/vpn/openvpn.go index 567b912..fcd4aee 100644 --- a/pkg/vpn/openvpn.go +++ b/pkg/vpn/openvpn.go @@ -180,6 +180,10 @@ func (b *Bitmask) startOpenVPN() error { if err != nil || verb > 6 || verb < 3 { openvpnVerb = "3" } + // TODO we need to check if the openvpn options pushed by server are + // not overriding (or duplicating) some of the options we're adding here. + log.Println("VERB", verb) + arg = append(arg, "--verb", openvpnVerb, "--management-client", @@ -190,7 +194,14 @@ func (b *Bitmask) startOpenVPN() error { "--persist-tun", "--float") if verb > 3 { - arg = append(arg, "--log", "/tmp/leap-vpn.log") + arg = append( + arg, + "--log", "/tmp/leap-vpn.log") + } + if os.Getenv("LEAP_DRYRUN") == "1" { + arg = append( + arg, + "--pull-filter", "ignore", "route") } /* persist-tun is needed for reconnects */ return b.launch.openvpnStart(arg...) -- cgit v1.2.3
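Review bot: The `LEAP_DRYRUN` check at the top of firewallStart makes the firewall fail open on an environment variable: it returns nil without calling runBitmaskRoot, so callers cannot tell a skipped firewall from a started one, and the only trace is a log line. The docs hunk in this commit already says this should probably be restricted to non-release versions, but nothing in the new code enforces that. Consider gating the branch on a build-time debug condition and adding a comment such as `// dry-run: firewall is intentionally NOT started; traffic is unprotected`. The same `os.Getenv("LEAP_DRYRUN") == "1"` expression is repeated in startOpenVPN in pkg/vpn/openvpn.go, so one small helper would keep the two checks in sync. Only firewallStart is visible here; whether the stop and status paths need the same guard cannot be judged from this hunk.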
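Review bot: `log.Println("VERB", verb)` logs the parsed integer rather than the value actually passed to OpenVPN: when the check just above resets `openvpnVerb` to "3" (parse error or out-of-range value), the log line still prints whatever `verb` holds. Logging the effective value with a descriptive message would be more useful, e.g. `log.Println("openvpn verbosity:", openvpnVerb)`. The new TODO about server-pushed options would read better directly above the `arg = append(...)` call it refers to, not above the log line. startOpenVPN begins and ends outside this hunk.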
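Review bot: `--pull-filter ignore route` may not deliver what docs/debug.rst promises ("avoid setting up the routes"): OpenVPN matches the pull-filter text as a prefix of the pushed option, so this drops `route`, `route-gateway`, `route-ipv6` and similar, but a pushed `redirect-gateway` would still be applied. If the gateways push `redirect-gateway` (not visible here), dry-run would still change the default route; a second filter pair would be needed, and the helper's ALLOWED_FLAGS would have to accept it as well. A short comment above the new branch, e.g. `// dry-run: ignore server-pushed route* options so the tunnel comes up without routing traffic`, would record the intent. The existing `/* persist-tun is needed for reconnects */` comment now sits two blocks below the flag it describes.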