2024.05 LEAP VPN Release
Milestone ID: 5800
Overview
- Two more weeks of field testing KCP+obfs4
- Launching MVS deployment of ST with KCP+obfs4 (Lilypad and Android integration)
- MVS of invite system
- API v3 to v5
- New Bitmask-core and Menshen Tech
Android Client
--> cyberta
- Integration of first transport: KCP+obfs4 proxy (bitmask_android#9170)
- Adapt how we start obfs4 (use transparent proxying) bitmask_android#9171
- JNI bindings for Bitmask-core bitmask-core#5
- Integration of the Bitmask-core shared library into Android bitmask_android#9172
- Invite system integration, UX etc. bitmask_android#9173
- Handle overloaded VPN gateways bitmask_android#9174
- Figma prototype for UX adjustments for the circumvention-only app (flags added so that only circumvention features are shown)
Desktop
--> anjan
- Desktop release process: delineate the division of labor (create a release doc and a checklist to follow during releases) bitmask-vpn#789
- Create cross-platform builds of Windows and macOS on Linux bitmask-vpn#298
- Integration of Bitmask-core, see the Bitmask-core section (Pea) bitmask-vpn#758
- Integration of first transport: KCP+obfs4 proxy
- Adapt how we start obfs4 (use transparent proxying) bitmask-vpn#760 , https://0xacab.org/leap/bitmask-vpn/-/issues/792
- Provider-agnostic client, Bitmask for Desktop bitmask-vpn#790
- App size reduction
- UX parity with Android (onboarding, UI colors, background images/theme etc.) bitmask-vpn#794
- Improve logging and error handling, make the code more readable (Pea) https://www.0xacab.org/leap/bitmask-vpn/-/issues/771
- macOS universal builds (use CircleCI to build arm64 artifacts)
- Debugging: there are a lot of undocumented environment variables; document them https://www.0xacab.org/leap/bitmask-vpn/-/issues/771
- On Linux, investigate and use D-Bus for controlling the OpenVPN client process bitmask-vpn#761
- Running bitmask-vpn on Windows with a non-admin user account bitmask-vpn#779
- Handle overloaded VPN gateways bitmask-vpn#791
Comments
- Snowflake is currently not fully integrated (but there is working code)
Platform Dev
--> Sgk and Max
- Fix Lilypad CI
- Integrate obfs4+KCP into Lilypad obfsvpn#10
- Fix slow obfsvpn + KCP issue obfsvpn#39
- Update architectural diagrams to include introducer, control plane, Menshen agent etc. leap/container-platform/lilypad#89
- Make sure the CA certificate does not leak the provider's domain name (check subject, issuer and SAN fields): leap/container-platform/lilypad#87
- For ST we do not want to expose plain OpenVPN without obfuscation; define how a deployment can disable the unobfuscated endpoint: leap/container-platform/lilypad#88
- Discuss if and how we can restrict OpenVPN handshakes so that they are accepted only from the bridges
Devops
--> kwadro, sgk, powerpuffin
- Creation of development, staging, and production environments for ST
- Get endpoints/egress: continue conversations with Riseup, agree on a deployment model if possible
- Maintain staging environment demo.bitmask.net (with little resources if possible)
Bitmask-core
--> Peanut, cyberta, some work from sgk
https://0xacab.org/leap/bitmask-core/-/issues
This is a new bootstrapping process Peanut is working on that allows clients to communicate with Menshen. It needs to be finished and then integrated into the clients, which in turn requires several adaptations within the clients (states, models and possibly error handling).
- Internal: improve/rewrite existing logic/workflow bitmask-core#7 (closed)
- Extend the Bitmask-core bootstrapping to fetch basic provider information (equivalent to provider.json in v3, compare the Menshen section) from the /service endpoint bitmask-core#9
- Bug fixes such as bitmask-core#3
- Continue integrating Bitmask-core into desktop bitmask-vpn#758
- Integrate Bitmask-core into Android
- JNI bindings for Bitmask-core bitmask-core#5
- Integration into the clients requires v3 compatibility: keep the existing v3 code paths in the clients and switch between client-bonafide (v3 code path) and Bitmask-core (v5 code path) for bootstrapping
Menshen
--> sgk point, peanut
- Deprecation of VPNWeb: integrate the still-needed aspects of VPNWeb into Menshen (sgk)
- Design a way of handling inventory in Menshen: menshen#26
- Backwards compatibility for v3: menshen#27
- EC support: key generation in Menshen, and make sure the legacy v3 /cert endpoint is correctly documented. We want ed25519 keys. leap/container-platform/lilypad#77 (closed)
- Improvements to the v5 API (peanut)
- Agree on and implement port distribution menshen#30
- Fix missing filtering options
Menshen Agent
--> max
- The Menshen agent handles communication between gateways and Menshen. It runs as a sidecar service of OpenVPN, allowing gateways to report metrics to Menshen.
- Unify the Menshen agent across gateways and bridges so that Menshen learns the status of both, and possibly their configuration as well (maxb)
- https://www.0xacab.org/leap/obfsvpn/-/tree/main/control?ref_type=heads
- menshen_agent#2
- Update readme: menshen_agent#3
Introducer
--> sgk
For circumvention tech providers we will integrate Introducer for API communication into Lilypad. Introducer runs on a bridge and sits between the client and the API; it will use or build on obfsvpn as the proxy technology. The invite token carries both the link to the introducer and the invite token itself. Todos are:
- Configure obfsvpn-server to point to a Menshen backend: obfsvpn#38
- Clients: communicate with the introducer. Configure obfsvpn-client to expose a SOCKS proxy that tunnels to that Menshen backend: leap/container-platform/lilypad#91
- Orchestration: deploy the introducer within Lilypad leap/container-platform/lilypad#90
- Test the deployment with obfsvpn-client and curl
- Configure the frontend UI to use that SOCKS proxy for fetching from Menshen bitmask-vpn#793 (closed)
- Stretch: make the API reachable only from the local network, so that only the introducer speaks to the API, and close the public ports that expose the API and OpenVPN
Control plane
--> (Post menshen agent work).
This is a sidecar service for obfsvpn that gives Menshen the information it needs to tell clients which bridges exist. leap/container-platform/lilypad#25
- Design: Determine if control plane is a separate process or becomes part of obfsvpn itself
- Integrate with Lilypad
Invite system
--> max, cyberta
- UX on first run and within settings for the invite system (Amnezia, Shadowsocks and VPN Generator as examples) bitmask_android#9173
- Have a way to tag resources with buckets
- First pass at the invite system: annotate bridges and gateways in Lilypad's hosts.yaml with a `buckets` property leap/container-platform/lilypad#92
- Figure out how resources get assigned to buckets in the deployment (Lilypad -> Menshen) pipeline; possible approach: menshen!18 (comment 1169589)
- Add documentation for the orchestration part
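As an added illustration (not code from the LEAP projects) of how a `buckets` property on hosts and an invite token could fit together: the token carries the introducer link and a bucket name and is bound to a provider secret with an HMAC, so a client cannot rewrite it to reach another bucket; redeeming the token returns only the bridges and gateways tagged with that bucket. The hosts structure, the field names, the token layout and the secret are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample in the shape lilypad's hosts.yaml might take once
# bridges and gateways carry a `buckets` property. The schema (names,
# `host`, `buckets`) is an assumption for this example, not the project's.
HOSTS = {
    "bridges": [
        {"name": "bridge-a", "host": "203.0.113.10", "buckets": ["field-testers", "media"]},
        {"name": "bridge-b", "host": "203.0.113.11", "buckets": ["media"]},
        {"name": "bridge-c", "host": "203.0.113.12", "buckets": []},
    ],
    "gateways": [
        {"name": "gw-1", "host": "198.51.100.20", "buckets": ["field-testers"]},
        {"name": "gw-2", "host": "198.51.100.21", "buckets": ["media", "allies"]},
    ],
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_invite(secret: bytes, introducer_url: str, bucket: str,
                ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint an invite: base64url(JSON payload) '.' base64url(HMAC-SHA256 tag).

    The payload carries the introducer link and the bucket; the tag binds both
    to the provider's secret. (Token layout is an assumption for this example.)
    """
    now = int(time.time()) if now is None else now
    payload = {"introducer": introducer_url, "bucket": bucket, "exp": now + ttl_seconds}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def parse_invite(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Verify tag and expiry before trusting anything in the payload.

    Returns the payload dict, or None for malformed, forged or expired tokens.
    """
    now = int(time.time()) if now is None else now
    try:
        body_text, tag_text = token.split(".", 1)
        body, tag = _b64d(body_text), _b64d(tag_text)
    except ValueError:  # wrong number of parts, or bad base64 (binascii.Error)
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] < now:
        return None
    return payload


def select_resources(hosts: dict, bucket: str) -> dict:
    """Names of the bridges and gateways tagged with `bucket`; untagged hosts are never returned."""
    return {
        kind: [h["name"] for h in hosts.get(kind, []) if bucket in h.get("buckets", [])]
        for kind in ("bridges", "gateways")
    }


def redeem_invite(secret: bytes, hosts: dict, token: str,
                  now: Optional[int] = None) -> Optional[dict]:
    """What a backend would hand back to a client presenting a valid invite."""
    payload = parse_invite(secret, token, now)
    if payload is None:
        return None
    return {"introducer": payload["introducer"], **select_resources(hosts, payload["bucket"])}


if __name__ == "__main__":
    secret = b"provider-invite-secret"  # constructed; would come from the deployment's secrets
    token = make_invite(secret, "https://introducer.example.net/", "media", ttl_seconds=86400)
    print(token)
    print(redeem_invite(secret, HOSTS, token))
```

The tag covers the whole payload, so changing the bucket, the introducer link or the expiry invalidates the token; a client that strips the `buckets` filter locally still only learns the hosts the backend chose to return.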
ST MVS
--> Kwadro, powerpuffin, cyberta lurking and learning
- Continue to use jnk-compose for the small batch of tech-savvy field testers.
- Will launch MVS with lilypad and build a small user base through word of mouth.
- Users will use Bitmask to connect
- After MVS released: when invite system is ready and integrated we will broaden the audience to media orgs, allies, etc
Experimental Track
(Jnk-Compose and ST-compose-client)
- Two more weeks of field testing KCP+obfs4
- Automated tests report to the infrastructure without user interaction
- Need an HTTP server that accepts the incoming reports
- Write a script to parse the raw report data (powerpuffin, in progress)
- Add Prometheus to the jnk-compose environment
- Pushgateway that pushes the parsed, structured report data to Prometheus
- Determine when we want to test the next protocol, a hopping PT
Stretch Goals
- Streamline the approach for launching obfs4+KCP: use transparent proxying instead of SOCKS5 in both clients and obfsvpn.
- Menshen stretch goal
- Not needed for the MVS, but really good to have for partner providers
- Evaluation and implementation of load balancing. It is already implemented in menshen_agent; the linear combination of the load metrics and some corner cases can use tweaking
- Deploy menshen_agent per OpenVPN process, but do not act on the reported load in the clients by default
- Keep track of historical load data for later analysis
- Some thoughts about "load": bitmask-vpn#788
- Isolate some services into their own containers, specifically OpenVPN from KRESD
- Mechanism to rotate credentials for the bridges and have one secret per bridge (lovely to have, not needed for the MVS) <--- is this still a stretch goal or part of max's work?