search

mysteriumnetwork / node

Mysterium Network Node - official implementation of distributed VPN network (dVPN) protocol
https://mysterium.network
GNU General Public License v3.0
1.12k stars 311 forks source link

Allow kill switch to be enabled on node start #3924

Open chompomonim opened 3 years ago

chompomonim commented 3 years ago

Problem statement

There are cases when users may need to have kill switch enabled right after node (consumer mode) start, even before starting first session. This is heavily used by SuperProxy, they need firewall all the traffic right after docker container start and only when connecting to some exit node it should start sending it via tunnel.

For couple of years we already had option --firewall.killSwitch.always (added during starting node daemon) which was working only for Linux but were very useful for consumers run in docker. This feature is not covered by end-to-end tests and there were cases that after new release it stopped working.

Proposed solution

I see two options:

  1. Cover --firewall.killSwitch.always feature with tests and ensure that it is always supported. The only downside of this is that it works only for Linux.

  2. Extend our new multi platform kill switch (--keep-connected-on-fail) with additional option to have it enabled even before first session starts.

Snawoot commented 3 years ago

there were cases that after new release it stopped working.

AFAIK, there weren't such cases. Last issue was with incorrect netmask in firewall routes, which was falsely attributed to new release of node.

Cover --firewall.killSwitch.always feature with tests and ensure that it is always supported. The only downside of this is that it works only for Linux.

Could be useful either way.

Whole issue raises bigger question: what node is? Is it an implementation of VPN app? or it is a platform for dVPN? Should it absorb all possible features of any application built on top of it? In later case it looks like a dead end.

soffokl commented 3 years ago

This sounds very specific for superproxy only, and might be easy to implement on the superproxy level.

chompomonim commented 3 years ago

@Waldz what do you think? Can it be implemented on SuperNode level?

But if looking more wide, there are users who would like MysteriumVPN to be run right after computer start and that kill switch is enabled so no traffic without VPN at all. @tadaskay @furkanarius @cvl what do you think guys, is enabling kill switch on app start makes any sense to you? Could you do that on app level?

cvl commented 3 years ago

For Portals kill-switch should be working only after user has initiated connection, i.e. not right after node is started. So if he clicks "Connect", after that moment the traffic should be protected. Also, if user disconnects manually, he should be able to use his original connection (as if there's no VPN app).