EthACKdotOrg / orWall

Put your apps behind Orbot, and block all unwanted traffic in one row.
https://orwall.org/
GNU General Public License v3.0

add third option for apps to let themselves connect normally to the internet / use their own proxy settings #16

Closed hxe closed 10 years ago

hxe commented 10 years ago

is this not acceptable for this kind of app? i use tor 99% of the time on my phone, but sometimes i need apps to connect normally (even though i don't want to). there doesn't seem to be a way to disable orwall temporarily. an ideal solution would be to have 3 options for every app, tor, normal, disabled. or maybe allow users to add custom apps with toggles, like you have added for the browser.

e.g. i don't want chatsecure to be completely tor'd. it has built-in orbot compatibility. and i use tor for all of my xmpp servers, except one which doesn't support it. and it would be nice if i had the choice of allowing chatsecure to control proxy settings on its own. or my carrier's app, which i use to check data usage, and renew my credit. renewing credit (via card) only seems to work when i'm using an ip in my own country, so i don't want that tor'd all the time

thoughts?

cjeanneret commented 10 years ago

Hello,

hm. adding new checkboxes would make the app a bit messy. And orWall's main goal is to prevent other apps from going out without using Tor ;).

Another proposal, though it may become a bit unfriendly:

This should meet one part of your request, while still allowing you to be pretty safe as you won't forget to remove the permission for the app after usage.

Regarding chatSecure (and, probably, other tor-compatible apps), I may add a "long-press" setting in order to let them manage their connection. I don't think a couple of checkboxes would be good — AFWall uses that, and it's kind of messy (though they don't really have any other choice).

Any thoughts?

Cheers,

C.

PS: consider your carrier app as a trojan. Really. They are flawed, and allowed to do some nasty things as they are system apps with full privileges…

hxe commented 10 years ago

yea, it's just those small exceptions that sometimes people may need. i also just remembered; i think recently my university has started blocking tor. no matter what options i change (such as change ports to 80,443), it still won't start. so there's another time where it would be nice to allow an app through, if i really need to, and don't want to switch to mobile data.

and yea i knew it was something going against the purpose of this app, and would make the interface messy. i can probably manage with the browser workaround for now.

if i'm understanding what you mean by long-press setting, then maybe: long pressing on an app in the list can bring up 1-3 options, e.g. "allow normal connection" or "allow bypass" (i'm bad at wording), and it can be temporary like the browser option, or have multiple options:

- Allow orWall bypass for 5 minutes
- Allow orWall bypass for 1 hour
- Allow orWall bypass until reboot

maybe? or even let one or both of the default grace times be configured in the main settings, or allow one of the options to let the user enter a custom interval. so i guess if an app was ticked, the user can long press on it, and let the app use the normal connection temporarily, then it will go back to using tor. or if it was unticked, it will go from not being able to use the internet at all, to using it for a bit, then being disabled again. or maybe a replacement for "until reboot" could be "until connection changes" or "until disconnection", where orwall can automatically revert the setting once the user turns off wifi/data or loses connection. or even closes the app? but in some cases, a permanent bypass could be preferable, e.g. chatsecure. i don't know.

i can't really think of anything else other than the long-press options like u mentioned, or having an extra list or something [deep] inside the settings of orwall, like a bypass list. but then maybe that goes against the app's purpose too far? i don't know how often, if ever, others need to have exceptions like me. but it would be useful to be able to let certain apps manage their proxy settings, or to let certain apps bypass [temporarily], if downloading a large file, or if tor is blocked where the app needs to connect, or on the connection the user is using.

what do u think?

and about the carrier app, yea haha. i'm using a custom rom but just transferred over the app to check data usage / renew credit sometimes. i use cyanogenmod's privacy guard on everything, and use "permissions denied" to limit them all too. i think this one didn't ask for too many permissions :p

cjeanneret commented 10 years ago

yep, was thinking of something like that, more or less. All the trick is:

I'm also currently trying to get i2p support — most probably your issue will be done before i2p ;).

I'll keep you updated — would you test some alpha release with this feature?

Cheers,

C:

hxe commented 10 years ago

sure :D

cjeanneret commented 10 years ago

New UI on its way. Options:

The bypass option will allow the app to go out, without Tor or i2p. A timer will be added in order to prevent any problems like "shoo, I forgot to close it". I think the timer will have a max value (1 hour) — maybe this max value may be removed from the settings, with some big fat warnings.

The new UI will hence provide a far better way to control your apps' access and, in addition, provide a better way to add new features on request.

I guess that's a must have, seeing the other issues (#27 for example, and some emails I got).

hxe commented 10 years ago

sounds great. i think 1 hour is a fine max.

also, is "Internal support (the app knows about Tor and how to talk to it)" basically just a permanent bypass? since it's letting the app choose its own proxy settings?

cjeanneret commented 10 years ago

Not really. I see it more like a fenced road: there won't be the nat filter rule with the redirect target, but the app won't be allowed to go elsewhere (i.e. "you go to this port only, else you'll be locked").
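
The difference between forced Tor, the "fenced road" and a bypass, as an added example that is not part of the original thread and not orWall's own code: a shell function that prints (never applies) per-UID iptables rules for each mode. The Orbot ports (TransPort 9040, SOCKS 9050), the sample UID 10123 and the name `rules_for` are assumptions; DNS handling is left out.

```shell
#!/bin/sh
# Added illustration: print per-UID iptables rules for three policies.
# Nothing is applied; the output is text for inspection only.
TOR_TRANS_PORT=9040   # assumed Orbot TransPort
TOR_SOCKS_PORT=9050   # assumed Orbot SOCKS port

# rules_for MODE UID  (hypothetical helper, MODE = forced|fenced|bypass)
rules_for() {
    mode=$1 uid=$2
    # Refuse anything that is not a plain numeric UID before building commands.
    case "$uid" in ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 2 ;; esac
    case "$mode" in
    forced)
        # Transparent proxying: the nat table rewrites every new TCP
        # connection of this UID to Tor's TransPort on localhost.
        echo "iptables -t nat -A OUTPUT -p tcp --syn -m owner --uid-owner $uid -j REDIRECT --to-ports $TOR_TRANS_PORT"
        echo "iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport $TOR_TRANS_PORT -m owner --uid-owner $uid -j ACCEPT"
        ;;
    fenced)
        # "Fenced road": no nat redirect; the app talks to the local
        # SOCKS port itself, and that is the only destination allowed.
        echo "iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport $TOR_SOCKS_PORT -m owner --uid-owner $uid -j ACCEPT"
        ;;
    bypass)
        # Bypass: traffic of this UID leaves directly, without Tor.
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
        ;;
    *)
        echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    # forced and fenced end in a per-UID reject, so anything not matched
    # above (a direct connection, another proxy port) is dropped.
    [ "$mode" = bypass ] || echo "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Constructed sample UID; prints the three rule sets side by side.
for m in forced fenced bypass; do
    echo "# $m"
    rules_for "$m" 10123
done
```

Only the bypass rule set lacks the trailing REJECT, which is why a fenced app is not a permanent bypass: a connection that does not go to the local Tor port has no ACCEPT rule to match.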

hxe commented 10 years ago

oic. so in the case of say, chatsecure and wanting to proxy only certain accounts, it will still only be allowed to use tor on all of them right? won't be able to let any of them use the net normally? i guess i don't really mind anymore though. i've gotten used to using only the xmpp servers on my phone which support tor

also, i have thought about using an sshtunnel app on my phone too, and maybe just tunnelling the few things which don't work with tor. your solution won't take into account other sorts of proxies though will it? if it still only allows the apps to connect to either i2p or tor ports or something. but right now it's not an issue for me anyway as i'm not using ssh tunnels or anything on my phone yet. just thought i would bring it up anyway, in case others do

cjeanneret commented 10 years ago

hmm… this use-case is special. Really. A kind of "hybrid" app like that may cause some problems ;).

Proposal: I go as I said, fenced road and so on, and if it's not that good, I can find a way to provide a small configuration in addition.

hxe commented 10 years ago

yea :)