vpnweb issues
https://0xacab.org/leap/vpnweb/-/issues
Feed updated: 2022-01-20T12:29:59Z

Issue #20: CVE-2020-26160 in jwt-go
https://0xacab.org/leap/vpnweb/-/issues/20
Updated: 2022-01-20T12:29:59Z
Author: Kali Kaneko

I have not been able to inspect the alert, but this needs to be looked at:
https://github.com/leapcode/vpnweb/security/dependabot/go.mod/github.com%2Fdgrijalva%2Fjwt-go/open
No impact right now, since there's no known deployment of the SIP authenticator.

Issue #19: vpnweb:latest doesn't support v4 api, but lilypad deploys that tag
https://0xacab.org/leap/vpnweb/-/issues/19
Updated: 2021-06-25T13:18:00Z
Author: Gui

I've just completed a fresh deploy of a bitmask provider using https://0xacab.org/leap/container-platform/lilypad
The problem is, it deploys `vpnweb:latest` (https://0xacab.org/leap/container-platform/lilypad/-/blob/main/config/services.openvpn.yml#L65), which currently points to a 9-month-old version, which doesn't support api_version=4.
So when I open bitmask 1.0.7 on android and try to "add a provider", it will ask for "GET /4/config/eip-service.json HTTP/2.0" and get a showstopper "404 page not found" in return.

Issue #18: Issue Ed25519 certificates
https://0xacab.org/leap/vpnweb/-/issues/18
Updated: 2021-06-12T15:53:14Z
Author: Kali Kaneko

We should add a new endpoint to generate Ed25519 certificates, to be used with tls 1.3.

Issue #17: Needs to serve the correct Cache-control headers
https://0xacab.org/leap/vpnweb/-/issues/17
Updated: 2021-05-26T16:10:50Z
Author: micah

Because the vpnweb service is behind a nginx caching proxy, it needs to tell the proxy about what it should, and should not, be caching.
That is done by emitting the proper Cache-control headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
Perhaps only "Cache-Control: no-cache" is all that would be necessary.

Assignee: Kali Kaneko

Issue #16: Transition to v4 of the api
https://0xacab.org/leap/vpnweb/-/issues/16
Updated: 2021-05-27T18:45:58Z
Author: micah

The v4 version of the api, when finished, will require that various pieces that are served up by vpnweb be available on the /4/ endpoint, instead of on /3/. Right now, everything is coded as /3/, and maybe we should keep 3 around for a bit, while people transition, but add in a /4/ endpoint so we can start building out the new features that we want to have in that api version.

Issue #14: Different obfs4 key per eip-service.json version
https://0xacab.org/leap/vpnweb/-/issues/14
Updated: 2021-02-23T15:42:56Z
Author: kwadronaut

There should only be one key.
```
{
"version" : 4,
"locations" : {
"Seattle" : {
"country_code" : "US",
"hemisphere" : "N",
"timezone" : "-7"
}
},
"openvpn_configuration" : {
"dev" : "tun",
"rcvbuf" : "0",
"sndbuf" : "0",
"key-direction" : "1",
"tls-version-min" : "1.2",
"cipher" : "AES-256-GCM",
"verb" : "3",
"tun-ipv6" : true,
"tls-cipher" : "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
"keepalive" : "10 30",
"auth" : "SHA512",
"persist-key" : true,
"nobind" : true
},
"gateways" : [
{
"ip_address6" : null,
"ip_address" : "95.217.26.109",
"capabilities" : {
"limited" : false,
"filter_dns" : false,
"transport" : [
{
"type" : "openvpn",
"ports" : [
"443"
],
"protocols" : [
"tcp"
]
},
{
"type" : "obfs4",
"options" : {
"cert" : "AYHcCYnNtc8WFYzaFSgbSYmgolr6nM3ddlVoC2ieIN0iD/MVKHg/VhIqwsvfqz/WxBdLdg",
"iatMode" : "0"
},
"protocols" : [
"tcp"
],
"ports" : [
"23042"
]
}
],
"adblock" : false
},
"location" : "Helsinki",
"host" : "api.vpn.solitech.org"
}
],
"serial" : 4
}
```
```
{
"openvpn_configuration" : {
"dev" : "tun",
"auth" : "SHA512",
"tun-ipv6" : true,
"sndbuf" : "0",
"tls-cipher" : "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
"cipher" : "AES-256-GCM",
"nobind" : true,
"key-direction" : "1",
"persist-key" : true,
"tls-version-min" : "1.2",
"verb" : "3",
"keepalive" : "10 30",
"rcvbuf" : "0"
},
"gateways" : [
{
"ip_address" : "95.217.26.109",
"host" : "api.vpn.solitech.org",
"capabilities" : {
"limited" : false,
"filter_dns" : false,
"transport" : [
{
"protocols" : [
"tcp"
],
"type" : "openvpn",
"ports" : [
"1194"
]
},
{
"protocols" : [
"tcp"
],
"options" : {
"cert" : "pjm0nzN94YnCTn9WYP0ifLoXE2LY25xlEMpoXVRXMkirBzUxHqoNMDgz9OgT1zCEHM4qdA",
"iatMode" : "0"
},
"ports" : [
"23042"
],
"type" : "obfs4"
}
],
"adblock" : false
},
"location" : "Helsinki"
}
],
"locations" : {
"Helsinki" : {
"timezone" : "+2",
"hemisphere" : "N",
"country_code" : "FI"
}
},
"version" : 3,
"serial" : 3
}
```

Issue #13: remove versioned ca cert endpoints
https://0xacab.org/leap/vpnweb/-/issues/13
Updated: 2021-05-26T15:42:22Z
Author: cyberta

vpnweb has a versioned endpoint for ca certs:
`web.HttpFileHandler(srv, "/3/ca.crt", opts.ProviderCaPath)`
I wonder if we really need them and tend to remove them. IIRC they are not in use in current clients. @meskio @kali Do you know more?

