3hhh

Let me rephrase: `user session` -- (leading to) --> `sslsplit pcap` `TLS(proto)` -- (leading to) --> `proto` `TLS(TLS(proto))` -- (leading to) --> `TLS(proto)`

> Do you have a real life use case for this? I was recently debugging https connections of a web scraper framework tunelled via a https proxy. But I guess...

> I've already tried that, but AMO won't let me publish an update with a different extension ID than the one it automatically generated. Any idea how to fix this?...

@tasket: While I respect you and your work, I don't necessarily agree with you on all points. Btw I think we had this discussion already 3 years back or so....

> mind letting tasket take a go at it first so we have something not 2.x/3.x at least to base from, then making sure your points get addressed too? Totally...

> @awokd @3hhh I would be comfortable starting a re-write if there were more agreement on the technical points. Relying on sys-firewall is highly problematic as that VM won't have...

> The problem with integrating _sys-firewall_ with VPN anti-leak protection stems from the fact that the VPN client itself is providing a rather strong guardian function, wherein it cryptographically verifies...

> some proxy kernel driver that instead of executing the kernel-related network requests (create interface X etc.) inside `vpn-control` would have to execute them inside `sys-vpn` via qrexec. > The...

> > > The problem with integrating _sys-firewall_ with VPN anti-leak protection stems from the fact that the VPN client itself is providing a rather strong guardian function, wherein it...

A good start @tasket! Some comments so far: - I like that you discarded the scripts & netVM stuff and focused on `qubes-tunnel`. - The ping to 1.1.1.1 doesn't look...