wireguard.lists.zx2c4.com archive mirror
* Android app whitelist/blacklist feature
@ 2018-07-02 20:35 Eric Kuck
From: Eric Kuck @ 2018-07-02 20:35 UTC (permalink / raw)
  To: wireguard


I’d like to make a contribution to the Android app, but would like to know
if this is something that would actually get merged before I go through all
the effort. What I’d like to do is add an exceptions list (apps that will
not be routed through the Wireguard interface). The rationale for this
being that some apps simply don’t work with Wireguard. For example, the use
of a Wireguard VPN with custom DNS breaks WearOS watches due to Google
hardcoding the use of the 8.8.8.8 DNS server. Another example is that
Netflix doesn’t work when routed through my VPN server since they know it’s
a DigitalOcean instance, but works fine without the VPN enabled. Another
example is that there’s often no reason to route data-heavy video apps
through your VPN server. Rather than turning the VPN on my phone off to use
my wearable or to watch something on my phone, I’d like to be able to opt
those apps out of using the VPN at all. I’m sure there are many more
examples of apps that simply don’t need to go through a VPN, as no
confidential information is passed through them.

My proposal is to add another Fragment that’s just a list of all apps
installed on the phone with check boxes next to them. If the checkbox is
checked, that app will be routed through Wireguard. If not, it will be free
to bypass the VPN. Naturally, all apps will default to being checked.
This is an easy change to make for the GoBackend implementation
using VpnService.Builder.addDisallowedApplication(<packageName>), but would
likely be pretty complicated to add to WgQuickBackend. Perhaps this is
something that would only be possible for GoBackend users.

Any thoughts on this? I have everything working locally by simply adding
these two hardcoded lines to GoBackend.java:

    builder.addDisallowedApplication("com.netflix.mediaclient");
    builder.addDisallowedApplication("com.google.android.wearable.app");

but I would like to make this more configurable and available to the rest
of Wireguard users if you’re agreeable to it. Thanks.


* Re: Android app whitelist/blacklist feature
From: Samuel Holland @ 2018-07-02 21:43 UTC (permalink / raw)
  To: Eric Kuck, wireguard

Hello Eric,

On 07/02/18 15:35, Eric Kuck wrote:
> I’d like to make a contribution to the Android app, but would like to know if
> this is something that would actually get merged before I go through all the
> effort. What I’d like to do is add an exceptions list (apps that will not be
> routed through the Wireguard interface). The rationale for this being that 
> some apps simply don’t work with Wireguard. For example, the use of a 
> Wireguard VPN with custom DNS breaks WearOS watches due to Google hardcoding 
> the use of the 8.8.8.8 DNS server. Another example is that Netflix doesn’t 
> work when routed through my VPN server since they know it’s a DigitalOcean 
> instance, but works fine without the VPN enabled. Another example is that 
> there’s often no reason to route data-heavy video apps through your VPN 
> server. Rather than turning the VPN on my phone off to use my wearable or to 
> watch something on my phone, I’d like to be able to opt those apps out of 
> using the VPN at all. I’m sure there are many more examples of apps that 
> simply don’t need to go through a VPN, as no confidential information is 
> passed through them.

This sounds like a generally useful feature.

> My proposal is to add another Fragment that’s just a list of all apps 
> installed on the phone with check boxes next to them. If the checkbox is 
> checked, that app will be routed through Wireguard. If not, it will be free 
> to bypass the VPN. Naturally, all apps will default to being checked.

If you base the UI on DialogPreference or MultiSelectListPreference, Android
will take care of persisting the setting for you, and it would be easy to add to
the settings page.

> This is an easy change to make for the GoBackend implementation using 
> VpnService.Builder.addDisallowedApplication(<packageName>), but would likely 
> be pretty complicated to add to WgQuickBackend. Perhaps this is something 
> that would only be possible for GoBackend users.

For WgQuickBackend, we'd need to modify the set_users function[1] in the
wg-quick "script" to take a dynamic list of user IDs instead of hard coding it.
PackageManager should provide us the UIDs of other applications. I'm not sure
the best way to communicate the ID list from the app to the script. Jason, thoughts?

> Any thoughts on this? I have everything working locally by simply adding 
> these two hardcoded lines to GoBackend.java:
> 
> builder.addDisallowedApplication("com.netflix.mediaclient"); 
> builder.addDisallowedApplication("com.google.android.wearable.app");
> 
> but I would like to make this more configurable and available to the rest of
>  Wireguard users if you’re agreeable to it. Thanks.

Thank you,
Samuel

[1]:
https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick/android.c?id=dfd9827d5b08c506522bb3762cd3b0dbac640bbc#n291


* Re: Android app whitelist/blacklist feature
From: Eric Kuck @ 2018-07-03  0:22 UTC (permalink / raw)
  To: Samuel Holland, wireguard


Excellent. I unfortunately haven’t done any C programming for almost a
decade and have never done any kind of kernel development, so I’m not going
to be any help adding this functionality to the wg-quick implementation. If
I were to do the work I initially proposed (new fragment + GoBackend
implementation), would this be enough to get merged? If so, would it be
better if I simply disabled the new fragment for custom kernel users or if
I left a placeholder assuming someone else can add the missing
implementation?



* Re: Android app whitelist/blacklist feature
From: Jason A. Donenfeld @ 2018-07-03  2:21 UTC (permalink / raw)
  To: eric; +Cc: WireGuard mailing list

Hey Eric,

Sorry for not responding earlier when you sent this to me directly.
I'm glad you sent it here and Samuel caught it, so your nice idea
won't go to waste.

On Tue, Jul 3, 2018 at 2:22 AM Eric Kuck <eric@bluelinelabs.com> wrote:
> If I were to do the work I initially proposed (new fragment + GoBackend implementation), would this be enough to get merged?

No, but I can write the C part and just provide you with some sane
interface for passing off the relevant information to wg-quick. Send
me offlist an SSH key, and I'll give you commit access to branches
that begin with `ek/`.

> My proposal is to add another Fragment that’s just a list of all apps installed on the phone with check boxes next to them.

How would one get to the Fragment? From the overflow menu, or from the
settings? I suspect the settings would be a more natural place for it.
Or were you thinking that this would actually be part of each
individual tunnel profile, stored within the configuration for the
tunnel somehow?

Regards,
Jason


* Re: Android app whitelist/blacklist feature
From: Eric Kuck @ 2018-07-03  2:27 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list


I was originally thinking the new fragment would be a per-tunnel thing (set
when you create the tunnel or edit it), but you’re right - making it a
general setting likely makes a whole lot more sense. I can’t think of any
use-cases for different tunnels handling different apps.



* Re: Android app whitelist/blacklist feature
From: Jason A. Donenfeld @ 2018-07-03  2:31 UTC (permalink / raw)
  To: eric; +Cc: WireGuard mailing list

On Tue, Jul 3, 2018 at 4:27 AM Eric Kuck <eric@bluelinelabs.com> wrote:
>
> I was originally thinking the new fragment would be a per-tunnel thing (set when you create the tunnel or edit it), but you’re right - making it a general setting likely makes a whole lot more sense. I can’t think of any use-cases for different tunnels handling different apps.

It might actually make most sense to make it a per-tunnel thing. We'd
then have to introduce a conf key called "ExemptedApplications=" or
something. Samuel - any thoughts on this?


* Re: Android app whitelist/blacklist feature
From: Samuel Holland @ 2018-07-03 18:12 UTC (permalink / raw)
  To: Jason A. Donenfeld, eric; +Cc: WireGuard mailing list

On 07/02/18 21:31, Jason A. Donenfeld wrote:
> On Tue, Jul 3, 2018 at 4:27 AM Eric Kuck <eric@bluelinelabs.com> wrote:
>> 
>> I was originally thinking the new fragment would be a per-tunnel thing
>> (set when you create the tunnel or edit it), but you’re right - making it
>> a general setting likely makes a whole lot more sense. I can’t think of
>> any use-cases for different tunnels handling different apps.
> 
> It might actually make most sense to make it a per-tunnel thing. We'd then 
> have to introduce conf key called, "ExemptedApplications=" or something. 
> Samuel - any thoughts on this?

Right, trying to make it a global setting requires either some sort of
out-of-band way to pass the information to wg-quick, or rewriting the
configuration file every time the tunnel is brought up.

Since from netd's point of view, this is a per-network setting anyway, I agree
it makes sense to configure it per-tunnel. ExemptedApplications works as a
configuration key, though I prefer ExcludedApplications--the application isn't
just not required to use the tunnel, it's not allowed to use the tunnel.

In that case, here are my UI suggestions:
- Add a button in the editor that switches to a fragment or pops up a Dialog
similar to a MultiSelectListPreference.
- For consistency, checked means excluded -- everything defaults to unchecked.
- The package names of excluded apps are put in the
com.wireguard.config.Interface, and wg-quick handles package name to uid
translation.

How does that sound?

Samuel
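As an added illustration of the GoBackend side of the design Samuel sketches above (this is not WireGuard's code): a tunnel's excluded package list is applied through VpnService.Builder, with the not-installed case handled instead of aborting the tunnel. The parse helper and the config accessor are assumptions; the Android calls are real.

```java
import android.content.pm.PackageManager;
import android.net.VpnService;
import android.util.Log;

import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/** Added example: applying a tunnel's ExcludedApplications list in a GoBackend-style service. */
final class ExcludedApps {
    private static final String TAG = "WireGuard/ExcludedApps";

    private ExcludedApps() {
    }

    /**
     * Parses the value of a hypothetical "ExcludedApplications = a, b, c" config
     * key into a set of package names. Blank entries are dropped and order is kept
     * so the editor can show the list as written.
     */
    static Set<String> parse(final String value) {
        final Set<String> packages = new LinkedHashSet<>();
        if (value == null) {
            return packages;
        }
        for (final String entry : value.split(",")) {
            final String name = entry.trim();
            if (!name.isEmpty()) {
                packages.add(name);
            }
        }
        return packages;
    }

    /**
     * Marks each package as disallowed on the tunnel so its traffic bypasses the
     * interface; every other app stays routed through the VPN (opt-out semantics,
     * matching "checked means excluded, default unchecked"). addDisallowedApplication
     * cannot be mixed with addAllowedApplication on the same builder.
     *
     * @return the packages that were actually applied
     */
    static Set<String> apply(final VpnService.Builder builder, final Set<String> excluded) {
        final Set<String> applied = new LinkedHashSet<>();
        for (final String packageName : excluded) {
            try {
                // Throws when the package is not installed (stale entry or typo).
                builder.addDisallowedApplication(packageName);
                applied.add(packageName);
            } catch (final PackageManager.NameNotFoundException e) {
                // Skip instead of failing the tunnel: a missing excluded app simply
                // leaves nothing to bypass, which is the safe direction.
                Log.w(TAG, "Excluded package not installed, ignoring: " + packageName);
            }
        }
        return Collections.unmodifiableSet(applied);
    }
}
```

In the service this would replace the two hardcoded addDisallowedApplication lines with something like `ExcludedApps.apply(builder, iface.getExcludedApplications())`, where the accessor on com.wireguard.config.Interface is assumed rather than existing.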


* Re: Android app whitelist/blacklist feature
From: Jason A. Donenfeld @ 2018-07-03 18:17 UTC (permalink / raw)
  To: Samuel Holland; +Cc: Eric Kuck, WireGuard mailing list

On Tue, Jul 3, 2018 at 8:12 PM Samuel Holland <samuel@sholland.org> wrote:
> Right, trying to make it a global setting requires either some sort of
> out-of-band way to pass the information to wg-quick, or rewriting the
> configuration file every time the tunnel is brought up.
>
> Since from netd's point of view, this is a per-network setting anyway, I agree
> it makes sense to configure it per-tunnel. ExemptedApplications works as a
> configuration key, though I prefer ExcludedApplications--the application isn't
> just not required to use the tunnel, it's not allowed to use the tunnel.
>
> In that case, here are my UI suggestions:
> - Add a button in the editor that switches to a fragment or pops up a Dialog
> similar to a MultiSelectListPreference.
> - For consistency, checked means excluded -- everything defaults to unchecked.
> - The package names of excluded apps are put in the
> com.wireguard.config.Interface, and wg-quick handles package name to uid
> translation.
>
> How does that sound?

All of that sounds right-on to me, and I think you're right that
ExcludedApplications is the better key.

(This also provides a good basis for later adding a
"ExcludeLocalNetwork" option.)

Eric's git access should be all set up now, so we can watch the
commits coming on in.


* Re: Android app whitelist/blacklist feature
From: Eric Kuck @ 2018-07-04 22:19 UTC (permalink / raw)
  To: Jason A. Donenfeld, Samuel Holland; +Cc: WireGuard mailing list


A first pass that only works with GoBackend has just been pushed. Feel free
to make suggestions or requests. This is the first time I’ve used
databinding for more than just a findViewById substitute, so it’s very
possible I didn’t do something canonically.



* Re: Android app whitelist/blacklist feature
From: Jason A. Donenfeld @ 2018-07-05 13:23 UTC (permalink / raw)
  To: Eric Kuck; +Cc: WireGuard mailing list

Hey Eric,

On cursory glance, this looks really good; well done. It might be
desirable to have an easy toolbar icon for deselecting all apps. Great
that you managed to use RecyclerView. We'd like to use that on the
main tunnel list fragment, but haven't done so yet [1] (if you feel so
inclined and want to give it a spin.)

I'll let Samuel do a proper of the code.

Regards,
Jason

[1] https://docs.google.com/document/d/15i0Z750eL_OlUyrypUFLF7Hoi5eoF-dTFWj-Rs4RXGI/edit


* Re: Android app whitelist/blacklist feature
From: Jason A. Donenfeld @ 2018-07-05 13:24 UTC (permalink / raw)
  To: Eric Kuck; +Cc: WireGuard mailing list

On Thu, Jul 5, 2018 at 3:23 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> I'll let Samuel do a proper of the code.

Missing word: review
