2025.02 LEAP VPN Release
Timing
- Wk1: 10.21 Scoping and Dev
- Wk2-5: 10.28: Dev
- Wk3: Invite system testing
- Wk4: Decongestion testing
- Wk6: 12.02 Testing and release
Overview
Circumvention Tech: We will create automated uploads for reports and finalize and deploy the dashboard toolchain to improve our measurement system. We will end KCP tests and initiate a four-week QUIC field testing cycle of QUIC+Hopping and QUIC solo. CSOs will be contacted and given invite codes to pass to their users.
Desktop client release: We will work on an update of the Bitmask Multi-Provider client. This release will introduce beta support for using an invite code during the onboarding process to connect to a provider for dev testing. Additionally, small UX improvements, specifically in the sidebar and topbar, will enhance the overall user experience. Work will also continue on the automatic updater.
Android release: We will add the ability to use invite codes by entering a URL or scanning a QR code as part of the onboarding process. API V5 integration will be completed. Multiple bugs will be fixed, and a new circumvention-focused UX will be implemented in settings. The app store will have new translations, copy and screenshots.
Platform release: We added obfuscated discovery (The Introducer) to lilypad. We added to lilypad the ability to use obfs4 via QUIC. We implemented the ability to run gateways on different ports to guard against protocol blocking by port. We have standardised deployment code for Circumvention Technologies (kcp, bridge) and introduced QUIC as a new CT. Tagged release 2.4.0: https://0xacab.org/leap/container-platform/lilypad/-/tags. Work to finalize the API v5 workflow is complete and tested with Android.
This work included several complete tear-downs and redeployments of recent changes to the staging and production environments for a new provider, troubleshooting the bucket system, which will allow us to delegate specific gateways to specific groups, and finding a bug in the gateway selection endpoint (/gateways) in menshen (the API backend) that was interfering with gateway selection. It also covered fixing the integration tests after the migration to podman and upstream gitlab-runner instance changes.
Tunnel-telemetry improvements: For increased shareability, we will create the ability to submit field testing measurements to the OONI collector.
CIRCUMVENTION TECH
Provider Overview: https://nc.riseup.net/index.php/f/2369429
DEVELOPMENT
- Create automated uploads for report (powerpuffin)
- finalize and deploy the dashboard toolchain (powerpuffin)
- integrate quic into lilypad leap/container-platform/lilypad#120 (closed)
FIELD TESTING
Experimental Track
- Deploy QUIC on a bridge server with a different port
- Configure and build QUIC-compatible clients and debug
- QUIC: field test
Using Bitmask
- Set up ft.demo.bitmask.net or other URL
- Reach out to CSO, proposing to use our latest Bitmask prior to invite code
ANDROID
- new settings UI for circumvention options bitmask_android#9194 (closed)
- QR code scanning the invite URL bitmask_android#9198 (closed)
INVITE SYSTEM
The Invite system will allow use of an invite code to establish connections with circumvention providers. It requires: 1) APIV5 implemented on the platform and clients, 2) The "Introducer", a new proxy tech used for circumvention tech providers to protect the discovery process. In addition, a Bucket system, which creates resiliency in the case of burnt bridges, will be created, but it is not necessary to begin use. For desktop, we will begin dev on the required Bitmask multi-provider client.
APIV5
- Android: add Java swagger client generator to bitmask_android, fetch swagger definition from menshen repo, create a build script bitmask_android#9201 (closed)
- Android: improve error handling for APIv5 bitmask_android#9185 (closed)
- Upgrade Desktop
INTRODUCER
- Android: calling bitmask-core's setInviteCode from the UI bitmask_android#9202 (closed)
- Desktop: Implement invite UI in desktop multi provider client bitmask-vpn#897 (closed)
BUCKET SYSTEM - INVITE TOKEN HANDLING
- enable setting introducer url using env variable bitmask-vpn!265 (merged)
- [Discussion/Design] Add support for invite token / API authentication bitmask-core#27 (closed)
- Reference implementation for introducer url/obfvsintro bitmask-core#29 (closed)
- bitmask-core: send invite token with API calls bitmask-core#30 (closed)
- Create a tool to manage invite tokens menshen#61 (closed)
- Buckets: First pass at invite system where we annotate bridges and gateways in lilypad hosts.yaml with a `buckets` property leap/container-platform/lilypad#92 (closed) (4hrs)
LOAD BALANCING & OPTIMIZATION
Work to ease congestion of gateways is taking the following form:
GEO-LOCATION
Sending the country code in apiv5 (bitmask-core) allows us to better distribute the load of the gateways. Currently the country code is fetched, but not yet used, as the backend part was missing in the past.
PLATFORM / MENSHEN
- Add custom STUN server to provider.json (menshen#54 (closed)) --> ask peanut: is this on your plate?
BITMASK CORE
- Code cleanup for geolocation lookup tests bitmask-core#25 (closed)
- Send the country code API requests bitmask-core#31 (closed)
GENERAL IMPROVEMENTS
PLATFORM
- ability to run different gateways on different ports. leap/container-platform/lilypad#109 (closed)
- upgrade to latest float leap/container-platform/lilypad#96 (closed)
- fix broken lilypad CI due to virtmanager/gitlab runner changes done by riseup leap/container-platform/lilypad#119 (closed)
DESKTOP
- Log port of connected OpenVPN gateway bitmask-vpn!257 (merged)
INFRASTRUCTURE
- Update sshd everywhere CVE-2024-6387 https://0xacab.org/leap/infrastructure/-/issues/26
ANDROID UX
- finalize permissions screen UX bitmask_android#9196 (closed) requires info @mcnair
- new permissions screen implementation: bitmask_android#9197 (closed)
- Only include langs with enough translation in the in-app language switch bitmask_android#9192 (closed)
ANDROID BUG FIXES
- fix retry handling after failing provider setup bitmask_android#9204 (closed)
PUBLIC FACE IMPROVEMENTS
- Screenshots in Playstore bitmask_android#9180