Remediate TunnelVision, TunnelCrack and fix "Exclude Local Networks" #3460
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
diegoreymendez
changed the title
diegoreymendez
commented
Nov 6, 2024
Comment on lines
135
to
139
| if !settings.enforceRoutesForceEnabledOnce { | ||
| settings.enforceRoutesForceEnabledOnce = true | ||
| settings.excludeLocalNetworks = true | ||
| settings.enforceRoutes = true | ||
| } |
There was a problem hiding this comment.
The first time the VPN is started with the feature flag ON, we'll enable enforce routes. But the setting can be overridden by internal users in case there's trouble.
diegoreymendez
commented
Nov 6, 2024
Comment on lines
-53
to
-55
| .onTapGesture { | ||
| viewModel.toggleExcludeLocalNetworks() | ||
| } |
There was a problem hiding this comment.
This was not really working at all, and adding to the overall problems.
samsymons
reviewed
Nov 8, 2024
DuckDuckGo/IPC/VPNCommander.swift
Outdated
Comment on lines
24
to
31
| func restartAdapter() async throws { | ||
| guard let activeSession = await AppDependencyProvider.shared.networkProtectionTunnelController.activeSession(), | ||
| activeSession.status == .connected else { | ||
|
|
||
| return | ||
| } | ||
|
|
||
| try? await activeSession.sendProviderRequest(.command(.restartAdapter)) |
There was a problem hiding this comment.
What do you think about instead putting this in NetworkProtectionTunnelController? (I wonder whether the tunnel controller should have a function like sendProviderRequest that abstracts the fetching of the session etc., since we have similar logic in a few places.)
There was a problem hiding this comment.
Agreed. I was avoiding it because this forces the change on macOS (as I need to modify the TunnelController protocol) which requires some thinking.
That said, I think it makes sense so I pushed the change.
samsymons
reviewed
Nov 8, 2024
not-a-rootkit
approved these changes
Nov 11, 2024
diegoreymendez
added a commit
to duckduckgo/BrowserServicesKit
that referenced
this pull request
Nov 11, 2024
…1039) Task/Issue URL: https://app.asana.com/0/1206580121312550/1208686409805161/f Tech Design URL: https://app.asana.com/0/481882893211075/1208643192597095/f iOS PR: duckduckgo/iOS#3460 macOS PR: duckduckgo/macos-browser#3422 What kind of version bump will this require?: Major ## Description Remediate TunnelVision, TunnelCrack and fix "Exclude Local Networks".
diegoreymendez
added a commit
to duckduckgo/macos-browser
that referenced
this pull request
Nov 11, 2024
…3422) Task/Issue URL: https://app.asana.com/0/1206580121312550/1208686409805161/f Tech Design URL: https://app.asana.com/0/481882893211075/1208643192597095/f iOS PR: iOS PR: duckduckgo/iOS#3460 BSK PR: duckduckgo/BrowserServicesKit#1039 ## Description Remediate TunnelVision, TunnelCrack and fix "Exclude Local Networks".
samsymons
added a commit
that referenced
this pull request
Nov 12, 2024
# By Daniel Bernal (1) and others # Via Federico Cappelli (1) and GitHub (1) * main: Remediate TunnelVision, TunnelCrack and fix "Exclude Local Networks" (#3460) Sync: Send pixels for account removal + decoding issues (#3557) Release 7.145.0-0 (#3560) [DuckPlayer] Base Overlay Pixel Implementation (#3545) Refresh toast updates (#3552) point to BSK branch (#3559) Remove ATB from attribution pixel (#3550) # Conflicts: # DuckDuckGo.xcodeproj/project.pbxproj # DuckDuckGo.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Task/Issue URL: https://app.asana.com/0/1206580121312550/1208686409805161/f
Tech Design URL: https://app.asana.com/0/481882893211075/1208643192597095/f
macOS PR: duckduckgo/macos-browser#3422
BSK PR: duckduckgo/BrowserServicesKit#1039
Description
Remediate TunnelVision, TunnelCrack and fix "Exclude Local Networks".
Testing
Test 1: External Users aren't affected
Prerequisites:
Steps:
enforceRoutesis OFF, you'll be able to access your local network devices, but when it's ON you won't be able to access those devices.Test 2: Internal Users get new routing
Prerequisites:
enforceRoutesremote feature flag is ON.Steps:
2. Star the VPN (the first time you start the VPN as an internal user, "Enforce routes" should be enabled).
3. Make sure you can access the internet.
4. Make sure you cannot access local devices.
Test 3: Internal Users can override enforce routes.
Prerequisites:
Steps:
Test 4: TunnelVision fixed when enforceRoutes is ON.
Prerequisites:
Steps:
Test 5: TunnelCrack blocks all VPN traffic.
Prerequisites:
Steps:
Please note: I'm suggesting we show a warning here, but this will be tackled as a follow-up task.
Internal references:
Software Engineering Expectations
Technical Design Template