Closed c-hri-s closed 4 years ago
Are you port forwarding the ports on the router?
No - the packets are coming in through the VPN interface ... that bypasses (is a tunnel through) the router. Using the VPN IP address and the tinyproxy port anyone on the Internet can use my connection as a proxy.
It should be authenticated or firewalled within the docker image somehow, or should only respond to the local IP range (not the external IP).
For this to happen, wouldn't the VPN have to be forwarding that particular port to your IP? Presuming there are many people connected to the VPN.
The VPN isn't NAT, so no port forwarding is needed on their side. The IP you are assigned is 'your' IP for the duration of the VPN session. Any connection attempt (on any port) will hit the OpenVPN interface. If you've something running there it will respond, assuming it's configured to listen on that IP interface (which is the problem here with the Tinyproxy config - it should only listen on the internal interface).
This depends on your provider. Getting a "whole IP" for yourself with all ports open is not how most of them operate I think (estimation). With PIA you have to cURL a specific URL to get an open port assigned. NordVPN apparently closed all incoming ports (?), ref: https://github.com/haugene/docker-transmission-openvpn/issues/790#issuecomment-521976944
All that taken into account, adding the possibility of restricting access would still be nice of course :)
Just for clarity, I use iPredator - they currently operate as I've described. I can see it may not be an issue across all providers according to their policies.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Note: The stale bot was recently added to this project to help weed out outdated issues. This will help us to focus time and energy on issues that are important and move the others out of the way. There could however be many issues that are still relevant but have gotten old without ever being fixed. As this is the first round of cleaning it might have been too eager. Feel free to re-open this issue if you think it deserves another look.
When using WEBPROXY_ENABLED=true Tinyproxy creates a proxy that is open from the Internet via your assigned VPN address. This is a problem because the proxy is unauthenticated.
There should be (or perhaps, is there already?) a way to restrict the use of Tinyproxy to the local IP range of the internal network.
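An added example, not part of the thread or the project's code: a small audit that reads a tinyproxy configuration and reports why it would answer clients arriving over the VPN address. `Listen`, `Allow` and `BasicAuth` are tinyproxy's own directives; the sample configs, addresses and function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 and loopback ranges treated as "local". A VPN that hands out
# RFC 1918 tunnel addresses would also match; that case needs a manual look.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample configs, not taken from the project's image.
OPEN_CONF = "Port 8888\nMaxClients 100\n"
RESTRICTED_CONF = ("Port 8888\nListen 192.168.1.10\n"
                   "Allow 127.0.0.1\nAllow 192.168.1.0/24\n")

def parse(conf):
    """Map each directive (lowercased) to the list of values given for it."""
    directives = {}
    for raw in conf.splitlines():
        parts = raw.split(None, 1)
        if parts and not parts[0].startswith("#"):  # skip blanks and comments
            value = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0].lower(), []).append(value)
    return directives

def is_local(net):
    """True if the network sits entirely inside one of LOCAL_NETS (IPv4 only)."""
    return net.version == 4 and any(net.subnet_of(l) for l in LOCAL_NETS)

def audit(conf):
    """Return the reasons this config would serve clients beyond the LAN."""
    d, findings = parse(conf), []
    listen = d.get("listen", [])
    if not listen or any(a in ("0.0.0.0", "::") for a in listen):
        findings.append("Listen: bound to every interface, VPN tunnel included")
    allow = d.get("allow", [])
    if not allow:
        findings.append("Allow: no rules, so any source address is accepted")
    for entry in allow:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"Allow {entry}: not an IP or CIDR, review by hand")
            continue
        if not is_local(net):
            findings.append(f"Allow {entry}: outside RFC 1918/loopback IPv4")
    if findings and "basicauth" not in d:
        findings.append("BasicAuth: not set, so the exposure is unauthenticated")
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(name, audit(conf) or "no findings")
```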