lokinet
redo route management.
The route poker, as it currently is, is a Linux-only thing and it's kind of hacky. We end up having to periodically probe the routing table to figure out if we need to modify it. This was done because I wanted to make it work and all I had to reference was OpenVPN. The way it is done now also does not allow us to do selective routing, which is something users have been asking for (I want it too).

Ideally I want to remove the route poker and delegate the responsibility of route management to the system layer using nftables. I can see 2 primary modes of operation:

- (opt out) any user not belonging to the group `_lokinet-direct` would be forced to route traffic over the `lokitun0` interface.
- (opt in) any user in the `_lokinet-tunnel` group will always use the `lokitun0` interface for traffic.

This means future route management would not be done by the lokinet process on Linux. This would also make the route management code on every other platform much simpler, as they all offload this to the system layer already.
How would per-application routing be done? I've tried a few and they seem like hacks. Netns, iptables + running as different users, firejail, all have different issues. And there is flatpak, which has no consideration for proxying either.
> How would per-application routing be done? I've tried a few and they seem like hacks.

In the proposed setup, it'd be nftables rules + run the application as a user in a group, e.g. `sudo -g _lokinet-tunnel program args args args`

> Netns, iptables + running as different users, firejail, all have different issues. And there is flatpak, which has no consideration for proxying either.

Tooling for netns is still painful.
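The group-based scheme from the opening post and the `sudo -g _lokinet-tunnel` reply above, worked through as an added example. This is not lokinet's code and not something the project ships: a POSIX shell script that generates the nftables ruleset and installs the policy-routing rule that steers marked packets out the tun interface. The tun name `lokitun0`, the two group names, fwmark `0x10c`, routing table `100`, and the assumption that lokinet wants the tun's own address as the packet source are all choices made here; lokinet's DNS redirection is not covered.

```shell
#!/bin/sh
# Added example, not lokinet's own code: group-based selective routing with
# nftables + policy routing, as proposed in this thread.
# Assumptions made here (not from the thread): tun interface lokitun0, fwmark
# 0x10c and routing table 100 are unused on the host, and lokinet accepts
# packets on the tun only if their source is the tun's own address.
TUN_IF=${TUN_IF:-lokitun0}
FWMARK=0x10c
RT_TABLE=100

# gen_ruleset MODE GID -> prints an nftables ruleset on stdout.
#   opt-in : only sockets owned by GID (the _lokinet-tunnel group) are marked.
#   opt-out: every socket except those owned by GID (_lokinet-direct) is marked.
gen_ruleset() {
    mode=$1
    gid=$2
    case $mode in
        opt-in)  sel="meta skgid $gid" ;;
        opt-out) sel="meta skgid != $gid" ;;
        *) echo "gen_ruleset: unknown mode '$mode'" >&2; return 1 ;;
    esac
    cat <<EOF
table inet lokinet {
    # A 'route' chain makes the kernel repeat the route lookup after the mark
    # is set, so the fwmark policy rule can steer the packet onto $TUN_IF.
    # meta skgid matches the primary GID of the process that created the socket.
    chain output_mangle {
        type route hook output priority mangle; policy accept;
        oifname "lo" return
        $sel meta mark set $FWMARK
    }
    # Leak guard: if $TUN_IF is down, table $RT_TABLE is empty and the marked
    # packet falls back to the main table. Drop it rather than send it direct.
    chain output_filter {
        type filter hook output priority filter; policy accept;
        oifname "lo" return
        meta mark $FWMARK oifname != "$TUN_IF" counter drop
    }
    # Source selection happened before the mark, so the packet still carries
    # the direct interface's address; rewrite it to $TUN_IF's own address.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$TUN_IF" masquerade
    }
}
EOF
}

# group_gid NAME -> prints the numeric GID of NAME, or fails if it doesn't exist.
group_gid() {
    getent group "$1" | cut -d: -f3 | grep .
}

# apply MODE: install the ruleset and the policy-routing rule/route (needs root).
apply() {
    mode=$1
    case $mode in
        opt-in)  grp=_lokinet-tunnel ;;
        opt-out) grp=_lokinet-direct ;;
        *) echo "apply: unknown mode '$mode'" >&2; return 1 ;;
    esac
    gid=$(group_gid "$grp") || { echo "group $grp does not exist" >&2; return 1; }
    gen_ruleset "$mode" "$gid" | nft -f - || return 1
    for fam in -4 -6; do
        # 'ip rule add' is not idempotent, so tolerate an already-present rule.
        ip $fam rule add fwmark $FWMARK lookup $RT_TABLE 2>/dev/null || true
        ip $fam route replace default dev "$TUN_IF" table $RT_TABLE || return 1
    done
}

# Usage: lokinet-routes.sh apply opt-in|opt-out
if [ "${1:-}" = apply ]; then
    apply "${2:-opt-in}"
fi
```

Run `sh lokinet-routes.sh apply opt-in` as root, then `sudo -g _lokinet-tunnel curl https://example.com`: `sudo -g` sets the primary GID of the process, which is what `meta skgid` matches on the sockets it creates. The `output_filter` chain is the leak guard for the interface-down case raised later in this thread: when `lokitun0` goes down its routes are flushed from table 100, the marked packet falls through to the main table, and without the drop rule it would leave on the direct interface. Two caveats: in opt-out mode the lokinet daemon's own user must be in `_lokinet-direct`, or its traffic to the network is pushed into its own tunnel; and name resolution done by a separate resolver process (a local stub resolver on `lo`) is not owned by the tunnel group, so DNS has to be redirected separately.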
Is it possible that a process changes its GID so that it leaks the traffic?

nvm, apps are not assumed to be malicious in this threat model
> Is it possible that a process changes its GID so that it leaks the traffic?

Only if a process can `setgid` / `setegid`. `setgid` is as restricted as `setuid`; if it can call that it very likely can become root, which is game over anyways.
How about setting up a netns and running firefox in firejail? It sounds more secure to me. (nftables seemed to leak traffic for me when the interface was down or misconfigured.) I fiddled with netns but no success. I don't know how to configure this. I shouldn't move lokitun0 into a netns apparently. I'm not sure what a bridge is, but lokitun0 can't be added to a bridge.
> How about setting up a netns and running firefox in firejail? It sounds more secure to me. (nftables seemed to leak traffic for me when the interface was down or misconfigured.)

That would indeed work very well. There was an attempt years ago to do it that failed.

> I fiddled with netns but no success. I don't know how to configure this. I shouldn't move lokitun0 into a netns apparently.

Lokinet needs to somehow straddle the boundary of both netns so that DNS and the tun are inside it and the rest of lokinet is outside it.

> I'm not sure what a bridge is, but lokitun0 can't be added to a bridge.

Yeah, it's an L3 tun; if it was an L2 tap it may work.
What do you think of portmaster? It seems to do selective routing.
> What do you think of portmaster? It seems to do selective routing.

I like their UI but I know nothing of their internals.
From my two days of using portmaster, it's a pain to use without subscribing to their SPN.

- You can't route applications individually in the UI even though they could add this feature easily (de facto SPN vendor lock-in).
- So I only use it to prevent leaks, by killing non-localhost connections in the default net namespace.
- You can't disable their DNS server, and their DNS server doesn't work at all (probably because my system has complicated configs, but anyway). I have to manually remove their nftables rule to un-redirect DNS to allow my VPN to do the initial lookup, i.e. bootstrap.

It'd be great if it could route to SOCKS proxies, Tor (through tun2socks or something, idk) and lokinet, as an all-encompassing solution to desktop proxy-selective-routing on Linux. (But it doesn't consider netns.)

Edit: I switched to OpenSnitch when portmaster started hogging my CPU.
@planetoryd

> proxy-selective-routing on linux

You mean like stream isolation?
I think more documentation should be about editing the loki config (the equivalent of Tor's torrc), because by default Loki doesn't have any exit nodes set (you have to set them manually in the config if you want them to be automatic at start). Also it would be great if you could put more than one in the config and randomly (`$RANDOM`) select one of those listed in the config upon startup of the systemd service.
Stream isolation would be for .loki and .snode using IPv6 flow labels; it should be in with #2119.
> You mean like stream isolation?

I mean maintaining multiple isolated online identities through different proxies securely, in general.

The core of proxy-selective-routing is not application/connection/whatever, but identity isolation. The set of rules is a means to that end.

Casual proxying usually aims at simple circumvention of censorship, or accessing private networks. It's already available. Find the right environment variables and parameters, and try again if the app doesn't pick them up.

Usually there are at least two identities, one for package installers, the other for browsing; more for more complex setups.
FYI, I wrote a Rust script to handle my needs. It's really handy to me. E.g. it enters a netns without sudo (sudo messes up a lot of things, so I decided to ditch it in this scenario). I use it daily.
On Tuesday, 23 May 2023 06:32:55 EDT plein wrote:

> FYI, I wrote a Rust script to handle my needs. It's really handy to me. E.g. it enters a netns without sudo (sudo messes up a lot of things, so I decided to ditch it in this scenario). I use it daily.

This is very very cool. You should make a lokinet-awesome repo too. I have a few other things I'd like to add to such.

-- ~jeff