oxen-io / lokinet

Lokinet is an anonymous, decentralized and IP based overlay network for the internet.
https://lokinet.org/
GNU General Public License v3.0

redo route management. #2140

Open majestrate opened 1 year ago

majestrate commented 1 year ago

the route poker as is currently is a linux-only thing and it's kind of hacky. we end up having to periodically probe the routing table to figure out if we need to modify it. this was done because i wanted to make it work and all i had to reference was openvpn. the way it is done now also does not allow us to do selective routing, which is something users have been asking for (i want it too).

ideally i want to remove the route poker and delegate the responsibility of route management to the system layer using nftables. i can see 2 primary modes of operation:

this means future route management would not be done by the lokinet process on linux. this would also make the route management code on every other platform much simpler, as they all offload this to the system layer already.

planetoryd commented 1 year ago

how would per-application routing be done? I've tried a few and they seem like hacks. Netns, iptables + running as different users, firejail, all have different issues. And there is flatpak, which has no consideration for proxying either.

majestrate commented 1 year ago

how would per-application routing be done? I've tried a few and they seem like hacks.

in the proposed setup, it'd be nftables rules + run application as a user in a group

e.g. sudo -g _lokinet-tunnel program args args args

Netns, iptables + running as different users, firejail, all have different issues. And there is flatpak, which has no consideration for proxying either.

tooling for netns is painful still.

planetoryd commented 1 year ago

Is it possible that a process changes its GID so that it leaks the traffic?

nvm, apps are not assumed to be malicious in this threat model

majestrate commented 1 year ago

Is it possible that a process changes its GID so that it leaks the traffic?

only if a process can setgid / setegid

majestrate commented 1 year ago

setgid is as restricted as setuid; if it can call that it very likely can become root, which is game over anyway.

planetoryd commented 1 year ago

How about setting up a netns and running firefox in firejail? It sounds more secure to me. (nftables seemed to leak traffic for me when the interface was down or misconfigured.) I fiddled with netns but no success. Idk how to configure this. I shouldn't move lokitun0 into a netns apparently. I'm not sure what a bridge is, but lokitun0 can't be added to a bridge.

majestrate commented 1 year ago

How about setting up a netns and running firefox in firejail? It sounds more secure to me. (nftables seemed to leak traffic for me when the interface was down or misconfigured.)

that would indeed work very well. there was an attempt years ago to do it that failed.

I fiddled with netns but no success. Idk how to configure this. I shouldn't move lokitun0 into a netns apparently.

lokinet needs to somehow straddle the boundary of both netns so that dns and the tun are inside it and the rest of lokinet is outside it.

I'm not sure what a bridge is, but lokitun0 can't be added to a bridge.

yea, it's an l3 tun; if it was an l2 tap it may work
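The group-based setup proposed above (nftables rules plus running the program under a dedicated group with `sudo -g`) and the "nftables leaked when the interface was down or misconfigured" concern raised in the reply can be combined in one ruleset. The script below is an added example written for this page; it is not lokinet's own code and nothing in the thread specifies these values. It assumes a tun interface named `lokitun0`, a group named `_lokinet-tunnel`, fwmark `0x10c` with routing table `268`, and lokinet's DNS bound to `127.3.2.1:53`; change them to match your `lokinet.ini`. Traffic from sockets owned by the group is marked, re-routed into a table whose only route is the tunnel, and anything from the group that would still leave on another interface is dropped instead of falling through to the default route.

```shell
#!/bin/sh
# Added example (not lokinet's code): selective routing by group with nftables
# and policy routing, with a kill switch for the "tunnel down or misconfigured"
# case. Every name and number below is an assumption, not something the thread
# specifies; the group must already exist (groupadd -r _lokinet-tunnel).
set -eu

TUN_IF="${TUN_IF:-lokitun0}"
TUN_GROUP="${TUN_GROUP:-_lokinet-tunnel}"
FWMARK="${FWMARK:-0x10c}"
RT_TABLE="${RT_TABLE:-268}"
LOKI_DNS="${LOKI_DNS:-127.3.2.1}"   # assumed [dns] bind address of lokinet

# Print the nftables ruleset as text; apply_rules is what loads it.
lokinet_ruleset() {
    cat <<EOF
table inet lokinet_tunnel {
    # 1. Mark packets from sockets whose owning gid is the tunnel group. A chain
    #    of type "route" on the output hook makes the kernel re-route the packet
    #    after the mark changes, so the fwmark policy-routing rule takes effect.
    chain mark {
        type route hook output priority mangle; policy accept;
        meta skgid ${TUN_GROUP} meta mark set ${FWMARK}
    }
    # 2. Kill switch, evaluated after re-routing: group traffic that would leave
    #    on anything except the tunnel (or loopback) is dropped rather than
    #    leaked via the main table, e.g. when ${TUN_IF} is down and its route is gone.
    chain leak_guard {
        type filter hook output priority filter; policy accept;
        meta skgid ${TUN_GROUP} oifname != { "lo", "${TUN_IF}" } drop
    }
    # 3. Send the group's DNS to lokinet's resolver so names resolve inside the
    #    tunnel; it listens on loopback, so the kill switch lets it through.
    chain dns {
        type nat hook output priority dstnat; policy accept;
        meta skgid ${TUN_GROUP} meta l4proto { tcp, udp } th dport 53 dnat ip to ${LOKI_DNS}
    }
}
EOF
}

# Policy routing: marked packets look up a table whose only route is the tunnel.
# A second, lower-priority "unreachable" rule for the same mark means an empty
# table (interface down) returns an error to the application instead of falling
# through to the main table. (ip rule is per family; add "ip -6 rule" variants
# if the exit carries IPv6. The nft drop above already covers both families.)
apply_rules() {
    lokinet_ruleset | nft -f -
    for spec in "table ${RT_TABLE} priority 100" "type unreachable priority 101"; do
        # shellcheck disable=SC2086
        ip rule del fwmark "${FWMARK}" $spec 2>/dev/null || true
        # shellcheck disable=SC2086
        ip rule add fwmark "${FWMARK}" $spec
    done
    ip route replace default dev "${TUN_IF}" table "${RT_TABLE}"
}

case "${1:-}" in
    show)  lokinet_ruleset ;;
    apply) apply_rules ;;   # needs root and a running lokinet
esac
```

Run `sh lokinet-route.sh show` to inspect the ruleset and `sudo sh lokinet-route.sh apply` to load it once `lokitun0` is up; afterwards `sudo -g _lokinet-tunnel curl http://example.loki` (or `sg _lokinet-tunnel -c '...'` if your user is a member) goes through the tunnel, and the same command with the interface down fails instead of reaching the internet directly. As the thread notes, this holds only for processes that cannot `setgid` back out of the group, and the lokinet daemon itself must not run under that group or its own link traffic would be dropped.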

planetoryd commented 1 year ago

what do you think of portmaster? it seems to do selective routing

majestrate commented 1 year ago

what do you think of portmaster? it seems to do selective routing

i like their ui but i know nothing of their internals

planetoryd commented 1 year ago

from my two days' use of portmaster, it's a pain to use without subscribing to their SPN.

  1. You can't route applications individually in the UI even though they could add this feature easily. (de facto SPN vendor lock-in)
    • so I only use it to prevent leaks, by killing non-localhost connections in the default net namespace.
  2. You can't disable their DNS server, and their DNS server doesn't work at all (prolly bcs my system has complicated configs, but anyway). I have to manually remove their nftables rule to un-redirect DNS to allow my VPN to do the initial lookup, i.e. bootstrap.

it'd be great if it could route to socks proxies, tor (through tun2socks or something, idk) and lokinet, as an all-encompassing solution to desktop proxy-selective routing on linux. (but it doesn't consider netns)

edit,

I switched to Opensnitch when portmaster started hogging my cpu

ghost commented 1 year ago

@planetoryd

proxy-selective-routing on linux

You mean like stream isolation?

I think more documentation should be about editing the loki config (the equivalent of Tor's torrc), because by default Loki doesn't have any exit nodes set. (you have to set them manually in the config if you want them to be automatic at start). Also it would be great if you could put in more than one in the config and randomly ($RANDOM) select one from those listed in the config upon startup of the systemd service.
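The "pick one of several exits at random on service start" idea above can be done outside lokinet with a small pre-start script. The one below is an added example for this page, not code from the project or from the commenter, and it makes assumptions the thread does not state: that the config lives at `/var/lib/lokinet/lokinet.ini`, that the exit is set by an `exit-node=` line in its `[network]` section, and that the candidate exits are kept in a separate plain-text file (one per line) because the config itself holds a single value. It picks with awk's RNG so it also works under plain `sh` where `$RANDOM` does not exist, and it rewrites the `exit-node=` line idempotently so repeated starts do not accumulate duplicates.

```shell
#!/bin/sh
# Added example (not lokinet's code): choose one exit from a list at random and
# write it into lokinet.ini before the daemon starts, e.g. from a systemd
# ExecStartPre=. Paths, the "exit-node=" key and the list format are assumptions.
set -eu

# Print one line chosen uniformly at random from stdin; blank lines and
# "#" comments are skipped. Reservoir sampling with k=1 needs no line count.
pick_random() {
    awk -v seed="$(date +%s)$$" '
        BEGIN { srand(seed) }
        /^[[:space:]]*(#|$)/ { next }                # comments / blank lines
        { n++; if (rand() < 1.0 / n) chosen = $0 }   # keep line i with prob 1/i
        END { if (n) print chosen }'
}

# Replace (or add) the exit-node= line in the [network] section of an ini file.
# Extra exit-node= lines in that section are dropped; other sections are untouched.
set_exit_node() {
    ini="$1"; node="$2"
    awk -v exit_node="$node" '
        /^\[/ {                                  # entering a new section
            if (in_net && !done) { print "exit-node=" exit_node; done = 1 }
            in_net = ($0 == "[network]")
        }
        in_net && /^[[:space:]]*exit-node[[:space:]]*=/ {
            if (!done) { print "exit-node=" exit_node; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {                         # [network] was last, or absent
                if (!in_net) print "[network]"
                print "exit-node=" exit_node
            }
        }' "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# Pick an exit from the list file, write it to the ini, print what was chosen.
rotate_exit() {
    list="$1"; ini="$2"
    node="$(pick_random < "$list")"
    [ -n "$node" ] || { echo "no exits listed in $list" >&2; return 1; }
    set_exit_node "$ini" "$node"
    echo "$node"
}

case "${1:-}" in
    rotate) rotate_exit "${2:-/etc/lokinet/exits.list}" "${3:-/var/lib/lokinet/lokinet.ini}" ;;
esac
```

Wire it in with a drop-in such as `ExecStartPre=/usr/local/sbin/lokinet-exit-rotate rotate` (running as a user that may write the ini) so each start of the service lands on a different exit. Note the trade-off: a random exit per start means a different operator sees your exit traffic each time, which is the point of the request but also means per-exit allowlists or firewall rules on your side must cover every entry in the list.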

majestrate commented 1 year ago

stream isolation would be for .loki and .snode using ipv6 flow labels, it should be in with #2119

planetoryd commented 1 year ago

You mean like stream isolation?

I mean maintaining multiple isolated online identities through different proxies securely, in general.

The core of proxy-selective routing is not application/connection/whatever, but identity isolation. The set of rules is a means to that end.

Casual proxying usually aims at simple circumvention of censorship, or accessing private networks. It's already available. Find the right environment variables and parameters, and try again if the app doesn't pick them up.

Usually there are at least two identities, one for package installers, the other for browsing; more for a more complex setup.

planetoryd commented 1 year ago

FYI, I wrote a Rust script to handle my needs. It's really handy to me. Ex. it enters a netns without sudo (sudo messes up a lot of things, so I decided to ditch it in this scenario). I use it daily.

majestrate commented 1 year ago

On Tuesday, 23 May 2023 06:32:55 EDT plein wrote:

FYI, I wrote a Rust script to handle my needs. It's really handy to me. Ex. it enters a netns without sudo (sudo messes up a lot of things, so I decided to ditch it in this scenario). I use it daily.

this is very very cool. you should make a lokinet-awesome repo too. i have a few other things i'd like to add to such.

-- ~jeff