Lack of 'vpn always on' feature is a security vulnerability
There is no VPN-always-on option in Sailfish OS. This has been featured with the Android ROM for many years.
This is a major security vulnerability for anyone using or relying on Sailfish's VPN feature. Since my internet connection regularly drops, this causes my traffic to regularly leak out into my host network, unencrypted.
I logged this issue as a bug on 23/10/19 on https://jolla.zendesk.com. I am submitting this as a feature request because this seems to be my only option but this should really be logged as a security vulnerability.
For the meanwhile, please can someone suggest some iptables rules that will patch this vulnerability such as:
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
Thank you for all your hard work Sailfish!
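A kill-switch rule set of the kind the post asks for, added here as an example (not from the original post or from Jolla): it filters the OUTPUT chain so that egress can only leave via the tunnel, while still permitting the VPN handshake on the physical uplinks. It assumes the VPN creates tun0, that the uplinks are wlan0 and rmnet0, and uses a constructed placeholder endpoint 203.0.113.10 udp/1194; it also assumes plain iptables is available on the device.

```shell
#!/bin/sh
# VPN kill switch for a Linux host: egress is permitted only through the
# tunnel interface, plus what the tunnel itself needs to (re)connect.
# Added example, not from the original post. tun0, wlan0, rmnet0 and the
# endpoint 203.0.113.10 udp/1194 are assumed/constructed placeholder values.

# Print the iptables commands for the given parameters, one per line.
# Arguments: TUN_IF "UPLINK_IF ..." VPN_SERVER VPN_PORT [PROTO]
killswitch_rules() {
  tun_if=$1; uplinks=$2; vpn_server=$3; vpn_port=$4; proto=${5:-udp}
  # Start from an empty OUTPUT chain so the script can be re-run safely.
  echo "iptables -F OUTPUT"
  # Loopback and anything leaving via the tunnel are always allowed.
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  echo "iptables -A OUTPUT -o $tun_if -j ACCEPT"
  for up in $uplinks; do
    # DHCP so the uplink can still obtain an address (no-op on mobile data).
    echo "iptables -A OUTPUT -o $up -p udp --dport 67 -j ACCEPT"
    # The VPN handshake itself must cross the physical uplink, otherwise
    # the tunnel can never come (back) up after a connection drop.
    echo "iptables -A OUTPUT -o $up -p $proto -d $vpn_server --dport $vpn_port -j ACCEPT"
  done
  # Everything else, including DNS on the uplinks, is dropped rather than leaked.
  echo "iptables -A OUTPUT -j DROP"
}

# Apply the rules; requires root. To clear them again: iptables -F OUTPUT
apply_killswitch() {
  killswitch_rules "$@" | sh -e
}

# Print the rule set by default; pass "apply" as the first argument to load it.
if [ "${1:-}" = "apply" ]; then
  apply_killswitch tun0 "wlan0 rmnet0" 203.0.113.10 1194 udp
else
  killswitch_rules tun0 "wlan0 rmnet0" 203.0.113.10 1194 udp
fi
```

The endpoint exception is what lets the tunnel re-establish after a drop; without it the device would be cut off entirely rather than leaking.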
From 3.1.0 release notes:
Enabling VPN without (prior to getting) network connection is now possible. This is to ensure that all your traffic is secure from the beginning. The text "Waiting for network..." is shown in Settings in this situation. The Top menu toggle can be enabled regardless of network state.
Isn't this what you meant?
Fuzzillogic ( 2020-04-24 13:42:40 +0200 )

I don't get it. If your internet connection drops, how can something leak? And how exactly does NATting on tun0 mitigate anything? If I read your question right, you want traffic on wlan0 and rmnet0 to be halted somehow when tun0 state changes to down. If so, how can tun0 ever come up again?

Maus ( 2020-04-24 14:38:51 +0200 )

But he is right. (and @Fuzzylogic too)
You may enable VPN in advance. And it should connect only when VPN can get activated.
But I just tested with a VPN that on 3.2.1.20 very often 'forgets' its setting and user/pass.
If you enable that before the data connection it does not establish the VPN (as it asks for credentials) but leaks (send and receive) some kB in the background while displaying the credentials popup.
As I do not know my credentials off the top of my head I have to look them up and need to dismiss the popup, hereby letting more data leak.
I do not know but I do hope that this forgetting of credentials is solved with 3.3.x.x???
@Maus if he experiences that behaviour then on connection drop and re-establishing the phone may leak data not tunneled, right?
peterleinchen ( 2020-04-24 23:45:25 +0200 )

@peterleinchen Thank you, I just have to go the additional steps of reminding myself that others use VPNs in a different way than I do. I use VPN tunnels to connect to services that are not available at all otherwise.
If you use data encryption layers (which you should whenever you can), all your phone can leak is communications metadata. If this is potentially valuable to someone on the same network, I understand @sailfishuser0's concern. But I'd be very picky about the wireless networks I let my device see and use.
How would you even implement such a feature? Like, creating a virtual bridge with a pseudo-public interface that applications can bind to, and connecting the tun0 interface to this bridge as an uplink? I guess that applications must be aware of such a setup to make use of this. I am sure I could build a setup that is working like this in a lab environment, but I doubt it is easy to convince our apps to behave as intended ... unless we can isolate them in container(s).

Maus ( 2020-04-25 00:33:00 +0200 )

I'd recall this as session management? even if at tcp / udp level.
perhaps then connmanager would prioritize traffic to given interfaces, depending on the available ones (connected or not, would then be handled at application level)? considering this whole stack is invisible to the app, ie the app doesn't care how the data gets out, only that data is delivered and replies are relayed...
note that I have no idea how connman works btw :)

tortoisedoc ( 2020-04-25 13:48:38 +0200 )