New features for later
from: https://pad.riseup.net/p/bitmask-qa (has a read-only problem)
shorten the time to reconnect
Is there a way we can speed up the reconnection (the attempt to reconnect after the network comes back)? On Linux, at least, it takes a while. Is there a network event the OS will give us when a connection comes back? In the past we discussed making the client send out pings every second when it detected that the network was down, and starting openvpn again as soon as one ping was successful. Important, but later.
provider selection -> https://leap.se/code/issues/3864
On the provider selection page of the wizard, include a list of preconfigured providers. This list should include at the top any providers we have previously configured and validated.
non-root openvpn -> https://leap.se/code/issues/3972
Don't run openvpn as root. Instead, run a management/wrapper process as root, and have it set up the routes. It can also firewall off DNS and IPv6, as appropriate, to prevent leakage.
kali: running as root is a workaround for the (buggy) tearing down of the routes. but in general, and once that can be fixed, the approach of starting openvpn as root and letting it drop privileges (using openvpn-down-root to call our wrapper maybe) should be the best approach.
elijah: the greenhost people said they wrote a housekeeper daemon with root priv that runs in the background all the time and is responsible for important stuff, like preventing ipv6 leakage by maintaining proper iptables rules. and then they just always run openvpn as unprivileged. i think this is the way to go, for a couple reasons. (1) it is better to not ever run any program that gets network input as root (2) a root housekeeper daemon could allow us to nicely "fail closed" meaning that it could set up iptables rules to block all traffic when the openvpn is down or we are restarting it.
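A sketch of the rulesets a root housekeeper could load to "fail closed", as an added example that is not part of the original notes and not Bitmask or Greenhost code. The function name, the `tun0` interface and the gateway address and port are assumptions, and for brevity it takes over the whole filter table and leaves out LAN and DHCP exceptions.

```python
import ipaddress
import re


def fail_closed_rules(gateway, port, proto="udp", tun_if="tun0", vpn_up=True):
    """Return (ipv4, ipv6) rulesets as text in iptables-restore format.

    Every argument is validated: a root helper must not paste values
    from the unprivileged client into firewall rules unchecked.
    """
    gw = ipaddress.IPv4Address(str(gateway))  # ValueError if not an IPv4 address
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if proto not in ("udp", "tcp"):
        raise ValueError("protocol must be udp or tcp")
    if not re.fullmatch(r"[A-Za-z0-9]{1,15}", tun_if):
        raise ValueError("bad interface name")

    v4 = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT DROP [0:0]",  # fail closed: nothing leaves unless allowed below
        "-A OUTPUT -o lo -j ACCEPT",
        # openvpn itself may always reach the gateway, so it can (re)connect
        f"-A OUTPUT -d {gw}/32 -p {proto} --dport {port} -j ACCEPT",
    ]
    if vpn_up:
        # with the tunnel up, all traffic (DNS included) must go through it
        v4.append(f"-A OUTPUT -o {tun_if} -j ACCEPT")
    v4.append("COMMIT")

    # no IPv6 inside the tunnel is assumed, so all IPv6 except loopback is dropped
    v6 = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(v4) + "\n", "\n".join(v6) + "\n"


if __name__ == "__main__":
    # constructed sample values (198.51.100.0/24 is a documentation range)
    for ruleset in fail_closed_rules("198.51.100.7", 1194, vpn_up=False):
        print(ruleset)
```

The two strings are meant to be fed to `iptables-restore` and `ip6tables-restore` by the privileged process; with `vpn_up=False` only the gateway and loopback remain reachable.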
Prevent DNS leakage.
kali: we shouldn't be getting dns leaks now. are we?
elijah: I suspect that we do on windows and mac, but not linux. on mac, if you are on a dhcp network, but then type in a static IP, it will cause a DNS leakage with openvpn. i will try to confirm.
elijah: i can't find existing issues for this, although i suspect there are some.
Prevent IPv6 leakage.
important, but later.
existing issues:
(from redmine: created on 2013-09-17, closed on 2014-05-07, relates #3972 (closed), relates #3864 (closed), relates #54 (closed), relates #52 (closed), relates #38 (closed), relates #5588 (closed))