Issue #12: expose passwordPolicy in eip-service.json
https://0xacab.org/leap/vpnweb/-/issues/12
Updated: 2021-01-28T18:41:14Z
Author: Kali Kaneko

If we get the VPNWEB_PASSWORD_POLICY=ignore, we should add that to eip-service.json.
This is configured in float. The client also will have to switch to detect that from here (and not from providers.json).
See https://0xacab.org/leap/bitmask-vpn/-/issues/323

Issue #11: float: make password-policy configurable for vpnweb
https://0xacab.org/leap/vpnweb/-/issues/11
Updated: 2021-01-28T18:45:54Z
Author: Kali Kaneko

We need to be able to configure an optional flag for password-policy for vpnweb. The default is 'require', but some deployments will want to set 'ignore'.

Milestone/label: LibraryVPN-ils integration
Assignee: Kali Kaneko

Issue #10: Test Reliability of Auth Mechanism
https://0xacab.org/leap/vpnweb/-/issues/10
Updated: 2021-01-28T18:42:12Z
Author: mcy100

(manual test/configure 2-node instances in LEAP's infra with float)

Issue #9: modify auth proxy to allow empty passwords
https://0xacab.org/leap/vpnweb/-/issues/9
Updated: 2021-01-28T18:46:41Z
Author: Kali Kaneko

Milestone/label: LibraryVPN-ils integration
Assignee: Kali Kaneko

Issue #8: document how to expose sip endpoint through stunnel
https://0xacab.org/leap/vpnweb/-/issues/8
Updated: 2021-01-28T18:46:53Z
Author: Kali Kaneko

https://jsn4lib.wordpress.com/2012/02/06/encrypting-sip2-traffic-with-koha/

Milestone/label: LibraryVPN-ils integration
Assignee: Kali Kaneko

Issue #7: sip2: be more reliable if connection fails
https://0xacab.org/leap/vpnweb/-/issues/7
Updated: 2020-02-05T19:00:51Z
Author: Kali Kaneko

The initial sip telnet client implementation is prone to errors. First, it swallows some errors. Second, it never times out.
* [ ] use a telnet client library that uses `net.DialTimeout` instead of `net.DialTo`
* [ ] refactor client to use channels, in a way that a single goroutine is serially processing connections and returning responses
* [ ] send a get-status request every 5 minutes or so, to keep the connection up
* [ ] if everything fails, try to reset the connection

Assignee: Kali Kaneko

Issue #6: Path for files
https://0xacab.org/leap/vpnweb/-/issues/6
Updated: 2020-02-06T12:34:51Z
Author: micah

Right now the path for the json files and the CA is just `./public`. I'd like to either have that be something more explicit, like `/etc/leap/config`, or have it be an environment variable, instead of putting it in the same directory as the binary.
Also, the ca.crt is hardcoded to be `./public/ca.crt`. For organization's sake, I'd like to keep that file in `/etc/leap/ca`, so if this can also be parameterized so it can be changed, that would be pura vida.

Assignee: Kali Kaneko

Issue #5: document needed environment variables in README
https://0xacab.org/leap/vpnweb/-/issues/5
Updated: 2020-02-06T12:34:52Z
Author: Kali Kaneko

for SIP2 authentication

Assignee: Kali Kaneko

Issue #4: support refresh tokens
https://0xacab.org/leap/vpnweb/-/issues/4
Updated: 2020-09-08T17:16:20Z
Author: Kali Kaneko

After we merge sip authentication, I'd like to define how bonafide v3 will handle refresh tokens, for how long they will live, etc., and their relationship with vpn certificates. We should document this somewhere.

Issue #3: Should support bonafide /v1 endpoint
https://0xacab.org/leap/vpnweb/-/issues/3
Updated: 2021-02-24T15:30:10Z
Author: micah

Older clients only support the v1 api endpoint (/v1) and vpnweb seems to only respond to /v3. We need to be able to support those older clients for some time still.
Windows/Mac have only had v3 support for around 6 months, and people do not update those as regularly as snap, so it's very possible that they still have v1 support.

Assignee: Kali Kaneko

Issue #2: consider merging geoip service into vpnweb app
https://0xacab.org/leap/vpnweb/-/issues/2
Updated: 2020-01-29T17:14:54Z
Author: Kali Kaneko

What are the pros and cons of merging geoip into the webapp?

Issue #1: announce geoip service from eip-service.json
https://0xacab.org/leap/vpnweb/-/issues/1
Updated: 2021-06-28T17:41:24Z
Author: Kali Kaneko

Right now the location of the geoip service is hardcoded in the vendor.conf,
but it would be nice to have it announced in eip-service.json so that the android client can use it too.

Assignee: Kali Kaneko