vpnweb issues
https://0xacab.org/leap/vpnweb/-/issues
Updated: 2022-01-20T12:29:59Z

CVE-2020-26160 in jwt-go
https://0xacab.org/leap/vpnweb/-/issues/20
Updated: 2022-01-20T12:29:59Z
Author: Kali Kaneko

I have not been able to inspect the alert, but this needs to be looked at:
https://github.com/leapcode/vpnweb/security/dependabot/go.mod/github.com%2Fdgrijalva%2Fjwt-go/open
no impact right now, since there's no known deployment of the SIP authenticator.

announce geoip service from eip-service.json
https://0xacab.org/leap/vpnweb/-/issues/1
Updated: 2021-06-28T17:41:24Z
Author: Kali Kaneko
Assignee: Kali Kaneko

right now the location of the geoip service is hardcoded in the vendor.conf
but it would be nice to have it announced in eip-service.json so that android client can use it too.

vpnweb:latest doesn't support v4 api, but lilypad deploys that tag
https://0xacab.org/leap/vpnweb/-/issues/19
Updated: 2021-06-25T13:18:00Z
Author: Gui

i've just completed a fresh deploy of a bitmask provider using https://0xacab.org/leap/container-platform/lilypad
the problem is, it deploys `vpnweb:latest` (https://0xacab.org/leap/container-platform/lilypad/-/blob/main/config/services.openvpn.yml#L65) which currently points to a 9-month-old version, which doesn't support api_version=4
so when i open bitmask 1.0.7 on android and try to "add a provider", it will ask for "GET /4/config/eip-service.json HTTP/2.0" and get a showstopper "404 page not found" in return

Issue Ed25519 certificates
https://0xacab.org/leap/vpnweb/-/issues/18
Updated: 2021-06-12T15:53:14Z
Author: Kali Kaneko

We should add a new endpoint to generate Ed25519 certificates, to be used with tls 1.3

Should support bonafide /v1 endpoint
https://0xacab.org/leap/vpnweb/-/issues/3
Updated: 2021-02-24T15:30:10Z
Author: micah
Assignee: Kali Kaneko

Older clients only support v1 api endpoint (/v1) and vpnweb seems to only respond to /v3. We need to be able to support those older clients for some time still.
Windows/Mac have only had v3 support for around 6 months, and people do not update those as regularly as snap, so it's very possible that they still have v1 support.

Different obfs4 key per eip-service.json version
https://0xacab.org/leap/vpnweb/-/issues/14
Updated: 2021-02-23T15:42:56Z
Author: kwadronaut

There should only be one key.
```
{
"version" : 4,
"locations" : {
"Seattle" : {
"country_code" : "US",
"hemisphere" : "N",
"timezone" : "-7"
}
},
"openvpn_configuration" : {
"dev" : "tun",
"rcvbuf" : "0",
"sndbuf" : "0",
"key-direction" : "1",
"tls-version-min" : "1.2",
"cipher" : "AES-256-GCM",
"verb" : "3",
"tun-ipv6" : true,
"tls-cipher" : "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
"keepalive" : "10 30",
"auth" : "SHA512",
"persist-key" : true,
"nobind" : true
},
"gateways" : [
{
"ip_address6" : null,
"ip_address" : "95.217.26.109",
"capabilities" : {
"limited" : false,
"filter_dns" : false,
"transport" : [
{
"type" : "openvpn",
"ports" : [
"443"
],
"protocols" : [
"tcp"
]
},
{
"type" : "obfs4",
"options" : {
"cert" : "AYHcCYnNtc8WFYzaFSgbSYmgolr6nM3ddlVoC2ieIN0iD/MVKHg/VhIqwsvfqz/WxBdLdg",
"iatMode" : "0"
},
"protocols" : [
"tcp"
],
"ports" : [
"23042"
]
}
],
"adblock" : false
},
"location" : "Helsinki",
"host" : "api.vpn.solitech.org"
}
],
"serial" : 4
}
```
```
{
"openvpn_configuration" : {
"dev" : "tun",
"auth" : "SHA512",
"tun-ipv6" : true,
"sndbuf" : "0",
"tls-cipher" : "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
"cipher" : "AES-256-GCM",
"nobind" : true,
"key-direction" : "1",
"persist-key" : true,
"tls-version-min" : "1.2",
"verb" : "3",
"keepalive" : "10 30",
"rcvbuf" : "0"
},
"gateways" : [
{
"ip_address" : "95.217.26.109",
"host" : "api.vpn.solitech.org",
"capabilities" : {
"limited" : false,
"filter_dns" : false,
"transport" : [
{
"protocols" : [
"tcp"
],
"type" : "openvpn",
"ports" : [
"1194"
]
},
{
"protocols" : [
"tcp"
],
"options" : {
"cert" : "pjm0nzN94YnCTn9WYP0ifLoXE2LY25xlEMpoXVRXMkirBzUxHqoNMDgz9OgT1zCEHM4qdA",
"iatMode" : "0"
},
"ports" : [
"23042"
],
"type" : "obfs4"
}
],
"adblock" : false
},
"location" : "Helsinki"
}
],
"locations" : {
"Helsinki" : {
"timezone" : "+2",
"hemisphere" : "N",
"country_code" : "FI"
}
},
"version" : 3,
"serial" : 3
}
```

Test Reliability of Auth Mechanism
https://0xacab.org/leap/vpnweb/-/issues/10
Updated: 2021-01-28T18:42:12Z
Author: mcy100

(manual test/configure 2-node instances in LEAP's infra with float)

expose passwordPolicy in eip-service.json
https://0xacab.org/leap/vpnweb/-/issues/12
Updated: 2021-01-28T18:41:14Z
Author: Kali Kaneko

If we get the VPNWEB_PASSWORD_POLICY=ignore, we should add that to eip-service.json
This is configured in float. Client also will have to switch to detect that from here (and not from providers.json).
See https://0xacab.org/leap/bitmask-vpn/-/issues/323

support refresh tokens
https://0xacab.org/leap/vpnweb/-/issues/4
Updated: 2020-09-08T17:16:20Z
Author: Kali Kaneko

after we merge sip authentication, I'd like to define how bonafide v3 will handle refresh tokens, for how long will they live, etc, and their relationship with vpn certificates. we should document this somewhere.

sip2: be more reliable if connection fails
https://0xacab.org/leap/vpnweb/-/issues/7
Updated: 2020-02-05T19:00:51Z
Author: Kali Kaneko
Assignee: Kali Kaneko

the initial sip telnet client implementation is prone to errors. first, it swallows some errors. second, it never times out.
* [ ] use a telnet client library that uses `net.DialTimeout` instead of `net.DialTo`
* [ ] refactor client to use channels, in a way that a single goroutine is serially processing connections and returning responses
* [ ] send a get-status request every 5 minutes or so, to keep the connection up
* [ ] if everything fails, try to reset the connection