WireGuard Archive on lore.kernel.org
 help / color / Atom feed
From: Eric Kuck <eric@bluelinelabs.com>
To: Samuel Holland <samuel@sholland.org>, wireguard@lists.zx2c4.com
Subject: Re: Android app whitelist/blacklist feature
Date: Mon, 2 Jul 2018 20:22:41 -0400
Message-ID: <CAMj-8hQFk_UPJO4-KEH8YvK5NOBH5vu23Vu5JM2Gt0srMD_kEg@mail.gmail.com> (raw)
In-Reply-To: <d939f3b9-ff51-4b94-fcdc-2e819a98459c@sholland.org>

[-- Attachment #1: Type: text/plain, Size: 3507 bytes --]

Excellent. I unfortunately haven’t done any C programming for almost a
decade and have never done any kind of kernel development, so I’m not going
to be any help adding this functionality to the wg-quick implementation. If
I were to do the work I initially proposed (new fragment + GoBackend
implementation), would this be enough to get merged? If so, would it be
better if I simply disabled the new fragment for custom kernel users or if
I left a placeholder assuming someone else can add the missing
implementation?


On July 2, 2018 at 4:43:53 PM, Samuel Holland (samuel@sholland.org) wrote:

Hello Eric,

On 07/02/18 15:35, Eric Kuck wrote:
> I’d like to make a contribution to the Android app, but would like to
know if
> this is something that would actually get merged before I go through all
the
> effort. What I’d like to do is add an exceptions list (apps that will not
be
> routed through the Wireguard interface). The rationale for this being
that
> some apps simply don’t work with Wireguard. For example, the use of a
> Wireguard VPN with custom DNS breaks WearOS watches due to Google
hardcoding
> the use of the 8.8.8.8 DNS server. Another example is that Netflix
doesn’t
> work when routed through my VPN server since they know it’s a
DigitalOcean
> instance, but works fine without the VPN enabled. Another example is that
> there’s often no reason to route data-heavy video apps through your VPN
> server. Rather than turning the VPN on my phone off to use my wearable or
to
> watch something on my phone, I’d like to be able to opt those apps out of
> using the VPN at all. I’m sure there are many more examples of apps that
> simply don’t need to go through a VPN, as no confidential information is
> passed through them.

This sounds like a generally useful feature.

> My proposal is to add another Fragment that’s just a list of all apps
> installed on the phone with check boxes next to them. If the checkbox is
> checked, that app will be routed through Wireguard. If not, it will be
free
> to bypass the VPN. Naturally, all apps will be default to being checked.

If you base the UI on DialogPreference or MultiSelectListPreference,
Android
will take care of persisting the setting for you, and it would be easy to
add to
the settings page.

> This is an easy change to make for the GoBackend implementation using
> VpnService.Builder.addDisallowedApplication(<packageName>), but would
likely
> be pretty complicated to add to WgQuickBackend. Perhaps this is something
> that would only be possible for GoBackend users.

For WgQuickBackend, we'd need to modify the set_users function[1] in the
wg-quick "script" to take a dynamic list of user IDs instead of hard coding
it.
PackageManager should provide us the UIDs of other applications. I'm not
sure
the best way to communicate the ID list from the app to the script. Jason,
thoughts?

> Any thoughts on this? I have everything working locally by simply adding
> these two hardcoded lines to GoBackend.java:
>
> builder.addDisallowedApplication("com.netflix.mediaclient");
> builder.addDisallowedApplication("com.google.android.wearable.app”);
>
> but I would like to make this more configurable and available to the rest
of
> Wireguard users if you’re agreeable to it. Thanks.

Thank you,
Samuel

[1]:
https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick/android.c?id=dfd9827d5b08c506522bb3762cd3b0dbac640bbc#n291

[-- Attachment #2: Type: text/html, Size: 4506 bytes --]

