Jigsaw-Code / outline-apps

Outline Client and Manager, developed by Jigsaw. Outline Manager makes it easy to create your own VPN server. Outline Client lets you share access to your VPN with anyone in your network, giving them access to the free and open internet.
https://getoutline.org/
Apache License 2.0

Outline client for mac routing behaviour changed since 1.2.5 #500

Open vansickle opened 5 years ago

vansickle commented 5 years ago

Describe the bug

I have an Outline Server and a Web Server (nginx in my case) on the same host. Up to Outline Mac Client 1.2.3 (and it's still so for the Android client), when I enabled my Outline connection on the Mac and tried to access any page on the Web Server, traffic to the Web Server went through this VPN connection. And that's the expected behaviour, I suppose. Since Outline Mac Client 1.2.5, when I enable my Outline connection on the Mac, the traffic to the Web Server goes directly. This is clearly seen in the nginx access log.

To Reproduce

Steps to reproduce the behavior:

  1. Set up Outline Shadowbox and Nginx on the same server
  2. Set up a domain name pointing to the same server
  3. Set up Outline Mac Client 1.2.5 and connect
  4. Try to open a web page on the domain via a browser
  5. In the Nginx output you'll see the original IP of your Mac

Expected behavior

In the Nginx output you see the Server's own IP address as the source address (and it's so on Android and was on Mac up to Outline client 1.2.3).

Desktop (please complete the following information):

Additional context

Tested with the latest Outline Server - behavior is as described above for Mac clients 1.2.3, 1.2.5 and the latest Android client. Traffic to the rest of the web goes via the VPN.

UnclaimedPants commented 5 years ago

+1 same behaviour noticed.

trevj commented 5 years ago

@vansickle Thanks for the detailed report - apologies for the slow reply.

We did make some changes in 1.2.5 which may have affected routes to the server (though we certainly didn't expect it to).

@alalamav Can you imagine how this might be happening? I wonder if it affects iOS, too: https://github.com/Jigsaw-Code/outline-client/releases/tag/macos-v1.2.4

alalamav commented 5 years ago

I was able to reproduce the behavior with v1.2.5 on macOS 10.13.6. I also verified that the latest Android client behaves as you describe.

The fact that we see the client IP in the HTTP server hosted on the proxy server is technically correct. Traffic directed to the proxy IP, by definition, is excluded from the VPN. v1.2.3 introduced the LAN bypass feature, which excludes private subnets (i.e. 192.168.0.0/16) from the VPN. My suspicion was that excluding these routes implicitly caused the proxy IP to also bypass the VPN. However, I ran v1.2.1 and v1.2.2 and still saw the client IP in my HTTP server logs. I now believe this could be caused by a change in how the OS handles routing.

@vansickle, @UnclaimedPants, is there any chance that you saw the previous behavior (proxy IP in HTTP server logs) before High Sierra (macOS 10.13)? If so that could explain the discrepancy.

@trevj, I was able to reproduce this behavior on iOS 10.3 running the latest client.
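
The exclusion described in the comment above (traffic to the proxy IP and, with LAN bypass, to private subnets stays outside the VPN) can be modelled as longest-prefix route selection. This is an added example, not code from the thread or from Outline; the route table, the addresses (documentation ranges) and all function names are assumptions. Because routes match on IP address only, a web server sharing the proxy's IP is reached directly regardless of port.

```python
"""Simplified model of split-tunnel route selection (added example, not Outline's code)."""
import ipaddress

# Constructed sample addresses (documentation ranges); none come from the issue.
PROXY_IP = "203.0.113.10"      # host running both the proxy and nginx
OTHER_SITE = "198.51.100.7"    # unrelated web server

# RFC 1918 private ranges; the thread names 192.168.0.0/16 as one excluded subnet.
PRIVATE_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def build_routes(proxy_ip, lan_bypass=True):
    """Return (network, interface) pairs for a hypothetical VPN client."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "vpn")]  # default: tunnel everything
    # The tunnel's own packets must reach the proxy outside the tunnel,
    # so the proxy address gets a host route via the physical interface.
    routes.append((ipaddress.ip_network(f"{proxy_ip}/32"), "direct"))
    if lan_bypass:
        routes += [(ipaddress.ip_network(n), "direct") for n in PRIVATE_SUBNETS]
    return routes


def select_interface(routes, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, iface) for net, iface in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_seen_by_server(routes, destination, client_ip, proxy_ip):
    """Source address the destination web server would log for this request."""
    return proxy_ip if select_interface(routes, destination) == "vpn" else client_ip


if __name__ == "__main__":
    routes = build_routes(PROXY_IP)
    for dst in (PROXY_IP, OTHER_SITE, "192.168.1.20"):
        print(dst, "->", select_interface(routes, dst))
```
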