<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">Excellent. I unfortunately haven’t done any C programming for almost a decade and have never done any kind of kernel development, so I’m not going to be any help adding this functionality to the wg-quick implementation. If I were to do the work I initially proposed (new fragment + GoBackend implementation), would this be enough to get merged? If so, would it be better if I simply disabled the new fragment for custom kernel users or if I left a placeholder assuming someone else can add the missing implementation?</div> <br> <div id="bloop_sign_1530577058338650880" class="bloop_sign"></div> <br><p class="airmail_on">On July 2, 2018 at 4:43:53 PM, Samuel Holland (<a href="mailto:samuel@sholland.org">samuel@sholland.org</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>Hello Eric,
<br>
<br>On 07/02/18 15:35, Eric Kuck wrote:
<br>&gt; I’d like to make a contribution to the Android app, but would like to know if
<br>&gt; this is something that would actually get merged before I go through all the
<br>&gt; effort. What I’d like to do is add an exceptions list (apps that will not be
<br>&gt; routed through the Wireguard interface). The rationale for this being that  
<br>&gt; some apps simply don’t work with Wireguard. For example, the use of a  
<br>&gt; Wireguard VPN with custom DNS breaks WearOS watches due to Google hardcoding  
<br>&gt; the use of the 8.8.8.8 DNS server. Another example is that Netflix doesn’t  
<br>&gt; work when routed through my VPN server since they know it’s a DigitalOcean  
<br>&gt; instance, but works fine without the VPN enabled. Another example is that  
<br>&gt; there’s often no reason to route data-heavy video apps through your VPN  
<br>&gt; server. Rather than turning the VPN on my phone off to use my wearable or to  
<br>&gt; watch something on my phone, I’d like to be able to opt those apps out of  
<br>&gt; using the VPN at all. I’m sure there are many more examples of apps that  
<br>&gt; simply don’t need to go through a VPN, as no confidential information is  
<br>&gt; passed through them.
<br>
<br>This sounds like a generally useful feature.
<br>
<br>&gt; My proposal is to add another Fragment that’s just a list of all apps  
<br>&gt; installed on the phone with check boxes next to them. If the checkbox is  
<br>&gt; checked, that app will be routed through Wireguard. If not, it will be free  
<br>&gt; to bypass the VPN. Naturally, all apps will be default to being checked.
<br>
<br>If you base the UI on DialogPreference or MultiSelectListPreference, Android
<br>will take care of persisting the setting for you, and it would be easy to add to
<br>the settings page.
<br>
<br>&gt; This is an easy change to make for the GoBackend implementation using  
<br>&gt; VpnService.Builder.addDisallowedApplication(&lt;packageName&gt;), but would likely  
<br>&gt; be pretty complicated to add to WgQuickBackend. Perhaps this is something  
<br>&gt; that would only be possible for GoBackend users.
<br>
<br>For WgQuickBackend, we&#39;d need to modify the set_users function[1] in the
<br>wg-quick &quot;script&quot; to take a dynamic list of user IDs instead of hard coding it.
<br>PackageManager should provide us the UIDs of other applications. I&#39;m not sure
<br>the best way to communicate the ID list from the app to the script. Jason, thoughts?
<br>
<br>&gt; Any thoughts on this? I have everything working locally by simply adding  
<br>&gt; these two hardcoded lines to GoBackend.java:
<br>&gt;  
<br>&gt; builder.addDisallowedApplication(&quot;com.netflix.mediaclient&quot;);  
<br>&gt; builder.addDisallowedApplication(&quot;com.google.android.wearable.app”);
<br>&gt;  
<br>&gt; but I would like to make this more configurable and available to the rest of
<br>&gt;  Wireguard users if you’re agreeable to it. Thanks.
<br>
<br>Thank you,
<br>Samuel
<br>
<br>[1]:
<br><a href="https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick/android.c?id=dfd9827d5b08c506522bb3762cd3b0dbac640bbc#n291">https://git.zx2c4.com/WireGuard/tree/src/tools/wg-quick/android.c?id=dfd9827d5b08c506522bb3762cd3b0dbac640bbc#n291</a>
<br></div></div></span></blockquote></body></html>

  reply index

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-02 20:35 Eric Kuck
2018-07-02 21:43 ` Samuel Holland
2018-07-03  0:22   ` Eric Kuck [this message]
2018-07-03  2:21     ` Jason A. Donenfeld
2018-07-03  2:27       ` Eric Kuck
2018-07-03  2:31         ` Jason A. Donenfeld
2018-07-03 18:12           ` Samuel Holland
2018-07-03 18:17             ` Jason A. Donenfeld
2018-07-04 22:19               ` Eric Kuck
2018-07-05 13:23                 ` Jason A. Donenfeld
2018-07-05 13:24                   ` Jason A. Donenfeld

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAMj-8hQFk_UPJO4-KEH8YvK5NOBH5vu23Vu5JM2Gt0srMD_kEg@mail.gmail.com \
    --to=eric@bluelinelabs.com \
    --cc=samuel@sholland.org \
    --cc=wireguard@lists.zx2c4.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/com.zx2c4.lists.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git